by EternalAugust
2376 days ago
This is pretty cool. I have been considering collating a bunch of notes I've been collecting on Linux security into a free book which would be aimed at security researchers and system administrators who have the luxury of securing their systems beyond checklists... though I'm nowhere near realizing that.

A few comments on the design of the book here, though. It seems strange to me that privacy and security should be treated together. Security and privacy are frequently mutually exclusive. To get the best privacy you often have to sacrifice some security, and vice versa. An example would be allowing Windows Defender to automatically submit data and files to Microsoft. This increases security but decreases privacy. Another example is how Google requires you to submit a non-VoIP phone number during Google account creation. Obviously, this decreases privacy, but it also prevents spammers from flooding the comments section of YouTube videos with links to sites hosting malware (this used to be a huge problem).

Of course there are many controls that increase both privacy and security together. But the relationship is complex, and I think the only way to write a clear book for specialists with actionable guidelines is to place either security or privacy as the priority, not both.

Also, at first glance I am not sure if the book is meant to help administrators and businesspeople design services that are secure and protect end-user privacy, or if it is meant to help end-users themselves protect their privacy/security, or both [Edit: 1]. In the Introduction: "This reference architecture is created to improve security and privacy designs in general." Chapter on security principles seems aimed at the admins too. But there is a whole chapter on OSS Privacy Applications that seems to target end-users and show them how they can protect their privacy. I am left wondering: "Is this book for me? Maybe. Idk."

Maybe I skimmed too quickly, but it really seems like it's trying to address too many audiences at once. Maybe the authors can comment on why they made these design decisions.

[1] Edit: add to that developers, with the chapter on secure coding guidelines.

Figuring out various strategies for tightening up that causality chain improves both security and privacy. Formal verification and security proofs of cryptography code. Provably correct software systems. Comprehensive testing. Using application or systems frameworks that have been developed with a security-first mentality, rather than security-bolted-on mentality (too many today use the latter). Etc.