Death by Yes
I've Spent 43 Years Securing Systems. Here's Why I Don't Trust Software That Can't Say No.
I've been doing this for a long time. Forty-three years of backend work, most of it in or adjacent to environments where security wasn't optional. ACH and credit card processing, HIPAA compliance, air-gapped systems, some of it for entities I can't name and projects I'll never talk about. The through-line in all of it was always the same: reduce attack surface. Ports you don't open can't be exploited, services you don't run can't be compromised, and features you don't ship can't betray you.
This shapes how I think about software, even the software on my personal machines. My home network looks like something out of a paranoid sysadmin's fever dream because that's the only way I know how to build things. Pi-hole feeding into Unbound for recursive DNS so no single provider builds a profile of my queries, a UISP Router Pro with VLANs segmenting my network so the IoT garbage can't talk to my workstations, UPnP disabled, no port forwards, and no remote access at all. If I'm not home, I'm not home, and the convenience isn't worth the attack surface.
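The Pi-hole-into-Unbound arrangement described above is a small config change rather than a product feature, which is part of the point. The following `unbound.conf` is an added example, not the author's actual configuration and not taken from either project's defaults. It assumes Pi-hole and Unbound run on the same host, that Unbound listens on loopback port 5335 (the port used in Pi-hole's Unbound guide), and the file paths shown are typical Debian locations; adjust them to your distribution.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf  (path is an assumption)
server:
    # Listen only on loopback. Pi-hole is the sole client; nothing
    # on the LAN or the Internet can reach this resolver directly.
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no

    # Deliberately NO forward-zone. With one, every query would go
    # to a single upstream provider, which is exactly the profiling
    # the setup is meant to avoid. Unbound walks from the root itself.
    # root-hints is optional; Unbound ships built-in hints.
    root-hints: "/var/lib/unbound/root.hints"

    # Send as little as possible to authoritative servers.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
    minimal-responses: yes
    use-caps-for-id: no

    # DNSSEC validation and hardening.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-algo-downgrade: yes

    # Keep responses under the fragmentation threshold.
    edns-buffer-size: 1232

    # Only loopback may query; refuse everything else outright.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Never accept private addresses in answers from the Internet
    # (DNS rebinding protection). The ranges are a constructed example
    # of what to list; include the ones your VLANs actually use.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # Refresh popular records before they expire.
    prefetch: yes
```

On the Pi-hole side, point its custom upstream at `127.0.0.1#5335` and leave Pi-hole's own DNSSEC option off, since Unbound is already validating and double validation only adds failure modes. Check the result with `dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335` (should return SERVFAIL) and `dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335` (should return an answer); those are the standard DNSSEC test names, not something specific to this setup.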
So when I sit down with a piece of software and it feels like a committee designed it, that stands out to me. A browser that ships with a built-in mail client, calendar, feed reader, and Mastodon panel? I don't see features. I see code, dependencies, and attack surface.
Engineers love building things. That's why we got into this. The dopamine hit of solving a problem, shipping a feature, watching something work that didn't exist yesterday. I get it. I've felt it. But somewhere along the way, the question shifted from "should we build this?" to "can we build this?" And those are very different questions.
I've been testing Vivaldi lately. It's a capable browser with some genuinely nice tab management features, and I wanted to see if it could replace Brave for my daily use. But the longer I spend with it, the more it reminds me of KDE, and that's not a compliment. Both projects feel like someone in a meeting said "oh hey, we could also add this" and nobody in the room had the authority or the inclination to say no.
Vivaldi ships with a mail client, a calendar, a feed reader, translation tools, a notes feature, web panels, and roughly five hundred settings spread across nested menus. The Vivaldi forums have users complaining about feature creep, and the official response boils down to "the reason Vivaldi exists is to have all this stuff built in." That's not a defense; it's an admission that the project has no limiting principle.
KDE has the same energy. The KDE Frameworks consist of 83 separate libraries. After Plasma 6 launched, bug reports jumped from the usual 30-50 per day to 150-200. A KDE developer publicly acknowledged that the project's configurability creates more bugs because there's simply more to test. A bug that only appears when you're using an alternate theme with auto-hiding panels on multiple monitors can't be dismissed as a niche edge case when the software explicitly supports all of those options out of the box, and if you shipped it, you own it.
Here's what bothers me from a security standpoint. Every feature is code, every code path needs to be maintained, and every integration point is a potential vulnerability. When you ship software that tries to do everything, you're not giving users flexibility. You're giving attackers options.
Both Vivaldi and KDE have had real security issues that trace back to this philosophy. KDE's had a screen lock bypass where turning all screens off and back on could unlock the session, notifications that leaked user IP addresses, and X11 clients able to eavesdrop on input events while the screen was supposedly locked. Vivaldi's had an installer vulnerability that allowed arbitrary code execution. These aren't theoretical concerns; they're the natural result of sprawling codebases that try to be everything to everyone.
And then there's the language problem. Vivaldi's UI is built with JavaScript and React running on top of a C++ backend, and KDE uses QML (also JavaScript-based) on top of C++ and Qt. You end up with two languages, two paradigms, and two sets of potential failure modes. The JavaScript layer might be flexible and easy to iterate on, but it's another moving part in a system that already has too many.
Compare this to projects that have a clear vision and stick to it.
Brave is a browser that blocks ads and trackers by default, randomizes your fingerprint, and ships with Tor integration for when you need it. It doesn't have a mail client or a calendar or a feed reader because Brave is a browser and those things are not a browser. The team picked a lane and stayed in it, and the settings fit on a couple of screens because most users don't need to change them. The defaults are the product.
COSMIC is a desktop environment built by System76 entirely in Rust, one language top to bottom, memory-safe by design. They're not bolting features onto GNOME or forking KDE or trying to be everything. They identified what they wanted, which is a tiling-capable desktop that's fast, stable, and doesn't get in your way, and they're building exactly that and nothing else. When I switched to COSMIC on my Thelio, the contrast with KDE was immediate. COSMIC has fewer features because that's the point, not because it's immature.
Good defaults beat infinite toggles, and software that knows what it is beats software that's still figuring it out.
I'm not here to tell anyone what to run. If you love ricing your desktop, rice away because KDE and Vivaldi exist for you. Some people find joy in tweaking every pixel, and I'm not going to pretend that's wrong. Just know what you're trading for those pixels.
For me, the tradeoff isn't worth it. Forty-three years of thinking about attack surface has made me allergic to software that can't define its own boundaries. A project that can't say no to features can't say yes to security, and if everything is configurable, the product doesn't really stand for anything. If the answer to "why does a browser have a mail client?" is "because we could," then I don't trust the team to make harder decisions when the stakes are higher.
I'll stick with Brave and COSMIC, software that knows what it is and isn't embarrassed to ship with defaults.