From Typhoon to Action: A Purism Playbook for Hardening Your Defenses

From the article:

1. Assume Compromise, Hunt Proactively

  • Baseline your environment: inventory every device, service, and connection.
  • Monitor continuously: flag anomalous logins, unexpected data flows, and configuration changes.
  • Audit firmware/BIOS: replace with verifiable, open-source builds where possible.

Purism’s fully auditable stack reduces blind spots — no hidden kernel binaries, no “just trust us” source code.


2. Harden the Edge

  • Patch immediately: routers, VPNs, firewalls, and load balancers are prime targets.
  • Retire “end of life” systems: unsupported means unprotected.
  • Disable what you don’t use: every open port is an attack surface.

With Purism, you control updates and lifecycles — not vendors who cut you off at their convenience.


3. Strengthen Identity & Access

  • Use phishing-resistant MFA: (FIDO2, hardware tokens, Librem Key).
  • Enforce least privilege: access should always be minimal and time-bound.
  • Rotate credentials after staff or role changes.

Purism invented cryptographic tamper-detection, hardware-based isolation, giving users security without surveillance.


4. Control the Communications Layer

  • Encrypt everything: in transit, at rest, and end-to-end where possible.
  • Segment networks: don’t let one breach cascade into many.
  • Physically disable attack surfaces: remove what is not needed.

Purism’s kill switches cut radios, cameras, and microphones at the hardware level. Purism’s Librem PQC Encryptor and Librem PQC Comms Server are the industry’s best cryptography in action.


5. Log, Retain, and Review

  • Centralize logs from critical systems.
  • Retain long-term: Typhoon campaigns run for years, not weeks.
  • Correlate logs to spot “low and slow” intrusions.

Purism’s default is never to track, 100% source code release, and it is the only vendor where you as the user (or agency) control the encryption keys.


6. Build a Response Muscle

  • Tabletop drills: simulate Typhoon-style intrusions before they happen.
  • Playbooks: define who calls whom, in what order, and with what authority.
  • External allies: have trusted partners for forensics and remediation.

Purism releases 100% of its source code, which makes it easy to include reproduction testing and regression testing, and allows you to build out an entire on-premise repository to build automated testing against.


7. Eliminate Blind Trust

  • Audit vendors: demand transparency and clear security posture.
  • Verify supply chains: insist on reproducible builds, signed firmware, open documentation.
  • Reject surveillance-driven business models: your data should never be someone else’s revenue stream.

Purism’s business model isn’t built on exploiting user data. That’s not just a selling point — it’s a security necessity.

Some quick notes (probably not comprehensive):

  1. Purism doesn’t exactly support this kind of baselining as there is no central management system offered - either as a process description (how that should work with Linux phones) or as actual software. Organizations can’t be doing this by hand one device at a time. Even small families have trouble with this (to give tech support to several family members of different ages and tech skills). This kind of requirement for a central support system is key to most of these points. How to set something like that up - where’s the playbook on that?

  2. PureOS itself is EOL and there is old unpatchable software in there, so maybe this would have been a good place to mention how many months or weeks to wait for the new versions, or maybe apologize for this lapse. And as far as I know, the firewall for instance is not hardened by default, which would be easy to note and to do something about. And what about using some other, more modern, security features (like Firejail)?

  3. Have you forgotten that there is a smartcard reader in the L5 - that very special feature that has been underutilized and marketed and written about (it’s lacking how-tos and tools, or tool how-tos)?

  4. This is ok as such. The one thing I noticed is that this section kinda highlights where Purism’s features and offerings are segmented - which helps to see where the blind spots may be, if one has been relying only on those. On the kill switches though, they are not perfect and should come with a guide on what their limits are.

  5. Needs a bit of editing, as it calls for centralized logging and surveillance but at the same time says the default is to never track. Readers may not get the point and how this is supposed to work. (also see point 1).

  6. This is very good. Only a few organizations do these. Individuals should think about these as well, but they have even less capacity. Now, my only gripe is that - to my knowledge - Purism itself hasn’t been doing these (and seems weak on the third in the greater community), as evident by some of the incidents. Something that everyone should work on, I’m sure, but also to communicate.

  7. Here, it’s the measures taken to secure the supply chain that I find lacking. As I’ve pointed out before, there is no CVE-tracking and I haven’t seen or heard about an SBOM or BOM that Purism has for its devices and software. I hope they are being worked on, as those seem to be a requirement in most markets soonish.

Overall, this playbook is a general list of some of the best practices for organizations. The write-up is on par with what has been published in that space before and kind of “meh” and maybe should be shrugged at, but I also see potential there. I see gaps between what is said and what is offered, but also between what organizations can/should do and what individuals can/should do too. This is not to underline failure but to show that there is opportunity to develop something to fill these gaps. I’m sure that there are other comments too, after better analysis.

So, how about a “v.2” of this first AI-draft-looking playbook? A bit deeper and more Purism-device and Linux specific - actually useful? Because that would be awesome.

3 Likes
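As an added illustration of two of the quoted playbook items (section 1, “flag anomalous logins”, and section 5, “correlate logs to spot ‘low and slow’ intrusions”), here is a small Python script that is not from the article and not Purism’s code. It parses constructed sshd-style log lines, compares successful logins against a baseline set of known admin sources, and then does the long-window correlation the playbook asks for: a source whose failed logins never exceed a per-hour rate threshold, but whose total over the retained window is high, is surfaced anyway. The log lines, the baseline addresses and the thresholds are all assumptions made up for the example; only the pattern (retain long, aggregate per source, compare peak rate against total) is the point.

```python
"""Added example (not from the article or from Purism): correlate retained
authentication events to surface 'low and slow' password guessing that a
per-hour rate alert would miss, and flag successful logins from sources
absent from a baseline inventory."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in sshd style; addresses are documentation
# ranges and do not refer to any real system.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z host1 sshd: Failed password for admin from 198.51.100.7
2024-03-01T09:41:52Z host1 sshd: Accepted publickey for alice from 192.0.2.10
2024-03-02T03:02:11Z host1 sshd: Failed password for admin from 198.51.100.7
2024-03-03T04:15:30Z host1 sshd: Failed password for root from 198.51.100.7
2024-03-04T01:55:03Z host1 sshd: Failed password for admin from 198.51.100.7
2024-03-05T05:22:48Z host1 sshd: Failed password for admin from 198.51.100.7
2024-03-05T08:00:00Z host1 sshd: Accepted publickey for alice from 192.0.2.10
2024-03-06T03:40:19Z host1 sshd: Failed password for backup from 198.51.100.7
2024-03-07T02:05:44Z host1 sshd: Accepted password for admin from 198.51.100.7
2024-03-07T11:12:09Z host1 sshd: Accepted publickey for bob from 203.0.113.5
"""

# Assumed baseline: the sources from which admin logins are expected.
BASELINE_SOURCES = {"192.0.2.10", "203.0.113.5"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"(?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Parse sshd-style lines into dicts with a UTC datetime; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def low_and_slow(events, min_failures=5, hourly_threshold=5):
    """Flag sources whose failed logins across the whole retained window reach
    min_failures while no single hour reached hourly_threshold (the rate a
    plain per-hour alert would need)."""
    failures_by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures_by_src[ev["src"]].append(ev)

    findings = {}
    for src, fails in failures_by_src.items():
        if len(fails) < min_failures:
            continue
        per_hour = defaultdict(int)
        for ev in fails:
            per_hour[ev["ts"].replace(minute=0, second=0, microsecond=0)] += 1
        peak = max(per_hour.values())
        if peak >= hourly_threshold:
            continue  # loud enough that a simple rate alert already fires
        first_fail = min(ev["ts"] for ev in fails)
        # A success from the same source after the guessing began is the
        # correlation that turns 'noise' into an incident.
        success_after = any(
            ev["result"] == "Accepted" and ev["src"] == src and ev["ts"] > first_fail
            for ev in events
        )
        findings[src] = {
            "failures": len(fails),
            "distinct_users": len({ev["user"] for ev in fails}),
            "peak_per_hour": peak,
            "success_after_failures": success_after,
        }
    return findings


def anomalous_logins(events, baseline_sources):
    """Successful logins from sources that are not in the baseline inventory."""
    return [
        (ev["user"], ev["src"], ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"))
        for ev in events
        if ev["result"] == "Accepted" and ev["src"] not in baseline_sources
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, finding in low_and_slow(evs).items():
        print(f"low-and-slow guessing from {src}: {finding}")
    for user, src, ts in anomalous_logins(evs, BASELINE_SOURCES):
        print(f"login from non-baseline source: {user} from {src} at {ts}")
```

Run on the sample, the per-hour peak for 198.51.100.7 is 1, so a threshold of 5 failures per hour never fires; only the week-long total of 6 failures across 3 usernames, followed by a successful password login from the same source, makes it visible. That is why the playbook pairs “retain long-term” with “correlate”: the detection depends on the window being longer than the attacker’s patience.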