Security is well-nigh impossible. It’s extremely difficult to stop a determined adversary. Often the best you can do is discourage them, and maybe minimize the consequences when they do attack. Why does this statement ring true? Because most people will assume everything is secure until provided with strong evidence to the contrary, which is exactly backwards from a reasonable approach. The confidence that people have in security is inversely proportional to how much they know about it. If you’re not running scared, you have bad security or a bad security product.
People lacking imagination, skepticism, and a sense of humor should not work in the security field. If you focus mostly on the threats, you’re probably in trouble. And we always forget that low-tech attacks work, even against high-tech devices and systems. We know that people and organizations can’t keep secrets. The insider threat from careless or complacent workers exceeds the threat from malicious insiders, though the latter is not negligible. In the end, it all boils down to this: The problem with common sense is that it is not all that common.
Do we have any hope of winning the battle for good security and acceptable privacy?