Security is nigh impossible. It’s extremely difficult to stop a determined
adversary. Often the best you can do is
discourage them, and maybe minimize the consequences when they do attack. Why does
this statement ring true? Because most people assume everything is secure
until provided strong evidence to the contrary, which is exactly backwards from a
reasonable approach. The confidence that people have in security is inversely
proportional to how much they know about it. If you’re not running scared, you
have bad security or a bad security product.
People lacking imagination, skepticism, and a sense of humor
should not work in the security field. If you focus mostly on the threats,
you’re probably in trouble. And we always forget that low-tech attacks work, even
against high-tech devices and systems. We know that people and organizations
can’t keep secrets. The insider threat from careless or complacent workers
exceeds the threat from malicious insiders, though the latter is not
negligible. In the end, it all boils down to this: the problem with common
sense is that it is not all that common.
Do we have any hope of winning the battle for good security
and acceptable privacy?