On Monday, November 19, 2001, at 12:36 PM, Faustine wrote:
But then, that sounds suspiciously resonant with "if they're too lazy or stupid to get it, then screw em", doesn't it. I think the real flaw there--what keeps me so uncomforable with it (even though my gut tells me it's a logical conclusion)--is reflected in the sheer number of people I've seen change their minds once they found out a little more about how insecure they really are.
Haven't you ever been in a discussion/argument/presentation about computer security with someone, and at some point you notice that moment when it finally registers, you know that it really penetrated something...and they must have that sickening queazy little feeling in the pit of their stomachs when they say:
"Oh my God, I had no idea".
No, I can't say that I have. I have never wasted my time trying to convince sheeple that they need to make backups, put good locks on their doors, use encryption, not give their SS numbers to others, and so on. You didn't quote all of my material (which is fine), but it's important that folks remember the point I made about bank vault security: was it requested/demanded by the "industry" or by "the customer" (Joe Sixpack)? The answer is actually more interesting: the drive for better vaults was largely driven by _insurance_ issues. I suspected this when I first started thinking about security and crypto, and then I tracked down some comments from the safe makers (like Mosler). After bank robberies, when safes had to be replaced, banks would look at the economic tradeoffs in deciding whether to get a newer model from companies like Mosler. If they were insured, as became more common as the 20th Century unfolded, their insurance premiums depended on their overall security measures. This applied as well to _new_ banks. This meant that neither the customer (Joe Sixpack) nor the branch manager had to be "convinced" or "sold" on the importance or value of good security. Rather, the normal market discounting forces took care of the issue. Actuaries, underwriters, risk estimators, and security experts think about things some people never think will happen to them. Educating the masses is not the main issue. If you had read much of the past traffic of the list, Faustine, you would know about this point. Will the same happen with online security and crypto? It already has. The credit card companies already have imposed rules for merchants, a major part of why SSL and 128-bit crypto and all the rest is happening. Lawsuits over leaking of medical records are already happening, and some large tort judgements will likely cause increases in security (including better encryption, more use of capability-based architectures to limit access, etc.) Sure, Grandma and Sis aren't using PGP 8.13 to encrypt their notes to you. So? Crypto is economics. Security is economics. Has been since the days of measures and countermeasures with spears and fences and walls and castles and siege engines. "Educating the residents of villages" is neither here nor there. Not that I'm discouraging you from going out to and trying to get that "I didn't know that!" glimmer of awareness that maybe good locks are better than bad locks. Knock yourself out. But as a reason why certain interesting technologies are not being deployed, it's a side show. --Tim May "You don't expect governments to obey the law because of some higher moral development. You expect them to obey the law because they know that if they don't, those who aren't shot will be hanged." - -Michael Shirley