Tim wrote:
Companies have been trying to convince the home computer user that they should be encrypting for years. Doesn't work. And for not very surprising reasons. Same thing seen in the home security business, backups, etc.
(The average user doesn't make any backups. The average homeowner doesn't do any more to secure his house than what it came with. In other words, "the defaults." )
Right. I suppose there's not much that can be done for people who expect "security" to be handed down to them from the sky on a silver platter. I'm sure it couldn't be more obvious to most here that if you don't put out the effort to take responsibility for your own security, you aren't going to have it--for your computer or anything else. But then, that sounds suspiciously resonant with "if they're too lazy or stupid to get it, then screw em", doesn't it. I think the real flaw there--what keeps me so uncomfortable with it (even though my gut tells me it's a logical conclusion)--is reflected in the sheer number of people I've seen change their minds once they found out a little more about how insecure they really are. Haven't you ever been in a discussion/argument/presentation about computer security with someone, and at some point you notice that moment when it finally registers, you know that it really penetrated something...and they must have that sickening queasy little feeling in the pit of their stomachs when they say: "Oh my God, I had no idea". And at some point, haven't you all felt that sick, queasy shock of recognition yourselves? Maybe from something you read on John Young's site, or in response to being hacked? I certainly did--after that everything was different. It's a great feeling to have someone thank you for giving them the information they needed to wake up and do something to help themselves. The downside is you always risk coming across like a nutcase cyber-Cassandra, but you don't have to if you just let the raw facts do the convincing for you. More generally, I found it puzzling to see everyone getting hysterical over 911 when we're precisely no more and no less vulnerable than we ever were. I didn't learn a thing from it I hadn't already come to terms with on my own. (Having been abandoned as a child and homeless on your own at 17 tends to do an excellent job of ridding a person of any excess sense of security. Not that I'd recommend it...)
So maybe for all the people who responded to the shock of 911 with "I'd give up all my civil liberties to feel safe again" there were enough who were jolted into taking responsibility for their own security to make a difference. Something to consider when thinking about the future of crypto, anyway. ~Faustine. *** The right to be let alone is indeed the beginning of all freedoms. --William O. Douglas, Associate Justice, US Supreme Court
On Monday, November 19, 2001, at 12:36 PM, Faustine wrote:
But then, that sounds suspiciously resonant with "if they're too lazy or stupid to get it, then screw em", doesn't it. I think the real flaw there--what keeps me so uncomfortable with it (even though my gut tells me it's a logical conclusion)--is reflected in the sheer number of people I've seen change their minds once they found out a little more about how insecure they really are.
Haven't you ever been in a discussion/argument/presentation about computer security with someone, and at some point you notice that moment when it finally registers, you know that it really penetrated something...and they must have that sickening queasy little feeling in the pit of their stomachs when they say:
"Oh my God, I had no idea".
No, I can't say that I have. I have never wasted my time trying to convince sheeple that they need to make backups, put good locks on their doors, use encryption, not give their SS numbers to others, and so on. You didn't quote all of my material (which is fine), but it's important that folks remember the point I made about bank vault security: was it requested/demanded by the "industry" or by "the customer" (Joe Sixpack)? The answer is actually more interesting: the drive for better vaults was largely driven by _insurance_ issues. I suspected this when I first started thinking about security and crypto, and then I tracked down some comments from the safe makers (like Mosler). After bank robberies, when safes had to be replaced, banks would look at the economic tradeoffs in deciding whether to get a newer model from companies like Mosler. If they were insured, as became more common as the 20th Century unfolded, their insurance premiums depended on their overall security measures. This applied as well to _new_ banks. This meant that neither the customer (Joe Sixpack) nor the branch manager had to be "convinced" or "sold" on the importance or value of good security. Rather, the normal market discounting forces took care of the issue. Actuaries, underwriters, risk estimators, and security experts think about things some people never think will happen to them. Educating the masses is not the main issue. If you had read much of the past traffic of the list, Faustine, you would know about this point. Will the same happen with online security and crypto? It already has. The credit card companies already have imposed rules for merchants, a major part of why SSL and 128-bit crypto and all the rest is happening. Lawsuits over leaking of medical records are already happening, and some large tort judgements will likely cause increases in security (including better encryption, more use of capability-based architectures to limit access, etc.) 
Sure, Grandma and Sis aren't using PGP 8.13 to encrypt their notes to you. So? Crypto is economics. Security is economics. Has been since the days of measures and countermeasures with spears and fences and walls and castles and siege engines. "Educating the residents of villages" is neither here nor there. Not that I'm discouraging you from going out and trying to get that "I didn't know that!" glimmer of awareness that maybe good locks are better than bad locks. Knock yourself out. But as a reason why certain interesting technologies are not being deployed, it's a side show. --Tim May "You don't expect governments to obey the law because of some higher moral development. You expect them to obey the law because they know that if they don't, those who aren't shot will be hanged." --Michael Shirley
On Monday, November 19, 2001, at 12:55 PM, Tim May wrote:
On Monday, November 19, 2001, at 12:36 PM, Faustine wrote:
<...>
This applied as well to _new_ banks. This meant that neither the customer (Joe Sixpack) nor the branch manager had to be "convinced" or "sold" on the importance or value of good security. Rather, the normal market discounting forces took care of the issue. Actuaries, underwriters, risk estimators, and security experts think about things some people never think will happen to them. Educating the masses is not the main issue.
If you had read much of the past traffic of the list, Faustine, you would know about this point.
Will the same happen with online security and crypto? It already has. The credit card companies already have imposed rules for merchants, a major part of why SSL and 128-bit crypto and all the rest is happening. Lawsuits over leaking of medical records are already happening, and some large tort judgements will likely cause increases in security (including better encryption, more use of capability-based architectures to limit access, etc.)
The irony in this, to use your analogy to bank robbers, is that mandating 128-bit SSL is not securing the bank vault, but rather making sure nobody but the bank teller and the customer know what they are saying to each other (SSL being transport security). Most bank robbers in the past wanted into the safe/vault because that's where the *big* cash is. These days that is done by reading the database, rather than sniffing the wire. But database security is relatively easy and uninteresting.
Sure, Grandma and Sis aren't using PGP 8.13 to encrypt their notes to you. So?
So it makes it more obvious when Bill the Abortion Provider sends me instructions on how to get to his office.
Not that I'm discouraging you from going out and trying to get that "I didn't know that!" glimmer of awareness that maybe good locks are better than bad locks. Knock yourself out.
Part of the problem is that security is a PITA, and they get that glimmer, and they start worrying about things, but the habits are already there.
--Tim May "You don't expect governments to obey the law because of some higher moral development. You expect them to obey the law because they know that if they don't, those who aren't shot will be hanged." --Michael Shirley
-- "Remember, half-measures can be very effective if all you deal with are half-wits."--Chris Klein
participants (3): Faustine, Petro, Tim May