I hold multitudes.  I am in one thread totally cypherpunk, and have been for a very long time.  There are innumerable ways to compromise and be compromised for all kinds of good and mostly bad reasons.  Perfect protection is tough in many ways and we should keep striving to get closer to that ideal security stance.

On the other hand, life is a balance.  I probably shouldn't have tried to make the point here, but it is something a security professional should understand well: The right amount of security should be moderated by the tradeoff of costs vs. overhead vs. maximizing benefit vs. minimizing loss.  Security stances change over time and aren't necessarily accurately reflected by paranoid absolutism.

An example along these lines that I like to keep in mind:
(I really did avoid writing down passwords anywhere for a long time.  And I still don't carry them with me.  If I did, they wouldn't be plaintext.)

https://www.schneier.com/blog/archives/2005/06/write_down_your.html

Write Down Your Password

Microsoft's Jesper Johansson urged people to write down their passwords.

This is good advice, and I've been saying it for years.

Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.


It is terrible that some companies have been too eager to share information.  They may or may not have believed whatever safeguards were in place, or not cared, etc.  I'm sure a high pressure meeting with an FBI crew who are strongly playing the terrorism angle is persuasive, as it should be, up to a point.  And companies holding your data can actually look at that data for business purposes, although how they use it is somewhat bounded by privacy laws (however incomplete), not making private things public, unfair business practices, etc.  My point was that the existence of large, valuable services that depend on a lot of trust is, or should be to a sane entity, an even stronger incentive to behave than the patchwork of laws.  Past oversharing, then embarrassment and public abuse, coupled with product impacts as they lose sensitive customers, has almost certainly caused a cleanup of those attitudes.  I'd be interested in the actual policy right now, although I doubt they are going to be too explicit.  I suspect that it also varies heavily by corporate culture.

Every day, you are somewhat at the mercy of dozens and perhaps thousands of people who could cause you pain, suffering, or death if they were so inclined.  There are many in the government, schools, employer personnel departments, medical and insurance companies, etc.  The people driving around you, stopped at a light while you cross the street, making your food, they all have access and the ability to inflict misery on you.  You have to trust someone to some extent.  The question is who you trust, how incentivized they and the people / organization around them are to protect you, whether wrongs will be limited, corrected, and righted or not.

For a long time, as a contractor at the peak of their heyday, I had access to AOL's entire user database, complete with name, address, full credit card info, phone numbers, etc.  I could have also snooped on their Buddylists, their person-to-person video (Instant Images), and a lot more.  There was zero chance that I would abuse any of that.

sdw

On 7/20/15 2:07 PM, Juan wrote:

	cypherpunk : 

	https://www.wikileaks.org/Op-ed-Google-and-the-NSA-Who-s.html

	"Google and the NSA: Who’s holding the ‘shit-bag’ now?" 


	Not-cypherpunk-at-all : 


2015-07-19 2:22 GMT+09:00 Stephen D. Williams <sdw@lig.net>:

I feel perfectly confident that Google is going to protect their
billions in income and valuation by being very careful with
avoiding abusing their data or users in any strong sense.