caring requires data

[coderman]

On 10/13/14, ianG <iang at iang.org> wrote:
> ...
> No, and I argue that nobody should care about MITM nor downgrade attacks
> nor any other theoretical laboratory thing.  I also argue that people
> shouldn't worry about shark attacks, lightning or wearing body armour
> when shopping.
> ...
> What distinguishes what we should care about and what we shouldn't is
> data.  And analysis of that data.


indeed. thanks for showing me the light, ian!


Q: 'Should I disable Dual_EC_DRBG?'
A: "The data shows zero risk of an attacker compromising the known
vulnerability of a specially seed random number generator. Do not
change; keep using Dual_EC_DRBG!"

Q: 'Should I switch away from 1024 bit strength RSA keys?'
A: "The data shows zero risk of an attacker compromising the known
vulnerability of a insufficiently large RSA key as the cost is
prohibitive and no publicly demonstrated device exists. Do not change
to larger keys; keep using 1024 bit RSA!"

Q: 'Should I worry about the auto-update behavior of my devices or computers?'
A: "The data shows minimal risk of an attacker compromising your
systems via this method. Don't bother changing your vulnerable auto
update any where any time any how; you're probably safe!"


it's all so easy now... :)