an ominous comment

Stephen D. Williams sdw at lig.net
Mon Jul 20 14:53:59 PDT 2015


I hold multitudes.  I am in one thread totally cypherpunk, and have been for a very long time.  There are innumerable ways to 
compromise and be compromised for all kinds of good and mostly bad reasons.  Perfect protection is tough in many ways and we 
should keep striving to get closer to that ideal security stance.

On the other hand, life is a balance.  I probably shouldn't have tried to make the point here, but it is something a security 
professional should understand well: The right amount of security should be moderated by the tradeoff of costs vs. overhead vs. 
maximizing benefit vs. minimizing loss.  Security stances change over time and aren't necessarily accurately reflected by paranoid 
absolutism.

An example along these lines that I like to keep in mind:
(I really did avoid writing down passwords anywhere for a long time.  And I still don't carry them with me.  If I did, they wouldn't 
be plaintext.)

https://www.schneier.com/blog/archives/2005/06/write_down_your.html
>
> Write Down Your Password
>
> Microsoft's Jesper Johansson urged <http://news.cnet.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html> 
> people to write down their passwords.
>
> This is good advice, and I've been saying it for years.
>
> Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more 
> secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of 
> paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small 
> pieces of paper: in their wallet.
>

It is terrible that some companies have been too eager to share information.  They may or may not have believed whatever safeguards 
were in place, or not cared, etc.  I'm sure a high pressure meeting with an FBI crew who are strongly playing the terrorism angle is 
persuasive, as it should be, up to a point. And companies holding your data can actually look at that data for business purposes, 
although how they use it is somewhat bounded by privacy laws (however incomplete), not making private things public, unfair business 
practices, etc.  My point was that the existence of large, valuable services that depend on a lot of trust is, or should be to a 
sane entity, an even stronger incentive to behave than the patchwork of laws.  Past oversharing, then embarrassment and public 
abuse, coupled with product impacts as they lose sensitive customers, has almost certainly caused a cleanup of those attitudes.  I'd 
be interested in the actual policy right now, although I doubt they are going to be too explicit.  I suspect that it also varies 
heavily by corporate culture.

Every day, you are somewhat at the mercy of dozens and perhaps thousands of people who could cause you pain, suffering, or death if 
they were so inclined.  There are many in the government, schools, employer personnel departments, medical and insurance companies, 
etc.  The people driving around you, stopped at a light while you cross the street, making your food, they all have access and the 
ability to inflict misery on you.  You have to trust someone to some extent.  The question is who you trust, how incentivized they 
and the people / organization around them are to protect you, and whether wrongs will be limited, corrected, and righted or not.

For a long time, as a contractor at the peak of their heyday, I had access to AOL's entire user database, complete with name, 
address, full credit card info, phone numbers, etc.  I could have also snooped on their Buddylists, their person-to-person video 
(Instant Images), and a lot more.  There was zero chance that I would abuse any of that.

sdw

On 7/20/15 2:07 PM, Juan wrote:
>
> 	cypherpunk :
>
> 	https://www.wikileaks.org/Op-ed-Google-and-the-NSA-Who-s.html
>
> 	"Google and the NSA: Who’s holding the ‘shit-bag’ now?"
>
>
> 	Not-cypherpunk-at-all :
>
>
>> 2015-07-19 2:22 GMT+09:00 Stephen D. Williams <sdw at lig.net>:
>>
>> I feel perfectly confident that Google is going to protect their
>> billions in income and valuation by being very careful with
>> avoiding abusing their data or users in any strong sense.
