[personal profile] mjg59
I read this tweet a couple of weeks ago:

and it got me thinking. Security research is often derided as unnecessary stunt hacking, proving insecurity in things that are sufficiently niche or in ways that involve sufficient effort that the realistic probability of any individual being targeted is near zero. Fixing these issues is basically defending you against nation states (who (a) probably don't care, and (b) will probably just find some other way) and, uh, security researchers (who (a) probably don't care, and (b) see (a)).

Unfortunately, this may be insufficient. As basically anyone who's spent any time anywhere near the security industry will testify, many security researchers are not the nicest people. Some of them will end up as abusive partners, and they'll have both the ability and desire to keep track of their partners and ex-partners. As designers and implementers, we owe it to these people to make software as secure as we can rather than assuming that a certain level of adversary is unstoppable. "Can a state-level actor break this" may be something we can legitimately write off. "Can a security expert continue reading their ex-partner's email" shouldn't be.

Not only security researchers

Date: 2016-08-26 01:42 pm (UTC)
From: (Anonymous)
Any abusive partner (regardless of gender), or not even a partner (roommate, relative, stranger, etc.) may be tempted to invade the digital life of another person - one doesn't have to be a security researcher for this. There are so-called RATs, key loggers, etc., that don't seem to require sophisticated skills to attack an average computer user - especially if the attacker has physical access to their device. The key is 1) making security the default (disk encryption, screen locking, etc.), 2) making it easy to use and, most importantly, 3) educating people about digital hygiene.

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.
