Matthew Garrett (mjg59) wrote 2016-08-25 08:02 pm
Priorities in security

I read this tweet a couple of weeks ago:

and it got me thinking. Security research is often derided as unnecessary stunt hacking, proving insecurity in things that are sufficiently niche or in ways that involve sufficient effort that the realistic probability of any individual being targeted is near zero. Fixing these issues is basically defending you against nation states (who (a) probably don't care, and (b) will probably just find some other way) and, uh, security researchers (who (a) probably don't care, and (b) see (a)).

Unfortunately, this may be insufficient. As basically anyone who's spent any time anywhere near the security industry will testify, many security researchers are not the nicest people. Some of them will end up as abusive partners, and they'll have both the ability and desire to keep track of their partners and ex-partners. As designers and implementers, we owe it to these people to make software as secure as we can rather than assuming that a certain level of adversary is unstoppable. "Can a state-level actor break this" may be something we can legitimately write off. "Can a security expert continue reading their ex-partner's email" shouldn't be.

Post tags

(Anonymous) 2016-08-26 12:40 am (UTC)
Is the fedora tag "fedora" as in "m'lady"?

No.

(Anonymous) 2016-08-26 02:31 am (UTC)
No. Being a security expert does not make you a prick. Being a prick does not make you a criminal. We need security research because transparency is good policy, regardless of its implementation.

Re: No.

(Anonymous) 2016-08-26 03:04 am (UTC)
The field of information security attracts people who are interested in testing boundaries, and it's an unfortunate truth that some of them use those skills at getting around boundaries on others in their life.

Not only security researchers

(Anonymous) 2016-08-26 01:42 pm (UTC)
Any abusive partner (regardless of gender), or not even a partner (roommate, relative, stranger, etc.) may be tempted to invade the digital life of another person - one doesn't have to be a security researcher for this. There are so-called RATs, key loggers, etc., that don't seem to require sophisticated skills to attack an average computer user - especially if the attacker has physical access to their device. The key is 1) making security the default (disk encryption, screen locking, etc.), 2) making it easy to use and, most importantly, 3) educating people about digital hygiene.

You just gave me a reason to keep learning about computers

(Anonymous) 2016-09-18 07:08 pm (UTC)
Since bailing out of my last job, I'd gotten increasingly disconnected from infosec and computer stuff. With Google now being the new Microsoft, and the world generally going to hell in a handbasket, I'd pretty much given up. Ten plus years living and breathing Linux having basically gone to waste, etc. The whole thing seemed so trivial and worthless, just an exercise in propping up heartless corporations.

Seriously, thanks for reminding me that software can actually matter.