On Tue, Aug 07, 2012 at 05:18:02PM -0700, e...@sundelof.com wrote 4.7K bytes in 111 lines about:
:partial defenses using any technology tool. I may feel too strong about
:tools being discussed as THE solution or THE bulletproof vest so to speak.

I'm not picking on you Erik, but this comment finally struck me about what's bothered me with this debate. There is no such thing as 'the bulletproof vest'. I think this is what some have been trying to say, too. Bulletproof vests, like safes, are misnamed for marketing purposes. Bulletproof vests are rated for resistance against classes and types of ammunition.

Personally, I think computer security tools need to be more easily identified and rated on a scale for their resistance to specific threat models. Way too many security people assume the perfect adversary, which even the NSA, FSB, MSS, or other national intelligence agencies could never live up to (but they will sure help you believe they are perfect). With a perfect adversary, all is lost. On a theoretical level, a perfect adversary is a fine goal to defeat. On a practical level, a perfect adversary doesn't exist.

Bulletproof vests are rated based on type of ammunition, distance from shooter, how many repeated strikes it will survive, and how much force is transmitted to the wearer per strike. Any professional physical security person will understand the trade-offs between desired resistance, vest weight, and likely risks. The material choice matters as well, as kevlar or armored plate perform differently. Generally, these professionals will explain to you how the bulletproof vest protects you and when it doesn't.

People are horrible at assessing risk. Give someone a basic local-police quality bulletproof vest with no explanation and they feel they are invulnerable and adjust their risk-taking accordingly. If you explain to them that the vest will last for one, maybe two, shots from a .45 and that FMJ rounds will go right through it, and that anything from a 1m range will likely knock you out from the concussive force of impact, suddenly this person adjusts their expectations and behavior. The bulletproof vest suddenly seems less bulletproof and the wearer understands the risks.

In general, when working with someone (activists, law enforcement, abuse victims, teenagers, etc) I try to understand their threat model, explain what solutions work when, and why nothing is perfect. Ultimately, the person is the one that needs to make the risk assessment and adjust accordingly. My risk acceptance is different from theirs. I can't make the decision for them.

There is no ultimate tool for security, just different tools for different needs in your toolbox. Some tools are better than others along a scale. If it is easier to understand threat models and resistance against them, everyone would be better off.

My $0.02.

--
Andrew
http://tpo.is/contact
pgp 0x6B4D6475