Keith via plug on 11 Aug 2020 08:47:41 -0700 |
Re: [PLUG] news |
On 8/10/20 5:09 PM, Thomas Delrue wrote:
<snip>
I might as well get guards, triple sets of locks, and half-inch steel doors on my house because I don't know if that knock is the postal worker, the neighbor, or an assailant. Perhaps you misunderstand me. *Ideologically*, I agree with you. Encryption should absolutely always be an option, and be unrestricted by mandate. Its use should never be questioned or assumed malignance or anything of the sort. Everyone should have a right to privacy and integrity of data, and so forth. I've been a pretty steady patron of the EFF for many years. *Practically*, however, I take issue with "encrypt all the things always, and fuck you if you disagree because we say so". In a *perfect* world, things would have been designed to allow for this. But they haven't, so it's incredibly short-sighted to just jump to the guns without consideration of the issues it's going to present. (Like what happened with DoH.)
+1
I once had a conversation with CJ where I said, "everything is a function of risk" and security work has taught me that more than anything else. What you are always trying to do is create a balance between a set of parameters - technical, human, practical, ideological, etc. Your calculus is the same task no matter your parameter set - you're spreading risk (or pure risk as financial folks might say).
If you take the factors as ideological and practical you have to accept it's never one or the other because solutions have to be real. You are seeking the right balance (i.e. risk spread - how ideological can I be, how practical can I be?) so that a certain confidence (or risk tolerance) can be met.
This is easier to understand when you have a lot of information
to analyze (discussions about risk are rooted in the law of large
numbers from probability theory) but that doesn't always
translate to the individual. What a government or large company
does to spread risk isn't necessarily what a small company or
individual should do but it could be. Do all individuals need
24/7 armed security? No, but you could certainly understand why
some celebrities and politicians do or why, say, a women's shelter
might. You could further understand why almost everyone has locks
on their house.
I know people like to talk about "trust" as THE key component of
security but when you look at security in a more comprehensive
manner (i.e. include things that are not just about technology
solutions), trust is certainly a factor but I think far too much
focus is placed on that instead of understanding risk. In fact, a
by-product of laying security (which spreads risk) is that it is
easy to understand and thus implement control structures when you
consider trust as one of the factors.
<snip>
___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
-- ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Keith C. Perry, MS E.E. Managing Member, DAO Technologies LLC (O) +1.215.525.4165 x2033 (M) +1.215.432.5167 www.daotechnologies.com