brent timothy saner via plug on 11 Aug 2020 09:35:03 -0700



Re: [PLUG] news


On 8/11/20 11:47 AM, Keith via plug wrote:
> 
> On 8/10/20 5:29 PM, brent timothy saner via plug wrote:
>> On 8/10/20 5:09 PM, Thomas Delrue wrote:
> 
> <snip>
> 
>> I might as well get guards, triple sets of locks, and half-inch steel
>> doors on my house because I don't know if that knock is the postal
>> worker, the neighbor, or an assailant.
>>
>>
>> Perhaps you misunderstand me.
>>
>> *Ideologically*, I agree with you. Encryption should absolutely always
>> be an option, and be unrestricted by mandate. Its use should never be
>> questioned or assumed malignance or anything of the sort. Everyone
>> should have a right to privacy and integrity of data, and so forth. I've
>> been a pretty steady patron of the EFF for many years.
>>
>> *Practically*, however, I take issue with "encrypt all the things
>> always, and fuck you if you disagree because we say so". In a *perfect*
>> world, things would have been designed to allow for this. But they
>> haven't, so it's incredibly short-sighted to just jump to the guns
>> without consideration of the issues it's going to present. (Like what
>> happened with DoH.)
>>
> +1
> 
> I once had a conversation with CJ where I said, "everything is a
> function of risk" and security work has taught me that more than
> anything else.  What you are always trying to do is create a balance
> between a set of parameters- technical, human, practical, ideological,
> etc.  Your calculus is the same task no matter your parameter set-
> you're spreading risk (or pure risk as financial folks might say).
> 
> If you take the factors as ideological and practical you have to accept
> it's never one or the other because solutions have to be real.  You are
> seeking the right balance (i.e. risk spread- how ideological can I be,
> how practical can I be?) so that a certain confidence (or risk
> tolerance) can be met.
> 
> This is easier to understand when you have a lot of information to
> analyze (discussions about risk are rooted in the law of large numbers
> from probability theory) but that doesn't always translate to the
> individual.  What a government or large company does to spread risk
> isn't necessarily what a small company or individual should do, but it
> could be.  Do all individuals need 24/7 armed security? No, but you could
> certainly understand why some celebrities and politicians do, or why,
> say, a women's shelter might.  You could further understand why almost
> everyone has locks on their house.
> 
> I know people like to talk about "trust" as THE key component of
> security, but when you look at security in a more comprehensive manner
> (i.e. include things that are not just about technology solutions),
> trust is certainly a factor, but I think far too much focus is placed on
> that instead of understanding risk.  In fact, a by-product of layering
> security (which spreads risk) is that it is easy to understand and thus
> implement control structures when you consider trust as one of the factors.
> 
>> <snip>

For clarity for the archives, Keith quoted me. The first paragraph is an
example of why ignoring actual risk factor is troublesome and
overcomplicating.

But yeah, he explained much more eloquently the point I'm trying to
make. It's important to balance risk factor into the equation, and he
explains why it's important here.


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug