Andrew: That is exactly what I was trying to say but you explained it much better :-)
Erik

Sent from my iPad

On Aug 8, 2012, at 6:37 AM, [email protected] wrote:

> On Tue, Aug 07, 2012 at 05:18:02PM -0700, [email protected] wrote 4.7K bytes
> in 111 lines about:
> :partial defenses using any technology tool. I may feel too strong about
> :tools being discussed as THE solution or THE bulletproof vest so to speak.
>
> I'm not picking on you Erik, but this comment finally struck me
> about what's bothered me with this debate. There is no such thing as 'the
> bulletproof vest'. I think this is what some have been trying to
> say, too. Bulletproof vests, like safes, are misnamed for marketing
> purposes. Bulletproof vests are rated for resistance against classes and
> types of ammunition. Personally, I think computer security tools need
> to be more easily identified and rated on a scale for their resistance
> to specific threat models.
>
> Way too many security people assume the perfect adversary, which even the
> NSA, FSB, MSS, or other national intelligence agencies could never live
> up to (but they will sure help you believe they are perfect). With a
> perfect adversary, all is lost. On a theoretical level, a perfect
> adversary is a fine goal to defeat. On a practical level, a perfect
> adversary doesn't exist.
>
> Bulletproof vests are rated based on type of ammunition, distance from
> shooter, how many repeated strikes it will survive, and how much force is
> transmitted to the wearer per strike. Any professional physical security
> person will understand the trade-offs between desired resistance, vest
> weight, and likely risks. The material choice matters as well, as kevlar
> or armored plate perform differently. Generally, these professionals will
> explain to you how the bulletproof vest protects you and when it doesn't.
>
> People are horrible at assessing risk. Give someone a basic local-police
> quality bulletproof vest with no explanation and they feel they are
> invulnerable and adjust their risk-taking accordingly. If you explain
> to them that the vest will last for one, maybe two, shots from a .45
> and that FMJ rounds will go right through it, and that anything from a
> 1m range will likely knock you out from the concussive force of impact,
> suddenly this person adjusts their expectations and behavior. The
> bulletproof vest suddenly seems less bulletproof and the wearer
> understands the risks.
>
> In general, when working with someone (activists, law enforcement,
> abuse victims, teenagers, etc) I try to understand their threat model,
> explain what solutions work when, and why nothing is perfect. Ultimately,
> the person is the one that needs to make the risk assessment and adjust
> accordingly. My risk acceptance is different from theirs. I can't make
> the decision for them.
>
> There is no ultimate tool for security, just different tools for different
> needs in your toolbox. Some tools are better than others along a scale. If
> it is easier to understand threat models and resistance against them,
> everyone would be better off.
>
> My $0.02.
>
> --
> Andrew
> http://tpo.is/contact
> pgp 0x6B4D6475
> _______________________________________________
> liberationtech mailing list
> [email protected]
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list moderator
> in monthly reminders. You may ask for a reminder here:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
