[tech/security, privacy, p/a/s] Fwd: Everything Is Broken

Aug 04, 2016 16:21

This post, Everything Is Broken, by Quinn Norton, is excellent. Much of it I know, but there were some astute, surprising, and in retrospect obvious observations. E.g.: Then there’s the Intelligence Community, who call themselves the IC. We might like it if they stopped spying on everyone all the time, while they would like us to stop whining

security, anthro, soc, privacy, tech, psych

Unknown Argument ext_3713399 August 4 2016, 21:46:47 UTC
I'm not sure I understand the author's argument in the second section you highlighted.

“Most of the world does not have install privileges on the computer they are using.”

This usually applies to corporate networks or institutions. An activist or journalist *should not* be joined to Active Directory, have some third-party element limiting managing their OS, etc. So, how is a security expert saying, "you're boned" in response to, "I can't install anything", arrogant or myopic?

It's totally true. You should communicate as if you are in plaintext. But on the other hand, if you have the ability to manage your device, marginal security is well within reach. If you are on a device that you cannot manage, it is entirely appropriate for someone in cybersecurity to reply, "Change that." The author's argument about respecting the nature of activists is fine, but what does she, or should we, expect?

I appreciate the entire article's premise, everything is broken (within that domain)--yet that isn't limited to computers, the Internet, or cybersecurity either. That is a feature embedded in most games.

Re: Unknown Argument gipsieee August 5 2016, 04:46:11 UTC
Many* people have internet access through their local library, an educational institution's lab, or an internet cafe. And in those settings they do not have install privileges.

*Globally, possibly most is more accurate than many. Although at this point cell phones may have eclipsed that... and they present security nightmares of their own.

Re: Unknown Argument siderea August 5 2016, 06:39:21 UTC
So, how is a security expert saying, "you're boned" in response to, "I can't install anything", arrogant or myopic?

Because security experts aren't just describers-of-security. They are also makers-of-security-products. When someone says "I can't install anything", they aren't asking a question, they're pointing out a bug. When a "security expert" says "you're boned" in response to, "I can't install anything", they're saying, "you're boned because my profession couldn't be bothered to help peons like you." Which would be basically the definition of both arrogant and myopic.

I regularly use at least one desktop application on Windows to increase my security which requires no installation at all. I often wonder what other useful secure applications could be built not to require installation, but which at present do, because of lack of concern for the situation of people who can't install applications.

Re: Unknown Argument ext_3713399 August 6 2016, 00:39:59 UTC
I hadn't considered all the available options for non-installable applications. For example, if you are able to run putty.exe on your local computer, you can at least encrypt communications via SSH. Which application(s) are you referring to?

Yet still, if you have an intelligent enough person administrating the device you're using, they could still block the execution of any binary with the same hash as (insert application here). Or block the availability of binaries via removable devices. Or disable file downloads (to degrees).

An intelligent administrator could track the execution of any process (following up on their retribution after reviewing the logs or being alerted by some monitoring application). Like the NSA, encrypted communications can be secured to ideally later be broken.

If you can blame security experts for anything, it's ignorance of the multitude.

Security is always evolving, and I have no doubt that certain people in that industry develop products specifically for others affected as described. Still, again, an intelligent administrator may defeat the security expert no matter, and the battle returns. There's no silver bullet.

And so, yes! If you want to achieve what marginal amount of security is available to you, you must secure one of the endpoints (at least). And, if you aren't able to, secure some option that subverts that, inasmuch as the existing system allows. Like I suggest, there's many ways to skin a cat, so while an application that can be run while not installed may resolve the immediate scenario, it doesn't remove the nature of the situation.
