
andy vt's tools & blog

automating lazy


Security is a hassle. That's the point.

We don't put locks on our doors because it's convenient. We do it to create inconvenience when someone wants to open them, hoping the bad guys respect that and move on to an easier target. We use other methods like alarms, cameras, etc. to encourage the selection of other, easier targets. None of these things is a guarantee against a determined adversary with the right tools. Using these techniques is not costless to us. It's a pain to have to carry a key, remember to carry a key, enter key codes or set the alarm. Of course, we do these things because the hassle they create for us also affects those who would otherwise prey on our stuff. It generally works because the hassle is disproportionate.

The same thing is true about electronic doors. We use passwords and usernames to lock down accounts on the Interwebs. We make the same exchange in hassle there (i.e. remembering passwords & usernames on myriad sites) as we do in the physical realm, hoping to realize the same disproportionate trade-off. Two-factor authentication doesn't change the fundamentals; it just ratchets up the inconvenience realized by us and the bad guys.

Adding to this, we have to trust that the companies that host "our" data are investing the appropriate amount of care in building locks and safes. Are they using SSL, hashing our passwords, or building social-engineering-resistant recovery mechanisms? These things aren't free; they cost money (a lot of money) and time to buy, build, and implement properly - everywhere.

At its core, security is just about creating inconvenience, hopefully economically unviable amounts of inconvenience, and that's a hassle. For everyone. If only it was this easy:


Published Apr 11 2013, 05:27 AM by babgvant