I’ve written a few things recently which have elicited some pretty “passionate” responses and I’ve been trying to put my finger on precisely what it was they had in common. More than that though, there’s been a theme that’s really irked me and I reckon I’ve worked out what it is: people are mounting security arguments from within bubbles.
One of those was about unhealthy security absolutism amongst certain people who bemoaned the fact that you can go out and get SSL for free from CloudFlare in about 5 minutes flat. It’s not that they were unhappy with the fact that websites presently bereft of any SSL could get it easily, it’s that the SSL may not be perfect. In their bubble, they’re looking at the security and measuring it against the ideal state of perfection we’d all like to be striving for. Now that’s a good goal, but by neglecting to measure against the present reality and instead decreeing that “it’s not perfect therefore its useless” (or various sweeping statements to that effect), they totally miss the point of just how much we gain over the present status quo with so little effort.
It was a similar story yesterday when I wrote about my analysis of the Dropbox hack and how I’d established the legitimacy of the breach data. It wasn’t my methodology that people had problems with, rather the fact that cloud storage was never to be trusted for anything. Dropbox had a security incident ergo “the cloud” is bad and you should use it for cat pictures and that’s about it. Now let us not downplay the significance of it – it was a major event that should never have occurred – but a 4-year-old incident like this which exposed strong hashes is not grounds for throwing out every modern day cloud implementation. What it is grounds for is to remind us of why things like multi-step verification in conjunction with strong passwords created and stored in a password managers are important. Speaking of which…
Every time there’s the slightest inkling of a problem with a password manager there’s a chorus of individuals wanting to burn them at the stake. Never mind that the risk isn’t exploitable unless you’re in the middle of a solar eclipse standing on the leeward side of a grassy knoll in the Scottish Highlands (or an equivalent highly improbable series of circumstances), it’s a good headline so yeah, down with password managers. Of course the alternative is we go back to using our inferior human brains to memorise and then reuse a small collection of poorly chosen passwords (which sadly, is the normal state of affairs anyway), but that alternate reality never seems to feature in the arguments.
The point of all this is that discussions about encryption or cloud storage or password managers or any other security construct for that matter, need to occur in a holistic fashion that looks not just at the technology in question, but how it stacks up against the alternative approaches. Problem is, that requires a lot more considered thought which apparently, is just not appealing to some people.