Conversation

Notices

1. Embed this notice
   Steve Bellovin (stevebellovin@infosec.exchange)'s status on Tuesday, 06-May-2025 15:42:33 JST Steve Bellovin

   in reply to

   • holga
   • Poul-Henning Kamp

   @hpk @bsdphk Absolutely correct. My phrasing, to my students, is "what are you trying to protect, and against whom?"

   • Embed this notice
     Poul-Henning Kamp (bsdphk@fosstodon.org)'s status on Tuesday, 06-May-2025 15:42:33 JST Poul-Henning Kamp

     in reply to

     • holga

     @SteveBellovin @hpk

     Not to #bikeshed but...

     In my experience asking "whom?" only works if the person you ask have a competent(-ish) threat-model, which no normal people do.

     The implicit focus on intentionality also downplays the much more frequent accidental loss of control.

     At least for me, it works better to ask what outcomes we are trying to avoid, and work through both the intentional, incidental and accidental scenarios that lead there.

     feld likes this.
   • Embed this notice
     holga (hpk@chaos.social)'s status on Tuesday, 06-May-2025 15:42:35 JST holga

     Back when i studied #cryptography in the 1990ties, my wonderful professor gave an intro lecture and one of his first points was: "Security" by itself does not exist. You have to state the property you want to secure, and describe the attack model. Moreover, claiming #security as a generic absolute feature marks someone who does not really know what they are talking about. Can't get rid of remembering this lecture ;)