
Priorities in security - zdw
http://mjg59.dreamwidth.org/44363.html
======
Saavedro
It's worth noting that a lot of attacks that seem hard to pull off sooner or
later get packaged up in ways that people with remarkably little knowledge
about computers, much less computer security, can use.

An old roommate of mine had a friend that found it funny to change my
wallpaper while I was out of my apartment. I didn't find it as funny so I set
login passwords.

At some point it started happening again, and I eventually figured out my
system had a _bootkit_ on it that made it always accept a certain password.
This wasn't a guy who knew what a bootkit _was_, conceptually, but he managed
to find one and instructions for how to install it.

------
leodeid
I'm a little confused about the point here. Security researchers often hunt
down bugs that are deemed esoteric or state-actor only. Security researchers
are often the sort of people who would do things like stalking. Therefore we
need security researchers to find security flaws so other security researchers
can't use them?

If that is the point, it seems to humanize the problem space in a different
sort of way. Security researchers are people, too. Some are "good", some are
"bad", but most people are in between. But instead of framing your work on
targeted individual attacks as a journalist being targeted by a state-level
actor, realize that there are other researchers out there with your same very
specific set of skills which would allow him/her to target someone of their
own choosing. In this example, perhaps the researcher is vindictively stalking
an ex.

Outside of that, though, I can't help but think that there is a much more
interesting and broader point about the humanity that is affected by the work
you do in both security and privacy. If you consider people who are not as
skilled, but still as vindictive, malicious tweets from fake accounts multiple
times per day are pretty bad. Couples that share passwords can end up really
enabling this vindictive behavior. (_gasp_, who would ever share passwords to
something private like that? Perhaps an abusive partner demands access to
email and hangs onto a recovery key.)

------
thescribe
False dichotomy in the name of injected identity. Strengthening against state
actors is strengthening against stalkers.

~~~
mjg59
That was the point I was making in the post, yes.

------
tptacek
_As basically anyone who's spent any time anywhere near the security industry
will testify, many security researchers are not the nicest people. Some of
them will end up as abusive partners, and they'll have both the ability and
desire to keep track of their partners and ex-partners._

This is some of what got me started with security professionally (I'd been
doing vuln research since my late teens, but not vocationally).

I was running systems for a Chicago ISP, and someone gave me a copy of Michael
Neuman's IP-Watch (the sequel to his TTY-Watch tool) to kick around. Being
able to watch random network connections (this is the mid '90s, and network
connections were all far more... interactive... than they are now) was so
disturbing that I had a hard time getting it out of my head.

I ended up writing a paper about tools like IP-Watch (what we now call
intrusion detection systems), which is probably the only thing that really got
me taken seriously early in my career.

(Half this site seems to think I'm a paid employee of the NSA, and I have a
weird hang-up about spelling my politics out to get out of sticky arguments,
so I'm always happy to have a natural chance to point out that, uh, no.)

------
userbinator
_As basically anyone who's spent any time anywhere near the security industry
will testify, many security researchers are not the nicest people._

I wonder if there's any correlation between being a security researcher and
authoritarianism, because that's my impression of many of them.

~~~
micaksica
I agree with tptacek here. The common enterprise CISSP I've met seems to have
an authoritarian streak, sure. A lot of the ones that work in or were trained
by the intelligence community, obviously. But a good chunk of the security
engineers and vulnerability researchers I've met have a strong distaste for
authoritarian structures, arbitrary hierarchies, and in some cases the
concept of the state itself.