
Good point. It is important to realize that being too obsessive about security is possible, and to know a reasonable point at which to draw the line.

But there is a difference between the two types of attack you describe that seems to change the rules on the web at least somewhat.

The difference is risk to the attacker. If I start punching someone on the bus, getting thrown off is the optimistic outcome. I could reasonably expect to be arrested, or assaulted in return, possibly fatally.

But if I post malware on the web, the worst I could reasonably expect is that the offending content is taken down, my account with that host rescinded, and assuming I do nothing to conceal my identity, I may become known as the type of scumbag who does such things. I grant that much worse results are possible, but it just doesn't seem realistic to expect much worse punishment, so long as a government or large corporation wasn't a serious victim.

Or so it seems to me. Thoughts?




While I agree with you, I also think this line of reasoning is a distraction. If we could prevent people from punching you on the bus by technological means with very little drawback, we would.

It's hard for me to see what is the difference between people who question formalizing best practices in computing and people who disagree with modern car engines and seatbelt laws.

We do these things not because it always makes a difference for one single person all the time but because it makes the system move in the right direction, leading to possibilities we couldn't foresee from the beginning.

Someone who works in "real world" security and always has to weigh the downsides, e.g. the implications of privacy when installing a security camera on a bus, must think we are crazy questioning such low-hanging fruit.



