Morkonan wrote: Personally, I think everyone should be as paranoid as the most wanted hacker on the planet. Everyone should be using encrypted-everything with every encrypted, anonymous, bit of stuff that's possible to use and still be able to get one's machine to function.
This sort of attitude is nonsense, though. Any security advice that starts with "you should take these inconvenient steps" is going to get ignored. Rule #1 of security: If your security measure is inconvenient, your users will find a convenient way to circumvent it. Corollary: if your security measure is "you should do this", they won't. Relatedly: The more disproportionate to the actual threat your proposed security measures are, the less seriously anyone will take them. Also relevant: changing your behaviour is inconvenient in itself, even if the changed version is easier. [1]
A better security idea to teach is this: Start by asking what you want to protect, and from whom. Go from there. Telling J Random User, who really only cares that they don't lose their files, money, or dignity, to take a battery of measures suited to protect you from "Putin has it in for me personally", would cost more in lost productivity than it ever saved in security if anybody was ever going to actually listen to you in the first place.
The security industry is slowly beginning to wake up to the idea that we need to make good security convenient, and pick our battles, but it's a damn slow process. [6]
[1] This is why nobody really listens to me when I say "you don't need antivirus any more, just use Windows 10 and for god's sake patch" [2]. When I say "just Windows Defender is fine", they don't hear "AV is pretty irrelevant", they hear "use this AV I heard somebody say isn't very good!" Because we wasted a *decade* teaching everybody that Security == Antivirus, because early Windows versions were so laughably insecure that you needed to pay a third party to crash around in your kernel patching things at random [3] just to beat any malware you might bump into to the punch. Microsoft finally cracked down on this after XP and kicked all the third parties out of the kernel with driver signing enforcement [4] because a significant chunk of the crash dumps they got were caused by AV misbehaving. By this point they were taking security seriously as well, but they couldn't just shrug and say "right, AV isn't needed any more" because we'd trained everybody to assume that not having AV was the depth of insecurity by this point! [5]
[2] Microsoft have, with typical Microsoft aplomb, managed to shoot themselves in the foot on this. Users don't install patches because it's inconvenient. Chrome and Firefox both update themselves automatically now to deal with this - Firefox will occasionally mention that it has updated to you; Chrome just does it completely silently and you'll never notice. Nobody complains about these things, because nobody notices, which is basically the definition of convenience, and it makes everyone MUCH more secure. Meanwhile, everybody complains CONSTANTLY about Windows forcing updates on you because it takes ten minutes and inconvenient reboots. I honestly have no idea why Windows updates are so clunky - any given desktop Linux distro can update nearly anything silently in the background if you configure it to (which is increasingly the default) and occasionally ask for a reboot if you've had a kernel/core library update.
[3] Ever wonder why you couldn't run two antiviruses at once? Yeah, this.
[4] Which caused a spectacular inconvenience drama itself.
[5] Also, they'd created a massive secondary market which would have been DEEPLY unhappy about having their business model just turned back off again.
[6] See also: recent changes to password advice along the lines of "oh hey remember that thing where we told you to change your password every three months? We finally thought about checking what people actually *do* when we tell them to do that and, oh hey, turns out it doesn't actually help, so never mind that. Just try and use good passwords, use a password manager, and change stuff if you think it's actually been compromised." But I bet you still have to change your password at work every three months, because again we wasted a decade training people that Security == Regular Password Changes and now it's ingrained in the popular consciousness as Necessary no matter how stupid it is.