“Locks only keep an honest person honest”. We all know this is true, but don’t think much more beyond gradeschool wisdom. All our houses are designed with the implicit understanding that they present only a facade of security, a hurdle of trouble, to dissuade all but the most determined, and reckless. But why do cheap wooden doors prevent theft, when billion dollar company networks are ripe for plundering. Because the cheap wooden door requires a personal, physical investment to break down. It is risk.
Same thin with locks. A common side-hobby of computer security professions is lockpicking. Fully embracing the understanding that technical mechanisms can be defeated is a central understanding of the craft. All security can be broken. Every time they open that lock without the key, they hold in their hands to reminder that security is not about locks, it is about the social contract in what they everyone who sees it.
It is the social contract that is core. A door doesn’t stop a good kick. A lock doesn’t stop someone with a minute of time to pick it. What gives us true security is society’s incentive strcture against violating it.
This is all completely broken in cyber security
In cyber security, I can try to kick a door thousands of times, and probably no one will hear it. I can spend months on a lock used by millions of other people, and still no one will probably ever see me. Not only is risk to the attacker taken away, the actions are so abstracted that they get lost in the noise. They become invisible.
Its critical to communicate to the public why they’re vulnerable. Why the old assumptions don’t work. Why a cheap wooden door they never think about with a lock that can be picket with a BIC pen is good enough for their house. But a changing password and all the tech in the world isn’t enough for their online accounts.
That’s part one of the trifecta: Why nothing works like it should anymore.