12 comments

[ 5.4 ms ] story [ 37.6 ms ] thread
False dichotomy in the name of injected identity. Strengthening against state actors is strengthening against stalkers.
>> Strengthening against state actors is strengthening against stalkers.

Yeah, maybe, usually... but certainly not always. You can certainly strengthen against stalkers in different ways than you can against state actors, I think? I guess I've not thought this through much, but I don't think of this as a false dichotomy. These things over lap in a bunch of ways, but then also we can defend against each in very different ways. Things that keep out stalkers won't stop a state actor, though most likely anything stopping a state actor would keep out a stalker. Most of us don't need/want to defend against the NSA, but we need to defend against adversaries with skills equal to a stalker. It may even be that we can't really defend against a state actor if we end up in their sites, they have essentially unlimited money time and people to throw at us. It could be that just one extra password stops a regular person though?

I took his point as being one of priorities. This reminds me of that Google Chrome master password thing from several years ago.

That was the point I was making in the post, yes.
Not necessarily. If you start thinking about p2p versus centralized retrieval methods, leaking your access pattern directly to Wikipedia might be nicer than leaking that access pattern to friends who have a personal interest in you.

(FWIW I think this post is an exercise in pouring gasoline on flamebait).

As basically anyone who's spent any time anywhere near the security industry will testify, many security researchers are not the nicest people.

I wonder if there's any correlation between being a security researcher and authoritarianism, because that's my impression of many of them.

If you were talking about "security people" in general, I'd agree strongly, but that's pretty much the opposite of the impression I get from vulnerability researchers.
I agree with tptacek here. The common enterprise CISSP I've met seems to have an authoritarian streak, sure. A lot of the ones that work in or were trained by the intelligence community, obviously. But a good chunk of the security engineers and vulnerability researchers I've met have a strong distaste for the authoritarian structures, arbitrary hierarchies, and in some case the concept of the state itself.
As basically anyone who's spent any time anywhere near the security industry will testify, many security researchers are not the nicest people. Some of them will end up as abusive partners, and they'll have both the ability and desire to keep track of their partners and ex-partners.

This is some of what got me started with security professionally (I'd been doing vuln research since my late teens, but not vocationally).

I was running systems for a Chicago ISP, and someone gave me a copy of Michael Neuman's IP-Watch (the sequel to his TTY-Watch tool) to kick around. Being able to watch random network connections --- this is the mid '90s, and network connections were all far more... interactive... than they are now) was so disturbing that I had a hard time getting it out of my head.

I ended up writing a paper about tools like IP-Watch (what we now call intrusion detection systems), which is probably the only thing that really got me taken seriously early in my career.

(Half this site seems to think I'm a paid employee of the NSA, and I have a weird hang-out about spelling my politics out to get out of sticky arguments, so I'm always happy to have a natural chance point out that, uh, no.)

It's worth noting that a lot of attacks that seem hard to pull off get sooner or later packaged up in ways that people with remarkably little knowledge about computers much less computer security can use them.

An old roommate of mine had a friend that found it funny to change my wallpaper while I was out of my apartment. I didn't find it as funny so I set login passwords.

At some point it started happening again, and I eventually figured out my system had a bootkit on it that made it always accept a certain password. This wasn't a guy who knew what a bootkit was, conceptually, but managed to find one and instructions for how to install it.

(comment deleted)
(comment deleted)
I'm a little confused about the point here. Security researchers often hunt down bugs that are deemed esoteric or state-actor only. Security researchers are often the sort of people who would do things like stalking. Therefore we need security researchers to find security flaws so other security researchers can't use them?

If that is the point, it seems to humanize the problem space in a different sort of way. Security researchers are people, too. Some are "good", some are "bad", but most people are in between. But instead of framing your work on targeted individual attacks as a journalist being targeted by a state-level actor, realize that there are other researchers out there with your same very specific set of skills which would allow him/her to target someone of their own choosing. In this example, perhaps the researcher is vindictively stalking an ex.

Outside of that, though, I can't help but think that there is a much more interesting and broader point about the humanity that is affected by the work you do in both security and privacy. If you consider people who are not as skilled, but still as vindictive, malicious tweets from fake accounts multiple times per day is pretty bad. Couples that share passwords can end up really enabling this vindictive behavior. (gasp who would ever share passwords to something private like that? Perhaps an abusive partner demands access to email and hangs onto a recovery key.)