Security, Threat Profiles and Risk

~ cafebedouin

“It’s very easy to come away from [Lockpicking Lawyer’s] LPL’s [YouTube] channel with a frigid jolt of fear: the realization (whether new or renewed) that so much of what we think is secure is unsafe, that our sense of day-to-day wellbeing depends heavily on what are ultimately poor assessments of what is risky and what is without risk…If LPL’s channel presents a masterclass in lockpicking, it offers other lessons as well: that security lies not, as the frigid-to-lukewarm reactions of lock manufacturers attest, in a libertarian fantasy of earnest corporate responsibility, nor in the individualistic and ultimately futile construction of personal fortresses of solitude, but in the things that make us secure in each other. These too are factors that keep us safe, whether in conditions of obscurity or not. Everything is open.”

-Erica X. Eisen, “Everything is Open.” hazlitt.com. April 5, 2023

I’d probably amend to say, “Everything is potentially open.” I went through a period of trying to understand basic computer security principles. I started using a password manager, a VPN and trying to use more secure operating systems like OpenBSD. Probably the best place to learn, for the user, is to try out TailsOS, which is a security focused version of Linux that funnels all network traffic via Tor.

The more you learn about security, the more you realize that many of the tools we use aren’t secure, and often, the users are the weakest link. For example, you could use something like Tor, but if you reuse passwords and do not follow some of the practices that the Tails system suggests, you are probably not any safer than just using a normal operating system with a VPN. The standard truisms apply. Security is a process. How much security you need depends on your threat profile. Edward Snowden needs better security practices than your typical corporate employee.

The only completely secure system is the one that isn’t used. Use opens up vulnerabilities. The real question is understanding what risks you are most likely facing and learning mitigation strategies to minimize them. But, being more open is better, and in many instances, you can trust in the good nature of the average person. A view, once I see it typed out here, strikes me as both naively optimistic and true.