For your amusement


Alan Karp

Sep 17, 2021, 7:20:20 PM
to <friam@googlegroups.com>
In the real world, threat models are much simpler. Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPest...@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say "It wasn’t us" as they wear t-shirts that say "IT WAS DEFINITELY US," and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them.

Bill Frantz

Sep 18, 2021, 4:46:35 PM
to fr...@googlegroups.com
This is actually a fine real-world analysis. Consider the latest
Apple zero-day flap. There is a flaw in Apple products that
allows an attacker to pull off a zero-click complete compromise.
So far, the only known use is by the NSO Group's "Pegasus" tool.
They sell to governments, and perhaps serious non-government
actors which are friendly to Israel. (Wikipedia notes: The
Pegasus spyware is classified as a weapon by Israel and any
export of the technology must be approved by the government.)

As a low-profile individual, I don't think you have much to
worry about. But if you're a journalist, human rights activist,
or named Jamal Khashoggi, I would worry.

Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | "The only thing we have to fear is fear itself." - FDR, Inaugural address, 3/4/1933
(408)348-7900 | www.pwpconsult.com
Periwinkle, 150 Rivermead Rd #235, Peterborough, NH 03458

Raoul Duke

Sep 18, 2021, 10:41:01 PM
to fr...@googlegroups.com
Huh, I can't relate to the "I probably have nothing to worry about"
stance for any privacy or civil rights threats, and 100x when it comes
to digital stuff (as opposed to say having to manually plant physical
bugs).

William ML Leslie

Sep 19, 2021, 2:49:52 AM
to Design
I'm with you.

My TL;DR on this one is "Security research is esoteric and irrelevant,
let's release another version of Windows".

There's definitely a degree to which - ok, unless you really want to
write your own operating system, language runtimes, and browser, and
build your own hardware, and have a lot of time - you can probably get
by if you apply patches for known vulnerabilities, attempt security
best practices like using a password manager and an unguessable
password, firewalls, and minimising the amount of code that you run
from untrustworthy sources. But this is very much an arms race, and I
feel that if you weren't completely mortified by the Snowden
revelations then you weren't listening. In the latest move in this
arms race to potentially impact me, the federal government where I
live has passed a law permitting law enforcement to, among other
things, break into the machines of those they suspect of being
involved in a crime and even plant evidence on said machines. At the
same time, I hear reports that those in Russia who do as I do on the
weekend are beaten and thrown into prison for six years. What exactly
is /my/ government up to? No idea. Just because a group is not
the FSB today does not mean that they will still not be tomorrow.
While they may lock me up at some point - most likely after some
manipulation of public opinion - how easy should it be for them to
gain access to my contacts and movements? Right now, it's almost
trivial.

There is no reason for it to be technically possible to gain control
over someone's machine via bugs in the browser or office suite. We
know how to build secure systems, and to make them usable; it's just
effort. Suggesting that it's enough to simply keep up to date with
your patches and use a good password is imagining that these threats
won't keep growing, and is perhaps dangerously irresponsible advice.
But perhaps I'm not the target audience, or Microsoft is just an
environment I don't comprehend.

--
William Leslie

Q: What is your boss's password?
A: "Authentication", clearly

Notice:
Likely much of this email is, by the nature of copyright, covered
under copyright law. You absolutely MAY reproduce any part of it in
accordance with the copyright law of the nation you are reading this
in. Any attempt to DENY YOU THOSE RIGHTS would be illegal without
prior contractual agreement.