Whether a system is “safe” or “trustworthy” depends heavily on your threat model. Do not presume you understand everyone's threat model. And honestly, don't assume anyone understands their own.
@petrillic don’t you DARE bring nuance into a conversation on the internet.
@ainmosni you'd think after almost 40 years, I'd have learned my lesson... BUT NO!
@petrillic let this be a lesson to you, young man! :P
@petrillic on a more serious note, the number of times I've had to stop a team from putting a huge amount of effort into mitigating a potential attack vector with the words “once they can do that, we have much more serious problems” is pretty high.
@ainmosni I am constantly shocked by things like "well, if AES is broken..." MY DUDE, WE THEN HAVE OTHER PROBLEMS.
@petrillic I’ve had exactly that conversation.
@ainmosni I have found it amazingly helpful to maintain a catalog of adversaries, their capabilities, motivations, limitations/etc. "Show me on the adversary listing where they hurt you…”

@petrillic I recently had a conversation where someone claimed that a systemd unit that detects a certain volume and then automatically starts a backup to said volume was a horrible hole.

And I’m like, this is a hole if they can physically add a disk to the computer, are aware that the computer does that, and know the UUID of the volume that the unit monitors. And that’s assuming neither the volume nor the backup is encrypted.

I think I can live with that.

@ainmosni every time someone comes up with “well, what if someone can physically touch...” then all bets are off, buster brown. I've worked on NSA-certified tamper-resistant TEMPEST-qualified devices. The level of effort required is staggering, as is the price tag.

That is not your threat model.

Something I keep saying is “Too many people are worried about the threats they wish they had, not the risks they do have.”

@petrillic yep, sounds about right, and in corps it’s also just a lot of larping to feel cool and important.