Back when I studied #cryptography in the 1990s, my wonderful professor gave an intro lecture and one of his first points was: "Security" by itself does not exist. You have to state the property you want to secure, and describe the attack model. Moreover, claiming #security as a generic absolute feature marks someone who does not really know what they are talking about. Can't stop remembering this lecture ;)
@hpk @bsdphk Absolutely correct. My phrasing, to my students, is "what are you trying to protect, and against whom?"

@SteveBellovin @hpk

Not to #bikeshed but...

In my experience, asking "whom?" only works if the person you ask has a competent(-ish) threat model, which no normal people do.

The implicit focus on intentionality also downplays the much more frequent accidental loss of control.

At least for me, it works better to ask what outcomes we are trying to avoid, and work through the intentional, incidental and accidental scenarios that lead there.

@bsdphk @SteveBellovin @hpk

Those things are part of the process patterns in our "Security Patterns" book.

@bsdphk @SteveBellovin Yes, actual user outcomes are the pivotal measurement! Which also depends on which users you ask/care about. For example, device seizure remains the most common and dangerous attack for most people, but many Western IT folks are not exposed to it and rather focus on NSA-level adversaries and endlessly discuss complicated defense schemes against them.