undefined | Better HN

0 pointsjodrellblank6y ago0 comments

The idea behind your complaint is "if we tell good people about risks, then bad people will know about them. If we keep them secret from good people, then bad people won't find out about them". Or, "if we don't make a list of open doors, then bad people can't find which doors are open". Which is .. not true. Bad people will already be making their own list of open doors, and sneaking through them without being noticed, over and over again.

> all almost all people would do just fine

Here's an ongoing ransom attack in the UK, started on New Year's Eve: https://www.bbc.com/news/business-51017852 The ransom is in the millions of dollars range, Travelex websites in 30 countries down for a week, Sainsbury's money exchange websites down for the same time, and "Dates of birth, credit card information and social security numbers [of customers] are all in their possession, they say."

Not looking at problems doesn't stop problems from existing.

0 comments

5 comments · 2 top-level

perl4ever6y ago· 2 in thread

"Which is .. not true. Bad people will already be making their own list of open doors, and sneaking through them without being noticed, over and over again."

But the vast majority of people do literally have front doors which cannot guard them from 1% of the possible attacks in the world, if they were targeted. Never mind the best ones in the world.

jodrellblankOP6y ago

The internet brings a much bigger attack surface than local people who can reach a front door, and home users access the same openssh as companies do, but companies (can) afford stronger doors. "Most people's home doors can't withstand a hit from a sledgehammer" -> "we shouldn't talk about cryptographic weaknesses in case someone abuses them" is a stretch, the comparison does break down.

[1] is a fun YouTube video about physical pen testing; one example at 13:45 in the video, the presenter is walking home from a bar, walks up to a locked high street bank, spits a mouthful of beer through the gap in the doors, triggers the presence sensor on the inside which lets people out, and the door opens and lets him in.

[1] https://www.youtube.com/watch?v=rnmcRTnTNC8

perl4ever6y ago

"The internet brings a much bigger attack surface than local people who can reach a front door"

"Local people", huh. My front door is visible to everyone on the internet, and I have no practical way to prevent that. Some obscure company went by with their mapping vehicle and...

Now, some people do live in big buildings where less is exposed to the outside, but millions don't.

1 more reply

gist6y ago· 1 in thread

> "if we tell good people about risks, then bad people will know about them. If we keep them secret from good people, then bad people won't find out about them". Or, "if we don't make a list of open doors, then bad people can't find which doors are open".

You are not recognizing the nuance which is typically the case with people who supports practically any and all disclosure and thinks it's good plain and simple. With almost no downside at all (not the case).

In particular this: "then bad people won't find out about them"

My point is that disclosure makes it simpler for more bad people to find and learn and inflict damage damage. Unclear to me how you could think that isn't what has and is happening. If someone say publishing how to create a card skimmer at a gas station then more people (who are bad actors) will then have what they need to give it a try. If not there will be people who have figured it out and people who will put the effort into figuring it out but you must realize vastly less will do that, right? The disclosure removes a great deal of friction.

The amount of effort and friction and the amount of 'bad people' that can be actors is many magnitudes larger (I would argue) as a result of disclosure.

jodrellblankOP6y ago

What I think you're missing is that the disclosure could come from a bad person who doesn't care about any of your arguments. It's like I'm saying "banks should invest in vaults to protect against theft" and you're saying "that costs money and disruption of building work, what if you just don't talk about where the money is kept". I agree that if people didn't steal the money, that would be nice. But most of the people who are talking about where banks keep money with a view to stealing it, aren't going to shut up in order to keep the money safe, because they don't care about keeping the money safe. So if us bank customers stop talking about it, a) that doesn't keep it quiet, and b) our money gets stolen.

It would be a nice world if we could tell companies about flaws and they fixed them, and nothing went public, but instead we tell companies with "responsible disclosure" and they ignore it, don't spend any effort on it, act incompetently leaving it with first line support people who don't understand it and have no path to escalate it, have no security contacts available for reports, cover it up or deny it or try to silence it with NDA style agreements, prioritise shareholder profit or public image over it, and generally behave irresponsibly in all possible ways that avoid them having to deal with it, with very few companies excepted.

In light of that, public disclosure with all its risks, actually does kick companies into taking action, and closing risk vectors for good. Like companies who say "we put customers first!" but it takes a complaining public Twitter thread for them to even respond at all. Telling people to not take it to Twitter ignores the fact that there's no other way which seems to actually work.

Give an alternative which also gets problems fixed, and I'll be much more in favour of it.

j / k navigate · click thread line to collapse

0 comments

5 comments · 2 top-level

perl4ever6y ago· 2 in thread

"Which is .. not true. Bad people will already be making their own list of open doors, and sneaking through them without being noticed, over and over again."

But the vast majority of people do literally have front doors which cannot guard them from 1% of the possible attacks in the world, if they were targeted. Never mind the best ones in the world.

jodrellblankOP6y ago

[1] https://www.youtube.com/watch?v=rnmcRTnTNC8

perl4ever6y ago

"The internet brings a much bigger attack surface than local people who can reach a front door"

"Local people", huh. My front door is visible to everyone on the internet, and I have no practical way to prevent that. Some obscure company went by with their mapping vehicle and...

Now, some people do live in big buildings where less is exposed to the outside, but millions don't.

1 more reply

gist6y ago· 1 in thread

In particular this: "then bad people won't find out about them"

The amount of effort and friction and the amount of 'bad people' that can be actors is many magnitudes larger (I would argue) as a result of disclosure.

jodrellblankOP6y ago

Give an alternative which also gets problems fixed, and I'll be much more in favour of it.

j / k navigate · click thread line to collapse