Decentralised systems tend to lose to centralised ones because there's no money locus for advertising, development or curation.
It's not totally doomed; the popularity of Snapchat suggests there is demand for services that don't make everything saved and visible forever.
Disagree. In practice security as a guarantee must do so (e.g. the OpenBSD opinion), but security as a gradient need not (e.g. the web opinion).
If Browser X defaults to the TLS version of a page regardless of what the user requested, but gracefully falls back to the unsecured page without action but with a yellow banner across the URL, does this not increase user security without preventing them from doing insecure things?
The objective is not perfect security but rather increased herd security.
If the minimum security threshold (specifically with respect to encryption) is raised, then we all benefit. Decentralized vs centralized and the feasibility of each are an argument for farther down the road (as long as we don't lock ourselves into one or the other). There's much lower-hanging fruit!
For instance, encryption lets me back up files to cloud services that I don't trust. Without the technology of encryption, my security requirement would have me not backing up files at all. I wouldn't just decide "oh, whatever" and back up unencrypted files.
SSL lets me access my bank safely (enough) from a coffeeshop wifi connection. Without SSL, I'd walk into a physical bank or ATM. I wouldn't decide "probably nobody's trying to hack me" and connect to my bank in cleartext.
Bad technologies manifest as an obstacle to users, yes. But passwords are pretty much the epitome of bad technology in the security field. (It's a legitimately hard problem, so I'm not claiming that people should be doing other things, but we also shouldn't let ourselves think that passwords are good.)
SSL, for all that the implementation sucked and still sucks, enabled the e-commerce revolution of the mid-'90s.
Any recommendation on an accessible, audited client for Windows users? Running some company's random binary, especially when you log in and they can identify you, implies a fair amount of trust. Tarsnap's the best one I know of and it's not really accessible for most users.
Better to have a written-down strong password than an easy-to-remember password not written down.
I've heard somewhere of military organizations having people trained to go in an office and search the places people "hide" their password sticky-notes...
I do agree with your profit motive. I consider that a potential opportunity rather than a problem.
Yeah, e-mail systems lost :-) Anyway, corporate monopolies are the problem, not systems.
Here are a few of his thoughts on the matter:
https://www.schneier.com/blog/archives/2009/02/balancing_sec...
https://www.schneier.com/blog/archives/2009/08/security_vs_u...
https://www.schneier.com/blog/archives/2009/09/unauthenticat...
Schneier's own words: """ Designing systems for usability is hard, especially when security is involved. Almost by definition, making something secure makes it less usable. """
Feel free to disagree with one of the leading experts in the field, but I doubt you'll end up right.
No, he both isn't that and isn't regarded as that either.
Define security. Not too long ago it was considered "rude" to have a not world-readable home directory on a unix server.
Today, "everyone" is worried about SIGINT by nation states. Meanwhile, there's little talk about things that can actually protect you from criminals, like why is code written so shittily in general and why aren't we using a Rust-like solution for internet-facing applications? Why is AV useless and unable to stop well-known malware like CryptoLocker variants? Why are my desktop/cloud files unencrypted by default? Why are phishing scammers constantly emailing me with realistic-looking fake sites? Why doesn't Microsoft have a solution to the "download invoice.pdf.exe" problem?
Yes, Obama reading my "maymays" is bothersome, but that's not what my grandma needs. She needs a better way to get online and not get infected, have her identity stolen, etc. So, who gets to define priorities here? You? I'd rather lean towards protecting Grandma than geeks obsessed with the NSA's data collection program. Morally, I see the former as more important. That's my bias and it's as valid as yours. If we can't agree then who can?
Grandma needs a phone. A lot of those problems are implicitly disappearing as a majority of tech-illiterate users are moving to mobile platforms, which are far more locked down.
> So, who gets to define priorities here? You?
Those that work on it? Why isn't that obvious? Steps towards fixing either problem are good, so those that work on them get to work on whatever the hell they want, really.