Expect to lose in highly surprising ways.
However given AWS is so complex (which is required because they want to be a gatekeeping platform) leading the uptime to struggle to match a decent home setup, I'm not sure. I'm sure there's no 6 figure bonus for checking the generators are working, but a rounded corner on a button on an admin page?
When you start successfully reaching many people you can be sure that security agencies will start watching you.
If relevant adversaries don't know which computer to burn the exploit on, then they won't burn it on the right one.
<NO CARRIER>
If you are a target you are screwed. But clever crypto isn't useless.
Most people just don't care enough until after they're hacked, at which point they care just enough to wish they'd done something more previously, which is just shy of enough to start doing something differently going forward.
It's not that normies are too stupid figure this out, it's that they make risk accept decisions on risks they don't thoroughly understand or care enough about to want to understand. My personal observation is that the concept of even thinking about potential future technology risks at all (let alone considering changing behavior to mitigate those risks) seems to represent an almost an almost pathological level of proactive preparation to normies, the same way that preppers building bunkers with years of food and water storage look to the rest of us.
Actual security is possible even against the most powerful and determined adversaries, and it's possible even for you.
(Portions of the US intelligence apparatus knew, but that knowledge didn't transition into action)
It's one of the many asymmetries that changes when you are the defender versus the attacker. As the defender, you have to be right 100% of the time. As the attacker, you have the luxury of being right only 30% of the time. The law of large numbers is on the side of the attacker. This applies to missile offense/defense and to usage of intelligence.
This information asymmetry is also one of the key drivers of the security dilemma, which in turn causes arms races and conflict. The defender knows they can't be perfect all the time, so they have an incentive to preemptively attack if the probability of future problems based on their assessment of current information is high enough.
In the case of Gaza there was also an assessment that Hamas were deterred, which were the tinted glasses through which signals were assessed. Israel also assumed a certain shape of an attack, and the minimal mobilisation of Hamas did not fit that expected template. So the intelligence failure was also a failure in security doctrine and institutional culture. The following principles need to be reinforced: (i) don't assume the best, (ii) don't expect rationality and assume a rival is deterred even if they should be, (iii) intention causes action, believe a rival when they say they want to do X instead of projecting your own worldview onto them, (iv) don't become fixated on a particular scenario, keep the distribution (scenario analyses) broad
b. The Mossad is the equivalent of the CIA, they are not meant to act inside Israel
For that purpose is Gaza inside or not inside Israel?
The amount of examples we've seen of this is staggering.
> If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone
It's like a Mossad agent read this paper and thought hey that's actually not a bad idea.
But the core rant is about dubious assumptions in academic cryptography papers. I was also reading a lot of academic crypto papers in 2014, and the assumptions got old real fast. Mickens mocks these ideas:
• "There are heroes and villains with fantastic (yet oddly constrained) powers". Totally standard way to get a paper published. Especially annoying were the mathematical proofs that sound rigorous to outsiders but quietly assume that the adversary just can't/won't solve a certain kind of equation, because it would be inconvenient to prove the scheme secure if they did. Or the "exploits" that only worked if nobody had upgraded their software stack for five years. Or the systems that assume a perfect implementation with no way to recover if anything goes wrong.
• "you could enlist a well-known technology company to [run a PKI], but this would offend the refined aesthetics of the vaguely Marxist but comfortably bourgeoisie hacker community who wants everything to be decentralized", lol. This got really tiresome when I worked on Bitcoin. Lots of semi-technical people who had never run any large system constantly attacking every plausible design of implementable complexity because it wasn't decentralized enough for their tastes, sometimes not even proposing anything better.
• "These [social networks] are not the best people in the history of people, yet somehow, I am supposed to stitch these clowns into a rich cryptographic tapestry that supports key revocation and verifiable audit trails" - another variant of believing decentralized cryptography and PKI is easy.
He also talks about security labels like in SELinux but I never read those papers. I think Mickens used humor to try and get people talking about some of the bad patterns in academic cryptography, but if you want a more serious paper that makes some similar points there's one here:
And for added fun, that same radical decentralization crowd, finally settling on the extremely centralized Lightning crutch, which is not only centralized but also computationally over complicated and buggy.
If you have a single company, then that's easy enough for a group like Mossad to infiltrate. Probably easier than a distributed system.
2FA isn't going to protect me from cruising altitude walkie talkie detonation and having the debris scattered over an impossibly wide area.
I guess the best thing to do is not take an airline of a country that has recently showed public support for Gaza specifically during a humanitarian visit in the months prior to my flight.
Thankfully none of this is true and everything the mainstream media and governments tell us are true - imagine if things weren't as they seemed?.. Craziness... Back to my password manager!
I like his using Mossad as the extreme. I guess "Mossad'd" is now a verb.
The range of things people do on security is wild. Everything from publicly expose everything and pray the apps login function some random threw together is solid to elaborate intrusion detection systems.
https://scholar.harvard.edu/files/mickens/files/thenightwatc...
> A systems programmer will know what to do when society breaks down, because the systems programmer already lives in a world without law.
samlinnfer•2h ago
chao-•1h ago
I have a fond memory of being at a party where someone had the idea to do dramatic readings of various Mickens Usenix papers. Even just doing partial readings, it was slow going, lots of pauses to recover from overwhelming laughter. When the reading of The Slow Winter got to "THE MAGMA PEOPLE ARE WAITING FOR OUR MISTAKES", we had to stop because someone had laughed so hard they threw up. Not in an awful way, but enough to give us a pause in the action, and to decide we couldn't go on.
Good times.
eeeficus•1h ago
isoprophlex•52m ago
hilarious AND scary levels of prescient writing...