Hacker News new | ask | show | jobs
by SilasX 3586 days ago
The problem in claiming "the evidence says..." in cases like this is that the body of potential perpetrators is intelligent and adaptive.

Say someone cracks a major bank account by guessing "password" as the password. The bank changes the password.

I claim that the weak password was a security risk, and changing it was the right response.

Someone comes a long and gives me a data-intense lecture about "well, electronic bank theft was already declining, and it accounts for only a tiny fraction of financial losses, so changing the password was a waste of time, and was in the context of the IT department using a bunch of pretexts to order people around".

How would you refute that, given all the evidence on their side?
1 comments
Bjartr 3586 days ago
I'm having trouble building an internally consistent response because of things like how "changing a password" is a trivial change, i.e. I'm struggling to take into account the hypothetical in a way consistent with your intent and with what reality would have to work like for the hypothetical, as given, to hold true.

Mind trying again with a different example?

link
SilasX 3586 days ago
The smallness of the change doesn't affect the point I was making. [1] The point is that you can't simply look at the raw incidence rates and conclude that specific added countermeasures are unnecessary or irrelevant to the attacker's incentives.

If you agree with that, then you agree with my general point and it's just an issue of which specific countermeasures survive a CBA.

[1] In fact, I chose a small change specifically to highly the absurdity of being bound by low/declining attack rates.

link