by jsjohnst 2957 days ago
I was recently meeting with the Head of Security for a large firm. He had a pretty decent explanation of the process of implementing security that I thought was very apt. The way he put it, there are two overarching milestones, “liability” and “actually secure”. “Liability” is where you have checked all the right boxes to be able to aptly defend yourself in court, and is the achievable goal. “Actually secure” is the pipe dream you will always strive for but never obtain.

In college I had a Prof who was a leader in network technology and was hired as an expert witness for the RIAA trials for people getting busted illegally downloading music and movies. I lost all respect for him when he was working a case where an elderly lady had an open wifi connection on her home router. He never brought up the fact that it's not possible to know what was going on behind the NAT wall, and that because her wifi had no encryption, anyone driving by could use it.

Now that I'm older it worries me that it is very possible to go to court and be on the right side and have a judge and jury who cannot comprehend these basic concepts. I've had bosses who work in the software/hardware industry not understand these concepts; God forbid I ever have to defend myself in a public forum.