Hacker News new | ask | show | jobs
by nonrandomstring 804 days ago
> these unknowns

Sorry to throw a Rumsfeld at you, but I think these are "unknown unknowns".

If people were aware of the presence and significance of such critical knowledge voids I do not believe they would tolerate them.

I see it as the job of civic cybersecurity to bring precisely these sorts of things to wider attention and educate folk on why they are are problematic.
1 comments
_factor 804 days ago
I think visibility is one aspect, but not the whole story. An average home user runs Windows and doesn’t necessarily care if a hypothetical backdoor could exist in their hardware/software stack.

They browse the web, do their banking, and share photos on SM after checking their mail and searching for Tiramisu recipes.

The existential threat to themselves is low, so they don’t dig further into the ramifications. Journalists, whistleblowers, activists, “undesirables”, those are the primary concerned parties.

The civic cybersecurity aspect needs to lay out a clear benefit to free speech and oppression which makes tangible sense to day to day life. I’m not quite sure how to spread this level of awareness, or highlight the importance of such measures in a way that hits home.

link
sdwr 804 days ago
Being worried about a hardware backdoor in your network card is more about technology fetishism than realistic threat analysis.

It's like suburbanites being worried about home invasion. Sure, it's technically possible to happen, but the concern reflects personal neuroses rather than practical considerations.

There's a disconnected, individual grandiosity in both cases - "what I have is so valuable that other people want to take it!". Conveniently, the solution always seems to be more individual actions to disconnect further. Security systems, lockdown, heightened fear of a shadowy Other.

link
nonrandomstring 804 days ago
You are minimising [0,1].

(I also think you are wrong in your risk asessment)

[0] https://www.berkeleywellbeing.com/minimizing.html

[1] https://en.wikipedia.org/wiki/Minimisation_(psychology)

link
htek 803 days ago
That is not minimizing. Minimizing from a psychological perspective is to present an event that has occurred as unimportant or insignificant. Had the OP said "suburbanites have nothing to worry about if they are targeted in a home invasion" would be an example of minimizing. The rising fear about crime in general, or home invasion in particular, is a disconnect from the actual risk of either happening to oneself. Violent crime overall is somewhere south of 25 incidents per 1,000. That's 2.5%. Which is 2-3x less than it was 30 or 40 years ago. Increased visibility in the media along with influence peddlers in social media whip up fear and neuroses for more clicks/income that make things appear worse than they ever have been. Which tends to lead people to believe the false narrative that "life was better when I was a (much more uninformed) child/young adult."
link
nonrandomstring 803 days ago
There are two things I want to respond to here.

First, I agree with everything you just said about rising fear and the total disconnect of actual risk from how it is presented.

See my response above to sdwr viz emerging protection rackets in computer security, and my later comment about Ross Anderson's important paper after which I (and Edward Snowden) have found the words "Insecurity Industry" rolls off the tongue - for example Amazon's Ring Doorbell ecosystem which cynically preys on distorted perceptions of suburban crimes.

Other people have commented on that here, and I think they are correct. But let's not allow that to distract us from the reality that cybersecurity is in an appalling state and that the risks are very, very real, and getting worse.

The "insecurity industry" exploits that - while offing no substantial solution, and indeed has no interest in fixing things (as a principal agent problem) - but that's separate from the threat reality.

A great way to understand this might come from reading some of Bruce Schneier's wonderfully clear writing on security theatre and security perception. They sell the problem and the solution. Fear and safety often come in the same packaging, like those Taco kits or fruit and yogurt combos.

Anyway - not wishing to end argumentatively but "minimising" is appropriate because sdwr makes aspersions to grandiosity. It is a really strong characteristic to gaslight or undermine the other as "over-dramatic" etc, not just downplaying the facts. respects.

link
nonrandomstring 803 days ago
> Conveniently, the solution always seems to be more individual actions to disconnect further. Security systems, lockdown, heightened fear of a shadowy Other.

BTW, I also think you are very right about this. The Insecurity Industry preys on fear. But it offers no substantial solutions. That doesn't mean the risks aren't real. They are. Modern software engineering is a calamity. Everything is full of holes. What is at issue is motives. The insecurity industry doen't want anything fixed. It wants, as you say, to lock down all your stuff, control it, and make you pay twice or thrice to use your own property. A protection racket is very different from offering actual "security". I try to expand on that here [0]

[0] https://cybershow.uk/blog/posts/love

link
jbboehr 804 days ago
> "what I have is so valuable that other people want to take it!"

While I do agree this may apply somewhat to the original topic, your dig at suburbanites seems like a mischaracterization. Perhaps the upper/upper-middle classes feel this way. I would expect most other folks are primarily worried about being murdered during the event.

link
reaperducer 804 days ago
While I do agree this may apply somewhat to the original topic, your dig at suburbanites seems like a mischaracterization. I would expect most other folks are primarily worried about being murdered during the event.

With the murder rate in America near historic lows, I think the person you're replying to is spot-on. It's a lot of hysteria fueled by social media, foreign actors, and the fact that security paranoia is a very lucrative business for a lot of companies.

https://www.macrotrends.net/global-metrics/countries/USA/uni...

Yes, there has been a recent uptick, but it's still 30% below what it was 30 years ago. Heck, it's almost 20% lower than it was 100 years ago.

https://www.statista.com/statistics/1088644/homicide-suicide...

To find a U.S. murder rate lower than 2014, you have to go back to 1906.

But security companies, alarm companies, conservative politicians and their media partners, police unions, and others with a financial interest foam at the mouth to make it seem like things have never been worse.

link
nsxwolf 804 days ago
These statistics do not help anyone create a reasonable personal risk assessment.

Murder is at an all time low! But my sister in law is a drug addict, and last year she got mad so her boyfriend shot and killed a family member right in their nice suburban foyer.

There's more to it than that.

link
spencerflem 803 days ago
I'm sorry to hear that, but that does match my understanding that there's very few murders done by a random stranger in their own home.

Most people worrying about home invasions arent thinking about it being their niece.

link
nonrandomstring 804 days ago
A fascinating finding is that the explosion of cybercrime (against the person, so scams, theft etc) inversely and almost perfectly tracks the fall in violent physical crimes like robbery, hijack, burglary [0].

This leads to the problematic idea that a high tolerance is given to cybercrime because it "shifts" it to a more acceptable form (given that all other factors, policing budgets, causes of crime etc remain constant).

That's one interesting conspiracy/explanation for why rampant digital crime is officially played down whereas almost non-existent street crime is "marketed" by Amazon Ring and other elements of the "Insecurity Industry"

[0] https://www.research.ed.ac.uk/en/publications/measuring-the-...

link
0x457 803 days ago
I had such doorbell to know when packages and food is dropped off. Not worried about it being stolen or house being robbed.
link
j33zusjuice 804 days ago
I get the sense it isn’t possible. “What do I have to hide?” “Who would target me?” “I have nothing worth stealing.” Sadly, all those are common replies to what you’re saying needs more awareness.
link
phkahler 804 days ago
>> “What do I have to hide?”

Your gmail account - which is used for password resets from anywhere on earth

>> “Who would target me?”

Criminals

>> “I have nothing worth stealing.”

How about your identity?

link
HeyLaughingBoy 804 days ago
I think people understand cybersecurity very well in the context of a phone but don't think about it with desktops or laptops.

I let someone who was housesitting for a neighbor use my phone because she had left hers in the house and accidentally locked herself out. The neighbor called her back (on my phone of course) and she automatically handed it to me so I could unlock it.

My phone was never locked: too much of a pain to bother with.

It struck me then that I'm the only person I know who doesn't lock their phone. And that's primarily because I wasn't using Google Pay or had any information on that phone more sensitive than my mom's phone number.

For most people it seems that since a phone is a more personal item than their laptop, they instinctively do more to secure it.

link
nonrandomstring 804 days ago
> I think people understand cybersecurity very well

People do understand the risks in cybersecurity very well [0].

Here we interviewed literally ransom strangers on the street, There are about 10 or 20 individuals in this episode but in fact I've interviewed over 100 now and it's all the same;

1) People are very aware of risks, phishing, backdoors, bad links, not scanning QR codes, not installing dodgy "apps"... they get it. Kids get it, Old people get it.

2) They are very aware of the consequences; "identity theft", being tricked, having money stolen, being embarrassed or blackmailed, loss of device or denial of service... Mums get it. Grannies get it.

3) There are daytime TV interviews with people crying their hearts out on camera after being scammed of their life savings. These are popular programmes presented by family presenters like Angela Rippon and Ester Ranzen in the UK.

4) They don't have the first clue who to turn to, or any sense of empowerment to do anything about it (other than abstain). Some think the government should step in. Others say schools and parents are responsible for educating kids from a young age in digital self defence.

So the old "What have I got to hide" trope is painfully naive now and limited to a few diehard old computer beards still in denial that their Internet got fucked-over by criminals.

I think it's important to be in touch with what real people (outside our echo chamber of developers and hackers) really think.

[0] https://cybershow.uk/episodes.php?id=18

link