> it's one of those cases where insecurity can turn out to be a good thing

Well, it's usually a good thing when the bad guys make a mistake, isn't it? "Oh, I wanted to blow up this building, but I set my timer to the wrong time zone." Oops, now the police have an extra hour to evacuate the building and dismantle your bomb.

What matters is: Good for whom? Obviously, insecure tools are not good for the person who relies on them for mission-critical tasks. But what is good for that particular person and that particular task might not be good for other people and other tasks. Since "good" is relative, "perfect security" is also relative. Perfect security for whom?

And what do we mean by "security", anyway? Let's say we think of security as the ability of a system to resist interference from anybody other than its legitimate user(s). But then the question becomes, who are the legitimate users? If Apple is the sole legitimate user of a device, it makes sense for that device to resist your attempts to interfere with its Apple-approved functions. That's perfect security for Apple, perfect security for Steve Jobs's posthumous ego. If you are the sole legitimate user, on the other hand, the device should resist Apple's attempts to tell you what you can or can't do with it. That's perfect security for you, but it comes at the expense of perfect security from the point of view of Apple designers.

As for CryptoLocker, the whole purpose of that program is grossly immoral, so does it even have a legitimate user? Unfortunately, it is becoming increasingly clear that perfect security for one party does not always align with perfect security for some other party.

The interesting case is: if I am the sole legitimate user of the device, should my device resist my attempts to run cat_pictures_infected_with_cryptolocker.jpg.exe?