The problem with Internet risk is that people are forced to be paranoid whether they want to or not. Let me explain. In the physical world, we all make personal choices about risk all the time – should we lock our door, let our kids cross the street, hop on an airplane, etc.? We get to make the choice based on our interpretation of the publicly available information around the decision in question.
In the online world, "regular" people must acquiesce to the demands of the paranoid who have taken it upon themselves to decide what is in everyone else’s best interests. If they want there to be increased risk, they go out and create it. So rather than Joaquin Phoenix(‘s relatives) running around with tin foil on his head, the entire world has to do it. "White hats" and "black hats" alike are consumed with this level of security elite power.
If the risk is there, there is nothing the "good guys" are doing that will eliminate it (this is a key point – I suggest reading it over and over until its meaning actually dawns on you). Even reducing it is pretty unlikely, based on current research. If it isn’t there, we are just proving how geeky security people can be and forcing everyone else to live on our terms, and ultimately ruining the online experience for many people.
“If the risk is there, there is nothing the ‘good guys’ are doing that will eliminate it (this is a key point – I suggest reading it over and over until its meaning actually dawns on you). Even reducing it is pretty unlikely, based on current research.”
Can you elaborate a bit on that? I agree with “If it isn’t there, we are just proving how geeky security people can be and forcing everyone else to live on our terms, and ultimately ruining the online experience for many people.” but not necessarily with the former statement.
This is a reference to the FACT that the probability of a white hat and a black hat finding the same vulnerability is very, very low within the random world of every vuln that exists everywhere, and of course black hats are motivated to actively reduce even this number. We all are pretty certain that, on average, about 10 NEW vulns will be found by good guys tomorrow, the next day, etc. And yet we do nothing about them today, even though those are the vulns we claim to care about.
(I shouldn’t have said “there is nothing [we] are doing…” I meant that statement with respect to white hat vulnerability research.)