Random security thought: Beyond Trust

I talk a lot about “trust.” Generally in connection with the phrase “don’t trust anything you don’t understand.”

This is because trust, at its lowest level, contains vulnerability — “open your mouth and close your eyes.” And the exploitation of vulnerability is the root of so much of the evil that security tries to prevent.

Understanding is an antidote to this vulnerability, at least on the human level.

I saw a link on Y Combinator’s Hacker News today which, despite being totally unrelated and apparently free of exploitation, went to the heart of this. Guy walks into the house of some friends, they say “it’s time you grew up” and tell him to eat something, without further explanation.

This is the tiniest, most miniature version of a phenomenon that bugs me on a very fundamental level: the idea that someone should do something with no real understanding at all of the possible consequences for them or others.

To my eye, the (impossible?) ideal is that this never happens — that we always act knowing the up- and downside risks, having been able to weigh them appropriately. That the guy in the case above, rather than just being told to eat something and doing it, understands beforehand the likely physical, biological, and mental effects, the risks, the rewards, and all the rest… and only then, based on that knowledge, decides whether or not those are what he wants.

In a larger sense, I suppose the “ideal world” goal of defensive security as I see it is the implementation of the libertarian principle that you can do whatever you like up until it infringes on someone else — by ensuring that anyone can protect themselves from the infringements of anyone else. But good luck ever making that a reality :/

