Is security a zero sum game

[apoyusiken]

The question is, is there something that can actually improve public cyber security. Now you can hurt it by for instance failing to protect public data. But lets say you did something to improve it. Then 'hackers' will just target the ones who arent using your protocol. So ultimately is it futile?

[Acid Panda]

Security is a game of always catching up. Hackers will always be one step ahead. its why bug bounty programs exist. Its also a consideration of who is hacking you. Someone from their bedroom just seeing if they can are easier to stop but if its a state you stand no chance.

[GarlicDeliverySystem]

32 minutes ago, apoyusiken said:

So ultimately is it futile?

No, but you have to think a bit different about it.

 

Pushing for systemic changes will have much wider impact than raising awareness and pushing for individual best practices. That is why things like asking for end-to-end encryption on messaging apps or for opening the source code of important applications is so important to some people: by pushing for systemic changes you change the protocol for everyone. Push for best practices to be wildly adopted, like 2FA and the use of password managers so you don't have to reuse passwords.

 

 

 

 

[OddOod]

1 hour ago, apoyusiken said:

So ultimately is it futile?

No. Never. 
Security is always going to be tit for tat. Yes upgrading security will close some holes and open others. But we have been trending to more and more security over time. 
Nothing will ever be perfectly secure (even air gapping can be beaten, see stuxnet). But we can and do  improve security over time 
 

 

1 hour ago, apoyusiken said:

Then 'hackers' will just target the ones who arent using your protocol.

This is why many widely used devices will automatically update their security without user interaction. 
 

[apoyusiken]

22 minutes ago, OddOod said:

No. Never. 
Security is always going to be tit for tat. Yes upgrading security will close some holes and open others. But we have been trending to more and more security over time. 
Nothing will ever be perfectly secure (even air gapping can be beaten, see stuxnet). But we can and do  improve security over time 

but imagine there is literally no security and you can access any device. then the odds of someone targeting you is very small too. 

[Millios]

Imma take it a lil backwards

 

There will always be smb that can hack into anything

 

Why shouldnt security try to catch up to that?

 

If they try to catch up to the best the amount of ppl that can "hack" that will fail cause they arent up to par will be much more by comparisson

 

So instead of thinking "it is a waste cause there will always be that 1 guy" think of like "if they can catch up or give so much trouble to the best then the rest are 

below him wont even touch this no matter their efforts"

 

I'd rather there is an extreme minority rathetr than everyone being able to hack their way into anything

[SpaceGhostC2C]

An arms race is not the same as a zero-sum game.

[GarlicDeliverySystem]

42 minutes ago, apoyusiken said:

but imagine there is literally no security and you can access any device. then the odds of someone targeting you is very small too. 

They don't have to target you anymore at that point, they can just trawl the web and gather all the information. Then they could set up an automatic system to use your credit card information or use your PC as part of a bot system or mine bitcoin. Security on some level is always a tradeoff between how "valuable" you are as a target to how many people vs how easy is it to get at your stuff/information/data.  

If it costs an attacker next to nothing to pull your data as well, open a few credit cards in your name or place random orders on your amazon account, someone will do it sooner or later. But if they would need to invest either some computational resources (brute forcing a password, multiple connections through lots of different clients), burn an exploit they only know about, or even set up some social engineering, then they will chose their target very carefully to get the best return on their "investment".

 

The idea of hiding as a small fish in a giant swarm of fishes in hopes of throwing off your would-be attacker is pointless, given that giant nets and trawlers exist. They'll just scoop up the whole swarm.

[apoyusiken]

3 hours ago, Millios said:

Imma take it a lil backwards

 

There will always be smb that can hack into anything

 

Why shouldnt security try to catch up to that?

 

If they try to catch up to the best the amount of ppl that can "hack" that will fail cause they arent up to par will be much more by comparisson

 

So instead of thinking "it is a waste cause there will always be that 1 guy" think of like "if they can catch up or give so much trouble to the best then the rest are 

below him wont even touch this no matter their efforts"

 

I'd rather there is an extreme minority rathetr than everyone being able to hack their way into anything

my point is there will be a minority that can easily be hacked and they will be targeted automatically

[apoyusiken]

2 hours ago, GarlicDeliverySystem said:

They don't have to target you anymore at that point, they can just trawl the web and gather all the information. Then they could set up an automatic system to use your credit card information or use your PC as part of a bot system or mine bitcoin. Security on some level is always a tradeoff between how "valuable" you are as a target to how many people vs how easy is it to get at your stuff/information/data.  

If it costs an attacker next to nothing to pull your data as well, open a few credit cards in your name or place random orders on your amazon account, someone will do it sooner or later. But if they would need to invest either some computational resources (brute forcing a password, multiple connections through lots of different clients), burn an exploit they only know about, or even set up some social engineering, then they will chose their target very carefully to get the best return on their "investment".

 

The idea of hiding as a small fish in a giant swarm of fishes in hopes of throwing off your would-be attacker is pointless, given that giant nets and trawlers exist. They'll just scoop up the whole swarm.

the idea is that there will be unprotected swarms so there is no point in (over)protecting your swarm

[Millios]

9 hours ago, apoyusiken said:

my point is there will be a minority that can easily be hacked and they will be targeted automatically

And? 

When it comes to smt bad there will always be smb who gets screwed sadly.

Be it diseases, wars, crimes, the current GPU marker where we all get screwed etc etc 

The problem might never go away for some but that doesn't mean that we can't try to prevent it for most 

[apoyusiken]

5 hours ago, Millios said:

And? 

When it comes to smt bad there will always be smb who gets screwed sadly.

Be it diseases, wars, crimes, the current GPU marker where we all get screwed etc etc 

The problem might never go away for some but that doesn't mean that we can't try to prevent it for most 

my point is more security might actually not change a thing since a level of security will ultimately be enough

[GarlicDeliverySystem]

5 hours ago, apoyusiken said:

my point is more security might actually not change a thing since a level of security will ultimately be enough

I invite you to turn off all safety and security measures then, I'll keep mine on if you don't mind. Let's see how that goes.

[SpaceGhostC2C]

6 hours ago, apoyusiken said:

my point is more security might actually not change a thing since a level of security will ultimately be enough

 

It depends for what. My apartment's door doesn't have the same security measures as the door to a Federal Reserve building. I don't think I'm at a particular risk for not having the maximum level of security that exists. I also think the Federal Reserve could not get away with the same security as my house.

[starsmine]

for joe shmoe, its a lot about keeping honest people honest. 

if you are in a position to be targeted, you need a lot more then that.