Hacker News new | past | comments | ask | show | jobs | submit login

So, where does it end?

Cybersecurity has been playing those silly games of "increasing security" and some 80% of recommendations were frankly BS

"longer passwords" yes. "password has to have symbols, numbers and be rotated every 3 mo" no

2FA yes, but not SMS, but not OTP because people get fished, blah blah blah

Not to forget the "put everything in a password manager" then you lose or forget your "extra safe random password" and are SOL

Meanwhile there are still incompetent people around that think asking for Mother's Maiden Name should be a security question

So where does it end?




> So where does it end?

It doesn't (can't) ever end because security is a process, not something you achieve and are done.

With ~inifite budget, one could achieve perfect security (but only for a clearly scoped threat model) for an instant, but both the infrastructure and the attackers move on, things constantly change, so it's not perfect anymore. And of course infinite budgets don't exist.


I don’t think it ever truly ends, so long as there are secrets and people who want to uncover them. This is the classic arms race, and subsequently people who can’t keep up are just casualties…


It ends when you have an internet that has consequences. To get proper consequences, you need all users on the network to be identifiable and every device linked to that identity. With ipv6, you can give each person a (few?) static ipv6 address(es). This will basically allow you to determine where and who originated every piece of information on the internet. Next to every comment/photo or other upload, your real name/surname and facial photo needs to show. For each country you travel to, you get an IP address and you are bound to all laws for that country. Your IP address basically becomes your online passport. Anonymity is a source of massive amounts of nastiness online, there are things that people say/do online that they would never do in real life as there are social consequences. The same rules can be applied (or even stricter ones) to businesses or any server, that way you know who your attackers are. It should also be easier to block out whole countries from connecting to you, if you want that (not enforced).

Obviously, no children should be allowed online even in a clean / locked down version of the internet. Ideally no ads/marketing should ever target children either.

I have the same impulse as most people that locking the internet down is a bad idea, but it seems like that is the only natural outcome eventually. We either stop abusing the internet and keep some form of freedom of speech / freedom (some countries values this more than others), or eventually the internet might become heavily regulated/controlled, which is the path we are currently on. Companies are already testing the waters with this, in some cases they are all ready committed to this (see self-hosting email vs big providers blocking small sender).

The problem of security is just an arms race towards the above, it is just a side effect because it is tolerated / no real consequences for misuse of the internet in most countries (that includes leaking data, being breached and data stolen, or just plain ol phishing - companies face zero consequences for data breaches).

Another way to think of it, you have a scale: on one side you have ultimate control, ultimate safety, no freedom - on the other side you have less control, less safety, but absolute freedom. The security arms race is just the shifting of balance between the two extremes.


Smart cards have long been mostly phishing proof. WebAuthN is essentially a more convenient interface to the same technology.


Then your phishing involves them installing some type of remote access on their machines. Or to get some information you need


Don’t worry, we’ll cover this in annual mandatory security training.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: