<div dir="ltr"><div class="gmail_default" style="font-family:garamond,serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-02-08 12:44 GMT+01:00 ianG <span dir="ltr"><<a href="mailto:iang@iang.org" target="_blank">iang@iang.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 8/02/2015 00:05 am, Bill Frantz wrote:<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 2/6/15 at 3:10 PM, <a href="mailto:kentborg@borg.org" target="_blank">kentborg@borg.org</a> (Kent Borg) wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Ah, but then one would have to stop and figure out what one is trying<br>
to do...damn! Can't I just ask for Wholesome Apple Pie and be done?<br>
</blockquote>
<br>
The more I hear people talk about making thing secure, the more I hope<br>
they will explain what they mean by secure. What I mean, in the broadest<br>
sense, is "Bad Things Won't Happen". Now this is a bit over nebulous. :-)<br>
</blockquote>
<br>
<br></span>
Well, they often do, as we see. The issue isn't so much that the result is nebulous, but that security is *individual*.<br>
<br>
In the old days, we used to say, WYTM or what's your threat model? The problem with this was it captured the above fallacy perfectly -- we were all searching for the one threat model to rule all others.<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:garamond,serif;display:inline">The more useful questions is: What are the most important security attributes of your resources and what are your most important resources.</div></div><div><div class="gmail_default" style="font-family:garamond,serif;display:inline"><br></div></div><div><div class="gmail_default" style="font-family:garamond,serif;display:inline">The fallacy of the treat model is best illustrated by the second/third lock analogy. Ask a cop and a fireman the same question: "Should I use the second and third lock on my door?" </div></div><div><div class="gmail_default" style="font-family:garamond,serif;display:inline"><br></div></div><div><div class="gmail_default" style="font-family:garamond,serif">For the cop the thread model would be intruders and thus the answer would be a definite yes. </div><div class="gmail_default" style="font-family:garamond,serif">For the fireman the thread model would be fire and smoke and thus the answer would be a definite no. When you look at the most valuable resource (you and your family) and the most important security attributes (survival), than you can start to look at the local crime and fire statistics to try and calculate the most appropriate use of your locks. Maybe if you live in an urban area on the US south you should use the locks but if you live in the north of Europe not using the locks would maximize the chances of survival. Maybe you should choose to use your additional locks during the holiday season when there are more house brake ins. Maybe you should stop using these locks during the dry season. The base idea is, it doesn't really matter how you die, dying is the least acceptable outcome and thus the policy should be geared at minimizing the 'all cause' probability of dying.</div></div><div class="gmail_default" style="font-family:garamond,serif"><br></div><div class="gmail_default" style="font-family:garamond,serif"><br></div></div></div></div>