Everything is Insecure: What Matters is What You’re Getting vs. Giving Up

zoom some good news

I’ve been thinking a lot about this Zoom situation. It’s fascinating to me that millions are using it as a lifeboat to humanity while others label it a threat.

Throughout the media you have people substituting their in-person events with virtual ones, and they all seem to be using Zoom. John Krasinski gave this medium a pulse when he had the entire cast of Hamilton perform together for a little girl. It was extraordinary.

This got me thinking more about the implicit tradeoffs we make in life with regard to functionality vs. risk—tradeoffs that we’re really bad at capturing and articulating.

Driving is basically insane. We have these massive networks of interconnected highways, where people take giant self-propelled missiles and fly them in particular directions. You’re usually just separated from an oncoming, life-changing accident by a few feet and a bit of paint. And there’s no way to know if the person in the other car is drunk or looking at their phone.

And even though thousands of people die every year in traffic accidents, nobody would even take seriously the idea of getting rid of cars and roads. We accept this risk because driving is a requirement for our society to function.

It’s a tradeoff calculation that everyone makes automatically in their head—a massive amount of good on one side, and a little bit of bad on the other.

tire fire

The internet is a tire fire of horrible software. It’s astounding that the internet even works given how bad the infrastructure and software is. Basically every corporation in the world has been publicly hacked, and it’s to the point now where nobody even cares when they hear about another one. We’re like 20 years into this silly experiment and every month we have a Tuesday of Pain and Suffering because nobody’s figured out (or been forced to figure out) how to create secure products.

But the crazier part is that nobody actually cares. If they did they’d stop using it. We don’t stop using it because it’s good enough.

More precisely, a tradeoff is being made at the level of society that says the benefits of the barely-duct-taped-together internet are far greater than the downsides of all the hacks and the fraud and instability caused by its security issues.

That’s a powerful, meaningful choice we’ve made.

forced prioritization

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

And that brings me back to the Zoom thing.

Zoom is no highway system, and it’s no Internet. But it’s damn sure performing a critical function for humanity right now. And it’s doing so far better than its competitors. Like, “20X growth in three weeks” better.

This forces us to place things we care about on a balance.

  1. We care about millions of people connecting to each other in a time of crisis.

  2. And we care about using software that doesn’t put us at risk.

So the question is simple:

How bad is the second one relative to the benefits of the first?

That is the question that matters—for highways, for space travel, for using an insecure internet—and yes, for Zoom.

This software has brought people together because it’s actually usable. I don’t know what that’s worth exactly, but it’s a lot.

And if I were to take the risk to people presented by Zoom—as I understand it—and multiply it by 10X, and put that on the other side of the scale, well, it wouldn’t even budge.

The most important thing we can do as security professionals is to keep our risk evaluations in context with what we’re protecting.

In the case of corporate infosec that’s the business, and in the consumer world it’s the business of human thriving.

Related posts: