I really wish all security professionals had this insight. Far too many design one-size-fits-all solutions, generally against a spy movie threat. This leads to situations where they often dismiss security solutions that would work well for average threats, because they can conceive of a spy movie threat that would work around it. For instance, I think most people in security agree that SMS 2FA isn’t ideal and there are practical workarounds for it that your average attacker now has access to. However, a lot of security professionals just issue a blanket “don’t use SMS 2FA!” statement and ignore the fact that many average folks will see that and disable 2FA altogether, even though it would provide them better protection than passwords alone.
This was the whole problem with password policy for decades: security professionals wrote policy strictly aiming for attackers with high-performance computing performing dictionary attacks and ignored the human side of things. Hackers focused on the human side.
Exactly. I go to greater lengths for my own security (PureBoot, Qubes, Librem Key, strict use of hardware kill switches, heavy use of GPG, among other things) because of the risks I face (and the stakes behind those risks) than I would consider reasonable for an average person who doesn’t face the same threats. I also have a much higher tolerance for inconvenience than I would expect most people to have.
At Purism we try hard to maintain a balance here between having sensible defaults that are reasonably secure, on a good foundation, while also offering more secure options for those folks who need it. The main challenge we (and specifically I) face is that I believe very strongly in empowering users to manage their own security, and that means I often have to pass on industry-standard security measures that would remove control from the user and place it in Purism’s hands.
This is one reason why we are still only getting started on the security measures on the Librem 5, for instance. Traditional phone security approaches all center on the “jail model” of locking down the hardware so it only runs binaries signed by the vendor and restricting not only what access apps have, but what access the user has (unless they break out of jail). I don’t like the jail model. We have a good foundation for Librem 5 security, but still only a foundation. There’s a lot more still to build on top of it.