Slashdot Mirror


Rethinking Security: Securing Activities Instead of Computers

An anonymous reader writes: "Security is not a property of a technical system," says independent security consultant Eleanor Saitta. "Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users." But software development teams that understand what users want and what adversaries they face are very rare. And security engineers forgot — or misunderstood — what their job is: not securing computers, but securing activities that lead to the realization of greater goals.

55 comments

  1. Don't use the word security by Anonymous Coward · · Score: 0

    If you can describe your goals, and avoid terms like "security" and "protection", you will focus on results, not simply repeating marketing catch phrases.

    Live long and prosper...

  2. Security is a property of a technical system... by Anonymous Coward · · Score: 1

    Security is a property of a technical system, and may be increased with a set of activities.

    1. Re:Security is a property of a technical system... by Anonymous Coward · · Score: 0

      security is not a property of something.
      security is a process.

    2. Re:Security is a property of a technical system... by Anonymous Coward · · Score: 0

      security is not a "process".
      security is a state of mind.

  3. So in other words by ckatko · · Score: 0

    So in other words, you're talking about basic Kerberos Authentication we've had since Windows 2000, and MIT invented in the 1980s. Wow, amazing stuff. Using this new pioneering technology, we'll be able to finally treat individual services, functions and resources in those services as "security resources" that are controlled by access tokens verified and given out by a "domain controller."

    What's next, promote synergy?

  4. After skimming, reading and confusion. by Anonymous Coward · · Score: 3, Interesting

    After reading the 'article', I am not sure what is being said or the point is for that matter. I don't understand WTF is being said.

    "A threat model is a formal, complete, human-readable model of the human activities and priorities and of the security-relevant features of in-scope portions of a system," Saitta defines. "An engineering tool that will help us define what we are trying to get the system to do."

    Huh? That sounds like a REAL fancy way to say social engineering.

    In my years in this shitty fucking business, there are a lot of BS artists who get away with bullshit because the IT/engineering industry is almost exclusively filled with people who are afraid of appearing 'stupid' to say he looks naked and charlatans get away with selling shit. The Emperor may have no clothes, but everyone is too afraid to appear stupid or have some arrogant asshole say, "You don't belong here!" because HE thinks there are clothes.

    Is this article different? I don't know.

    independent security consultant Eleanor Saitta

    Ah 'consultant'.

    1. Re:After skimming, reading and confusion. by Ravaldy · · Score: 1

      In my years in this shitty fucking business, there are a lot of BS artists who get away with bullshit because the IT/engineering industry is almost exclusively filled with people who are afraid of appearing 'stupid' to say he looks naked and charlatans get away with selling shit.

      Lol @ that. I'm not one to say it's a shitty business because I actually enjoy what I do. Putting aside the skillset and experience required to build secure applications and systems there is still lots of extra time required to do so which translates into $$$$ or late delivery. The biggest problem with security is ignorance. People at the top of the food chain within or outside tech departments tend to see it as an unneeded expenditure until they get hit (E.g. Sony).

      It is our responsibility (the techs and tech leaders) to present to them the risks and dangers of ignoring security. Over the years I've developed two simple questions to help me convince even the most resilient leaders:
      1. Do you have any sensitive data you wouldn't share with just anybody (be ready to list data stored locally that you consider sensitive)?
      2. Can your company survive if all the data on the in-house servers disappears overnight?

      Almost every single company will answer YES to at least one of these questions. As an IT professional you need to come ready to answer questions about what the risks are, the solutions and the cost. Obviously the SMB will most probably agree to a strategy that is less robust than the one for a large enterprise.

    2. Re:After skimming, reading and confusion. by khasim · · Score: 1

      I have different concerns with that article.

      "Security is not a property of a technical system," she noted in her talk at the Hack in the Box conference in Amsterdam. "Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users."

      No. "Security" does not exist. You can be MORE secure than X or you can be LESS secure than X but you cannot achieve "security".

      For me, being MORE secure means that fewer people can successfully attack you (or that the attack requires more of them to work together).

      Saitta realized that a lot of what we know in the security world can't be effectively used if someone in the real world is targeted by a determined adversary.

      No. That is getting back to the MORE secure or LESS secure. If the attacker has to drop armed forces onto your office building then you are MORE secure than if they exploited a 0-day on your web site.

      We shouldn't work on assumptions or go by intuition - we should set aside our egos, and consult with the end users - learn about their goals and adversaries.

      I'd say that 99.9+% of them have no idea who their adversaries are. Other than "that asshole Bob" or "the Chinese".

      In the case of high-risk users, usable security is a must.

      Is there ever a case where unusable security is a must?

      As she vividly put it: if you're on a rooftop, trying to get a connection and successfully send out an encrypted message because your life or freedom - or that of others - depends on it, and you know that there are snipers waiting to take a shot at you - there is simply zero room for using a tool as complex as PGP.

      Choose the right tool for the job AND LEARN HOW TO USE IT PRIOR TO THE EMERGENCY.

      And if her example is, literally, snipers on the rooftops then whomever did the computer security did a fucking great job. This is an example of a win, not a failure.

    3. Re:After skimming, reading and confusion. by bouldin · · Score: 1

      The security industry is full of "thought leaders" who spout off opinions and forecasts.

      There are no real credentials necessary to earn respect, because the infosec industry has historically mistrusted formal education.

      So, we get people with little or no computer science education who just make stuff up. The people who know less talk louder and tweet a lot. The infosec press loves it. It's all really just marketing for infosec vendors.

    4. Re:After skimming, reading and confusion. by mlts · · Score: 2

      The funny thing is that back in the 80s, every company that used computers thought of this. Back then, diskettes and other media were notoriously unreliable, so even the accounting firm had a grandfather/father/son backup rotation system in place, with tapes/disks going somewhere offsite.

      Sensitive data had some form of PW protection. Because someone had to have physical access, usually basic physical access controls worked. Then the fact that very often, the "computer" in use was a terminal, which likely would lock permanently after 3 missed passwords, didn't hurt either.

      Now, it seems all those cautions get tossed out the window. I see companies considering RAID as backup (especially those who use their SAN for backup/archiving purposes), and assume that no intruder can get onto their SAN's management network.

      This worked adequately... but the Sony hack changed things with the data being destroyed. Now, there is a good chance that after the intruders copy off the data, they will just log onto the SAN and purge things. A simple dropping of LUNs, then rebuilding all drives as one RAID array will ensure all data is overwritten and unrecoverable.

      I am a strong advocate of offline media like tapes, mainly because it addresses the parent poster's two points:

      1: LTO-4 and newer can be set with an encryption key on the tape drive itself (via SPIN/SPOUT), so if a cartridge falls off the back of the Iron Maiden truck, it can be treated as just a loss of a $10 tape.... with data well protected.

      2: Just by being offline, it requires "boots on the ground" to destroy the media. An attacker can't just do a "rm -rf /" and destroy the entire business.

      Yes, businesses can get destroyed by data loss. Texas Textbooks, around 20 years ago, used to be the top dog for student textbooks and items in Austin. Their main computer croaked... and the company went down for good with it due to the loss of payroll, accounts payable/receivable/sales info, inventory, and other items.

    5. Re:After skimming, reading and confusion. by LaurenCates · · Score: 1

      Eh, in every forum I frequent where there are "big names", those big names got to be where they were precisely because they were social climbers. Or, if you like, attention whores. That's why the people with little competence get so much attention: because they have the time and energy to get people to pay attention to them.

      And in principle, there's nothing wrong with that. You want to be praised for the good work that you do, you should spend a little time on your hustle game making sure people know who you are and why they should care.

      Yeah, that goes lop-sided because the people who "care" are the ones that are "too busy" to put in the hustle and the people who "just want to sell a product" are visible and are "talking over" the "real deal", but them's the breaks when the "real deal" can't look past his/her own nose and acknowledge the game is so much bigger than them.

      --
      Some people don't believe in fairies. I don't believe in The Patriarchy.

  5. Need more people who know how to build on sand by Anonymous Coward · · Score: 0

    Because people need houses, not foundations.

  6. Venn Diagram by Anonymous Coward · · Score: 1

    There's a Venn diagram in the article. I think we better listen to the author.

  7. Of course it's the software's fault by Anonymous Coward · · Score: 0

    that the user has put themselves in a dramatically unsecured situation. FTA "As she vividly put it: if you're on a rooftop, trying to get a connection and successfully send out an encrypted message because your life or freedom - or that of others - depends on it, and you know that there are snipers waiting to take a shot at you - there is simply zero room for using a tool as complex as PGP." Physical security is the foundation of software security.

  8. Adversaries Vary by Anonymous Coward · · Score: 1

    Nobody can predict what kind of extra, para and non legal adversaries a set of business processes face during their lifetime. Mapping the risk and reacting to legal adversaries is also called "keeping up with the society" and "reading government bulletin boards, newspapers and publications." In other words, a cubic fuckton of sets of activities inside sets of activities strictly inside unbounded fuzzy sets of adversaries.

  9. Double Speak 101 by s.petry · · Score: 0

    Take a word and mince up the definition, and call it something else. Security is not a thing that people can do, it's things people do to stop other people from accessing things... Sadly people pay to drink this kind of KoolAid.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Double Speak 101 by cshark · · Score: 1

      Pretty much. I suppose that's what keeps people in repetitive jobs though.

      --

      This signature has Super Cow Powers

    2. Re:Double Speak 101 by Kevin+by+the+Beach · · Score: 1

      I have to agree, and if they weren't expecting Cherry and tested against Tropical Punch (ok, too much Kool-Aid metaphor )

      Unfortunately we get legal departments involved and everybody becomes "risk averse" so nobody will take ownership of the truth. (flashback to Cruise / Nicholson, and another Kool-Aid tie in) Truth, you can't handle the Truth!

      Here is my shot at Truth: Strong biometric authentication is the only solid machine / human authentication available today.

    3. Re:Double Speak 101 by s.petry · · Score: 1

      Strong Biometrics are too expensive to be feasible for the majority of businesses, and depending on what you are accessing a huge privacy concern. I have forged Biometric data, and know plenty of other people who have done the same. If I can spoof systems access at a facility, I can commit a crime and leave your fingerprints at the scene.

      Read TFA and she is correct with much of what she says. I only take issue with the double speak. Security is a point where a whole lot of things have to meet.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    4. Re:Double Speak 101 by LaurenCates · · Score: 1

      Security is a point where a whole lot of things have to meet.

      Indeed. Security is not passive. It's active. And it should be drilled into everyone's head that it's -everyone's- responsibility.

      --
      Some people don't believe in fairies. I don't believe in The Patriarchy.

    5. Re:Double Speak 101 by Lemmeoutada+Collecti · · Score: 1

      I don't think any amount of "drilling it into" everyone's heads will help. The underlying issue appears to be that the security folks take everything security related personally (like a crusade), the IT folks take it as something they have to do to keep their jobs, and the non-technical folks take it as just another random policy from the higher ups.

      In order for security to mean anything, it needs to be personal. Everyone needs to understand not only how to protect themselves, but why they want to. This approach is why self defense classes across the US (and possibly in other countries) are filled with people wanting to learn - these people have a real, personal fear that they will end up being the victim if they don't and the consequences of being a victim are close and personal.

      Security professional and IT professionals, unfortunately, avoid marketing and avoid employing marketing people to deliver this message in a way that will have impact to the non-technical world. And in doing so, we end up coming across as end-of-the-world doomsayers - until it is too late and the doom has come.

      --

      You can have it fast, accurate, or pretty. Pick any 2.

    6. Re:Double Speak 101 by s.petry · · Score: 1

      As a security professional, I disagree with your last paragraph. The people I know are not against marketing our services and solutions, nor are they against telling people why they should be aware of security. What most of us are against are the few people that attempt to gimmick our industry and trick people into thinking "they" have some new and novel solution.

      Get-rich-quick scams are bad for security. Telling people you invented something new, which in reality is old hat, by twisting words is bad for security. Security professionals take security seriously, not as a gimmick.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    7. Re:Double Speak 101 by Kevin+by+the+Beach · · Score: 1

      I am in 100% agreement.

      I was just stirring the pot, because I see the human element as the point of failure in most scenarios. (had to laugh about Cardinals v. Astros in the news yesterday) If the human involved had changed his (default/typical) password after moving to a competing company, the unauthorized access wouldn't have been practical. --it's likely the same password on social media, email, banking, etc..

      Most (I'm talking non-programmers) people don't realize that an unscrupulous web site or service can store your password in clear text. Just because it isn't displayed doesn't imply that it hasn't been saved someplace in the cloud with enough information to attempt similar credentials against other sites and services.
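      The cleartext storage the post warns about, beside the standard remedy, as an added example that is not part of the thread or of any site the thread mentions: a per-user random salt, a slow key derivation (PBKDF2 from the Python standard library), and a constant-time comparison, so a leaked user table yields neither the password nor a credential that works elsewhere. The record format and the parameters are constructed for the example.

```python
import hashlib
import hmac
import os

# Parameters are chosen for this example; the iteration count is a cost
# knob, tune it for the hardware that will verify logins.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def store_cleartext(password: str) -> str:
    """The weak form the post describes: the stored record IS the password,
    so anyone who reads the table can replay it against other services."""
    return password


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted hash and pack it with its own parameters.
    The resulting string never contains the password; two users with the
    same password get different records because the salt is random."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and parameters and compare in constant
    time. A malformed record is treated as a failed login, never a pass."""
    try:
        scheme, iters, salt_hex, key_hex = record.split("$")
        algorithm = scheme[len("pbkdf2_"):]
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed user table: the same password stored both ways.
    users = {
        "weak_site": store_cleartext("correct-horse-battery"),
        "careful_site": make_record("correct-horse-battery"),
    }
    print(users["weak_site"])      # the password, readable by anyone with the table
    print(users["careful_site"])   # salt and hash only
    print(verify("correct-horse-battery", users["careful_site"]))  # True
    print(verify("correct-horse-batter", users["careful_site"]))   # False
```

      The iteration count is stored inside the record so it can be raised later without invalidating existing users; old records are re-hashed the next time their owner logs in successfully.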

  10. No shit by penguinoid · · Score: 1

    Step 1: Increase the security of the software development activity, by allowing programmers to do their job without being overworked and overstressed and rushed to ship their code now now now don't worry we'll patch it later.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways

    1. Re:No shit by Anonymous Coward · · Score: 0

      It's a lemon-market situation: The people who pay programmers have no way of telling good programmers from bad programmers. They only have approximate metrics, like lines of code, tickets closed, etc. As a result, they also have no way of knowing whether a programmer is slacking off or taking the necessary time for a proper solution. Without a measure of quality, they can only push for higher quantity and lower prices. You do the same when you can't tell a good product from a bad one.

  11. Security is a system of imposed limitations. by Anonymous Coward · · Score: 0

    Not all of them are well thought out from the get-go, I think is the point. If you can remove the need for a potential vulnerability, you remove a security need.

  12. Pointless Enterprise Speak. by cshark · · Score: 3, Insightful

    Look, I know the guys in suits buy into this crap, but there's really no reason to spread it on our walls.

    If you're going to provide a solution to a problem do it, describe it in clear concise English. This person hasn't actually said anything at all. They simply used a larger than necessary amount of words to do it.

    --

    This signature has Super Cow Powers

    1. Re:Pointless Enterprise Speak. by bluefoxlucid · · Score: 1

      It's even worse: he uses "reduce" instead of "minimize". Reduces compared to what?

    2. Re:Pointless Enterprise Speak. by gurps_npc · · Score: 1

      It basically works like this. The better you are at any field, the more likely you are to use precise words. These words include both the more common and the rare cases.

      So you talk about 'enterprises' instead of businesses because enterprises includes charitable organizations.

      The problem comes when the expert tries to talk to (note I said talk not communicate even though we are really using an electronic form of communication, not talking) to normal people (an expert might have said non-technically proficient people).

      They talk like this for a reason, and it is very hard to get them to stop.

      Same things happen in law, medicine, and other extremely precise fields.

      --
      excitingthingstodo.blogspot.com

    3. Re:Pointless Enterprise Speak. by cshark · · Score: 1

      Fair point. I think I've just got newspeak burnout at the moment.

      --

      This signature has Super Cow Powers

    4. Re:Pointless Enterprise Speak. by Livius · · Score: 1

      The better you are at any field, the more likely you are to use precise words.

      The reverse, however, is not true. In fact, overuse of precise terminology is, ironically, likely a sign of ignorance.

      The article is an example of one of those two cases.

    5. Re:Pointless Enterprise Speak. by Anonymous Coward · · Score: 0

      Without examples it's just jargon. TFA has an example up front demonstrating the problem but none after the jargon stream of a solution. Coincidence? I think not...

    6. Re:Pointless Enterprise Speak. by Anonymous Coward · · Score: 0

      Thank you.

      I very much doubt that "...security engineers forgot — or misunderstood — what their job is..." In fact the restated mission of "securing activities" is demonstrably wrong. If you want to get to the essentials, security systems secure information. That is the essence, not "activities".

      The consultant quoted in the OP is hyping a different approach, at least one different from traditional security approaches. I refuse to say it's new because it isn't new. I'm all for different approaches if they get superior results though.

      One thing I can agree with. Developers don't understand their security adversaries, in general. Why? Well they aren't security specialists for one thing. For another, the tactics employed by intruders morph over time and it's very difficult to keep up unless you are a security specialist. This can be mitigated to some extent by understanding and deploying the fundamentals of security.

      It's a very different mindset, the difference between a developer and a hacker. Devs could benefit from trying to hack their own, or other systems. With appropriate approvals and safety mechanisms of course!

  13. Partial (not complete) Horseshit by Anonymous Coward · · Score: 0

    That's one of the most pedantic definitions of Security I've ever seen. It follows then that malware that mines a few bitcoins in the background for Hacker Group X doesn't violate a user's Security as long as grandma can still check her email and Powerball tickets?

  14. What people want by sjames · · Score: 3, Insightful

    People want an attempted computer intrusion to look like The Matrix combined with William Gibson novels combined with red alert klaxons and people in military uniforms running around in a war room. They want it to be free, fool proof, and not require them to know or remember anything.

    Good luck!

    1. Re:What people want by Anonymous Coward · · Score: 0

      ... They want it to be free, fool proof, and not require them to know or remember anything.

      Machines reduce time, cost and indirectly labour; that is the reason given for using any machine. But the real reason is, machines reduce training and operator error. A machine converts a job into by-the-numbers tasks to produce a consistent output. It's one reason why businesses have totally embraced the on-demand workforce. Don't spend money training employees because it's expensive, they might not learn, or worse, they can take their knowledge to the competition. Instead, wait for trained operators to appear, begging for a paycheck. Alas, work is work, so very few people know how to touch-type and create a 10 page brochure in the latest MS Publisher, in 2 days.

      Computers have consistently been treated as routine: For nearly 50 years, researchers have been promising the demise of the programmer as they promise mix-n-match software. But businesses want to own the code-base, have legacy code and legacy systems that defy the mix-n-match paradigm. Plus, the more of the business one tries to shove into a computer, the less it matches any software.

      ... activities that reduce the likelihood ...

      Meaning employees must be taught which activities are correct, which are wrong, and then be refreshed on a yearly basis. Those activities include more than what the employee does. It's detecting when the computer does the wrong thing too. This is where most people suck. This is why IT exists as an industry: To make computers do the right thing and notice when they do the wrong thing.

    2. Re:What people want by BVis · · Score: 1

      Meaning employees must be taught which activities are correct, which are wrong, and then be refreshed on a yearly basis.

      You can do all that, but if there are no consequences for breaching security policy (the "wrong" activities) then your average mundane has no incentive to do their part to improve security.

      If one in every twenty employees that was caught breaking security policy were given an all-expense-paid trip to the curb with all their shit in a box, the rest would start taking it seriously and not just bitch about having to change their password every 90 days.

      --
      Never underestimate the power of stupid people in large groups.

  15. room full of rocking chairs by Kevin+by+the+Beach · · Score: 1

    "I asked everyone to look at their systems from the perspective that they would need to detect, track, and limit a privileged access breach"

    I didn't see how what I had said was unreasonable, but it was like I turned a long tailed cat loose in a rocking chair convention. What is wrong with assuming the worst and seeing what you can do about it? If you can't admit that your administration level accounts can be hacked, I don't believe you understand what you are up against.


  16. As an independent security consultant myself... by bobbied · · Score: 3, Insightful

    You are full of ...... It...

    (/sarcasm)

    Look, ANYBODY can claim to be an "independent security consultant" and it's stuff like this that sounds complex enough to be true. You can baffle people with BS if you know the buzz words, and even get consultant gigs from time to time, just hang out a shingle, buy a website and go to a couple of symposiums.

    Security is about common sense and risk management. You need to understand the risks (which means you need to know what they are) and that takes some domain knowledge, plus you need to know what the possible techniques are to manage the risks, but once you know what the risks are and what tools you have to manage these risks, doing the actual *work* is decidedly easy and not that hard.

    The moral of the story here is that if it sounds complicated coming from your "expert" then you need to fire them. If you cannot understand what they are suggesting needs to be done, they are just trying to separate you from your money, not provide you with security.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

  17. the forgotten part of security by roc97007 · · Score: 1

    If I'm understanding TFA, it seems like a restatement of one aspect of the three laws of security -- of Confidentiality, Integrity, Availability, the last one. That if "security" results in legitimate users not having sufficient access (availability) to achieve assigned goals, it's not really security. Kind-of the opposite, actually.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.

  18. If your not connected to the internet your secure by Anonymous Coward · · Score: 0

    In all reality it's the internet and what we use it for that makes our devices at risk. It's email, rogue web sites, click jacking, malware laced ads, lousy security with servers and so much else. But the common thread in all this is the internet. If you had a PC that was never connected in any way to the internet you would probably have a very secure PC. Unless of course you install a virus or malware from an external source. But that's not very common these days, and it gets worse as even our climate system, alarm systems and other home systems get onto the internet. A potential for any one of them to be an open invitation for hackers. My advice is fix the internet and don't waste time fixing every single device and OS that accesses it.

  19. Security is multi-layered by Anonymous Coward · · Score: 0

    For IT systems:

    - Software developers and Vendors need to write secure code that isn't vulnerable to buffer overflows or code injection
    - Users and managers need to beware of social engineering and phishing attacks and maintain good practices: passwords, screen locks etc.
    - Specialized IT Security needs to be notified by users when suspicious things happen and need to monitor the network for suspicious activity
    - Police/Feds investigate crime syndicates, terrorists, corporate espionage and foreign intelligence

    And don't forget physical security...

  20. Securing an activity needs a computer secured... by mlts · · Score: 1

    Devil's advocate here:

    Securing a task is one thing, but if the endpoint hardware is compromised on any level, nothing you can do higher up on the chain matters. This is the same reason why DRM tends to fail on the PC unless it uses a very elaborate system of obfuscation.

    Yes, task security is important, but what the task depends on is also critical.

    Take sending secure E-mail for instance. The task requires the computer, the storage medium, RAM, the CPU, and anything on the bus that can read/interfere with the encryption/decryption to be "clean". However, once the encrypted data is on the wire, the only real protection needed is to keep a bad guy from blocking packets, since they can't tamper with the contents.

    This is a different task from sending normal E-mail, but both require the same security (clean endpoint) to function.

  21. OMG, more buzzwords and silver bullets by roman_mir · · Score: 1

    FTFA:

    As she vividly put it: if you're on a rooftop, trying to get a connection and successfully send out an encrypted message because your life or freedom - or that of others - depends on it, and you know that there are snipers waiting to take a shot at you - there is simply zero room for using a tool as complex as PGP.

    "We forgot that our job was really to stop bad things from happening to good people," she pointed out.

    - well fuck, a system that sends messages shouldn't require that you know how PGP works, it should just apply it without forcing you to do anything you wouldn't do on a 'non-secure' system. Login, write a message and push the send button. Login could even be an option, your equipment could login by itself.

    So, how do we go about doing that? The answer is: in an organized manner - with threat modeling, adversary modeling, and operational planning.

    - sure. Or you could sanitise your inputs, follow sound practices, like not pass parameters in the open and if you do, ensure that the information they represent actually can be accessed by whoever passes them, prevent people from using bad passwords, set permissions on resources in such a way that only authenticated and authorised users can see and modify them.

    Basically TFA is somebody trying to sell the same thing with a set of buzzwords.
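    Two of the basics the post lists, written out as an added example that is not part of the thread: a request parameter that names a resource must be checked against what the caller is actually entitled to, and bad passwords should be refused at the door. The document store, the id scheme (`d-NNN`), the user names and the password rules are all constructed for the example.

```python
import re
from dataclasses import dataclass, field


# Constructed sample store; a real service would back this with a database
# and an ACL table, but the checks below are the same.
@dataclass
class Document:
    doc_id: str
    owner: str
    body: str
    readers: set = field(default_factory=set)   # users granted read access


DOCS = {
    "d-100": Document("d-100", "alice", "Q3 forecast", {"carol"}),
    "d-200": Document("d-200", "bob", "payroll export"),
}


class BadRequest(Exception):
    """The parameter is malformed; reject it before touching the store."""


class Forbidden(Exception):
    """The caller is not entitled to the object the parameter names."""


# The only shape a document id may take (hypothetical scheme for this example).
DOC_ID = re.compile(r"^d-\d{1,6}$")


def fetch_unchecked(doc_id: str) -> str:
    """Weak form: the id taken from the request is treated as proof of
    entitlement, so anyone who can guess or alter it reads the document."""
    return DOCS[doc_id].body


def fetch_checked(user: str, doc_id: str) -> str:
    """Hardened form: validate the parameter, then decide access from the
    object's own owner and reader list, never from the request alone."""
    if not DOC_ID.match(doc_id):
        raise BadRequest("malformed document id")
    doc = DOCS.get(doc_id)
    if doc is None or (user != doc.owner and user not in doc.readers):
        # One error for both "missing" and "not yours", so the response
        # does not tell a caller which ids exist.
        raise Forbidden("no such document or access denied")
    return doc.body


def can_read(user: str, doc_id: str) -> bool:
    """Boolean wrapper around fetch_checked, convenient for policy tests."""
    try:
        fetch_checked(user, doc_id)
        return True
    except (BadRequest, Forbidden):
        return False


# Minimal rule set for the "prevent people from using bad passwords" point.
MIN_LENGTH = 12
COMMON = {"password1234", "123456789012", "qwertyuiopas", "letmeinplease"}


def password_acceptable(password: str, username: str) -> bool:
    """Reject short, common, or username-derived passwords. A breached
    password list would be consulted here as well (not shown)."""
    low = password.lower()
    if len(password) < MIN_LENGTH:
        return False
    if low in COMMON:
        return False
    if username.lower() in low:
        return False
    return True


if __name__ == "__main__":
    print(fetch_unchecked("d-200"))            # anyone gets "payroll export"
    print(can_read("carol", "d-100"))          # True: carol is a listed reader
    print(can_read("mallory", "d-200"))        # False: neither owner nor reader
    print(can_read("alice", "../etc/passwd"))  # False: malformed id, rejected early
    print(password_acceptable("correct-horse-battery", "alice"))  # True
```

    The point of `fetch_checked` is that the authorization decision is keyed on the object's own metadata: changing the id in the request changes which object is looked up, not who is allowed to see it.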

  22. Re:If your not connected to the internet your secu by mlts · · Score: 1

    Stuxnet showed that line of thinking can be wrong. Even though the Internet has made it easy for attackers to do a lot of damage for relatively little work (compared to getting boots on the ground), one still needs defense in depth. All it takes is a MicroSD card gotten in or out of a secure facility.

  23. Time to ponder by Anonymous Coward · · Score: 0

    Whether one agrees or not is irrelevant. Eleanor has advanced the collective by causing thought and discourse. I find her thesis curious.

  24. A bit obtuse, but not bad. by dweller_below · · Score: 2

    As security definitions go, "Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users." is not bad. It is a bit obtuse. It lends itself to Venn diagrams and PowerPoint. It is also weakened by its fixation on adversaries. Adversaries are nice if you can blame them, but usually, you are your own worst enemy.

    The worst security definition that I have seen is the one currently used by the US Security communities. Geer stated it as: "..the absence of unmitigatable surprise." This definition is horrible. It offers you no guidance on prioritization or limits. This definition says you are insecure until you have achieved omniscience and omnipotence.

    The best definition of security that I have found is: "Security is a MEANINGFUL assurance that YOUR most important goals are being accomplished." This is easily understood by everybody and it guides you to effective action. Using this definition you are guided to create and maintain the potential for success. The other definitions ultimately force you to focus your efforts on less important objectives.

  25. Security is not about securing computers? by nickweller · · Score: 1

    How about designing a computer that can't be compromised by opening an email attachment or clicking on a URL. Design a system that runs on embedded hardware, that can't be overwritten and provides full usability to the end users.

  26. Re:If your not connected to the internet your secu by tnk1 · · Score: 1

    People did get computer virus infections before the wide use of the internet. It came from people sharing floppies or other portable media. Also, you'd get the odd LAN viruses. The Internet just made it far easier to both spread and make use of the intrusions.

    Oddly enough, people used to write virus programs with nothing more than the malicious desire to crash your computer or the completely amoral idea of wanting to see what would happen, because it was difficult to get your computer to phone home before people had "always on" Internet connection, so you couldn't really use infected machines for DDoS attacks or for reliably sending back information to the virus writer/operator.

    I remember having to be worried about infected disks long before I ever owned a modem at home.

  27. security by Anonymous Coward · · Score: 0

    I am 67 years old.
    I do not do anything using my data without being safe.
    If you folks cannot secure your systems, not my fault. The amount of money spent is crazy. Laws will be made to hold folks for mistakes. You should be held accountable for systems that are not safe.

  28. Re:If your not connected to the internet your secu by bobbied · · Score: 2

    While I get where you are coming from...

    The internet is NOT really the biggest source of risk, users are. The internet is just the vehicle most often used to do direct and indirect attacks; there are a number of other sources of problems for the security expert. Most systems that sit behind any kind of firewall and a NAT address are generally perfectly safe from a direct attack, at least until the user logs in.

    Users, once authenticated, are able to download stuff, do stupid things to the system configuration and/or copy data off the system. For most security risks, the BIG money risks are not directly coming from the internet.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

  29. Met 2 alleged "security engineers" here on /. by Anonymous Coward · · Score: 0

    THIS was the result (his annihilation) -> http://tech.slashdot.org/comme... in his Bouldin's "GOLDEN" top 10 greatest security 'fail' hits as I called it... & on SIMPLE & WIDELY KNOWN topics in security that DOLT should've known but didn't, lol!

    AND?

    Yes, there's YET another blowhard ALLEGED 'security engineer' on /. named raymorris I did even WORSE too -> http://it.slashdot.org/comment... PROVING HIS UTTER LACK OF KNOW-HOW on a single point he TOTALLY BLEW IT ON!

    Later?

    Yes, folks - I absolutely & TRULY fried him here regarding computer security & ads (which he works for an ad redirector no less it turned out) -> http://it.slashdot.org/comment...

    * LITERALLY BURNING HIM WITH 100's of proofs to the contrary vs. his utter BULLSHIT...

    (Some 'security engineers' we get around here, eh? Not!)

    APK

    P.S.=> I'm not "too impressed" with the "security engineers" (wannabes) that often show up here - especially if "lil' ole' me" can SCORCH them the way I did, with ease, mind you... lol!

    ... apk

  30. hope springs eternal by slew · · Score: 2

    When facing a nearly unprovable situation (e.g., the security or insecurity of a system), we often resort to deities and idolatry.

    It's much easier to believe in magic pixie dust called security protection that you can apply to some activity which is insecure to make it secure, than to face the reality that the activity itself might be inherently insecure and we must modify our activity to make it secure.

    You have a virus, there must exist anti-virus protection; you have malware, there must exist some anti-malware protection; just a little more encryption, and a little more authentication will always help too (just like sunblock and contraceptive devices, you gotta apply that stuff correctly or it doesn't work as advertised). However, as we have seen, the belief in these artifacts is mostly a mirage. It's not to say these things aren't useful to a limited extent, but we want to believe we can use technology to "solve" a problem that is intrinsic. Hope springs eternal.

  31. The real security question is by Anonymous Coward · · Score: 0

    How did this article make the front page?

  32. Here's a thought... by Anonymous Coward · · Score: 0

    How about we train people not to click shit in emails, and how about OS/app vendors write their code to not allow the shit that people clicked in emails to take over the entire system because EVERYTHING runs in Kernel space (because it's easier)...