Bad analogy. It is not that easy to break modern multi-layer glazing, and it is also a lot easier to get away with breaking into a computer or account than breaking a window, undetected, until it is time to let the user know (for a ransom attempt or other such). Locking your doors is a much better analogy. You don't leave them unlocked in case you forget your keys do you? That would be a much better analogy for choosing convenience over security in computing.

> I know I could faff with multiple locks for my bike, but I rather accept some risk for it to be stolen for the convenience.

Someone breaking into a computer or account isn't the same as them taking a single object. It is more akin to them getting into your home or office, or on a smaller scale a briefcase. They don't take an object, but that can collect information that will help in future phishing attacks against you and people you care about.

The intruder could also operate from the hacked resource to continue their attack on the wider Internet.

> A major dumb is that security people think breaking in is the end of the world.

The major dumb of thinking like this is that breaking in is often not the end of anything, it can be the start or continuation of a larger problem. Security people know this and state it all the time, but others often don't listen.

This is exactly the counter productive attitude I criticized. I told you why others don't often listen, but you don't seem to listen to that.

Also, people do listen. They just don't agree.

Because the fallout can cause significant problems for others, people not agreeing that online security is relevant to them is like people not agreeing that traffic safety measures (seatbelts, speed limits) are not relevant to them, and should IMO command no greater respect.

Maybe being a bit of a dick about it doesn't help much, but being nicer about it doesn't seem to help at all.

End of the world? No. But it's really, really bad.

When you get your stolen car back, problem over.

But your broken into system should in most cases be considered forever tainted until fully reinstalled. You can't enumerate badness. That the antivirus got rid of one thing doesn't mean they didn't sneak in something it didn't find. You could be still a DoS node, a CSAM distributor, or a spam sender.

Reinstalling an OS is not really, really bad. It's an inconvenience. Less so than e.g. having to get new cards after a lost wallet or getting a new car.

Security people don't seem to really assess what are the actual consequences of breaches. Just that they are "really really bad" and have to be protected against all costs. Often literally the cost being an unusable system.

Isn’t there malware around that can store itself in the BIOS or something, and survive an OS reinstall?

You can decide for yourself whether to include that in your personal threat analysis.

No

Security people are acutely aware of the consequences of a breach.

Look at the catastrophic consequences of the recent wave of ransomware attacks.

Lax security at all levels, victim blaming (they clicked a link....) and no consequences I know of for those responsible for that bad design. Our comrades built those vulnerable systems

Reinstalling an OS is not nearly enough. You have to reinstall all of them, without letting the "dirty" ones contaminate the clean part of your network; you have to re-obtain all of your binaries; and good luck trusting any local source code.

The way most places are organized today, getting computers infected is a potentially unfixable issue.

No

Security people are acutely aware of the consequences of a breach.

Look at the catastrophic consequences of the recent wave of ransomware attacks.

Lax security at all levels, victim blaming (they clicked a link....) and no consequences I know of foe those responsible for that bad design

> But your broken into system should in most cases be considered forever tainted

Actually this is exactly how stolen cars work. A stolen car that is recovered will have a branded title from then on (at least it will if an insurance company wrote it off).

Not if it contains computers; either the original ones it had before being stolen, or some new, gifted ones you don't know about.

People can use HTTPS now instead of HTTP, without degrading usability. This has taken a lot of people a lot of work, but everyone gets to enjoy better security. No need to lock and unlock every REST call as if it were a bicycle.

Also, a hacker will replace the broken glass within milliseconds, and you won't find out it was ever broken.

Meanwhile, other security zealots were just happy to scream at users for not sending 20 forms and thousands of dollars to cert authorities.

Usability matters - and the author of this original rant seems to be one of those security people who don't understand why the systems they're guarding are useful, used and how are they used. That's the core security cancer still in the wild - security experts not understanding just how transparent the security has to be and that it's sometimes ok to have a less secure system if that means users won't do something worse.

HTTPS by default is good, especially after Let's Encrypt. Before that is was not worth the hassle/cost most of the time.

E.g. forced MFA everywhere is not good.

> Also, a hacker will replace the broken glass within milliseconds, and you won't find out it was ever broken.

This is very rare in practice for normal users. Again, risks in context please.

Steel bars?

Some situations definitely call for steel bars, some for having no windows at all.

But for you and me, windows are fine, because the value of being inside my apartment is not the same value as being in a jewellers or in a building with good sight-lines to something even more valuable -- and the value of having unrestricted windows is high for us.