"Breach Assumptions Offer Comfort"

The main topic on the recent Privacy, Security, OSINT Show episode by Michael Bazzell was this: “Breach Assumptions Offer Comfort”. The argument was that Michael, who needs to be an exemplar in privacy and security for his industry and clients, doesn’t worry too much about breaches because he assumes one will happen at some point. In other words, he assumes the possibility of everything becoming public.

Therefore, Michael takes proactive measures to lessen/minimize the (inevitable) breach by being tactful about what information to share.

Strategies Michael presents include always-on VPNs (assuming the service will know the IP address and that can be breached) and compartmentalization with addresses (via custom domains).

What I really like about Michael’s argument is being practical instead of fearful. The tone of Michael’s topic starkly contrasts with a Signal failure I had with someone.

A while back, I introduced Signal to a friend. Like me, she has an interest in digital privacy. She’s an engineer after all. So, did we hop onto Signal?

The Signal introduction got completely shot down. Why? She said all messengers have loopholes and she just assumes what she sends is public info anyway. So, we should still use SMS, which is over twice her age!

In my mind, her premises (particularly her second one) would have made the case for using something like Signal instead of SMS, because Signal works better with the “assuming everything is public” premise by providing mitigation. (And also, I have dealt with reliability issues with SMS so many times…) The opposite, in my eyes, either leads to not using it at all or simply giving up because “the outcome will be the same”.

So, I want to better understand the contrast Michael and my friend present. One actually responds and uses measures to work with the assumption to lessen externalities. The other does nothing and gives up.

It might work if I try again with introducing Signal, but I want to ask: when someone simply gives up (like my friend), how do you help them? Do you speak softly but carry a big stick by presenting a solution as an option and not the option? Do you mentally give up on the person and leave them in the dust? Try to come up with a middle-ground solution?


With Signal in particular (and I’ve seen this opinion voiced in other Signal discussions on this forum) it’s usually more effective to switch people to Signal by demonstrating the feature improvements over SMS rather than talking about security, especially on Android. “Signal is basically iMessage for Android” usually gets people on board: functional group chats, high-resolution photos, typing/read indicators, emoji reactions, etc.


I can try that. Thanks Jonah.

But presenting Signal as an iMessage probably won’t fly with iOS users. “Why do I need this? iMessage is enough!”

Guess it depends on how many Android users they text. The frustrations with iOS<>Android texting are on both sides, and they’ll appreciate things like working group texts. If you’re the only Android user in a sea of iOS users then… good luck to you 🙂