I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who — if anyone — has the responsibility of fixing it.
~ Bruce Schneier, from https://www.schneier.com/blog/archives/2018/04/obscure_e-mail_.html
slip:4usebo12.
I had to read the entire thing twice.
I’m on a “security” tirade here for a few days, so here’s my strategy for security: Get off the peak of the bell curve.
If someone wants your stuff, they will take it. Actors can always, if sufficiently motivated, apply more resources than you have available for defense. Therefore, one should not bother defending against a “motivated” attacker (worrying about them, or spending crazy amounts of resources on them). Instead, deploy defense in depth and then make incremental improvements everywhere.
https://en.wikipedia.org/wiki/Defence_in_depth
ɕ