...Can we consider computer security a success story at all? I admit, I am not a professional security researcher but between Bitcoin, the DNMs, and my own interest in computer security & crypto, I read a great deal on these topics and from watching it in real-time, I had the definite impression that, far from anyone at all considering modern computer security a success (or anything you want to emulate at all), the Snowden leaks came as an existential shock and revelation of systemic failure to the security community in which it collectively realized that it had been staggeringly complacent because the NSA had devoted a little effort to concealing its work, that the worst-case scenarios were ludicrously optimistic, and that most research and efforts were almost totally irrelevant to the NSA because the NSA was still hacking everyone everywhere because it had simply shifted resources to attacking the weakest links, be it trusted third parties, decrypted content at rest, the endless list of implementation flaws (Heartbleed etc), and universal attacks benefiting from precomputation. Even those who are the epitome of modern security like Google were appalled to discover how, rather than puzzle over the random oracle model or do deep R&D on quantum computing, the NSA would just tap its inter-datacenter links to get the data it wanted.
When I was researching my "Bitcoin is Worse is Better" essay, I came across a declassified NSA essay where the author visited an academic conference and concluded at the end, with insufferable - yet in retrospect, shockingly humble - arrogance, that while much of the research was of high quality and interesting, the researchers there were no threat to the NSA and never would be. I know I'm not the only one to be struck by that summary because Rogaway quotes it prominently in his recent "The Moral Character of Cryptographic Work" reflecting on the almost total failure of the security community to deliver, well, security. Bernstein also has many excellent critiques of the security community's failure to deliver security and its frequent tendency towards "l'art pour l'art".
The Snowden leaks have been to computer security what DNA testing was to the justice system or clinical trials to the medical system; there are probably better words for how the Snowden revelations made computer security researchers look than 'silly'.
It's a success story in the sense that there is a lot of solid work being done. It is not a success story in the sense that currently, and for the foreseeable future, attack >> defense (but this was true in lots of other areas of warfare throughout various periods of history). We wouldn't consider armor research not a success story just because at some point flintlocks phased out heavy battlefield armor.
The fact that computer security is having a hard time solving a much easier problem with a ton more resources should worry people who are into AI safety.
If it's worth saying, but not worth its own post (even in Discussion), then it goes here.
Notes for future OT posters:
1. Please add the 'open_thread' tag.
2. Check if there is an active Open Thread before posting a new one. (Immediately before; refresh the list-of-threads page before posting.)
3. Open Threads should be posted in Discussion, and not Main.
4. Open Threads should start on Monday, and end on Sunday.