Perceptions of risk

Originally posted on on September 14, 2011

At Blackhat & Defcon recently I was once again surprised by the number of security professionals who refused to touch a networked device for the duration of the conference. Yes, the risk is elevated and people might have zero days. But the risk is also high in airports, coffee shops, and hotels in far-away places. People in some parts of the world live at a constantly high risk of zero-days in their own homes.

How can we be expected to help defend our users (who at most have a small fraction of the security knowledge that we do) in hostile environments if we can’t defend ourselves? Some have called this attitude cavalier or attributed it to hubris, but that’s missing the point.

The point is that either we are overestimating the risk at Blackhat, or underestimating the risk the rest of the time. If a security pro can’t defend themselves in a highly hostile environment, then I claim they can’t defend their users in a moderately hostile one.