Bruce Schneier writes on his blog: The Myth of Consumer-Grade Security. I had to catch myself from judging a book by its cover, or an article by its title in this case, because there are security offerings that are out of reach of a consumer. I sat through a presentation at RVASEC this past year with a representative from CrowdStrike in which he showed off some of their products and services that seemed like technological witchcraft to me. Although he didn’t present any price tags in his presentation, after doing a bit of research, I think that not only are their offerings out of reach of my small government organization, they’re certainly out of reach of my personal budget. Cisco’s ASA, which is just shy of a mandatory piece of equipment in a Cisco shop, is certainly out of budget for a family home.
There are some consumer offerings that seem to be gaining real traction as home-grade security appliances, like Eero’s mesh network hardware, which looks good and might be good, if you can trust your network to a company that is owned by Amazon.
Bruce’s article is actually a retort to Attorney General Bill Barr’s argument advocating the weakening of exclusively consumer security technologies (specifically encryption) to benefit law enforcement investigations. I’ve written before that this is a terrible idea that will unquestionably be abused by valid members of law enforcement when their policies become overreaching, and certainly by the bad guys, because a key that works on all locks will eventually be lost. Intentionally broken encryption is no longer valid encryption once the broken part is found and made public. Furthermore, law enforcement should be hard. If it is not a hard job to do, that means that the liberties of the citizenry have been undermined.
However, Schneier makes a very important point: there is no legitimate difference between the technologies that protect people’s personal devices and the enterprise protections, beyond scale. AES encryption or SHA-256 hashes are based on mathematics that work the same regardless of the device processing them. Arguing that there currently exist two tiers of security is factually deficient and irresponsible. Barr appears to be pressing to make that fable a reality, though. As I mentioned before, I do take issue with the weakening of privacies from a personal liberties standpoint, but furthermore the idea that all citizens must suffer because some people use their technology in pursuit of criminal activity is offensive and immoral. And, furthermore, the idea that if I’m a company it is A-OK for me to have top-notch encryption because I, as a company, am presumed never to be committing criminal or illegal activity, so all of my stuff can be hidden from view, is also building towards corporations having a second set of laws that apply to them differently than to you or me.