So you do a lot of work and achieve what you might call "near-perfect real-world security" and are not hacked, are you secure?
When you later find out you were vulnerable. Were you secure?
Does knowing that an undetectable root-kit could have been installed during this time, change your perception of the state of your current security?
Would it matter if the newly-released insecurity was a one-in-a-billion thing?
For instance when's the last time you actually took measures to guard against a trojaned compiler?
If you did get hacked because of a one-in-a-billion thing which nobody could have predicted did it happen because you weren't secure or did it happen despite your security? It's a subtle difference in perceptions.
Does your perception of your security level change if you realize the crooked CEO conspired with the security consultant to arrange a back door and that the one-in-a-billion thing was a virtual certainty?
It goes deeper than simply being all relative, you always make some assumptions - even incredibly large ones. Even a tiny mistake can totally scupper system robustness. In crypto and security a system is often weaker than its weakest link and that includes designer assumptions, operator errors, and customer specifications as well as expected issues such as programming errors. Speaking of security as a thing that can be achieved is mostly wrong and confuses many.
When you later find out you were vulnerable. Were you secure?
Does knowing that an undetectable root-kit could have been installed during this time, change your perception of the state of your current security?
Would it matter if the newly-released insecurity was a one-in-a-billion thing?
For instance when's the last time you actually took measures to guard against a trojaned compiler?
If you did get hacked because of a one-in-a-billion thing which nobody could have predicted did it happen because you weren't secure or did it happen despite your security? It's a subtle difference in perceptions.
Does your perception of your security level change if you realize the crooked CEO conspired with the security consultant to arrange a back door and that the one-in-a-billion thing was a virtual certainty?
It goes deeper than simply being all relative, you always make some assumptions - even incredibly large ones. Even a tiny mistake can totally scupper system robustness. In crypto and security a system is often weaker than its weakest link and that includes designer assumptions, operator errors, and customer specifications as well as expected issues such as programming errors. Speaking of security as a thing that can be achieved is mostly wrong and confuses many.