[AndroidNeox (OP)]

Listening to a podcast about cybersecurity, today, I yelled at my iPhone, "You're totally on the wrong track!"

The experts were talking about how some industries are good at it and others not. That's goofy. It's not the job of bankers or hospitals or schools to all master the intricacies of security. The features should be built in, by default.

There is a standard 7-layer model for computing, from the hardware layer (e.g. ethernet card) up to the presentation layer that handles the user interface. When some layer communicates with another computer, each layer establishes some form of link with the corresponding layer in the other computer. When exchanging data, each intervening layer takes the data and packages it for delivery to the corresponding layer in the other computer. There is no reason that every time the message goes into a new envelope, the contents shouldn't be encrypted.

Before the data I type in this window on my screen leaves my computer, the text should be encrypted half a dozen times by independent computing processes.

All of the technology exists within the public domain. I can see no excuse for not requiring it.

[evan_au]

the text should be encrypted half a dozen times

There is processing and communications overhead in multiple encryption. The TOR browser does this, and apparently it is fairly slow.

There is also the question of how much security you need for text which will be displayed unencrypted on a public discussion forum, vs the password for your bank account.

One goal of security is to increase the availability of your data to yourself, and whoever else you choose to allow access.
- If the security is inadequate, you can't access your data because the hard disk has been encrypted by malware, or you can't access a website because it is suffering a Denial of Service attack.
- Or perhaps some unauthorized people get their hands on your credit card details
- But if the security is too good, you can't access your data because you keep mistyping your 50-character password, or you have to retype your password every 5 minutes, or you have to remember 5 different passwords to purchase a book online. Or even if the bank suspends payment because you made a purchase from a company you haven't used before...

But I agree that security should be a basic design consideration in all applications.

[tkadm30]

Are we Thinking About Cybersecurity All Wrong?

Yes. In my opinion, cybersecurity should include defensive technology for resisting human-assisted neural devices
weaponization and remote neural monitoring. The technology of remote neural monitoring should be publicly disclosed to avoid cybernetic influences and surveillance of the minds of targeted victims.

[Bored chemist]

Are we Thinking About Cybersecurity All Wrong?

Yes. In my opinion, cybersecurity should include defensive technology for resisting human-assisted neural devices
weaponization and remote neural monitoring. The technology of remote neural monitoring should be publicly disclosed to avoid cybernetic influences and surveillance of the minds of targeted victims.

Don't you think it would be better to employ resources to counter threats that are real, rather than ones yo seem to have invented and have no evidence for?

[syhprum]

To  much security can be counter productive, if a communication channel demands a 20 random character password and locks you out for a day if you get it wrong, what do you do the best solution is write it on a note that you pin to your monitor or leave it in a file on your desk top.
That why the wonder encryption machine Enigma failed because it required idiot proof operators 

[puppypower]

Instead of being defensive, couldn't security be offensive. If someone tries to hack computer, a silent assassin program could be released that will create havoc for the perpetrator; release the dog. It should not be about the good guys figuring out how to survive an assault. It should be about the goods guy putting hurt on the bad guys, if they are bad. This is how you teach the bad guys good behavior. If they wish to gain illegal access, they will need too make portal back to themselves, which will become the portal for mad dog-ware.

[tkadm30]

Don't you think it would be better to employ resources to counter threats that are real, rather than ones yo seem to have invented and have no evidence for?

Neural networks security is real and can be attacked by hackers using human-assisted neural devices to trigger neural responses.

[tkadm30]

EEG Identification Can Steal Your Most Closely Held Secrets: http://spectrum.ieee.org/the-human-os/biomedical/devices/eeg-identification-can-steal-your-most-private-secrets

Who controls your private EEG data collected from your "smart" phone ?

[AndroidNeox (OP)]

There is processing and communications overhead in multiple encryption. The TOR browser does this, and apparently it is fairly slow.

TOR routes through different servers to hide the identity of the user. Traffic is routed between random servers, often in different countries. This isn't necessary for normal security. All that's needed is for the contents of traffic to be secure. Encryption isn't necessarily slow or require large overhead. The problem is that companies don't bother because customers don't insist.

There is also the question of how much security you need for text which will be displayed unencrypted on a public discussion forum, vs the password for your bank account.

How much security the user needs is total. Do you want your public forum identity used to present statements you didn't make? There's no reason for any of the traffic, except for routing information necessary for the active protocol, to be unencrypted. Maybe even that should be protected in private sessions between nodes and routers.

One goal of security is to increase the availability of your data to yourself, and whoever else you choose to allow access.

No, the goal of security is to ensure that nobody can access the data except those who are entitled to it. Minimizing overhead and inconvenience is a design goal but not a goal of security. You don't put locks on your door so that people can enter your home... you put locks on so nobody without a key can enter. You accept the inconvenience in return for the security.

- But if the security is too good, you can't access your data because you keep mistyping your 50-character password, or you have to retype your password every 5 minutes, or you have to remember 5 different passwords to purchase a book online. Or even if the bank suspends payment because you made a purchase from a company you haven't used before...

This is a strawman argument. Nowhere here have I suggested anything so stupid as a 50 character password. I do suggest dual authentications for certain operations.

The extra security should be invisible to the users. All of the technology exists in the public domain. Engineers know how to implement it. The problem is with the business majors and accountants that run companies and customers not demanding security.

Governments will find that their negligence in legislating security requirements has left our global economy wide open.

[AndroidNeox (OP)]

The TOR browser does this, and apparently it is fairly slow.

Encryption doesn't have to be slow. The overhead of TOR isn't local, it's due to routing connections through multiple servers.