"I don't expect an overnight change of all desktops to what the US Military used to call B3 level security. And even that would not stop users from shooting themselves into the foot"
About this Quote
Venema is doing what great security people do: puncturing the fantasy that safety is a product you install. The nod to “B3 level security” is a deliberately nerdy flash of authority - a reference to the old U.S. military security classifications that evoke locked-down, audited, high-assurance systems. By choosing that benchmark, he signals both competence and restraint. He’s not promising utopia; he’s reminding you what utopia would cost.
The sentence turns on a quiet double move. First, he concedes the obvious political reality: desktops are messy, heterogeneous, and owned by everyone from teenagers to CFOs. “Overnight change” is a jab at the recurring industry ritual where vendors, policymakers, or pundits announce that one big upgrade, one new standard, one “secure by design” pivot will fix it. Then he undercuts even the hardline alternative. Even if you could wave a wand and get B3-grade controls on every machine, people would still “shoot themselves into the foot.” The clunky phrasing is almost purposeful; it mirrors the blunt inevitability of user-driven failure.
Subtext: security isn’t only a technical property, it’s a behavioral system under constant pressure from convenience, incentives, and misunderstanding. Venema isn’t blaming users so much as rejecting the scapegoat logic of “just lock it down.” He’s arguing for humility: threat models that include human error, designs that anticipate self-sabotage, and a culture that treats security as continuous risk management, not a finish line with a military label.
Quote Details
| Topic | Privacy & Cybersecurity |
|---|---|


