Distrust is necessary because the way humans interact with each other differs from the way computers interact with each other
Concept::
Trusting based on authorization only works when components don’t make their own trust decisions
“IRL” criminal attempts are limited by the resources available (how many bank robbers / thieves / muggers / fraudsters can you get working for you at once; how quickly can you identify and focus on potential victims) and by fear of detectability/traceability (how can you avoid being spotted in the attempt and recognised; how do you avoid being informed on).
Electronic criminals can use botnets to attack millions of potential victims at once, with minimal chance of detection and even less chance of follow-up or being traced and caught, and without needing to involve a large number of co-conspirators (& potential informants) in the execution of the plan.
Risk assessments made based on intuition about physical scenarios don’t often extrapolate well to computerised crime.
Even the advice to at least avoid being the low-hanging fruit (“I don’t need to run faster than the bear, just faster than you”) doesn’t fully apply – botnet resources won’t be left idle once one victim is found (password cracked or whatever). To abuse the bear analogy, there are actually 100 bears after us; I need to outrun both you and the 99 bears that will continue chasing me while the other one chows down on your leg.