The computer security industry has sometimes been compared unfavourably to the fashion industry, putting up flamboyant defences where it doesn't make any difference while paying no attention to the open barn door behind the curtain.
Why do we allow three retries for passwords instead of two, or four, or thirty-eight? How effective are SSH fingerprints? And how's the ol' PKI thing doing?
This talk will look at some widespread examples of defending where the enemy isn't, including the underlying threat models (or lack thereof), the effectiveness of the defences, and the real-world pressures and externalities that affect them, along with various modest proposals for alternative approaches.