I greatly respect Geer. He has done much good. He has been a stalwart guide. The advice he offers is hard-won and mostly solid.
I am also a security professional. Geer's expertise dwarfs mine. But I take exception to a couple of his views.
First and foremost, we differ on the fundamental definition of Security. Geer says:
".. that is to say that one is in a state of security, if and only if there can be no unmitigatable surprises."
Thus Geer would say that somebody on Death Row has attained security. He knows exactly what will happen to him. There will be no surprises. While this may be a form of security, it is not a desirable one. Another consequence of this world-view is that you are driven to seek knowledge of your environment. And if your environment is unknowable, then you cannot be secure.
The view of Security that we practice is fundamentally different. We teach:
Security is a MEANINGFUL Assurance that YOUR goals are being Accomplished
We feel that this view is superior because it guides you to effective action.
It saddens me to see that Geer seems to be giving up. Perhaps he has been forced into so many untenable positions that he needs a rest. But giving up is not good advice.
Geer concludes with:
"There are no people sadder but wiser about the scale and scope of the attack surface you get when you connect everything to everything and give up your prior ability to do without. Until such people are available, I will busy myself with reducing my dependence on, and thus my risk exposure to, the digital world even though that will be mistaken for curmudgeonly nostalgia. Call that misrepresentation, if you like."
So long Geer. Thanks for all the good advice. Forgive me if I continue to think we can make a difference.