
Secrets and Lies: Digital Security in a Networked World QUOTES

"If you do enough threat modeling, you start noticing all kinds of instances where people get the threat profoundly wrong:

* The cell phone industry spent a lot of money designing their systems to detect fraud, but they misunderstood the threat. They thought the criminals would steal cell phone service to avoid paying the charge. Actually, what the criminals wanted was anonymity; they didn't want cell phone calls traced back to them. Cell phone identities are stolen off the air, used a few times, and then thrown away. The antifraud system wasn't designed to catch this kind of fraud.

* The same cell phone industry, back in the analog days, didn't bother securing the connection because (as they said): 'scanners are expensive, and rare.' Over the years, scanners became cheap and plentiful. Then, in a remarkable display of not getting it, the same industry didn't bother securing digital cell phone connections because 'digital scanners are expensive, and rare.' Guess what? They're getting cheaper, and more plentiful.

* Hackers often trade hacking tools on Web sites and bulletin boards. Some of those hacking tools are themselves infected with Back Orifice, giving the tool writer access to the hacker's computer. Aristotle called this kind of thing 'poetic justice.'

[...]

These attacks are interesting not because of flaws in the countermeasures, but because of flaws in the threat model. In all of these cases, there were countermeasures in place; they just didn't solve the correct problem. Instead, they solved some problem near the correct problem. And in some cases, the solutions created worse problems than they solved."

Bruce Schneier, Secrets and Lies: Digital Security in a Networked World
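The first cell phone example in the quote can be made concrete in code. This is an added illustration, not from the book or its author: a fraud rule built for the theft-of-service threat model beside one built for the anonymity threat model, both run over constructed call records. The identities, cell-site names, geography and thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not from the book: one call as a carrier might log it (constructed fields).
@dataclass(frozen=True)
class Call:
    identity: str       # subscriber identity as seen by the network
    start: datetime
    minutes: int        # billed airtime
    cell: str           # cell site that carried the call

# Constructed sample: "sub-A" is a heavy but legitimate user; "sub-B" is a light user whose
# identity was captured off the air and used once from a distant cell site.
T0 = datetime(2024, 1, 1, 9, 0)
CALLS = [
    Call("sub-A", T0, 45, "cell-north"),
    Call("sub-A", T0 + timedelta(hours=1), 50, "cell-north"),
    Call("sub-A", T0 + timedelta(hours=3), 40, "cell-north"),
    Call("sub-B", T0, 5, "cell-north"),
    Call("sub-B", T0 + timedelta(minutes=10), 3, "cell-south"),  # the stolen identity in use
    Call("sub-B", T0 + timedelta(hours=5), 6, "cell-north"),
]
FAR_APART = {frozenset(("cell-north", "cell-south"))}  # assumed geography
MIN_TRAVEL = timedelta(minutes=30)                      # assumed travel time between them

def theft_of_service_detector(calls, daily_minutes=120):
    """The rule the industry built: flag identities running up a big bill. On the
    sample it flags the legitimate heavy user and never sees the cloned identity."""
    minutes = defaultdict(int)
    for c in calls:
        minutes[c.identity] += c.minutes
    return {ident for ident, m in minutes.items() if m > daily_minutes}

def cloned_identity_detector(calls, far_apart=FAR_APART, min_travel=MIN_TRAVEL):
    """A rule for the threat that actually occurred: a captured identity used a few
    times from elsewhere. Airtime stays low, so look for two calls on one identity that
    overlap in time or come from far-apart cells faster than anyone could travel."""
    by_identity = defaultdict(list)
    for c in calls:
        by_identity[c.identity].append(c)
    flagged = set()
    for ident, cs in by_identity.items():
        cs.sort(key=lambda c: c.start)
        for a, b in zip(cs, cs[1:]):
            overlap = b.start < a.start + timedelta(minutes=a.minutes)
            too_fast = frozenset((a.cell, b.cell)) in far_apart and b.start - a.start < min_travel
            if overlap or too_fast:
                flagged.add(ident)
    return flagged
```

Both rules are "countermeasures in place"; only the second one is aimed at the problem the quote says actually occurred.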