Reply to post: Do not know how yet, but...

Security SEE-SAW: $3 MEEELLION needed to fight a $100k hack

btrower

Do not know how yet, but...

The fact that attack is cheaper than defense is hardly news.

To have reasonable security against attackers you need advice from people you can trust, trustee services from different people you can trust, secure algorithms, secure key sizes, secure hardware, secure storage and internal communication, secure operating systems, secure devices, secure device drivers, secure software, secure external communication and storage, trustworthy users and secure premises.

We don't really have any of the above and all of them are necessary (but still not sufficient) to have a system reasonably resistant to attack.

I am not going to pretend putting the right things in place is easy, but it is doable. The fact that they are not being openly addressed shows me that people who understand don't care and people who care don't understand. Anyone with much understanding knows that all traffic and storage should be encrypted. It is not.

In many security discussions you see something along these lines:

We can verify this with the appropriate keys.

Unfortunately, that is costly.

Solution: Don't verify.

As the Treacherous Computing Asshats have discovered, it is very difficult to secure anything that must be decrypted and then used outside of a controlled environment, especially if part of your agenda is to cripple security otherwise.

As a collective of some 500 million plus people with a vested interest in making things genuinely secure, we can overcome the attack/defense disparity even if it is many orders of magnitude. Step one in getting there is to stop paying the attackers to secure our system.
