And as long as you've got users who'll click on random executables and use their kid's name as a password and share their credentials with someone else, encryption isn't really going to get you very far.
You went from the above in your original post, to whistleblower employees playing Spy vs. Spy in your latest. I humored your first reply by pointing out ways that you can actually layer your security to prevent most data protection breaches, instead of resigning yourself to the fact that users prefer to make their passwords "password", and it's not like there's anything you can do about that... But come on, you're kind of changing the subject here... I specifically said that nothing is 100% effective. I realize that cognitive marvels can memorize things. Or write them down on a notepad. I wasn't talking about that, but then neither were you initially.
Whether you want to acknowledge it or not, in many, many cases and environments, the weakest link is absolutely the sysadmin, who throws up his hands in the midst of his end-users, and does nothing. Rather than the end-users themselves, the vast majority of whom are more likely to click on a random executable than to want to sell the secret formula of New Coke to the highest bidder.
And implementing all sorts of high-tech security isn't going to make it any harder to exploit that weakest link.
I couldn't disagree with you more. Most of the point of IT security is to make it harder for anyone to exploit the user, that user included... so hard that it isn't worth the effort.
If the sysadmin fails to implement counter-measures, it's he who is the weakest link. Because whatever its true effectiveness is, there's ALWAYS a counter-measure. I can think of an industry-standard counter to every single scenario you and others have alluded to here; you had to downshift into a pretty specific hypothetical about someone who willfully chooses to leak data, in order to support your original assertion. It doesn't make it any less misguided to let the sysadmin asleep in the corner off the hook.
Feel free to give yourself the last word here.
And I don't like quoting numbers to several figures accurately...
Feel free not to quote numbers then, and just declare to everyone your "feelings" about things instead. And leave the numbers to people who are actually interested in facts and accuracy, not just in overstating those numbers to win arguments or make vague points about "oil-rich" countries, or Google, or whatever. I, for one, am definitely more interested in looking at the actual data than someone's exaggerated estimations of it. And I think I'm probably in good company on
In the United States, almost 30% of the population has a Bachelor's degree or higher, and again that many have attended university but only have an associate's degree or nothing...
Nowhere in the links provided is "almost 30%" a number. From the above Wikipedia source, "The 2006 American Community Survey conducted by the United States Census Bureau found that 19.5 percent of the population had attended college but had no degree, 7.4 percent held an associate's degree, 17.1 percent held a bachelor's degree, and 9.9 percent held a graduate or professional degree." Even if you decide to sum bachelor's degrees and graduate or professional degrees (since it's entirely feasible that the Census Bureau considers the latter to be a subset of the former), you still come away with 27%. If the country had 300 million people as of 2006, you just overestimated by 9 million residents. And 23% (Arab states) versus 27% (US?) is a mere 4% difference.
I'm not entirely sure what the poster's point was in comparing somewhat inflated/rounded-up numbers of US college graduates with other global regions, and how that makes them dime-a-dozen or whatever, but the actual percentages sourced appear to be closer than they were editorialized to be, in any event.