Dominant discourse.

Since the NSA revelations began coming a couple of times a week for the past month, an all too common set of dialogues has been cropping up again and again and again in practically every forum that one would care to visit. While the discussion itself isn't perfectly replicated the overall pattern is. It goes something like this:

• Brief description of vulnerability. Mitigating tactic.
• Mention of a vulnerability elsewhere in the user's system.
• Description of a slightly more esoteric vulnerability.
• Use another system.
• Encrypt everything.
• Quantum computer.
• Use Tor.
• Tor can't protect against country-level surveillance.
• NSA backdoor.
• The NSA has thousands of 0-day exploits stockpiled for everything from my Commodore-64 to Cray Unicos.
• Mention of a highly esoteric hardware level attack.
• Malware used to surreptitiously dump contents of RAM, including crypto keys.
• Evil Maid Attack.
• Mention of a backdoored software development chain compromising the software as it's compiled.
• See? I told you! NSA backdoor!
• Open source software is safer.
• CryptoCat vulnerability that received stupid amounts of press coverage.
• Mention of circuitry backdoored at the factory.
• Link to unclassified US military research paper about backdoored circuitry discovered in the field.
• We're all screwed.
• User never posts again, presumably because they've given up on the Internet.

The implicit assumption here is that every single user on the Net is being overseen by a neigh omniscent government agency that, at the drop of a hat will crack your computer and go rifling through everything you've ever written, posted, sent, or thought to look for a reason to throw a black bag over your head and drag you to Guantanamo Bay. There is no way to prove or disprove such an assertion, just as there is no way to prove or disprove that a particular server hasn't been compromised. There is a further assumption that everybody online - you, me, your friendly neighborhood sysadmin, the folks who run your ISP, and everybody else out there - are presumed to be potentially dangerous, which is why we're all under surveillance. I can't refuse that assertion, either, because there is a wealth of evidence that suggests that this is, in fact the case. When you have a state apparatus trying to fight a fourth generation war but the very nature of the world we live in now operates in a fifth generation mode by default, the only real strategy that has any hope of succeeding is to treat everybody as a potential enemy combatant. In all of these discussions, very few people (if any) openly talk about risk management, or the process of figuring out what risks you're taking with a given hardware and software configuration, which are high, medium, or low priority, which are irrelevant, and figuring out what to do about it. Any vulnerability that we know of is assumed to be actively and aggressively exploited by agencies unknown (read: intelligence agencies) for the purpose of information collection. Any shred of basic common sense (such as installing updates when they're made available) never even blows past the discussion, and if it does nobody seems to notice (they certainly don't respond if they see it). News flash, denizens of the Internet: Nothing is perfect. Nothing. People seem to want to eliminate any and all risk entirely, i.e., they want perfect safety and security. There is no such thing, nor will there ever be such a thing. None of the existing models, from time based security to language theoretic security to game theory say anything about eliminating the possibility of being pwned. Risks and dangers can be analyzed, mitigated, and planned for but you can never catch all of the edge and corner cases. Another implicit assumption made in this body of discourse seem to be that all of everybody's encrypted comms are being decrypted and read for content, when in fact this is only half true. For all intents and purposes, all of our comms are, in fact, being inter