CattleGrid News

THE WISDOM OF FOOLISHNESS

Author: Rob Harrison

Cybersecurity Ideas the Establishment Got Wrong

Contents

1. Public-Key Cryptography — The “Fool’s Errand” That Secured the Internet

2. The Crypto Wars — When Encryption Was a Crime

3. Zero Trust — From “Neat But Impractical” to Presidential Executive Order

4. Full Disclosure — “Information Anarchy” That Saved Us All

5. Penetration Testing — “You Want to Pay Someone to Hack Us?”

6. Bug Bounties — Paying Strangers to Break Your Software

7. Multi-Factor Authentication — “Too Inconvenient” to Bother With

8. Open Source Security — “You’re Giving Attackers the Blueprint!”

9. The Pattern — Why the Establishment Always Gets It Wrong First

Post 1: Public-Key Cryptography — The “Fool’s Errand” That Secured the Internet

They told him he was wasting his time.

When Martin Hellman began his research into public-key cryptography in the 1970s, his colleagues told him it was a fool’s errand. The NSA tried to suppress the work: an NSA employee warned the IEEE that presenting Stanford’s cryptography results at an IEEE symposium could violate export-control law (ITAR). When MIT’s Ron Rivest published the RSA paper, elements within the NSA urged that it be seized and classified.

But here’s the part that really stings for the establishment:

GCHQ in the UK got there first. James Ellis described the possibility of “non-secret encryption” in 1970. Clifford Cocks devised what is essentially the RSA scheme in 1973, and Malcolm Williamson worked out the equivalent of Diffie-Hellman key exchange. But GCHQ’s senior managers were not farsighted enough to see the digital revolution coming. They dismissed it as impractical, and the work stayed classified until 1997, 27 years later. By the early 1980s, they were regretting that decision.

The NSA’s initial reaction to civilian PKC? Amazement that it was created outside government, and recognition of its power as “a weapon of war.”

Hellman later coined the phrase “the wisdom of foolishness.” He’s since asked six Nobel laureates whether their prize-winning work was initially encouraged or discouraged. Five of six were firmly in the “foolish, crazy, never go anywhere” camp.

Today, public-key cryptography underpins practically every secure transaction on the internet: TLS (formerly SSL), digital signatures, online banking, e-commerce, all of it.

The next time someone tells you an idea is stupid, remember: the entire digital economy runs on something that every expert said would never work.

References:

Hellman, M. (2025) “Federal Funding of Public Key Cryptography” — Communications of the ACM

https://cacm.acm.org/federal-funding-of-academic-research/federal-funding-of-public-key-cryptography

Singh, S. “The Alternative History of Public-Key Cryptography” — Cryptome

https://cryptome.org/ukpk-alt.htm

National Academies Press — “A Brief History of Cryptography Policy”

https://nap.nationalacademies.org/read/5131/chapter/19

FindLaw — “30 Years of Public Key Cryptography”

https://www.findlaw.com/legal/technology/legal-software/30-years-of-public-key-cryptography.html


Post 2: The Crypto Wars — When Encryption Was a Crime

In the 1990s, the US government classified encryption as a weapon of war.

Not metaphorically. Literally. Cryptographic software was listed alongside missiles and tanks on the US Munitions List, and exporting strong encryption without a licence was a federal offence.

When Phil Zimmermann released PGP (Pretty Good Privacy) in 1991, giving ordinary people access to strong encryption, the US Justice Department opened a criminal investigation that ran for three years. His alleged crime? Exporting munitions. Government officials argued that his software would be used by criminals and child abusers.

The establishment’s grand plan was the Clipper Chip: NSA-designed encryption hardware with a built-in government backdoor. Each chip’s key would be held in escrow by government agencies so that law enforcement could decrypt on demand. The Clinton administration pushed it hard.

It was a disaster. Cryptographer Matt Blaze showed in 1994 that the escrow mechanism could be defeated: the chip’s Law Enforcement Access Field could be forged so that the government could not decrypt, leaving users with the encryption but without the backdoor. The tech industry, privacy advocates and academics united against it. The Association for Computing Machinery urged the government to withdraw the proposal outright.

Meanwhile, the NSA had weakened the Data Encryption Standard. IBM’s original Lucifer design used 128-bit keys; the DES key was cut to 56 bits, a length Diffie and Hellman argued in 1977 was already within reach of a purpose-built brute-force machine. The EFF’s DES Cracker proved the point in 1998, recovering a key in under three days.

In September 1999 the government announced a complete reversal (the new regulations took effect in January 2000), removing virtually all restrictions on the export of strong encryption. As journalist Steven Levy wrote: “It was official: public crypto was our friend.”

Today, strong encryption is the foundation of the entire digital economy. Every online banking session, every e-commerce transaction, every private message, all protected by the very technology the establishment tried to criminalise.

References:

Wikipedia — “Crypto Wars”

https://en.wikipedia.org/wiki/Crypto_Wars

New America — “Doomed to Repeat History? Lessons from the Crypto Wars of the 1990s”

https://www.newamerica.org/cybersecurity-initiative/policy-papers/doomed-to-repeat-history-lessons-from-the-crypto-wars-of-the-1990s

Reason — “When Encryption Was a Crime” (2020)

https://reason.com/video/2020/10/21/cryptowars-gilmore-zimmermann-cryptography


Post 3: Zero Trust — From “Neat But Impractical” to Presidential Executive Order

For decades, cybersecurity worked like a castle with a moat.

Build a big wall (the firewall). Put everything valuable inside. Trust everyone who gets through the gate. This was gospel, and anyone who questioned it was dismissed.

In 1994, Stephen Paul Marsh used the phrase “zero trust” in his doctoral thesis at the University of Stirling, a formal treatment of trust as a computational concept. Applied to networks, the idea is simple: stop trusting things just because they are inside your network. The response from the industry? Silence, then dismissal.

In 2004, the Jericho Forum, with Paul Simmonds among its founders, popularised “deperimeterisation” and argued that the castle-and-moat model was fundamentally broken. Most exploits would bypass perimeter security easily, Simmonds said; building a harder wall was a losing battle.

John Kindervag at Forrester formalised the term “Zero Trust” in 2010, writing: “Information security professionals must eliminate the soft chewy centre by making security ubiquitous throughout the network, not just at the perimeter.”

The industry’s reaction? A niche academic concept. Too complex. Too disruptive. Users would revolt.

Then Google published BeyondCorp in 2014, widely credited with transforming Zero Trust from “a neat but impractical idea” into “an urgent mandate”. Google had built it in response to Operation Aurora, the 2009 intrusion attributed to China, which proved that the perimeter model was fatally flawed.

Users did initially resist. They complained about extra authentication prompts. They wanted more access than they needed.

Then reality hit. Breach after breach showed that once attackers got inside the perimeter, they had the run of the place.
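The difference between the two models in code, as an added example that is not part of the original post: each request is evaluated first the castle-and-moat way (a source address inside the network means trusted) and then the Zero Trust way (an authenticated identity with a second factor, an attested device in a healthy state, and a per-resource least-privilege policy, with network location never consulted). All users, devices, address ranges and policy rules are constructed for illustration.

```python
"""Perimeter trust versus Zero Trust access decisions.

Added example (not from the original post). Every name, network range,
device record and policy rule below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- Castle and moat: trust is a property of the source address ---
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Request:
    src_ip: str
    user: Optional[str]       # identity proven by a credential, None if none presented
    mfa: bool                 # whether that credential included a second factor
    device_id: Optional[str]  # identity of the attested device, None if unknown
    resource: str
    action: str


def perimeter_allows(req: Request) -> bool:
    """Castle and moat: anything that reaches us from an inside address is trusted."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in INTERNAL_NETS)


# --- Zero Trust: identity, device posture and least privilege, per request ---
# Constructed inventory and policy tables.
MANAGED_DEVICES = {
    "lt-0451": {"disk_encrypted": True, "patched": True},
    "lt-0452": {"disk_encrypted": True, "patched": True},
    "lt-0777": {"disk_encrypted": True, "patched": False},
}
USER_ROLES = {"alice": {"finance"}, "bob": {"engineering"}}
# (resource, action) -> roles permitted to perform it
POLICY = {
    ("payroll-db", "read"): {"finance"},
    ("payroll-db", "write"): {"finance"},
    ("source-repo", "read"): {"engineering"},
}


def zero_trust_allows(req: Request) -> Tuple[bool, str]:
    """Return (decision, reason). The source address is never consulted."""
    if req.user is None or req.user not in USER_ROLES:
        return False, "no authenticated identity"
    if not req.mfa:
        return False, "identity not proven with a second factor"
    device = MANAGED_DEVICES.get(req.device_id or "")
    if device is None:
        return False, "unmanaged or unattested device"
    if not (device["disk_encrypted"] and device["patched"]):
        return False, "device posture check failed"
    allowed_roles = POLICY.get((req.resource, req.action), set())
    if not USER_ROLES[req.user] & allowed_roles:
        return False, f"{req.user} is not authorised to {req.action} {req.resource}"
    return True, "identity, device and policy checks passed"


def compare(requests: List[Request]) -> List[Tuple[bool, bool]]:
    """Decision under both models for each request: (perimeter, zero_trust)."""
    return [(perimeter_allows(r), zero_trust_allows(r)[0]) for r in requests]


# Constructed scenarios.
SCENARIOS = [
    # 1. Attacker on a compromised workstation: inside address, no credential at all.
    Request("10.20.30.40", None, False, None, "payroll-db", "read"),
    # 2. Finance user in a coffee shop with MFA and a healthy managed laptop.
    Request("203.0.113.7", "alice", True, "lt-0451", "payroll-db", "read"),
    # 3. Engineer inside the office, fully authenticated, but not entitled to payroll data.
    Request("10.1.1.5", "bob", True, "lt-0452", "payroll-db", "read"),
    # 4. Finance user inside the office on an unpatched laptop.
    Request("10.1.1.9", "alice", True, "lt-0777", "payroll-db", "write"),
]

if __name__ == "__main__":
    for req, (perim, zt) in zip(SCENARIOS, compare(SCENARIOS)):
        reason = zero_trust_allows(req)[1]
        print(f"{req.src_ip:>13} {str(req.user):>6}  perimeter={perim!s:5} zero_trust={zt!s:5}  ({reason})")
```

Scenario 1 is the “run of the place” failure: the perimeter model admits an attacker who merely has an inside address, while Zero Trust denies for want of an identity. Scenario 2 is the inverse, a legitimate user outside the wall. Scenarios 3 and 4 show that being inside the network buys nothing under Zero Trust if the role or the device posture does not satisfy the policy.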

In May 2021, President Biden’s Executive Order 14028 directed federal agencies to move towards a Zero Trust architecture. Okta reported in 2023 that 61% of organisations globally now have a defined Zero Trust initiative, up from just 16% in 2018.

From laughable to federal mandate in roughly a decade.

References:

1Password — “The History, Evolution, and Controversies of Zero Trust”

https://blog.1password.com/history-of-zero-trust

Censys — “The Evolution of the Zero Trust Framework: The Origins”

https://censys.com/blog/the-evolution-of-the-zero-trust-framework-the-origins

ISC2 — “15 Years of Zero Trust” (2025)

https://www.isc2.org/Insights/2025/10/15-Years-of-Zero-Trust

SecurityWeek — “Zero Trust Is 15 Years Old” (2025)

https://www.securityweek.com/zero-trust-is-15-years-old-why-full-adoption-is-worth-the-struggle


Post 4: Full Disclosure — “Information Anarchy” That Saved Us All

Microsoft’s Scott Culp, then running its security response centre, called it “information anarchy” in 2001.

The idea was simple: when you find a security vulnerability, tell the world. Don’t quietly whisper to the vendor and hope they fix it. Publish the details. Let everyone, defenders and attackers alike, know.

The establishment went apoplectic.

This debate is older than computers. At the Great Exhibition of 1851, American locksmith Alfred Hobbs picked the Bramah and Chubb locks, both sold as unpickable. Lock manufacturers argued that publishing such knowledge would help criminals. Hobbs argued the opposite: rogues already knew the tricks, so secrecy only left honest people defenceless.

In the software world, the same battle played out for decades. Before full disclosure became the norm, researchers would privately report vulnerabilities to software companies, who would ignore them. Some vendors threatened researchers with legal action if they went public. Why spend money fixing a bug nobody knows about?

Bruce Schneier put it bluntly: “Full disclosure, the practice of making the details of security vulnerabilities public, is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure.”

The vendors eventually proposed “responsible disclosure”, a private grace period before going public. But as Schneier noted, this only works because full disclosure remains the threat. Without that pressure, vendors go back to ignoring problems.

Today, coordinated vulnerability disclosure is the industry standard. Google’s Project Zero enforces a 90-day deadline. CISA actively supports disclosure programmes. Bug bounty platforms formalise the entire process. Nearly every major software company now runs a vulnerability disclosure programme.

All because a few “irresponsible” researchers refused to keep quiet.

References:

Wikipedia — “Full Disclosure (Computer Security)”

https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)

Schneier, B. (2007) “Full Disclosure of Security Vulnerabilities a ‘Damned Good Idea'”

Markkula Center for Applied Ethics — “The Vulnerability Disclosure Debate”

https://www.scu.edu/ethics/focus-areas/business-ethics/resources/the-vulnerability-disclosure-debate


Post 5: Penetration Testing — “You Want to Pay Someone to Hack Us?”

Imagine walking into a 1980s boardroom and saying: “I’d like to hire someone to break into our computer systems.”

You’d have been shown the door.

Yet the concept dates back to 1967, when Willis Ware of the RAND Corporation warned that private companies wouldn’t invest enough to keep determined outsiders from accessing their data. His paper “Security and Privacy in Computer Systems” became a manifesto for the cybersecurity industry.

The military got it first. In the early 1970s the US Air Force commissioned security testing of time-shared computer systems, and by the mid-1970s “tiger teams”, specialised groups tasked with stress-testing security, were running formal penetration tests. In 1974, Air Force evaluators Paul Karger and Roger Schell published their security evaluation of Multics, one of the first documented white-hat attacks on a production operating system, revealing critical flaws.

But for the private sector? The very idea was absurd. Why would you deliberately attack your own systems? Why would you trust an outsider with that access? The prevailing wisdom was simple: build stronger defences, don’t invite people to test them.

The term “ethical hacker” was considered an oxymoron. Hackers were criminals, full stop. The US Computer Fraud and Abuse Act of 1986 turns on “authorisation”, so any testing that strayed beyond a clearly documented scope risked prosecution, and pen testing sat in a legal grey area for years.

It took decades of catastrophic breaches to change minds. The private sector eventually realised that if you don’t test your own defences, someone else will, and they won’t ask permission first.

Today, the global penetration testing market is projected to exceed $5 billion a year by 2031. Certifications such as CEH and OSCP are mainstream career paths. Red teams, purple teams and continuous testing are standard practice.

From boardroom joke to billion-dollar industry.

References:

Cybersecurity Ventures — “The History of Ethical Hacking and Penetration Testing” (2025)

Cyphere — “The History of Penetration Testing” (2025)

https://thecyphere.com/blog/history-of-penetration-testing

Infosec Institute — “The History of Penetration Testing”

https://www.infosecinstitute.com/resources/penetration-testing/the-history-of-penetration-testing


Post 6: Bug Bounties — Paying Strangers to Break Your Software

“You want to pay random people on the internet to hack us?”

That was the reaction most companies had to the idea of bug bounty programmes for over a decade.

Netscape launched the very first one on 10 October 1995, offering cash rewards for bugs found in the Navigator 2.0 beta. It was considered a novelty, an experiment by a scrappy browser company. Nobody followed suit.

For nearly ten years the idea lay dormant. Mozilla picked it up in 2004, offering $500 for critical vulnerabilities in Firefox. A few intermediaries, iDefense and later TippingPoint’s Zero Day Initiative, bridged the gap by buying vulnerabilities from researchers and passing them to vendors.

But the mainstream tech industry? They were horrified by the concept. Companies feared that inviting external researchers would expose them to more vulnerabilities, not fewer. The idea that outsiders could find things your own security team couldn’t was an insult to internal capabilities.

Google changed everything in 2010 with its Vulnerability Reward Programme. Facebook followed in 2011 with its Whitehat programme, which set a minimum payout but no maximum. Suddenly, the world’s biggest tech companies were openly paying strangers to break their software.

The US Department of Defense launched “Hack the Pentagon” in 2016, the first federal bug bounty programme. The same government that had once classified encryption as a munition was now inviting hackers to attack its own infrastructure.

Today, platforms like HackerOne and Bugcrowd are mainstream. Thousands of organisations run continuous programmes. The US DoD has run over 40 bug bounty programmes, engaging 1,400+ researchers who’ve found 2,100+ vulnerabilities.

From absurd to essential in 20 years.

References:

Wikipedia — “Bug Bounty Program”

https://en.wikipedia.org/wiki/Bug_bounty_program

Cobalt — “The History of Bug Bounty Programs”

https://www.cobalt.io/blog/the-history-of-bug-bounty-programs

Intigriti — “A History of Bug Bounty Programs & Incentivised Vulnerability Disclosure”

https://blog.intigriti.com/cybersecurity-news/history-bug-bounty-programs


Post 7: Multi-Factor Authentication — “Too Inconvenient” to Bother With

For years, the cybersecurity establishment treated passwords as good enough.

When multi-factor authentication was first proposed for mainstream use, the pushback was immediate and fierce, and it came not from attackers but from the very organisations it was designed to protect.

“Too inconvenient.” “Users will revolt.” “It’ll kill productivity.” “The cost isn’t justified.”

Even when the US Federal Financial Institutions Examination Council called for stronger-than-password authentication for online banking in 2005, many vendors gamed the system, promoting security questions and “secret images” as “multi-factor” authentication. The FFIEC had to issue supplemental guidance in 2006 to spell out that two things the user knows are still only one factor: a second factor has to be something the user has or something the user is.

The resistance was so deep that when companies implemented MFA but made it optional, adoption rates were abysmal. People took the path of least resistance every time.

It took an extraordinary parade of breaches, each exposing millions of credentials, to shift the conversation. Stolen credentials became the single most common initial attack vector, responsible for around 10% of data breaches according to IBM’s breach research.

In 2016, President Obama published an op-ed calling for a national campaign to move Americans beyond passwords. CISA now states that MFA makes an account 99% less likely to be compromised.

Today, MFA is effectively mandatory for any serious security posture. Major platforms enforce it. Regulators require it. Cyber insurance demands it. The technology that was “too inconvenient” is now the bare minimum.

The most common password in use today is still 123456. The establishment was wrong to wait this long.

References:

CISA — “Multifactor Authentication”

https://www.cisa.gov/topics/cybersecurity-best-practices/multifactor-authentication

IBM — “What is MFA (Multifactor Authentication)?”

https://www.ibm.com/think/topics/multi-factor-authentication

Wikipedia — “Multi-factor Authentication”

https://en.wikipedia.org/wiki/Multi-factor_authentication

SailPoint — “What is Multi-Factor Authentication (MFA)?”

https://www.sailpoint.com/identity-library/what-is-multi-factor-authentication


Post 8: Open Source Security — “You’re Giving Attackers the Blueprint!”

“If attackers can read the source code, they’ll find all the vulnerabilities!”

This was the dominant argument against open-source security software for decades. The establishment believed fervently in “security through obscurity”: if nobody can see how your system works, nobody can break it.

This debate is far older than computing.

In 1883, the Dutch-born cryptographer Auguste Kerckhoffs published a principle that became foundational to modern cryptography: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Claude Shannon restated it in 1949 as “the enemy knows the system”, yet much of the industry ignored it for a century.

In 1851, locksmith Alfred Hobbs picked the Bramah and Chubb locks at the Great Exhibition, locks whose makers had insisted that secrecy of design was their primary defence. The manufacturers were furious. The public was enlightened.

When open-source software began gaining traction in the 1990s, the establishment’s reaction was predictable: publishing source code gives attackers a blueprint. Microsoft, in particular, championed the closed-source model as inherently more secure.

The US Department of Defense eventually dismantled this argument directly: “Hiding source code does inhibit the ability of third parties to respond to vulnerabilities, but this is obviously not a security advantage.”

Decades of evidence now support the transparency advocates. Linux, with fully public source code, is at least as secure as its closed-source alternatives. The world’s most trusted algorithms, AES, RSA and ChaCha20, are all public; their security rests on mathematics and on keeping the key secret, not on hiding the design.
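The same point in working code, as an added example that is not part of the original posts: a toy Diffie-Hellman exchange (the scheme Williamson and Hellman arrived at, from Post 1) in which the group parameters and both public values are fully exposed, exactly as Kerckhoffs demands, and only the two private exponents are secret. The parameters P and G and all function names are constructed for illustration; P is a deliberately tiny safe prime so that the eavesdropper’s brute-force discrete logarithm actually finishes, which is precisely why real deployments use 2048-bit or larger groups (for instance the RFC 3526 MODP groups) or elliptic curves, where the same computation is infeasible.

```python
"""Toy Diffie-Hellman key exchange in a deliberately small group.

Added example (not from the original posts). P and G are constructed for
illustration: P = 4079 is a safe prime (P = 2*Q + 1 with Q = 2039 prime)
and G = 2 generates the subgroup of order Q. Real deployments use
2048-bit or larger groups or elliptic-curve groups; the protocol is the same.
"""
import secrets
from typing import Dict, Optional, Tuple

P = 4079
Q = (P - 1) // 2
G = 2


def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy-sized parameters used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def check_group(p: int = P, g: int = G) -> bool:
    """Kerckhoffs in practice: the parameters are public, so anyone can verify them."""
    q = (p - 1) // 2
    return is_prime(p) and is_prime(q) and 1 < g < p - 1 and pow(g, q, p) == 1


def keypair(priv: Optional[int] = None, p: int = P, g: int = G) -> Tuple[int, int]:
    """Return (private exponent, public value). Only the private exponent is secret."""
    q = (p - 1) // 2
    if priv is None:
        priv = secrets.randbelow(q - 1) + 1  # uniform in [1, q-1]
    return priv, pow(g, priv, p)


def shared_secret(their_pub: int, my_priv: int, p: int = P) -> int:
    """Derive the shared value, refusing invalid public values first.

    A value outside the prime-order subgroup (1 and p-1 included) would let a
    malicious peer force the result into a tiny set, so it is rejected.
    """
    q = (p - 1) // 2
    if not 1 < their_pub < p - 1 or pow(their_pub, q, p) != 1:
        raise ValueError("invalid public value")
    return pow(their_pub, my_priv, p)


def run_exchange(alice_priv: Optional[int] = None,
                 bob_priv: Optional[int] = None) -> Dict[str, int]:
    """Both sides' messages: only A and B cross the wire; p and g are public anyway."""
    a, A = keypair(alice_priv)
    b, B = keypair(bob_priv)
    k_alice = shared_secret(B, a)  # Alice computes B^a = g^(ab)
    k_bob = shared_secret(A, b)    # Bob computes A^b = g^(ab)
    assert k_alice == k_bob
    return {"A": A, "B": B, "alice_secret": k_alice, "bob_secret": k_bob}


def brute_force_dlog(pub: int, p: int = P, g: int = G) -> int:
    """What an eavesdropper must do: recover x from g^x mod p.

    O(q) multiplications here; for a 2048-bit group the same loop would never finish.
    """
    q = (p - 1) // 2
    acc = 1
    for x in range(1, q):
        acc = acc * g % p
        if acc == pub:
            return x
    raise ValueError("no discrete log found")


def eavesdrop(transcript: Dict[str, int]) -> int:
    """Recover the shared secret from the public transcript alone (toy group only)."""
    a = brute_force_dlog(transcript["A"])
    return pow(transcript["B"], a, P)


if __name__ == "__main__":
    assert check_group()
    t = run_exchange()
    print("public on the wire: A =", t["A"], "B =", t["B"])
    print("shared secret:", t["alice_secret"], " eavesdropper recovers:", eavesdrop(t))
```

Nothing about the algorithm is hidden, and it does not need to be: the only secret-dependent step is the private exponent, and the attacker’s cost is set by the size of the group, not by the obscurity of the design. The check in shared_secret is the caveat a practitioner should carry over to real implementations, since accepting an arbitrary public value is the classic way a textbook Diffie-Hellman goes wrong.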

Today, open-source tools form the backbone of cybersecurity: Snort, Nmap, Metasploit, Wireshark, the entire Linux ecosystem. GitHub estimates open source is the foundation of 99% of the world’s software.

Kerckhoffs was right in 1883. It took the industry over a century to catch up.

References:

Okta — “Security Through Obscurity: History, Criticism & Risks”

https://www.okta.com/identity-101/security-through-obscurity

ACM — “Increased Security Through Open Source”

https://cacm.acm.org/research/increased-security-through-open-source

The New Stack — “Open Source Propels the Fall of Security by Obscurity”

https://thenewstack.io/open-source-propels-the-fall-of-security-by-obscurity

Schneier, B. — “Open-Source Software Feels Insecure”


Post 9: The Pattern — Why the Establishment Always Gets It Wrong First

Over the past eight posts, I’ve told the stories of cybersecurity ideas that were dismissed, ridiculed, suppressed or criminalised by the establishment, and which are now the standard tools we all rely on.

Public-key cryptography — colleagues called it a fool’s errand

Strong civilian encryption — classified as a weapon of war

Zero Trust — dismissed as neat but impractical

Full disclosure — branded “information anarchy”

Penetration testing — a boardroom joke

Bug bounties — paying strangers to hack you?

Multi-factor authentication — too inconvenient

Open-source security — giving attackers the blueprint

The pattern is remarkably consistent:

1. An outsider proposes something contrarian

2. The establishment dismisses it: through ridicule, legal threats, classification, or silence

3. Reality forces the issue: breaches, economic pressure, or technological change

4. The “stupid” idea becomes standard practice: often mandated by the very people who fought it

Martin Hellman coined it “the wisdom of foolishness.” He asked six Nobel laureates whether their prize-winning work was initially encouraged. Five of six said it was dismissed as foolish.

So what’s the lesson for today?

Right now, there are ideas being dismissed that will be standard practice in ten years. AI data loss prevention. Data sovereignty enforcement. Outbound API inspection. Ephemeral processing architectures.

The next time you hear “that’s not how we do things” or “that’s not practical” or “nobody needs that” — remember that every critical security tool we use today was once called exactly the same thing.

There’s another thread running through every one of these stories: the concepts were simple, but making them work was brutally hard.

Public-key cryptography is elegant mathematics — but implementing it securely at scale took decades. Zero Trust is two words — but re-architecting enterprise networks around it is an enormous engineering challenge. Full disclosure sounds obvious — but building the coordinated processes around it took years of painful iteration.

Simple to explain. Ferociously difficult to build.

That’s exactly where CattleGrid sits today. The concept is straightforward: inspect what your organisation sends to AI providers and stop sensitive data from leaking. Simple.

But under the bonnet? Compliance detection accuracy. Sub-millisecond latency. Complete invisibility to end users. European data sovereignty. Ephemeral processing that never writes your data to disk. That’s the hard part — and CattleGrid has done that work for you.

The question isn’t whether the establishment is wrong about something right now. It’s what they’re wrong about.