Disclosure: I am a layman that follows security issues. I regularly read Krebs and Schneier’s blogs and I read (and sometimes participate in) the comments on Schneier’s. Sometimes I can even follow the less arcane discussions! Thus I think I understood most of what you wrote. ;-) [Edit: I also follow the grugq here on Medium. He provides a great high-level view and insight into the security mindset.]
Don’t even get me started on cyber threats vs headline grabbing mass killings and terrorist acts. I don’t need to tell you which threat outweighs the other, nor how bad an idea forensic backdoors are.
I agree with you that common civil liability must supersede click through user agreements that absolve negligent companies. This won’t directly solve the problems of cyber threats, but it sure will incentivize companies to solve them. I don’t think other forms of regulation* are viable — the threat environment changes much too fast.
*except maybe regulations mandating disclosure and transparency when a company is hacked.
PS: I think/hope my password strategy protects against low-level attacks. I use a mix of symbols, numbers, and letters with a minimum key length of 10 characters. They are memorizable by an ordinary person like me, although I only really manage to memorize the ones I use frequently. The others are written down and securely stored offline/air-gapped — not copy-pasted, but actually rewritten onto a device that cannot connect to the Internet.
It’s a bit crude and analog, but I hope it works.
Of course, as you point out, my strategy won’t work and my effort will be for nothing if the companies I trust use poor security measures.