Based in San Francisco Bay Area, Securesql is a blog by John Menerick. His insights dissect complex systems, offering a masterclass in cyber guardianship through expert analysis and cutting-edge protective strategies.

Security quotes

"Two can keep a secret if one is dead."

-- Unknown

"How you can tell an extrovert from an introvert at NSA? In the elevators? The extroverts look at the OTHER guy's shoes."

-- Steven Aftergood, e-mail to Cryptography mailing list, 6/11/02.

"There's no reason to treat software any differently from other products. Today Firestone can produce a tire with a single systemic flaw and they're liable, but Microsoft can produce an operating system with multiple systemic flaws discovered per week and not be liable. This makes no sense, and it's the primary reason security is so bad today."

-- Bruce Schneier, Cryptogram, 16/04/2002.

"The present need for security products far exceeds the number of individuals capable of designing secure systems. Consequently, industry has resorted to employing folks and purchasing "solutions" from vendors that shouldn't be let near a project involving securing a system."

-- Lucky Green

"The problem isn't the Internet. The problem is the horribly insecure computers attached to the Internet. I would rather rewrite Windows than TCP/IP."

-- Bruce Schneier, Netcraft interview, 13/8/04.

"People who are willing to rely on the government to keep them safe are pretty much standing on Darwin's mat, pounding on the door, screaming, 'Take me, take me!'"

-- Carl Jacobs, Alt.Sysadmin.Recovery

"When stopping a terrorist attack or seeking to recover a kidnapped child, encountering encryption may mean the difference between success and catastrophic failures"

-- Janet Reno, Sept 99. Or in plain English: "When trying to commit economic espionage and illegally spying on our citizens, encountering encryption...."

"What makes you think you can invent a good cipher if you have no expertise in the subject? Maybe you can, but it's not terribly likely. Imagine how you would react if your doctor told you "You have appendicitis, a disease that is life-threatening if not treated. We have a time-tested cure that cures 99% of all patients with no noticeable side-effects, but I'm not going to give you that: I'm going to give you a new experimental treatment my cousin dreamed up last week. No, my cousin has no medical training. No, I have no evidence that the new treatment will work, and it's never been tested or analyzed in depth -- but I'm going to give it to you anyway because my cousin thinks it is good stuff." You'd find another doctor, I hope. Rational people leave medical care to the medical experts. The medical experts have a much better track record than the quacks."

-- David Wagner PhD, sci.crypt, 19th Oct 02.

"History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did."

-- Bruce Schneier.

"I believed then, and continue to believe now, that the benefits to our security and freedom of widely available cryptography far, far outweigh the inevitable damage that comes from its use by criminals and terrorists...I believed, and continue to believe, that the arguments against widely available cryptography, while certainly advanced by people of good will, did not hold up against the cold light of reason and were inconsistent with the most basic American values."

-- Matt Blaze, AT&T Labs, Sept 01.

"The more corrupt the state, the more numerous the laws."

-- Tacitus

"Every time I write about the impossibility of effectively protecting digital files on a general-purpose computer, I get responses from people decrying the death of copyright. "How will authors and artists get paid for their work?" they ask me. Truth be told, I don't know. I feel rather like the physicist who just explained relativity to a group of would-be interstellar travelers, only to be asked: "How do you expect us to get to the stars, then?" I'm sorry, but I don't know that, either."

-- Bruce Schneier, Cryptogram 15 Aug 01.

"$_='while(read+STDIN,$_,2048) {$a=29;$c=142; if((@a=unx"C*",$_) [20]&48) {$h=5;$_=unxb24,join"",@b=map{xB8,unxb8, chr($_^$a[--$h+84])} @ARGV;s/...$/1$&/;$d=unxV,xb25,$_;$b=73;$e=256| (ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=($t=255)& ($d>>12^$d>>4^$d^$d/8))<<17, $e=$e>>8^($t&($g=($q=$e>>14&7^$e) ^$q*8^$q<<6))<<9,$_=(map {$_%16or$t^=$c^=($m=(11,10,116,100,11,122,20,100) [$_/16%8])&110;$t^=(72, @z=(64,72,$a^=12*($_%16-2?0:$m&17)) ,$b^=$_%64?12:0,@z)[$_%8]}(16..271)) [$_]^(( $h>>=8)+=$f+(~$g&$t)) for@a[128..$#a]}print+x"C*",@a}'; s/x/pack+/g;eval"

-- DeCSS in Perl

"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege."

-- "A Thinking Man's Creed for Crypto", Vin McLellan.

"This is by-design behavior, not a security vulnerability."

-- Scott Culp, Microsoft Security Response Center, discussing the hole allowing ILOVEU to propagate, 5/5/00.

"Paranoia is our profession."

-- Strategic Air Command

"A trusted system is one which, when it breaks, can break your security policy."

-- Bob Morris, NSA.
