Security quotes of the week [LWN.net]

If I could, I would repeal the Internet. It is the technological marvel of the age, but it is not — as most people imagine — a symbol of progress. Just the opposite. We would be better off without it. I grant its astonishing capabilities: the instant access to vast amounts of information, the pleasures of YouTube and iTunes, the convenience of GPS and much more. But the Internet's benefits are relatively modest compared with previous transformative technologies, and it brings with it a terrifying danger: cyberwar.

— Robert J. Samuelson throws the baby out with the bath water

I find it hilarious that Redhat cripples their cryptographic security software. In the sense that it makes me wonder about the rest of their security processes and software. What the...

— Jacob Appelbaum

The ancients, given a chance to observe today's intelligence and spying brouhaha, would likely assert that the gods are laughing at us, finding hilarious our public attempts at indignation not only over what is being done, but our laughable efforts to pretend that we didn't know about it all along.

— Lauren Weinstein

The biological world is also open source in the sense that threats are always present, largely unpredictable, and always changing. Because of this, defensive measures that are perfectly designed for a particular threat leave you vulnerable to other ones. Imagine if our immune system were designed to deal only with a single strain of flu. In fact, our immune system works because it looks for the full spectrum of invaders — low-level viral infections, bacterial parasites, or virulent strains of a pandemic disease. Too often, we create security measures — such as the Department of Homeland Security's BioWatch program — that spend too many resources to deal specifically with a very narrow range of threats on the risk spectrum.

— Rafe Sagarin

(Log in to post comments)

Says more about US legal/patent process

Posted Jul 4, 2013 15:07 UTC (Thu) by david.a.wheeler (subscriber, #72896) [Link]

Actually, I think this says more about the problems in the US legal/patent process than it does about Red Hat.

Says more about US legal/patent process

Posted Jul 9, 2013 0:19 UTC (Tue) by gmaxwell (subscriber, #30048) [Link]

The patent holder in question isn't a US company and they hold patents all around the world (well, at least Canada and Europe). Singling out the US here isn't accurate and it distorts the understanding of the problem.

The specific contours of the issues with ECC in OpenSSL are complicated. While _most_ ECC techniques are unpatented (and, indeed, too old to be patentable) some are patented. OpenSSL implements a number of techniques which no one seems to dispute have valid patents and a great many obviously unpatented ecc things, the only way to disable the problematic ones is to disable ECC support entirely.

Says more about US legal/patent process

Posted Jul 9, 2013 14:22 UTC (Tue) by drag (subscriber, #31333) [Link]

> Singling out the US here isn't accurate and it distorts the understanding of the problem.

It's worth pointing out that the U.S. and U.S. Government are not synonyms. The problem is the U.S. Government and the various educational, legal, business, and other groups that support and defend intellectual property law.

Security quotes of the week

Posted Jul 8, 2013 9:58 UTC (Mon) by njwhite (subscriber, #51848) [Link]

> their exclusion of ECC is motivated by legal paranoia, so it says nothing about their security processes and software, only about their legal processes

Well, it says that their legal processes are allowed to get in the way of their security processes, which is an issue (but to an extent unavoidable, particularly for a company).

Security quotes of the week

Posted Jul 11, 2013 17:15 UTC (Thu) by davidstrauss (subscriber, #85867) [Link]

It's also disabled in OpenSSL, which is not the preferred SSL library on Red Hat or Fedora systems. Things that can use NSS, do. For example, libcurl on Fedora uses NSS despite OpenSSL being the default.