
Security quotes of the week

At the end of the day, there is no real replacement for a real HWRNG [Hardware Random Number Generator]. And I've never had any illusions that the random driver could be a replacement for a real HWRNG. The problem is though is that most HWRNG can't be audited, because they are not open, and most users aren't going to be able to grab a wirewrap gun and make their own --- and even if they did, it's likely they will screw up in some embarrassing way. Really, the best you can do is [hopefully] have multiple sources of entropy. RDRAND, plus the random number generator in the TPM, etc. and hope that mixing all of this plus some OS-level entropy, that this is enough to frustrate the attacker enough that it's no longer the easiest way to compromise your security.
Ted Ts'o

The NSA's belief that more data is always good, and that it's worth doing anything in order to collect it, is wrong. There are diminishing returns, and the NSA almost certainly passed that point long ago. But the idea of trade-offs does not seem to be part of its thinking.

The NSA missed the Boston Marathon bombers, even though the suspects left a really sloppy Internet trail and the older brother was on the terrorist watch list. With all the NSA is doing eavesdropping on the world, you would think the least it could manage would be keeping track of people on the terrorist watch list. Apparently not.

I don't know how the CIA measures its success, but it failed to predict the end of the Cold War.

More data does not necessarily mean better information. It's much easier to look backward than to predict. Information does not necessarily enable the government to act. Even when we know something, protecting the methods of collection can be more valuable than the possibility of taking action based on gathered information. But there's not a lot of value to intelligence that can't be used for action. These are the paradoxes of intelligence, and it's time we started remembering them.

Bruce Schneier

Security quotes of the week

Posted Sep 19, 2013 6:10 UTC (Thu) by thedevil (subscriber, #32913) [Link]

Bruce's quote assumes that actual terrorists (and not political dissidents) *are* the target of the agencies. I am less sure of that by the day.

Security quotes of the week

Posted Sep 19, 2013 8:33 UTC (Thu) by ortalo (subscriber, #4654) [Link]

Wow. Observed from the other side of the ocean, it looks like a symptomatic comment.
Do all the United States citizens (CIA internals included of course) fall prey to paranoia nowadays?

Security quotes of the week

Posted Sep 19, 2013 14:10 UTC (Thu) by drag (subscriber, #31333) [Link]

> Do all the United States citizens (CIA internals included of course) fall prey to paranoia nowadays?

Is it paranoia when they are actually out to get you? If you have a huge number of people from all different walks of life, political dispositions, and cultural backgrounds crying out against government mismanagement indicative of a collective mental illness?

Like all human organizations the secret police like CIA and NSA are entirely and 100% self-serving. The individuals working there are there for their own reasons and to fulfill their own goals... There is no such thing as a 'non-profit' organization. Whether it's Walmart or NSA they are all made up of the same types of people with the same needs and desires and same potential for corruption.

These government organizations operate in secrecy. They have secret laws, secret rules, secret budgets, secret courts, secret judges, and only have to obey secret rulings. They operate entirely without oversight, have budgets measured in the billions, and most laws don't apply to them... why would anybody expect this to work out well?

The Democratic process is entirely too weak and inadequate to control governments who behave like this.

Security quotes of the week

Posted Sep 19, 2013 15:33 UTC (Thu) by nix (subscriber, #2304) [Link]

> Like all human organizations the secret police like CIA and NSA are entirely and 100% self-serving.

This is overstated. Yes, human organizations do eventually accrete a high-priority goal of never ceasing to exist (if they don't, they cease to exist); but they do not all have that goal from the start, and they all have other goals too, which sometimes supersede the survive-dammit goal.

Security quotes of the week

Posted Sep 19, 2013 16:13 UTC (Thu) by jwakely (subscriber, #60262) [Link]

> There is no such thing as a 'non-profit' organization. Whether it's Walmart or NSA [...]

Those wouldn't be the first examples that spring to mind when I think of non-profit organisations!

Security quotes of the week

Posted Sep 19, 2013 16:26 UTC (Thu) by khim (subscriber, #9252) [Link]

You think about NYSE, right?

Security quotes of the week

Posted Sep 19, 2013 17:06 UTC (Thu) by nix (subscriber, #2304) [Link]

No, IKEA! Or, rather, the Stichting Ingka Foundation, which owns (much of) IKEA and has the hilarious faux-charitable 'mission' (for what is basically a holding company) "to promote and support innovation in the field of architectural and interior design", although as I understand it its real innovation is in the field of tax dodging.

Security quotes of the week

Posted Sep 19, 2013 17:20 UTC (Thu) by jwakely (subscriber, #60262) [Link]

OK, OK, so maybe he's right there's no such thing :)

Security quotes of the week

Posted Sep 20, 2013 19:02 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

This is all just semantics. There's an ancient philosophical question: does altruism exist? Being altruistic makes a person feel good, so isn't altruism selfish? In a semantic battle like this, it's important to define the terms so that they're actually useful -- for "self-serving" to be a useful word, there have to be parties to whom it doesn't apply, and that probably means excluding certain kinds of compensation from the formula, so that the NSA could easily be non-self-serving.

The statement that non-profit (we mean not-for-profit, of course) organizations don't exist seems to be just saying that people are generally motivated to steal. So even though the Red Cross is organized so its members can't legally make a profit, there will always be some members looking for a way to steal from the organization and they sometimes will succeed, thereby making a profit via the Red Cross.

Security quotes of the week

Posted Sep 19, 2013 11:57 UTC (Thu) by niner (subscriber, #26151) [Link]

Are there still people who actually believe that terrorists are or have been at any time a top priority for these organizations? Industrial espionage and securing power are the goals. Of course, determining how well these goals are met is much more difficult.

Security quotes of the week

Posted Sep 19, 2013 15:36 UTC (Thu) by nix (subscriber, #2304) [Link]

No, their primary purpose is to spy on other governments. They are military intelligence organizations first and foremost, focused on that class of threat. (Most of them were born in an era when major industrialized nation-states had engaged in multiple major wars and killed tens of millions in under half a decade, and threatened to drown the world in nuclear fire: what had terrorists done in that time period? Assassinated a bunch of national leaders. Bad, yes, but not remotely *as* bad, plus the heyday of that was fifty years ago from the perspective of the 1940s--1950s, thus ignored. It is true that one of those assassinations turned out to start the Great War, but it wasn't the assassination that killed umpty million people, it was the Great War, and God knows Gavrilo Princip didn't intend to start *that*...)

Security quotes of the week

Posted Sep 22, 2013 14:26 UTC (Sun) by hummassa (subscriber, #307) [Link]

This would be believable if one of the highest-profile spying ops of the NSA in Brasil wasn't of the state-owned oil company, Petrobras, just weeks before a major bidding for a field with lots of oil starts.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds