Security quotes of the week

In the current location data marketplace, if your phone and apps know where you are, then the government could, too. But the Supreme Court has decided that our detailed location data is so revealing about our activities and associations that law enforcement must get a warrant in order to acquire it. Government purchase of location data also threatens to chill people’s willingness to participate in protests in public places, associate with who they want, or practice their religion. History and legal precedent teach us that when the government indiscriminately collects records of First Amendment activities, it can lead to retaliation or further surveillance.
Matthew Guariglia on the EFF Deeplinks blog

Open source means that the code is available for security evaluation, not that it necessarily has been evaluated by anyone. This is an important distinction.
Bruce Schneier

Posted Dec 11, 2020 23:34 UTC (Fri) by gerdesj (subscriber, #5446) [Link] (2 responses)

"Open source means that the code is available for security evaluation, not that it necessarily has been evaluated by anyone. This is an important distinction."

Well that is only one feature of open source and not even the most important one to me. BS, having chosen one door from many then decides to lick the door knob instead of simply using it as designed: you turn the knob, pull or push as appropriate and walk through the gap.

That is an important distinction: Open source has more than one implication and the one highlighted is not the most important.

(Sorry, couldn't resist pontificating at a professional pontificator)

Posted Dec 12, 2020 3:17 UTC (Sat) by mpr22 (subscriber, #60784) [Link] (1 responses)

In the context of security discussions (this is security QOTW, not general QOTW), the distinction between "can be" and "definitely has been" is, if not necessarily top of the pile, certainly pretty close to the top of the pile.

Posted Dec 12, 2020 16:05 UTC (Sat) by mstone_ (subscriber, #66309) [Link]

Even in a security context "can at least theoretically be fixed by a concerned user" is still a more important attribute when compared to "can only be fixed if the vendor wants it to be".

And really the distinction between "can be" reviewed and "has been" reviewed is the more theoretical attribute--most of the critical software in which new exploits are routinely identified "has been" reviewed. The problem there is that our ability to review away all bugs is pretty bad.

Posted Dec 12, 2020 3:17 UTC (Sat) by pabs (subscriber, #43278) [Link]

These folks have created an interesting tool for distributed code review:

https://github.com/crev-dev/crev

https://github.com/crev-dev/cargo-crev


Copyright © 2020, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds