Security quotes of the week [LWN.net]

In other words, because of pesky things like the Constitution in the United States and instead of just using existing, vast international resources to prosecute criminals and terrorists, we’re going to be expanding broken ISP filters against the advice of pretty much everybody. Granted what is deemed “extremist” will likely be entirely arbitrary, and as we’ve seen with the porn filters, there’s probably no limit to the number of entirely legal and legitimate websites UK citizens will find suddenly inaccessible.

— Karl Bode on expansion of the UK’s “porn” filters

Billy Rios, director of threat intelligence at Qualys, here [Kaspersky Security Analyst Summit] today said he and colleague Terry McCorkle purchased a secondhand Rapiscan 522 B X-ray system via eBay and found several blatant security weaknesses that leave the equipment vulnerable to abuse: It runs on the outdated Windows 98 operating system, stores user credentials in plain text, and includes a feature called Threat Image Projection used to train screeners by injecting .bmp images of contraband, such as a gun or knife, into a passenger carry-on in order to test the screener’s reaction during training sessions. The weak logins could allow a bad guy to project phony images on the X-ray display.

— Kelly Jackson Higgins in Dark Reading on vulnerabilities found in carry-on baggage screening devices

While much of the NSA’s capabilities to locate someone in the real world by their network activity piggy-backs on corporate surveillance capabilities, there’s a critical difference: False positives are much more expensive. If Google or Facebook get a physical location wrong, they show someone an ad for a restaurant they’re nowhere near. If the NSA gets a physical location wrong, they call a drone strike on innocent people.

— Bruce Schneier

via Security quotes of the week [LWN.net].

Distribution quote of the week [LWN.net]

It is theoretically possible to give a loaded gun to a baby; things will probably work out fine. Searching for news about such mishaps shows they are quite rare. Still, they do occur, and I suspect the industry has “warning labels” regarding leaving guns lying around.

strcpy-related security holes still occur these days, but I think they have been reduced. There has been a slight improvement; software is being written with a little bit more care. Fewer developers are handing strcpy “guns” to their users.

I believe the OpenBSD “warning labels” do play a small part in improving the situation. You don’t need to reach all the grumpy programmers who believe they have godlike powers to avoid making overflow mistakes; if you reach some people, you get progress.

— Theo de Raadt

IMHO, nothing kills corner cases like polymorphism. Remove the conditions and you remove the dark corners where bugs like to hide.

— John Florian

via Distribution quote of the week [LWN.net].