QOTD on Privacy

Every piece of data on the Internet maps back to who created it and who they know. Where they were when they did it, where they've been and where they plan to go. What they are interested in, attend to, and interact with, and is around them, and when they do these things. The contextualization of the web in the world and the connection of the world to the web, mediated by the connections of people to each other, is forming a new Internet which has vast implications of privacy, identity, and innovation; and how we are going to structure our societies and our economies.
-- Marc Davis, Partner Architect at Microsoft Online Services Division

Src: Microsoft's Davis on Privacy: Your Digital Life Data is Bankable Currency | NetworkWorld.com

QOTD on APTs

If they don’t know what it is, it’s an APT. While the attacks aren’t new — they have happened in the government world for a long time — the realization of what is going on is new. It can be difficult for an organization to sort out whether it is just a zero-day malware or if the organization is being specifically targeted. In the conventional world, if somebody launches a missile, you can pretty much understand what the intent is and you can attribute it. In the cyber world, if someone launches an attack, you might not be sure who is behind it and you don’t know what the intent is. In the military world, they make a distinction between information gathering and an actual attack.
-- George Kurtz, worldwide CTO for McAfee

Src: Lessons learned from investigating the Google attacks -- Government Computer News

QOTD on Insiders

Insiders do not attack – instead they use legitimate accesses in support of their operations.
-- DARPA (US) Broad Agency Agreement for Project CINDER

Src: DARPA-BAA-10-84, Cyber Insider Threat (CINDER) Program | FedBizOpps

QOTD on Online Privacy

As social media become more embedded in everyday society, the mismatch between the rule-based privacy that software offers and the subtler, intuitive ways that humans understand the concept will increasingly cause cultural collisions and social slips. But people will not abandon social media, nor will privacy disappear. They will simply work harder to carve out a space for privacy as they understand it and to maintain control, whether by using pseudonyms or speaking in code.
-- Danah Boyd, fellow at Harvard University's Berkman Center for Internet and Society

Src: Why Privacy Is Not Dead | Technology Review

QOTD - Geer on Risk & Dependencies

The root source of risk is dependence — dependence on system state, including dependence on expectations of system state reliability. Indeed, my definition of security has co-evolved with my understanding of risk and risk’s source, to where I currently define security as the absence of unmitigatable surprise. Thus, increasing dependence results in heightened difficulty in crafting mitigations. This increasing complexity embeds dependencies in a manner that may diminish the frequency of surprises; however, the surprises will be all the more unexpected when they inevitably occur.
And that is the crux of the matter: our dependence on all things cyber as a society is now inestimably irreversible and irreversibly inestimable. That sounds more apocalyptic than I intend, but the competent risk manager always asks, “How bad could it be?” or, in the altogether American tortious style, “Who will have to pay?”
-- Dan Geer, Chief Information Security Officer for In-Q-Tel

Note: emphasis is mine

Src: Cybersecurity and National Policy | Harvard National Security Journal

QOTD on Disclosure

Thinking that there's no one else out there who knows the details of a given zero-day flaw is one of the things that leads to ridiculously long gaps between disclosure and the release of a patch. Even in the case of a vulnerability for which all of the details aren't public, a bit of information combined with a short window of time before a patch is available can give attackers the head start they need to launch mass exploits.
-- Dennis Fisher, Editor at ThreatPost

Src: Why Vulnerability Research Matters | threatpost