'Unplug it, baby.'
— Whitfield Diffie, in response to Ramzan's question, "If you could design a piece of [security] advice short enough to fit on a bumper sticker, what would that advice be?"
— Ron Rivest, on quantum computing.
He added, "There are so many startups happening. The amount of money being invested in this technology is incredible. And one wonders if it's really going to be substance there. I think the two major questions are, 'Can you build the quantum computer at scale that will last long enough to do a useful computation?' That's number one. And number two is, 'Are there useful applications for this technology, even if you could build it?' And I think the answers so far are 'not clear' and 'maybe.'"
— Adi Shamir, mentioning that Microsoft recently backtracked on research it made three years ago that claimed an impressive "breakthrough" in quantum physics: that it had observed the existence of the elusive Majorana fermion.
"At the moment it's not clear at all if [the particle] does exist and whether Microsoft will be able to proceed in the way that they have pursued quantum computing over the last 10 years."
— Ross Anderson, on quantum cryptography.
"As far as quantum cryptography is concerned, I'm entirely unimpressed because all you can do is rekey your encryptor, and we've known how to do that for 40 years. And the proofs based on quantum entanglement don't convince me because that interpretation only works in certain interpretations of quantum mechanics. I don't want to go into a debate on foundations of quantum computing, but I personally am a skeptic."
— Carmela Troncoso, on mobile phone operating system companies' (Google and Apple) role in the privacy of contact tracing applications.
"Something I found very interesting is that under the data protection regulation, for instance, they are still part of the supply chain and, as such, not subject to the law. So they were very free, which I find very surprising."
— Adi Shamir.
"Machine learning [systems] are, at the moment, they're totally untrustworthy. And we don't have at the moment a good understanding where the adversarial examples are coming from, what do they represent. Some progress is being made along these lines. But I think that until we solve the robustness issue, I'll be worried about deploying any kind of a big machine learning system that no one understands and no one knows in which ways it can fail."
"Maybe the question we should be asking is not, 'Can we make the machine trustable?' but, 'Can we make the ones [who] are using these machine learning [someone] we want to trust with them?'"
— Carmela Troncoso, on machine learning and the privacy risks posed by how companies collect the data they feed to ML tools.
— Ross Anderson, on SolarWinds.
"SolarWinds was a mature company. Once upon a time it was a keen startup with lots of lively engineers, but recently it had become a monopoly and much of the technical expertise had been farmed to engineers in Eastern Europe. And so they weren't caring as much about security as they used to. In essence, the company was being run by bankers as a cash cow. One of the pieces of due diligence you have to do if you're running a big IT shop is to ask yourself about the culture of the ownership and the competence of all those suppliers who have got stuff within your security perimeter."
— Ron Rivest.
"The idea of rekeying and reauthenticating everyone is not one we talk about much. Adi may disagree with me. But overall I would give us a grade of C-minus, us cryptographers, on resilience. I think the systems we design tend to be brittle and tend to break if there's a serious key compromise."
Shamir countered, "So I will actually give our system designers a D or an F. But I'll give cryptographers an A."
— Ross Anderson, on the development of "vaccine passport" apps.
"... we have good old-fashioned paper mechanisms like we have for yellow fever vaccination. And so I've got my vaccine card, which was written by the nurse when I got my jab, and that's fine. I can stick it in my passport and that's good enough. Trying to build an all-singing, all-dancing worldwide system is the wrong thing to do at a time like this. It's just rent-seeking by tech companies who want to down governments for hundreds of millions of dollars. And in the process they will cost thousands of more lives to be unnecessarily lost."