Quotable Spaf

• • •

In a discussion on social media, I noted: "Securing legacy systems is like trying to put rebar into jello without changing its appearance or flavor."

Two of my responses to the Pew Research Center and Elon University's Imagining the Internet have already started to get quoted. When asked about the impact of social media, I replied: "Most writing online is devolving toward SMS and tweets that involve quick, throwaway notes with abbreviations and threaded references. This is not a form of lasting communication. In 2020 there is unlikely to be a list of classic tweets and blog posts that every student and educated citizen should have read."

A second quote, in response to the value of search engines and on-line media, was: "Access to more information isn't enough — the information needs to be correct, timely, and presented in a manner that enables the reader to learn from it. The current network is full of inaccurate, misleading, and biased information that often crowds out the valid information. People have not learned that 'popular' or 'available' information is not necessarily valid."

One quote that varies in pertinence cyclically is: "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." I used to say this in presentations, but I believe I first put it down in writing in an email to the RAID (Research Advances in Intrusion Detection) workshop program committee in mid-1998.

Something I stated at the founding of CERIAS and in an invited keynote address at the 2nd CISSE conference, May 1998: "Without computers, we'd have no computer crime. But without people, we'd have no computer crime, either. We must address the human component to really address the issues. That includes psychology, law, politics, communication, education, and more; addressing only the computing is addressing only part of the problems."

Several people seem to be quoting a line from an interview I gave to Baseline Magazine in 2007: "A key concept is that security is an enabler, not a disabler... security enables you to keep your job, security enables you to move into new markets, security enables you to have confidence in what you're doing."

One a few of my colleagues find amusing, in a dark way, was uttered after a particularly trying week: "Our department is only 4 memorial services away from being excellent."

The following quote is from an essay I posted to Dave Farber's "Interesting People" list on 6 Jan 2005. Judging from feedback, a lot of people liked the post, and this line in particular: "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom."

The following line from the same message has also been quoted a few places: "Questioning the status quo can result in banishment, imprisonment, ridicule or being burned at the stake, depending on your era, your locale, and the sacred cows you wish to butcher."

An aphorism I coined and have used several times: "The difference between a vision and a hallucination is how many people you can get to believe they see it, too." This goes along with "There is a fine line between genius and madness -- and you can achieve a lot when people are never quite sure which side of the line you're on today."

This quote is about security of computer systems. It appeared in "Computer Recreations: Of Worms, Viruses and Core War" by A. K. Dewdney in Scientific American, March 1989, p. 110. It was later misquoted in the book @Large: The Strange Case of the World's Biggest Internet Invasion by David H. Freedman and Charles C. Mann. (The misquoted version refers to titanium and nerve gas -- I never said anything like that.) The original quote is: "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."

This quote first appeared in print in the first edition of Web Security & Commerce (O'Reilly, 1997, S. Garfinkel & G. Spafford). The quote is on page 9:

Secure web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police.

I originally came up with an abbreviated version of this quote during an invited presentation at SuperComputing 95 (December of 1995) in San Diego. The quote at that time was everything up to the "Further...." and was in reference to using encryption, not secure WWW servers.

In 2002, during an interview for a security magazine about "white hat" hackers, I said the following: "Hats are obvious, behavior isn't. And what is white to one person may be gray to another."

One of my better-known quotes was a 1992 description of Usenet: "Usenet is like a herd of performing elephants with diarrhea -- massive, difficult to redirect, awe-inspiring, entertaining, and a source of mind-boggling amounts of excrement when you least expect it."

I came up with this quote while in the shower one morning. It seemed really profound. I have no idea what inspired it. I first posted the quote to a mailing list, and it then got picked up on some newsgroups.

Another quote about Usenet, and concerning the importance of mailing lists and newsgroups of the time (and now, perhaps, about blogs) was this one from around 1988: "Don't sweat it -- it's not real life. It's only ones and zeroes." I have since seen this quoted on T-shirts and bumper stickers, but without credit to me.

Something I have used in teaching and lecturing for years has been labeled as "Spaf's First Law of System Administration": "If your position in an organization includes responsibility for security, but does not include corresponding authority, then your role in the organization is to take the blame when something happens. You should make sure your resume is up-to-date."

I came up with my 2nd Law of Cybersecurity when I set the basic philosophy for CERIAS at Purdue: "If we had no computers, we'd have no computer crime. But if we had no people, we'd have no computer crime, either. We must include people in our plans and mechanisms to protect systems."

In 2018, in a Facebook post, I coined this one: "After some reflection, it appears the 'C' in USB-C stands for Cloaca."

Around 1987, I formulated my three axioms of Usenet, with corollaries:

Axiom #1:
The Usenet is not the real world. The Usenet usually does not even resemble the real world.
Corollary #1:
Attempts to change the real world by altering the structure of the Usenet is an attempt to work sympathetic magic -- electronic voodoo.
Corollary #2:
Arguing about the significance of newsgroup names and their relation to the way people really think is equivalent to arguing whether it is better to read tea leaves or chicken entrails to divine the future.
Axiom #2:
Ability to type on a computer terminal is no guarantee of sanity, intelligence, or common sense.
Corollary #3:
An infinite number of monkeys at an infinite number of keyboards could produce something like Usenet.
Corollary #4:
They could do a better job of it.
Axiom #3:
Sturgeon's Law (90% of everything is crap) applies to Usenet.
Corollary #5:
In an unmoderated newsgroup, no one can agree on what constitutes the 10%.
Corollary #6:
Nothing guarantees that the 10% isn't crap, too.

I do not remember where I first posted these.

I do not know who accumulated these quotes but last time I looked, they were indeed all mine.