Those were all the quotes I noted from the book Security Engineering by Ross Anderson.

So far it is my favourite read this year. Besides a lot of detailed information about encryption, it covers a lot of interesting history and in many places offered - at least for me - new viewpoints.

If you're interested in , and/or this is a book you'll probably like.

"The wording is designed to cover software in the goods themselves, online services to which the goods are connected, and apps which may communicate with the goods either via the services or directly. They must be maintained for a minimum of two years after sale, and for a longer period if that is a reasonable expectation of the customer. What might that mean in practice?"

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)


"The tech lobbyists blocked the first couple of attempts, but eventually in 2019 the European Parliament updated consumer law to cover software maintenance.

28.5.1 The Sales of Goods Directive

This Directive passed the European Parliament in May 2019 [656] and will take effect from 2021. Thereafter, firms selling goods ‘with digital elements’ must maintain those elements for a reasonable service life."


"With cars, for example, Europe generally requires safety testing by independent labs, while America doesn’t; but most US vendors have their US models tested independently too, as Europe created the ‘industry norm’ by which US courts assess tort cases when things go wrong. In this sense, Europe has become a ‘regulatory superpower’"

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)

"technical debt. This concept, due to Ward Cunningham, encapsulates the observation that development shortcuts are like debt. Whenever we skimp on documentation, fix a problem with a quick-and-dirty kludge, don’t test a fix thoroughly, fail to build in security controls, or fail to work through the consequences of errors, we’re storing up problems that may have to be repaid with interest in the future"

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)

"the centralisation of human knowledge in the servers of a small number of firms – from Amazon’s e-book system to the servers of the major news organisations – takes us, in some sense, back to the 15th century. It’s also easier for the authorities to observe the transmission of disapproved material, as they can monitor electronic communications more easily than physical packages"

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)

"The rhetoric of terror puffed up the security agencies at the expense of public health, predisposing governments in America, Europe, India and Africa to disregard the lesson of SARS in 2003 –"

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)

"… This means that most of your subscription – or at least of the money the tech firms don’t take one way or another – goes to the megastars like Ariana, and Ed Sheeran and Lady Gaga"

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)


"So if my granddaughter pays £10 a month and listens to Ariana Grande four hours a day while I pay the same and listen to Kathryn Tickell two hours a week, then rather than giving them £10 each (less Apple’s 30% commission), Ariana will get fourteen times what Kathryn gets [1553]. …"


"That was a sharp reminder that it’s hard to block the attacks that haven’t been invented yet, and that attacks can improve very quickly once experts start to hone them"

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)

"Software encryption of disk contents can be defeated unless there are mechanisms to zeroise the keys on power-down"

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)

"Phone phreaks were counterculture heroes, while phone companies were hand-in-hand with the forces of darkness"

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)

"Indeed, the main users of evaluated products are precisely those system operators whose focus is on due diligence rather than risk reduction"

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)

"if a capable motivated opponent can run their code on the same machine as you, you’re basically toast"

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)