Mellow Root

"Trust, but verify" is bullshit

I'm not sure why this is a popular saying in security; it doesn't make sense to me. If you trust something or someone, why would you need to verify?

I trust my wife, but to verify she's not cheating I've installed stalkerware[1] on her phone!

Does that sound like trust to you?

This saying got popular after Reagan repeated it at every meeting when negotiating the terms of a nuclear missile treaty with the Russians[2], a treaty that included 10 years of on-site inspections. I doubt there would be much trust without the verification process going on there.

We should do it the other way around: "Verify, then trust."

  1. Malware used to spy on and stalk people, usually spouses. Stalkerware - Wikipedia

  2. Trust, but verify - Wikipedia

#rant #security