Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds. — John Perry Barlow

I don't know about technology and I don't know about finance and accounting. — Bernard J. Ebbers, former chief executive of WorldCom, at his trial.

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. — White House Cybersecurity Advisor, Richard Clarke

"We have only two modes - complacency and panic." — James R. Schlesinger, the first U.S. Dept. of Energy secretary, in 1977, on the country's approach to energy.

The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully. — Kevin Mitnick

Amateurs hack systems, professionals hack people. — Bruce Schneier

We didn't install the [Code Red] patch on those DMZ systems because they were only used for development and testing. — Anonymous client, shortly after spending 48 continuous hours removing 2001's Code Red worm from internal corporate servers [from "Secure Coding Principles and Practices by Mark G. Graff & Kenneth R. van Wyk]

Computer security can simply be protecting your equipment and files from disgruntled employees, spies, and anything that goes bump in the night, but there is much more. Computer security helps ensure that your computers, networks, and peripherals work as expected all the time, and that your data is safe in the event of hard disk crash or a power failure resulting from an electrical storm. Computer security also makes sure no damage is done to your data and that no one is able to read it unless you want them to. — Bruce Schneier (Protect Your Macintosh, 1994)

Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge. — Bruce Schneier (Protect Your Macintosh, 1994)

People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems. — Bruce Schneier, Secrets and Lies

If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. — Bruce Schneier

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards. — Gene Spafford

Microsoft made a big deal about Windows NT getting a C2 security rating. They were much less forthcoming with the fact that this rating only applied if the computer was not attached to a network and had no network card, and had its floppy drive epoxied shut, and was running on a Compaq 386. Solaris's C2 rating was just as silly. — Bruce Schneier

The man who trades freedom for security does not deserve nor will he ever receive either. — Benjamin Franklin

We will bankrupt ourselves in the vain search for absolute security. — Dwight D. Eisenhower

"No serious commentary will say that the user has no responsibility. We all have responsibilities to lock our doors in our homes and to buckle up when we get in cars." — spokesman, Information Technology Association of America, Business Roundtable, AP, May 19, 2004

As security or firewall administrators, we've got basically the same concerns [as plumbers]: the size of the pipe, the contents of the pipe, making sure the correct traffic is in the correct pipes, and keeping the pipes from splitting and leaking all over the place. Of course, like plumbers, when the pipes do leak, we're the ones responsible for cleaning up the mess, and we're the ones who come up smelling awful... — Marcus J. Ranum

When you know that you're capable of dealing with whatever comes, you have the only security the world has to offer. — Harry Browne

One person's "paranoia" is another person's "engineering redundancy." — Marcus J. Ranum

Security must begin at the top of an organization. It is a leadership issue, and the chief executive must set the example. — heard at a security conference

There is no castle so strong that it cannot be overthrown by money. — Cicero

As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know.
— Donald Rumsfeld, February 12, 2002, Department of Defense news briefing (quote contributed by Bernarr B. Coletta, CISSP - Thank You!)


Let us not look back in anger or forward in fear, but around in awareness. — James Thurber

The user's going to pick dancing pigs over security every time. — Bruce Schneier

If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees. — Kahlil Gibran

There are no secrets better kept than the secrets that everybody guesses. — George Bernard Shaw

Better be despised for too anxious apprehensions, than ruined by too confident security. — Edmund Burke

The mantra of any good security engineer is: 'Security is a not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together. — Bruce Schneier

Politically Correct Virus: Doesn't refer to itself as a virus - instead, refers to itself as an "electronic microorganism." — Mark Kaye

I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We've created life in our own image. — Stephen Hawking

In view of all the deadly computer viruses that have been spreading lately, Weekend Update would like to remind you: when you link up to another computer, you're linking up to every computer that that computer has ever linked up to. — Dennis Miller

Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them. — Gosser

A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila. — Mitch Ratliff

It is much more secure to be feared than to be loved. — Niccolo Machiavelli

"You shouldn't overestimate the I.Q. of crooks." — NYT: Stuart A. Baker, General Counsel for the NSA, explained why crooks and terrorists who are smart enough to use data encryption would be stupid enough to choose the U.S. Government's compromised data encryption standard.

People in general are not interested in paying extra for increased safety. At the beginning seat belts cost $200 and nobody bought them. — Gene Spafford

Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. — Gene Spafford (in e-mail to organizers of a workshop on insider misuse)

Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench. — Gene Spafford

If privacy is outlawed, only outlaws will have privacy. — Philip Zimmermann

Interest is a terrible thing to waste. — Roger Schank

Men do not like to admit to even momentary imperfection. My husband forgot the code to turn off the alarm. When the police came, he wouldn't admit he'd forgotten the code... he turned himself in. — Rita Rudner

We're sitting on four million pounds of fuel, one nuclear weapon and a thing that has two hundred thousand moving parts built by the lowest bidder. — "Rockhound" in the movie 'Armageddon'

Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful. — Niccolo Machiavelli, The Prince

Those who do not archive the past are condemned to retype it! — Garfinkel and Spafford, Practical UNIX Security (first edition)

Security is always excessive until it's not enough. — Robbie Sinclair, Head of Security, Country Energy, NSW Australia

We only need to be lucky once. You need to be lucky every time. — The IRA to Margaret Thatcher, after a failed assassination attempt.

The anguish of low quality lingers long after the sweetness of low cost is forgotten. — unknown, quote suggested by Peter Gregory, CISSP, CISA (Thank you!)

The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it's easy to remember, it's something nonrandom like 'Susan.' And if it's random, like 'r7U2*Qnp,' then it's not easy to remember. — Bruce Schneier

In God we trust. All others, we virus scan.

Those of us in security are very much like heart doctors -- cardiologists. Our patients know that lack of exercise, too much dietary fat, and smoking are all bad for them. But they will continue to smoke, and eat fried foods, and practice being couch potatoes until they have their infarction. Then they want a magic pill to make them better all at once, without the effort. And by the way, they claim loudly that their condition really isn't their fault -- it was genetics, or the tobacco companies, or McDonalds that was to blame. And they blame us for not taking better care of them. Does this sound familiar?
But it doesn't have to be this way. We can do things better. We need to stop doing business as usual and start focusing on end-to-end quality. Security needs to be built in from the start -- not slapped on after the fact. — Gene Spafford, at the 23rd National Information Systems Security Conference in October 2000

Phishing is a major problem because there really is no patch for human stupidity — Mike Danseglio, program manager in the Security Solutions group at Microsoft, April 4, 2006

In 2006, the attackers want to pay the rent. They don't want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money. — Mike Danseglio, program manager in the Security Solutions group at Microsoft, April 4, 2006

History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did. — Bruce Schneier

Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders. — Ronald Reagan

I walked into this classroom full of law enforcement officers and said, "Do you guys recognize any of these names?" I read off a list of the names. One federal officer explained, "Those are the names of judges in the US District Court in Seattle." And I said, "Well, I have a password file here with 26 passwords cracked." Those federal officers about turned green. — Don Belling, Boeing, quoted in The Art of Intrusion by Kevin Mitnick

Sed quis custodiet ipsos custodes? [Who watches the watchers?] — quote contributed by Joy Walker - Thank you!

Badges? We ain't got no badges! We don't need no badges. I don't have to show you any stinkin' badges! — from the film "Treasure of Sierra Madre"

You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable. — Daryl White, DOI CIO

In theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can't. — M. Dacier, Eurecom Institute

I personally like to think of the Internet as a parallel universe, a cyber-world as opposed to the real-world. In cyber-world people do much the same thing as in the real-world, such as chat, work, or go shopping. And, as in the real-world, there are dangers. In the real-world, we spend years as children learning about the world and all its dangers before we can safely go out on our own. This is not the case in cyber-world. People wander into cyber-world as cyber-toddlers or even cyber-infants. How can these people be expected to look after themselves in this strange new world? ... I believe that education must be the first step to computer security. Cyber-world is too complex and dangerous to jump into without understanding the dangers.

— Jimi Loo, in Comments & Feedback to Noam Eppel's Article, "Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security. A long-overdue wake up call for the security community."

America believes in education: the average professor earns more money in a year than a professional athlete earns in a whole week. — Evan Esar

If computers get too powerful, we can organize them into a committee - that will do them in. — Bradley's Bromide

I do not fear computers. I fear the lack of them. — Isaac Asimov

The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein

Fear not those who argue, but those who dodge. — Marie Ebner von Eschenbach

The Internet is like alcohol in some sense. It accentuates what you would do anyway. If you want to be a loner, you can be more alone. If you want to connect, it makes it easier to connect. — Esther Dyson

The best way to get management excited about a disaster plan is to burn down the building across the street. — Dan Erwin, Security Officer, Dow Chemical Co.

A business will have good security if its corporate culture is correct. That depends on one thing: tone at the top. There will be no grassroots effort to overwhelm corporate neglect. — William Malik, Vice President and Research Area Director for Information Security at Gartner.

A good programmer is someone who always looks both ways before crossing a one-way street. — Doug Linder

Just as drivers who share the road must also share responsibility for safety, we all now share the same global network, and thus must regard computer security as a necessary social responsibility. To me, anyone unwilling to take simple security precautions is a major, active part of the problem. — Fred Langa

Like the death of a celebrity from a drug overdose, publicized data loss incidents remind us that we should probably do something about taking better care of our data. But we usually don't, because we quickly remind ourselves that backups are boring as h***, and that it's shark week on Discovery.
— Nik Cubrilovic (TechCrunch.com, October 10, 2008)

It's not good enough to have a system where everyone (using the system) must be trusted, it must also be made robust against insiders! — Robert Morris, former Chief Scientist of the US National Security Agency (NSA) National Computer Security Center, 1995

If your personnel do not know or understand how to maintain confidentiality of information, or how to secure it appropriately, not only do you risk having one of your most valuable business assets (information) mishandled, inappropriately used, or obtained by unauthorized persons, but you also risk being in non-compliance of a growing number of laws and regulations that require certain types of information security and privacy awareness and training activities. You also risk damaging another valuable asset, corporate reputation. — Rebecca Herold, "Managing an Information Security and Privacy Awareness and Training Program" 2005

One of the tests of leadership is the ability to recognize a problem before it becomes an emergency. — Arnold Glascow

The software industry is really one of the only organizations where you can knowingly build a defective product and push it out to a potential buyer and the buyer assumes all the risk. — Jerry Davis, CISO

Never say anything on the phone that you wouldn't want your mother to hear at your trial. — Sydney Biddle Barrows

People don't react to reality; they react to their perceptions of reality. — human psychology truism

As any farmer will tell you, only a fool lets a fox guard the henhouse door. — proverb

Be careful and you will save many men from the sin of robbing you. — Ed Howe

Ways may someday be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. — Justice Louis D. Brandeis

Of all tyrannies, a tyranny exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their consciences. — C. S. Lewis

Men are only as good as their technical development allows them to be. — George Orwell

No one realized that the pumps that delivered fuel to the emergency generators were electric. — Angel Feliciano, representative of Verizon explaining why Verizon's backup power failed during the August 13, 2003 blackout causing disruption to the 911 service

When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else. — David Brin

Security in IT is like locking your house or car – it doesn't stop the bad guys, but if it's good enough they may move on to an easier target. — Paul Herbka

Cyberwarfare specialists cautioned this week that the Internet was effectively a “wilderness of mirrors,” and that attributing the source of cyberattacks and other kinds of exploitation is difficult at best and sometimes impossible. Despite the initial assertions and rumors that North Korea was behind the attacks and slight evidence that the programmer had some familiarity with South Korean software, the consensus of most computer security specialists is that the attackers could be located anywhere in the world. — John Markoff (NY Times writer)

There's a growing sense that the online ad industry is out of control from a privacy perspective and that some rules need to be put in place. — [Linkleri Görmek İçin Ücretsiz Üye Olun], Executive Director for the Electronic Privacy Information Center

The trouble with quotes on the Internet is that you never know if they are genuine. — Benjamin Franklin

Solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress. — Samuel D. Warren and Louis D. Brandeis, Harvard Law Review, 1890

We cannot simply suspend or restrict civil liberties until the War on Terror is over, because the War on Terror is unlikely ever to be truly over. — Judge Gerald Tjoflat of the 11th U.S. Circuit Court of Appeals, October 15, 2004

We have never had vulnerabilities exploited before the patch was known. — David Aucsmith, head of technology at Microsoft's security business and technology unit, February 2004

An unconditional right to say what one pleases about public affairs is what I consider to be the minimum guarantee of the First Amendment. — Justice Hugo Black

You can only protect your liberties in this world by protecting the other man's freedom. You can only be free if I am free. — Clarence S. Darrow

No government can be long secure without a formidable opposition. — Benjammin Disraeli

Today's systems must anticipate future attacks. Any comprehensive system – whether for authenticated communications, secure data storage, or electronic commerce – is likely to remain in use for five years or more. It must be able to withstand the future: smarter attackers, more computational power, and greater incentives to subvert a widespread system. There won't be time to upgrade it in the field.
History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did. — Bruce Schneier, "Why Cryptography Is Harder Than It Looks" 1997

Briefly and simply, assurance work makes a user or a creditor more confident that the system works as intended without flaws, without surprises, even in the presence of malice. … The major shortfall is absence of assurance or safety mechanisms in software. If my car crashed as often as my computer does, I'd be dead by now. — Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance" AusCERT 2008

Even a paranoid can have enemies. — Henry Kissinger

The smartphone is the most lethal weapon you can get inside a prison.The smartphone is the equivalent of the old Swiss Army knife. You can do a lot of other things with it. — Terry L. Bittner, Director of Security Products, ITT Corporation

Although prison officials have long battled illegal cellphones, smartphones have changed the game. With Internet access, a prisoner can call up phone directories, maps and photographs for criminal purposes, corrections officials and prison security experts say. Gang violence and drug trafficking, they say, are increasingly being orchestrated online, allowing inmates to keep up criminal behavior even as they serve time. — Kim Severson and Robbie Brown, NY Times, "Outlawed, Cellphones Are Thriving in Prisons," published January 2, 2011

The Internet is the crime scene of the 21st Century. — Manhattan District Attorney Cyrus Vance Jr., October 2010.

Stealing is stealing, whether you use a computer command or a crowbar, and whether you take documents, data or dollars. — Carmen M. Ortiz, United States attorney for Massachusetts

A secure system is one that does what it is supposed to. — Eugene Spafford (Breaux, Antón, & Spafford, 2009)

A secure system is one that does what it is supposed to do, and nothing more. — John B. Ippolito, CISSP

Asking the Government to protect your Privacy is like asking a Peeping Tom to install your window blinds. — Founder of the EFF

In some ways, cryptography is like pharmaceuticals. Its integrity may be absolutely crucial. Bad penicillin looks the same as good penicillin. You can tell if you spread sheet is wrong, but how do you tell if your cryptography package is weak? The ciphertext produced by a weak encryption algorithm looks as good as ciphertext produced by a strong encryption algorithm. There's a lot of snake oil out there. A lot of quack cures. Unlike the patent medicine hucksters of old, these sofwtare implementors usually don't even know their stuff is snake oil. They may be good software engineers, but they usually haven't even read any of the academic literature in cryptography. But they think they can write good cryptographic software. And why not? After all, it seems intuitively easy to do so. And their software seems to work ok." — Philip Zimmermann

Gentlemen do not read each others mail. — Henry Lewis Stimson