These security quotations relate to computers, information technology, and human nature.
This material is largely based on email, newsgroup, or web postings of presumably public domain material. If you're aware of a correction or if you have a security-related quote that you'd like added to this page, please let us know.
Check out these other pages for a bunch of entertaining security slogans like this one: "Passwords are like toothbrushes. They are best when new and should never be shared." If you are trying to explain a difficult topic, try out the security analogies page for explanations like this: "Suggesting that IT security issues can be dealt with simply by drafting and implementing a security policy is like saying that speeding drivers won’t be a problem if we introduce speed limits" - Reflex Magnetics
Let us not look back in anger or forward in fear, but around in awareness. — James Thurber
Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them. — Gosser
A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila. — Mitch Ratliff
It is much more secure to be feared than to be loved. — Niccolo Machiavelli
Filter Bubbles are the work of algorithms programmed to constantly reflect back to us variations of our own image. The more we feed them our "likes," our "clicks," and our "choices," the more of ourselves the algorithms volley back. Soon, if we're not careful. we begin to live in a house of mirrors. All of our content is specifically designed to look like us. — Tim Leberecht
Hackers are free people, just like artists who wake up in the morning in a good mood and start painting. [...] If they are patriotically minded, they start making their contributions – which are right, from their point of view – to fight against those who say bad things about Russia. — Vladamir Putin
Facebook could tell that in Oklahoma the race between Republicans and Democrats is particularly close, identify the 32,417 voters who still haven’t made up their minds, and determine what each candidate needs to say in order to tip the balance. How could Facebook obtain this priceless political data? We provide it for free. In the heyday of European imperialism, conquistadors and merchants bought entire islands and countries in exchange for coloured beads. In the twenty-first century our personal data is probably the most valuable resource most humans still have to offer, and we are giving it to the tech giants in exchange for email services and funny cat videos. — Yuval Noah Harari, Homo Deus: A Brief History of Tomorrow
Sed quis custodiet ipsos custodes? [Who watches the watchers?]
Badges? We ain't got no badges! We don't need no badges. I don't have to show you any stinkin' badges! — from the film "Treasure of Sierra Madre"
You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable. — Daryl White, DOI CIO
The software industry is really one of the only organizations where you can knowingly build a defective product and push it out to a potential buyer and the buyer assumes all the risk. — Jerry Davis, CISO
You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes. — Theo De Raadt on the statement "Virtualization seems to have a lot of security benefits," October 23, 2007
In a relatively short time we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters. — Jeff Jarmoc
Any sufficiently advanced bug is indistinguishable from a feature. — Rich Kulawiec, with apologies to Arthur C. Clarke
If someone else can run arbitrary code on your computer, it's not YOUR computer any more. — Rich Kulawiec
Only people with dull lives can afford to forego privacy. — Jan Chipchase
Privacy is not for the passive. — Jeffrey Rosen
What happens in Vegas ends up on YouTube. — Tim Leberecht
If privacy is outlawed, only outlaws will have privacy. — Philip Zimmermann
Gentlemen do not read each others' mail. — Henry Lewis Stimson
Philosopher and legal reformer Jeremy Bentham's 1791 concept of the "Panopticon" — a cutting edge innovation in the design of institutional buildings that allowed one single inspector to observe large numbers of the building population (for example, inmates, workers, patients). [...] more than two-hundred years later, we find ourselves voluntarily carrying tiny versions of Bentham's Panopticon in our pockets. — Tim Leberecht
Never say anything on the phone that you wouldn't want your mother to hear at your trial. — Sydney Biddle Barrows
Never say anything in an electronic message that you wouldn't want appearing, and attributed to you, in tomorrow morning's front-page headline in the New York Times. — Colonel David Russell, former head of DARPA's Information Processing Techniques Office
Ways may someday be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. — Justice Louis D. Brandeis
Solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress. — Samuel D. Warren and Louis D. Brandeis, Harvard Law Review, 1890
It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public. — Clay Shirky, Internet scholar and professor at N.Y.U.
Recommended addition to the Consumer Privacy Bill of Rights: “A right to not have your data rise up and attack you.” — Benjamin Wittes, Brookings Institution
When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else. — David Brin
The trouble with quotes on the Internet is that you never know if they are genuine. — Benjamin Franklin
If computers get too powerful, we can organize them into a committee - that will do them in. — Bradley's Bromide
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein
The best way to get management excited about a disaster plan is to burn down the building across the street. — Dan Erwin, Security Officer, Dow Chemical Co.
Schrodinger’s Backup: "The condition of any backup is unknown until a restore is attempted."
Men do not like to admit to even momentary imperfection. My husband forgot the code to turn off the alarm. When the police came, he wouldn't admit he'd forgotten the code... he turned himself in. — Rita Rudner
We're sitting on four million pounds of fuel, one nuclear weapon and a thing that has two hundred thousand moving parts built by the lowest bidder. — "Rockhound" in the movie 'Armageddon'
Security Quotes With Analogies
We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back. — Cory Doctorow
Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. — Gene Spafford (in email to organizers of a workshop on insider misuse)
Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench. — Gene Spafford
Those of us in security are very much like heart doctors -- cardiologists. Our patients know that lack of exercise, too much dietary fat, and smoking are all bad for them. But they will continue to smoke, and eat fried foods, and practice being couch potatoes until they have their infarction. Then they want a magic pill to make them better all at once, without the effort. And by the way, they claim loudly that their condition really isn't their fault -- it was genetics, or the tobacco companies, or McDonalds that was to blame. And they blame us for not taking better care of them. Does this sound familiar? But it doesn't have to be this way. We can do things better. We need to stop doing business as usual and start focusing on end-to-end quality. Security needs to be built in from the start--not slapped on after the fact. — Gene Spafford, at the 23rd National Information Systems Security Conference in October 2000
The Internet is like alcohol in some sense. It accentuates what you would do anyway. If you want to be a loner, you can be more alone. If you want to connect, it makes it easier to connect. — Esther Dyson
Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders. — Ronald Reagan
Security in IT is like locking your house or car – it doesn't stop the bad guys, but if it's good enough they may move on to an easier target. — Paul Herbka
Cyberwarfare specialists cautioned this week that the Internet was effectively a “wilderness of mirrors,” and that attributing the source of cyberattacks and other kinds of exploitation is difficult at best and sometimes impossible. Despite the initial assertions and rumors that North Korea was behind the attacks and slight evidence that the programmer had some familiarity with South Korean software, the consensus of most computer security specialists is that the attackers could be located anywhere in the world. — John Markoff (NY Times writer)
Just as drivers who share the road must also share responsibility for safety, we all now share the same global network, and thus must regard computer security as a necessary social responsibility. To me, anyone unwilling to take simple security precautions is a major, active part of the problem. — Fred Langa
As security or firewall administrators, we've got basically the same concerns [as plumbers]: the size of the pipe, the contents of the pipe, making sure the correct traffic is in the correct pipes, and keeping the pipes from splitting and leaking all over the place. Of course, like plumbers, when the pipes do leak, we're the ones responsible for cleaning up the mess, and we're the ones who come up smelling awful... — Marcus J. Ranum
Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds. — John Perry Barlow
Privacy snafus are to social networks as violence is to football. The whole point of social networks is to share stuff about people that’s interesting, just as the whole point of football is to upend the guy with the ball. Every so often, someone gets paralyzed, which prompts us to add padding to the helmets or set new rules about tackling. Then we move on. — Nicholas Thompson
"No serious commentary will say that the user has no responsibility. We all have responsibilities to lock our doors in our homes and to buckle up when we get in cars." — spokesman, Information Technology Association of America, Business Roundtable, AP, May 19, 2004
Security breaches usually entail more recovery efforts than acts of God. Unlike proverbial lightning, breaches of security can be counted on to strike twice unless the route of compromise has been shut off. — FedCIRC
Strengthening U.S. cyber security is common sense, like locking your door at night. But it's one thing to turn the lock -- and another to spend the night hunched in your living room with a shotgun. — Douglas Birch
Like the death of a celebrity from a drug overdose, publicized data loss incidents remind us that we should probably do something about taking better care of our data. But we usually don't, because we quickly remind ourselves that backups are boring as h***, and that it's shark week on Discovery. — Nik Cubrilovic (TechCrunch.com, October 10, 2008)
I personally like to think of the Internet as a parallel universe, a cyber-world as opposed to the real-world. In cyber-world people do much the same thing as in the real-world, such as chat, work, or go shopping. And, as in the real-world, there are dangers. In the real-world, we spend years as children learning about the world and all its dangers before we can safely go out on our own. This is not the case in cyber-world. People wander into cyber-world as cyber-toddlers or even cyber-infants. How can these people be expected to look after themselves in this strange new world? ... I believe that education must be the first step to computer security. Cyber-world is too complex and dangerous to jump into without understanding the dangers. — Jimi Loo, in Comments & Feedback to Noam Eppel's Article, "Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security. A long-overdue wake up call for the security community."
In some ways, cryptography is like pharmaceuticals. Its integrity may be absolutely crucial. Bad penicillin looks the same as good penicillin. You can tell if you spread sheet is wrong, but how do you tell if your cryptography package is weak? The ciphertext produced by a weak encryption algorithm looks as good as ciphertext produced by a strong encryption algorithm. There's a lot of snake oil out there. A lot of quack cures. Unlike the patent medicine hucksters of old, these sofwtare implementors usually don't even know their stuff is snake oil. They may be good software engineers, but they usually haven't even read any of the academic literature in cryptography. But they think they can write good cryptographic software. And why not? After all, it seems intuitively easy to do so. And their software seems to work ok. — Philip Zimmermann
Security-Related Proverbs and Wisdom
As any farmer will tell you, only a fool lets a fox guard the henhouse door. — proverb
There is no castle so strong that it cannot be overthrown by money. — Cicero
No government can be long secure without a formidable opposition. — Benjammin Disraeli
Even a paranoid can have enemies. — Henry Kissinger
Be careful and you will save many men from the sin of robbing you. — Ed Howe
If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees. — Kahlil Gibran
There are no secrets better kept than the secrets that everybody guesses. — George Bernard Shaw
Better be despised for too anxious apprehensions, than ruined by too confident security. — Edmund Burke
Quotes From Judges and Lawyers
We cannot simply suspend or restrict civil liberties until the War on Terror is over, because the War on Terror is unlikely ever to be truly over. — Judge Gerald Tjoflat of the 11th U.S. Circuit Court of Appeals, October 15, 2004
An unconditional right to say what one pleases about public affairs is what I consider to be the minimum guarantee of the First Amendment. — Justice Hugo Black
You can only protect your liberties in this world by protecting the other man's freedom. You can only be free if I am free. — Clarence S. Darrow
Quotes About Cyber Crime
The Internet is the crime scene of the 21st Century. — Manhattan District Attorney Cyrus Vance Jr., October 2010
Stealing is stealing, whether you use a computer command or a crowbar, and whether you take documents, data or dollars. — Carmen M. Ortiz, United States attorney for Massachusetts
The smartphone is the most lethal weapon you can get inside a prison.The smartphone is the equivalent of the old Swiss Army knife. You can do a lot of other things with it. — Terry L. Bittner, Director of Security Products, ITT Corporation
Although prison officials have long battled illegal cellphones, smartphones have changed the game. With Internet access, a prisoner can call up phone directories, maps and photographs for criminal purposes, corrections officials and prison security experts say. Gang violence and drug trafficking, they say, are increasingly being orchestrated online, allowing inmates to keep up criminal behavior even as they serve time. — Kim Severson and Robbie Brown, NY Times, "Outlawed, Cellphones Are Thriving in Prisons," published January 2, 2011
Phishing is a major problem because there really is no patch for human stupidity — Mike Danseglio, program manager in the Security Solutions group at Microsoft, April 4, 2006
In 2006, the attackers want to pay the rent. They don't want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money. — Mike Danseglio, program manager in the Security Solutions group at Microsoft, April 4, 2006
History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did. — Bruce Schneier
Quotes About Malware
Politically Correct Virus: Doesn't refer to itself as a virus - instead, refers to itself as an "electronic microorganism." — Mark Kaye
I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We've created life in our own image. — Stephen Hawking
In view of all the deadly computer viruses that have been spreading lately, Weekend Update would like to remind you: when you link up to another computer, you're linking up to every computer that that computer has ever linked up to. — Dennis Miller
In God we trust. All others, we virus scan.
In theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can't. — M. Dacier, Eurecom Institute
A secure system is one that does what it is supposed to. — Eugene Spafford (Breaux, Antón, & Spafford, 2009)
A secure system is one that does what it is supposed to do, and nothing more. — John B. Ippolito, CISSP
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards. — Gene Spafford
Today's systems must anticipate future attacks. Any comprehensive system – whether for authenticated communications, secure data storage, or electronic commerce – is likely to remain in use for five years or more. It must be able to withstand the future: smarter attackers, more computational power, and greater incentives to subvert a widespread system. There won't be time to upgrade it in the field.
History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did. — Bruce Schneier, "Why Cryptography Is Harder Than It Looks" 1997
Briefly and simply, assurance work makes a user or a creditor more confident that the system works as intended without flaws, without surprises, even in the presence of malice. … The major shortfall is absence of assurance or safety mechanisms in software. If my car crashed as often as my computer does, I'd be dead by now. — Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance" AusCERT 2008
More Miscellaneous Security Quotes
A good programmer is someone who always looks both ways before crossing a one-way street. — Doug Linder
I do not fear computers. I fear the lack of them. — Isaac Asimov
Fear not those who argue, but those who dodge. — Marie Ebner von Eschenbach
A business will have good security if its corporate culture is correct. That depends on one thing: tone at the top. There will be no grassroots effort to overwhelm corporate neglect. — William Malik, Vice President and Research Area Director for Information Security at Gartner.
We are at the mercy of our preparation. — Tim Leberecht
It's not good enough to have a system where everyone (using the system) must be trusted, it must also be made robust against insiders! — Robert Morris, former Chief Scientist of the US National Security Agency (NSA) National Computer Security Center, 1995
One of the tests of leadership is the ability to recognize a problem before it becomes an emergency. — Arnold Glascow
Of all tyrannies, a tyranny exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their consciences. — C. S. Lewis
If someone steals your password, you can change it. But if someone steals your thumbprint, you can’t get a new thumb. The failure modes are very different. — Bruce Schneier
The mantra of any good security engineer is: 'Security is a not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together. — Bruce Schneier
"You shouldn't overestimate the I.Q. of crooks." — NYT: Stuart A. Baker, General Counsel for the NSA, explained why crooks and terrorists who are smart enough to use data encryption would be stupid enough to choose the U.S. Government's compromised data encryption standard.
If you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is "it isn't scaling well." — Paul Vixie, on NANOG
Information security's response to bitter failure, in any area of endeavour, is to try the same thing that didn't work -- only harder. — Marcus Ranum
Gibbs' Rule #35: Always watch the watchers. — First mentioned in Season 8, Episode 22 - "Baltimore"
Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful. — Niccolo Machiavelli, The Prince
Those who do not archive the past are condemned to retype it! — Garfinkel and Spafford, Practical UNIX Security (first edition)
Security is always excessive until it's not enough. — Robbie Sinclair, Head of Security, Country Energy, NSW Australia
We only need to be lucky once. You need to be lucky every time. — The IRA to Margaret Thatcher, after a failed assassination attempt.
The anguish of low quality lingers long after the sweetness of low cost is forgotten. — unknown, quote suggested by Peter Gregory, CISSP, CISA
The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it's easy to remember, it's something nonrandom like 'Susan.' And if it's random, like 'r7U2*Qnp,' then it's not easy to remember. — Bruce Schneier
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. — White House Cybersecurity Advisor, Richard Clarke
The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully. — Kevin Mitnick
If security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders. — Dan Farmer, System Administrators Guide to Cracking
There are risks and costs to a program of action — but they are far less than the long range cost of comfortable inaction. — John F. Kennedy
"We have only two modes - complacency and panic." — James R. Schlesinger, the first U.S. Dept. of Energy secretary, in 1977, on the country's approach to energy.
Security used to be an inconvenience sometimes, but now it's a necessity all the time. — Martina Navratilova after the stabbing of Monica Seles by a fan of Steffi Graf, 1993
Computer security can simply be protecting your equipment and files from disgruntled employees, spies, and anything that goes bump in the night, but there is much more. Computer security helps ensure that your computers, networks, and peripherals work as expected all the time, and that your data is safe in the event of hard disk crash or a power failure resulting from an electrical storm. Computer security also makes sure no damage is done to your data and that no one is able to read it unless you want them to. — Bruce Schneier (Protect Your Macintosh, 1994)
Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge. — Bruce Schneier (Protect Your Macintosh, 1994)
We will bankrupt ourselves in the vain search for absolute security. — Dwight D. Eisenhower
When you know that you're capable of dealing with whatever comes, you have the only security the world has to offer. — Harry Browne
One person's "paranoia" is another person's "engineering redundancy." — Marcus J. Ranum
As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know.
— Donald Rumsfeld, February 12, 2002, Department of Defense news briefing (quote contributed by Bernarr B. Coletta, CISSP)
Mistakes Were Made
We didn't install the [Code Red] patch on those DMZ systems because they were only used for development and testing. — Anonymous client, shortly after spending 48 continuous hours removing 2001's Code Red worm from internal corporate servers ("Secure Coding Principles and Practices by Mark G. Graff & Kenneth R. van Wyk)
We have never had vulnerabilities exploited before the patch was known. — David Aucsmith, head of technology at Microsoft's security business and technology unit, February 2004
I walked into this classroom full of law enforcement officers and said, "Do you guys recognize any of these names?" I read off a list of the names. One federal officer explained, "Those are the names of judges in the US District Court in Seattle." And I said, "Well, I have a password file here with 26 passwords cracked." Those federal officers about turned green. — Don Belling, Boeing, quoted in The Art of Intrusion by Kevin Mitnick
In 2011 RSA, a major technology company, was hacked all when an employee responded to a phishing attempt. This is a company whose whole business was security, and fell victim to what hackers know, No matter how secure a target the user is always the weakest link. — Jim Guckin
No one realized that the pumps that delivered fuel to the emergency generators were electric. — Angel Feliciano, representative of Verizon explaining why Verizon's backup power failed during the August 13, 2003 blackout causing disruption to the 911 service
We know everyone who breaks the law. We know when you’re doing it. We have GPS in your car, so we know what you’re doing. — Jim Farley, Ford Motor Company sales executive known for making off-the-cuff comments, speaking to a panel at the CES. He quickly added: "By the way, we don’t supply that data to anyone,” and later issued a full retraction. [NY Times, The Next Data Privacy Battle May Be Waged Inside Your Car, Jaclyn Trop, January 10, 2014]
Security is a Human Issue
The user's going to pick dancing pigs over security every time. — Bruce Schneier
Amateurs hack systems, professionals hack people. — Bruce Schneier
People in general are not interested in paying extra for increased safety. At the beginning seat belts cost $200 and nobody bought them. — Gene Spafford
It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so. — Mark Twain
People don't react to reality; they react to their perceptions of reality. — human psychology truism
Most people spend more time and energy going around problems than trying to solve them. — Henry Ford
People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems. — Bruce Schneier, Secrets and Lies
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. — Bruce SchneierThe man who trades freedom for security does not deserve nor will he ever receive either. — Benjamin Franklin
Failure to give attention to the area of security training puts an enterprise at great risk because security of agency resources is as much a human issue as it is a technology issue. — NIST SP 800-50.
If your personnel do not know or understand how to maintain confidentiality of information, or how to secure it appropriately, not only do you risk having one of your most valuable business assets (information) mishandled, inappropriately used, or obtained by unauthorized persons, but you also risk being in non-compliance of a growing number of laws and regulations that require certain types of information security and privacy awareness and training activities. You also risk damaging another valuable asset, corporate reputation. — Rebecca Herold, "Managing an Information Security and Privacy Awareness and Training Program" 2005
Looking for more security inspiration?
We also have a bunch of entertaining security slogans like this one: "Passwords are like toothbrushes. They are best when new and should never be shared." If you are trying to explain a difficult topic, try out the security analogies page for explanations like this: "Suggesting that IT security issues can be dealt with simply by drafting and implementing a security policy is like saying that speeding drivers won’t be a problem if we introduce speed limits" - Reflex Magnetics