Security Quotes

Security Quotations

These quotations relate to computers, information technology, and security.

This material is largely based on email, newsgroup, or web postings of presumably public domain material.
If you're aware of a correction or if you have a quote that you'd like to see added to this page, please let us know.

 

Let us not look back in anger or forward in fear, but around in awareness. — James Thurber

 

It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public. — Clay Shirky, Internet scholar and professor at N.Y.U.

 

Privacy is not for the passive. — Jeffrey Rosen

 

Hackers are free people, just like artists who wake up in the morning in a good mood and start painting. [...] If they are patriotically minded, they start making their contributions – which are right, from their point of view – to fight against those who say bad things about Russia. — Vladimir Putin

 

Facebook could tell that in Oklahoma the race between Republicans and Democrats is particularly close, identify the 32,417 voters who still haven’t made up their minds, and determine what each candidate needs to say in order to tip the balance. How could Facebook obtain this priceless political data? We provide it for free. In the heyday of European imperialism, conquistadors and merchants bought entire islands and countries in exchange for coloured beads. In the twenty-first century our personal data is probably the most valuable resource most humans still have to offer, and we are giving it to the tech giants in exchange for email services and funny cat videos. — Yuval Noah Harari, Homo Deus: A Brief History of Tomorrow
 

Noah's ark has a pair of computer viruses.
A computer without security is like a fish without water.
You wouldn't download a bear, would you?

America believes in education: the average professor earns more money in a year than a professional athlete earns in a whole week. — Evan Esar

 

If computers get too powerful, we can organize them into a committee - that will do them in. — Bradley's Bromide

 

I do not fear computers. I fear the lack of them. — Isaac Asimov

 

The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein

 

Fear not those who argue, but those who dodge. — Marie Ebner von Eschenbach

 

The Internet is like alcohol in some sense. It accentuates what you would do anyway. If you want to be a loner, you can be more alone. If you want to connect, it makes it easier to connect. — Esther Dyson

 

The best way to get management excited about a disaster plan is to burn down the building across the street. — Dan Erwin, Security Officer, Dow Chemical Co.

 

A business will have good security if its corporate culture is correct. That depends on one thing: tone at the top. There will be no grassroots effort to overwhelm corporate neglect. — William Malik, Vice President and Research Area Director for Information Security at Gartner.

 

A good programmer is someone who always looks both ways before crossing a one-way street. — Doug Linder

 

Just as drivers who share the road must also share responsibility for safety, we all now share the same global network, and thus must regard computer security as a necessary social responsibility. To me, anyone unwilling to take simple security precautions is a major, active part of the problem. — Fred Langa

 

Like the death of a celebrity from a drug overdose, publicized data loss incidents remind us that we should probably do something about taking better care of our data. But we usually don't, because we quickly remind ourselves that backups are boring as h***, and that it's shark week on Discovery.  — Nik Cubrilovic (TechCrunch.com, October 10, 2008)

 

It's not good enough to have a system where everyone (using the system) must be trusted, it must also be made robust against insiders! — Robert Morris, former Chief Scientist of the US National Security Agency (NSA) National Computer Security Center, 1995

 

In 2011 RSA, a major technology company, was hacked all when an employee responded to a phishing attempt.  This is a company whose whole business was security, and fell victim to what hackers know, No matter how secure a target the user is always the weakest link. — Jim Guckin

 

If your personnel do not know or understand how to maintain confidentiality of information, or how to secure it appropriately, not only do you risk having one of your most valuable business assets (information) mishandled, inappropriately used, or obtained by unauthorized persons, but you also risk being in non-compliance of a growing number of laws and regulations that require certain types of information security and privacy awareness and training activities. You also risk damaging another valuable asset, corporate reputation.  — Rebecca Herold, "Managing an Information Security and Privacy Awareness and Training Program" 2005

 

One of the tests of leadership is the ability to recognize a problem before it becomes an emergency. — Arnold Glasow

 

The software industry is really one of the only organizations where you can knowingly build a defective product and push it out to a potential buyer and the buyer assumes all the risk. — Jerry Davis, CISO

 

Never say anything on the phone that you wouldn't want your mother to hear at your trial.  — Sydney Biddle Barrows

 

People don't react to reality; they react to their perceptions of reality.  — human psychology truism

 

As any farmer will tell you, only a fool lets a fox guard the henhouse door.  — proverb

 

Be careful and you will save many men from the sin of robbing you. — Ed Howe

 

Ways may someday be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.  — Justice Louis D. Brandeis

 

Of all tyrannies, a tyranny exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their consciences. — C. S. Lewis

 

Men are only as good as their technical development allows them to be. — George Orwell

 

No one realized that the pumps that delivered fuel to the emergency generators were electric. — Angel Feliciano, representative of Verizon explaining why Verizon's backup power failed during the August 13, 2003 blackout causing disruption to the 911 service

 

When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.  — David Brin

Security in IT is like locking your house or car – it doesn't stop the bad guys,  but if it's good enough they may move on to an easier target. — Paul Herbka

 

Cyberwarfare specialists cautioned this week that the Internet was effectively a “wilderness of mirrors,” and that attributing the source of cyberattacks and other kinds of exploitation is difficult at best and sometimes impossible. Despite the initial assertions and rumors that North Korea was behind the attacks and slight evidence that the programmer had some familiarity with South Korean software, the consensus of most computer security specialists is that the attackers could be located anywhere in the world. — John Markoff (NY Times writer)

 

There's a growing sense that the online ad industry is out of control from a privacy perspective and that some rules need to be put in place. — Marc Rotenberg, Executive Director for the Electronic Privacy Information Center

 

The trouble with quotes on the Internet is that you never know if they are genuine. — Benjamin Franklin

 

Solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress. — Samuel D. Warren and Louis D. Brandeis, Harvard Law Review, 1890

 

We cannot simply suspend or restrict civil liberties until the War on Terror is over, because the War on Terror is unlikely ever to be truly over. — Judge Gerald Tjoflat of the 11th U.S. Circuit Court of Appeals, October 15, 2004

 

We have never had vulnerabilities exploited before the patch was known. — David Aucsmith, head of technology at Microsoft's security business and technology unit, February 2004

 

An unconditional right to say what one pleases about public affairs is what I consider to be the minimum guarantee of the First Amendment.  — Justice Hugo Black

 

You can only protect your liberties in this world by protecting the other man's freedom. You can only be free if I am free.  — Clarence S. Darrow

 

No government can be long secure without a formidable opposition. — Benjamin Disraeli

 

Today's systems must anticipate future attacks. Any comprehensive system – whether for authenticated communications, secure data storage, or electronic commerce – is likely to remain in use for five years or more. It must be able to withstand the future: smarter attackers, more computational power, and greater incentives to subvert a widespread system. There won't be time to upgrade it in the field.

History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did. — Bruce Schneier, "Why Cryptography Is Harder Than It Looks" 1997

 

Briefly and simply, assurance work makes a user or a creditor more confident that the system works as intended without flaws, without surprises, even in the presence of malice. … The major shortfall is absence of assurance or safety mechanisms in software. If my car crashed as often as my computer does, I'd be dead by now. — Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance" AusCERT 2008

 

Even a paranoid can have enemies. — Henry Kissinger

 

The smartphone is the most lethal weapon you can get inside a prison. The smartphone is the equivalent of the old Swiss Army knife. You can do a lot of other things with it. — Terry L. Bittner, Director of Security Products, ITT Corporation

 

Although prison officials have long battled illegal cellphones, smartphones have changed the game. With Internet access, a prisoner can call up phone directories, maps and photographs for criminal purposes, corrections officials and prison security experts say. Gang violence and drug trafficking, they say, are increasingly being orchestrated online, allowing inmates to keep up criminal behavior even as they serve time. — Kim Severson and Robbie Brown, NY Times, "Outlawed, Cellphones Are Thriving in Prisons," published January 2, 2011

 

The Internet is the crime scene of the 21st Century. — Manhattan District Attorney Cyrus Vance Jr., October 2010

 

Stealing is stealing, whether you use a computer command or a crowbar, and whether you take documents, data or dollars. — Carmen M. Ortiz, United States attorney for Massachusetts

 

A secure system is one that does what it is supposed to. — Eugene Spafford (Breaux, Antón, & Spafford, 2009)

 

A secure system is one that does what it is supposed to do, and nothing more. — John B. Ippolito, CISSP

 

In some ways, cryptography is like pharmaceuticals. Its integrity may be absolutely crucial. Bad penicillin looks the same as good penicillin. You can tell if your spreadsheet is wrong, but how do you tell if your cryptography package is weak? The ciphertext produced by a weak encryption algorithm looks as good as ciphertext produced by a strong encryption algorithm. There's a lot of snake oil out there. A lot of quack cures. Unlike the patent medicine hucksters of old, these software implementors usually don't even know their stuff is snake oil. They may be good software engineers, but they usually haven't even read any of the academic literature in cryptography. But they think they can write good cryptographic software. And why not? After all, it seems intuitively easy to do so. And their software seems to work ok. — Philip Zimmermann

 

Gentlemen do not read each others' mail. — Henry Lewis Stimson

 

Strengthening U.S. cyber security is common sense, like locking your door at night. But it's one thing to turn the lock -- and another to spend the night hunched in your living room with a shotgun. — Douglas Birch

 

Failure to give attention to the area of security training puts an enterprise at great risk because security of agency resources is as much a human issue as it is a technology issue. — NIST SP 800-50.

 

Sea otter with laptop and message: You otter back up your files.
How strong is your password?
What's in your computer?

If someone steals your password, you can change it. But if someone steals your thumbprint, you can’t get a new thumb. The failure modes are very different. — Bruce Schneier

 

If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees. — Kahlil Gibran

 

There are no secrets better kept than the secrets that everybody guesses. — George Bernard Shaw

 

Better be despised for too anxious apprehensions, than ruined by too confident security. — Edmund Burke

 

The mantra of any good security engineer is: 'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together. — Bruce Schneier

 

Politically Correct Virus: Doesn't refer to itself as a virus - instead, refers to itself as an "electronic microorganism." — Mark Kaye

 

I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We've created life in our own image. — Stephen Hawking

 

In view of all the deadly computer viruses that have been spreading lately, Weekend Update would like to remind you: when you link up to another computer, you're linking up to every computer that that computer has ever linked up to. — Dennis Miller

 

Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them. — Gosser

 

A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila. — Mitch Ratliff

 

It is much more secure to be feared than to be loved. — Niccolo Machiavelli

 

"You shouldn't overestimate the I.Q. of crooks." — NYT: Stuart A. Baker, General Counsel for the NSA, explained why crooks and terrorists who are smart enough to use data encryption would be stupid enough to choose the U.S. Government's compromised data encryption standard.

 

It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so. — Mark Twain

We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back. — Cory Doctorow

 

Never say anything in an electronic message that you wouldn't want appearing, and attributed to you, in tomorrow morning's front-page headline in the New York Times. — Colonel David Russell, former head of DARPA's Information Processing Techniques Office

 

If you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is "it isn't scaling well." — Paul Vixie, on NANOG

 

Just once, why can't one of our poorly considered quick fixes work? — Joel Helgeson

 

Information security's response to bitter failure, in any area of endeavour, is to try the same thing that didn't work -- only harder. — Marcus Ranum

 

You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes. — Theo De Raadt on the statement "Virtualization seems to have a lot of security benefits," October 23, 2007

 

In a relatively short time we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters. — Jeff Jarmoc

 

Any sufficiently advanced bug is indistinguishable from a feature. — Rich Kulawiec, with apologies to Arthur C. Clarke

 

If someone else can run arbitrary code on your computer, it's not YOUR computer any more. — Rich Kulawiec

 

Gibbs' Rule #35: Always watch the watchers. — First mentioned in Season 8, Episode 22 - "Baltimore"

 

People in general are not interested in paying extra for increased safety. At the beginning seat belts cost $200 and nobody bought them. — Gene Spafford

 

Schrodinger’s Backup: "The condition of any backup is unknown until a restore is attempted."

 

Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. — Gene Spafford (in email to organizers of a workshop on insider misuse)

 

Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench. — Gene Spafford

 

Most people spend more time and energy going around problems than trying to solve them. — Henry Ford

 

If privacy is outlawed, only outlaws will have privacy. — Philip Zimmermann

 

Interest is a terrible thing to waste. — Roger Schank

 

Men do not like to admit to even momentary imperfection. My husband forgot the code to turn off the alarm. When the police came, he wouldn't admit he'd forgotten the code... he turned himself in. — Rita Rudner

 

We're sitting on four million pounds of fuel, one nuclear weapon and a thing that has two hundred thousand moving parts built by the lowest bidder. — "Rockhound" in the movie 'Armageddon'

 

Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful. — Niccolo Machiavelli, The Prince

 

Those who do not archive the past are condemned to retype it! — Garfinkel and Spafford, Practical UNIX Security (first edition)

 

Security is always excessive until it's not enough. — Robbie Sinclair, Head of Security, Country Energy, NSW Australia

 

We only need to be lucky once. You need to be lucky every time. — The IRA to Margaret Thatcher, after a failed assassination attempt.

 

The anguish of low quality lingers long after the sweetness of low cost is forgotten. — unknown, quote suggested by Peter Gregory, CISSP, CISA

 

The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it's easy to remember, it's something nonrandom like 'Susan.' And if it's random, like 'r7U2*Qnp,' then it's not easy to remember. — Bruce Schneier

 

In God we trust. All others, we virus scan.

 

Those of us in security are very much like heart doctors -- cardiologists. Our patients know that lack of exercise, too much dietary fat, and smoking are all bad for them. But they will continue to smoke, and eat fried foods, and practice being couch potatoes until they have their infarction. Then they want a magic pill to make them better all at once, without the effort. And by the way, they claim loudly that their condition really isn't their fault -- it was genetics, or the tobacco companies, or McDonalds that was to blame. And they blame us for not taking better care of them. Does this sound familiar?  But it doesn't have to be this way. We can do things better. We need to stop doing business as usual and start focusing on end-to-end quality. Security needs to be built in from the start--not slapped on after the fact. — Gene Spafford, at the 23rd National Information Systems Security Conference in October 2000

 

Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds. — John Perry Barlow

 

I don't know about technology and I don't know about finance and accounting. — Bernard J. Ebbers, former chief executive of WorldCom, at his trial.

 

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. — White House Cybersecurity Advisor, Richard Clarke

 

"We have only two modes - complacency and panic." — James R. Schlesinger, the first U.S. Dept. of Energy secretary, in 1977, on the country's approach to energy.

 

The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully. — Kevin Mitnick

 

Amateurs hack systems, professionals hack people. — Bruce Schneier

 

If security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders. — Dan Farmer, System Administrators Guide to Cracking

 

There are risks and costs to a program of action--but they are far less than the long range cost of comfortable inaction. — John F. Kennedy

 

Security used to be an inconvenience sometimes, but now it's a necessity all the time. — Martina Navratilova after the stabbing of Monica Seles by a fan of Steffi Graf, 1993

 

We didn't install the [Code Red] patch on those DMZ systems because they were only used for development and testing. — Anonymous client, shortly after spending 48 continuous hours removing 2001's Code Red worm from internal corporate servers ("Secure Coding Principles and Practices" by Mark G. Graff & Kenneth R. van Wyk)

 

Security breaches usually entail more recovery efforts than acts of God. Unlike proverbial lightning, breaches of security can be counted on to strike twice unless the route of compromise has been shut off. — FedCIRC

 

Computer security can simply be protecting your equipment and files from disgruntled employees, spies, and anything that goes bump in the night, but there is much more. Computer security helps ensure that your computers, networks, and peripherals work as expected all the time, and that your data is safe in the event of hard disk crash or a power failure resulting from an electrical storm. Computer security also makes sure no damage is done to your data and that no one is able to read it unless you want them to. — Bruce Schneier (Protect Your Macintosh, 1994)

 

Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge. — Bruce Schneier (Protect Your Macintosh, 1994)

 

People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems. — Bruce Schneier, Secrets and Lies

 

If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. — Bruce Schneier

 

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards. — Gene Spafford

 

Microsoft made a big deal about Windows NT getting a C2 security rating. They were much less forthcoming with the fact that this rating only applied if the computer was not attached to a network and had no network card, and had its floppy drive epoxied shut, and was running on a Compaq 386. Solaris's C2 rating was just as silly. — Bruce Schneier

 

The man who trades freedom for security does not deserve nor will he ever receive either. — Benjamin Franklin

 

We will bankrupt ourselves in the vain search for absolute security. — Dwight D. Eisenhower

 

"No serious commentary will say that the user has no responsibility. We all have responsibilities to lock our doors in our homes and to buckle up when we get in cars." — spokesman, Information Technology Association of America, Business Roundtable, AP, May 19, 2004

 

As security or firewall administrators, we've got basically the same concerns [as plumbers]: the size of the pipe, the contents of the pipe, making sure the correct traffic is in the correct pipes, and keeping the pipes from splitting and leaking all over the place. Of course, like plumbers, when the pipes do leak, we're the ones responsible for cleaning up the mess, and we're the ones who come up smelling awful... — Marcus J. Ranum

 

When you know that you're capable of dealing with whatever comes, you have the only security the world has to offer. — Harry Browne

 

One person's "paranoia" is another person's "engineering redundancy." — Marcus J. Ranum

 

Security must begin at the top of an organization. It is a leadership issue, and the chief executive must set the example. — heard at a security conference

 

There is no castle so strong that it cannot be overthrown by money. — Cicero

 

As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know.

 — Donald Rumsfeld, February 12, 2002, Department of Defense news briefing (quote contributed by Bernarr B. Coletta, CISSP)

 

Phishing is a major problem because there really is no patch for human stupidity — Mike Danseglio, program manager in the Security Solutions group at Microsoft, April 4, 2006

 

In 2006, the attackers want to pay the rent. They don't want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money. — Mike Danseglio, program manager in the Security Solutions group at Microsoft, April 4, 2006

 

Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders. — Ronald Reagan

 

I walked into this classroom full of law enforcement officers and said, "Do you guys recognize any of these names?" I read off a list of the names. One federal officer explained, "Those are the names of judges in the US District Court in Seattle." And I said, "Well, I have a password file here with 26 passwords cracked." Those federal officers about turned green. — Don Belling, Boeing, quoted in The Art of Intrusion by Kevin Mitnick

 

Sed quis custodiet ipsos custodes? [Who watches the watchers?] — quote contributed by Joy Walker

 

Badges? We ain't got no badges! We don't need no badges. I don't have to show you any stinkin' badges! — from the film "Treasure of Sierra Madre"

 

You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable. — Daryl White, DOI CIO

 

In theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can't. — M. Dacier, Eurecom Institute

We know everyone who breaks the law. We know when you’re doing it. We have GPS in your car, so we know what you’re doing. — Jim Farley, Ford Motor Company sales executive known for making off-the-cuff comments, speaking to a panel at the CES. He quickly added: “By the way, we don’t supply that data to anyone,” and later issued a full retraction. [NY Times, The Next Data Privacy Battle May Be Waged Inside Your Car, Jaclyn Trop, January 10, 2014]

 

Privacy snafus are to social networks as violence is to football. The whole point of social networks is to share stuff about people that’s interesting, just as the whole point of football is to upend the guy with the ball. Every so often, someone gets paralyzed, which prompts us to add padding to the helmets or set new rules about tackling. Then we move on. — Nicholas Thompson

 

Recommended addition to the Consumer Privacy Bill of Rights: “A right to not have your data rise up and attack you.” — Benjamin Wittes, Brookings Institution

 

The user's going to pick dancing pigs over security every time. — Bruce Schneier

 

I personally like to think of the Internet as a parallel universe, a cyber-world as opposed to the real-world. In cyber-world people do much the same thing as in the real-world, such as chat, work, or go shopping. And, as in the real-world, there are dangers. In the real-world, we spend years as children learning about the world and all its dangers before we can safely go out on our own. This is not the case in cyber-world. People wander into cyber-world as cyber-toddlers or even cyber-infants. How can these people be expected to look after themselves in this strange new world? ... I believe that education must be the first step to computer security. Cyber-world is too complex and dangerous to jump into without understanding the dangers. — Jimi Loo, in Comments & Feedback to Noam Eppel's Article, "Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security. A long-overdue wake up call for the security community."