We can't keep weapons out of prisons; we can't possibly expect to keep them out of airports.
Bruce Schneier

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.
Bruce Schneier

It is sort of interesting that in our society these days we are very quick to apply the term 'war' to places where there are no actual wars, and loath to apply the term 'war' when we are actually fighting wars.
Bruce Schneier

Surveillance of power is one of the most important ways to ensure that power does not abuse its status. But, of course, power does not like to be watched.
Bruce Schneier

It's certainly easier to implement bad security and make it illegal for anyone to notice than it is to implement good security.
Bruce Schneier

The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act. And we're doing exactly what the terrorists want [...] Our politicians help the terrorists every time they use fear as a campaign tactic. The press helps every time it writes scare stories about the plot and the threat. And if we're terrified, and we share that fear, we help.
Bruce Schneier

Think of your existing power as the exponent in an equation that determines the value of information. The more power you have, the more additional power you derive from the new data.
Bruce Schneier

We no longer know whom to trust. This is the greatest damage the NSA has done to the Internet, and will be the hardest to fix.
Bruce Schneier

When a big company lays you off, they often give you a year's salary to 'go pursue a dream.' If you're stupid, you panic and get another job. If you're smart, you take the money and use the time to figure out what you want to do next.
Bruce Schneier

It is poor civic hygiene to install technologies that could someday facilitate a police state.
Bruce Schneier

I tell people: if it's in the news, don't worry about it, because by definition, news is something that almost never happens.
Bruce Schneier

Choosing providers is not a choice between surveillance/not; it's just choosing which feudal lord gets to spy on you.
Bruce Schneier

Microsoft made a big deal about Windows NT getting a C2 security rating. They were much less forthcoming with the fact that this rating only applied if the computer was not attached to a network and had no network card, and had its floppy drive epoxied shut, and was running on a Compaq 386. Solaris's C2 rating was just as silly.
Bruce Schneier

It's frustrating; terrorism is rare and largely ineffectual, yet we regularly magnify the effects of both their successes and failures by terrorizing ourselves.
Bruce Schneier

I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually 'Nothing; you're screwed'.
Bruce Schneier

People don't understand computers. Computers are magical boxes that do things. People believe what computers tell them.
Bruce Schneier

Societies without a reservoir of people who don't follow the rules lack an important mechanism for societal evolution. Vibrant societies need a dishonest minority; if society makes its dishonest minority too small, it stifles dissent as well as common crime.
Bruce Schneier

Microsoft knows that reliable software is not cost effective. According to studies, 90% to 95% of all bugs are harmless. They're never discovered by users, and they don't affect performance. It's much cheaper to release buggy software and fix the 5% to 10% of bugs people find and complain about.
Bruce Schneier

The more we expect technology to protect us from people in the same way it protects us from nature, the more we will sacrifice the very values of our society in futile attempts to achieve this security.
Bruce Schneier

A colleague once told me that the world was full of bad security systems designed by people who read Applied Cryptography.
Bruce Schneier

Technical problems can be remediated. A dishonest corporate culture is much harder to fix.
Bruce Schneier

Corporate and government surveillance aren't separate; they're an alliance of interests.
Bruce Schneier

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.
Bruce Schneier

Why is it that we all - myself included - believe these stories? Why are we so quick to assume that the TSA is a bunch of jack-booted thugs, officious and arbitrary and drunk with power? It's because everything seems so arbitrary, because there's no accountability or transparency in the DHS.
Bruce Schneier

The question to ask when you look at security is not whether this makes us safer, but whether it's worth the trade-off.
Bruce Schneier

And honestly, if anyone thinks they can get an accurate picture of anyplace on the planet by reading news reports, they're sadly mistaken.
Bruce Schneier

The mantra of any good security engineer is: "Security is not a product, but a process." It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.
Bruce Schneier

Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.
Bruce Schneier

Despite fearful rhetoric to the contrary, terrorism is not a transcendent threat. A terrorist attack cannot possibly destroy our country's way of life; it's only our reaction to that attack that can do that kind of damage.
Bruce Schneier

The very definition of news is something that hardly ever happens. If an incident is in the news, we shouldn't worry about it. It's when something is so common that it's no longer news - car crashes, domestic violence - that we should worry.
Bruce Schneier

Secret courts making secret rulings on secret laws, and companies flagrantly lying to consumers about the insecurity of their products and services, undermine the very foundations of our society.
Bruce Schneier

Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge.
Bruce Schneier

If someone steals your password, you can change it. But if someone steals your thumbprint, you can't get a new thumb. The failure modes are very different.
Bruce Schneier

There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.
Bruce Schneier

If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security.
Bruce Schneier

Air travel survived decades of terrorism, including attacks which resulted in the deaths of everyone on the plane. It survived 9/11. It'll survive the next successful attack. The only real worry is that we'll scare ourselves into making air travel so onerous that we won't fly anymore.
Bruce Schneier