Bruce Schneier Quotes

Air travel survived decades of terrorism, including attacks which resulted in the deaths of everyone on the plane. It survived 9/11. It'll survive the next successful attack. The only real worry is that we'll scare ourselves into making air travel so onerous that we won't fly anymore.

If you have nothing to hide, then you have nothing to fear. This is a dangerously narrow conception of the value of privacy. Privacy is an essential human need, and central to our ability to control how we relate to the world. Being stripped of privacy is fundamentally dehumanizing, and it makes no difference whether the surveillance is conducted by an undercover policeman following us around or by a computer algorithm tracking our every move.

Corporate and government surveillance aren't separate; they're an alliance of interests.

Terrorism is a crime against the mind. We win by refusing fear.

More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.

A colleague once told me that the world was full of bad security systems designed by people who read Applied Cryptography

If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.

Only amateurs attack machines; professionals target people.

People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.

Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge.

We saw this in late 2014 when Apple finally encrypted iPhone data; one after the other, law enforcement officials raised the specter of kidnappers and child predators. This is a common fearmongering assertion, but no one has pointed to any actual cases where this was an issue. Of the 3,576 major offenses for which warrants were granted for communications interception in 2013, exactly one involved kidnapping - and the victim wasn't a child.

Embedded in digital photos is information such as the date, time, and location - yes, many cameras have GPS - of the photo's capture; generic information about the camera, lens, and settings; and an ID number of the camera itself. If you upload the photo to the web, that information often remains attached to the file.

The mantra of any good security engineer is: 'Security is a not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.

If the FBI parks a van bristling with cameras outside your house, you are justified in closing your blinds.

We can't keep weapons out of prisons; we can't possibly expect to keep them out of airports.

Think of your existing power as the exponent in an equation that determines the value of information. The more power you have, the more additional power you derive from the new data.

If someone steals your password, you can change it. But if someone steals your thumbprint, you can't get a new thumb. The failure modes are very different.

The most common misconception about privacy is that it's about having something to hide. "If you aren't doing anything wrong, then you have nothing to hide," the saying goes, with the obvious implication that privacy only aids wrongdoers.

Societies without a reservoir of people who don't follow the rules lack an important mechanism for societal evolution. Vibrant societies need a dishonest minority; if society makes its dishonest minority too small, it stifles dissent as well as common crime.

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.

It doesn't matter how big your neocortex is or how abstractly you can reason: unless you can trust others, your species will forever remain stuck in the Stone Age.

Terrorists can only take my life. Only my government can take my freedom.

Given the credible estimate that we've spent $1 trillion on anti-terrorism security

If something is free, you're not the customer; you're the product.

There's an entire flight simulator hidden in every copy of Microsoft Excel 97.

If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security.

The whole notion of passwords is based on an oxymoron. The idea is to have a random string that is easy to remember. Unfortunately, if it's easy to remember, it's something nonrandom like 'Susan.' And if it's random, like 'r7U2*Qnp,' then it's not easy to remember.

History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did.

Digital files cannot be made uncopyable, any more than water can be made not wet.

I used to say that Google knows more about what I'm thinking of than my wife does. But that doesn't go far enough. Google knows more about what I'm thinking of than I do, because Google remembers all of it perfectly and forever.

I tell people if it's in the news don't worry about it. Because by definition news is something that almost never happens.

But eavesdropping acquired a new, and more intense, life after the terrorist attacks of 9/11. "Never again" was an impossible mandate, of course, but the only way to have any hope of preventing something from happening is to know everything that is happening. That led the NSA to put the entire planet under surveillance.

It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.

Terrorism isn't a crime against people or property. It's a crime against our minds, using the death of innocents and destruction of property to make us fearful. Terrorists use the media to magnify their actions and further spread fear. And when we react out of fear, when we change our policy to make our country less open, the terrorists succeed
even if their attacks fail. But when we refuse to be terrorized, when we're indomitable in the face of terror, the terrorists fail
even if their attacks succeed.

ID can be hijacked, and cards can be faked. All of the 9/11 terrorists had fake IDs, yet they still got on the planes. If the British national ID card can't be faked, it will be the first on the planet.

Computer security can simply be protecting your equipment and files from disgruntled employees, spies, and anything that goes bump in the night, but there is much more. Computer security helps ensure that your computers, networks, and peripherals work as expected all the time, and that your data is safe in the event of hard disk crash or a power failure resulting from an electrical storm. Computer security also makes sure no damage is done to your data and that no one is able to read it unless you want them to

The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act. And we're doing exactly what the terrorists want [ ... ] Our politicians help the terrorists every time they use fear as a campaign tactic. The press helps every time it writes scare stories about the plot and the threat. And if we're terrified, and we share that fear, we help.

The science and engineering of programming just isn't good enough to produce flawless software, and that isn't going to change anytime soon. The

The very definition of news is something that hardly ever happens. If an incident is in the news, we shouldn't worry about it. It's when something is so common that its no longer news - car crashes, domestic violence - that we should worry.

Surveillance of power is one of the most important ways to ensure that power does not abuse its status. But, of course, power does not like to be watched.

When people are scared, they need something done that will make them feel safe, even if it doesn't truly make them safer. Politicians naturally want to do something in response to crisis, even if that something doesn't make any sense. But unfortunately for politicians, the security measures that work are largely invisible.

Even though we don't know which companies the NSA has compromised – or by what means – knowing that they could have compromised any of them is enough to make us mistrustful of all of them. This is going to make it hard for large companies like Google and Microsoft to get back the trust they lost. Even if they succeed in limiting government surveillance. Even if they succeed in improving their own internal security. The best they'll be able to say is: "We have secured ourselves from the NSA, except for the parts that we either don't know about or can't talk about.

One of the most surreal aspects of the NSA stories based on the Snowden documents is how they made even the most paranoid conspiracy theorists seem like paragons of reason and common sense.

Mug shot extortion sites turn this sort of thing into a business. Mug shots are public record, but they're not readily available. Owners of mug shot sites acquire the photos in bulk and publish them online, where everybody can find them, then charge individuals to remove their photos from the sites.

Google controls two-thirds of the US search market. Almost three-quarters of all Internet users have Facebook accounts. Amazon controls about 30% of the US book market, and 70% of the e-book market. Comcast owns about 25% of the US broadband market. These companies have enormous power and control over us simply because of their economic position. They all collect and use our data to increase their market dominance and profitability. When eBay first started, it was easy for buyers and sellers to communicate outside of the eBay system because people's e-mail addresses were largely public. In 2001, eBay started hiding e-mail addresses; in 2011, it banned e-mail addresses and links in listings; and in 2012, it banned them from user-to-user communications. All of these moves served to position eBay as a powerful intermediary by making it harder for buyers and sellers to take a relationship established inside of eBay and move it outside of eBay.

When a big company lays you off, they often give you a year's salary to 'go pursue a dream.' If you're stupid, you panic and get another job. If you're smart, you take the money and use the time to figure out what you want to do next.

As former NSA general counsel Stewart Baker said, "Metadata absolutely tells you everything about somebody's life. If you have enough metadata you don't really need content.

You can think of the difference between tactical and strategic oversight as the difference between doing things right and doing the right things. Both are required.

The user's going to pick dancing pigs over security every time.

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.

By 2010, we as a species were creating more data per day than we did from the beginning of time until 2003. By 2015, 76 exabytes of data will travel across the Internet every year.

Why is it that we all - myself included - believe these stories? Why are we so quick to assume that the TSA is a bunch of jack-booted thugs, officious and arbitrary and drunk with power? It's because everything seems so arbitrary, because there's no accountability or transparency in the DHS.

If anyone thinks they can get an accurate picture of anyplace on the planet by reading news reports, they're sadly mistaken.

There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.

When my mother gets a prompt 'Do you want to download this?' she's going to say yes. It's disingenuous for Microsoft to give you all of these tools with which to hang yourself, and when you do, then say it's your fault.

Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect. It is about choice, and having the power to control how you present yourself to the world.

I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually 'Nothing; you're screwed'.

It is sort of interesting that in our society this days we are very quick to apply the term 'war' to places where thare are no actual wars, and loath to apply the term 'war' when we are actually fighting wars.

The more technological a society is, the greater the security gap is.

This is not the internet the world needs, or the internet its creators envisioned. We need to take it back. And by we, I mean the engineering community.

Technical problems can be remediated. A dishonest corporate culture is much harder to fix.

Cryptography products may be declared illegal, but the information will never be

Increasingly, companies use their power to influence and manipulate their users. Websites that profit from advertising spend a lot of effort making sure you spend as much time on those sites as possible, optimizing their content for maximum addictiveness.

Metadata equals surveillance; it's that simple.

Choosing providers is not a choice between surveillance/not; it's just choosing which feudal lord gets to spy on you.