Patching systems is fundamentally a human problem, and beneficial worms are a technical solution that doesn't work.
- Bruce Schneier
%
Q: Aren't there too many Linux security patches around?
A: Having a choice is not bad. One size does not fit all. It is only a problem when you do not know how to choose or when you think your OS religion is the Only True OS Religion(tm) and you do not like people to choose something else.
- Adamantix FAQ
%
We have a hack in our flavor of Wine, in the CreateProcess call (the code to start an executable) that basically checks to see if the parent process is outlook.exe, and if it is, we crash and burn, preventing many of the worms and such from running.
- Jeremy White, May 2004
%
Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy; therefore, never trust closed source.
- Eric Raymond, May 2004
%
...it's easier to add documentation and support to Linux than security to Windows.
- Dan DeMaggio, CRYPTO-GRAM, June 2003
%
...algorithms from the NSA are considered a sort of alien technology: they come from a superior race with no explanations.
- Bruce Schneier, CRYPTO-GRAM, September 2004
%
You can and you shall protect them from the outside world; you can and you shall protect your critical services from them; but you can't and you shall not protect them from themselves.
- Francois-René Rideau, Firewall Piercing mini-HOWTO, November 2001
%
If there are a few shark attacks in Florida - and a graphic movie - suddenly every swimmer is worried. More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.
- Bruce Schneier, May 2005
%
One of the things I routinely tell people is that if it's in the news, don't worry about it. By definition, "news" means that it hardly ever happens. If a risk is in the news, then it's probably not worth worrying about. When something is no longer reported - automobile deaths, domestic violence - when it's so common that it's not news, then you should start worrying.
- Bruce Schneier, May 2005
%
...Linux security has been better than many rivals. However, even the best systems today are totally inadequate. Saying Linux is more secure than Windows isn't really addressing the bigger issue - neither is good enough.
- Alan Cox, September 2005
%
Implementation of Microsoft SOAP, a protocol running over HTTP precisely so it could bypass firewalls, should be withdrawn. [...] It is exactly this feature-above-security mindset that needs to go.
- Bruce Schneier, February 2002
%
Even in the most wildly optimistic projections, data mining isn't tenable for uncovering future terrorist plots. We're not trading privacy for security; we're giving up privacy and getting no security in return.
- Bruce Schneier, February 2002
%
For over a year, Microsoft has planted a program on every modern Windows-powered PC that reported home every day. [...] Maybe you can trust your computer, your livelihood, your home finances, your kids' games, everything you do online, to a company that would do that, but you can count me out.
- Steven J. Vaughan-Nichols, June 2006
%
Too many wrongly characterize the debate as "security versus privacy." The real choice is liberty versus control. [...] Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.
- Bruce Schneier, June 2006
%
Dogs are wild animals and shouldn't be kept as a pet. It's as simple as that. A fish is a safe pet. A dog isn't. How many children get injured - often in the face - by dogs each year? It's just not worth it.
- Mattijs
%
When talking about Security, most people think about something where "they" attack and "we" defend. If they succeed only once, we have lost. If we succeed in defending, the next wave of attackers will be ready, meaner and faster than the first wave. This is not "Security", this is "Space Invaders".
- Kristian Köhntopp, April 2006
%
Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security, and inhibits security education that leads to improvements. Secrecy doesn't improve security; it stifles it.
- Bruce Schneier, February 2007
%
I don't want to live in a world where companies can sell me software they know is full of holes or where the government can implement security measures without accountability. I much prefer a world where I have all the information I need to assess and protect my own security.
- Bruce Schneier, February 2007
%
Crypto is like an ATM that only lets you get money after you authenticate yourself with your card and PIN. DRM is like some kind of nefarious goon hired by the bank to follow you around after you get your money out, controlling how you spend it.
- Cory Doctorow, December 2006
%
We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?
- Bruce Schneier, December 2006