Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.
Cryptography products may be declared illegal, but the information will never be
The more we expect technology to protect us from people in the same way it protects us from nature, the more we will sacrifice the very values of our society in futile attempts to achieve this security.
Surveillance is the business model of the Internet.
The question to ask when you look at security is not whether this makes us safer, but whether it's worth the trade-off.
Security is a process, not a product.
Surveillance of power is one of the most important ways to ensure that power does not abuse its status. But, of course, power does not like to be watched.
It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.
There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.
Don't make the mistake of thinking you're Facebook's customer, you're not – you're the product,
If someone steals your password, you can change it. But if someone steals your thumbprint, you can't get a new thumb. The failure modes are very different.
People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.
More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.
Amateurs hack systems, professionals hack people.
It's frustrating; terrorism is rare and largely ineffectual, yet we regularly magnify the effects of both their successes and failures by terrorizing ourselves.
The user's going to pick dancing pigs over security every time.
Think of your existing power as the exponent in an equation that determines the value of information. The more power you have, the more additional power you derive from the new data.
You can't defend. You can't prevent. The only thing you can do is detect and respond.
There's an entire flight simulator hidden in every copy of Microsoft Excel 97.
People don't understand computers. Computers are magical boxes that do things. People believe what computers tell them.
I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually 'Nothing; you're screwed'.
No one can duplicate the confidence that RSA offers after 20 years of cryptanalytic review.
It is poor civic hygiene to install technologies that could someday facilitate a police state.
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.
Despite fearful rhetoric to the contrary, terrorism is not a transcendent threat. A terrorist attack cannot possibly destroy our country's way of life; it's only our reaction to that attack that can do that kind of damage.
When a big company lays you off, they often give you a year's salary to 'go pursue a dream.' If you're stupid, you panic and get another job. If you're smart, you take the money and use the time to figure out what you want to do next.
Air travel survived decades of terrorism, including attacks which resulted in the deaths of everyone on the plane. It survived 9/11. It'll survive the next successful attack. The only real worry is that we'll scare ourselves into making air travel so onerous that we won't fly anymore.
When people are scared, they need something done that will make them feel safe, even if it doesn't truly make them safer. Politicians naturally want to do something in response to crisis, even if that something doesn't make any sense. But unfortunately for politicians, the security measures that work are largely invisible.
The mantra of any good security engineer is: 'Security is a not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.
