computer_security

Being in infosec for so long takes its toll. I've come to the conclusion that if you give a data point to a company, they will eventually sell it, leak it, lose it or get hacked and relieved of it. There really don't seem to be any exceptions, and it gets depressing.

Plus, other recent breaches, such as Gamma and Hacking Team, tell us that even government-affiliated organizations are freely operating without respecting UN embargoes and international regulations anyway - ironically, it was hackers and the security community that exposed them, and not law enforcement. So, who is the law working for?

Much of our security ideas and concepts are based on the days when sysadmins ruled the world. They were like a massive T-Rex ruling their domain, instilling fear into those beneath them. Today in security we are trying to build Jurassic Park, except there are no dinosaurs, they all went extinct. Maybe we can use horses instead, nobody will notice … probably. Most security leaders and security conferences are the same people saying the same things for the last ten years. If any of it worked even a little, I think we'd notice by now.

At a previous employer we had a policy that all passwords started with '/' because of the sheer number of times someone typed the root password into a public IRC channel.

Why do we need patch management? -WannaCry

Why do we need credential management? -Nyetya

Why do we need backups? -Someone uses real 0day