Fears -- real and illusory

by Paul Glister
News & Observer
January 21, 2004

In 1996, a man named Willis Robinson reprogrammed a computerized cash register at a Taco Bell in Maryland. The compromised machine would ring a $2.99 item internally as a one-cent sale, even as it showed the proper amount on its screen. Robinson skimmed $3,600 from his employer. He was caught only because he bragged about his exploits.

Bruce Schneier has much to say about technology in his new book "Beyond Fear: Thinking Sensibly About Security in an Uncertain World" (Copernicus Books, $25). The book uses anecdotes and examples to show how security changes. In the Robinson case, technology created a new kind of threat, and that is what technology tends to do. Sure, you could play fast and loose with a store's account from a manual or electric cash register, but you would have to do it repeatedly, and the theft would be visible. Robinson's hack allowed him to pocket all the money that any cashier unwittingly rang up day or night.

Schneier is a security expert, the author of the classic book "Applied Cryptography" and co-founder of Counterpane Internet Security, a Fortune 2000 company that includes companies such as FedEx and Boeing among its clients. His online security newsletter Cryptogram (at www.schneier.com) is a must for following these issues.

Perhaps the most dangerous thing about technology in a post-9-11 world is that it breeds complexity, which in turn leads to vulnerability. Consider the power failure of August 2003, the result of tightly coupled systems brought down by the breakdown of a single transmission grid in Ohio.

Technology also brings standardization, another security vulnerability because it makes possible what Schneier calls "class breaks" -- attacks that will work against every instance of a given security system. Think of garage doors. A thief has to pick each manual lock individually, but the invention of automatic garage door openers means a single device is now available that can be made to open all the garages on a street.

Automate a class break and it becomes a security nightmare. Most Internet attacks happen this way. A hacker figures out how to break into a network and writes an automated tool, which can then be downloaded by "script kiddies" -- people who, although they have no idea how the attack works, have the clout to execute it anyway.

So are we even less secure than we think? Schneier makes the case that despite such vulnerabilities, the risk of terrorism is low, and that many of the countermeasures put in place after the 2001 attacks have been both costly and ineffective. He concludes that only two effective countermeasures came out of 9-11: strengthened cockpit doors and passengers who know they need to fight back.

Why? Programs like CAPPS, a computerized pre-screening database for airline passengers, build massive data sets that can be penetrated. Not only can such a database compromise privacy, but it can also establish an inflexible passenger profiling that is easily probed and defeated. In Schneier's view, we're paying too much for a system that delivers little extra safety.

Advance detection and counterattack, not excessive government secrecy, are the way to fight. "The only way to deal effectively with terrorists," Schneier writes, "is to detect terrorist plots before they're implemented, then counterattack and go after the terrorists themselves: rolling up terrorist networks, disrupting funding streams and communications ..."

"Beyond Fear" is a tour de force, stuffed with more ideas than I have room to talk about here. It is a timely contribution to our national debate.

Paul Gilster, a local author and technologist, can be reached at gilster@mindspring.com.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..