Essays: 1999 Archives

The 1999 Crypto Year-in-Review

  • Bruce Schneier
  • Information Security
  • December 19, 1999

In 1999, the major developments in cryptography were more political than scientific. Of course, there were scientific conferences and scientific announcements, some of which were significant. But, by far, the most important events happened in the areas of law, court cases and regulation. As we move into the new millennium, these political and regulatory shifts could have resounding effects on the implementation of cryptography, especially in how it relates to balancing privacy concerns with the needs of government and law enforcement.

Read More →

A Plea for Simplicity

You can't secure what you don't understand.

  • Bruce Schneier
  • Information Security
  • November 19, 1999

Ask any 21 experts to predict the future, and they're likely to point in 21 different directions. But whatever the future holds--IP everywhere, smart cards everywhere, video everywhere, Internet commerce everywhere, wireless everywhere, agents everywhere, AI everywhere, everything everywhere--the one thing you can be sure of is that it will be complex. For consumers, this is great. For security professionals, this is terrifying.

Read More →

DVD Encryption Broken

  • Bruce Schneier
  • ZDNet
  • November 1999

A version of this article appeared as a guest commentary on ZDNet.

The scheme to protect DVDs has been broken. There are now freeware programs on the net that remove the copy protection on DVDs, allowing them to be played, edited, and copied without restriction.

This should be no surprise to anyone, least of all to the entertainment industry.

The protection scheme is seriously flawed in several ways.

Read More →

Why Computers Are Insecure

  • Bruce Schneier
  • Computerworld
  • November 1999

A shortened version of this essay appeared in the November 15, 1999 issue of Computerworld as "Satan's Computer: Why Security Products Fail Us."

Almost every week the computer press covers another security flaw: a virus that exploits Microsoft Office, a vulnerability in Windows or UNIX, a Java problem, a security hole in a major Web site, an attack against a popular firewall. Why can't vendors get this right, we wonder? When will it get better?

I don't believe it ever will.

Read More →

Risks of Relying on Cryptography

  • Bruce Schneier
  • Communications of the ACM
  • October 1999

Cryptography is often treated as if it were magic security dust: "sprinkle some on your system, and it is secure; then, you're secure as long as the key length is large enough--112 bits, 128 bits, 256 bits" (I've even seen companies boast of 16,000 bits.) "Sure, there are always new developments in cryptanalysis, but we've never seen an operationally useful cryptanalytic attack against a standard algorithm. Even the analyses of DES aren't any better than brute force in most operational situations. As long as you use a conservative published algorithm, you're secure."

This just isn't true. Recently we've seen attacks that hack into the mathematics of cryptography and go beyond traditional cryptanalysis, forcing cryptography to do something new, different, and unexpected.

Read More →

The Trojan Horse Race

  • Bruce Schneier
  • Communications of the ACM
  • September 1999

1999 is a pivotal year for malicious software ( malware) such as viruses, worms, and Trojan horses. Although the problem is not new, Internet growth and weak system security have evidently increased the risks.

Viruses and worms survive by moving from computer to computer. Prior to the Internet, computers (and viruses!) communicated relatively slowly, mostly through floppy disks and bulletin boards.

Read More →

International Cryptography

  • Bruce Schneier
  • Information Security
  • September 1999

Revised version.

One of the stranger justifications of U.S. export controls is that they prevent the spread of cryptographic expertise. Years ago, the Administration argued that there were no cryptographic products available outside the U.S. When several studies proved that there were hundreds of products designed, built, and marketed outside the U.S., the Administration changed its story.

Read More →

Web-Based Encrypted E-Mail

  • Bruce Schneier
  • ZDNet
  • August 1999

A version of this essay appeared on ZDNet.com.

The idea is enticing. Just as you can log onto Hotmail with your browser to send and receive e-mail, there are Web sites you can log on to to send and receive encrypted e-mail. HushMail, ZipLip, YNN-mail, ZixMail. No software to download and install...it just works.

But how well?

Read More →

NIST AES News

  • Bruce Schneier
  • ZDNet
  • August 1999

A version of this essay appeared on ZDNet.com.

AES is the Advanced Encryption Standard, the encryption algorithm that will eventually replace DES. In 1997, the U.S. government (NIST, actually), solicited candidate algorithms for this standard. By June 1998 (the submission deadline), NIST received fifteen submissions.

Read More →

Biometrics: Uses and Abuses

  • Bruce Schneier
  • Communications of the ACM
  • August 1999

Biometrics are seductive. Your voiceprint unlocks the door of your house. Your iris scan lets you into the corporate offices. You are your own key.

Read More →

Cryptography: The Importance of Not Being Different

  • Bruce Schneier
  • IEEE Computer
  • March 1999

Suppose your doctor said, "I realize we have antibiotics that are good at treating your kind of infection without harmful side effects, and that there are decades of research to support this treatment. But I'm going to give you tortilla-chip powder instead, because, uh, it might work." You'd get a new doctor.

Practicing medicine is difficult. The profession doesn't rush to embrace new drugs; it takes years of testing before benefits can be proven, dosages established, and side effects cataloged.

Read More →

Why the Worst Cryptography is in the Systems that Pass Initial Analysis

  • Bruce Schneier
  • Information Security
  • March 1999

Imagine this situation: An engineer builds a bridge. It stands for a day, and then collapses. He builds another. It stands for three days, and then collapses.

Read More →

Intel's Processor ID

  • Bruce Schneier
  • ZDNet News
  • January 26, 1999

Last month Intel Corp. announced that its new processor chips would come equipped with ID numbers, a unique serial number burned into the chip during manufacture. Intel said that this ID number will help facilitate e-commerce, prevent fraud and promote digital content protection.

Unfortunately, it doesn't do any of these things.

To see the problem, consider this analogy: Imagine that every person was issued a unique identification number on a national ID card.

Read More →

Security in the Real World: How to Evaluate Security

  • Bruce Schneier
  • Computer Security Journal
  • 1999

The following remarks are excerpted from a general session presentation delivered at CSI's NetSec Conference in St. Louis, MO, on June 15th, 1999.

At Counterpane Systems, we evaluate security products and systems for a living. We do a lot of breaking of things for manufacturers and other clients. Over the years, I've built a body of lore about the ways things tend to fail. I want to share my "top 20 list" of what's wrong with security products these days.

Read More →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.