Essays: 2000 Archives

Technology Was Only Part of the Florida Problem

  • Bruce Schneier
  • Computerworld
  • December 18, 2000

In the wake of the presidential election, pundits have called for more accurate voting and vote counting. To most people, this obviously means more technology. But before jumping to conclusions, let's look at the security and reliability issues surrounding voting technology.

Most of Florida's voting problems are a direct result of "translation" errors stemming from too much technology.

Read More →

Security Research and the Future

  • Bruce Schneier
  • Dr. Dobb's Journal
  • December 2000

Security threats will continue to loom

For the longest time, cryptography was a solution looking for a problem. And outside the military and a few paranoid individuals, there wasn't any problem. Then along came the Internet, and with the Internet came e-commerce, corporate intranets and extranets, voice over IP, B2B, and the like. Suddenly everyone is talking about cryptography.

Read More →

The Fallacy of Trusted Client Software

  • Bruce Schneier
  • Information Security
  • August 2000

The Fallacy of Trusted Client Software Controlling what a user can do with a piece of data assumes a trust paradigm that doesn't exist in the real world. Software copy protection, intellectual property theft, digital watermarking-different companies claim to solve different parts of this growing problem. Some companies market e-mail security solutions in which the e-mail cannot be read after a certain date, effectively "deleting" it. Other companies sell rights-management software: audio and video files that can't be copied or redistributed, data that can be read but not printed and software that can't be copied.

Read More →

Debunking Virus-Based Fixes

  • Bruce Schneier
  • ZDNet
  • July 31, 2000

The latest tale of security gaps in Microsoft Corp.'s software is a complicated story, and there are a lot of lessons to take away ... so let's take it chronologically.

On June 27, Georgi Guninski discovered a new vulnerability in Internet Explorer (4.0 or higher) and Microsoft Access (97 or 2000) running on Windows 95, 98, NT 4.0 or 2000. An attacker can compromise a user's system by getting the user to read an HTML e-mail message (not an attachment) or visit a Web site.

Read More →

The Process of Security

  • Bruce Schneier
  • Information Security
  • April 2000

I've been writing the CryptoRhythms column for this magazine for a little over a year now. When the editor and I sat down a couple months ago to talk about topics for 2000, I told him I wanted to expand the focus a bit from crypto-specific topics to broader information security subjects. So even though the column still falls under the CryptoRhythms banner, you can expect some (but not all) of this year's columns to address broader security issues that in some way incorporate cryptography. This month's article does just that, focusing on the process of security.

Read More →

Risks of PKI: Electronic Commerce

  • Carl Ellison and Bruce Schneier
  • Communications of the ACM
  • February 2000

Open any popular article on public-key infrastructure (PKI) and you're likely to read that a PKI is desperately needed for E-commerce to flourish. Don't believe it. E-commerce is flourishing, PKI or no PKI. Web sites are happy to take your order if you don't have a certificate and even if you don't use a secure connection.

Read More →

Risks of PKI: Secure E-Mail

  • Carl Ellison and Bruce Schneier
  • Communications of the ACM
  • January 2000

Public-key infrastructure (PKI), usually meaning digital certificates from a commercial or corporate certificate authority (CA), is touted as the current cure-all for security problems.

Certificates provide an attractive business model. They cost almost nothing to manufacture, and you can dream of selling one a year to everyone on the Internet. Given that much potential income for CAs, we now see many commercial CAs, producing literature, press briefings and lobbying.

Read More →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.