Essays: 2001 Archives
You may already be vulnerable
It used to be that when you connected to one of Counterpane's mailers, it responded with a standard SMTP banner that read something like the following:
220 counterpane.com ESMTP Sendmail 8.8.88. 7.5; Mon, 7 May 2001 21:13:35 -0600 (MDT)
Because this information includes a Sendmail version number, some people sent us mail that read (loosely interpreted): "Heh, heh, heh. Bruce's company runs a stupid Sendmail!"
Until recently, our IT staff's standard response was to smile and say, "Yes, that certainly is what the banner says," leaving the original respondent to wonder why we didn't care. (There are a bunch of reasons we don't care, and explaining them would take both the amusement and security out of it all.)
However, we were getting a bit tired of the whole thing.
The events of 11 September offer a rare chance to rethink public security.
Appalled by the events of 11 September, many Americans have declared so loudly that they are willing to give up civil liberties in the name of security that this trade-off seems to be a fait accompli. Article after article in the popular media debates the 'balance' of privacy and security -- are various types of increase in security worth the consequent losses to privacy and civil liberty? Rarely do I see discussion about whether this linkage is valid.
Security and privacy are not two sides of an equation.
In the wake of the devastating attacks on New York's World Trade Center and the Pentagon, Sen. Judd Gregg (R-N.H.), with backing from other high-ranking government officials, quickly seized the opportunity to propose limits on strong encryption and "key-escrow" systems that ensure government access. This is a bad move because it will do little to thwart terrorist activities and it will also reduce the security of our critical infrastructure.
As more and more of our nation's critical infrastructure goes digital, cryptography is more important than ever. We need all the digital security we can get; the government shouldn't be doing things that actually reduce it.
Most people don't understand the real lessons of Code Red II.
Code Red II could have been much worse. As it had full control of every machine it took over, it could have been programmed to do anything, including dropping the entire Internet. It could have spread faster and been stealthier.
The arrest of a Russian computer security researcher was a major setback for computer security research. The FBI nabbed Dmitry Sklyarov after he presented a paper at DefCon, the hacker community convention in Las Vegas, on the strengths and the weaknesses of software to encrypt an electronic book.
Although I'm certain the FBI's case will never hold up in court, it shows that free speech is secondary to the entertainment industry's paranoia about copyright protection.
Sklyarov is accused of violating the Digital Millennium Copyright Act (DMCA), which makes publishing critical research on this technology more serious than publishing design information on nuclear weapons.
Testimony and Statement for the Record of Bruce Schneier
Chief Technical Officer, Counterpane Internet Security, Inc.
Hearing on Internet Security before the Subcommittee on Science, Technology, and Space of the Committee on Commerce, Science and Transportation
United States Senate
July 16, 2001
253 Russell Senate Office Building
My name is Bruce Schneier. I am the founder and Chief Technical Officer of Counterpane Internet Security, Inc. Counterpane was founded to address the immediate need for increased Internet security, and essentially provides burglar alarm services for computer networks.
One of the key reasons businesses have yet to link their business applications with telephone services is there's no common interface. While two standards under development promise to let businesses integrate and control telephony services, such as call forwarding and automatic number identification, with software, such as Web-based call center apps, these standards could introduce huge security risks.
These standards address key issues. One organization working in this space is The Parlay Group (www.parlay.org), a consortium of software, hardware and telecommunication service providers.
In warfare, information is power. The better you understand your enemy, the more able you are to defeat him.
In the war against malicious hackers, network intruders and the other black-hat denizens of cyberspace, the good guys have surprisingly little information. Most security experts--even those who design products to protect against attacks--are ignorant of the tools, tactics and motivations of the enemy.
Despite numerous efforts over the years to develop comprehensive computer security standards, it's a goal that remains elusive at best.
As far back as 1985, the U.S. government attempted to establish a general method for evaluating security requirements. This resulted in the "Orange Book," the colloquial name for the U.S.
In a paper he wrote with Roger Needham, Ross Anderson coined the phrase "programming Satan's computer" to describe the problems faced by computer-security engineers. It's a phrase I've used ever since.
Programming a computer is straightforward: keep hammering away at the problem until the computer does what it's supposed to do. Large application programs and operating systems are a lot more complicated, but the methodology is basically the same.
The author of a pioneering work on the NSA delivers a new book of revelations about the mysterious agency's coverups, eavesdropping and secret missions.
In 1982, James Bamford published "The Puzzle Palace," his first exposé on the National Security Agency. His new exposé on the NSA is called "Body of Secrets." Twenty years makes a lot of difference in the intelligence biz.
During those 20 years, the Reagan military buildup came and went, the Soviet Union fell and the Cold War ended, and a bevy of new military enemies emerged. Electronic communications exploded through faxes, cellphones, the Internet, etc.
Despite huge investments by corporations in computer security infrastructure, an overwhelming majority of companies are finding that their networks are still being compromised. And there's no reason to believe this will change anytime soon.
About 64 percent of companies' systems have been victims of some form of unauthorized access, according to a recent survey by the Computer Security Institute (CSI). While 25 percent said they had no breaches and 11 percent said they didn't know, I'd bet the actual number of companies that have been compromised is much higher.
Underwriters Laboratories (UL) is an independent testing organization created in 1893, when William Henry Merrill was called in to find out why the Palace of Electricity at the Columbian Exposition in Chicago kept catching on fire (which is not the best way to tout the wonders of electricity). After making the exhibit safe, he realized he had a business model on his hands. Eventually, if your electrical equipment wasn't UL certified, you couldn't get insurance.
Today, UL rates all kinds of equipment, not just electrical.
When a hacker adds a back door to your computer systems for later unauthorized access, that's a serious threat. But it's an even bigger problem if you created the back door yourself.
It seems that Borland did just that with its Interbase database. All versions released for the past seven years (versions 4.x through 6.01) have a back door.
In the future, the computer security industry will be run by the insurance industry. I don't mean insurance companies will start selling firewalls, but rather the kind of firewall you use--along with the kind of authentication scheme you use, the kind of operating system you use, and the kind of network monitoring scheme you use--will be strongly influenced by the constraints of insurance.
Consider security and safety in the real world. Businesses don't install alarms in their warehouses because it makes them safer; they do it because they get a break in their insurance rates.
Reports that PGP, a standard used to encrypt e-mail, is broken are greatly exaggerated. Although a recent criminal investigation has led some to conclude that flaws in the PGP protocol helped the FBI nab its suspect, the truth is that no one has broken the cryptographic algorithms that protect PGP traffic. And no one has discovered a software flaw in the PGP program that would allow someone to read PGP-encrypted traffic. All that happened was that someone installed a keyboard sniffer on a computer, letting that someone eavesdrop on every keystroke the user made.
Eventually, the insurance industry will subsume the computer security industry. Not that insurance companies will start marketing security products, but rather that the kind of firewall you use--along with the kind of authentication scheme you use, the kind of operating system you use and the kind of network monitoring scheme you use--will be strongly influenced by the constraints of insurance.
Consider security, and safety, in the real world. Businesses don't install building alarms because it makes them feel safer; they do it to get a reduction in their insurance rates.
Hacking contests are a popular way for software companies to demonstrate claims of how good their security products are in practice. But companies looking to protect their digital assets shouldn't give too much credence to these challenges.
These contests typically involve a group or vendor offering money to anyone who can break through its firewall, crack its algorithm or make a fraudulent transaction using its technology. The Secure Digital Music Initiative (SDMI), an industry group that's developed encryption methods to protect the copying of digital music files, issued a hacking challenge in September, offering $10,000 to anyone who could strip various copy-protection technologies out of songs provided as examples.