Essays: 2003 Archives

Better get used to routine loss of personal privacy

  • Bruce Schneier
  • Minneapolis Star Tribune
  • December 21, 2003

At a gas station in British Columbia, two employees installed a camera in the ceiling in front of an ATM machine. They recorded thousands of people as they typed in their PIN numbers. Combined with a false front on the ATM that recorded account numbers from the cards, the pair were able to steal millions before they were caught.

In at least 14 Kinko's copy shops in New York City, Juju Jiang installed keystroke loggers on the rentable computers.

Are you sophisticated enough to recognize an Internet scam?

  • Bruce Schneier
  • The Mercury News
  • December 19, 2003

Recently I have been receiving e-mails from PayPal. At least, they look like they're from PayPal. They send me to a Web site that looks like it's from PayPal. And it asks for my password, just like PayPal. The problem is that it's not from PayPal, and if I do what the Web site says, some criminal is going to siphon money out of my bank account.

Welcome to the third wave of network attacks, what I have named "semantic attacks." They are much more serious and harder to defend against because they attack the user and not the computers. And they're the future of fraud on the Internet.

The first wave of attacks against the Internet was physical: against the computers, wires and electronics.

Blaster and the Great Blackout

  • Bruce Schneier
  • Salon
  • December 16, 2003

Ten years ago our critical infrastructure was run by a series of specialized systems, both computerized and manual, on dedicated networks. Today, many of these computers have been replaced with standard mass-market computers connected via the Internet. This shift brings with it all sorts of cost savings, but it also brings additional risks. The same worms and viruses, the same vulnerabilities, the same Trojans and hacking tools that have so successfully ravaged the Internet can now affect our critical infrastructure.

Internet Worms and Critical Infrastructure

  • Bruce Schneier
  • CNET
  • December 9, 2003

Did MSBlast cause the Aug. 14 blackout? The official analysis says "no," but I'm not so sure. A November interim report a panel of government and industry officials issued concluded that the blackout was caused by a series of failures with the chain of events starting at FirstEnergy, a power company in Ohio. A series of human and computer failures then turned a small problem into a major one. And because critical alarm systems failed, workers at FirstEnergy did not stop the cascade, because they did not know what was happening.

Festung Amerika

  • Bruce Schneier
  • Financial Times Deutschland
  • November 11, 2003

In 2004 the USA will spend many billions of dollars on security. Unfortunately, most of it is money thrown out the window; this build-up brings no real protection.

September 11, 2001 left a trauma behind. Since the terrorist attacks, Americans have needed the feeling of more security.

Airplane Hackers

  • Bruce Schneier
  • IEEE Security & Privacy
  • November/December 2003

Nathaniel Heatwole is a student at Guilford College. Several times between 7 February and 15 September 2003, he tested airline security. First, he smuggled in box cutters, clay resembling plastic explosives, and bleach simulating bomb-making chemicals through security. Then he hid these things in airplane lavatories, along with notes.

Liability changes everything

  • Bruce Schneier
  • Heise Security
  • November 2003

German translation

Computer security is not a problem that technology can solve. Security solutions have a technological component, but security is fundamentally a people problem. Businesses approach security as they do any other business uncertainty: in terms of risk management. Organizations optimize their activities to minimize their cost-risk product, and understanding those motivations is key to understanding computer security today.

Terror Profiles by Computers Are Ineffective

  • Bruce Schneier
  • Newsday
  • October 21, 2003

In September 2002, JetBlue Airways secretly turned over data about 1.5 million of its passengers to a company called Torch Concepts, under contract with the Department of Defense.

Torch Concepts merged this data with Social Security numbers, home addresses, income levels and automobile records that it purchased from another company, Acxiom Corp. All this was to test an automatic profiling system to automatically give each person a terrorist threat ranking.

Many JetBlue customers feel angry and betrayed that their data was shared without their consent. JetBlue's privacy policy clearly states that "the financial and personal information collected on this site is not shared with any third parties." Several lawsuits against JetBlue are pending.

Outside View: Fixing intelligence

  • Bruce Schneier
  • UPI
  • October 14, 2003

A joint congressional intelligence inquiry has concluded that 9/11 could have been prevented if our nation's intelligence agencies shared information better and coordinated more effectively. This is both a trite platitude and a profound prescription.

Intelligence is easy to understand after the fact. With the benefit of hindsight, it's easy to draw lines from people in flight school here, to secret meetings in foreign countries there, over to interesting tips from informants, and maybe to INS records.

CyberInsecurity: The Cost of Monopoly

How the Dominance of Microsoft's Products Poses a Risk to Security

  • Daniel Geer, Charles P. Pfleeger, Bruce Schneier, John S. Quarterman, Perry Metzger, Rebecca Bace, and Peter Gutmann
  • Computer & Communications Industry Association Report
  • September 24, 2003

Table of Contents
  1. Author Listing
  2. Introduction by Computer & Communications Industry Association (CCIA)
  3. CyberInsecurity Report
  4.

Voting and Technology: Who Gets to Count Your Vote?

Paperless voting machines threaten the integrity of democratic process by what they don't do.

  • David L. Dill, Bruce Schneier, and Barbara Simons
  • Communications of the ACM
  • August 2003

Voting problems associated with the 2000 U.S. Presidential election have spurred calls for more accurate voting systems. Unfortunately, many of the new computerized voting systems purchased today have major security and reliability problems.

The ideal voting technology would have five attributes: anonymity, scalability, speed, audit, and accuracy (direct mapping from intent to counted vote).

The Speed of Security

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2003

"The Slammer worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes." (See "Inside the Slammer Worm," p. 33 of this issue.)

For the six months prior to the Sapphire (or SQL Slammer) worm's release, the particular vulnerability that Slammer exploited was one of literally hundreds already known.

Testimony before the Subcommittee on Cybersecurity, Science, and Research and Development

  • Bruce Schneier
  • June 25, 2003

Testimony and Statement for the Record of Bruce Schneier
Chief Technical Officer, Counterpane Internet Security, Inc.

Hearing on "Overview of the Cyber Problem - A Nation Dependent and Dealing with Risk"

Before the Subcommittee on Cybersecurity, Science, and Research and Development
Committee on Homeland Security
United States House of Representatives

June 25, 2003
2318 Rayburn House Office Building

Mr. Chairman, members of the Committee, thank you for the opportunity to testify today regarding cybersecurity, particularly in its relation to homeland defense and our nation's critical infrastructure. My name is Bruce Schneier, and I have worked in the field of computer security for my entire career. I am the author of seven books on the topic, including the best-selling Secrets and Lies: Digital Security in a Networked World [1].

Walls Don't Work in Cyberspace

  • Bruce Schneier
  • Wired
  • June 2003

Internet security is usually described as a fortress, with the good guys inside the wall and the bad guys outside. Network owners buy products to shore up the barrier, on the logic that a stronger wall will give them better security. Flaws in the network are holes in the barricade, patches the mortar that closes them.

This metaphor might have been appropriate 10 years ago, when the Internet was made up of disparate networks that occasionally communicated, but it's outdated today.

Guilty Until Proven Innocent?

  • Bruce Schneier
  • IEEE Security & Privacy
  • May/June 2003

In April 2003, the US Justice Department administratively discharged the FBI of its statutory duty to ensure the accuracy and completeness of the National Crime Information Center (NCIC) database. This enormous database contains over 39 million criminal records and information on wanted persons, missing persons, and gang members, as well as information about stolen cars and boats. More than 80,000 law enforcement agencies have access to this database. On average, the database processes 2.8 million transactions each day.

American Cyberspace: Can We Fend off Attackers?

Forget It: Bland PR Document Has Only Recommendations

  • Bruce Schneier
  • San Jose Mercury News
  • March 7, 2003

At 60 pages, the White House's National Strategy to Secure Cyberspace is an interesting read, but it won't help to secure cyberspace. It's a product of consensus, so it doesn't make any of the hard choices necessary to radically increase cyberspace security. Consensus doesn't work in security design, and invariably results in bad decisions. It's the compromises that are harmful, because the more parties you have in the discussion, the more interests there are that conflict with security.

Internet Shield: Secrecy and security

  • Bruce Schneier
  • SF Chronicle
  • March 2, 2003

There's considerable confusion between the concepts of secrecy and security, and it is causing a lot of bad security and some surprising political arguments. Secrecy is not the same as security, and most of the time secrecy contributes to a false feeling of security instead of to real security.

Last month, the SQL Slammer worm ravaged the Internet, infecting in some 15 minutes about 13 root servers that direct information traffic, and thus disrupting services as diverse as the 911 network in Seattle and much of Bank of America's 13,000 ATM machines. The worm took advantage of a software vulnerability in a Microsoft database management program, one that allowed a malicious piece of software to take control of the computer.

Locks and Full Disclosure

  • Bruce Schneier
  • IEEE Security & Privacy
  • March/April 2003

The full disclosure vs bug secrecy debate is a lot larger than computer security. Blaze's paper on master-key locking systems in this issue is an illustrative case in point. It turns out that the ways we've learned to conceptualize security and attacks in the computer world are directly applicable to other areas of security--like door locks. But the most interesting part of this entire story is that the locksmith community went ballistic after learning about what Blaze did.

We Are All Security Consumers

  • Bruce Schneier
  • IEEE Security & Privacy
  • January/February 2003

Computer security is vital, and IEEE is launching this new magazine devoted to the topic. But there's more to security than what this magazine is going to talk about. If we don't help educate the average computer user about how to be a good security consumer, little of what we do matters.

Dozens of times a day, we are security consumers.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.