Schneier on Security

It used to be that when you connected to one of Counterpane’s mailers, it responded with a standard SMTP banner that read something like the following:

220 counterpane.com ESMTP Sendmail 8.8.88. 7.5; Mon, 7 May 2001 21:13:35 0600 (MDT

Because this information includes a Sendmail version number, some people sent us mail that read (loosely interpreted): “Heh, heh, heh. Bruce’s company runs a stupid Sendmail!”

Until recently, our IT staffs standard response was to smile and say, “Yes, that certainly is what the banner says,” leaving the original respondent to wonder why we didn’t care. (There are a bunch of reasons we don’t care, and explaining them would take both the amusement and security out of it all.)…

Security threats will continue to loom

For the longest time, cryptography was a solution looking for a problem. And outside the military and a few paranoid individuals, there wasn’t any problem. Then along came the Internet, and with the Internet came e-commerce, corporate intranets and extranets, voice over IP, B2B, and the like. Suddenly everyone is talking about cryptography. Suddenly everyone is talking about computer security. There are more companies and products, and more research. And a lot more interest.

But at the same time, the state of security is getting worse. There are more vulnerabilities being found in operating systems-not just Microsoft’s, but everyone’s-than ever before. There are more viruses (or worms) being released, and they’re doing more damage. There are nastier denial-of-service tools, and more effective root kits. What research is necessary to reverse this trend? How can we make security work?…

GCHQ, the British equivalent of the U.S. NSA, released a document on December 1 1997, claiming to have invented publickey cryptography several years before it was discovered by the research community (http://www.cesg.gov.uk/ellisint.htm). According to the paper, GCHQ discovered both RSA and Diffie-Hellman, then kept their discoveries secret.

James Ellis the author of the paper (who died a few days before the paper’s release), wrote that he was inspired by an unknown Bell Telephone labs researcher during World War II. This researcher had the idea that a receiver could inject noise onto a communications circuit and effectively drown out any signal. An eavesdropper would only hear the noise, but the receiver could subtract the noise and recover the signal. The interesting idea here is that the sender doesn’t have to know any encryption “key” to send a secret message to the receiverthe receiver does all the work. (This is essentially what ech(>cancelling modems do; they scream at each other along the same line, and subtract out their own signal when they listen for the other.) This was promptly classified by the Li.S. government…