Latest Essays
Page 70
Protecting Privacy and Liberty
The events of 11 September offer a rare chance to rethink public security.
Appalled by the events of 11 September, many Americans have declared so loudly that they are willing to give up civil liberties in the name of security that this trade-off seems to be a fait accompli. Article after article in the popular media debates the ‘balance’ of privacy and security—are various types of increase in security worth the consequent losses to privacy and civil liberty? Rarely do I see discussion about whether this linkage is valid.
Security and privacy are not two sides of an equation. This association is simplistic and largely fallacious. The best ways to increase security are not at the expense of privacy and liberty. Giving airline pilots firearms, reinforcing cockpit doors, better authentication of airport maintenance workers, armed air marshals travelling on flights and teaching flight attendants karate are all examples of suggested security measures that have no effect on individual privacy or liberties…
Efforts to Limit Encryption Are Bad for Security
In the wake of the devastating attacks on New York’s World Trade Center and the Pentagon, Sen. Judd Gregg (R-N.H.), with backing from other high- ranking government officials, quickly seized the opportunity to propose limits on strong encryption and “key-escrow” systems that insure government access. This is a bad move because it will do little to thwart terrorist activities and it will also reduce the security of our critical infrastructure.
As more and more of our nation’s critical infrastructure goes digital, cryptography is more important than ever. We need all the digital security we can get; the government shouldn’t be doing things that actually reduce it. We’ve been through these arguments before, but legislators seem to have short memories. Here’s why trying to limit cryptography is bad for e-business:…
The Real Lesson of Code Red: Insecurity Is a Way of Life
Most people don’t understand the real lessons of Code Red II.
Code Red II could have been much worse. As it had full control of every machine it took over, it could have been programmed to do anything, including dropping the entire Internet. It could have spread faster and been stealthier. It could have exploited several vulnerabilities, not just one. It could have been polymorphic.
Code Red II left a lot of questions unanswered. What will come in when Code Red II installs a back door and drops a Trojan program in vulnerable computers? Will there be a Code Red III? What will it do? What about Code Red XXVII?…
Arrest of Computer Researcher Is Arrest of First Amendment Rights
The arrest of a Russian computer security researcher was a major setback for computer security research. The FBI nabbed Dmitry Sklyarov after he presented a paper at DefCon, the hacker community convention in Las Vegas, on the strengths and the weaknesses of software to encrypt an electronic book.
Although I’m certain the FBI’s case will never hold up in court, it shows that free speech is secondary to the entertainment industry’s paranoia about copyright protection.
Sklyarov is accused of violating the Digital Millennium Copyright Act (DMCA), which makes publishing critical research on this technology more serious than publishing design information on nuclear weapons…
Testimony before the Senate Subcommittee on Science, Technology, and Space
Testimony and Statement for the Record of Bruce Schneier
Chief Technical Officer, Counterpane Internet Security, Inc.
Hearing on Internet Security before the Subcommittee on Science, Technology, and Space of the Committee on Commerce, Science and Transportation
United States Senate
July 16, 2001
253 Russell Senate Office Building
My name is Bruce Schneier. I am the founder and Chief Technical Officer of Counterpane Internet Security. Inc. Counterpane was founded to address the immediate need for increased Internet security, and essentially provides burglar alarm services for computer networks. I am the author of seven books on cryptography and computer security, as well as hundreds of articles and papers on those topics. For several years, I have been a security consultant to many major Internet companies…
Marriage Of Phone Services, Biz Apps Could Be A Security Risk
One of the key reasons businesses have yet to link their business applications with telephone services is there’s no common interface. While two standards under development promise to let businesses integrate and control telephony services, such as call forwarding and automatic number identification, with software, such as Web-based call center apps, these standards could introduce huge security risks.
These standards address key issues. One organization working in this space is The Parlay Group (www.parlay.org), a consortium of software, hardware and telecommunication service providers. The group is creating a specification and an application programming interface that will enable phone-system control from outside the secure telco network. This interface can be embedded in applications to reroute calls, provide notification of call attempts, retrieve the location of mobile users and link to telco billing systems, among other features…
In War Against Cyberspace Intruders, Knowledge Is Power
In warfare, information is power. The better you understand your enemy, the more able you are to defeat him.
In the war against malicious hackers, network intruders and the other black-hat denizens of cyberspace, the good guys have surprisingly little information. Most security experts-even those who design products to protect against attacks-are ignorant of the tools, tactics and motivations of the enemy.
The Honeynet Project, a group of 30 researchers from academia and the commercial sector, is trying to change that. The group obtains information through the use of a Honeynet-a computer network on the Internet that’s designed to be compromised. The network is made up of various production systems complete with sensors as well as a suitably enticing name and content. (The actual IP address changes regularly and isn’t published.) Hackers’ actions are recorded as they happen: how the culprits try to break in, when they’re successful and what they do when they succeed…
Computer Security Standards Aren't Scoring In The Commercial World
Despite numerous efforts over the years to develop comprehensive computer security standards, it’s a goal that remains elusive at best.
As far back as 1985, the U.S. government attempted to establish a general method for evaluating security requirements. This resulted in the “Orange Book,” the colloquial name for the U.S. Department of Defense Trusted Computer System Evaluation Criteria. The Orange Book gave computer manufacturers a way to measure the security of their systems and offered a method of classifying different levels of computer security…
Foreword to Security Engineering by Ross Anderson
In a paper he wrote with Roger Needham , Ross Anderson coined the phrase “programming Satan’s computer” to describe the problems faced by computer-security engineers. It’s a phrase I’ve used ever since.
Programming a computer is straightforward: keep hammering away at the problem until the computer does what it’s supposed to do. Large application programs and operating systems are a lot more complicated, but the methodology is basically the same. Writing a reliable computer program is much harder, because the program needs to work even in the face of random errors and mistakes: Murphy’s computer, if you will. Significant research has gone into reliable software design, and there are many mission-critical software applications that are designed to withstand Murphy…
Body of Secrets by James Bamford
The author of a pioneering work on the NSA delivers a new book of revelations about the mysterious agency's coverups, eavesdropping and secret missions.
In 1982, James Bamford published “The Puzzle Palace,” his first exposé on the National Security Agency. His new exposé on the NSA is called “Body of Secrets.” Twenty years makes a lot of difference in the intelligence biz.
During those 20 years, the Reagan military buildup came and went, the Soviet Union fell and the Cold War ended, and a bevy of new military enemies emerged. Electronic communications exploded through faxes, cellphones, the Internet, etc. Cryptography came out of the shadows to become an essential technology of the networked world. And computing power increased ten thousand-fold…
Sidebar photo of Bruce Schneier by Joe MacInnis.