<html><head>
<meta NAME="description" CONTENT="Where can I find what I need
to know about computer and internet security?">
<meta NAME="keywords" CONTENT="computer security privacy legal liability
law secure e-commerce Sun Java Java Script Microsoft Internet
Explorer cookies">
<title>
Basic Internet Reference Article used to support
'No Push' technologies and decentralization of
computer networks / databases</title>
</head>
<body>
<h2>
Homeland Insecurity
</h2>
A top expert says America's approach to protecting itself
will only make matters worse. Forget "foolproof"
technology; we need systems designed to fail smartly
<p>
by Charles C. Mann
<p>
To stop the rampant theft of expensive cars,
manufacturers in the 1990s began to make ignitions very
difficult to hot-wire. This reduced the likelihood that cars
would be stolen from parking lots, but apparently
contributed to the sudden appearance of a new and more
dangerous crime, carjacking.
<p>
After a vote against management Vivendi Universal
announced earlier this year that its electronic
shareholder-voting system, which it had adopted to
tabulate votes efficiently and securely, had been broken into
by hackers. Because the new system eliminated the old
paper ballots, recounting the votes, or even independently
verifying that the attack had occurred, was impossible.
<p>
To help merchants verify and protect the identity of their
customers, marketing firms and financial institutions have
created large computerized databases of personal
information: Social Security numbers, credit-card numbers,
telephone numbers, home addresses, and the like. With
these databases being increasingly interconnected by
means of the Internet, they have become irresistible targets
for criminals. From 1995 to 2000 the incidence of identity
theft tripled.
<p>
As was often the case, Bruce Schneier was thinking
about a really terrible idea. We were driving around
the suburban-industrial wasteland south of San
Francisco, on our way to a corporate presentation, while
Schneier looked for something to eat not purveyed by a
chain restaurant. This was important to Schneier, who in
addition to being America's best-known
ex-cryptographer is a food writer for an alternative
newspaper in Minneapolis, where he lives. Initially he had
been sure that in the crazy ethnic salad of Silicon Valley it
would be impossible not to find someplace of culinary
interest: a Libyan burger stop, a Hmong bagelry, a
Szechuan taco stand. But as the rented car swept toward
the vast, amoeboid office complex that was our
destination, his faith slowly crumbled. Bowing to reality,
he parked in front of a nondescript sandwich shop,
disappointment evident on his face.
<p>
Schneier is a slight, busy man with a dark, full, closely
cropped beard. Until a few years ago he was best known
as a prominent creator of codes and ciphers; his book
Applied Cryptography (1993) is a classic in the field. But
despite his success he virtually abandoned cryptography in
1999 and co-founded a company named Counterpane
Internet Security. Counterpane has spent considerable
sums on advanced engineering, but at heart the company
is dedicated to bringing one of the oldest forms of
policing, the cop on the beat, to the digital realm. Aided
by high-tech sensors, human guards at Counterpane
patrol computer networks, helping corporations and
governments to keep their secrets secret. In a world that is
both ever more interconnected and full of malice, this is a
task of considerable difficulty and great importance. It is
also what Schneier long believed cryptography would
do, which brings us back to his terrible idea.
<p>
"Pornography!" he exclaimed. If the rise of the Internet
has shown anything, it is that huge numbers of
middle-class, middle-management types like to look at
dirty pictures on computer screens. A good way to steal
the corporate or government secrets these middle
managers are privy to, Schneier said, would be to set up a
pornographic Web site. The Web site would be free, but
visitors would have to register to download the naughty
bits. Registration would involve creating a password, and
here Schneier's deep-set blue eyes widened mischievously.
<p>
People have trouble with passwords. The idea is to have a
random string of letters, numbers, and symbols that is
easy to remember. Alas, random strings are by their
nature hard to remember, so people use bad but
easy-to-remember passwords, such as "hello" and
"password." (A survey last year of 1,200 British office
workers found that almost half chose their own name, the
name of a pet, or that of a family member as a password;
others based their passwords on the names Darth Vader
and Homer Simpson.) Moreover, computer users can't
keep different passwords straight, so they use the same
bad passwords for all their accounts.
<p>
Many of his corporate porn surfers, Schneier predicted,
would use for the dirty Web site the same password they
used at work. Not only that, many users would surf to the
porn site on the fast Internet connection at the office. The
operators of Schneier's nefarious site would thus learn
that, say, "Joesmith," who accessed the Web site from
Anybusiness.com, used the password "JoeS." By trying to
log on at Anybusiness.com as "Joesmith," they could learn
whether "JoeS" was also the password into Joesmith's
corporate account. Often it would be.
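<p>
The attack just described works because the password a user sets on an untrusted site is the same one the employer's systems accept. An organization cannot see which outside sites its employees register on, but it can refuse, at the moment a password is set, any password already known to circulate in breach corpora, and it can do so without sending the password anywhere. The following Python is an added example, not code from the article, from Schneier, or from Counterpane: it indexes a constructed list of "leaked" credentials by the first five hex digits of their SHA-1 hash and answers range queries over that prefix, the k-anonymity scheme used by public breached-password services, so the client reveals only the prefix and finishes the match locally. The leaked credentials, the twelve-character minimum, and the username-derivation rule are assumptions made for the example.

```python
import hashlib

# Added example (not from the article). The corpus below is constructed for
# illustration and stands in for passwords harvested from a compromised
# third-party site; none of it is real leaked data.
LEAKED_CREDENTIALS = [
    ("Joesmith", "JoeS"),
    ("alice", "hello"),
    ("bob", "password"),
    ("carol", "DarthVader1"),
]


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest public range-query services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(credentials):
    """Server side: bucket leaked password hashes by their 5-hex-digit prefix.
    Only hashes are kept; the plaintexts are never needed again."""
    index = {}
    for _username, pw in credentials:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def range_query(index, prefix):
    """Server side: return every suffix in the bucket. The server learns a
    5-hex-digit prefix (20 bits), not which password the client holds."""
    return frozenset(index.get(prefix.upper(), ()))


def is_exposed(password, index):
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(index, digest[:5])


def check_new_password(username, password, index, min_length=12):
    """Policy check at password-set time. Returns a list of rejection reasons;
    an empty list means the password is acceptable under this (assumed) policy."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    u, p = username.lower(), password.lower()
    # "JoeS" for user "Joesmith": a password that is a chunk of the username.
    if u in p or (len(p) >= 4 and p in u):
        reasons.append("derived from the username")
    if is_exposed(password, index):
        reasons.append("found in a breach corpus")
    return reasons


if __name__ == "__main__":
    index = build_breach_index(LEAKED_CREDENTIALS)
    for user, pw in [("Joesmith", "JoeS"),
                     ("Joesmith", "correct horse battery staple")]:
        print(user, repr(pw), "->", check_new_password(user, pw, index) or ["ok"])
```
<p>
The design point is that the check runs where the plaintext already is. The client hashes the candidate, sends a 20-bit prefix, receives the whole bucket, and compares locally; the service never sees the password and cannot tell which, if any, of the returned suffixes matched. In the parable, "JoeS" would be rejected at Anybusiness.com for all three reasons before it could ever be reused.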
<p>
"In six months you'd be able to break into Fortune 500
companies and government agencies all over the world,"
Schneier said, chewing his nondescript meal. "It would
work! It would work. That's the awful thing."
<p>
During the 1990s Schneier was a field marshal in the
disheveled army of computer geeks, mathematicians,
civil-liberties activists, and libertarian wackos
that, in a series of bitter lawsuits that came to be known
as the Crypto Wars, asserted the right of the U.S.
citizenry to use the cryptographic equivalent of kryptonite:
ciphers so powerful they cannot be broken by any
government, no matter how long and hard it tries. Like his
fellows, he believed that "strong crypto," as these ciphers
are known, would forever guarantee the privacy and
security of information, something that in the Information
Age would be vital to people's lives. "It is insufficient to
protect ourselves with laws," he wrote in Applied
Cryptography. "We need to protect ourselves with
mathematics."
<p>
Schneier's side won the battle as the nineties came to a
close. But by that time he had realized that he was
fighting the wrong war. Crypto was not enough to
guarantee privacy and security. Failures occurred all the
time, which was what Schneier's terrible idea
demonstrated. No matter what kind of technological
safeguards an organization uses, its secrets will never be
safe while its employees are sending their passwords,
however unwittingly, to pornographers, or to anyone else
outside the organization.
<p>
The Parable of the Dirty Web Site illustrates part of what
became the thesis of Schneier's most recent book, Secrets
and Lies (2000): The way people think about security,
especially security on computer networks, is almost
always wrong. All too often planners seek technological
cure-alls, when such security measures at best limit risks
to acceptable levels. In particular, the consequences of
going wrong, and all these systems go wrong
sometimes, are rarely considered. For these reasons
Schneier believes that most of the security measures
envisioned after September 11 will be ineffective, and that
some will make Americans less safe.
<p>
It is now a year since the World Trade Center was
destroyed. Legislators, the law-enforcement community,
and the Bush Administration are embroiled in an essential
debate over the measures necessary to prevent future
attacks. To armor-plate the nation's security they
increasingly look to the most powerful technology
available: retina, iris, and fingerprint scanners; "smart"
driver's licenses and visas that incorporate
anti-counterfeiting chips; digital surveillance of public
places with face-recognition software; huge centralized
databases that use data-mining routines to sniff out
hidden terrorists. Some of these measures have already
been mandated by Congress, and others are in the pipeline.
State and local agencies around the nation are adopting
their own schemes. More mandates and more schemes
will surely follow.
<p>
Schneier is hardly against technology; he's the sort of
person who immediately cases public areas for outlets to
recharge the batteries in his laptop, phone, and other
electronic prostheses. "But if you think technology can
solve your security problems," he says, "then you don't
understand the problems and you don't understand the
technology." Indeed, he regards the national push for a
high-tech salve for security anxieties as a reprise of his
own early and erroneous beliefs about the transforming
power of strong crypto. The new technologies have
enormous capacities, but their advocates have not realized
that the most critical aspect of a security measure is not
how well it works but how well it fails.
<h2>
The Crypto Wars
</h2>
If mathematicians from the 1970s were suddenly
transported through time to the present, they would be
happily surprised by developments such as the proofs to
Kepler's conjecture (proposed in 1611, confirmed in 1998)
and to Fermat's last theorem (1637, 1994). But they
would be absolutely astonished by the RSA Conference,
the world's biggest trade show for cryptographers.
Sponsored by the cryptography firm RSA Security, the
conferences are attended by as many as 10,000
cryptographers, computer scientists, network managers,
and digital-security professionals. What would amaze
past mathematicians is not just the number of conferences
but that they exist at all.
<p>
Sidebar: Why the Maginot Line Failed<br>
"In fact, the Maginot Line, the chain of fortifications on
France's border with Germany, was indicative neither of
despair about defeating Germany nor of thought mired in
the past...."
<p>
Cryptology is a specialized branch of
mathematics with some computer science thrown in. As
recently as the 1970s there were no cryptology courses in
university mathematics or computer-science departments;
nor were there crypto textbooks, crypto journals, or crypto
software. There was no private crypto industry, let alone
venture-capitalized crypto start-ups giving away key
rings at trade shows (crypto key rings: techno-humor).
Cryptography, the practice of cryptology, was the province
of a tiny cadre of obsessed amateurs, the National
Security Agency, and the NSA's counterparts abroad.
Now it is a multibillion-dollar field with applications in
almost every commercial arena.
<p>
As one of the people who helped to bring this change
about, Schneier is always invited to speak at RSA
conferences. Every time, the room is too small, and
overflow crowds, eager to hear their favorite guru, force
the session into a larger venue, which is what happened
when I saw him speak at an RSA conference in San
Francisco's Moscone Center last year. There was applause
from the hundreds of seated cryptophiles when Schneier
mounted the stage, and more applause from the throng
standing in the aisles and exits when he apologized for the
lack of seating capacity. He was there to talk about the
state of computer security, he said. It was as bad as ever,
maybe getting worse.
<p>
In the past security officers were usually terse ex-military
types who wore holsters and brush cuts. But as computers
have become both attackers' chief targets and their chief
weapons, a new generation of security professionals has
emerged, drawn from the ranks of engineering and
computer science. Many of the new guys look like people
the old guard would have wanted to arrest, and Schneier
is no exception. Although he is a co-founder of a
successful company, he sometimes wears scuffed black
shoes and pants with a wavering press line; he gathers his
thinning hair into a straggly ponytail. Ties, for the most
part, are not an issue. Schneier's style marks him as a true
nerd, someone who knows the potential, both good and
bad, of technology, which in our technocentric era is an
asset.
<p>
Schneier was raised in Brooklyn. He got a B.S. in physics
from the University of Rochester in 1985 and an M.S. in
computer science from American University two years
later. Until 1991 he worked for the Department of
Defense, where he did things he won't discuss. Lots of kids
are intrigued by codes and ciphers, but Schneier was
surely one of the few to ask his father, a lawyer and a
judge, to write secret messages for him to analyze. On his
first visit to a voting booth, with his mother, he tried to
figure out how she could cheat and vote twice. He didn't
actually want her to vote twice; he just wanted, as he
says, to "game the system."
<p>
Unsurprisingly, someone so interested in figuring out the
secrets of manipulating the system fell in love with the
systems for manipulating secrets. Schneier's childhood
years, as it happened, were a good time to become
intrigued by cryptography, the best time in history, in fact.
In 1976 two researchers at Stanford University invented
an entirely new type of encryption, public-key encryption,
which abruptly woke up the entire field.
<p>
Public-key encryption is complicated in detail but simple
in outline. All ciphers employ mathematical procedures
called algorithms to transform messages from their
original form into an unreadable jumble. (Cryptographers
work with ciphers and not codes, which are
spy-movie-style lists of prearranged substitutes for
letters, words, or phrases: "meet at the theater" for
"attack at nightfall.") Most ciphers use secret keys:
mathematical values that plug into the algorithm.
Breaking a cipher means figuring out the key. In a kind of
mathematical sleight of hand, public-key encryption
encodes messages with keys that can be published openly
and decodes them with different keys that stay secret and
are effectively impossible to break using today's
technology. (A more complete explanation of public-key
encryption will soon be available on The Atlantic's Web
site, www.theatlantic.com.)
<p>
The best-known public-key algorithm is the RSA
algorithm, whose name comes from the initials of the
three mathematicians who invented it. RSA keys are
built from two very large prime numbers whose product, the
modulus, is published as part of the public key. If the key
is properly chosen, the only known way to derive the private
decoding key from the public one is to factor that modulus
back into its constituent primes, something for which no
mathematician has ever devised an efficient method. (It has
never been proved that no such method exists; RSA's security
rests on the fact that none has been found.)
Even if demented government agents spent a trillion
dollars on custom factoring computers, Schneier has
estimated, the sun would likely go nova before they
cracked a message enciphered with a public key of
sufficient length.
<p>
Schneier and other technophiles grasped early how
important computer networks would become to daily life.
They also understood that those networks were dreadfully
insecure. Strong crypto, in their view, was an answer of
almost magical efficacy. Even federal officials believed
that strong crypto would Change Everything
Forever, except they thought the change would be for the
worse. Strong encryption "jeopardizes the public safety
and national security of this country," Louis Freeh, then
the director of the (famously computer-challenged)
Federal Bureau of Investigation, told Congress in 1995.
"Drug cartels, terrorists, and kidnappers will use
telephones and other communications media with
impunity knowing that their conversations are immune"
from wiretaps.
<p>
The Crypto Wars erupted in 1991, when Washington
attempted to limit the spread of strong crypto. Schneier
testified before Congress against restrictions on
encryption, campaigned for crypto freedom on the
Internet, co-wrote an influential report on the technical
snarls awaiting federal plans to control cryptographic
protocols, and rallied 75,000 crypto fans to the cause in his
free monthly e-mail newsletter, Crypto-Gram. Most
important, he wrote Applied Cryptography, the first-ever
comprehensive guide to the practice of cryptology.
<p>
Washington lost the wars in 1999, when an appellate
court ruled that restrictions on cryptography were unconstitutional,
because crypto algorithms were a form of speech and thus
covered by the First Amendment. After the ruling the FBI
and the NSA more or less surrendered. In the sudden
silence the dazed combatants surveyed the battleground.
Crypto had become widely available, and it had indeed
fallen into unsavory hands. But the results were different
from what either side had expected.
<p>
As the crypto aficionados had envisioned, software
companies inserted crypto into their products. On the
"Tools" menu in Microsoft Outlook, for example,
"encrypt" is an option. And encryption became big
business, as part of the infrastructure for e-commerce; it
is the little padlock that appears in the corner of Net
surfers' browsers when they buy books at Amazon.com,
signifying that credit-card numbers are being enciphered.
But encryption is rarely used by the citizenry it was
supposed to protect and empower. Cryptophiles, Schneier
among them, had been so enraptured by the possibilities of
uncrackable ciphers that they forgot they were living in a
world in which people can't program VCRs. Inescapably,
an encrypted message is harder to send than an
unencrypted one, if only because of the effort involved in
using all the extra software. So few people use encryption
software that most companies have stopped selling it to
individuals.
<p>
Sidebar: The Worm in the Machine<br>
"Buffer overflows (sometimes called stack smashing) are
the most common form of security vulnerability in the last
ten years...."
<p>
Among the few who do use crypto are
human-rights activists living under dictatorships. But,
just as the FBI feared, terrorists, child pornographers, and
the Mafia use it too. Yet crypto has not protected any of
them. As an example, Schneier points to the case of
Nicodemo Scarfo, who the FBI believed was being
groomed to take over a gambling operation in New Jersey.
Agents surreptitiously searched his office in 1999 and
discovered that he was that rarity, a gangster nerd. On his
computer was the long-awaited nightmare for law
enforcement: a crucial document scrambled by strong
encryption software. Rather than sit by, the FBI installed
a "keystroke logger" on Scarfo's machine. The logger
recorded the decrypting key (or, more precisely, the
passphrase Scarfo used to generate that key) as he typed it
in, and gained access to his incriminating files. Scarfo
pleaded guilty to charges of running an illegal gambling
business on February 28 of this year.
<p>
Schneier was not surprised by this demonstration of the
impotence of cryptography. Just after the Crypto Wars
ended, he had begun writing a follow-up to Applied
Cryptography. But this time Schneier, a fluent writer, was
blocked: he couldn't make himself extol strong crypto as a
security panacea. As Schneier put it in Secrets and Lies,
the very different book he eventually did write, he had
been portraying cryptography, in his speeches, in his
congressional testimony, in Applied Cryptography, as "a
kind of magic security dust that [people] could sprinkle
over their software and make it secure." It was not.
Nothing could be. Humiliatingly, Schneier discovered that,
as a friend wrote him, "the world was full of bad security
systems designed by people who read Applied
Cryptography."
<p>
In retrospect he says, "Crypto solved the wrong problem."
Ciphers scramble messages and documents, preventing
them from being read while, say, they are transmitted on
the Internet. But the strongest crypto is gossamer
protection if malevolent people have access to the
computers on the other end. Encrypting transactions on
the Internet, the Purdue computer scientist Eugene
Spafford has remarked, "is the equivalent of arranging an
armored car to deliver credit-card information from
someone living in a cardboard box to someone living on a
park bench."
<p>
To effectively seize control of Scarfo's computer, FBI
agents had to break into his office and physically alter his
machine. Such black-bag jobs are ever less necessary,
because the rise of networks and the Internet means that
computers can be controlled remotely, without their
operators' knowledge. Huge computer databases may be
useful, but they also become tempting targets for criminals
and terrorists. So do home computers, even if they are
connected only intermittently to the Web. Hackers look
for vulnerable machines, using software that scans
thousands of Net connections at once. This vulnerability,
Schneier came to think, is the real security issue.
<p>
With this realization he closed Counterpane Systems, his
five-person crypto-consulting company in Chicago, in
1999. He revamped it and reopened immediately in Silicon
Valley with a new name, Counterpane Internet Security,
and a new idea, one that relied on old-fashioned methods.
Counterpane would still keep data secret. But the lessons
of the Crypto Wars had given Schneier a different vision
of how to do that, a vision that has considerable relevance
for a nation attempting to prevent terrorist crimes.
<p>
Where Schneier had sought one overarching
technical fix, hard experience had taught him the
quest was illusory. Indeed, yielding to the
American penchant for all-in-one high-tech solutions
can make us less safe, especially when it leads to
enormous databases full of confidential information.
Secrecy is important, of course, but it is also a trap. The
more secrets necessary to a security system, the more
vulnerable it becomes.
<p>
To forestall attacks, security systems need to be
small-scale, redundant, and compartmentalized. Rather
than large, sweeping programs, they should be carefully
crafted mosaics, each piece aimed at a specific weakness.
The federal government and the airlines are spending
millions of dollars, Schneier points out, on systems that
screen every passenger to keep knives and weapons out of
planes. But what matters most is keeping dangerous
passengers out of airline cockpits, which can be
accomplished by reinforcing the door. Similarly, it is
seldom necessary to gather large amounts of additional
information, because in modern societies people leave wide
audit trails. The problem is sifting through the already
existing mountain of data. Calls for heavy monitoring and
record-keeping are thus usually a mistake. ("Broad
surveillance is a mark of bad security," Schneier wrote in
a recent Crypto-Gram.)
<p>
To halt attacks once they start, security measures must
avoid being subject to single points of failure. Computer
networks are particularly vulnerable: once hackers bypass
the firewall, the whole system is often open for
exploitation. Because every security measure in every
system can be broken or gotten around, failure must be
incorporated into the design. No single failure should
compromise the normal functioning of the entire system
or, worse, add to the gravity of the initial breach. Finally,
and most important, decisions need to be made by people
at close range, and the responsibility needs to be given
explicitly to people, not computers.
<p>
Unfortunately, there is little evidence that these principles
are playing any role in the debate in the Administration,
Congress, and the media about how to protect the nation.
Indeed, in the argument over policy and principle almost
no one seems to be paying attention to the practicalities of
security-a lapse that Schneier, like other security
professionals, finds as incomprehensible as it is dangerous.
<h2>
Stealing Your Thumb
</h2>
A couple of months after September 11, I flew from
Seattle to Los Angeles to meet Schneier. As I was
checking in at Sea-Tac Airport, someone ran
through the metal detector and disappeared onto the little
subway that runs among the terminals. Although the
authorities quickly identified the miscreant, a concession
stand worker, they still had to empty all the terminals and
re-screen everyone in the airport, including passengers
who had already boarded planes. Masses of unhappy
passengers stretched back hundreds of feet from the
checkpoints. Planes by the dozen sat waiting at the gates. I
called Schneier on a cell phone to report my delay. I had
to shout over the noise of all the other people on their cell
phones making similar calls. "What a mess," Schneier
said. "The problem with airport security, you know, is that
it fails badly."
<p>
For a moment I couldn't make sense of this gnomic
utterance. Then I realized he meant that when something
goes wrong with security, the system should recover well.
In Seattle a single slip-up shut down the entire airport,
which delayed flights across the nation. Sea-Tac,
Schneier told me on the phone, had no adequate way to
contain the damage from a breakdown, such as a button
installed near the x-ray machines to stop the subway, so
that idiots who bolt from checkpoints cannot disappear
into another terminal. The shutdown would inconvenience
subway riders, but not as much as being forced to go
through security again after a wait of several hours. An
even better idea would be to place the x-ray machines at
the departure gates, as some are in Europe, in order to
scan each group of passengers closely and minimize
inconvenience to the whole airport if a risk is detected, or
if a machine or a guard fails.
<p>
Schneier was in Los Angeles for two reasons. He was to
speak to ICANN, the Internet Corporation for Assigned
Names and Numbers, which controls the "domain name
system" of Internet addresses. It is Schneier's belief that
attacks on the address database are the best means of
taking down the Internet. He also wanted to review Ginza
Sushi-Ko, perhaps the nation's most exclusive restaurant,
for the food column he writes with his wife, Karen
Cooper.
<p>
Minutes after my delayed arrival Schneier had with
characteristic celerity packed himself and me into a taxi.
The restaurant was in a shopping mall in Beverly Hills
that was disguised to look like a collection of
nineteenth-century Italian villas. By the time Schneier
strode into the tiny lobby, he had picked up the thread of
our airport discussion. Failing badly, he told me, was
something he had been forced to spend time thinking
about.
<p>
In his technophilic exuberance he had been seduced by the
promise of public-key encryption. But ultimately Schneier
observed that even strong crypto fails badly. When
something bypasses it, as the keystroke logger did with
Nicodemo Scarfo's encryption, it provides no protection at
all. The moral, Schneier came to believe, is that security
measures are characterized less by their manner of success
than by their manner of failure. All security systems
eventually miscarry. But when this happens to the good
ones, they stretch and sag before breaking, each
component failure leaving the whole as unaffected as
possible. Engineers call such failure-tolerant systems
"ductile." One way to capture much of what Schneier told
me is to say that he believes that when possible, security
schemes should be designed to maximize ductility,
whereas they often maximize strength.
<p>
Since September 11 the government has been calling for a
new security infrastructure, one that employs advanced
technology to protect the citizenry and track down
malefactors. Already the USA PATRIOT Act, which
Congress passed in October, mandates the establishment
of a "cross-agency, cross-platform electronic system ... to
confirm the identity" of visa applicants, along with a
"highly secure network" for financial-crime data and
"secure information sharing systems" to link other,
previously separate databases. Pending legislation
demands that the Attorney General employ "technology
including, but not limited to, electronic fingerprinting, face
recognition, and retinal scan technology." The proposed
Department of Homeland Security is intended to oversee a
"national research and development enterprise for
homeland security comparable in emphasis and scope to
that which has supported the national security community
for more than fifty years", a domestic version of the
high-tech R&D juggernaut that produced stealth
bombers, smart weapons, and anti-missile defense.
<p>
Iris, retina, and fingerprint scanners; hand-geometry
assayers; remote video-network surveillance;
face-recognition software; smart cards with custom
identification chips; decompressive baggage checkers that
vacuum-extract minute chemical samples from inside
suitcases; tiny radio implants beneath the skin that
continually broadcast people's identification codes; pulsed
fast-neutron analysis of shipping containers ("so precise,"
according to one manufacturer, "it can determine within
inches the location of the concealed target"); a vast
national network of interconnected databases; the list goes
on and on. In the first five months after the terrorist
attacks the Pentagon liaison office that works with
technology companies received more than 12,000
proposals for high-tech security measures. Credit-card
companies expertly manage credit risks with advanced
information-sorting algorithms, Larry Ellison, the head of
Oracle, the world's biggest database firm, told The New
York Times in April; "We should be managing security
risks in exactly the same way." To "win the war on
terrorism," a former deputy undersecretary of commerce,
David J. Rothkopf, explained in the May/June issue of
Foreign Policy, the nation will need "regiments of
geeks", "pocket-protector brigades" who "will provide the
software, systems, and analytical resources" to "close the
gaps Mohammed Atta and his associates revealed."
<p>
Such ideas have provoked the ire of civil-liberties groups,
which fear that governments, corporations, and the police
will misuse the new technology. Schneier's concerns are
more basic. In his view, these measures can be useful, but
their large-scale application will have little effect against
terrorism. Worse, their use may make Americans less safe,
because many of these tools fail badly; they're "brittle," in
engineering jargon. Meanwhile, simple, effective, ductile
measures are being overlooked or even rejected.
<p>
The distinction between ductile and brittle security
dates back, Schneier has argued, to the
nineteenth-century linguist and cryptographer
Auguste Kerckhoffs, who set down what is now known as
Kerckhoffs's principle. In good crypto systems, Kerckhoffs
wrote, "the system should not depend on secrecy, and it
should be able to fall into the enemy's hands without
disadvantage." In other words, it should permit people to
keep messages secret even if outsiders find out exactly
how the encryption algorithm works.
<p>
At first blush this idea seems ludicrous. But contemporary
cryptography follows Kerckhoffs's principle closely. The
algorithms, the scrambling methods, are openly revealed;
the only secret is the key. Indeed, Schneier says,
Kerckhoffs's principle applies beyond codes and ciphers to
security systems in general: every secret creates a
potential failure point. Secrecy, in other words, is a prime
cause of brittleness, and therefore something likely to
make a system prone to catastrophic collapse. Conversely,
openness provides ductility.
<p>
From this can be drawn several corollaries. One is that
plans to add new layers of secrecy to security systems
should automatically be viewed with suspicion. Another is
that security systems that utterly depend on keeping
secrets tend not to work very well. Alas, airport security is
among these. Procedures for screening passengers, for
examining luggage, for allowing people on the tarmac, for
entering the cockpit, for running the autopilot
software-all must be concealed, and all seriously
compromise the system if they become known. As a result,
Schneier wrote in the May issue of Crypto-Gram,
brittleness "is an inherent property of airline security."
<p>
Few of the new airport-security proposals address this
problem. Instead, Schneier told me in Los Angeles, they
address problems that don't exist. "The idea that to stop
bombings cars have to park three hundred feet away from
the terminal, but meanwhile they can drop off passengers
right up front like they always have ..." He laughed. "The
only ideas I've heard that make any sense are reinforcing
the cockpit door and getting the passengers to fight back."
Both measures test well against Kerckhoffs's principle:
knowing ahead of time that law-abiding passengers may
forcefully resist a hijacking en masse, for example, doesn't
help hijackers to fend off their assault. Both are
small-scale, compartmentalized measures that make the
system more ductile, because no matter how hijackers get
aboard, beefed-up doors and resistant passengers will
make it harder for them to fly into a nuclear plant. And
neither measure has any adverse effect on civil liberties.
<p>
Evaluations of a security proposal's merits, in
Schneier's view, should not be much different from
the ordinary cost-benefit calculations we make in
daily life. The first question to ask of any new security
proposal is, What problem does it solve? The second:
What problems does it cause, especially when it fails?
<h2>
Sidebar:
</h2>
Gummi Fingers<br>
"Tsutomu Matsumoto, a Japanese cryptographer, recently
decided to look at biometric fingerprint devices. These are
security systems that attempt to identify people based on
their fingerprint...."
<p>
Failure comes in many kinds, but two
of the more important are simple failure (the security
measure is ineffective) and what might be called
of the more important are simple failure (the security
measure is ineffective) and what might be called
subtractive failure (the security measure makes people less
secure than before). An example of simple failure is
face-recognition technology. In basic terms,
face-recognition devices photograph people; break down
their features into "facial building elements"; convert
these into numbers that, like fingerprints, uniquely
identify individuals; and compare the results with those
stored in a database. If someone's facial score matches
that of a criminal in the database, the person is detained.
Since September 11 face-recognition technology has been
placed in an increasing number of public spaces: airports,
beaches, nightlife districts. Even visitors to the Statue of
Liberty now have their faces scanned.
<p>
Face-recognition software could be useful. If an airline
employee has to type in an identifying number to enter a
secure area, for example, it can help to confirm that
someone claiming to be that specific employee is indeed
that person. But it cannot pick random terrorists out of
the mob in an airline terminal. That much-larger-scale
task requires comparing many sets of features with the
many other sets of features in a database of people on a
"watch list." Identix, of Minnesota, one of the largest
face-recognition-technology companies, contends that in
independent tests its FaceIt software has a success rate of
99.32 percent-that is, when the software matches a
passenger's face with a face on a list of terrorists, it is
mistaken only 0.68 percent of the time. Assume for the
moment that this claim is credible; assume, too, that good
pictures of suspected terrorists are readily available. About
25 million passengers used Boston's Logan Airport in
2001. Had face-recognition software been used on 25
million faces, it would have wrongly picked out just 0.68
percent of them-but that would have been enough, given
the large number of passengers, to flag as many as 170,000
innocent people as terrorists. With almost 500 false alarms
a day, the face-recognition system would quickly become
something to ignore.
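<p>
The false-alarm arithmetic in the passage above, worked through as an added example (not part of the original article): it reuses the article's figures of a 0.68 percent false-alarm rate and 25 million Logan passengers, and generalizes them to the precision an operator would actually see and to the false-alarm rate a vendor would need to claim before the alarms became manageable. The number of real targets in the crowd is an assumption the article never states.

```python
"""Base-rate arithmetic for a one-to-many watch-list screen.

Added example; not from the article. The article's figures:
a 99.32 percent accuracy claim (0.68 percent false-alarm rate)
and 25 million passengers per year at Boston's Logan Airport.
"""
from dataclasses import dataclass

DAYS_PER_YEAR = 365


@dataclass(frozen=True)
class Screening:
    population: int          # people screened per year
    false_alarm_rate: float  # fraction of innocents wrongly flagged
    hit_rate: float = 1.0    # fraction of real targets caught; 1.0 is most generous
    true_targets: int = 0    # ASSUMED count of real targets in the crowd

    def false_alarms(self) -> int:
        """Innocent people flagged per year."""
        innocents = self.population - self.true_targets
        return round(innocents * self.false_alarm_rate)

    def false_alarms_per_day(self) -> float:
        return self.false_alarms() / DAYS_PER_YEAR

    def true_alarms(self) -> int:
        """Real targets flagged per year."""
        return round(self.true_targets * self.hit_rate)

    def precision(self) -> float:
        """Fraction of alarms that are real: what the screener at the
        gate experiences, as opposed to the vendor's headline accuracy."""
        total = self.true_alarms() + self.false_alarms()
        return self.true_alarms() / total if total else 0.0


def logan_2001() -> Screening:
    """The article's scenario, with no real targets in the crowd."""
    return Screening(population=25_000_000, false_alarm_rate=0.0068)


def logan_2001_with_targets(true_targets: int = 10) -> Screening:
    """Same scenario, with an ASSUMED handful of real targets caught
    every time, to show that precision stays near zero anyway."""
    return Screening(population=25_000_000, false_alarm_rate=0.0068,
                     hit_rate=1.0, true_targets=true_targets)


def required_false_alarm_rate(population: int,
                              max_false_alarms_per_day: float) -> float:
    """False-alarm rate needed so that daily false alarms stay under a
    budget the human screeners can actually investigate."""
    return max_false_alarms_per_day * DAYS_PER_YEAR / population


if __name__ == "__main__":
    s = logan_2001()
    print(f"false alarms per year: {s.false_alarms():,}")
    print(f"false alarms per day:  {s.false_alarms_per_day():.0f}")
    t = logan_2001_with_targets()
    print(f"precision with {t.true_targets} real targets: {t.precision():.6f}")
    r = required_false_alarm_rate(25_000_000, 1.0)
    print(f"rate for one false alarm a day: {r:.2e} "
          f"(accuracy {100 * (1 - r):.4f} percent)")
```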
<p>
The potential for subtractive failure, different and more
troublesome, is raised by recent calls to deploy biometric
identification tools across the nation. Biometrics-"the
only way to prevent identity fraud," according to the
former senator Alan K. Simpson, of Wyoming-identifies
people by precisely measuring their physical
characteristics and matching them up against a database.
The photographs on driver's licenses are an early example,
but engineers have developed many high-tech
alternatives, some of them already mentioned: fingerprint
readers, voiceprint recorders, retina or iris scanners,
face-recognition devices, hand-geometry assayers, even
signature-geometry analyzers, which register pen pressure
and writing speed as well as the appearance of a signature.
<p>
Appealingly, biometrics lets people be their own ID
cards-no more passwords to forget! Unhappily,
biometric measures are often implemented poorly.
This past spring three reporters at c't, a German
digital-culture magazine, tested a face-recognition
system, an iris scanner, and nine fingerprint readers. All
proved easy to outsmart. Even at the highest security
setting, Cognitec's FaceVACS-Logon could be fooled by
showing the sensor a short digital movie of someone
known to the system-the president of a company, say-on
a laptop screen. To beat Panasonic's Authenticam iris
scanner, the German journalists photographed an
authorized user, took the photo and created a detailed,
life-size image of his eyes, cut out the pupils, and held the
image up before their faces like a mask. The scanner read
the iris, detected the presence of a human pupil-and
accepted the imposture. Many of the fingerprint readers
could be tricked simply by breathing on them, reactivating
the last user's fingerprint. Beating the more sophisticated
Identix Bio-Touch fingerprint reader required a trip to a
hobby shop. The journalists used graphite powder to dust
the latent fingerprint-the kind left on glass-of a previous,
authorized user; picked up the image on adhesive tape;
and pressed the tape on the reader. The Identix reader, too,
was fooled. Not all biometric devices are so poorly put
together, of course. But all of them fail badly.
<p>
Consider the legislation introduced in May by
Congressmen Jim Moran and Tom Davis, both of
Virginia, that would mandate biometric data chips in
driver's licenses-a sweeping, nationwide data-collection
program, in essence. (Senator Dick Durbin, of Illinois, is
proposing measures to force states to use a "single
identifying designation unique to the individual on all
driver's licenses"; President George W. Bush has already
signed into law a requirement for biometric student visas.)
Although Moran and Davis tied their proposal to the need
for tighter security after last year's attacks, they also
contended that the nation could combat fraud by using
smart licenses with bank, credit, and Social Security cards,
and for voter registration and airport identification.
Maybe so, Schneier says. "But think about screw-ups,
because the system will screw up."
<p>
Smart cards that store non-biometric data have been
routinely cracked in the past, often with inexpensive
oscilloscope-like devices that detect and interpret the
timing and power fluctuations as the chip operates. An
even cheaper method, announced in May by two
Cambridge security researchers, requires only a bright
light, a standard microscope, and duct tape. Biometric ID
cards are equally vulnerable. Indeed, as a recent National
Research Council study points out, the extra security
supposedly provided by biometric ID cards will raise the
economic incentive to counterfeit or steal them, with
potentially disastrous consequences to the victims. "Okay,
somebody steals your thumbprint," Schneier says.
"Because we've centralized all the functions, the thief can
tap your credit, open your medical records, start your car,
any number of things. Now what do you do? With a credit
card, the bank can issue you a new card with a new
number. But this is your thumb-you can't get a new one."
<p>
The consequences of identity fraud might be offset if
biometric licenses and visas helped to prevent terrorism.
Yet smart cards would not have stopped the terrorists who
attacked the World Trade Center and the Pentagon.
According to the FBI, all the hijackers seem to have been
who they said they were; their intentions, not their
identities, were the issue. Each entered the country with a
valid visa, and each had a photo ID in his real name (some
obtained their IDs fraudulently, but the fakes correctly
identified them). "What problem is being solved here?"
Schneier asks.
<p>
Good security is built in overlapping, cross-checking
layers, to slow down attacks; it reacts limberly to the
unexpected. Its most important components are almost
always human. "Governments have been relying on
intelligent, trained guards for centuries," Schneier says.
"They spot people doing bad things and then use laws to
arrest them. All in all, I have to say, it's not a bad system."
<h2>
The Human Touch
</h2>
One of the first times I met with Schneier was at the
Cato Institute, a libertarian think tank in
Washington, D.C., that had asked him to speak
about security. Afterward I wondered how the Cato
people had reacted to the speech. Libertarians love
cryptography, because they believe that it will let people
keep their secrets forever, no matter what a government
wants. To them, Schneier was a kind of hero, someone
who fought the good fight. As a cryptographer, he had
tremendous street cred: he had developed some of the
world's coolest ciphers, including the first rigorous
encryption algorithm ever published in a best-selling
novel (Cryptonomicon, by Neal Stephenson) and the
encryption for the "virtual box tops" on Kellogg's cereals
(children type a code from the box top into a Web site to
win prizes), and had been one of the finalists in the
competition to write algorithms for the federal
government's new encryption standard, which it adopted
last year. Now, in the nicest possible way, he had just told
the libertarians the bad news: he still loved cryptography
for the intellectual challenge, but it was not all that
relevant to protecting the privacy and security of real
people.
<p>
In security terms, he explained, cryptography is classed as
a protective counter-measure. No such measure can foil
every attack, and all attacks must still be both detected
and responded to. This is particularly true for digital
security, and Schneier spent most of his speech evoking
the staggering insecurity of networked computers.
Countless numbers are broken into every year, including
machines in people's homes. Taking over computers is
simple with the right tools, because software is so often
misconfigured or flawed. In the first five months of this
year, for example, Microsoft released five "critical"
security patches for Internet Explorer, each intended to
rectify lapses in the original code.
<p>
Computer crime statistics are notoriously sketchy, but the
best of a bad lot come from an annual survey of
corporations and other institutions by the FBI and the
Computer Security Institute, a research and training
organization in San Francisco. In the most recent survey,
released in April, 90 percent of the respondents had
detected one or more computer-security breaches within
the previous twelve months-a figure that Schneier calls
"almost certainly an underestimate." His own experience
suggests that a typical corporate network suffers a serious
security breach four to six times a year-more often if the
network is especially large or its operator is politically
controversial.
<p>
Luckily for the victims, this digital mayhem is mostly
wreaked not by the master hackers depicted in Hollywood
techno-thrillers but by "script kiddies"-youths who know
just enough about computers to download and run
automated break-in programs. Twenty-four hours a day,
seven days a week, script kiddies poke and prod at
computer networks, searching for any of the thousands of
known security vulnerabilities that administrators have
not yet patched. A typical corporate network, Schneier
says, is hit by such doorknob-rattling several times an
hour. The great majority of these attacks achieve nothing,
but eventually any existing security holes will be found
and exploited. "It's very hard to communicate how bad the
situation is," Schneier says, "because it doesn't correspond
to our normal intuition of the world. To a first
approximation, bank vaults are secure. Most of them don't
get broken into, because it takes real skill. Computers are
the opposite. Most of them get broken into all the time,
and it takes practically no skill." Indeed, as automated
cracking software improves, it takes ever less knowledge
to mount ever more sophisticated attacks.
<p>
Given the pervasive insecurity of networked computers, it
is striking that nearly every proposal for "homeland
security" entails the creation of large national databases.
The Moran-Davis proposal, like other biometric schemes,
envisions storing smart-card information in one such
database; the USA PATRIOT Act effectively creates
another; the proposed Department of Homeland Security
would "fuse and analyze" information from more than a
hundred agencies, and would "merge under one roof"
scores or hundreds of previously separate databases. (A
representative of the new department told me no one had
a real idea of the number. "It's a lot," he said.) Better
coordination of data could have obvious utility, as was
made clear by recent headlines about the failure of the
FBI and the CIA to communicate. But carefully linking
selected fields of data is different from creating huge
national repositories of information about the citizenry, as
is being proposed. Larry Ellison, the CEO of Oracle, has
dismissed cautions about such databases as whiny cavils
that don't take into account the existence of murderous
adversaries. But murderous adversaries are exactly why
we should ensure that new security measures actually
make American life safer.
<p>
Any new database must be protected, which
automatically entails a new layer of secrecy. As
Kerckhoffs's principle suggests, the new secrecy
introduces a new failure point. Government information is
now scattered through scores of databases; however
inadvertently, it has been compartmentalized-a basic
security practice. (Following this practice, tourists divide
their money between their wallets and hidden pouches;
pickpockets are less likely to steal it all.) Many new
proposals would change that. An example is Attorney
General John Ashcroft's plan, announced in June, to
fingerprint and photograph foreign visitors "who fall into
categories of elevated national security concern" when
they enter the United States ("approximately 100,000"
will be tracked this way in the first year). The fingerprints
and photographs will be compared with those of "known
or suspected terrorists" and "wanted criminals." Alas, no
such database of terrorist fingerprints and photographs
exists. Most terrorists are outside the country, and thus
hard to fingerprint, and latent fingerprints rarely survive
bomb blasts. The databases of "wanted criminals" in
Ashcroft's plan seem to be those maintained by the FBI
and the Immigration and Naturalization Service. But
using them for this purpose would presumably involve
merging computer networks in these two agencies with
the visa procedure in the State Department-a security
nightmare, because no one entity will fully control access
to the system.
<h2>
Sidebar:
</h2>
How Insurance Improves Security<br>
"Eventually, the insurance industry will subsume the
computer security industry...."
<p>
Equivalents of the big,
centralized databases under discussion already exist in the
private sector: corporate warehouses of customer
information, especially credit-card numbers. The record
there is not reassuring. "Millions upon millions of
credit-card numbers have been stolen from computer
networks," Schneier says. So many, in fact, that Schneier
believes that everyone reading this article "has, in his or
her wallet right now, a credit card with a number that has
been stolen," even if no criminal has yet used it. Number
thieves, many of whom operate out of the former Soviet
Union, sell them in bulk: $1,000 for 5,000 credit-card
numbers, or twenty cents apiece. In a way, the sheer
volume of theft is fortunate: so many numbers are floating
around that the odds are small that any one will be
heavily used by bad guys.
<p>
Large-scale federal databases would undergo similar
assaults. The prospect is worrying, given the government's
long-standing reputation for poor information security.
Since September 11 at least forty government networks
have been publicly cracked by typographically challenged
vandals with names like "CriminalS," "S4t4n1c S0uls,"
"cr1m3 0rg4n1z4d0," and "Discordian Dodgers."
Summing up the problem, a House subcommittee last
November awarded federal agencies a collective
computer-security grade of F. According to
representatives of Oracle, the federal government has been
talking with the company about employing its software
for the new central databases. But judging from the past,
involving the private sector will not greatly improve
security. In March, CERT/CC, a computer-security
watchdog based at Carnegie Mellon University, warned of
thirty-eight vulnerabilities in Oracle's database software.
Meanwhile, a centerpiece of the company's international
advertising is the claim that its software is "unbreakable."
Other software vendors fare no better: CERT/CC issues a
constant stream of vulnerability warnings about every
major software firm.
<p>
Schneier, like most security experts I spoke to, does not
oppose consolidating and modernizing federal databases
per se. To avoid creating vast new opportunities for
adversaries, the overhaul should be incremental and
small-scale. Even so, it would need to be planned with
extreme care-something that shows little sign of
happening.
<p>
The key to the success of digital revamping will be a
little-mentioned, even prosaic feature: training the
users not to circumvent secure systems. The federal
government already has several computer
networks-INTELINK, SIPRNET, and NIPRNET among
them-that are fully encrypted, accessible only from secure
rooms and buildings, and never connected to the Internet.
Yet despite their lack of Net access the secure networks
have been infected by e-mail perils such as the Melissa
and I Love You viruses, probably because some official
checked e-mail on a laptop, got infected, and then plugged
the same laptop into the classified network. Because
secure networks are unavoidably harder to work with,
people are frequently tempted to bypass them-one reason
that researchers at weapons labs sometimes transfer their
files to insecure but more convenient machines.
<h2>
Sidebar:
</h2>
Remember Pearl Harbor<br>
"Surprise, when it happens to a government, is likely to be
a complicated, diffuse, bureaucratic thing...."
<p>
Schneier has
long argued that the best way to improve the very bad
situation in computer security is to change software
licenses. If software is blatantly unsafe, owners have no
recourse, because it is licensed rather than bought,
and the licenses forbid litigation. It is unclear whether the
licenses can legally do this (courts currently disagree), but
as a practical matter it is next to impossible to win a
lawsuit against a software firm. If some big software
companies lose product-liability suits, Schneier believes,
their confreres will begin to take security seriously.
<p>
Computer networks are difficult to keep secure in part
because they have so many functions, each of which must
be accounted for. For that reason Schneier and other
experts tend to favor narrowly focused security
measures-more of them physical than digital-that target
a few precisely identified problems. For air travel, along
with reinforcing cockpit doors and teaching passengers to
fight back, examples include armed uniformed-not
plainclothes-guards on select flights; "dead-man"
switches that in the event of a pilot's incapacitation force
planes to land by autopilot at the nearest airport; positive
bag matching (ensuring that luggage does not get on a
plane unless its owner also boards); and separate
decompression facilities that detonate any altitude bombs
in cargo before takeoff. None of these is completely
effective; bag matching, for instance, would not stop
suicide bombers. But all are well tested, known to at least
impede hijackers, not intrusive to passengers, and unlikely
to make planes less secure if they fail.
<h2>
From Atlantic Unbound:
</h2>
Flashbacks: "Pearl Harbor in Retrospect" (May 25, 2001)
Atlantic articles from 1948, 1999, and 1991 look back at
Pearl Harbor from American and Japanese perspectives.
<p>
It is impossible to guard all potential targets, because
anything and everything can be subject to attack.
Palestinian suicide bombers have shown this by murdering
at random the occupants of pool halls and hotel meeting
rooms. Horrible as these incidents are, they do not risk the
lives of thousands of people, as would attacks on critical
parts of the national infrastructure: nuclear-power plants,
hydroelectric dams, reservoirs, gas and chemical facilities.
Here a classic defense is available: tall fences and armed
guards. Yet this past spring the Bush Administration cut
by 93 percent the funds requested by the Energy
Department to bolster security for nuclear weapons and
waste; it denied completely the funds requested by the
Army Corps of Engineers for guarding 200 reservoirs,
dams, and canals, leaving fourteen large public-works
projects with no budget for protection. A recommendation
by the American Association of Port Authorities that the
nation spend a total of $700 million to inspect and control
ship cargo (today less than two percent of container traffic
is inspected) has so far resulted in grants of just $92
million. In all three proposals most of the money would
have been spent on guards and fences.
<p>
The most important element of any security measure,
Schneier argues, is people, not technology-and the people
need to be at the scene. Recall the German journalists
who fooled the fingerprint readers and iris scanners. None
of their tricks would have worked if a reasonably attentive
guard had been watching. Conversely, legitimate
employees with bandaged fingers or scratched corneas will
never make it through security unless a guard at the scene
is authorized to overrule the machinery. Giving guards
increased authority provides more opportunities for abuse,
Schneier says, so the guards must be supervised carefully.
But a system with more people who have more
responsibility "is more robust," he observed in the June
Crypto-Gram, "and the best way to make things work.
(The U.S. Marine Corps understands this principle; it's
the heart of their chain of command rules.)"
<p>
"The trick is to remember that technology can't save you,"
Schneier says. "We know this in our own lives. We realize
that there's no magic anti-burglary dust we can sprinkle
on our cars to prevent them from being stolen. We know
that car alarms don't offer much protection. The Club at
best makes burglars steal the car next to you. For real
safety we park on nice streets where people notice if
somebody smashes the window. Or we park in garages,
where somebody watches the car. In both cases people are
the essential security element. You always build the
system around people."
<h2>
Looking for Trouble
</h2>
After meeting Schneier at the Cato Institute, I drove
with him to the Washington command post of
Counterpane Internet Security. It was the first time
in many months that he had visited either of his
company's two operating centers (the other is in Silicon
Valley). His absence had been due not to inattentiveness
but to his determination to avoid the classic high-tech
mistake of involving the alpha geek in day-to-day
management. Besides, he lives in Minneapolis, and the
company headquarters are in Cupertino, California. (Why
Minneapolis? I asked. "My wife lives there," he said. "It
seemed polite.") With his partner, Tom Rowley,
supervising day-to-day operations, Schneier constantly
travels in Counterpane's behalf, explaining how the
company manages computer security for hundreds of large
and medium-sized companies. It does this mainly by
installing human beings.
<p>
The command post was nondescript even by the bland
architectural standards of exurban office complexes.
Gaining access was like a pop quiz in security: How would
the operations center recognize and admit its boss, who
was there only once or twice a year? In this country
requests for identification are commonly answered with a
driver's license. A few years ago Schneier devoted
considerable effort to persuading the State of Illinois to
issue him a driver's license that showed no picture,
signature, or Social Security number. But Schneier's
license serves as identification just as well as a license
showing a picture and a signature-which is to say, not all
that well. With or without a picture, with or without a
biometric chip, licenses cannot be more than state-issued
cards with people's names on them: good enough for
social purposes, but never enough to assure identification
when it is important. Authentication, Schneier says,
involves something a person knows (a password or a PIN,
say), has (a physical token, such as a driver's license or an
ID bracelet), or is (biometric data). Security systems
should use at least two of these; the Counterpane center
employs all three. At the front door Schneier typed in a
PIN and waved an iButton on his key chain at a sensor
(iButtons, made by Dallas Semiconductor, are
programmable chips embedded in stainless-steel discs
about the size and shape of a camera battery). We entered
a waiting room, where Schneier completed the
identification trinity by placing his palm on a
hand-geometry reader.
<p>
Beyond the
waiting room, after a purposely long corridor studded with
cameras, was a conference room with many electrical
outlets, some of which Schneier commandeered for his cell
phone, laptop, BlackBerry, and battery packs. One side of
the room was a dark glass wall. Schneier flicked a switch,
shifting the light and theatrically revealing the scene
behind the glass. It was a Luddite nightmare: an
auditorium-like space full of desks, each with two
computer monitors; all the desks faced a wall of
high-resolution screens. One displayed streams of data
from the "sentry" machines that Counterpane installs in
its clients' networks. Another displayed images from the
video cameras scattered around both this command post
and the one in Silicon Valley.
<p>
On a visual level the gadgetry overwhelmed the people
sitting at the desks and watching over the data.
Nonetheless, the people were the most important part of
the operation. Networks record so much data about their
usage that overwhelmed managers frequently turn off
most of the logging programs and ignore the others.
Among Counterpane's primary functions is to help
companies make sense of the data they already have. "We
turn the logs back on and monitor them," Schneier says.
Counterpane researchers developed software to measure
activity on client networks, but no software by itself can
determine whether an unusual signal is a meaningless blip
or an indication of trouble. That was the job of the people
at the desks.
<p>
Highly trained and well paid, these people brought to the
task a quality not yet found in any technology: human
judgment, which is at the heart of most good security.
Human beings do make mistakes, of course. But they can
recover from failure in ways that machines and software
cannot. The well-trained mind is ductile. It can
understand surprises and overcome them. It fails well.
<p>
When I asked Schneier why Counterpane had such Darth
Vaderish command centers, he laughed and said it helped
to reassure potential clients that the company had
mastered the technology. I asked if clients ever inquired
how Counterpane trains the guards and analysts in the
command centers. "Not often," he said, although that
training is in fact the center of the whole system. Mixing
long stretches of inactivity with short bursts of frenzy, the
work rhythm of the Counterpane guards would have been
familiar to police officers and firefighters everywhere. As I
watched the guards, they were slurping soft drinks,
listening to techno-death metal, and waiting for
something to go wrong. They were in a protected space,
looking out at a dangerous world. Sentries around
Neolithic campfires did the same thing. Nothing better has
been discovered since. Thinking otherwise, in Schneier's
view, is a really terrible idea.
</body>
</html>