Ain’t no network strong enough

Master cryptographer Bruce Schneier's "Secrets and Lies" explains why computer security is an oxymoron.

The cloak-and-dagger capers of computer no-goodniks may seem like prime page-turning material, but most books on the subject have all the sex appeal of a VCR manual. The typical tome on digital security is a dreary assemblage of techno-jargon, geared toward the small clique that gets its hardcore jollies from Perl programming. Most laymen are asleep by Page 10, or at least yearning for their dog-eared copy of “Hannibal.”

Bruce Schneier, master cryptographer and idol of the computer underground, targets those short-attention-spanners in his latest book, “Secrets and Lies: Digital Security in a Networked World.” Aiming straight for the vaunted “general audience,” he peppers the 400-plus pages with Yogi Berra quotes, analogies drawn from “Star Wars” and trivia tidbits from Greek mythology. But the folksy wit doesn’t obscure a core message as frighteningly entertaining as Dr. Lecter’s flesh-eating antics: In cyberspace, you’re dead meat on a stick.

“Computer insecurity is inevitable,” he warns. “Networks will be hacked. Fraud will be committed. Money will be lost. People will die.” Indeed, the bulk of “Secrets and Lies” is a harrowing rundown of the myriad pitfalls that plague even the simplest systems. And that nifty new security software your company just bought for a jillion dollars isn’t going to help — if some teenage miscreant really, really wants to deface your Web page with Limp Bizkit lyrics, he’s going to get his way.

As Schneier sees it, the wired universe is plagued with hard-to-fix vulnerabilities. One notable example is buffer overflow bugs, which permit attackers to overwrite memory with their own instructions. Even the planet’s smartest, most diligent coder would be hard-pressed to completely cleanse a program of such holes. “With any piece of modern, large, complex code, there are just too many places where buffer overflows are possible,” Schneier laments. “The larger and more complex the code, the more likely the attack.” As a result, buffer overflows were the most popular attack of the 1990s, the tactic of choice for lightly skilled “script kiddies” bent on easy-to-execute mischief.



“Secrets and Lies” is a mea culpa of sorts. Schneier’s best-known book, “Applied Cryptography,” a geek bible of the ’90s, trumpeted strong encryption as the key to perfect online security — “a mathematical utopia.” Better cryptography, the book claimed, would spell the end of hackable networks and protect even the measliest Hotmail communiqués. “It is insufficient to protect ourselves with laws,” he wrote in that book’s second edition. “We must protect ourselves with mathematics.”

Schneier looks back on his optimistic pronouncements with more than a hint of embarrassment. “I talked about cryptography as if it were The Answer,” he confesses in the preface to “Secrets and Lies.” “I was pretty naive … Readers believed that cryptography was a kind of magic security dust that they could sprinkle over their software and make it secure.”

Stupid idea, Schneier now admits. Computer networks, he has come to believe, are so dauntingly complex that loopholes will always remain. Just as brush clearance teams will never rid the world of wildfires — how could they possibly find every last dried twig? — security professionals can’t head off every attack, no matter how pricey their toys. World-class cryptography is pretty useless, Schneier notes, if the administrator’s password is set to “password.”

Blame human beings, error-prone by definition. Though programmers are often regarded as akin to sorcerers, they are as bungling as any non-gearhead. There are an average of five to 15 bugs in every thousand lines of code, which means that Windows 98 is riddled with somewhere between 90,000 and 270,000 oopsies. Since software vendors cannot be held liable for faulty code, thanks to those licenses they make users agree to, they have zero incentive to create better products — much to the delight of computer criminals, who revel in exploiting bug-ridden programs.

The truly savvy cracker needn’t bother with sophisticated tools if he can trick a corporate lackey into revealing network secrets, a tactic known as “social engineering.” By posing as a help-desk employee and sending out forged e-mails, for example, a brazen attacker can cull dozens of passwords in a matter of minutes. People are basically pretty helpful, and they’ll rarely think twice about cheerfully responding to a well-written request.

People are also woefully lazy. Most users instinctively click the “OK” boxes on their PC screens, seemingly indifferent to security hazards. That’s how the love bug made the rounds, causing an estimated $10 billion worth of damage. “If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet,” Schneier writes, “he’s going to choose the dancing pigs over computer security any day.”

Humans can be excused for their foibles. The book’s real spleen is reserved for the various snake oils that are passed off as anti-hacker panaceas. Schneier ably debunks the magic-bullet claims of every class of product. Firewalls? Too easy to fool with forged requests for access. Intrusion detection systems? Too many false alarms. Digital watermarks? Taiwanese software pirates will simply figure out how to delete them. Biometrics? Please — a clever attacker need only steal a digital file containing thumbprint data, and they’ve got instant access to the nation’s goriest secrets.

The outlook offered by “Secrets and Lies” is so grim that readers might be inclined to join an abacus-using Luddite clan in Micronesia, far from anything as elementary as an ATM or Ms. Pac-Man machine. Schneier sympathizes; he admits that depression forced him to cease working on the manuscript for over a year. “I got two-thirds of the way through the book without giving the reader any hope at all,” he writes. “It was about then I realized that I didn’t have the hope to give.”

Fortunately for the reader’s mental health, “Secrets and Lies” does contain a few strains of optimism. Given the inevitability of attacks, “prevention” can no longer be the security buzzword. Just as even the finest hockey goalies must regularly suffer the humiliation of allowing a goal, companies must learn to live with penetrations. Prepare for the worst, Schneier urges. Make sure networks are designed to “fail safe.” Have a recovery plan in place. Track down attackers by collecting and analyzing forensic data. Assess the risks and purchase some insurance.

The solutions are a nice, moderately upbeat touch, but the horror stories are the real draw — “Secrets and Lies” is more thriller than primer. Schneier crafts scary tales that deftly avoid a Chicken Little tone. No, the Internet will not be felled by malicious kiddies and laptop-toting members of Osama bin Laden’s crew. But there are some bad seeds prowling the world’s systems, and they’ve got the upper hand. It’s almost enough to convince you to stop choosing the dancing pigs.

Brendan I. Koerner is a Markle Fellow at the New America Foundation.
