Ain’t no network strong enough

Master cryptographer Bruce Schneier's "Secrets and Lies" explains why computer security is an oxymoron.


The cloak-and-dagger capers of computer no-goodniks may seem like prime page-turning material, but most books on the subject have all the sex appeal of a VCR manual. The typical tome on digital security is a dreary assemblage of techno-jargon, geared toward the small clique that gets its hardcore jollies from Perl programming. Most laymen are asleep by Page 10, or at least yearning for their dog-eared copy of “Hannibal.”

Bruce Schneier, master cryptographer and idol of the computer underground, targets those short-attention-spanners in his latest book, “Secrets and Lies: Digital Security in a Networked World.” Aiming straight for the vaunted “general audience,” he peppers the 400-plus pages with Yogi Berra quotes, analogies drawn from “Star Wars” and trivia tidbits from Greek mythology. But the folksy wit doesn’t obscure a core message as frighteningly entertaining as Dr. Lecter’s flesh-eating antics: In cyberspace, you’re dead meat on a stick.

“Computer insecurity is inevitable,” he warns. “Networks will be hacked. Fraud will be committed. Money will be lost. People will die.” Indeed, the bulk of “Secrets and Lies” is a harrowing rundown of the myriad pitfalls that plague even the simplest systems. And that nifty new security software your company just bought for a jillion dollars isn’t going to help — if some teenage miscreant really, really wants to deface your Web page with Limp Bizkit lyrics, he’s going to get his way.

As Schneier sees it, the wired universe is plagued with hard-to-fix vulnerabilities. One notable example is buffer overflow bugs, which permit attackers to overwrite memory with their own instructions. Even the planet’s smartest, most diligent coder would be hard-pressed to completely cleanse a program of such holes. “With any piece of modern, large, complex code, there are just too many places where buffer overflows are possible,” Schneier laments. “The larger and more complex the code, the more likely the attack.” As a result, buffer overflows were the most popular attack of the 1990s, the tactic of choice for lightly skilled “script kiddies” bent on easy-to-execute mischief.



“Secrets and Lies” is a mea culpa of sorts. Schneier’s best-known book, “Applied Cryptography,” a geek bible of the ’90s, trumpeted strong encryption as the key to perfect online security — “a mathematical utopia.” Better cryptography, the book claimed, would spell the end of hackable networks and protect even the measliest Hotmail communiqués. “It is insufficient to protect ourselves with laws,” he wrote in that book’s second edition. “We must protect ourselves with mathematics.”

Schneier looks back on his optimistic pronouncements with more than a hint of embarrassment. “I talked about cryptography as if it were The Answer,” he confesses in the preface to “Secrets and Lies.” “I was pretty naive … Readers believed that cryptography was a kind of magic security dust that they could sprinkle over their software and make it secure.”

Stupid idea, Schneier now admits. Computer networks, he has come to believe, are so dauntingly complex that loopholes will always remain. Just as brush clearance teams will never rid the world of wildfires — how could they possibly find every last dried twig? — security professionals can’t head off every attack, no matter how pricey their toys. World-class cryptography is pretty useless, Schneier notes, if the administrator’s password is set to “password.”

Blame human beings, error-prone by definition. Though programmers are often regarded as akin to sorcerers, they are as bungling as any non-gearhead. There are an average of five to 15 bugs in every thousand lines of code, which means that Windows 98 is riddled with somewhere between 90,000 and 270,000 oopsies. Since software vendors cannot be held liable for faulty code, thanks to those licenses they make users agree to, they have zero incentive to create better products — much to the delight of computer criminals, who revel in exploiting bug-ridden programs.

The truly savvy cracker needn’t bother with sophisticated tools if he can trick a corporate lackey into revealing network secrets, a tack known as “social engineering.” By posing as a help-desk employee and sending out forged e-mails, for example, a brazen attacker can cull dozens of passwords in a matter of minutes. People are basically pretty helpful, and they’ll rarely think twice about cheerfully responding to a well-written request.

People are also woefully lazy. Most users instinctively click the “OK” boxes on their PC screens, seemingly indifferent to security hazards. That’s how the love bug made the rounds, causing an estimated $10 billion worth of damage. “If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet,” Schneier writes, “he’s going to choose the dancing pigs over computer security any day.”

Humans can be excused for their foibles. The book’s real spleen is reserved for the various snake oils that are passed off as anti-hacker panaceas. Schneier ably debunks the magic-bullet claims of every class of product. Firewalls? Too easy to fool with forged requests for access. Intrusion detection systems? Too many false alarms. Digital watermarks? Taiwanese software pirates will simply figure out how to delete them. Biometrics? Please — a clever attacker need only steal a digital file containing thumbprint data, and they’ve got instant access to the nation’s goriest secrets.

The outlook offered by “Secrets and Lies” is so grim that readers might be inclined to join an abacus-using Luddite clan in Micronesia, far from anything as elementary as an ATM or Ms. Pac-Man machine. Schneier sympathizes; he admits that depression forced him to cease working on the manuscript for over a year. “I got two-thirds of the way through the book without giving the reader any hope at all,” he writes. “It was about then I realized that I didn’t have the hope to give.”

Fortunately for the reader’s mental health, “Secrets and Lies” does contain a few strains of optimism. Given the inevitability of attacks, “prevention” can no longer be the security buzzword. Just as even the finest hockey goalies must regularly suffer the humiliation of allowing a goal, companies must learn to live with penetrations. Prepare for the worst, Schneier urges. Make sure networks are designed to “fail safe.” Have a recovery plan in place. Track down attackers by collecting and analyzing forensic data. Assess the risks and purchase some insurance.

The solutions are a nice, moderately upbeat touch, but the horror stories are the real draw — “Secrets and Lies” is more thriller than primer. Schneier crafts scary tales that deftly avoid a Chicken Little tone. No, the Internet will not be felled by malicious kiddies and laptop-toting members of Osama bin Laden’s crew. But there are some bad seeds prowling the world’s systems, and they’ve got the upper hand. It’s almost enough to convince you to stop choosing the dancing pigs.

Brendan I. Koerner is a Markle Fellow at the New America Foundation.
