I, Cringely - The Survival of the Nerdiest with Robert X. Cringely

The Pulpit


Weekly Column

That's Where the Money Is: Hold Onto Your Wallet, Because Computer Crime Is Growing Up

By Robert X. Cringely
bob@cringely.com

Several years ago at the very first DefCon hackers' conference in Las Vegas, Dan Farmer sat like a rock star in the back of the meeting room in the old Sands Hotel. Dressed entirely in black leather with shoulder-length flaming red hair, Dan sat trading kisses with two girls while the other speakers droned on. In a culture where nerds speak of women generally as a concept rather than an experience, to see a techie with groupies was a phenomenon. It got even better when Dan finally took his turn at the podium and I learned his position in those days was head of network security for Sun Microsystems. And his message to this room half-filled with young computer criminals and half-filled with Feds trying not to look like Feds was that their efforts were pathetic and boring. Farmer urged them, if they were going to insist on trying to break in to his network, that they at least come up with techniques that were more clever, more deserving of his attention.

This scene has returned to my memory many times since, but especially lately as a new batch of computer criminals seems to be at work. You've seen the stories. Moving on from simple destruction and mayhem, the new game is blackmail. Some smart kid steals a few thousand passwords or credit card numbers, then uses that theft to extort money from ISPs and e-commerce sites. Only it doesn't work. So far as we know, the ISPs and e-commerce people aren't paying up. Or are they? Whether they are or not, I am sure that Farmer would find it boring. I know I do.

Since I have in the past known a few people operating on the shady side of computer law, my take on this extortion racket is that they are trying to create what they believe to be a victimless crime. Of course it isn't victimless at all. The other attraction is the juvenile satisfaction of trumpeting the crime: "I did this to you, now pay up." Professional criminals would rather their crime go undetected. These are not professionals.

What we are seeing, though, is a progression of criminal acts headed in an escalating direction. There will come a time when ego will be put aside and somebody is going to steal some major bucks. And if the FBI or any other organization says it can't be done, well, they are wrong. It will happen.

The point of this column is to give the lay reader a sense of where we currently stand in this war to protect our bytes from being bitten. This is another one of those columns the nerds will see as simplistic and useless, except I pretty much guarantee a close reading will tell most of them something they didn't know before.

So, in a world where money isn't greenbacks anymore but electrons flowing through a global network, where teenagers seem to crack Pentagon computers with impunity, where most of us have no idea at all how any of this is accomplished or how to protect ourselves, is our wealth really secure? What's to keep some kid from stealing our IRAs and Keoghs, our CDs and mutual funds, even our identities? Just how safe is our information and, by implication, our money? Are the ways we do business going to have to change? The bad news says that nothing is secure. With enough effort, every technology that we have to protect the data we call money can be broken. The good news is that it nearly always costs more to gain access to our holdings than those holdings are worth. If it costs $100,000 to steal $10,000, nobody will even bother — or that's the theory.

What keeps you from losing your credit card number to some thief when you buy a book or CD at Amazon.com? This is the key question that dogs the proponents of consumer E-commerce. Forget that we hand the same credit card without hesitation to a waiter who might be a career felon, or give the number over the phone to a salesperson who might be working on a telephone bank in some minimum-security prison. People distrust machines, and they are not at all embarrassed to express that distrust. So what's to keep Amazon.com or someone else from stealing our information?

Beyond simple morality and ethics, there are two things keeping Amazon.com from robbing us blind: Amazon CEO Jeff Bezos wants to remain a billionaire, and our credit-card information is scrambled, or encrypted, before it is sent over the Net. Bezos knows he makes more money by selling books than he could by stealing from his customers, so he doesn't steal. That keeps Amazon honest. Scrambling the credit card information makes an honest person of everyone else who might be in a position to snoop on your shopping session — say, a technician at your Internet service provider. To make sure your credit card numbers remain private, use only Internet merchants that offer secure transactions. Before you push that "send" key, make sure the URL line on your web browser starts with "https," not just "http," or ends with "shtml." These mean your outgoing data is being encrypted.

Before we get too far into data encryption, understand that the single most popular technique for gaining access to online data is called by its proponents, "social engineering." This is strictly non-technical. Social engineering is a crook tricking us into giving him our Internet password or finding it by searching wastebaskets or looking over shoulders. Why bother to bring in the heavy computing firepower to crack a password if people will hand theirs over to someone who claims to be a customer service representative from the Internet service provider? This is why America Online makes such a point of reminding its users that the company will never ask them for their passwords. Social engineering is a greater threat than all the criminal supercomputers in the world.

Nearly all Internet commerce is protected, in whole or in part, by cryptographic software derived from the late-1970s work of three mathematicians at MIT — Ronald Rivest, Adi Shamir, and Leonard Adleman. The Rivest, Shamir, Adleman algorithm, generally known as simply RSA, represents both a method of scrambling a message between two parties in a way that allows the message to be decoded only at its intended destination and a way of identifying the parties to each other.

The patented RSA algorithm comes in several levels of security, defined by the size of prime numbers that are used to generate both the encoding and decoding keys. Nearly all RSA codes use at least 512-bit numbers. (If your browser mentions 40-bit or 128-bit, this is just geekspeak for a complementary technology that works with RSA, trust me.) That's plenty secure for most purposes, though these days many web browsers and serious e-commerce sites have stepped up to 1,024-bit RSA, and the super-paranoid can encode their e-mail messages with 2,048- or even 4,096-bit encryption. More bits means it takes longer to encrypt and decrypt data, but the data is much more secure.

Some forms of encryption are cracked through a brute-force method that simply applies a mathematical test to the zillions of possible solutions until one is found that can decode the target message. RSA requires more sophisticated approaches. Five-hundred-twelve-bit RSA was cracked for the first time last August by 292 computers running on and off for seven months — a total of 35 years of computing time. What is significant about this is that earlier in this decade, the best guess said it would take 50,000 years of computing time to crack 512-bit RSA.
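The two preceding paragraphs describe the security level of RSA in terms of the size of the primes behind the key and note that breaking it means factoring rather than brute force. The following is an added example, not code from the column, that builds a textbook RSA key pair from two small constructed primes (10007 and 10009, chosen for illustration), encrypts and decrypts a number, and then shows that factoring the public modulus hands back the private key, which is exactly why real keys use 512-bit and larger moduli where factoring is the hard part.

```python
# Added example (not from the column): textbook RSA with toy primes, showing
# why the size of the primes sets the security level. The modulus n = p*q is
# public; recovering the private exponent d requires factoring n. With the
# constructed primes below, trial division factors n instantly; at 512 bits
# and above, factoring is the multi-year effort the column describes.
from math import gcd, isqrt

def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for primes p, q; e must be coprime to phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e mod phi (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)

def factor_by_trial_division(n: int):
    """Recover p, q from a toy modulus; hopeless at real key sizes."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")

def recover_private_key(pub):
    """Factor n, then recompute d from e and phi: the whole 'crack' is factoring."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    # Constructed toy primes; real RSA primes are hundreds of digits long.
    pub, priv = rsa_keygen(10007, 10009)
    c = rsa_encrypt(pub, 4242)
    print("n has", pub[0].bit_length(), "bits; decrypts to", rsa_decrypt(priv, c))
    print("private key recovered by factoring n:", recover_private_key(pub) == priv)
```

Raising the primes to hundreds of digits leaves every function above unchanged except `factor_by_trial_division`, which stops finishing; that gap between cheap key generation and expensive factoring is the whole bet the column describes.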

So it would take a massive effort to crack your credit card transaction, and that's only if your transaction could be isolated from the millions of others happening each day. On the face of it, e-commerce looks pretty secure. But there is a dark side to all this, which is the ability to use the Internet itself as a means to gang thousands, even millions, of computers together to attack such a problem, possibly without the computer owners' being aware their machines are being used. Take comfort that such firepower would more likely be applied to cracking some giant interbank money transfer than to gaining access to your Discover card.

To keep our money secure, the trend is toward harder and harder encryption using more bits. In this way, it is still quite easy to remain comfortably ahead of the criminal community. RSA 1,024-bit encryption is still wondrously secure, to say nothing of 2,048 and 4,096. For the spies among us who don't even trust RSA, there are whole new classes of codes based on elliptical mathematical functions that look to be even harder to crack. But just as cracking 512-bit RSA dropped from 50,000 years of computing time to 35 in less than a decade, the real concern among users of cryptography is that a breakthrough — a secret breakthrough — will allow devices to accomplish in seconds what used to take years. Just such a device was described last fall in a now discredited story in The Times of London. The handheld device was supposed to have been invented at Israel's Weizmann Institute of Science and was claimed to crack 512-bit RSA in microseconds.

Such a device is probably decades away, but then cracking 512-bit RSA was supposed to take 50,000 years and turned out not to. There is no way of knowing when a breakthrough in quantum computing or another field will make such a device possible. But I can tell you how to know when it has happened. The inventors of such a device wouldn't be content with stealing credit card numbers or siphoning pennies from checking accounts. These would be big thinkers. They would have the ability to literally take control of the world financial system with their device. So we'd awaken one day to a back-to-the-future moment in which some gargantuan shift of resources would have taken place in a manner that would be difficult or impossible to reverse. These are, after all, only the electronic equivalent of ledger entries we are talking about. And on that fateful morning we would wake to find that Russia was suddenly the economic superpower and that the U.S. was begging for foreign aid.

Now THAT would impress Dan Farmer.
