How has your position on computer security changed?
An internationally recognized expert in cryptography, computer security, and
privacy issues, he is the author of six books, including the seminal work
Applied Cryptography and Secrets and Lies: Digital Security in a
Networked World. Schneier is also Chief Technology Officer and co-founder
of Counterpane Internet Security, Inc.
I came to security as a cryptographer, as a mathematician. And in my first
book [Applied Cryptography], I wrote that the mathematics will protect
you, that because cryptography is so powerful, it can provide absolute security
to anybody--not just to governments, but to average people. But I learned
over the years of analyzing systems and building systems that that's just not
true. Mathematics, while it's very strong, isn't enough. Security is a chain.
A chain includes the mathematics, includes the protocols, the software, the
implementation, the user interface, the people. The security of that chain is
only as strong as the weakest link. And cryptography, while an incredibly
strong link, says nothing about all those other links, and those other links
are how you break systems. So I've learned that cryptography isn't enough; it
isn't even a good start. It's necessary, but by no means will it give you
security. . . .
There are lots of examples of problems that cryptography doesn't solve. All
the viruses we've been seeing like the "I Love You" virus . . . and all the attacks against the name system, people hijacking domain names and selling domain names--cryptography can't solve that. Cryptography can't solve the CGI scripting errors that allowed people to break into web sites and steal credit card numbers. . . . These are the major problems we're facing on the internet today . . .
Do you share the view of many people that . . . the people who build
software just haven't taken security issues seriously?
I think it's more fundamental than the people who are building the software not
taking security seriously. I think that software, the internet, has gotten
more and more complex over the years. And complexity is anathema to security.
There are a whole lot of reasons that complex software and complex systems are
harder to secure. And even if you took security seriously, you couldn't do it.
It would take too long, it would cost too much money, and it wouldn't be
cost-effective. You couldn't produce a good product. We love complexity on
the internet. We can play games, we can do cool things, we can have rich
content, we can get audio, video, we can get instant chat. All of these things
that make the internet exciting also make it insecure, and that's not going
away. So it's more fundamental than not taking security seriously, because
there's too much other stuff going on.
Are you saying that, ultimately, the internet can't be secure?
I believe the internet will never be secure. But that's okay. The real world
is an insecure place. Anybody can kill anybody they wanted to. Yet we all live
pretty much happy lives. . . . So the internet will be no more secure than
walking through the streets. But the reason we have security in our daily
lives is not because there's magic technology that renders guns inoperable, but
because we have a legal system, we have societal rules, we have culture that
makes our city safe, and our world safe. And I see the same thing happening on
As a society, are we up to speed on this? We have rules for guns, and rules
for traffic. But are we up to speed on the internet?
I don't think we are. I think the internet is a much more anonymous place.
One of the reasons there seems to be a lot of low-level crime in hacking is
that it's very easy to be anonymous. There isn't low-level mugging in cities,
because you're doing it. It's you. You're there, you can get caught, and you
can get in trouble. The internet is much more anonymous; it's much more
distant. You can do things without fear of reprise. That has to change. We
have to spend more time detecting crime, responding to crime, and prosecuting
crime on the internet, just like we prosecute crime on the streets to make our
cities safe. . . . The real moral is that the internet is no different than
the real world. We just have to take all the things that work in the real
world and move them into the internet. You can't just buy that firewall and
think you're safe. . . .
What is the role of hackers on the internet?
Historically, hackers have played a number of roles--some good, some bad. On
the one hand, hackers find vulnerabilities and point them out, and this results
in improved security. We're sitting in a world where often hackers are the
only ones holding up their hands and saying, "Look, this isn't any good.
You're being sold a bill of goods. This isn't really security." And they
perform a very necessary function doing that.
On the other hand, hackers also write tools to break into systems, which, when
they fall in the wrong hands, cause insecurity. So there's a balance. There's
good hacking and there's bad hacking. . . . And you can use your skills for
good, or you can use them for bad. And this is true for most every other aspect
of society. If you're a demolitions expert, you can blow up bridges for fun,
or you can do it because you're hired. The skill set is the same. Hacking is
a very important skill set in our society, because these are the experts in
how the systems work and how the systems fail. The people who use that
expertise for bad are bad people. People who use that expertise for good are
What are the dangers for the average computer user?
The danger for the average computer user is that someone will hack their
system. Now, most average computer users don't have anything worth stealing.
Right. It's the joke of protecting your house by poverty--there's nothing in
your house worth stealing. Now, on the internet, there are other dangers,
because your computer could be a launching pad for other attacks. So people
might want to break into your computer to use your computer as a site to break
into something further on. These are real dangers, and this happens all the
time. A lot of the denial of service attacks from last February were based on these sorts of launching pads.
What are the economic dangers for the corporate world?
For a corporation, the dangers are very great, and we see it again and again.
We see major web sites that are hacked, and they're brought down for six, eight,
ten hours. This affects their bottom line if they have a revenue model. We
see a company like CD Universe get hacked and have 300,000 credit card numbers
stolen. This greatly affects their credibility, and I don't know if they've
recovered yet from that.
We see companies that are losing proprietary information. The web site for the
television show "Survivor" had the big ending of their series stolen off the
web site. . . . So there are enormous risks out there if you're a business.
On the plus side, all these risks are manageable. None of them are new. None
of them are new for the internet. If you had a storefront, you were worried
about graffiti. You worry about someone breaking into your store and stealing
things. You worry about losing money, you worry about losing credibility. So
the internet is just a new venue for these old risks. . . .
What the internet does have, because the internet has no definition of
place, is that you're suddenly worried about all the criminals in the world.
If you had a store in Toronto, you had to be secure against all the criminals
for whom it's worth their time to drive to your store and break in. But if
you're on the internet, everything is next to you. So you're sitting in
Toronto, and you can have an attacker in Thailand who can very easily attack
your internet store.
So because the internet is global and there's no definition of place, the
number of criminals that you have to worry about goes up. On the other hand,
the number of targets goes up. So if you're in Toronto, those Toronto
criminals have no one else to rob except Toronto stores. But if you're on the
internet, all those criminals have all those other stores to possibly rob.
So, on the one hand there are a lot more possible attackers, but there are
also a lot more possible targets.
If hackers can do all this stuff, what could organized crime do?
I think we have to take organized crime much more seriously than we do hackers.
Organized crime goes where the money is, and the money is moving to the
internet. And if you can go on the internet and steal people's credit card
numbers, and steal identities, and steal phone numbers, and steal products and
money and possibly sell faulty goods, organized crime will move to that.
They're going to move to it as long as it's profitable. And organized crime is
likely to be better funded, better skilled and better organized than lone
criminals, than hackers are. . . . I think organized crime is a big worry,
and I think it's going to get worse, as criminals realize that there's money to
be made on the internet.
What's the difference between computer security products and real world
What's interesting about computer security products is they're often sold in
ways you never see the real world products sold. You never go to a hardware
store and buy a lock for your front door, and the lock says, as a slogan, "This
lock prevents burglaries." You never see that. But in computer security you
see it all the time. "This firewall prevents unauthorized network access.
This encryption product prevents eavesdropping." And that difference is real
important, because it's just not true. A firewall can't prevent unauthorized
access. It can make it harder. It can, like a door lock, provide a measure of
protection for your house. But it can't prevent the attack.
Of course, that will lead to a whole new law of liability.
That's right. It's odd, because you never see this in the real world either,
right. You can imagine a builder of skyscrapers, after skyscraper 1.0 falls
down, saying, "Oh, we're sorry, but the new skyscraper, version 1.1, will stay
up, we promise." Right. That'll never happen, because there are liabilities.
You can't build a skyscraper and have it fall down because you made a mistake.
But in computer security, the vendors have no liability. They could build a
computer security product, have it be completely broken, and there's no
liability. That has to change.
Why is it this way?
It's that way because that's the history of the computer licenses. Originally,
computers and computer software were sold without liabilities. So adding
liabilities is hard.
Is it true that the Microsoft product in particular has been vulnerable to
serious security risks?
Microsoft tends not to pay attention to real security. They pay lip service to
it. But they're being smart. They know that security doesn't matter in the
marketplace. They could take an extra two years and an extra whatever million
dollars, and make sure Windows is secure, but they'll be two years late.
They're much better off as a company putting it out early and grabbing market
share. They know that. They're responding to the marketplace. If automobile
manufacturers could do that, they would, too. If drug companies could do that,
they would, too. A drug company knows it can't just put a product out there.
There are liabilities, there are laws, there are regulations. There aren't any
such regulations in the software industry. So it's much smarter to be insecure
and fast, than be secure and slow.
The internet is built on that model. We've built a system that was never
built to be used in this way, or to be secure in this way.
Sure, and remember that the internet and computers sort of backfed into
business. They were built by academics. They were built for use by computer
geeks. They were not built to run Amazon.com. That happened by accident. So
all this infrastructure which served well in the academic world is failing in
the business world. And that's not a surprise. The internet was never built
as a business system, so why should it be work as a business system?
Can it be retrofitted?
I don't think it can be retrofitted. But I think that's okay. . . .
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2014
WGBH educational foundation