homewho are hackers?the riskswho's responsibleprotecting yourselfinterviews

interview: bruce schneier

An internationally recognized expert in cryptography, computer security, and privacy issues, he is the author of six books, including the seminal work Applied Cryptography and Secrets and Lies: Digital Security in a Networked World. Schneier is also Chief Technology Officer and co-founder of Counterpane Internet Security, Inc.
How has your position on computer security changed?

I came to security as a cryptographer, as a mathematician. And in my first book [Applied Cryptography], I wrote that the mathematics will protect you, that because cryptography is so powerful, it can provide absolute security to anybody--not just to governments, but to average people. But I learned over the years of analyzing systems and building systems that that's just not true. Mathematics, while it's very strong, isn't enough. Security is a chain. A chain includes the mathematics, includes the protocols, the software, the implementation, the user interface, the people. The security of that chain is only as strong as the weakest link. And cryptography, while an incredibly strong link, says nothing about all those other links, and those other links are how you break systems. So I've learned that cryptography isn't enough; it isn't even a good start. It's necessary, but by no means will it give you security. . . .

There are lots of examples of problems that cryptography doesn't solve. All the viruses we've been seeing like the "I Love You" virus . . . and all the attacks against the name system, people hijacking domain names and selling domain names--cryptography can't solve that. Cryptography can't solve the CGI scripting errors that allowed people to break into web sites and steal credit card numbers. . . . These are the major problems we're facing on the internet today . . .

Do you share the view of many people that . . . the people who build software just haven't taken security issues seriously?

I think it's more fundamental than the people who are building the software not taking security seriously. I think that software, the internet, has gotten more and more complex over the years. And complexity is anathema to security. There are a whole lot of reasons that complex software and complex systems are harder to secure. And even if you took security seriously, you couldn't do it. It would take too long, it would cost too much money, and it wouldn't be cost-effective. You couldn't produce a good product. We love complexity on the internet. We can play games, we can do cool things, we can have rich content, we can get audio, video, we can get instant chat. All of these things that make the internet exciting also make it insecure, and that's not going away. So it's more fundamental than not taking security seriously, because there's too much other stuff going on.

Are you saying that, ultimately, the internet can't be secure?

I believe the internet will never be secure. But that's okay. The real world is an insecure place. Anybody can kill anybody they wanted to. Yet we all live pretty much happy lives. . . . So the internet will be no more secure than walking through the streets. But the reason we have security in our daily lives is not because there's magic technology that renders guns inoperable, but because we have a legal system, we have societal rules, we have culture that makes our city safe, and our world safe. And I see the same thing happening on the internet.

You can't build a skyscraper and have it fall down because  you made a mistake.  But in computer security, the vendors have no liability. As a society, are we up to speed on this? We have rules for guns, and rules for traffic. But are we up to speed on the internet?

I don't think we are. I think the internet is a much more anonymous place. One of the reasons there seems to be a lot of low-level crime in hacking is that it's very easy to be anonymous. There isn't low-level mugging in cities, because you're doing it. It's you. You're there, you can get caught, and you can get in trouble. The internet is much more anonymous; it's much more distant. You can do things without fear of reprise. That has to change. We have to spend more time detecting crime, responding to crime, and prosecuting crime on the internet, just like we prosecute crime on the streets to make our cities safe. . . . The real moral is that the internet is no different than the real world. We just have to take all the things that work in the real world and move them into the internet. You can't just buy that firewall and think you're safe. . . .

What is the role of hackers on the internet?

Historically, hackers have played a number of roles--some good, some bad. On the one hand, hackers find vulnerabilities and point them out, and this results in improved security. We're sitting in a world where often hackers are the only ones holding up their hands and saying, "Look, this isn't any good. You're being sold a bill of goods. This isn't really security." And they perform a very necessary function doing that.

On the other hand, hackers also write tools to break into systems, which, when they fall in the wrong hands, cause insecurity. So there's a balance. There's good hacking and there's bad hacking. . . . And you can use your skills for good, or you can use them for bad. And this is true for most every other aspect of society. If you're a demolitions expert, you can blow up bridges for fun, or you can do it because you're hired. The skill set is the same. Hacking is a very important skill set in our society, because these are the experts in how the systems work and how the systems fail. The people who use that expertise for bad are bad people. People who use that expertise for good are good people.

What are the dangers for the average computer user?

The danger for the average computer user is that someone will hack their system. Now, most average computer users don't have anything worth stealing. Right. It's the joke of protecting your house by poverty--there's nothing in your house worth stealing. Now, on the internet, there are other dangers, because your computer could be a launching pad for other attacks. So people might want to break into your computer to use your computer as a site to break into something further on. These are real dangers, and this happens all the time. A lot of the denial of service attacks from last February were based on these sorts of launching pads.

What are the economic dangers for the corporate world?

For a corporation, the dangers are very great, and we see it again and again. We see major web sites that are hacked, and they're brought down for six, eight, ten hours. This affects their bottom line if they have a revenue model. We see a company like CD Universe get hacked and have 300,000 credit card numbers stolen. This greatly affects their credibility, and I don't know if they've recovered yet from that.

We see companies that are losing proprietary information. The web site for the television show "Survivor" had the big ending of their series stolen off the web site. . . . So there are enormous risks out there if you're a business. On the plus side, all these risks are manageable. None of them are new. None of them are new for the internet. If you had a storefront, you were worried about graffiti. You worry about someone breaking into your store and stealing things. You worry about losing money, you worry about losing credibility. So the internet is just a new venue for these old risks. . . .

What the internet does have, because the internet has no definition of place, is that you're suddenly worried about all the criminals in the world. If you had a store in Toronto, you had to be secure against all the criminals for whom it's worth their time to drive to your store and break in. But if you're on the internet, everything is next to you. So you're sitting in Toronto, and you can have an attacker in Thailand who can very easily attack your internet store.

So because the internet is global and there's no definition of place, the number of criminals that you have to worry about goes up. On the other hand, the number of targets goes up. So if you're in Toronto, those Toronto criminals have no one else to rob except Toronto stores. But if you're on the internet, all those criminals have all those other stores to possibly rob. So, on the one hand there are a lot more possible attackers, but there are also a lot more possible targets.

If hackers can do all this stuff, what could organized crime do?

I think we have to take organized crime much more seriously than we do hackers. Organized crime goes where the money is, and the money is moving to the internet. And if you can go on the internet and steal people's credit card numbers, and steal identities, and steal phone numbers, and steal products and money and possibly sell faulty goods, organized crime will move to that. They're going to move to it as long as it's profitable. And organized crime is likely to be better funded, better skilled and better organized than lone criminals, than hackers are. . . . I think organized crime is a big worry, and I think it's going to get worse, as criminals realize that there's money to be made on the internet.

What's the difference between computer security products and real world security products?

What's interesting about computer security products is they're often sold in ways you never see the real world products sold. You never go to a hardware store and buy a lock for your front door, and the lock says, as a slogan, "This lock prevents burglaries." You never see that. But in computer security you see it all the time. "This firewall prevents unauthorized network access. This encryption product prevents eavesdropping." And that difference is real important, because it's just not true. A firewall can't prevent unauthorized access. It can make it harder. It can, like a door lock, provide a measure of protection for your house. But it can't prevent the attack.

Of course, that will lead to a whole new law of liability.

That's right. It's odd, because you never see this in the real world either, right. You can imagine a builder of skyscrapers, after skyscraper 1.0 falls down, saying, "Oh, we're sorry, but the new skyscraper, version 1.1, will stay up, we promise." Right. That'll never happen, because there are liabilities. You can't build a skyscraper and have it fall down because you made a mistake. But in computer security, the vendors have no liability. They could build a computer security product, have it be completely broken, and there's no liability. That has to change.

Why is it this way?

It's that way because that's the history of the computer licenses. Originally, computers and computer software were sold without liabilities. So adding liabilities is hard.

Is it true that the Microsoft product in particular has been vulnerable to serious security risks?

Microsoft tends not to pay attention to real security. They pay lip service to it. But they're being smart. They know that security doesn't matter in the marketplace. They could take an extra two years and an extra whatever million dollars, and make sure Windows is secure, but they'll be two years late. They're much better off as a company putting it out early and grabbing market share. They know that. They're responding to the marketplace. If automobile manufacturers could do that, they would, too. If drug companies could do that, they would, too. A drug company knows it can't just put a product out there. There are liabilities, there are laws, there are regulations. There aren't any such regulations in the software industry. So it's much smarter to be insecure and fast, than be secure and slow.

The internet is built on that model. We've built a system that was never built to be used in this way, or to be secure in this way.

Sure, and remember that the internet and computers sort of backfed into business. They were built by academics. They were built for use by computer geeks. They were not built to run Amazon.com. That happened by accident. So all this infrastructure which served well in the academic world is failing in the business world. And that's not a surprise. The internet was never built as a business system, so why should it be work as a business system?

Can it be retrofitted?

I don't think it can be retrofitted. But I think that's okay. . . .

home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online

some photos copyright ©2001 photodisc
web site copyright 1995-2014 WGBH educational foundation