Dr. Dobb's Journal April 2003
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
Bruce Schneier
1969: Concerned about safety and order at a rock concert at Altamont Speedway in California, the Rolling Stones hire the Hell's Angels motorcycle gang to handle security. The stoned and drunk Angels, whose idea of a fine way to maintain order is to throw full cans of beer and swing pool cues through the crowd, wreak havoc, knock out a member of the band Jefferson Airplane, and eventually kill a young Black man in front of the stage while the Stones are performing "Sympathy for the Devil." Three other people die before the concert is over. The event is widely regarded as the death of '60s idealism.
2000: Concerned that it might miss out on an opportunity to capitalize on the financial community's concerns over security of online transactions, Reuters joins with Equant to form Radianz, the world's largest IP-based network for the global financial services industry. "A Trusted Future for the Financial Community," the Radianz web site promises.
Three years later, they're still wrangling over their own internal security issues. I base this conclusion on the confidential Reuters/Radianz e-mail that arrived unexpectedly in my mailbox one day. I can tell it's confidential because at the bottom it says:
The contents of this e-mail and any attachments contain information that may be confidential. Unless you are the named addressee (or authorized to receive for the named addressee) you may not read, copy, distribute, disclose or otherwise use this information for any purpose. If you have received this transmission in error, please notify the sender immediately by reply e-mail and then delete this message from your system.
I didn't do any such thing, of course. I wouldn't want to embarrass the person who accidentally forwarded this confidential e-mail to a journalist. When lawyers say "you may not," they usually mean "you may, but we're going to do our best to make sure that you don't understand your rights." This is standard legalese. The confidential e-mail goes on to say:
While we make every effort to keep our network free from viruses, you do need to check this e-mail (and any attachments) for viruses, as we take no responsibility for any virus transferred by this e-mail.
Now that's security. The first line of defense in all security operations is the establishment of deniability of responsibility. If the main content of this confidential e-mail were at all interesting, I'd share it with you and we'd have a few laughs at Radianz's expense. But all it talks about is how to handle security incidents in their software. Personally, I think that what they need to address is e-mail security.
2002: Concerned about the deteriorating reputation for security of the software produced by his company, Microsoft cofounder Bill Gates issues his "Trustworthy Computing" edict to all Microsoft staff. This memo signals a fundamental change in company priorities, "from focusing on features to spotlighting security and privacy." Security, Gates tells the Microsofties, is our "highest priority."
Over the next year, the most obvious consequence of the edict is an increase in Microsoft's admonishing of system administrators to install Microsoft patches promptly.
One year later, an Internet worm sets a record by spreading across a huge part of the Internet in about 10 minutes, using servers that aren't secure. Microsoft's own servers, those maintained at Microsoft by Microsoft system administrators, are among those helping the worm do its job. It turns out that Microsoft system administrators have not installed the relevant Microsoft patches issued over a year before. Security analysts give Microsoft an "F" in security.
2003: Concerned over appearing to be soft on terrorism, the U.S. Senate confirms Tom Ridge as the first Secretary of the new Cabinet-level Department of Homeland Security. Ridge's mission is to prevent terrorist attacks within the United States, reduce America's vulnerability to terrorism, and minimize the damage and recover from attacks that do occur.
How long do you think it'll be before the DHS databases are cracked, and all the personal information the DHS has collected on you is made available to terrorists, your neighbors, and junk mailers?
All these stories have the same moral: Be careful whom you entrust to protect your security.
Michael Swaine
editor-at-large
mike@swaine.com