Foil The Hackers? A Security Maven Discusses The Impossible

All you can do, says Bruce Schneier, is try to keep up

In the past two weeks, a new phrase has sprung into popular parlance: distributed denial-of-service attack. It refers to the sinister mode of digital vandalism that crippled several major e-commerce Web sites in the second week of February. The attacks were not taken lightly in Washington, where President Clinton held a high-level meeting with Internet security mavens on Feb. 15.

To shed some light on the nature of these attacks and the magnitude of the threat in the future, BUSINESS WEEK Senior Writer Neil Gross spoke with Bruce Schneier, chief technical officer at Counterpane Internet Security Inc. in San Jose, Calif. Author of the 1994 book Applied Cryptography, which has sold more than 120,000 copies, Schneier has provided security advice to the likes of Microsoft, Hewlett-Packard, Intel, and Merrill Lynch. Here are some of Schneier's thoughts:

Q: What kinds of lessons do you extract from these events?

A: The Net changes the nature of crime. You don't need skills to be an attacker. If you are going to make counterfeit bills or burglarize a building, you need certain abilities. On the Net, you download an attack script and click here. We could be seeing the work of young teenagers with no particular skills or ethics as hackers and no understanding of what they are doing.

The nature of distance has also changed. In the world offline, your house only has to be secure from criminals within driving distance. On the Net, eBay and Yahoo! must be concerned about everyone on the planet. The hackers need not be in America. This is the death of distance: Crime is no longer based on proximity.

Q: These crimes also expand the definition of the victim, right?

A: Yes. But in some ways, you can also think of a distributed attack as an ingenious high-school prank. If there is somebody you really dislike, you can call 100 pizza parlors and ask each one to deliver five pies to your victim. A half-hour later, hundreds of pies show up on his front porch. Here, an attacker breaks into hundreds or thousands of small, unsecured sites and installs a little attack script on the computer. Later, he sends a message to all those computers telling them to run the attack. Those computers are just like the pizza parlors. They're victims, too.

Q: Could the same technique be used to cause more serious damage?

A: Yes. If you have a cable modem and a personal firewall, you can watch programs knocking on the door, maybe every 10 minutes. Lots of those knocks are automatic programs [like those used against Yahoo] trying to get in and run some code. This is all petty vandalism. The worrisome thing is, somebody could run a real attack, in which large sums of money are taken, or maybe it would be something less obvious. We haven't seen that kind of thing, but I'm willing to bet that if it happened, you would never see it or know it was happening.

Q: You have also made the case that the proliferation of cable modems and DSL connections could aggravate the situation. How?

A: In many cases, these devices are always on, always connected. And often, they have a persistent "Internet protocol" address. The IP address is the computer-readable address of your computer on the network. If you use a telephone modem, the address changes each time you log on. If you have an always-on connection, in most cases the address stays the same. The attack programs knock on all doors, and use the ones that work.

Q: What about the new Net appliances, like refrigerators or televisions that are connected to the Net?

A: All these devices have powerful processors in them, and could be used in denial-of-service attacks. If you imagine a world of Net appliances, you could break into everyone's refrigerator and hijack the processors. There's nothing special about the device being a PC. In theory, you can break into 10 million thermostats and do mischief. The Sega Dreamcast [game machine] comes with an IP stack and is Internet-ready. The upcoming Sony PlayStation 2 will be the same.

Q: Is there any defense against distributed denial-of-service attacks?

A: We don't really know how to defend against this kind of thing. All the defenses I've heard of are of the civic hygiene variety--in other words, making sure all computers on the Net are secure. But that isn't possible, technically. Even if you put firewalls around 99.99% of computers--which is very unlikely--malicious programs would sniff out the remainder that weren't secured. That would still be thousands. And thousands would be enough to do damage.

I compare this to wiping out malaria. We don't actually stamp out the disease. The reason there is no malaria in Washington, D.C., is that they have drained all the swamps. But if you are building swampland--meaning buggy software or unsecured PCs--at the rate we are, draining the swamps is impossible.

Q: If personal firewalls don't prevent attacks, what are they really good for?

A: It's the 99.99% problem. A personal firewall will protect you as an individual, and make sure that you are not a launchpad, but it won't drain the swamps.

Q: So software quality is the culprit?

A: We are dealing with the fact that software products are always buggy, and probably always will be. At the same time, systems are too complex to secure. We actually can't test security to the level we need to. We'll see three or four major bugs in each new version of Windows or Explorer or Java. New products are coming out faster and faster, so we keep losing ground. We've been finding and fixing security bugs in past years, but none of those fixes transfers forward. For all these programs, a new version comes out, the new version is more complex, and there are new bugs. We end up taking a big step backwards. And the complacency about bugs makes the problem worse.

Q: What can be done?

A: We have to address the problem in a new way. We don't know how to do it. We can't get around security problems just by building a better firewall. As a personal mantra, I've been saying that security is a process, not a product. What is the very best that you can do, in a world where you can't really make systems secure? You install all the best security, and the next week there will be a new bug that will open a new entry point. The advice is not as simple as "Don't use Microsoft Windows." You cannot avoid Windows or the Web or Java. There is no blanket advisory.

Q: Can law enforcement make a difference?

A: Maybe. Certainly, there is nothing good about the tools used in the attack. They're malicious. The question is whether the authors of these attack tools have any liability. Why is it O.K. to write and publicize a tool that can only do harm? Guns also cause problems, but they can be used in self-defense. These tools can't do anything good.