Secrets and Lies: Digital Security in a Networked World by Bruce Schneier

From Barnes & Noble

The Barnes & Noble Review
Finally in paperback: what may be the world’s most thoughtful guide to computer and network security. Bruce Schneier’s Secrets and Lies is for anyone who needs to address security: businesspeople and technical people alike.

Schneier begins with a paradox: “Even as we learn more about security... we build things with less security.” This book explains why -- and what can (and can’t) be done about it.

The problem starts with systems. They’re complex. They interact. They’re buggy. And they have “emergent” properties their creators never anticipated. The best (if imperfect) response: prevention, detection, and reaction. (Most networks rely primarily on prevention. Not enough.)

Schneier then explains why attacks are becoming more frequent, widespread, automated, and difficult to track. What to do? Working from the premise that technology isn’t nearly everything, he carefully explains today’s key security technologies. Never expected to understand public-key encryption or digital signatures? You finally will.

Today’s most common attacks are covered; so are the best available responses (often far from foolproof). There’s also a brutally realistic chapter on the human side of computer security: how people perceive risks, the futility of asking them to make intelligent security decisions, and the dangers of “social engineering.”

Part III is dedicated to high-level response strategies -- including Schneier’s own “attack trees” technique, the first systematic way to describe threats, countermeasures, and overall security.

Schneier’s updated this edition with a new introduction: “What Has Changed Since 9-11.” Like the rest of this book -- and his many public writings on homeland security -- it’s very much worth reading. Bill Camarda

Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2003 and Upgrading & Fixing Networks for Dummies, Second Edition.

From the Publisher

Bestselling author Bruce Schneier offers his expert guidance on achieving security on a network
Internationally recognized computer security expert Bruce Schneier offers a practical, straightforward guide to achieving security throughout computer networks. Schneier uses his extensive field experience with his own clients to dispel the myths that often mislead IT managers as they try to build secure systems. This practical guide provides readers with a better understanding of why protecting information is harder in the digital world, what they need to know to protect digital information, how to assess business and corporate security needs, and much more.
* Walks the reader through the real choices they have now for digital security and how to pick and choose the right one to meet their business needs
* Explains what cryptography can and can't do in achieving digital security

Electronic Review of Computer Books - Danny Yee

Bruce Schneier begins Secrets and Lies by saying "I have written this book partly to correct a mistake" -- that being the utopian vision of cryptography in his earlier Applied Cryptography. Of the wonders he predicted in that work, he now writes:

"Cryptography can't do any of that.
"... Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers."

Secrets and Lies, then, is a non-technical introduction to the full, messy complexity of digital security. Cryptography is covered, but only as part of the broader picture and without any mathematics at all. The result is broadly accessible, but many of the ideas it explains are misunderstood even by the technically trained, so it is a work that offers something to techs and managers as well as lay readers.

Part 1 is a 70-page overview of digital security which could (and perhaps should) be read by anyone who uses the Net. Schneier surveys the threats, covering not just the full range of criminal attacks but also publicity attacks and attacks using the legal system. He categorizes the attackers, who can include national intelligence organizations and the press as well as terrorists, insiders, lone criminals, and corporate spies. And he looks as the various kinds of security we need, among them privacy, anonymity, integrity, authenticity, and audit.

Part 2 looks at a broad range of security technologies (cryptography and its context, software reliability, secure hardware, identification and authentication, and certificates and credentials) and security domains (computer, networked-computer, and network security), with a final chapter on "the human factor." Schneier provides clear, non-technical explanations of everything from the problems with mobile code to the uses of secure hardware to the limitations of digital certificates. In the process he corrects many common misconceptions about security, including some of the rather misleading statements used in product marketing.

Part 3, on security strategies, covers the management of digital security. Schneier looks at vulnerabilities, attack methodologies, and countermeasures (protection, detection, and response), stressing the importance of threat modelling and risk assessment (including an approach of his own called "attack trees"). He also covers product testing and verification and the future of products. In the final analysis, however, digital security is about risk management: "security is not a product; it's a process."

Fortune

...a jewel box of little surprises you can actually use...a startlingly lively treatise...

Journal

...worth a read...

Business Week

A computer virus shuts down your corporate e-mail for a day. Hackers deface your Web site with pornography. The need to share data with customers and vendors exposes critical corporate information to online theft. With your business ever more dependent on safe use of the Internet, security savvy has become as important as understanding marketing or finance. Such savvy, however, has been hard for non-techie executives to acquire. Books and articles on security generally came in two equally useless varieties: incomprehensible or sensationalized. Remember all those books on how the Y2K bug would end civilization as we knew it? Now, Bruce Schneier, a highly respected security expert, has stepped into the breach with Secrets Lies: Digital Security in a Networked World. The book is of value to anyone whose business depends on safe use of e-mail, the Web, or other networked communications. If that's not yet everybody, it soon will be. Schneier brings strong credentials to the job. His book Applied Cryptography is a classic in the field, and he is one of the creators of the Twofish algorithm, a finalist in the U.S. government's competition for the Advanced Encryption Standard. Schneier serves as chief technology officer of Counterpane Internet Security, which manages computer security for corporations. Although this is a book for the general reader, it's not always easy going. But Secrets Lies requires no prior knowledge of computer or security technology and should be accessible to anyone who is willing to put in a little effort. For example, Schneier explains encryption, essentially a mathematical process, without resorting to a single equation. While Schneier is not an elegantwriter, he has a nice ability to use analogies to make the obscure understandable. The book has two main thrusts. First is Schneier's mantra: "Security is a process, not a product." Anyone who promises you a hacker-proof system or offers to provide "unbreakable" encryption is selling you snake oil. There is simply no way to wave a magic wand over a system to make it -and keep it- secure. Second, Schneier says, getting security right is hard, and small mistakes can be deadly.

Risk Management. Schneier backs his opinions with real-world examples. For instance, Hollywood was terrified of piracy and worked hard on a scheme to encrypt digital videodisks so that only authorized players could read the disks. The encryption would have been hard to break, but hackers didn't have to do it. A design flaw made it easy to steal the decryption keys from the software players supplied with PC's. Similarly, most e-commerce sites use a technology called SSL to protect transaction data from online snoopers. SSL works fine, but some e-tailers left customers' credit card information in files where hackers could swipe it. The last third of the book is most valuable to managers. In it, Schneier discusses the process by which people should assess security vulnerabilities and decide what to do about them. His central point: Computer security is basically risk management. Banks and credit-card companies can tolerate a considerable amount of credit risk and fraud because they know how to anticipate losses and price their services accordingly. That's good, since zero tolerance would put them out of business. Similarly, seeking perfect security would make a system useless because anything worth doing carries some risk. Unfortunately, the art of computer security has not progressed to the point where Underwriters Labs can certify that a firewall can protect you against attack for two hours, as can be done for safes and fire doors. But with the crude tools that are available, managers have to decide what they are trying to protect and how much they are willing to spend, both in cost and convenience, to defend it. This is a business issue, not a technical one, and executives can no longer leave such decisions to techies. That's why Secrets and Lies belongs in every manager's library.

Charles Piller

Secrets and Lies" is well-timed on the heels of an apparently unstoppable wave of security foul-ups, hacks and government surveillance revelations. The best-known attacks—such as the breach of Microsoft's corporate network revealed last week, disruptions of Yahoo, EBay and other top Web sites early this year, and the "Love Bug" virus, which infected millions of computers—made headlines. Paranoids have delighted in recent revelations about "Echelon," the government's once super-secret system for monitoring worldwide voice and data communications, and the FBI's "Carnivore" technology, which sniffs millions of supposedly private e-mail messages.

A burgeoning underground of Internet vandals, network nihilists, data thieves and those who probe vulnerabilities as an intellectual exercise begs a scorecard to distinguish "hackers" from "crackers," "white hats" from "black hats." "Script kiddies"—wannabes who use turnkey hacking tools they find posted on the Web—may be emerging as the biggest threat. Schneier explains the reasons for this grim scenario in simple truths: * In the hacking wars, technology favors offense over defense. * Complexity is the enemy of security, and the Internet is the mother of all complex systems. * Software is buggy. Experts suggest that every 1,000 lines of computer programming code contains between five and 15 mistakes, some of which inevitably open security holes. Consider that Windows 2000 shipped with some 63,000 known bugs and incompatibilities. * People are often foolish. Early this month the National Institute of Standards and Technology adopted an encryption algorithm (a mathematical formula used to scramble digital data that itsaid would take more than 149 trillion years to crack. Then again, if you use your name or the word "password" as a decoding key—typical among lazy computer users—a neophyte hacker would need about five minutes.

Any security scheme can and will be subverted. Little wonder that software licensing agreements specifically disclaim responsibility for the product working as advertised. It's not hard to imagine why security software developers would be short on confidence—their products are nearly always developed in a vacuum.

"A common joke from my college physics class was to 'assume a spherical cow of uniform density,' " Schneier writes. "We could only make calculations on idealized systems; the real world was much too complicated for the theory. Digital system security is the same way"—probably reliable in the lab, always vulnerable in the wild. Part of the problem is that conventional thinking about Internet security is drawn from the physical world, where some kinds of security are "good enough."

"If you had a great scam to pick someone's pocket, but it only worked once every hundred thousand tries, you'd starve before you robbed anyone," Schneier writes. "In cyberspace, you can set your computer to look for the one-in-a-hundred-thousand chance. You'd probably find a couple dozen every day. —'Lies' Propagates One Truth: No One Can Get a Lock on Net Security Los Angeles Times by Charles Piller <%AUTHOR%> individuals,A big part of the solution, he writes, is to recognize that "security is a process, not a product." Virus-protection software and "firewalls" designed to guard private networks can be effective only as part of a comprehensive strategy about security. This means that network users—as individuals or employees—must understand their role in protecting information—instead of naively relying on software tools to work without human vigilance.

So how to reach people with this geeky material? Schneier, founder of Counterpane Internet Security Inc. in San Jose, peppers the book with lively anecdotes and aphorisms, making it unusually accessible. But I still wouldn't have judged it suitable for the average reader. So I wasstonished to find "Secrets and Lies" recently ranked 68th on Amazon.com's sales list. Unless all the buyers are hackers, that's a hopeful sign. So take Schneier's good advice, but don't panic: Like security, fear-mongering is a process. Exploiting that fear has become a growth industry. Hundreds of security companies shamelessly hype every new virus or hacking to pump up business. Consider that while it's theoretically possible to bring down much of the Internet with a single orchestrated hack, the most damaging episodes so far have affected only a few sites out of millions. The worst ones, such as Love Bug, though genuinely harmful, fade in a couple of weeks.

Dopey business plans are a bigger threat to the "dot-com" world,and the sale of personal data by marketers a bigger threat to individuals, than hackers will ever be.

Anne Fisher

Think You're Safe Online? Think Again! Let's assume for a moment that you are not a techie or a hacker. You're browsing in a bookstore and happen to pick up a copy of Secrets and Lies: Digital Security in a Networked World (John Wiley Sons, $29.99. As you idly flip through it, all you see are dense paragraphs on arcana: the role of symmetric algorithms in encryption systems, the relative merits of code signing and access control at the interfaces, and what a one-way hash function does. Whoa! This is way over your head, you think, as you sheepishly put the book down and look for the latest Grisham thriller.

Not so fast. Despite big chunks of esoteric techspeak, Secrets and Lies is a thriller of subtler sort. Author Bruce Schneier, chief technology officer at counterpane Internet Security in San Jose, wrote a 1994 book called Applied Cryptography that became the bible of the field. Since then, while consulting for clients like Hewlett-Packard, Intel, and Merrill Lynch, he has done some deep and imaginative thinking on whether digital security is in fact an oxymoron. —p. 304 <%AUTHOR%> network,As he says in the preface, if you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. The result is a startlingly lively treatise on, among many other things, why our basic decency, trust, and willingness to help others will always allow "social engineers" (a hacker term for con artists to leapfrog even the most elaborate firewall. There are, however, ways to minimize the damage, which Schneier spells out in user-friendly language, with lots of colorful asides: In a discussion of page-jacking, hementions that the dial telephone was invented in 1887 by a Kansas City funeral director named Almon Strowger, who suspected that operators were routing his phone calls to rival undertakers. —Fortune Magazine

Overload

I think you owe it to yourself to take the time to read this book" "Highly recommended to all.

PC Magazine

FOR YOUR EYES ONLY? I regard privacy as a special instance of security. It's information security on the personal level: Your phone number. Your purchasing habits. Your bookmarked Web sites. Your credit card numbers. Your e-mail address. Your bank account number. Your vices. Your IP address. We have different levels of sensitivity. My phone number is listed; perhaps yours isn't. I shop online with credit cards; maybe you don't. You browse without much thought to where you've been; I purge cookies and anonymize.

Virtually all e-commerce sites collect as much data on users as they can in order to amass demographic and psychographic profiles. This helps them personalize your on-line experience. In theory, it costs them less to sell more, and we should all benefit. But when private information becomes a corporate asset to be bought, bartered, and sold, as it recently did with Amazon.com's revised privacy policy, we have to pay attention to the ramifications.

Schneier's book will give you a firm foundation in what it takes to establish and maintain network security, but you should also think afresh about personal security.

Computer Weekly

Setting himself apart, Schneier navigates rough terrain without being overly technical or sensational...

Bookseller

...a pragmatic, stimulating and rather readable guide...

Computing

The great thing about the book - the thing that makes it an essential read - is that Schneier is an excellent teacher. .... At times the book is even funny, which makes even technical chapters an easy read...

UNIX NT

Bruce Schneier's book is a common-sense, practical guide..."( Computing, 22nd March 2001"As a thoughtful read, prior to planning or reviewing your business's security strategy, you could not do better...

Forbes Magazine

Attack Defense Laymen have no idea just how hard maintaining security really is. For a more readable but rather depressing look at just how tough it can be, read Secrets and Lies: Digital Security in a Networked World (Wiley, $30, in which cryptographer and security consultant Bruce Schneier minces no words in describing the many ways computer systems can be compromised. The problem, it turns out, is as much human as technological. System managers often fail to install important security fixes. Users don't like systems that get in their way - like having to use passwords that are hard to remember. Miscreants may find it simpler to ask or pay someone for a password or trick them into divulging it rather than using sophisticated technical means. It can happen to you.

And you can minimize the risk. When it comes to security software, says Schneier, "Testing for all possible weaknesses is impossible." But he adds that "mediocre security now is better than perfect security never."

So keep that antivirus software updated, follow the other suggestions I offered in our June 12 issue and get yourself a firewall. I can't pretend to be able to test all the ins and outs of firewall software - Schneier makes it clear what a daunting task that is - but Zone-Alarm from Zone Labs seems to do a good job not just of fending off outsiders but also of warning you when the kind of malware that apparently bit Microsoft attempts to make mischief via the Net from inside your machine. It's free for personal and nonprofit users, $40 or less per machine for others.

Like other firewalls, ZoneAlarm will force you to make some decisions about permission that you are probably ill-equipped to make. Buteven if you get a few of those calls wrong, it's better than perfect security never.

Daintry Duffy

Bruce Schneier's latest book on security is a rare achievement, as it takes a highly technical and often deadly dull topic and creates a surprisingly acessible and often fascinating read for even the least techy exec. "Secrets and Lies" lays out the current landscape of network security- from the challenges presented by hackers and viruses to the often ineffectual state of corporate security systems. Schneier offers enough gritty history, cautionary tales, and colorful explanations to keep readers engrossed, whether they're new to the security field or seasoned professionals. In addition, he has managed to pepper his text (especially the latter sections with plenty of useful tips and advice that can help companies battle their way through the dangerous and often confusing task of securing their most valued assets. —CIO Magazine

Computer Bulletin

...essential reading for security practitioners...

Computer Business Review

...provides a timely debunking of myths...an invaluable reference point.

E-business

...a good read...The book is interesting [and] educational...

EuroBusiness

This book is a must for any business person with a stake in e-commerce.

Managing Information Strategies

[It's] written like a thriller (and a good one at that...

QSDG

Anyone who does business online should buy this book and read it carefully.

Supply Management

The book is an impressive 'how to think' like a hacker.

MacFormat

Schneier writes with a pleasingly readable style.

Booknews

Information security expert Schneier tells businesses what they need to know to protect themselves from the risks of the wired world. He examines many aspects of networked society, from the reasons for technical insecurities to what's in the minds of hackers who engineer viruses and other malicious attacks. He provides practical advice about the capabilities and limitations of security technologies and products as well as how to recognize and manage vulnerabilities and protect data. Schneier is also the author of . Annotation c. Book News, Inc., Portland, OR (booknews.com)

The Standard

In April 1999, Bruce Schneier, mathematician, digital security expert and unlikely hacker-scene hero, had an epiphany. It prodded him to reorganize his company, Counterpane Internet Security, and altered his view of securing computer systems. The fruits of that thinking also make up the bulk of his engaging and exhaustive new book, Secrets and Lies: Digital Security in a Networked World.

Schneier, the creator of two widely used data-scrambling formulas and author of the definitive Applied Cryptography, realized that he and his colleagues were trained to view security as a hopeless prophylactic, a passive approach that relies too heavily on complex technologies to keep hackers and criminals out. "Too many system designers think about security design as a cookbook thing," writes Schneier. Add a firewall and a pinch of encryption, and eventually you'll have a secure system.

He concluded that technology, no matter how complex, can't solve all our problems. "Security is rooted in the physical world. The physical world is not logical. It is not orderly," he explains. "People don't play along. They do the unexpected; they break the rules."

In a land of rule-breakers, rules-based systems are not especially useful. Instead of building the digital equivalent of a Maginot Line, Schneier argues, it is far more effective to think of security as an ongoing process of "risk management" that includes not just protection, but also detection and reaction mechanisms.

Secrets and Lies, then, isn't so much a "how-to" as a "how-to-think" - a philosophical road map in which Schneier guides the reader along the same path that brought about his new thinking. With the single-minded discipline of a programmer, Schneier spends almost two-thirds of the 400-page book getting to know the mind of the enemy; surveying the methods hackers employ to break into systems, from automated programs to the person-to-person con games known as "social engineering."

The aim in mastering such arcana, according to Schneier, is "threat modeling," which is his way of teaching readers to think like the most methodic of thieves. Schneier provides a series of cognitive exercises designed to get crime-inspiring synapses firing. How might one rig an election or hack a stored-value smartcard without getting caught, for instance?

In one exhaustive deconstruction, Schneier walks readers through the process of getting free pancakes: "We can eat and run. We can pay with a fake credit card, a fake check or counterfeit cash. We can persuade another patron to leave the restaurant without eating and eat his food. We can impersonate (or actually become) a cook, a waiter or the restaurant owner ..." Schneier goes so far as to diagram these threat models - to near-comic effect - with what he calls "attack trees." With such deep knowledge of one's potential security flaws in hand, managers can far more effectively secure their systems.

Schneier is the right person to popularize these views. His prose is lively and his work is informed by current headlines about the I Love You virus, obscure historical facts about Germany's World War II "Enigma" data-scrambling device and ancient myth. (How did Zeus sneak into Danae's supposedly impenetrable bronze chamber? He turned himself into gold dust and showered down into Danae's lap through a hole in the roof.)

In the wake of this year's denial-of-service attacks on major Web sites, Schneier's book joins a host of other popular works on digital security - most notably Winn Schwartau's Cybershock. Setting himself apart, Schneier navigates rough terrain without being overly technical or sensational - two common pitfalls of writers who take on cybercrime and security. All this helps to explain Schneier's long-standing cult-hero status, even - indeed especially - among his esteemed hacker adversaries.

Business Week

"The book is of value to anyone whose business depends on safe use of e-mail, the Web, or other networked communications. If that's not yet everybody, it soon will be."
--Business Week

Business 2.0

Secrets is a comprehensive, well-written work on a topic few business leaders can afford to neglect.
--Business 2.0

Fortune - Anne Fisher

Despite big chunks of esoteric techspeak, Secrets and Lies is a thriller of a subtler sort.

Product Details

• Table of Contents
• Forewords & Introductions
• Read an Excerpt
• Read a Sample Chapter

Table of Contents

Forewords & Introductions

Seven years ago I wrote another book: Applied Cryptography. In it, I described a mathematical utopia: algorithms that would keep your deepest secrets safe for millennia, protocols that could perform the most fantastical electronic interactions-unregulated gambling, undetectable authentication, anonymous cash-safely and securely. In my vision cryptography was the great technological equalizer; anyone with a cheap (and getting cheaper every year) computer could have the same security as the largest government. In the second edition of the same book, written two years later, I went so far as to write: "It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics."

It's just not true. Cryptography can't do any of that.

It's not that cryptography has gotten weaker since 1994, or that the things I described in that book are no longer true; it's that cryptography doesn't exist in a vacuum.

Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers.

Mathematics is perfect; reality is subjective. Mathematics is defined; computers are ornery. Mathematics is logical; people are erratic, capricious, and barely comprehensible.

The error of Applied Cryptography is that I didn't talk at all about the context. I talked about cryptography as if it were The Answer. I was pretty naive.

Theresult wasn't pretty. Readers believed that cryptography was a kind of magic security dust that they could sprinkle over their software and make it secure. That they could invoke magic spells like "128-bit key" and "public-key infrastructure." A colleague once told me that the world was full of bad security systems designed by people who read Applied Cryptography.

Since writing the book, I have made a living as a cryptography consultant: designing and analyzing security systems. To my initial surprise, I found that the weak points had nothing to do with the mathematics. They were in the hardware, the software, the networks, and the people. Beautiful pieces of mathematics were made irrelevant through bad programming, a lousy operating system, or someone's bad password choice. I learned to look beyond the cryptography, at the entire system, to find weaknesses. I started repeating a couple of sentiments you'll find throughout this book: "Security is a chain; it's only as secure as the weakest link." "Security is a process, not a product."

Any real-world system is a complicated series of interconnections. Security must permeate the system: its components and connections. And in this book I argue that modern systems have so many components and connections-some of them not even known by the systems' designers, implementers, or users-that insecurities always remain. No system is perfect; no technology is The Answer.

This is obvious to anyone involved in real-world security. In the real world, security involves processes. It involves preventative technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process. And if we're ever going to make our digital systems secure, we're going to have to start building processes.

A few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.

This book is about those security problems, the limitations of technology, and the solutions.

Read this book in order, from beginning to end.

No, really. Many technical books are meant to skim, bounce around in, and use as a reference. This book isn't. This book has a plot; it tells a story. And like any good story, it makes less sense telling it out of order. The chapters build on each other, and you won't buy the ending if you haven't come along on the journey.

Actually, I want you to read the book through once, and then read it through a second time. This book argues that in order to understand the security of a system, you need to look at the entire system-and not at any particular technologies. Security itself is an interconnected system, and it helps to have cursory knowledge of everything before learning more about anything. But two readings is probably too much to ask; forget I mentioned it.

This book has three parts. Part 1 is "The Landscape," and gives context to the rest of the book: who the attackers are, what they want, and what we need to deal with the threats. Part 2 is "Technologies," basically a bunch of chapters describing different security technologies and their limitations. Part 3 is "Strategies": Given the requirements of the landscape and the limitations of the technologies, what do we do now?

I think digital security is about the coolest thing you can work on today, and this book reflects that feeling. It's serious, but fun, too. Enjoy the read.

Read an Excerpt

Chapter 1: Introduction

Someone broke into the business-to-business Web site for SalesGate.com and stole about 3,000 customer records, including credit card numbers and other personal information. He posted some of them on the Internet.

For years, personal information has "leaked" from Web sites (such as Intuit) to advertisers (such as DoubleClick). When visitors used various financial calculators on the Intuit site, a design glitch in the Web site's programming allowed information they entered to be sent to DoubleClick. This happened without the users' knowledge or consent, and (more surprising) without Intuit's knowledge or consent.

Convicted criminal hacker Kevin Mitnick testified before Congress. He told them that social engineering is a major security vulnerability: He can often get passwords and other secrets just by pretending to be someone else and asking. A Gallup poll showed that a third of online consumers said that they might be less likely to make a purchase from a Web site, in light of recent computer-security events. Personal data from customers who ordered the P1ayStation 2 from the Sony Web site were accidentally leaked to some other customers. (This is actually a rampant problem on all sorts of sites. People try to check out, only to be presented with the information of another random Web customer.)

Amazon.com pays commissions to third-party Web sites for referrals. Someone found a way to subvert the program that manages this, enabling anyone to channel information to whomever. It is unclear whether Amazon considers this a problem. The CIA director denied that the United States engages in economic espionage, but did not go on to deny the existence of the massive intelligence-gathering system called ECHELON.

Pierre-Guy Lavoie, 22, was convicted in Quebec of breaking into several Canadian and U.S. government computers. He will serve 12 months in prison.

Japan's Defense Agency delayed deployment of a new defense computer system after it discovered that the software had been developed by the members of the Aum Shinrikyo cult.

A new e-mail worm, called Pretty Park, spread across the Internet. It's a minor modification of one that appeared last year. It spreads automatically, by sending itself to all the addresses listed in a user's Outlook Express program.

Novell and Microsoft continued to exchange barbs about an alleged security bug with Windows 2000's Active Directory. Whether or not this is a real problem depends on what kind of security properties you expect from your directory. (I believe it's a design flaw in Windows, and not a bug.)

Two people in Sicily (Giuseppe Russo and his wife, Sandra Elazar) were arrested after stealing about 1,000 U.S. credit card numbers on the Internet and using them to purchase luxury goods and lottery tickets.

A hacker (actually a bored teenager) known as "Coolio" denied launching massive denial-of-service attacks in February 2000. He admitted to hacking into about 100 sites in the past, including cryptography company RSA Security and a site belonging to the US. State Department.

Attackers launched a denial-of-service attack against Microsoft's Israeli Web site. Jonathan Bosanac, a.k.a. "The Gatsby," was sentenced to 18 months in prison for hacking into three telephone company sites...

Read a Sample Chapter

So who is threatening the digital world anyway? Hackers? Criminals? Child pornographers? Governments? The adversaries are the same as they are in the physical world: common criminals looking for financial gain, industrial spies looking for a competitive advantage, hackers looking for secret knowledge, military-intelligence agencies looking for, well, military intelligence. People haven't changed; it's just that cyberspace is a new place to ply their trades.

We can categorize adversaries in several ways: objectives, access, resources, expertise, and risk.

Adversaries have varying objectives: raw damage, financial gain, information, and so on. This is important. The objectives of an industrial spy are different from the objectives of an organized-crime syndicate, and the countermeasures that stop the former might not even faze the latter. Understanding the objectives of likely attackers is the first step toward figuring out what countermeasures are going to be effective.

Adversaries have different levels of access; for example, an insider has much more access than someone outside the organization. Adversaries also have access to different levels of resources: some are well funded; others operate on a shoestring. Some have considerable technical expertise; others have none.

Different adversaries are willing to tolerate different levels of risk. Terrorists are often happy to die for their cause. Criminals are willing to risk jail time, but probably don't want to sacrifice themselves to the higher calling of bank robbery. Publicity seekers don't want to go to jail.

A wealthy adversary is the most flexible, since he can trade his resources for other things. He can gain access by paying off an insider, and expertise by buying technology or hiring experts (maybe telling them the truth, maybe hiring them under false pretenses). He can also trade money for risk by executing a more sophisticated--and therefore more expensive--attack.

The rational adversary--not all adversaries are sane, but most are rational within their frames of reference--will choose an attack that gives him a good return on investment, considering his budget constraints: expertise, access, manpower, time, and risk. Some attacks require a lot of access but not much expertise: a car bomb, for example. Some attacks require a lot of expertise but no access: breaking an encryption algorithm, for example. Each adversary is going to have set of attacks that is affordable to him, and a set of attacks that isn't. If the adversary is paying attention, he will choose the attack that minimizes his cost and maximizes his benefits.

HACKERS

The word hacker has several definitions, ranging from a corporate system administrator adept enough to figure out how computers really work to an ethically inept teenage criminal who cackles like Beavis and Butthead as he trashes your network. The word has been co-opted by the media and stripped of its meaning. It used to be a compliment; then it became an insult. Lately, people seem to like "cracker" for the bad guys, and "hacker" for the good guys. I define a hacker as an individual who experiments with the limitations of systems for intellectual curiosity or sheer pleasure; the word describes a person with a particular set of skills and not a particular set of morals. There are good hackers and bad hackers, just as there are good plumbers and bad plumbers. (There are also good bad hackers, and bad good hackers . . . but never mind that.)

Hackers are as old as curiosity, although the term itself is modern. Galileo was a hacker. Mme. Curie was one, too. Aristotle wasn't. (Aristotle had some theoretical proof that women had fewer teeth than men. A hacker would have simply counted his wife s teeth. A good hacker would have counted his wife s teeth without her knowing about it, while she was asleep. A good bad hacker might remove some of them, just to prove a point.)

When I was in college, I knew a group similar to hackers: the key freaks. They wanted access, and their goal was to have key to every lock on campus. They would study lockpicking and learn new techniques, trade maps of the steam tunnels and where they led, and exchange copies of keys with each other. A locked door was a challenge, a personal affront to their ability. These people weren't out to do damage--stealing stuff wasn t their objective--although they certainly could have. Their hobby was the power to go anywhere they wanted to.

Remember the phone phreaks of yesteryear, the ones who could whistle into payphones and make free phone calls. Sure, they stole phone service. But it wasn't like they needed to make eight-hour calls to Manila or McMurdo. And their real work was secret knowledge: The phone network was a vast maze of information. They wanted to know the system better than the designers, and they wanted the ability to modify it to their will. Understanding how the phone system worked--that was the true prize. Other early hackers were ham-radio hobbyists and model-train enthusiasts.

Richard Feynman was a hacker; read any of his books.

Computer hackers follow these evolutionary lines. Or, they are the same genus operating on a new system. Computers, and networks in particular, re the new landscape to be explored. Networks provide the ultimate maze of steam tunnels, where a new hacking technique becomes a key that can open computer after computer. And inside is knowledge, understanding. Access. How things work. Why things work. It s all out there, waiting to be discovered.

Today's computer hackers are stereotypically young (twenty- something and younger) , male, and socially on the fringe. They have their own counterculture: hacker names or handles, lingo, rules. And like any subculture, only a small percentage of hackers are actually smart. The real hackers have an understanding of technology at a basic level, and are driven by desire to understand. The rest are talentless poseurs and hangers-on, either completely inept or basic criminals. Sometimes they re called lamers or script kiddies.

Hackers can have considerable expertise, often greater than that of the system's original designers. I ve heard lots of security lectures, and the most savvy speakers are the hackers. For them, it's a passion. Hackers look at a system from the outside as an attacker, not from the inside as a designer. They look at the system as an organism, as a coherent whole. And they often understand the attacks better than the people who designed the systems. The real hackers, that is.

Hackers generally have lot of time, but few financial resources. (Put one of them to work at a big company, and that will change.) Some of them are risk verse and tread gingerly around the edges of the law, but others have no fear of prosecution and engage in illegal activities with no consideration of the risk involved.

There are hacker newsgroups, hacker Web sites and hacker conventions. Hackers often trade attacks and automated attacking tools among themselves. There are different hacker groups (or gangs, if you are less kind), but there is no hierarchy. You can't galvanize the hacker community against a particular target; hackers go after what they can. Often they ll hack something because it's widely deployed, interesting, or because the target "deserves" it.

Unfortunately, much of what hackers do is illegal. I'm not talking about the few who work in research environments, who evaluate the security of systems in laboratory settings, and who publish analyses of products and systems. I'm talking about the hackers who break into other people's networks, deface Web pages, crash computers, spread viruses, and write automatic programs that let other people do these things. These people are criminals, and society needs to treat them as such.

I don't buy the defense that a hacker just broke in a system to look around, and didn't do any damage. Some systems are frangible, and simply looking around can inadvertently cause damage. And once an unauthorized person has been inside a system, you can t trust its integrity. You don't know that the intruder didn't touch anything.

Imagine that you come home to find a note on your refrigerator door saying: "Hi. I noticed that you had a lousy front door lock, so I broke in. I didn't touch anything. You really should get a better security system." How would you feel?

The problem starts with the hackers who write hacking tools. These are programs--sometimes called exploits or--that automate the process of breaking into systems. An example is the Trin00 distributed denial-of-service tool. Thousands of servers h ve been brought down because of this attack, and it s caused legitimate companies millions of dollars in time and effort to recover from. It's one thing to research the vulnerability of the Internet against this type of attack, and to write a research paper about defending against it. It's another thing entirely to write program that automates the attack.

The Trin00 exploit serves no conceivable purpose other than to attack systems. Gun owners can argue self-defense, but Internet servers don t break into anyone's house at night. It's actually much worse, because once an exploit is written and made vailable, ny wannabe hacker can download it and attack computers on the Internet. He doesn t even have to know how it works. (See why they re called script kiddies?) Trin00 attacks were popular in early 2000 because the exploit was vailable. If it weren't--even if a research paper were available--none of the script kiddies would be able to exploit the vulnerability.

Certainly the lamers that use Trin00 to attack systems are criminals. I believe the person who wrote the exploit is, too. A fine line exists between writing code to demonstrate research and publishing attack tools; between hacking for good and hacking as a criminal activity. I will get back to this in Chapter 22.

Most organizations are wary about hiring hackers, nd rightfully so. There are exceptions--the NSA offering scholarships to hackers willing to work at Fort Meade, Israeli intelligence hiring Jewish hackers from the United States, Washington offering security fellowships--and some hackers have gone on to form upstanding and professional security companies. Recently, handful of consulting companies have sprung up to whitewash hackers and present them in a more respectable light. And sometimes this works, but for many people it can be hard to tell the ethical hackers from the criminals.

LONE CRIMINALS

In April 1993, small group of criminals wheeled a Fujitsu model 7020 automated teller machine into the Buckland Hills Mall in Hartford, Connecticut, and turned it on. The machine was specially programmed to accept ATM cards from customers, record their account numbers and PINs, and then tell the unfortunate consumers that no transactions were possible. A few days later, the gang encoded the stolen account numbers and PINs onto counterfeit ATM cards, and started withdrawing cash from ATMs in midtown Manhattan. They were eventually caught when the bank correlated the use of the counterfeit ATM cards with routine surveillance films.

It was a shrewd attack, and much higher tech than most banking crimes. One innovative criminal in New Jersey attached a fake night deposit box to a bank wall, and took it way early in the morning. It's worse elsewhere. A few years ago, an ATM was stolen in South Africa . . . from inside police headquarters in broad daylight.

Lone criminals cause the bulk of computer-related crimes. Sometimes they are insiders who notice a flaw in a system and decide to exploit it; other times they work outside the system. They usually don't have much money, access, or expertise, and they often get caught because of stupid mistakes. Someone might be smart enough to install fake ATM and collect account numbers and PINs, but if he brags about his cleverness in a bar and gets himself arrested before cleaning out all the accounts . . . well, it s hard to have ny sympathy for him. Look at the two public Internet attacks of early 2000. Someone manages to gain access to over ten thousand credit card numbers, with names and addresses. The best crime he can think of to do: extortion. Someone else manages to control a large number of distributed computers, ready to do his bidding. The best crime he can think of: irritate major Web sites.

Lone criminals will target commerce systems because that's where the money is. Their techniques may lack elegance, but they will steal money, and they will cost even more money to catch and prosecute. And there will be a lot of them.

MALICIOUS INSIDERS

A malicious insider is a dangerous and insidious adversary. He's already inside the system he wants to attack, so he can ignore any perimeter defenses around the system. He probably has a high level of access, and could be considered trusted by the system he is attacking. Remember the Russian spy Aldrich Ames? He was in a perfect position within the CIA to sell the names of U. S. operatives living in Eastern Europe to the KGB; he was trusted with their names. Think about a programmer writing malicious code into the payroll database program to give himself raise every six months. Or the bank vault guard purposely missetting the time lock to give his burglar friends easy access. Insiders can be impossible to stop because they're the exact same people you're forced to trust.

Here's a canonical insider attack. In 1978, Stanley Mark Rifkin was a consultant at a major bank. He used his insider knowledge of (and access to) the money transfer system to move several million dollars into a Swiss account, and then to convert that money into diamonds. He also programmed the computer system to automatically erase the backup tapes that contained evidence of his crime. (He would have gotten away with it, except that he bragged to his lawyer, who turned him in.)

Insiders don't always attack a system; sometimes they subvert system for their own ends. In 1991, employees at Charles Schwab in San Francisco used the company's e-mail system to buy and sell cocaine. A convicted child rapist working in a Boston-area hospital stole a co-worker's password, paged through confidential patient records, and made obscene phone calls.

Insiders are not necessarily employees. They can be consultants and contractors. During the Y2K scare, many companies hired programmers from China and India to update old software. Rampant xenophobia aside, ny of those programmers could have attacked the systems as an insider.

Most computer security measures--firewalls, intrusion detection systems, and so on--try to deal with the external attacker, but are pretty much powerless against insiders. Insiders might be less likely to attack system than outsiders are, but systems are far more vulnerable to them.

An insider knows how the systems work and where the weak points are. He knows the organizational structure, and how any investigation against his actions would be conducted. He may already be trusted by the system he is going to attack. An insider can use the system's own resources against itself. In extreme cases the insider might have considerable expertise, especially if he was involved in the design of the systems he is now attacking.

Revenge, financial gain, institutional change, or even publicity can motivate insiders. They generally also fit into another of the categories: a hacker, lone criminal, or a national intelligence agent. Malicious insiders can have risk tolerance ranging from low to high, depending on whether they are motivated by a "higher purpose" or simple greed.

Of course, insider attacks aren't new, and the problem is bigger than cyberspace. If the e-mail system hadn t been there, the Schwab employees might have used the telephone system, or fax machines, or maybe even paper mail.

INDUSTRIAL ESPIONAGE

Business is war. Well, it s kind of like war, but it has referees. The referees establish the rules--what is legal and what isn't--and do their best to enforce them. Sometimes, if business has enough money and clout, it can petition to the referees and get the rules changed. Usually, it just plays within them.

The line where investigative techniques stop being legal and start being illegal is where competitive intelligence stops and industrial espionage starts. The line moves from jurisdiction to jurisdiction, but there are gross generalities. Breaking into a competitor s office and stealing files is always illegal (even for Richard Nixon); looking them up in news article database is always legal. Bribing their senior engineers is illegal; hiring them is legal. Hiring them and having them bring a copy of the competitor's source code is illegal. Pretending to want to hire their senior engineers so that you can interview them . . . that's legal, pretty sleazy, and really clever.

Industrial espionage attacks have precise motivations: to gain an advantage over the competition by stealing competitors trade secrets. In one public example, Borland accused Symantec of stealing trade secrets via a departing executive. In another case, Cadence Design Systems filed suit against competitor Avant! for, among other things, stealing source code. In 1999, online bookseller Alibris pled guilty to eavesdropping on Amazon. com corporate e-mail. Companies from China, France, Russia, Israel, the United States, and elsewhere have stolen technology secrets from foreign competitors.

Industrial espionage can be well-funded; an amoral but rational company will devote enough resources toward industrial espionage to achieve an acceptable return on investment. Even if stealing a rival's technology costs you half a million dollars, it could be one-tenth the cost of developing the technology yourself. (Ever wonder why the Russian Space Shuttle looks a whole lot like the U. S. Space Shuttle?) This kind of adversary has a medium risk tolerance because a company's reputation (an intangible but valuable item) will be damaged considerably if it is caught spying on the competition but--desperate times can bring desperate measures.

PRESS

Think of the press as a subspecies of industrial spy, but with different motivations. The press isn't interested in a competitive advantage over its targets; it is interested in a "newsworthy" story. This would be the Washington City Pages publishing the video rental records of Judge Bork ( which led to the Video Privacy Protection Act of 1988), the British tabloids publishing private phone conversations between Prince Charles and Camilla P rker Bowles, or a newspaper doing an exposé on this company or that government agency.

It can be worth a lot of newspaper sales to get pictures of a presidential candidate like Gary Hart with a not-his-wife on his lap. Even marginally compromising photographs of Princess Di were worth over half a million dollars. Some reporters have said that they would not think twice about publishing national security secrets; they believe the public's right to know comes first.

In many countries, the free press is viewed as a criminal. In such countries, the press is usually not well funded, and generally more the victim of attack than the attacker. Journalists have gone to jail, been tortured, and have even been killed for daring to speak against the ruling government. This is not what I mean by the press as an attacker.

In industrial countries with reasonable freedoms, the press can bring considerable resources to bear on attacking a particular system or target. They can be well funded; they can hire experts and gain access. And if they believe their motivations are true, they can tolerate risk. (Certainly the reporters who broke the Watergate story fall into this category. ) Reporters in the United States and other countries have gone to jail to protect what they believe is right. Some have even died for it.

ORGANIZED CRIME

Organized crime is a lot more than Italian Mafia families and Francis Ford Coppola movies. It's a global business. Russian crime syndicates operate both in Russia and in the United States. Asian crime syndicates operate both at home and abroad. Colombian drug cartels are also international. Nigerian and other West African syndicates have captured 70 percent of the Chicago heroin market. Polish gangsters run an elaborate car theft operation, stealing cars in the United States and shipping them back to Poland. Of course, there are turf battles between rival gangs, but there is a lot of international cooperation, too.

Organized crime s core competencies haven't changed much this century: drugs, prostitution, loan sharking, extortion, fraud, and gambling. And they use technology in two ways. First, it's a new venue for crime. They use hacking tools to break into bank computers and steal money; they steal cell phone IDs and resell them; they engage in computer fraud. Identity theft is a growth area; Chinese gangs are industry leaders here. Certainly electronic theft is more profitable: One big Chicago bank lost $60,000 in 1996 to bank robbers, and $60 million to check-related fraud.

The mob also uses computers to assist its core businesses. Illegal gambling is easier to run: Cell phones allow bookies to operate from anywhere, and hair-trigger computers can erase all evidence within seconds of a raid. And money laundering is increasingly a business of computers and electronic funds transfers: moving money from one account to another to a third, changing ownership of accounts, disguising the money's origins, moving it through countries that keep less detailed records.

In terms of risk, organized crime is what you get when you combine lone criminals with a lot of money and organization. These guys know that you have to spend money to make money, and are willing to invest in profitable attacks against a financial system. They have minimal expertise, but can purchase it. They have minimal access, but they can purchase it. They often have higher risk tolerance than lone criminals; the pecking order of the crime syndicate often forces those in the lower ranks to take greater risks, and the protection afforded by the syndicate makes the risks more tolerable.

POLICE

You can think of the police as kind of like a national intelligence organization, except that they are less well funded, less technically savvy, and focused on crimefighting. Understand, though, that depending on how benevolent the country is and whether or not they hold occasional democratic elections, crimefighting could cover a whole lot of things not normally associated with law enforcement. Maybe they're more like the press, but with better funding and a readership that only cares about true crime stories. Or maybe you can think of them as organized crime's industrial competitor.

In any case, police have a reasonable amount of funding and expertise. They re pretty risk averse--no cop wants to die for his beliefs--but since they have the laws on their side, things that are risks to some groups can be less risky to the police. (Having a warrant issued, for example, turns eavesdropping from a risky attack to a valid evidence-gathering tool.) Their primary goal is information gathering, with information that stands up in court being more useful than information that doesn't.

But police aren't above breaking the law. The fundamental assumption is that we trust the individual or some government to respect our privacy and to only use their powers wisely. While this is true most of the time, buses are regular and can be pretty devastating. A spate of illegal FBI wiretaps in Florida and a subsequent cover-up got some press in 1992; the 150 or so illegal wiretaps by the Los Angeles Police Department have gotten more. (Drugs were involved, of course; more than one person has pointed out that the war on drugs seems to be the root password to the U.S. Constitution.) J. Edgar Hoover regularly used illegal wiretaps to keep tabs on his enemies. And 25 years ago a sitting president used illegal wiretaps in an attempt to stay in power.

Things seem to have improved since the days of Hoover and Nixon, and I have many reasons to hope we won't be back there again. But the risk remains. Technology moves slowly, but intentions change quickly. Even if we are sure today that the police will follow all privacy legislation, eavesdrop only when necessary, obtain all necessary warrants, follow proper minimization procedures, and generally behave like upstanding public servants, we don't know about tomorrow. The same kind of reactive crisis thinking that led us to persecute suspected Communists during the McCarthy era could again sweep across the country. Census data is, by law, not supposed to be used for any other purpose. Even so, it was used during World War II to round up Japanese Americans and put them in concentration camps. The eerily named "Mississippi Sovereignty Commission" spied on thousands of civil rights activists in the 1960s. The FBI used illegal wiretaps to spy on Martin Luther King, Jr. A national public-key infrastructure could be a precursor to national registration of cryptography. Once the technology is in place, there will always be the temptation to use it. And it is poor civic hygiene to install technologies that could someday facilitate a police state.

TERRORISTS

This category is a catchall for a broad range of ideological groups and individuals, both domestic and international. There s no attempt to make moral judgments here: One person s terrorist is another person's freedom fighter. Terrorist groups are usually motivated by geopolitics or (even worse) ethnoreligion--Hezbollah, Red Brigade, Shining Path, Tamil Tigers, IRA, ETA, FLNC, PKK, UCK--but can also be motivated by moral and ethical beliefs, such as those of Earth First and radical antiabortion groups.

These groups are generally more concerned with causing harm than gathering information, so their techniques run more along the lines of denial of service and outright destruction. While their long-term goals are usually something vaguely reasonable, like the reunification of Gondwanaland or the return of all cows to the wild, their near-term goals are things like revenge, chaos, and blood-soaked publicity. Bombings are f vorite; kidnappings also work well. It makes a big international splash when a DC-10 falls out of the sky or an abortion clinic is blown to bits, but eventually these guys will figure out that a lot more damage is done when O'Hare air traffic control starts vectoring planes into each other. Or that if they can hack the airline reservation system to find out which 747 is taking the congressional delegation to the south of France this summer, their bombing will be all that much more effective.

There are actually very few terrorists. Their attacks are acts of war more than anything else, and probably should be in the "infowarrior" category. And since terrorists generally consider themselves to be personally in a state of war, they have a very high risk-tolerance.

Unless they have rich idealist funding their actions, most terrorists operate on a shoestring budget. Most of them are unskilled: "You there. Carry this bag. Walk into the middle of that busy market. Push this button. See you in the glorious afterlife." There are exceptions (some of the organizations in the first paragraph are well-organized, well-trained, and well-supported--it is believed that the counterfeit TV descramblers sold in Ireland helped finance the IRA, for example), but the majority of groups don't have good organization or access. And they tend to make stupid mistakes.

NATIONAL INTELLIGENCE ORGANIZATIONS

These are the big boys. The CIA, NSA, DIA, and NRO in the United States (there are others), the KGB (now FAPSI for counter-intelligence and FSB for foreign intelligence) and GRU (military intelligence) in Russia, MI5 (counter-intelligence), MI6 (like the CIA), and GCHQ (like the NSA) in the United Kingdom, DGSE in France, BND in Germany, Ministry of National Security in China (also called the "Technical Department"), Mossad in Israel, CSE in Canada. For most of the other adversaries, this is all a game: break into a Web site, gain some competitive intelligence, steal some money, cause a little mayhem, whatever. For these guys, it's very real.

A major national intelligence organization is the most formidable adversary around. It is extremely well funded, since it is usually considered a branch of the military. ( Although the exact number is a secret, the press reports that "congressional sources" put the combined budgets of the CIA, Defense Intelligence Agency, NSA, the National Reconnaissance Office, and other federal intelligence agencies as $33.5 billion in 1997.) It is a dedicated and capable adversary, with the funding to buy a whole lot of research, equipment, expertise, and plain old skilled manpower.

On the other hand, major national intelligence organization is usually highly risk verse. National intelligence organizations don't like to see their names on the front page of the New York Times, and generally don't engage in risky activities. ( Exceptions, of course, exist; they re the ones you read about on the front page of the New York Times.) Exposed operations cause several problems. One, they expose the data. National intelligence is based on gathering information that the country should not know. It's eavesdropping on a negotiating position, sneaking a peek at a new weapons system, knowing more than the adversary does. If the adversary learns what the intelligence organization knows, some of the benefit of that knowledge is lost.

Two, and probably more important, botched operations expose techniques, capabilities, and sources. For many years the NSA eavesdropped on Soviet car phones as the Politburo drove around Moscow. Someone leaked information about Khrushchev's health in the newspapers, and suddenly the car phones were encrypted. The newspapers didn't say anything about car phones, but the KGB wasn't stupid. The leak here wasn t that we knew about Khrushchev's health, but that we were listening to their communications. The same thing happened after some terrorists bombed a Berlin disco in 1986. Reagan announced that we had proof of Libya's involvement, compromising the fact that we were ble to eavesdrop on their embassy traffic to and from Tripoli. During World War II, the Allies couldn't use much of the intelligence gleaned from decrypting German Enigma traffic out of fear that the Germans would change their codes.

Intelligence objectives include everything you d normally think about--military information, weapons designs, diplomatic information--and a lot of things you wouldn't. The telephone system is probably a gold mine of intelligence information; so is the Internet. Several national intelligence organizations are actively engaged in industrial espionage (the FBI estimates "up to 20" are targeting U.S. companies) and passing the information gained to rival companies in their own countries. China is the world's worst offender, France and Japan are also bad, and there are others.

The United States is not above this. A 1999 EU report gives several examples, including the following:

• In 1994, the Brazilian government awarded a $1.4 billion contract to Raytheon Corporation, rather than two French companies. Raytheon supposedly altered its bid when it learned of details of the French proposals.
• In 1994, McDonnell Douglas Corporation won a Saudi Arabia contract over Airbus Industrie, supposedly based on inside information passed from U.S. intelligence.

Former CIA director R. James Woosley has admitted using ECHELON information about foreign companies using bribes to win foreign contracts to help "level the playing field," passing the information to U.S. companies and pressuring the foreign governments to stop the bribes. None of this is proven, though. Certainly any company that loses a bid is going to look for reasons why it wasn't its fault, and none of the "victims" have said anything in public. Still, the possibilities are disturbing.

And this kind of stuff is even worse in cyberspace. ECHELON is not the only program that targets the Internet. Singapore and China eavesdrop on Internet traffic in their countries (China uses its national firewall, the Great Wall) . Internet service providers across Russia are helping the main KGB successor agencies to read private e-mails and other Internet traffic, as part of an internal espionage program called SORM-2.

National intelligence organizations are not above using hacker tools, or even hackers, to do their work. The Israeli and Japanese governments both have programs to bring hackers into their country, feed them pizza and Jolt Cola, and have them do intelligence work. Other governments go onto the Net and taunt hackers, trying to get them to work for free. "If you re so good you ll have the password to this government computer"--that sort of thing works well if directed against a talented teenager with no self-esteem. The Cuckoo's Egg by Clifford Stoll is about the exploits of three hackers who worked for the KGB in exchange for cash and cocaine.

The techniques of national security agencies are varied and, with the full weight of a nation behind them, can be very effective. British communications security companies have been long rumored to build exploitable features into their encryption products, at the request of British intelligence. In 1997, CIA director George Tenet mentioned (in passing, without details) using hacker tools and techniques to disrupt international money transfers and other financial activities of Arab businessmen who support terrorists. The possibilities are endless.

INFOWARRIORS

Yes, it's a buzzword. But it s also real. An infowarrior is a military adversary who tries to undermine his target s ability to wage war by attacking the information or network infrastructure. Specific attacks range from subtly modifying systems so that they don't work (or don't work correctly) to blowing up the systems completely. The attacks could be covert, in which case they might resemble terrorist attacks (although good infowarrior cares less about publicity than results). If executed via the Internet, the attacks could originate from foreign soil, making detection and retaliation much more difficult.

This adversary has all the resources of a national intelligence organization, but differs in two important areas. One, he focuses almost exclusively on the short-term goal of affecting his target s ability to wage war. And two, he is willing to tolerate risks that would be intolerable to long-term intelligence interests. His objectives are military advantage and, more generally, chaos. Some of the particular targets that might interest an infowarrior include military command and control facilities, telecommunications, logistics and supply facilities and infrastructure ("think commercial information systems"), and transportation lines ("think commercial aviation"). These kinds of targets are called critical infrastructure.

In 1999, NATO targeted Belgrade s electric plants; this had profound effects on its computing resources. In retaliation, Serbian hackers attacked hundreds of U.S. and NATO computer sites. Chinese hackers crashed computers in the Department of the Interior, the Department of Energy, and the U.S. embassy in Beijing in retaliation for our accidental bombing of their embassy in Belgrade. China and Taiwan engaged in a little cyberwar through most of 1999, attacking each other's computers over the Internet (although this was probably not government coordinated on either side).

In the past, military and civilian systems were separate and distinct: different hardware, different communications protocols, different everything. Over the past decade, this has shifted; advances in technology are coming too fast for the military's traditional multiyear procurement cycle. More and more, commercial computer systems are being used for military applications. This means that all of the vulnerabilities and attacks that work against commercial computers may work against militaries. And both sides of a conflict may be using the same equipment and protocols: TCP/IP, Windows operating systems, GPS satellite receivers. The U.S. Air Force s Strategic Air Command (SAC) recently switched to Windows NT on its external networks.

Militaries have waged war on infrastructure ever since they started waging war. Medieval knights killed serfs, Napoleonic armies burned crops, Allied bombers targeted German factories during World War II. (Ball bearing factories were favorite.) Today, information is infrastructure. During Desert Storm, the Americans systematically destroyed Iraq's command and control infrastructure. Communications systems were jammed; individual communications cables were bombing targets. Without command and control, the ground troops were all but useless. The media hype surrounding infowar is embarrassing, but the militaries of the world are taking this seriously. Here is a quote from the Chinese Army newspaper, Jiefangjun Bao, a summary of speeches delivered in May 1996:

War isn't necessarily a major conflict like World War II or the oft-feared United States versus USSR, Armageddon. More likely, it is "low-intensity conflict": Desert Storm, the Argentine invasion of the Falklands, civil war in Rwanda. In The Transformation of War, Martin van Creveld points out that so-called low-intensity conflicts have been the dominant form of warfare since World War II, killing over 20 million people worldwide. This shift is a result of two main trends. One, it is easier for smaller groups to lay their hands on weapons of mass destruction: chemical weapons, biological weapons, long-range missiles, and so forth. Two, more nonnation states are capable of waging war. In fact, the distinction between nation and nonnation states is blurring. Organized crime groups are merging with government at various levels in countries such as Mexico, Colombia, and Russia. Infowarriors don't all work for major industrial nations. Increasingly, they work for minor political powers.