Computer Security Articles
Academic Papers
Introduction to the Second Edition of Secrets and Lies
Information Security Magazine Point-Counterpoints
Chinese Cyberattacks: Myth or Menace? (Jul 08)
The Ethics of Vulnerability Research (May 08)
Consolidation: Plague or Progress (Mar 08)
Caution: Turbulence Ahead (Dec 07)
Cyberwar: Myth or Reality? (Nov 07)
Home Users: A Public Health Problem? (Sep 07)
Is Big Brother a Big Deal? (May 07)
Is Penetration Testing Worth It? (Mar 07)
Does Secrecy Help Protect Personal Information? (Jan 07)
Do Federal Security Regulations Help? (Nov 06)
Is There Strategic Software? (Sep 06)
Are Security Certifications Valuable? (Jul 06)
Is User Education Working? (Apr 06)
IEEE Security & Privacy Columns
How the Human Brain Buys Security (Jul/Aug 08)
The Death of the Security Industry (Nov/Dec 07)
The Zotob Storm (Nov/Dec 05)
University Networks and Data Security (Sep/Oct 05)
Authentication and Expiration (Jan/Feb 05)
SIMS: Solution, or Part of the Problem? (Sep/Oct 04)
Customers, Passwords, and Web Sites (Jul/Aug 04)
Security and Compliance (May/Jun 04)
Voting Security (Jan/Feb 04)
Airplane Hackers (Nov/Dec 03)
The Speed of Security (Jul/Aug 03)
Guilty Until Proven Innocent? (May/Jun 03)
Locks and Full Disclosure (Mar/Apr 03)
We Are All Security Consumers (Jan/Feb 03)
Cryptography: The Importance of Not Being Different (Mar 99)
Communications of the ACM Columns
Psychology of Security (May 07)
Two-Factor Authentication: Too Little, Too Late (Apr 05)
Insider Risks in Elections (Jul 04)
Cyber Underwriters Lab? (Apr 04)
Risks of PKI: Electronic Commerce (Feb 04)
Risks of PKI: Secure E-Mail (Jan 04)
Insurance and the Computer Industry (Mar 01)
Risks of Relying on Cryptography (Oct 99)
The Trojan Horse Race (Sep 99)
Biometrics: Uses and Abuses (Aug 99)
eWeek Articles
Digital Information Rights Need Tech-Savvy Courts (Feb 14 05)
Desktop Google Finds Holes (Nov 29 04)
We Owe Much to DES (Aug 30 04)
US-VISIT Is No Bargain (Jul 6 04)
Computerworld Articles
The curse of the secret question (Feb 09 05)
Information security: How liable should vendors be? (Oct 28 04)
Cryptanalysis of MD5 and SHA: Time for a New Standard (Aug 19 04)
The Witty worm: A New Chapter in Malware (Jun 2 04)
Why Computers are Insecure (Nov 99)
CNET News.com Articles
Who says safe computing must remain a pipe dream? (Dec 9 04)
Saluting the data encryption legacy (Sep 27 04)
Internet Worms and Critical Infrastructure (Dec 9 03)
Trust, but Verify, Microsoft's Pledge (Jan 18 02)
Information Security Magazine Columns
The Insurance Takeover (Feb 01)
The Fallacy of Trusted Client Software (Aug 00)
The Process of Security (Apr 00)
1999 Crypto Year-in-Review (Dec 99)
A Plea for Simplicity (Nov 99)
International Cryptography (Sep 99)
1998 Crypto Year-in-Review (Dec 98)
Key Recovery (Oct 98)
Other Articles
The Problem Is Information Insecurity
Security Watch, August 10, 2008
Information security isn't a technological problem. It's an economics problem.
Secret Questions Blow a Hole in Security
ComputerWeekly, April 4, 2008
It's a mystery to me why websites think "secret questions" are a good idea.
Information Security and Externalities
ENISA Quarterly, January 2007
Information insecurity is costing us billions. We pay for the lack of security, year after year.
Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'
CSO Online, January 2007
Full disclosure—the practice of making the details of security vulnerabilities public—is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure.
Security in the Cloud (Feb 06)
Network World, February 15, 2006
One of the basic philosophies of security is defense in depth: overlapping systems designed to provide security even if one of them fails. An example is a firewall coupled with an intrusion-detection system (IDS). Defense in depth provides security, because there's no single point of failure and no assumed single vector for attacks.
The Hackers are Coming!
Utility Automation & Engineering T&D, December 13, 2005
Over the past few years, we have seen hacking transform from a hobbyist activity to a criminal one. Hobbyist threats included defacing web pages, releasing worms that did damage, and running denial-of-service attacks against major networks. The goal was fun, notoriety, or just plain malice.
Attack Trends: 2004 and 2005
Queue, June 2, 2005
Counterpane Internet Security Inc. monitors more than 450 networks in 35 countries, in every time zone. In 2004 we saw 523 billion network events, and our analysts investigated 648,000 security "tickets." What follows is an overview of what's happening on the Internet right now, and what we expect to happen in the coming months.
Microsoft's Actions Speak Louder Than Words
Network World, May 31, 2004
The security of your computer and network depends on two things: what you do to secure your computer and network, and what everyone else does to secure their computers and networks.
Security Pitfalls in Cryptography
Strong cryptography is very powerful when it is done right, but it is not a panacea. Focusing on the cryptographic algorithms while ignoring other aspects of security is like defending your house not by building a fence around it, but by putting an immense stake into the ground and hoping that the adversary runs right into it.
Why Cryptography is Harder than it Looks
The cryptography now on the market doesn't provide the level of security it advertises. Most systems are not designed and implemented in concert with cryptographers, but by engineers who thought of cryptography as just another component. It's not. You can't make systems secure by tacking on cryptography as an afterthought. You have to know what you are doing every step of the way, from conception through installation.
Cryptography, Security, and the Future
Present-day computer security is a house of cards; it may stand for now, but it can't last. Many insecure products have not yet been broken because they are still in their infancy. But when these products are widely used, they will become tempting targets for criminals. The press will publicize the attacks, undermining public confidence in these systems. Ultimately, products will win or lose in the marketplace depending on the strength of their security.
Self-Study Course in Block Cipher Cryptanalysis
Studying cryptanalysis is difficult because there is no standard textbook, and no way of knowing which cryptanalytic problems are suitable for different levels of students. This paper attempts to organize the existing literature of block-cipher cryptanalysis in a way that students can use to learn cryptanalytic techniques and ways to break new algorithms.
How to Evaluate Security Technology
Cryptography has the potential of transforming the Internet, or any network, from an academic toy into a real business tool. It does so by allowing us to do real business -- for example, signing and enforcing contracts or doing e-commerce. Unfortunately, most of the products out there aren't very good. They have problems, they're broken. Most cryptography in these products doesn't perform as advertised. The article discusses why this happens, what you should watch out for, and what can be done to change the situation.
Ten Risks of PKI
Public-key infrastructure has been oversold as the answer to many network security problems. We discuss the problems that PKI doesn't solve, and that PKI vendors don't like to mention.
The Case for Outsourcing Security
Deciding to outsource network security is difficult. The stakes are high, so it's no wonder that paralysis is a common reaction when contemplating whether to outsource or not.
Click here to bring down the Internet
In recent Congressional testimony, hackers from the L0pht boasted that they could bring down the Internet in under 30 minutes. Should we be concerned?
DVD Encryption Broken
ZDNet, November 1999
Web-Based Encrypted E-Mail
ZDNet, August 1999
NIST AES News
ZDNet, August 1999
Why the Worst Cryptography is in the Systems that Pass Initial Analysis
Information Security Magazine, March 1999
Intel's Processor ID
ZDNet, January 26, 1999
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.