Bruce Schneier, founder and CTO of Counterpane Internet Security, is one of the world's foremost security experts and author of the influential books Applied Cryptography, Secrets & Lies and Beyond Fear. His free monthly newsletter, Crypto-Gram, has over 100,000 readers. Interviewed by Glyn Moody, he discusses the lack of accountability of software companies, security through diversity, and why he would rather re-write Windows than TCP/IP.
Q. You've said that Applied Cryptography described a "mathematical utopia" of algorithms and protocols: what was the attraction of that utopia for you?
A. Cryptographic security comes from mathematics, not from people and not from machines. Mathematical security is available to everyone, both the weak and the powerful alike, and gives ordinary people a very powerful tool to protect their privacy. That's the cryptographic ideal of security.
Q. To what extent is the Internet and its global linking of computers together to blame for the destruction of that utopia?
A. They're entirely to blame, although "blame" is not really the right word. Cryptography worked well in the era of radios and telegraphs, where the threat was eavesdropping and mathematical cryptography could protect absolutely. But in the world of computers and networks, the threats are more complex and involve software and system vulnerabilities. Cryptography is much less able to provide security in this new world; that's the cryptographic reality of security.
Q. In Secrets & Lies you wrote that you had an epiphany about security in April 1999: can you say what it was?
A. As a cryptographic consultant, I did a lot of work analyzing operating systems. Invariably I would break them, but almost never would I break the mathematical cryptography. I eventually realized that cryptography is the strongest part of a very weak system, and that the system aspects around the cryptography - the software, the operating system, the network, the user interface, etc. - are much more important.
Q. One of the ideas in your book Secrets & Lies is that at the root of the computer security problems we face today is the lack of accountability by software manufacturers for their faulty products: why do you think that they have managed to evade the responsibility - unlike everyone else - despite the scale of the damage and the associated profits?
MyHosting.com CEO and President Tony Yustein is passionate and opinionated about Windows web hosting. A former regional director for Microsoft, Yustein founded Toronto's SoftCom Technology in 1997, and has built it into a significant player in both web hosting and webmail. In an interview with Rich Miller, Yustein shares his views on Microsoft's approach to hosting and security, and the road ahead for webmail and spam.
Q. In April MyHosting.com introduced a "blended hosting environment" for shared hosting customers that includes both Windows and Linux accounts within a single plan. You'd previously been a Windows-only provider. What led you to add Linux hosting, and to adopt this particular approach?
A. Simply put, demand from our customers. Our experience with our customers showed us that it's not the operating system which drives their choices, but the availability of the applications. Most popular web applications are either in Perl or PHP and use MySQL. We had two options: either install Perl, PHP and MySQL on the Windows platform, or offer our customers the native platform which these tools are developed on. This is the main reason we decided to offer a native Linux offering at no additional cost to our web hosting customers. So they get 2 for the price of 1, both Windows Server 2003 and Linux under the same account.
Brian Behlendorf co-founded the Apache Web Server Project and was the first Chief Engineer at Wired Magazine. He also co-founded the web design firm Organic Online and CollabNet, where Behlendorf now serves as CTO. He talks to Rich Miller about Apache's growth, the SCO case's unexpected benefits for open source, and changing the world through software.
Q. It's been a year of big gains for Apache, which now runs more than two-thirds of the sites on the Web, according to the Netcraft Web Server Survey, erasing inroads by Microsoft during 2001. What's your take on Apache's continuing gains?
A. I could speculate all day long as to why it's continued to grow, and I'd love to see a real survey done on it. Anecdotally, my take is that I imagine most of the growth continues to be either with the small mom-n-pop companies, or web hosting ISPs, or internationally - all places where price sensitivity is high, where the economic downturn is still causing budgets to be hurt, and there's willingness to consider an Open Source approach to solving a given problem. No doubt the security holes in IIS have continued to plague its reputation, and while there have been some noticed recently (and fixed) in Apache, they have been much less serious. Finally, I imagine the rise of related Apache projects, like the continued rise in use of mod_perl and Tomcat and our friends over at PHP, have only increased the confidence in using the web server for mission-critical situations.
Q. What's your take on the long-term impact of the SCO lawsuits? What changes - positive and negative - do you see it producing for Linux and the open source community?
A. I'm assuming that thanks to the BayStar callback that this lawsuit is nearly dead. Of course SCO could sue their own financial backers and prolong this further, but it feels like we're seeing the beginning of the end. But while it was alive, it did a lot for Open Source in some unexpected ways. The community at large had taken a largely see-no-evil, hear-no-evil approach to issues around IP ownership, clearance of rights, that sort of thing, except for a few organizations like the FSF and the Apache Software Foundation who actually put effort into collecting license agreements from contributors. Now, developers are more aware than ever that getting a clean history for code matters a great deal.
Born in Mexico City, Miguel de Icaza was the driving force behind the creation of the Gnome free software desktop, and co-founded the open source company Ximian, bought last August by Novell. In July 2001, he helped start another ambitious project, Mono: a free implementation for GNU/Linux of Microsoft's .Net framework. He talks to Glyn Moody about Mono's progress, how Ximian was bought by Novell, and why he is so scared of Microsoft's Longhorn.
Q. How has your vision of Mono changed since you began the project, and what are the main aims of Mono today?
A. A lot of the things that Microsoft was addressing with .Net were touching on existing pain points for us. We've been using C and C++ way too much - they're nice, but they're very close to the machine and what we wanted was to empower regular users to build applications for Linux. Windows has a lot of tools that address a particular problem, but on Linux we're kind of on our own in terms of development. So when Microsoft came out with this [.Net] thing, initially what we saw was very interesting, and that's how the project got started. But as people got together and started to work and collaborate on this effort, a couple of things happened.
The first one is that there was more and more momentum behind building APIs that were compatible with the Microsoft ones. Novell and Ximian were focused just on the core and C#; a lot of the people who came and contributed software to the project were interested in Windows Forms, or ASP.Net or Web services or databases, which were part of the Microsoft stack.
And at the same time we have grown organically a stack completely independent of the Microsoft stack, which we call the Mono stack but it includes things like tools for doing GUI development for Linux - that was one thing that we were very interested in and we actually invested a lot of effort into that.
So today at the core we still have Mono, which is what we wanted to do, and now we've got two very healthy independent stacks: the Microsoft-compatible stack for people who want to bring their applications from Windows to Linux, and also this completely new and fresh stack of things that in some cases are portable from Linux to Windows, and in some cases are very, very Linux specific.
Q. Microsoft doesn't seem to be making so much noise about .Net these days: what's your view of .Net's progress at the moment: how is it shaping up as a platform for writing software?
Peter Pathos has guided The Planet Internet Services of Dallas through a period of dynamic growth, posting impressive numbers in the first two months of 2004. Pathos, the company's president, launched The Planet after selling the ISP he founded, National Knowledge Networks, to Verio in 1998. In an interview with Rich Miller, Pathos shares his views about hosting technology, the SCO case, and how security issues will bring about the death of the "mom-and-pop" hosting company.
Jim Gray won the 1998 Turing Award "for seminal contributions to database and transaction processing research." More recently, he has been working as a Distinguished Engineer in Microsoft's Scalable Servers Research Group, based in San Francisco, on the creation of terabyte-sized distributed online databases. Talking with Glyn Moody, Gray reflects on his career, the power of Web services, and the arrival of sentient machines later this century.