D. J. Bernstein
Bernstein v. United States

Internet security

``Today a small group of technically sophisticated people with nothing more than off-the-shelf computer equipment can get into, can disrupt the computers and the Internet connections on which our finance, telecommunications, power, water systems, emergency service systems all depend. ... Terrorists, organized crime, drug cartels, as well as nation states are either creating cybertech capabilities or are talking about using them. I believe that cyberspace is the next battlefield for this nation.'' Jamie Gorelick (Vice Chair of Fannie Mae, former co-chair of the Advisory Committee of the President's Commission on Critical Infrastructure Protection, former Deputy Attorney General, former General Counsel of the Department of Defense), 22 January 1999

Thousands of innocent people were murdered on 11 September 2001. Gorelick was wrong about cyberspace being the next battlefield for this nation.

Gorelick was correct, however, in pointing to the Internet as a part of our critical infrastructure, a part horribly vulnerable to attack. Anyone with five minutes of Internet access and a moderate amount of skill can easily destroy all the data on several million computers, for example; or disable the Internet's root servers, effectively turning off the entire World Wide Web; or, more insidiously, arrange for billions of passwords sent through the Internet to be quietly collected and stored for the attacker's future use. Imagine a terrorist learning a password to one of the central FBI computers!

There are, fortunately, not many terrorists in the world. But there are many criminals exploiting Internet vulnerabilities for economic gain. They infiltrate computers and steal whatever secrets they can find, from individual credit-card numbers to corporate business plans. There are also quite a few vandals causing trouble just for fun.

On the bright side, most researchers agree that the Internet can be protected against attacks. It's difficult, because there are so many vulnerabilities to fix, but it's possible, and we're trying to make it happen. Here are some of the important research areas:

I work in all of these areas. I like to think that my research has already helped stop some attacks. Example: Internet post-office software is a notorious source of security problems. I published my own post-office software, qmail, in 1996; my $500 reward for publication of a qmail security hole has never been claimed, and I don't expect that it ever will be. An October 2001 survey found qmail running on seven hundred thousand mail servers around the Internet.