But that economy is not a reflection of the ecosystems to which it is very closely tied, nor is it tied to the priorities that we, as societies, must maintain. We have always paid more to fuel our vehicles than we have to fuel our bodies, but this quixotic miscarriage of effort was not particularly problematic so long as our food and our fossil fuels came from different places. Rice paddies to not typically compete with oilfields.

I think that most of us intuitively agree with the fact that food sustenance is a much more important priority than transport. And while the two are interdependent, corn subsidies have knocked the whole dependency chain deeply out of alignment. The thesis I attempt to draw your attention to here is that without those subsidies, at least for the time being, the whole notion of “growing energy” in fields would be akin to mania. And without them, at least in the interim, the whole notion of our food supply competing for arable land with our fuel supply would be a non-issue.

Agflation is here. The cost of raw materials such as grains, rice, and especially corn is rising across the board. This means the cost of your daily meals will soon be rising as well, and the culprit is likely you — or at least it’s the twats you voted for. It’s not a good sign for a foundering U.S. economy, either, as “official” inflation reports tend to track just those sorts of items when measuring prosperity and struggle in inflationary markets.

Our planet, thanks to global warming and a mixture of other predicaments such as population growth and rampant warfare, barely has the resources to feed us all through agriculture, much less power our vehicles, industry, and cities. And while economic systems are supposed to be causing our allocation of resources etc. to fall into a natural balance, in this case there is substantial governmental interference which is creating an artificial economy around corn. Furthermore, many experts say that our past century, even when taking the extended drought of the 1930s into account, was unusually ideal for agriculture, and these days we ain’t doing so well. As the chart below illustrates, drought is the rule, rather than the exception to it, on the Great Plains.

There’s a perfect storm here which is diverting resources from your lunch plate to your gas tank. The basis for this imbalance are the subsidies for corn farmers in Canada and the U.S., as I’ve pointed out before. Corn is evil. And we wouldn’t grow as much of it as we do in North America, if it weren’t for the fact that it’s so heavily subsidized. The numbers for the U.S. alone are staggering.

No wonder farmers have been turning over rice and wheat and sugar crops to grow corn. With subsidies, they’re able to sell the corn on the market at prices substantially lower than it costs to produce. Of course, that’s especially fun if you’re a Mexican Farmer trying to grow maize as your family has done for hundreds of years, and there happen to be no subsidies in your own country. This has happened to Canada, mostly because of NAFTA and its proximity to the U.S. But it’s tempting, in the face of stiff competition from subsidized American farmers, for regulators around the world to attempt the same meddlesome subsidies in order to sustain their industries.

The second driver in the emergence of Ethanol also owes itself to interference by politicians and lobbyists: it can be traced back to a key loophole in the supposedly stringent fuel economy requirements placed on automobile manufacturers, called CAFE. As Timothy Carney points out:

“In 1975, following the Arab oil embargo, Congress created CAFE standards to force automakers and car buyers toward more fuel-efficient cars. An automaker’s ‘CAFE’ is the average miles per gallon of its entire fleet (weighted by number of sales per model) for a given year. … Current law requires all automakers to have a CAFE of 27.5 mpg for cars and 22.2 mpg for light trucks.”

Sounds great, right? Only problem is that auto manufacturers need only pay fines in order to escape the strangulation that CAFE restrictions would otherwise place on their big SUVs. The U.S. government has collected about $500 Million from the manufacturers.

The loophole is more recent, and it’s driving ethanol into the mainstream, which doesn’t bode well for those of us who like our corn-on-the-cob, not in our tank. In 1988, the US congress enacted the “Alternative Motor Fuels Act, creating an exemption from CAFE standards for auto manufacturers interested in developing what we now call “Flex-Fuel” vehicles, which run on E-85, a mixture of 85% ethanol (derived from corn) and 15% gasoline. It’s also why most of these Flex Fuel vehicles are big gas guzzlers, like GM’s Silverado and Suburban (listed here). Thanks to the AMFA, those bad boys are now exempt from the dreaded CAFE, saving millions of dollars in annual fines. This is of course regardless of whether you choose to use E-85 at the pump or not. As Carney adds,

“the federal government would multiply ethanol’s mileage by 6.6 and assume all flex-fuel cars would use ethanol half the time. This means a car that gets 20 mpg on gasoline and 15 mpg on ethanol would be treated for CAFE purposes as if it got 60 mpg.”

Typically, true alternative motor fuels such as Hydrogen, Electricity or Flux Capacitor were not invited to the AMFA party. It was strictly focused on E85. And now, with higher CAFE standards in the works, the U.S. Congress is poised to drive even more car models to the road using E85.

The result of this will be an even deeper investment in Ethanol, and further diversion away from the production of actual food on our farms. Surprisingly, even usually intelligent folks like Vinod Khosla and Tom Daschle have jumped on the Ethanol Bandwagon. Khosla has bet big on Ethanol, and the two waged a propaganda war, penning an OpEd piece in the NY Times called “Miles Per Cob” and speaking on radio shows like the one below:

powered by ODEO

The reality is far from the rosy picture they paint of America growing its own gasoline in perpetuity. It takes precious energy to produce Ethanol from crops, and of course since the cost of the raw materials is artificially deflated, there is little to advise the value of E85 once the true costs of the fuel are accounted for. And the emphasis on E85 as any sort of saviour is actually diminishing efforts to develop sustainable alternative fuel strategies, as it substantially displaces their economic benefits.

An unexpected benefit of all of this diversion of corn into the fuels market might be a return by our candymakers and soft drink manufacturers to real sugar, as maize prices skyrocket. The omnipresence of High-Fructose Corn Syrup, as I have asserted, is probably a major contributor to the North American obesity epidemic.

Ex-Computer Hacker Granted Radio License Thu Dec 26, 5:21 PM ET Add Technology – AP to My Yahoo!

By DAVID HO, Associated Press Writer

WASHINGTON – A man the federal government once labeled “the most wanted computer criminal in U.S. history” has won a long fight to renew his ham radio license and next month can resume surfing the Internet.

Kevin Mitnick, 39, of Thousand Oaks, Calif., served five years in federal prison for stealing software and altering data at Motorola, Novell, Nokia (news – web sites), Sun Microsystems and the University of Southern California. Prosecutors accused him of causing tens of millions of dollars in damage to corporate computer networks.

Mitnick was freed in January 2000. The terms of his probation, which expire Jan. 20, require he get government permission before using computers, software, modems or any devices that connect to the Internet. His travel and employment also are limited.

Mitnick has been allowed to use a cell phone for a couple of years and received permission this year to type a manuscript on a computer not connected to the Internet.

“Not being allowed to use the Internet is kind of like not being allowed to use a telephone,” Mitnick said Thursday in a phone interview.

Mitnick said he is starting a firm to help companies protect themselves from computer attacks. He said the end of his probation will allow him to do hands-on work.

Christopher Painter, deputy chief of the Justice Department (news – web sites)’s computer crime section and the former assistant U.S. attorney who prosecuted Mitnick, said that once the former hacker’s probation is over, he won’t be subject to any special surveillance.

“Not any more than anyone else would,” Painter said. He added that “if there’s any indication that anyone is engaged in illegal conduct, we’re going to look into that.”

Mitnick led the FBI (news – web sites) on a three-year manhunt that ended in 1995 when agents collared him in an apartment in Raleigh, N.C., with the help of a top security expert. During the chase, Mitnick continued breaking into computer networks and became a cult hero among hackers.

Mitnick applied to renew his ham radio license in 1999, while still in prison. The Federal Communications Commission (news – web sites) ordered a hearing, citing that Mitnick at one time was “the most wanted computer criminal in U.S. history.”

FCC (news – web sites) Administrative Law Judge Richard Sippel granted the license in a ruling made public Monday.

“He started hacking as an inquisitive teenager and wound up a disgraced felon,” Sippel wrote. “There is reliable evidence that Mr. Mitnick has focused on becoming an honest, productive citizen.”

Mitnick said he was pleased with the decision.

“We put on a good case to show the FCC that I’m sorry for my past actions,” he said.

Mitnick, who began using ham radios when he was 13, said it cost him more than $16,000 in legal expenses to convince the FCC to renew his license. Typical renewals are free. “It’s the most expensive amateur radio license in the world,” Mitnick said.

Since his release from prison, Mitnick has appeared on television, as an expert witness in the courtroom and before Congress, offering advice about computer security. He also wrote a book, “The Art of Deception,” which was published in October and describes scenarios where tricksters dupe computer network administrators into revealing security details.

___

———–

Service Providers suck. They hire guys like me to figure out how to maximize the share-of-wallet while containing the growth and supporting their other, boneheaded, legacy products. Generally speaking, carriers are obstacles to the adoption of technology, rather than instigators of it.

What this article hints at is a mesh of ad-hoc mobile phone users each sharing their network capacity and organically frequency-hopping to avoid network trouble zones. Whereas it has proven impossible for mobile phone network dweebs to engineer reliable wireless services in North America, this could be the answer.

More and more spectrum will be made available to the general public around this world, or we will figure out better ways to use that which is already allocated. In the end, the Return On Investment that carriers expect for their 3G licenses, which already has an event horizon measured in decades, may never happen.

Regulatory bodies will be faced with bolstering floundering wireless carriers, which are clearly obstacles to growth, or enabling an ecosystem of radical technologies to flower into a jungle of new technologies, applications, and networks. The trend of technology and invention clearly favours the latter.

-Ian.

——— http://story.news.yahoo.com/news?tmpl=story&ncidR8&e=4&cidR8&u=/ap/ 20021125/ap_on_hi_te/the_new_spectrum

New Gadgets May Spark Deregulation Mon Nov 25, 7:38 AM ET Add Technology – AP to My Yahoo!

By BRIAN BERGSTEIN, AP Business Writer

NEW YORK (AP) – It almost sounds too “Star Trek” to be possible: A multipurpose cell phone that also serves as an FM radio, walkie-talkie, garage door opener and TV remote control.

And what if every time you made a call with that handset it increased the performance of other phones already in use — instead of competing for airwaves with them?

While such wireless wizardry remains a few years off, those days could be coming faster now, thanks to a rare confluence of technology breakthroughs and a rethinking of airwave regulation by the federal government.

“It is kind of an interesting point in time when it comes to wireless networks,” said Dallas Nash, co-founder of Mississippi-based SIGFX LLC, a player in the impending wireless revolution.

SIGFX figured out how to transmit cell phone calls in a thin part of the airwave spectrum already used by TV stations. By dramatically reducing the cost and increasing the range of wireless phone networks, the invention could bring reliable service to rural areas and developing countries.

Vanu Bose has big dreams, too: to create that new generation of radios — that’s really all that cell phones and garage-door openers are — that can move between various functions with an icon click. The trick is to replace much of the circuitry found in radios with flexible software.

Bose began working at it in a military-sponsored communications project at the Massachusetts Institute of Technology (news – web sites). After graduating in 1998, he started his own company, Vanu Inc., to further develop the technology.

Now Cambridge, Mass.-based Vanu Inc. has created an all-software base station — which relays calls from wireless phones on cellular networks. Vanu also has built a prototype handheld computer that can make calls on different kinds of wireless networks and work as a walkie-talkie, baby monitor, FM radio — “whatever you want,” Bose said.

The big challenge is that the device is limited to 10 to 20 hours of battery life. Bose — son of the stereo engineer who founded Bose Corp. — believes that with more development and improvements in low-power microprocessors, the device could be the size of a cell phone and have a much longer battery life.

At the same time, other researchers are making progress in developing “smart” radio receivers that can, on their own, determine instantaneously when and where a bit of spectrum is going unused and switch their communications accordingly to avoid interference. (A method of doing that is already employed in cellular networks and cordless phones).

In fact, advocates of an “open spectrum” or a “commons” policy believe new generations of radio receivers will routinely handle their own conversations and help relay others at the same time.

“If every radio is both a transmitter and a receiver, as you add more, you add capacity to the network,” said David P. Reed, a former chief scientist at Lotus Development Corp. and a leader of the “open spectrum” movement.

“My gut feeling,” Reed said, “is that in 10 or 20 years this will be as big as the Internet.”

That may seem a wide-eyed prediction, but ideas like this are not just grass-roots dreams.

Intel Corp. backs software-defined radio in hopes it will ignite an explosion of demand for wireless chips. The military’s Defense Advanced Research Projects Agency (DARPA) is working on several ways to “increase spectrum usage by dynamically sensing and adapting in frequency, time and space.”

Researchers at Bell Laboratories, part of Lucent Technologies Inc., recently announced a breakthrough in their BLAST technology, which takes advantage of interference on a network to increase the rates at which data can be sent.

Many technology experts say such breakthroughs should force a revolution in how we treat the airwaves. Since the 1920s, electromagnetic spectrum has been handled like real estate. The government licenses use of slices of spectrum and tightly regulates what can be done in those bands.

Much of the spectrum is tied up — largely by the military — and there’s only so much room for experimental and innovative new technologies in unlicensed bands, such as those occupied by cordless phones and the wireless networking system known as WiFi.

But in what looks like the beginning of a historic policy shift, the Federal Communications Commission (news – web sites) has been listening closely to the technology crowd — and to cellular carriers that spent tens of billions of dollars for spectrum licenses and want more freedom to use or trade them as they see fit.

“We have perhaps the most interesting debate in spectrum governance taking place in America since the 1930s,” said Adam Thierer, director of telecommunications studies at the Cato Institute, a libertarian think tank.

This month, a task force appointed by FCC (news – web sites) Chairman Michael Powell — and headed by the former leader of DARPA’s communications research — offered a framework for a spectrum policy overhaul expected to begin next year.

The group said the government should grant wireless carriers more flexibility with their expensive spectrum licenses so they may lease portions of the airwaves that go unused at certain times, for example.

It also endorsed the “commons” concept in some circumstances, saying new technologies should have more freedom to operate in regulated bands — as long as they don’t interfere with cellular conversations or radio broadcasts — and in unlicensed parts of the spectrum as well.

In essence, the FCC finally would be treating spectrum like real estate in the physical world, where the public has easements and parks alongside private property, and airplanes can fly overhead.

Such monumental changes probably will provoke some fights in Washington.

“Certain ossified licensees will inherently be resistant to change,” said Bryan Tramont, Powell’s senior legal adviser.

Even parties who are clamoring for change are circumspect. Wireless phone carriers, for example, praise the FCC’s efforts to modernize spectrum policy. But some say technologies such as software-defined radio might be too unproven to form the basis of policy changes.

They also worry that low-power transmissions by rival technologies on or near already-licensed frequencies could interfere with wireless phone conversations.

“It’s hard to oppose looking at spectrum policy anew,” said Doug Brandon, AT&T Wireless’ vice president of federal affairs. But, he added, eventually, “someone will say, `My ox just got gored.'”

———–

The Bush administration and the American media have passed by the anniversary of the anthrax attacks on leading congressional Democrats in virtual silence. There has been little media commentary assessing the meaning of the attempt to kill Senate Majority Leader Tom Daschle and Senate Judiciary Committee Chairman Patrick Leahy, whose offices were targeted with letters filled with trillions of lethal anthrax spores that could have killed dozens, if not hundreds, of people.

The mailings to Daschle and Leahy followed a series of mailings of less potent anthrax spores to media outlets—a tabloid office in Florida, the New York Post, and NBC News. The Democrats and the media are habitual targets of the ultra-right in the United States. But both federal investigators and the media itself have been largely silent about the likelihood of a right-wing political motivation for the anthrax attacks.

Nor has the media spotlight been placed on the manifest failure of federal investigators to apprehend the person or persons responsible for the attacks, which killed five people and caused serious and potentially disabling illness in a dozen others. Once it became clear, within a few days of the attack, that the most likely suspects were fascist-minded elements in the US military-intelligence establishment, not terrorists affiliated with Al Qaeda or Iraq, the FBI effectively shoved its investigation onto the back burner.

According to scientists who have discussed the investigation with the press, there are extraordinary delays and unexplained wrong turns in the FBI investigation:

* The FBI could have identified the institutions that possessed the Ames strain of anthrax used in the attacks with a routine database search. But subpoenas for samples of the bacteria were not sent out until February, four months after the attacks.

* Receipt of the samples was delayed by another two to four months because no proper storage room had been prepared at the Ft. Detrick Army germ warfare lab, which was to test them.

* Investigators did not locate the contaminated mailbox in Princeton, New Jersey, where the anthrax letters were likely mailed from, until August, ten months after the attacks. Testing of the 600 mailboxes on that postal route should have taken only two weeks, one expert said.

* Investigators waited until September 2002, 11 months later, to conduct exhaustive environmental testing at the Florida tabloid newspaper building where the first person to die of anthrax, photo editor Robert Stevens, worked.

* Investigators have still not spoken with all of the US scientists who made anthrax for the military’s biological weapons program in the 1950s and 1960s, although only two dozen are still alive. None were interviewed until months after the attacks.

Strangest of all, of course, is the treatment of Dr. Steven Hatfill, whose name was reportedly provided to the FBI within a few days of the anthrax attacks. Hatfill had a grievance against the government because his security clearance was revoked in August 2001, ultimately costing him his job at defense contractor SAIC. He was, according to his own resume, familiar with both dry and wet forms of the anthrax toxin. He had written a novel about a germ warfare attack on the US Congress, and commissioned a study of the threat of anthrax-laced letters that included information on the best size of particles and kinds of envelopes.

Although Hatfill had opportunity, motive and the necessary skills, and reportedly failed several lie detector tests, he was never arrested or detained. His name only came to public attention after a campaign of exposure by Barbara Hatch Rosenberg, a bioweapons expert at the Federation of American Scientists, and New York Times columnist Nicholas Kristof.

Rosenberg charged that Hatfill was being given high-level protection by the government because of his involvement in top secret germ warfare projects. “We know that the FBI is looking at this person, and it’s likely that he participated in the past in secret activities that the government would not like to see disclosed,” she wrote. “And this raises the question of whether the FBI may be dragging its feet somewhat and may not be so anxious to bring to public light the person who did this.”

Kristof detailed Hatfill’s role as a military/intelligence operative for white racist-ruled Rhodesia and South Africa. He suggested that Hatfill—whom he initially called “Mr. Z.”, in deference to the government’s refusal to name him—was still on active duty for the US government in operations in Central Asia.

As the World Socialist Web Site commented at the time: “Kristof’s central accusation is that the anthrax investigation has reached a dead end, not because of the lack of evidence, but because the prime suspect has powerful friends in high places and enjoys official protection….Kristof’s column points inexorably to the conclusion that the Bush administration is an accessory after the fact—if not before it—in the attempted assassination of the official political opposition.”

Neither Rosenberg nor Kristof provided definitive proof that Hatfill was the anthrax terrorist. But they detailed circumstantial evidence that was far more convincing than the vague suspicions, or racist innuendo, used by the Justice Department in its roundup of thousands of Arab and Muslim immigrants after the September 11 terrorist attacks. The Justice Department’s reluctance to move against Hatfill was in sharp contrast to the agency’s practice in other terrorist investigations. If the prime suspect in the anthrax case had been a Muslim—or even better, an Iraqi—Attorney General John Ashcroft would likely have designated him an “enemy combatant” and had him locked up indefinitely.

That Hatfill had—and still enjoys—high-level protection is demonstrated by political associations that came to light after the FBI was compelled to move more openly against him. After the third search of Hatfill’s Frederick, Maryland apartment, the Justice Department sent a letter to Louisiana State University to forbid the school to hire Hatfill as a $150,000 deputy director of the National Center for Biomedical Research and Training, an LSU lab financed by the federal government.

Hatfill fought back, holding a public press conference at which he denied any connection to the anthrax attacks. He has rallied sections of the ultra-right to his defense. His press spokesman and close friend, Pat Clawson, is a former CNN journalist who now works on the radio talk show of right-wing activist and Iran-Contra plotter Oliver North. The right-wing propaganda outfit Accuracy in Media hosted his press conferences and published statements denouncing the alleged FBI “persecution.” Senator Charles Grassley, an Iowa Republican, raised the issue in the Senate Judiciary Committee and wrote a letter of protest to Ashcroft, declaring, “‘ It is important that the government act according to laws, rules, policies, and procedures, rather than make arbitrary decisions that affect individual citizens.”

Perhaps the most significant intervention came from the editorial page of the Wall Street Journal, which denounced Rosenberg and Kristof for pressuring the FBI, and declared that the real culprit in the anthrax attacks was Iraq.

On October 9, the Baltimore Sun—one of the few daily newspapers to pursue the anthrax issue seriously—published a report claiming that Hatfill had lied repeatedly about his educational and employment record, including forging a bogus certificate for a Ph.D. from Rhodes University that he had not received.

Again, the double standard is staggering. Muslim and Arab immigrants were seized by federal authorities and detained indefinitely for missing deadlines for submitting routine paperwork that would never have been the occasion for arrest or prosecution before September 11.

The anthrax attacks had extraordinary political significance. Daschle and Leahy are among the highest-ranking leaders of the official opposition party in Washington. Daschle is Senate majority leader, the top Democrat in Congress, while Leahy’s committee handles such politically sensitive issues as the confirmation of judicial nominees and legislation on abortion, criminal justice and civil rights.

During the first several days after an anthrax-laced letter was opened October 15, 2001 by a Daschle aide, sending spores into the ventilation system of the office building, the entire building had to be closed and cleaned, putting dozens of senators into temporary accommodations for several months. The Republican-controlled House of Representatives voted to adjourn indefinitely, and Senate Republican leader Trent Lott initially proposed that the Senate do likewise.

There is a curious coincidence between what Lott proposed and the decision by the Bush administration after the September 11 terrorist attacks to establish a shadow government in secret bunkers which would provide continuity in the event of a nuclear/chemical/biological attack that destroyed Washington DC. The shadow government was also limited to the executive branch, making no provision for the safeguarding or reconstitution of an elected legislature.

The political consequences of the anthrax terrorism and the Bush administration’s plans for a shadow government dovetailed completely. Both would have shut down the legislative branch and left the executive branch with virtually unrestricted power.

It was revealed last December that the anthrax spores in the Daschle and Leahy letters were genetically identical to those produced at US germ warfare facilities at Ft. Detrick, Maryland and Dugway, Utah. In other words, the Democratic Party leadership was targeted for assassination using weapons produced by (or stolen from) the American military itself. The whole affair exudes the stench of an attempted political coup.

See Also:

———–

October 6, 2002 The De Facto Capital By FRANK RICH The New York Times

They got it right the first time. New York was the capital of the nation at its birth. The first presidential inauguration, in 1789, wasn’t far from ground zero, and the first presidential residence, at 3 Cherry Street, was on a spot now occupied by one of the supports for the Brooklyn Bridge. George Washington slept there, but not for long. In a political deal purportedly made on a downtown sidewalk, Alexander Hamilton traded away the location of the capital to Thomas Jefferson to entice the South to give the federal government power to assume state debts. A year later, Congress and the president decamped to Philadelphia, and a decade after that, they settled into a new federal city next to which the City of Brotherly Love seems like Shangri-La. As Jack Lait and Lee Mortimer, two New York tabloid reporters of a later day, would assess the fateful final choice of a national capital in their 1951 best seller, ”Washington Confidential”: ”The founding fathers, whose infinite wisdom gave us a Constitution and form of government well nigh perfect, located the seat of that government in a stinking, steaming swamp.”

The country’s seat may still be mired in that swamp, but its heart, soul and brains are more evident than ever in its first capital, 200 miles to the north. While New York has long been the nation’s center of culture, finance, fashion and media, the city in the aftermath of Sept. 11 cohered into something more than the sum of its perennially celebrated parts. After its highest towers were taken down, New York rose from its initial shock to illustrate in real time what America actually is, a huge and resilient democracy animated by citizens of every conceivable stripe, pursuit and ethic (from those who gave their lives for others at the World Trade Center to those who looted its shopping mall). Instead of seeming, as it often had, like an eccentric island adrift from the rest of the country, the city found itself valued instead as a concentrated representation of the whole. That outsiders would regard it as the true American capital was proof that Americans now define themselves far more by their cultural choices, most of which are tweaked and marketed by the information factories of Manhattan, than by their choice (if any) of political party. Not that New York is shy about offering political leadership if it spots a vacuum. When the White House’s occupant was nowhere to be found on the day the country needed him most, New York went so far as to offer up its own chief executive as the nation’s paterfamilias. America is still grateful.

Even at the literal level, New York is more representative of American political values than the official capital. Washington, where I grew up and where my family has lived since the Civil War, is still a colony where the voters are denied the full rights of self-determination. Its citizens and public officials alike remain in thrall to a federal government over which they have virtually no say, in the shadow of a president who serves as the de facto prince regent of the tourist precincts, the only part of the city most Americans see. Washington is less an exemplar of democracy than an agglomeration of marble facades paying unctuous tribute to that aspiration. George W. Bush, and he is hardly the first president to do so, treats it as a politically obligatory diorama that he can flee any and every chance he gets.

New York doesn’t think of itself as competing with Washington — the same cannot be said of the reverse — but periodically it does so, if only to let the world know who’s really boss. After World War II, suburban Virginia tried to lure the fledgling United Nations to metropolitan Washington, until someone belatedly realized that an international citizenry would not take kindly to segregated schools. In 1959, the Washington Board of Trade mounted an elaborate campaign to make the ”Capital of the Free World” the site of the 1964 World’s Fair. According to one account, the D.C. advocates’ hard sell leaned heavily on the annual cherry-blossom festivals, the ”colorful parades constantly held when distinguished foreign guests visit the city” and ”the elaborate and dignified presidential inauguration celebrations.” That was all it took to persuade the World’s Fair Commission to reach unanimity in awarding the plum to Robert Moses’s posse from New York.

This year brought the Olympics bake-off. To increase its odds as a site for the 2012 summer games, Washington entered into a shotgun marriage with the more plausibly urban Baltimore. The capital’s confidence was such that it took for granted a Washington Post report in July that D.C. and San Francisco were ”the apparent front-runners,” beating out New York and Houston. The next month brought the shocking news that it was Washington that had been eliminated along with Houston (the only other city that can match both its toxic summer weather and complement of former Enron executives). After this defeat, there was much local muttering that ”politics” was the culprit and that Washington might have been punished because of the unpopularity abroad of the incipient war on Iraq.

How much easier for Washingtonians to blame Saddam than to take a hard look at their own city. D.C. may have talked a good game about sports to the U.S. Olympic Committee, but for three decades it has lacked a major-league team in the most American sport of them all. It purports to be as up to date as the new economy, but the signature digital-era companies to put down roots there, AOL and MicroStrategy, are synonymous with the dot-com bust. The capital’s Maryland and Virginia suburban enclaves are famous for having some of the country’s most over-the-top houses as measured by square footage but none of the most imaginative architecture.

Such is Washington’s appeal to tourists that it did not make the list of the Top 10 North American cities in this year’s Travel and Leisure magazine readers’ poll. (New York came in first.) The capital’s restaurants can’t compete with those of Vegas, let alone New York, Chicago and the Seattle-to-Los Angeles culinary axis of the West. Its taxicabs have a suspect fee structure as gerrymandered as the map of Congressional voting districts. While New York has contributed to the American language such joyous words as ”whoopee” and ”hot dog,” Washington has coined ”inside the Beltway” and ”Department of Homeland Security.” America’s songwriters and poets have repeatedly celebrated Manhattan, the Bronx and Staten Island too — not to mention San Francisco, Chicago and St. Louis — but where is that romantic lyric about the capital? ”Hail to the Redskins” will have to do.

First appearances can be deceptive to new visitors to D.C. Edmund Wilson once observed that Washington, ”after other American cities, seems at first such a relief, so agreeable,” but ”turns out, when one has stayed there any length of time, to have little personality of its own and to come to taste rather flat.” Or as Cindy Adams wrote this year: ”Even folks who live in Washington don’t want to be there. The high point for a visitor? Catching a glimpse of Trent Lott in Person? I mean, please.”

By contrast, you have to pry people away from New York. The gaping wound only deepened the citizenry’s already intimate connection to their city. In the poignant opening episode of the post-9/11 season of ”Sex and the City,” Carrie went so far as to choose the city over sex, spurning the advances of a Fleet Week sailor after he committed the sin of knocking her town. It was the patriotic thing to do.

New Yorkers who were out of town on 9/11 felt desperate to return. Since then, we seem inexorably drawn to the watering holes and restaurants and merchants downtown, as if to fill in the shadow of death with the lubricious glow and laughter of irrepressible life. We are more aware of our neighbors than before: not just the firemen and the cops and the family that lost someone, but the guy who lost his business in the undertow, the guy who is trying to rebuild, the all-American Sikh cabbie who bedecks his windshield with flags lest he be victimized (as in New York he has generally not been) by guilt-by-turban. The fate of ground zero is, inevitably, a noisy political and aesthetic debate, but whatever acrimony may attend it, it is also a classic American project: a battle between money and values, between commerce and art, between powerful interests and upstart citizenry, between past and future, all staged on an open 16-acre expanse that is urban America’s largest frontier.

Not only were the dire predictions of a mass exodus wrong, but the reverse may be happening. A New York Times/CBS News poll in August found that the number of inhabitants who think that New York will be a better place to live in 10 or 15 years is the same as it was the month before the attack. Manhattan’s residential real-estate values were clocked this summer at 15 percent higher than they had been pre-Sept. 11; signed contracts on apartments were up this July over last, too, reflecting the possibility that more people are arriving than leaving, even during an economic downturn. Neighborhoods reinvent themselves faster than anyone can keep count, from Harlem to the Lower East Side. Queens, generally an also-ran in any five-borough hipness sweepstakes, shows signs of becoming the new Brooklyn (though it still lacks its own Zagat). The Museum of Modern Art lives in Queens now, and so do a disproportionate number of artists, writers, dancers and musicians — including the novelist Jonathan Safran Foer, who is only the latest in a long list of Washington-spawned talents (from Duke Ellington to Paul Taylor) who fled the capital’s culturally parched environment to reach full bloom in the enriching concrete of New York.

In Washington, there is far more culture than there used to be, but spectacle, in keeping with the town’s own bombastic aesthetics, tends to be the hottest ticket — blockbuster shows at the National Gallery, Disney musicals and the Bolshoi on tour. Cities as small as Minneapolis and Seattle have a more lively indigenous arts scene than Washington. The plight of culture in the capital is symbolized by the Kennedy Center, an afterthought not even deemed worthy of its own stop on the city’s part-time Metro system. A world-class impresario, Michael Kaiser, has at last been imported to revive the place, and this summer he performed a Heimlich maneuver in the form of the well-received Sondheim Celebration. But half the weekend audience was New Yorkers, to whom Kaiser may have to continue to cater. The low-slung performing arts barn on the Potomac has for so long been isolated from the best American culture, high, middle and pop, that its annual low-rated televised honors have of late been reduced to bestowing some of their medallions on Brits rather than native genius. (This year’s Kennedy Center knight, Paul McCartney, has taken a rain check.) Such is President Bush’s respect for the capital’s temple of culture that among his first appointments to its board was Bo Derek.

With the exception of the B-list Hollywood names who get all dressed up (once, anyway) for the White House Correspondents’ Dinner, artists turn up in the city en masse only when Congress is posturing about the arts and humanities endowments. As for what American pop culture thinks of Washington as a city, as opposed to a government, one need only look at ”Minority Report,” in which the capital’s defining trait, even years in the future, is its historically high crime rate. The movie’s point seems to be that nothing short of the ability to arrest suspects before they commit a crime would have enabled D.C.’s benighted police force to crack a case like Chandra Levy’s.

New York is hardly without crime, but it also has the positive side of urban friction: the manifest humanity that results when millions of people of all kinds are packed together to make a go of it. The fundamental DNA of the city has never changed. It has always been a gateway for immigrants as well as an arena for big money. Its crowds have been large and raucous from the start. That ”culture of congestion,” in the phrase of the architect Rem Koolhaas, leads to a nonstop chain reaction of serendipitous human fusion, creative and sexual and economic, that is as American as you can get. The byproducts include hyphenated talents, melting-pot families, a constant, bubbling hands-on laboratory for social, political and cultural change in which the experiments alternately succeed big and fail catastrophically, in full public view.

At some point, Washington had its own dreams of being a sizzling capital. In ”Political Terrain,” Carl Abbott writes of how in the late 19th century it was still hoped that D.C. ”could aspire to be the Rome of America in the arts, the Berlin of America in education and the Paris of America as a city of beauty and pleasure.” But the city stood still while those roles were respectively claimed by New York, Boston and San Francisco. (Though George Washington had offered to help endow a major university for the new capital, few of its grandees seconded his enthusiasm.) Despite early hopes that the federal district might be an economic hub, it was as hard for capitalism to take root as culture. As Edwin G. Burrows and Mike Wallace write in ”Gotham,” it became apparent early in the 19th century that the United States ”would have two centers, one governmental, the other economic.” It was a ”separation of powers as emphatic as anything in the Constitution” with ”no parallel in the Western world.” The American capital that emerged was, in John Kennedy’s famous formulation, a city of ”southern efficiency and northern charm” — a rare point of agreement between him and Richard Nixon, who pronounced Washington ”a city without identity” and voted with his feet to spend most of his political exile in New York prior to his 1968 comeback.

If Washington has an indistinct identity, it does have its own DNA — that of a town of transients. When legislative sessions were far briefer than they are now, Congress and the Supreme Court took residence in temporary quarters, then fled to better climes (as they still do when in recess). ”The greatest and most respectable business that is done in Washington is keeping boarding houses,” said an 1829 handbook for new arrivals. It wasn’t until well into the 20th century, as the federal government expanded during the New Deal (with its hefty infusion of F.D.R. New Yorkers) and World War II, that the city’s population did as well. By then it had long since missed out on the great wave of turn-of-the-century immigration that gave New York and every other East Coast metropolis their human and cultural variety. Even now, the capital lacks the ethnic spectrum of other major American cities. In the 2000 census, the Asian population of New York — almost 10 percent of the city’s eight million inhabitants — was substantially larger than the entire population of D.C., where the Asian population is only 2.6 percent. Though the number of Hispanics is rising in Washington as elsewhere, in 2000 they still made up, at most, 9 percent of the city, as opposed to a quarter of New York.

When the W.P.A. assembled its guidebook to the capital during the Depression, the authors seemed almost desperate to imbue their subject with distinction. One wistful accolade paid tribute to the city’s ”profusion of shade trees.” When the book was revised in 1942, the district’s most distinctive aspect was played down — the references to the second-class citizenship of its black residents, who like all Washingtonians had no right to vote, even in presidential elections, but who also continued to suffer many of the deprivations of slavery, from discrimination to poor public health and schools. In a 1983 reissue, a new editor set the record straight, but noted as compensation that ”it is easier to find one’s bearings in Washington than in other American cities.” (So true, and so what?)

Though opponents of full home rule for the District then and now can give all sorts of highfalutin constitutional arguments for their position, the perennial sub rosa reason for its substatus remains the same as it was before anyone had heard of Marion Barry’s coke bust or of the hapless current mayor, Anthony Williams, whose fraudulent nominating petitions contained ”signatures” from New York celebrities like Martha Stewart and Billy Joel. In 1965, Washington became the first major American city in which blacks outnumbered whites by more than 10 percent. Given the Republican Party’s inability to attract large numbers of black voters, it has hardly been in any rush to empower more of them at the price of likely handing the Democrats two voting seats in the Senate and one in the House.

The only time the capital’s residents had true self-rule was during a short-lived biracial governance experiment during Reconstruction, soon ended by white resistance. Though Washingtonians can now vote for president (since 1961), they have but a single nonvoting member of Congress. Under their limited form of home rule, in place only since the early 1970’s, the City Council, the mayor, the budget and even citizen-passed ballot initiatives can all be overruled by congressmen from states whose constituents’ firsthand knowledge of the capital may be limited to the compulsory school trip. It could be argued that nowhere in the country is the plantation mentality still more embedded in civic life than in an African-American city whose citizens lack the full rights of citizenship, even as their Army National Guard units are called on active duty for the war on terrorism. This antediluvian, or at least antebellum, state of affairs makes D.C. a strikingly anachronistic capital of America in the 21st century, whatever its validity as a capital before the passage of the 13th Amendment. Indeed, America’s capital has less democratic autonomy than President Bush this year demanded of the Palestinians.

Whatever Washington lacks in actual democracy, it makes up, of course, in monuments. But what represents the spirit of modern America more than the Statue of Liberty? The view of Lait and Mortimer, Washington’s churlish chroniclers of the 1950’s, still holds. They likened the city’s tourist appeal to that of Hollywood’s Forest Lawn cemetery, where busloads of Americans come to visit the movie stars’ graves. ”Its gleaming public buildings of white marble are like so many mausoleums,” they wrote. ”Where it doesn’t look like a cemetery it resembles a movie set. It has a feel of unreality.” But if politics is show business for ugly people, as the old joke has it, you can’t push the Hollywood analogy too far. ”Washington is dominated by elected and appointed functionaries who are schooled to believe they must never be caught having fun,” Lait and Mortimer wrote. ”Therefore, after dark, it is more like Paducah than Paris.” Unlike New York, which has winked at mayoral girlfriends from Jimmy Walker’s to Rudolph Giuliani’s (and doesn’t care where its current bachelor mayor spends his weekends), Washington was the last to discover John Kennedy’s sex life and is still as open-mouthed as an Edvard Munch screamer when contemplating Bill Clinton’s.

Washington’s idea of a Hollywood sex symbol is a cast member in ”The West Wing” — no matter whom — because what could be more erotic than a powerful government bureaucrat? The city’s idea of an intellectual is a Sunday-morning talking head; its literary apotheosis is the trade journal. Its loudest academic posturing emanates from the so-called university without students, the think tank, invented by the Brookings Institution in 1927 and a major Washington growth industry since the 1970’s. The think tanks’ tenured ”professors,” with grandiose titles that might have been lifted from the Marx Brothers’ ”Duck Soup,” are often out-of-office ideologues with more position papers than books to their credit. Only in this heady environment could William Bennett be mistaken for Harold Bloom and CNN’s ”Capital Gang” for the Algonquin Round Table. Unlike decision makers in other capitals, Washington’s power elite don’t routinely commingle with top-rung scholars, scientists, novelists, artists and musicians who might broaden their thinking beyond the parameters set by the city’s army of lobbyists and single-issue advocates.

Though Washington suffered its own grievous wound on Sept. 11, it remains as insular as it was before the attack. As the country’s official capital, it is to New York as Ankara is to Istanbul, Canberra is to Sydney, Brasilia is to Rio. Strolling through downtown and past the alabaster public buildings on a beautiful afternoon, you find that the sparse pedestrian traffic is often limited to government workers in cookie-cutter garb and cadres of tourists hoping to find some semblance of urban brio after having had their fill of the National Air and Space Museum. (They’d be better advised to hightail it to the city’s black or gay enclaves or even the suburbs.)

Take a similar walk through the central commercial districts of New York, whatever the borough, and you’ll find not just animated sidewalks packed with locals but also signs of a city in perpetual renewal, pursuing creation and demolition with equal abandon, always testing the limits. That hope, that drive, that hunger to keep moving no matter what, is America at its highest throttle. Should the Olympians come to the true capital, they won’t automatically own the town, as they would if they had landed in Washington. In New York, they’ll find that no sooner do the games begin than they are locked into the even tougher competition of winning the city’s favor, just like every other newcomer who has ever come here with dreams of going for the gold.

Frank Rich is a Times columnist and a senior writer for the magazine.

———–

To stop the rampant theft of expensive cars, manufacturers in the 1990s began to make ignitions very difficult to hot-wire. This reduced the likelihood that cars would be stolen from parking lots— but apparently contributed to the sudden appearance of a new and more dangerous crime, carjacking. After a vote against management Vivendi Universal announced earlier this year that its electronic shareholder-voting system, which it had adopted to tabulate votes efficiently and securely, had been broken into by hackers. Because the new system eliminated the old paper ballots, recounting the votes—or even independently verifying that the attack had occurred—was impossible. To help merchants verify and protect the identity of their customers, marketing firms and financial institutions have created large computerized databases of personal information: Social Security numbers, credit-card numbers, telephone numbers, home addresses, and the like. With these databases being increasingly interconnected by means of the Internet, they have become irresistible targets for criminals. From 1995 to 2000 the incidence of identity theft tripled. s was often the case, Bruce Schneier was thinking about a really terrible idea. We were driving around the suburban-industrial wasteland south of San Francisco, on our way to a corporate presentation, while Schneier looked for something to eat not purveyed by a chain restaurant. This was important to Schneier, who in addition to being America’s best-known ex-cryptographer is a food writer for an alternative newspaper in Minneapolis, where he lives. Initially he had been sure that in the crazy ethnic salad of Silicon Valley it would be impossible not to find someplace of culinary interest—a Libyan burger stop, a Hmong bagelry, a Szechuan taco stand. But as the rented car swept toward the vast, amoeboid office complex that was our destination, his faith slowly crumbled. Bowing to reality, he parked in front of a nondescript sandwich shop, disappointment evident on his face. Schneier is a slight, busy man with a dark, full, closely cropped beard. Until a few years ago he was best known as a prominent creator of codes and ciphers; his book Applied Cryptography (1993) is a classic in the field. But despite his success he virtually abandoned cryptography in 1999 and co-founded a company named Counterpane Internet Security. Counterpane has spent considerable sums on advanced engineering, but at heart the company is dedicated to bringing one of the oldest forms of policing—the cop on the beat— to the digital realm. Aided by high-tech sensors, human guards at Counterpane patrol computer networks, helping corporations and governments to keep their secrets secret. In a world that is both ever more interconnected and full of malice, this is a task of considerable difficulty and great importance. It is also what Schneier long believed cryptography would do—which brings us back to his terrible idea. “Pornography!” he exclaimed. If the rise of the Internet has shown anything, it is that huge numbers of middle-class, middle-management types like to look at dirty pictures on computer screens. A good way to steal the corporate or government secrets these middle managers are privy to, Schneier said, would be to set up a pornographic Web site. The Web site would be free, but visitors would have to register to download the naughty bits. Registration would involve creating a password—and here Schneier’s deep-set blue eyes widened mischievously. People have trouble with passwords. The idea is to have a random string of letters, numbers, and symbols that is easy to remember. Alas, random strings are by their nature hard to remember, so people use bad but easy-to-remember passwords, such as “hello” and “password.” (A survey last year of 1,200 British office workers found that almost half chose their own name, the name of a pet, or that of a family member as a password; others based their passwords on the names Darth Vader and Homer Simpson.) Moreover, computer users can’t keep different passwords straight, so they use the same bad passwords for all their accounts. Many of his corporate porn surfers, Schneier predicted, would use for the dirty Web site the same password they used at work. Not only that, many users would surf to the porn site on the fast Internet connection at the office. The operators of Schneier’s nefarious site would thus learn that, say, “Joesmith,” who accessed the Web site from Anybusiness.com, used the password “JoeS.” By trying to log on at Anybusiness.com as “Joesmith,” they could learn whether “JoeS” was also the password into Joesmith’s corporate account. Often it would be. “In six months you’d be able to break into Fortune 500 companies and government agencies all over the world,” Schneier said, chewing his nondescript meal. “It would work! It would work—that’s the awful thing.” uring the 1990s Schneier was a field marshal in the disheveled army of computer geeks, mathematicians, civil-liberties activists, and libertarian wackos that—in a series of bitter lawsuits that came to be known as the Crypto Wars—asserted the right of the U.S. citizenry to use the cryptographic equivalent of kryptonite: ciphers so powerful they cannot be broken by any government, no matter how long and hard it tries. Like his fellows, he believed that “strong crypto,” as these ciphers are known, would forever guarantee the privacy and security of information—something that in the Information Age would be vital to people’s lives. “It is insufficient to protect ourselves with laws,” he wrote in Applied Cryptography. “We need to protect ourselves with mathematics.” Schneier’s side won the battle as the nineties came to a close. But by that time he had realized that he was fighting the wrong war. Crypto was not enough to guarantee privacy and security. Failures occurred all the time—which was what Schneier’s terrible idea demonstrated. No matter what kind of technological safeguards an organization uses, its secrets will never be safe while its employees are sending their passwords, however unwittingly, to pornographers—or to anyone else outside the organization. The Parable of the Dirty Web Site illustrates part of what became the thesis of Schneier’s most recent book, Secrets and Lies (2000): The way people think about security, especially security on computer networks, is almost always wrong. All too often planners seek technological cure-alls, when such security measures at best limit risks to acceptable levels. In particular, the consequences of going wrong—and all these systems go wrong sometimes—are rarely considered. For these reasons Schneier believes that most of the security measures envisioned after September 11 will be ineffective, and that some will make Americans less safe. It is now a year since the World Trade Center was destroyed. Legislators, the law-enforcement community, and the Bush Administration are embroiled in an essential debate over the measures necessary to prevent future attacks. To armor-plate the nation’s security they increasingly look to the most powerful technology available: retina, iris, and fingerprint scanners; “smart” driver’s licenses and visas that incorporate anti-counterfeiting chips; digital surveillance of public places with face-recognition software; huge centralized databases that use data-mining routines to sniff out hidden terrorists. Some of these measures have already been mandated by Congress, and others are in the pipeline. State and local agencies around the nation are adopting their own schemes. More mandates and more schemes will surely follow. Schneier is hardly against technology—he’s the sort of person who immediately cases public areas for outlets to recharge the batteries in his laptop, phone, and other electronic prostheses. “But if you think technology can solve your security problems,” he says, “then you don’t understand the problems and you don’t understand the technology.” Indeed, he regards the national push for a high-tech salve for security anxieties as a reprise of his own early and erroneous beliefs about the transforming power of strong crypto. The new technologies have enormous capacities, but their advocates have not realized that the most critical aspect of a security measure is not how well it works but how well it fails. The Crypto Wars f mathematicians from the 1970s were suddenly transported through time to the present, they would be happily surprised by developments such as the proofs to Kepler’s conjecture (proposed in 1611, confirmed in 1998) and to Fermat’s last theorem (1637, 1994). But they would be absolutely astonished by the RSA Conference, the world’s biggest trade show for cryptographers. Sponsored by the cryptography firm RSA Security, the conferences are attended by as many as 10,000 cryptographers, computer scientists, network managers, and digital-security professionals. What would amaze past mathematicians is not just the number of conferences but that they exist at all. Sidebar: Why the Maginot Line Failed “In fact, the Maginot Line, the chain of fortifications on France’s border with Germany, was indicative neither of despair about defeating Germany nor of thought mired in the past….” Cryptology is a specialized branch of mathematics with some computer science thrown in. As recently as the 1970s there were no cryptology courses in university mathematics or computer-science departments; nor were there crypto textbooks, crypto journals, or crypto software. There was no private crypto industry, let alone venture-capitalized crypto start-ups giving away key rings at trade shows (crypto key rings—techno-humor). Cryptography, the practice of cryptology, was the province of a tiny cadre of obsessed amateurs, the National Security Agency, and the NSA’s counterparts abroad. Now it is a multibillion-dollar field with applications in almost every commercial arena. As one of the people who helped to bring this change about, Schneier is always invited to speak at RSA conferences. Every time, the room is too small, and overflow crowds, eager to hear their favorite guru, force the session into a larger venue, which is what happened when I saw him speak at an RSA conference in San Francisco’s Moscone Center last year. There was applause from the hundreds of seated cryptophiles when Schneier mounted the stage, and more applause from the throng standing in the aisles and exits when he apologized for the lack of seating capacity. He was there to talk about the state of computer security, he said. It was as bad as ever, maybe getting worse. In the past security officers were usually terse ex-military types who wore holsters and brush cuts. But as computers have become both attackers’ chief targets and their chief weapons, a new generation of security professionals has emerged, drawn from the ranks of engineering and computer science. Many of the new guys look like people the old guard would have wanted to arrest, and Schneier is no exception. Although he is a co-founder of a successful company, he sometimes wears scuffed black shoes and pants with a wavering press line; he gathers his thinning hair into a straggly ponytail. Ties, for the most part, are not an issue. Schneier’s style marks him as a true nerd—someone who knows the potential, both good and bad, of technology, which in our technocentric era is an asset. Schneier was raised in Brooklyn. He got a B.S. in physics from the University of Rochester in 1985 and an M.S. in computer science from American University two years later. Until 1991 he worked for the Department of Defense, where he did things he won’t discuss. Lots of kids are intrigued by codes and ciphers, but Schneier was surely one of the few to ask his father, a lawyer and a judge, to write secret messages for him to analyze. On his first visit to a voting booth, with his mother, he tried to figure out how she could cheat and vote twice. He didn’t actually want her to vote twice—he just wanted, as he says, to “game the system.” Unsurprisingly, someone so interested in figuring out the secrets of manipulating the system fell in love with the systems for manipulating secrets. Schneier’s childhood years, as it happened, were a good time to become intrigued by cryptography—the best time in history, in fact. In 1976 two researchers at Stanford University invented an entirely new type of encryption, public-key encryption, which abruptly woke up the entire field. Public-key encryption is complicated in detail but simple in outline. All ciphers employ mathematical procedures called algorithms to transform messages from their original form into an unreadable jumble. (Cryptographers work with ciphers and not codes, which are spy-movie-style lists of prearranged substitutes for letters, words, or phrases—”meet at the theater” for “attack at nightfall.”) Most ciphers use secret keys: mathematical values that plug into the algorithm. Breaking a cipher means figuring out the key. In a kind of mathematical sleight of hand, public-key encryption encodes messages with keys that can be published openly and decodes them with different keys that stay secret and are effectively impossible to break using today’s technology. (A more complete explanation of public-key encryption will soon be available on The Atlantic’s Web site, www.theatlantic.com.) The best-known public-key algorithm is the RSA algorithm, whose name comes from the initials of the three mathematicians who invented it. RSA keys are created by manipulating big prime numbers. If the private decoding RSA key is properly chosen, guessing it necessarily involves factoring a very large number into its constituent primes, something for which no mathematician has ever devised an adequate shortcut. Even if demented government agents spent a trillion dollars on custom factoring computers, Schneier has estimated, the sun would likely go nova before they cracked a message enciphered with a public key of sufficient length. Schneier and other technophiles grasped early how important computer networks would become to daily life. They also understood that those networks were dreadfully insecure. Strong crypto, in their view, was an answer of almost magical efficacy. Even federal officials believed that strong crypto would Change Everything Forever—except they thought the change would be for the worse. Strong encryption “jeopardizes the public safety and national security of this country,” Louis Freeh, then the director of the (famously computer-challenged) Federal Bureau of Investigation, told Congress in 1995. “Drug cartels, terrorists, and kidnappers will use telephones and other communications media with impunity knowing that their conversations are immune” from wiretaps. The Crypto Wars erupted in 1991, when Washington attempted to limit the spread of strong crypto. Schneier testified before Congress against restrictions on encryption, campaigned for crypto freedom on the Internet, co-wrote an influential report on the technical snarls awaiting federal plans to control cryptographic protocols, and rallied 75,000 crypto fans to the cause in his free monthly e-mail newsletter, Crypto-Gram. Most important, he wrote Applied Cryptography, the first-ever comprehensive guide to the practice of cryptology. Washington lost the wars in 1999, when an appellate court ruled that restrictions on cryptography were illegal, because crypto algorithms were a form of speech and thus covered by the First Amendment. After the ruling the FBI and the NSA more or less surrendered. In the sudden silence the dazed combatants surveyed the battleground. Crypto had become widely available, and it had indeed fallen into unsavory hands. But the results were different from what either side had expected. As the crypto aficionados had envisioned, software companies inserted crypto into their products. On the “Tools” menu in Microsoft Outlook, for example, “encrypt” is an option. And encryption became big business, as part of the infrastructure for e-commerce—it is the little padlock that appears in the corner of Net surfers’ browsers when they buy books at Amazon.com, signifying that credit-card numbers are being enciphered. But encryption is rarely used by the citizenry it was supposed to protect and empower. Cryptophiles, Schneier among them, had been so enraptured by the possibilities of uncrackable ciphers that they forgot they were living in a world in which people can’t program VCRs. Inescapably, an encrypted message is harder to send than an unencrypted one, if only because of the effort involved in using all the extra software. So few people use encryption software that most companies have stopped selling it to individuals. Sidebar: The Worm in the Machine “Buffer overflows (sometimes called stack smashing) are the most common form of security vulnerability in the last ten years….” Among the few who do use crypto are human-rights activists living under dictatorships. But, just as the FBI feared, terrorists, child pornographers, and the Mafia use it too. Yet crypto has not protected any of them. As an example, Schneier points to the case of Nicodemo Scarfo, who the FBI believed was being groomed to take over a gambling operation in New Jersey. Agents surreptitiously searched his office in 1999 and discovered that he was that rarity, a gangster nerd. On his computer was the long-awaited nightmare for law enforcement: a crucial document scrambled by strong encryption software. Rather than sit by, the FBI installed a “keystroke logger” on Scarfo’s machine. The logger recorded the decrypting key— or, more precisely, the passphrase Scarfo used to generate that key— as he typed it in, and gained access to his incriminating files. Scarfo pleaded guilty to charges of running an illegal gambling business on February 28 of this year. Schneier was not surprised by this demonstration of the impotence of cryptography. Just after the Crypto Wars ended, he had begun writing a follow-up to Applied Cryptography. But this time Schneier, a fluent writer, was blocked—he couldn’t make himself extol strong crypto as a security panacea. As Schneier put it in Secrets and Lies, the very different book he eventually did write, he had been portraying cryptography—in his speeches, in his congressional testimony, in Applied Cryptography—as “a kind of magic security dust that [people] could sprinkle over their software and make it secure.” It was not. Nothing could be. Humiliatingly, Schneier discovered that, as a friend wrote him, “the world was full of bad security systems designed by people who read Applied Cryptography.” In retrospect he says, “Crypto solved the wrong problem.” Ciphers scramble messages and documents, preventing them from being read while, say, they are transmitted on the Internet. But the strongest crypto is gossamer protection if malevolent people have access to the computers on the other end. Encrypting transactions on the Internet, the Purdue computer scientist Eugene Spafford has remarked, “is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.” To effectively seize control of Scarfo’s computer, FBI agents had to break into his office and physically alter his machine. Such black-bag jobs are ever less necessary, because the rise of networks and the Internet means that computers can be controlled remotely, without their operators’ knowledge. Huge computer databases may be useful, but they also become tempting targets for criminals and terrorists. So do home computers, even if they are connected only intermittently to the Web. Hackers look for vulnerable machines, using software that scans thousands of Net connections at once. This vulnerability, Schneier came to think, is the real security issue. With this realization he closed Counterpane Systems, his five-person crypto-consulting company in Chicago, in 1999. He revamped it and reopened immediately in Silicon Valley with a new name, Counterpane Internet Security, and a new idea—one that relied on old-fashioned methods. Counterpane would still keep data secret. But the lessons of the Crypto Wars had given Schneier a different vision of how to do that—a vision that has considerable relevance for a nation attempting to prevent terrorist crimes. here Schneier had sought one overarching technical fix, hard experience had taught him the quest was illusory. Indeed, yielding to the American penchant for all-in-one high-tech solutions can make us less safe—especially when it leads to enormous databases full of confidential information. Secrecy is important, of course, but it is also a trap. The more secrets necessary to a security system, the more vulnerable it becomes. To forestall attacks, security systems need to be small-scale, redundant, and compartmentalized. Rather than large, sweeping programs, they should be carefully crafted mosaics, each piece aimed at a specific weakness. The federal government and the airlines are spending millions of dollars, Schneier points out, on systems that screen every passenger to keep knives and weapons out of planes. But what matters most is keeping dangerous passengers out of airline cockpits, which can be accomplished by reinforcing the door. Similarly, it is seldom necessary to gather large amounts of additional information, because in modern societies people leave wide audit trails. The problem is sifting through the already existing mountain of data. Calls for heavy monitoring and record-keeping are thus usually a mistake. (“Broad surveillance is a mark of bad security,” Schneier wrote in a recent Crypto-Gram.) To halt attacks once they start, security measures must avoid being subject to single points of failure. Computer networks are particularly vulnerable: once hackers bypass the firewall, the whole system is often open for exploitation. Because every security measure in every system can be broken or gotten around, failure must be incorporated into the design. No single failure should compromise the normal functioning of the entire system or, worse, add to the gravity of the initial breach. Finally, and most important, decisions need to be made by people at close range—and the responsibility needs to be given explicitly to people, not computers. Unfortunately, there is little evidence that these principles are playing any role in the debate in the Administration, Congress, and the media about how to protect the nation. Indeed, in the argument over policy and principle almost no one seems to be paying attention to the practicalities of security—a lapse that Schneier, like other security professionals, finds as incomprehensible as it is dangerous. Stealing Your Thumb couple of months after September 11, I flew from Seattle to Los Angeles to meet Schneier. As I was checking in at Sea-Tac Airport, someone ran through the metal detector and disappeared onto the little subway that runs among the terminals. Although the authorities quickly identified the miscreant, a concession stand worker, they still had to empty all the terminals and re-screen everyone in the airport, including passengers who had already boarded planes. Masses of unhappy passengers stretched back hundreds of feet from the checkpoints. Planes by the dozen sat waiting at the gates. I called Schneier on a cell phone to report my delay. I had to shout over the noise of all the other people on their cell phones making similar calls. “What a mess,” Schneier said. “The problem with airport security, you know, is that it fails badly.” For a moment I couldn’t make sense of this gnomic utterance. Then I realized he meant that when something goes wrong with security, the system should recover well. In Seattle a single slip-up shut down the entire airport, which delayed flights across the nation. Sea-Tac, Schneier told me on the phone, had no adequate way to contain the damage from a breakdown—such as a button installed near the x-ray machines to stop the subway, so that idiots who bolt from checkpoints cannot disappear into another terminal. The shutdown would inconvenience subway riders, but not as much as being forced to go through security again after a wait of several hours. An even better idea would be to place the x-ray machines at the departure gates, as some are in Europe, in order to scan each group of passengers closely and minimize inconvenience to the whole airport if a risk is detected—or if a machine or a guard fails. Schneier was in Los Angeles for two reasons. He was to speak to ICANN, the Internet Corporation for Assigned Names and Numbers, which controls the “domain name system” of Internet addresses. It is Schneier’s belief that attacks on the address database are the best means of taking down the Internet. He also wanted to review Ginza Sushi-Ko, perhaps the nation’s most exclusive restaurant, for the food column he writes with his wife, Karen Cooper. Minutes after my delayed arrival Schneier had with characteristic celerity packed himself and me into a taxi. The restaurant was in a shopping mall in Beverly Hills that was disguised to look like a collection of nineteenth-century Italian villas. By the time Schneier strode into the tiny lobby, he had picked up the thread of our airport discussion. Failing badly, he told me, was something he had been forced to spend time thinking about. In his technophilic exuberance he had been seduced by the promise of public-key encryption. But ultimately Schneier observed that even strong crypto fails badly. When something bypasses it, as the keystroke logger did with Nicodemo Scarfo’s encryption, it provides no protection at all. The moral, Schneier came to believe, is that security measures are characterized less by their manner of success than by their manner of failure. All security systems eventually miscarry. But when this happens to the good ones, they stretch and sag before breaking, each component failure leaving the whole as unaffected as possible. Engineers call such failure-tolerant systems “ductile.” One way to capture much of what Schneier told me is to say that he believes that when possible, security schemes should be designed to maximize ductility, whereas they often maximize strength. Since September 11 the government has been calling for a new security infrastructure—one that employs advanced technology to protect the citizenry and track down malefactors. Already the USA PATRIOT Act, which Congress passed in October, mandates the establishment of a “cross-agency, cross-platform electronic system … to confirm the identity” of visa applicants, along with a “highly secure network” for financial-crime data and “secure information sharing systems” to link other, previously separate databases. Pending legislation demands that the Attorney General employ “technology including, but not limited to, electronic fingerprinting, face recognition, and retinal scan technology.” The proposed Department of Homeland Security is intended to oversee a “national research and development enterprise for homeland security comparable in emphasis and scope to that which has supported the national security community for more than fifty years”—a domestic version of the high-tech R&D juggernaut that produced stealth bombers, smart weapons, and anti-missile defense. Iris, retina, and fingerprint scanners; hand-geometry assayers; remote video-network surveillance; face-recognition software; smart cards with custom identification chips; decompressive baggage checkers that vacuum-extract minute chemical samples from inside suitcases; tiny radio implants beneath the skin that continually broadcast people’s identification codes; pulsed fast-neutron analysis of shipping containers (“so precise,” according to one manufacturer, “it can determine within inches the location of the concealed target”); a vast national network of interconnected databases—the list goes on and on. In the first five months after the terrorist attacks the Pentagon liaison office that works with technology companies received more than 12,000 proposals for high-tech security measures. Credit-card companies expertly manage credit risks with advanced information-sorting algorithms, Larry Ellison, the head of Oracle, the world’s biggest database firm, told The New York Times in April; “We should be managing security risks in exactly the same way.” To “win the war on terrorism,” a former deputy undersecretary of commerce, David J. Rothkopf, explained in the May/June issue of Foreign Policy, the nation will need “regiments of geeks”—”pocket-protector brigades” who “will provide the software, systems, and analytical resources” to “close the gaps Mohammed Atta and his associates revealed.” Such ideas have provoked the ire of civil-liberties groups, which fear that governments, corporations, and the police will misuse the new technology. Schneier’s concerns are more basic. In his view, these measures can be useful, but their large-scale application will have little effect against terrorism. Worse, their use may make Americans less safe, because many of these tools fail badly— they’re “brittle,” in engineering jargon. Meanwhile, simple, effective, ductile measures are being overlooked or even rejected. he distinction between ductile and brittle security dates back, Schneier has argued, to the nineteenth-century linguist and cryptographer Auguste Kerckhoffs, who set down what is now known as Kerckhoffs’s principle. In good crypto systems, Kerckhoffs wrote, “the system should not depend on secrecy, and it should be able to fall into the enemy’s hands without disadvantage.” In other words, it should permit people to keep messages secret even if outsiders find out exactly how the encryption algorithm works. At first blush this idea seems ludicrous. But contemporary cryptography follows Kerckhoffs’s principle closely. The algorithms— the scrambling methods—are openly revealed; the only secret is the key. Indeed, Schneier says, Kerckhoffs’s principle applies beyond codes and ciphers to security systems in general: every secret creates a potential failure point. Secrecy, in other words, is a prime cause of brittleness—and therefore something likely to make a system prone to catastrophic collapse. Conversely, openness provides ductility. From this can be drawn several corollaries. One is that plans to add new layers of secrecy to security systems should automatically be viewed with suspicion. Another is that security systems that utterly depend on keeping secrets tend not to work very well. Alas, airport security is among these. Procedures for screening passengers, for examining luggage, for allowing people on the tarmac, for entering the cockpit, for running the autopilot software—all must be concealed, and all seriously compromise the system if they become known. As a result, Schneier wrote in the May issue of Crypto-Gram, brittleness “is an inherent property of airline security.” Few of the new airport-security proposals address this problem. Instead, Schneier told me in Los Angeles, they address problems that don’t exist. “The idea that to stop bombings cars have to park three hundred feet away from the terminal, but meanwhile they can drop off passengers right up front like they always have …” He laughed. “The only ideas I’ve heard that make any sense are reinforcing the cockpit door and getting the passengers to fight back.” Both measures test well against Kerckhoffs’s principle: knowing ahead of time that law-abiding passengers may forcefully resist a hijacking en masse, for example, doesn’t help hijackers to fend off their assault. Both are small-scale, compartmentalized measures that make the system more ductile, because no matter how hijackers get aboard, beefed-up doors and resistant passengers will make it harder for them to fly into a nuclear plant. And neither measure has any adverse effect on civil liberties. valuations of a security proposal’s merits, in Schneier’s view, should not be much different from the ordinary cost-benefit calculations we make in daily life. The first question to ask of any new security proposal is, What problem does it solve? The second: What problems does it cause, especially when it fails? Sidebar: Gummi Fingers “Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at biometric fingerprint devices. These are security systems that attempt to identify people based on their fingerprint….” Failure comes in many kinds, but two of the more important are simple failure (the security measure is ineffective) and what might be called subtractive failure (the security measure makes people less secure than before). An example of simple failure is face-recognition technology. In basic terms, face-recognition devices photograph people; break down their features into “facial building elements”; convert these into numbers that, like fingerprints, uniquely identify individuals; and compare the results with those stored in a database. If someone’s facial score matches that of a criminal in the database, the person is detained. Since September 11 face-recognition technology has been placed in an increasing number of public spaces: airports, beaches, nightlife districts. Even visitors to the Statue of Liberty now have their faces scanned. Face-recognition software could be useful. If an airline employee has to type in an identifying number to enter a secure area, for example, it can help to confirm that someone claiming to be that specific employee is indeed that person. But it cannot pick random terrorists out of the mob in an airline terminal. That much-larger-scale task requires comparing many sets of features with the many other sets of features in a database of people on a “watch list.” Identix, of Minnesota, one of the largest face-recognition-technology companies, contends that in independent tests its FaceIt software has a success rate of 99.32 percent—that is, when the software matches a passenger’s face with a face on a list of terrorists, it is mistaken only 0.68 percent of the time. Assume for the moment that this claim is credible; assume, too, that good pictures of suspected terrorists are readily available. About 25 million passengers used Boston’s Logan Airport in 2001. Had face-recognition software been used on 25 million faces, it would have wrongly picked out just 0.68 percent of them—but that would have been enough, given the large number of passengers, to flag as many as 170,000 innocent people as terrorists. With almost 500 false alarms a day, the face-recognition system would quickly become something to ignore. The potential for subtractive failure, different and more troublesome, is raised by recent calls to deploy biometric identification tools across the nation. Biometrics—”the only way to prevent identity fraud,” according to the former senator Alan K. Simpson, of Wyoming—identifies people by precisely measuring their physical characteristics and matching them up against a database. The photographs on driver’s licenses are an early example, but engineers have developed many high-tech alternatives, some of them already mentioned: fingerprint readers, voiceprint recorders, retina or iris scanners, face-recognition devices, hand-geometry assayers, even signature-geometry analyzers, which register pen pressure and writing speed as well as the appearance of a signature. ppealingly, biometrics lets people be their own ID cards—no more pass words to forget! Unhappily, biometric measures are often implemented poorly. This past spring three reporters at c’t, a German digital-culture magazine, tested a face-recognition system, an iris scanner, and nine fingerprint readers. All proved easy to outsmart. Even at the highest security setting, Cognitec’s FaceVACS-Logon could be fooled by showing the sensor a short digital movie of someone known to the system—the president of a company, say—on a laptop screen. To beat Panasonic’s Authenticam iris scanner, the German journalists photographed an authorized user, took the photo and created a detailed, life-size image of his eyes, cut out the pupils, and held the image up before their faces like a mask. The scanner read the iris, detected the presence of a human pupil—and accepted the imposture. Many of the fingerprint readers could be tricked simply by breathing on them, reactivating the last user’s fingerprint. Beating the more sophisticated Identix Bio-Touch fingerprint reader required a trip to a hobby shop. The journalists used graphite powder to dust the latent fingerprint—the kind left on glass—of a previous, authorized user; picked up the image on adhesive tape; and pressed the tape on the reader. The Identix reader, too, was fooled. Not all biometric devices are so poorly put together, of course. But all of them fail badly. Consider the legislation introduced in May by Congressmen Jim Moran and Tom Davis, both of Virginia, that would mandate biometric data chips in driver’s licenses—a sweeping, nationwide data-collection program, in essence. (Senator Dick Durbin, of Illinois, is proposing measures to force states to use a “single identifying designation unique to the individual on all driver’s licenses”; President George W. Bush has already signed into law a requirement for biometric student visas.) Although Moran and Davis tied their proposal to the need for tighter security after last year’s attacks, they also contended that the nation could combat fraud by using smart licenses with bank, credit, and Social Security cards, and for voter registration and airport identification. Maybe so, Schneier says. “But think about screw-ups, because the system will screw up.” Smart cards that store non-biometric data have been routinely cracked in the past, often with inexpensive oscilloscope-like devices that detect and interpret the timing and power fluctuations as the chip operates. An even cheaper method, announced in May by two Cambridge security researchers, requires only a bright light, a standard microscope, and duct tape. Biometric ID cards are equally vulnerable. Indeed, as a recent National Research Council study points out, the extra security supposedly provided by biometric ID cards will raise the economic incentive to counterfeit or steal them, with potentially disastrous consequences to the victims. “Okay, somebody steals your thumbprint,” Schneier says. “Because we’ve centralized all the functions, the thief can tap your credit, open your medical records, start your car, any number of things. Now what do you do? With a credit card, the bank can issue you a new card with a new number. But this is your thumb—you can’t get a new one.” The consequences of identity fraud might be offset if biometric licenses and visas helped to prevent terrorism. Yet smart cards would not have stopped the terrorists who attacked the World Trade Center and the Pentagon. According to the FBI, all the hijackers seem to have been who they said they were; their intentions, not their identities, were the issue. Each entered the country with a valid visa, and each had a photo ID in his real name (some obtained their IDs fraudulently, but the fakes correctly identified them). “What problem is being solved here?” Schneier asks. Good security is built in overlapping, cross-checking layers, to slow down attacks; it reacts limberly to the unexpected. Its most important components are almost always human. “Governments have been relying on intelligent, trained guards for centuries,” Schneier says. “They spot people doing bad things and then use laws to arrest them. All in all, I have to say, it’s not a bad system.” The Human Touch ne of the first times I met with Schneier was at the Cato Institute, a libertarian think tank in Washington, D.C., that had asked him to speak about security. Afterward I wondered how the Cato people had reacted to the speech. Libertarians love cryptography, because they believe that it will let people keep their secrets forever, no matter what a government wants. To them, Schneier was a kind of hero, someone who fought the good fight. As a cryptographer, he had tremendous street cred: he had developed some of the world’s coolest ciphers, including the first rigorous encryption algorithm ever published in a best-selling novel (Cryptonomicon, by Neal Stephenson) and the encryption for the “virtual box tops” on Kellogg’s cereals (children type a code from the box top into a Web site to win prizes), and had been one of the finalists in the competition to write algorithms for the federal government’s new encryption standard, which it adopted last year. Now, in the nicest possible way, he had just told the libertarians the bad news: he still loved cryptography for the intellectual challenge, but it was not all that relevant to protecting the privacy and security of real people. In security terms, he explained, cryptography is classed as a protective counter-measure. No such measure can foil every attack, and all attacks must still be both detected and responded to. This is particularly true for digital security, and Schneier spent most of his speech evoking the staggering insecurity of networked computers. Countless numbers are broken into every year, including machines in people’s homes. Taking over computers is simple with the right tools, because software is so often misconfigured or flawed. In the first five months of this year, for example, Microsoft released five “critical” security patches for Internet Explorer, each intended to rectify lapses in the original code. Computer crime statistics are notoriously sketchy, but the best of a bad lot come from an annual survey of corporations and other institutions by the FBI and the Computer Security Institute, a research and training organization in San Francisco. In the most recent survey, released in April, 90 percent of the respondents had detected one or more computer-security breaches within the previous twelve months—a figure that Schneier calls “almost certainly an underestimate.” His own experience suggests that a typical corporate network suffers a serious security breach four to six times a year—more often if the network is especially large or its operator is politically controversial. Luckily for the victims, this digital mayhem is mostly wreaked not by the master hackers depicted in Hollywood techno-thrillers but by “script kiddies”—youths who know just enough about computers to download and run automated break-in programs. Twenty-four hours a day, seven days a week, script kiddies poke and prod at computer networks, searching for any of the thousands of known security vulnerabilities that administrators have not yet patched. A typical corporate network, Schneier says, is hit by such doorknob-rattling several times an hour. The great majority of these attacks achieve nothing, but eventually any existing security holes will be found and exploited. “It’s very hard to communicate how bad the situation is,” Schneier says, “because it doesn’t correspond to our normal intuition of the world. To a first approximation, bank vaults are secure. Most of them don’t get broken into, because it takes real skill. Computers are the opposite. Most of them get broken into all the time, and it takes practically no skill.” Indeed, as automated cracking software improves, it takes ever less knowledge to mount ever more sophisticated attacks. Given the pervasive insecurity of networked computers, it is striking that nearly every proposal for “homeland security” entails the creation of large national databases. The Moran-Davis proposal, like other biometric schemes, envisions storing smart-card information in one such database; the USA PATRIOT Act effectively creates another; the proposed Department of Homeland Security would “fuse and analyze” information from more than a hundred agencies, and would “merge under one roof” scores or hundreds of previously separate databases. (A representative of the new department told me no one had a real idea of the number. “It’s a lot,” he said.) Better coordination of data could have obvious utility, as was made clear by recent headlines about the failure of the FBI and the CIA to communicate. But carefully linking selected fields of data is different from creating huge national repositories of information about the citizenry, as is being proposed. Larry Ellison, the CEO of Oracle, has dismissed cautions about such databases as whiny cavils that don’t take into account the existence of murderous adversaries. But murderous adversaries are exactly why we should ensure that new security measures actually make American life safer. ny new database must be protected, which automatically entails a new layer of secrecy. As Kerckhoffs’s principle suggests, the new secrecy introduces a new failure point. Government information is now scattered through scores of databases; however inadvertently, it has been compartmentalized—a basic security practice. (Following this practice, tourists divide their money between their wallets and hidden pouches; pickpockets are less likely to steal it all.) Many new proposals would change that. An example is Attorney General John Ashcroft’s plan, announced in June, to fingerprint and photograph foreign visitors “who fall into categories of elevated national security concern” when they enter the United States (“approximately 100,000” will be tracked this way in the first year). The fingerprints and photographs will be compared with those of “known or suspected terrorists” and “wanted criminals.” Alas, no such database of terrorist fingerprints and photographs exists. Most terrorists are outside the country, and thus hard to fingerprint, and latent fingerprints rarely survive bomb blasts. The databases of “wanted criminals” in Ashcroft’s plan seem to be those maintained by the FBI and the Immigration and Naturalization Service. But using them for this purpose would presumably involve merging computer networks in these two agencies with the visa procedure in the State Department—a security nightmare, because no one entity will fully control access to the system. Sidebar: How Insurance Improves Security “Eventually, the insurance industry will subsume the computer security industry….” Equivalents of the big, centralized databases under discussion already exist in the private sector: corporate warehouses of customer information, especially credit-card numbers. The record there is not reassuring. “Millions upon millions of credit-card numbers have been stolen from computer networks,” Schneier says. So many, in fact, that Schneier believes that everyone reading this article “has, in his or her wallet right now, a credit card with a number that has been stolen,” even if no criminal has yet used it. Number thieves, many of whom operate out of the former Soviet Union, sell them in bulk: $1,000 for 5,000 credit-card numbers, or twenty cents apiece. In a way, the sheer volume of theft is fortunate: so many numbers are floating around that the odds are small that any one will be heavily used by bad guys. Large-scale federal databases would undergo similar assaults. The prospect is worrying, given the government’s long-standing reputation for poor information security. Since September 11 at least forty government networks have been publicly cracked by typographically challenged vandals with names like “CriminalS,” “S4t4n1c S0uls,” “cr1m3 0rg4n1z4d0,” and “Discordian Dodgers.” Summing up the problem, a House subcommittee last November awarded federal agencies a collective computer-security grade of F. According to representatives of Oracle, the federal government has been talking with the company about employing its software for the new central databases. But judging from the past, involving the private sector will not greatly improve security. In March, CERT/CC, a computer-security watchdog based at Carnegie Mellon University, warned of thirty-eight vulnerabilities in Oracle’s database software. Meanwhile, a centerpiece of the company’s international advertising is the claim that its software is “unbreakable.” Other software vendors fare no better: CERT/CC issues a constant stream of vulnerability warnings about every major software firm. Schneier, like most security experts I spoke to, does not oppose consolidating and modernizing federal databases per se. To avoid creating vast new opportunities for adversaries, the overhaul should be incremental and small-scale. Even so, it would need to be planned with extreme care—something that shows little sign of happening. ne key to the success of digital revamping will be a little-mentioned, even prosaic feature: training the users not to circumvent secure systems. The federal government already has several computer networks—INTELINK, SIPRNET, and NIPRNET among them— that are fully encrypted, accessible only from secure rooms and buildings, and never connected to the Internet. Yet despite their lack of Net access the secure networks have been infected by e-mail perils such as the Melissa and I Love You viruses, probably because some official checked e-mail on a laptop, got infected, and then plugged the same laptop into the classified network. Because secure networks are unavoidably harder to work with, people are frequently tempted to bypass them—one reason that researchers at weapons labs sometimes transfer their files to insecure but more convenient machines. Sidebar: Remember Pearl Harbor “Surprise, when it happens to a government, is likely to be a complicated, diffuse, bureaucratic thing….” Schneier has long argued that the best way to improve the very bad situation in computer security is to change software licenses. If software is blatantly unsafe, owners have no such recourse, because it is licensed rather than bought, and the licenses forbid litigation. It is unclear whether the licenses can legally do this (courts currently disagree), but as a practical matter it is next to impossible to win a lawsuit against a software firm. If some big software companies lose product-liability suits, Schneier believes, their confreres will begin to take security seriously. Computer networks are difficult to keep secure in part because they have so many functions, each of which must be accounted for. For that reason Schneier and other experts tend to favor narrowly focused security measures—more of them physical than digital—that target a few precisely identified problems. For air travel, along with reinforcing cockpit doors and teaching passengers to fight back, examples include armed uniformed—not plainclothes—guards on select flights; “dead-man” switches that in the event of a pilot’s incapacitation force planes to land by autopilot at the nearest airport; positive bag matching (ensuring that luggage does not get on a plane unless its owner also boards); and separate decompression facilities that detonate any altitude bombs in cargo before takeoff. None of these is completely effective; bag matching, for instance, would not stop suicide bombers. But all are well tested, known to at least impede hijackers, not intrusive to passengers, and unlikely to make planes less secure if they fail. From Atlantic Unbound: Flashbacks: “Pearl Harbor in Retrospect” (May 25, 2001) Atlantic articles from 1948, 1999, and 1991 look back at Pearl Harbor from American and Japanese perspectives. It is impossible to guard all potential targets, because anything and everything can be subject to attack. Palestinian suicide bombers have shown this by murdering at random the occupants of pool halls and hotel meeting rooms. Horrible as these incidents are, they do not risk the lives of thousands of people, as would attacks on critical parts of the national infrastructure: nuclear-power plants, hydroelectric dams, reservoirs, gas and chemical facilities. Here a classic defense is available: tall fences and armed guards. Yet this past spring the Bush Administration cut by 93 percent the funds requested by the Energy Department to bolster security for nuclear weapons and waste; it denied completely the funds requested by the Army Corps of Engineers for guarding 200 reservoirs, dams, and canals, leaving fourteen large public-works projects with no budget for protection. A recommendation by the American Association of Port Authorities that the nation spend a total of $700 million to inspect and control ship cargo (today less than two percent of container traffic is inspected) has so far resulted in grants of just $92 million. In all three proposals most of the money would have been spent on guards and fences. The most important element of any security measure, Schneier argues, is people, not technology—and the people need to be at the scene. Recall the German journalists who fooled the fingerprint readers and iris scanners. None of their tricks would have worked if a reasonably attentive guard had been watching. Conversely, legitimate employees with bandaged fingers or scratched corneas will never make it through security unless a guard at the scene is authorized to overrule the machinery. Giving guards increased authority provides more opportunities for abuse, Schneier says, so the guards must be supervised carefully. But a system with more people who have more responsibility “is more robust,” he observed in the June Crypto-Gram, “and the best way to make things work. (The U.S. Marine Corps understands this principle; it’s the heart of their chain of command rules.)” “The trick is to remember that technology can’t save you,” Schneier says. “We know this in our own lives. We realize that there’s no magic anti-burglary dust we can sprinkle on our cars to prevent them from being stolen. We know that car alarms don’t offer much protection. The Club at best makes burglars steal the car next to you. For real safety we park on nice streets where people notice if somebody smashes the window. Or we park in garages, where somebody watches the car. In both cases people are the essential security element. You always build the system around people.” Looking for Trouble fter meeting Schneier at the Cato Institute, I drove with him to the Washington command post of Counterpane Internet Security. It was the first time in many months that he had visited either of his company’s two operating centers (the other is in Silicon Valley). His absence had been due not to inattentiveness but to his determination to avoid the classic high-tech mistake of involving the alpha geek in day-to-day management. Besides, he lives in Minneapolis, and the company headquarters are in Cupertino, California. (Why Minneapolis? I asked. “My wife lives there,” he said. “It seemed polite.”) With his partner, Tom Rowley, supervising day-to-day operations, Schneier constantly travels in Counterpane’s behalf, explaining how the company manages computer security for hundreds of large and medium-sized companies. It does this mainly by installing human beings. The command post was nondescript even by the bland architectural standards of exurban office complexes. Gaining access was like a pop quiz in security: How would the operations center recognize and admit its boss, who was there only once or twice a year? In this country requests for identification are commonly answered with a driver’s license. A few years ago Schneier devoted considerable effort to persuading the State of Illinois to issue him a driver’s license that showed no picture, signature, or Social Security number. But Schneier’s license serves as identification just as well as a license showing a picture and a signature—which is to say, not all that well. With or without a picture, with or without a biometric chip, licenses cannot be more than state-issued cards with people’s names on them: good enough for social purposes, but never enough to assure identification when it is important. Authentication, Schneier says, involves something a person knows (a password or a PIN, say), has (a physical token, such as a driver’s license or an ID bracelet), or is (biometric data). Security systems should use at least two of these; the Counterpane center employs all three. At the front door Schneier typed in a PIN and waved an iButton on his key chain at a sensor (iButtons, made by Dallas Semiconductor, are programmable chips embedded in stainless-steel discs about the size and shape of a camera battery). We entered a waiting room, where Schneier completed the identification trinity by placing his palm on a hand-geometry reader. Sidebar: Further Reading Brief descriptions of recommended books. Beyond the waiting room, after a purposely long corridor studded with cameras, was a conference room with many electrical outlets, some of which Schneier commandeered for his cell phone, laptop, BlackBerry, and battery packs. One side of the room was a dark glass wall. Schneier flicked a switch, shifting the light and theatrically revealing the scene behind the glass. It was a Luddite nightmare: an auditorium-like space full of desks, each with two computer monitors; all the desks faced a wall of high-resolution screens. One displayed streams of data from the “sentry” machines that Counterpane installs in its clients’ networks. Another displayed images from the video cameras scattered around both this command post and the one in Silicon Valley. On a visual level the gadgetry overwhelmed the people sitting at the desks and watching over the data. Nonetheless, the people were the most important part of the operation. Networks record so much data about their usage that overwhelmed managers frequently turn off most of the logging programs and ignore the others. Among Counterpane’s primary functions is to help companies make sense of the data they already have. “We turn the logs back on and monitor them,” Schneier says. Counterpane researchers developed software to measure activity on client networks, but no software by itself can determine whether an unusual signal is a meaningless blip or an indication of trouble. That was the job of the people at the desks. Highly trained and well paid, these people brought to the task a quality not yet found in any technology: human judgment, which is at the heart of most good security. Human beings do make mistakes, of course. But they can recover from failure in ways that machines and software cannot. The well-trained mind is ductile. It can understand surprises and overcome them. It fails well. When I asked Schneier why Counterpane had such Darth Vaderish command centers, he laughed and said it helped to reassure potential clients that the company had mastered the technology. I asked if clients ever inquired how Counterpane trains the guards and analysts in the command centers. “Not often,” he said, although that training is in fact the center of the whole system. Mixing long stretches of inactivity with short bursts of frenzy, the work rhythm of the Counterpane guards would have been familiar to police officers and firefighters everywhere. As I watched the guards, they were slurping soft drinks, listening to techno-death metal, and waiting for something to go wrong. They were in a protected space, looking out at a dangerous world. Sentries around Neolithic campfires did the same thing. Nothing better has been discovered since. Thinking otherwise, in Schneier’s view, is a really terrible idea.

———–

washingtonpost.com

FCC OK Unleashes XtremeSpectrum

By Michael Bruno Washtech.com Wednesday, May 29, 2002; Page E05

It’s been a long wait for Vienna-based XtremeSpectrum Inc.

The company has been developing semiconductor technology for wireless transmission of information since it was first funded in November 1998. But the ultra-wideband technology, caught up in a 3 1/2-year examination by the Federal Communications Commission, was just approved a month ago. The company now plans to ship its ultra-wideband chips to its business partners in the next two months.

The move means that by Christmas 2003, consumers may be able to wirelessly transfer movies, digital photos, MP3 clips and other large multimedia files between their computing devices at speeds 10 times faster than the current leading technology.

It also means that XtremeSpectrum hopes to become a leading provider of consumer-focused UWB technology, a field some analysts believe will burgeon soon.

UWB is the latest technology to take on the personal-area-network market, the mass of cables and electronic devices that pervades many homes and small businesses. For the past few years, users have had the option to go wireless, but the trade-off was that their data transfer speeds were not as fast.

Devices such as digital TVs, personal data assistants and MP3 players all use data formats where the speed of the data flow ranges from thousand of bits per second, such as MP3 at 320 Kbps, to millions of bits per second, such as DVDs at 10 Mbps.

Up to now, users had to choose from three formats — Bluetooth, Wi-Fi (802.11b) or 802.11a — to connect their equipment, and each has a downside. Bluetooth, once promoted by big-name tech companies, requires little power but offers speeds of only around 1 Mbps. Wi-Fi, the most prominent of the three technologies, offers speeds of 11 Mbps but needs more power. And 802.11a offers speeds of 54 Mbps but requires lots of power.

On the other hand, UWB promises speeds up to 100 Mbps and requires low power. A stand-alone device can be powered with a single AA battery, according to XtremeSpectrum.

The difference is in how the technology works. Traditionally, a carrier, such as a radio station, has an assigned frequency. UWB operates across a wide gamut of spectrum — 3.1 to 10.6 gigahertz and 24 GHz — and pulses the information instead of carrying it.

“We believe this will be a serious threat to Bluetooth and 802.11,” said David Hoover, an analyst at the Precursor Group in Washington.

Gemma Paulo, a wireless analyst with Arizona-based market research firm In-Stat/MDR, is less sanguine. She said UWB could complement Bluetooth but that it is “not really” a serious threat because federal regulations say it must limit its effectiveness to within 10 meters — although that limitation could be loosened.

According to In-Stat, the home networking market is expected to reach $3.5 billion in 2004 and $4.9 billion in 2006. The wireless portion of that market should hit $2.5 billion in 2004 and grow to $3.7 billion in 2006.

Neither Precursor nor In-Stat provide consulting or investment banking services, the analysts said. Their respective research groups also do not have financial relationships with the companies they cover.

The UWB concept was first developed in the 1950s but didn’t get anywhere until the late 1970s when the Defense Advanced Research Products Agency, a research and development organization for the U.S. military, became interested. In other forms, UWB can be a radar technology that can “see” through walls, forests and under ground.

“They got very interested in ultra-wideband because of its very low cost,” said Robert J. Fontana, president and founder of Germantown-based Multispectral Solutions Inc.

Multispectral Solutions has completed 64 contracts on UWB systems, such as ground-penetrating radar, with the military since late 2000. The 15-person company has been profitable from the start, and Fontana predicts that annual revenue will grow from almost $3 million to $4.5 million or $5 million as the federal government beefs up homeland defense efforts.

But before UWB could be applied commercially, the FCC had to approve it, and that was a long and controversial process. Since UWB spans a range of frequencies already used by wireless phone carriers and various federal agencies, including the global positioning system community, several established interests saw UWB as competition or merely interference. It took the National Telecommunications and Information Administration from September 1998 to February 2002 to negotiate a compromise. The FCC finalized its approval on April 23.

Because UWB pulses a low-power signal across a swath of radio spectrum, rather than streaming a signal on a specific frequency, it would not interfere with broadcasts on any one band.

“It probably produces less interference than a hair dryer being turned on,” said Rich Doherty, an analyst at the Envisioneering Group of Seaford, N.Y.

Still, the FCC is permitting its use in stages; the radio-frequency noise from a UWB device must be2,000 times lower than that emitted by a personal computer, baby monitor or garage door opener. If that produces no interference with other systems, higher levels of power — and increased range of effectiveness — may be approved.

Likewise, because UWB does not boost a signal on a particular frequency, UWB providers do not have to use equipment needed to carry a signal, which in turn knocks down the cost of UWB products.

XtremeSpectrum invested heavily in winning approval of UWB. Although Martin Rofheart, XtremeSpectrum chief executive and co-founder, declined to discuss how much was spent lobbying the government, the company hired 18 people for the effort.

“It was huge,” said analyst Hoover. “They spent a good portion of their [money] on lobbying.”

It was worth it, Rofheart said. Because XtremeSpectrum — formed a month after the regulatory debate began — was so intimately involved in the regulatory process, its chipsets were ready as soon as the FCC gave the final go-ahead.

“We’re trying to beat everyone to market,” Rofheart said.

“They basically designed their [chipset] around how they thought the FCC was going to rule,” analyst Paulo said.

Rofheart won’t discuss revenue projections for 57-person XtremeSpectrum, but he said the company won’t start counting sales until next year when its manufacturing partners start selling their consumer products during the holidays. He expects profitability in 2004.

Meanwhile, the company will rely on its venture capital. Funders include Cisco Systems Inc., Motorola Inc., Texas Instruments Inc., Alliance Technology Ventures, Granite Ventures and Novak Biddle Venture Partners. XtremeSpectrum officials have declined to discuss how much they have raised but plan to announce more funding, including new investors, within a month.

That’s good news since the competition is growing. Multispectral Solutions is expanding from government sales to the commercial market. Fontana said his company would introduce geolocation services and audio networking, such as audio systems in churches and arenas, over the next six months.

XtremeSpectrum’s leading rival, Time Domain Corp. of Alabama, has said its PulsON chipsets also will be available to its partners this year. Time Domain, which has an office in the District, is focusing on wireless broadband links and precision radar products.

According to analyst Hoover, Time Domain and XtremeSpectrum are sitting pretty: They are the leading companies in a marketplace that looks to take off.

“They definitely have their foothold,” he said. “They’re going to be around.”

Paulo with In-Stat said XtremeSpectrum has the edge.

“Time Domain wants to be in the consumer space, but they don’t seem to have an organized focus,” she said. “XtremeSpectrum is the only company that seems to know how to play in the commercial realm. The other companies seem to be a little bit more disorganized.”

© 2002 The Washington Post Company

———–

URL: http://zdnet.com.com/2100-1106-848203.html

A huge exodus from San Francisco may be under way as high-tech companies pack their bags for cheaper North American cities and regions, according to a study.

San Francisco is the most expensive North American city for a high-tech company do to business, with an estimated average cost of $43 million a year, according to The Boyd Company, a consulting firm that advises major companies on location planning. For example, a company relocating to Baltimore from San Francisco would see a savings of about 21 percent, according to the study’s figures.

And as if that’s not incentive enough for companies to relocate, an increase in government spending on defense, centered in the metro Washington, D.C., area, and the lure of cheaper operating costs north of the U.S. border, are about to siphon more business out of Northern California.

“I have never seen a decline so rapid,” said John H. Boyd, talking about the conditions that precipitated the study.

The numbers for the study were based on the average cost of operating a 500-employee facility.

Boyd, who has done location planning for 27 years as president of The Boyd Company, said he has watched with amazement as the unemployment rate in San Francisco has risen from 1.7 percent in January 2001 to 7.5 percent in January 2002. That figure doesn’t compare favorably with the national average of 5.6 percent in January, Boyd said.

Things may get worse, he said, as companies head east and north, following the two biggest money trails of the post-Sept. 11 economy.

Venture capitalists “are saying, ‘Show me the money,’ and companies are concluding they have to be competitive on a global scale,” Boyd said. In an economy where it is close to impossible to cut costs, cost reductions have a new importance, and site selection has become more critical.

“Canada is emerging as an alternative location for U.S. high-tech investments in the recessionary economy,” Boyd said, citing a lower exchange rate, the elimination of tariffs under NAFTA (North American Free Trade Agreement) and the absence of corporate health care costs in a country with a national health care system. Several companies have already caught on to the trend: Mountain View, Calif.-based Intuit and Houston-based Compaq have both listed their Calgary, Alberta, facilities as among their most profitable, Boyd said.

“Many companies in the (San Francisco) Bay Area are also looking to Washington because of the vast government spending for the war on terrorism,” Boyd said. John Hopkins University, which has locations throughout the Baltimore-Washington area, “is the center for bio-terrorism research, and the NSA (National Security Agency) is becoming the catalyst for billions and billions of dollars in electronic surveillance and Internet security spending by the federal government,” he added.

“It’s like Silicon Valley is returning to its roots; it was founded in the defense industry in the 60s,” Boyd said.

Of the individual cities being considered, Baltimore; Vancouver, British Columbia; and Calgary are considered some of the most attractive. Baltimore was the cheapest U.S. location included in the study, at $34.4 million a year. Vancouver was the highest-priced Canadian city, at $35 million, and Calgary was the lowest, at $27.7 million.

Santa Clara County, Calif., which includes San Jose, Calif., and most of Silicon Valley, came in second to San Francisco with costs of $41.7 million. New York was next, at $40.9 million and then Boston, at $39 million.

Of course, not every city in North America was considered. The study takes factors such as pre-existing technology centers, ease of travel, and other nuances into consideration. The Boyd Company has spent the last nine months doing everything from number crunching to interviewing mayors to come up with the survey cities, which are likely to become targets for expansion or relocation by the consulting firm’s clients.

Though Boyd would not disclose which companies are considering relocation, he listed Compaq Computer, Chase Manhattan Bank, Pitney Bowes and Time Inc. as clients.

“These cities included in the study were not chosen at random; you will see them on the short lists of corporate-site seekers over the next 12 months,” he said.

Only worthy of forwarding because of the JMM statistic: 1,400 pieces of spam per day!

-Ian.

—-

http://dailynews.yahoo.com/htx/cn/20020205/tc/net_surfers_set_out_to_squelch _spam_1.html Net surfers set out to squelch spam By Stefanie Olsen CNET News.com

Larry Kilgallen got so fed up with junk e-mail that he finally decided to do something about it.

Kilgallen, a Cambridge, Mass., business owner, says he takes about five minutes each day to fire off e-mail complaints to spammers and Internet service providers that relay their payload to his in-box.

“It’s civic duty,” said Kilgallen, who uses a free online reporting service called SpamCop to help filter the junk and identify the culprits. “It probably takes me 10 seconds to report a spam. But the only reason the filtering is good is through the people who report it.”

The battle against junk e-mail, or spam, has numerous allies: Legislators have enacted laws targeting it, trade groups have crafted voluntary guidelines to govern it, and software developers have created weapons of mass deletion to thwart it.

Last week, the Federal Trade Commission said it plans to launch a “systematic attack” on deceptive e-mail, including law enforcement action against spammers.

But as is often the case, the last line of defense lies with consumers like Kilgallen, who are increasingly using spam filters supplied by ISPs, Web-based mail programs and software developers.

Their self-appointed task is daunting. Last year, the number of spam attacks to mailboxes increased by nearly 200 percent, according to filtering company BrightMail. Spiritual-related e-mail was the fastest-growing form of junk to consumer in-boxes.

Looking ahead, experts predict junk e-mail will soon grow to incomprehensible volumes. Within four years, consumers can expect to receive an average of 1,400 pieces of junk e-mail per day, according to Net researcher Jupiter Media Metrix.

So what’s a Web surfer to do until the federal government outlaws the practice? One option is to grin and bear it; another is to embrace a growing range of desktop anti-spam tools.

Either way, spam veterans say Net surfers shouldn’t expect much relief, noting that even the best filters have vulnerabilities.

“With every advance in spam filter technology, spammers constantly invent ever more ways to circumvent filters,” said Steve Linford, director of the London-based Spamhaus Project.

Sisyphean task That hasn’t stopped software developers from trying.

The onslaught of unwanted e-mail has inspired many types of filter tools, including e-mail forwarding services, software plug-ins, and built-in filters for Web-based mail such as Yahoo Mail or for applications such as Microsoft Outlook.

Emailias, launched last fall, is designed to shield a consumer’s primary e-mail address from spammers. Emailias or other services, such as SpamMotel or Mailshell, allot an unlimited number of fake, or alias, addresses for the consumer to use when filling out forms, posting to newsgroups or signing up to mailing lists, where they can subsequently be “harvested” by spammers.

For $4.95 per month or $19.95 per year, Emailias’ plug-in sits in a browser’s “favorite links” or on its task bar. When consumers are asked for an e-mail address, they can click on the link to retrieve a pop-up window with an address specialized for that page.

E-mail sent to that address is forwarded to the consumer’s primary account. Subscribers can discontinue the address at any time–for example, when an e-commerce company sends unsolicited mail from “partners.”

Another tool, Novasoft’s SpamKiller, costs $29.95 and is one of the most popular tools at Download.com, a site run by CNET Networks, publisher of News.com.

Among other filtering techniques, the software lets consumers block messages by the sender’s address, message subject or headers, and message text. For example, customers can dump all e-mail with the words “make money from home” within it.

SpamCop, Kilgallen’s choice, costs $3 monthly, with a free service for reporting spammers. It filters mailboxes based on “whitelists,” or a list of acceptable addresses to receive mail from, and “blacklists,” unacceptable sources of mail. The service filters the IP addresses used by rogue marketers in real time so complaints may help improve the filters. With the account, subscribers also get an alias address.

Even with regular filter updates or new blocking inventions for consumers, however, spammers often find a way to infiltrate the most guarded in-boxes.

A method called “harvesting” involves scraping e-mail addresses posted in newsgroups or message boards, from which the spammer compiles a bulk-mailing list.

“Nefarious people have created robots to go and harvest your e-mail address from discussion groups and then spam you,” said Paul MacIntosh, chief technology officer of New Jersey-based Emailias. “Normally, an address will get tainted, and there’s no way to take back that address or stop the spam other than changing that address.”

Spammers may also use what’s known as a “dictionary attack” in which they guess every possible user name in a domain.

On the opposite extreme, spam filters are frequently accused of being overly zealous in weeding out e-mail, capturing good messages along with the bad. Filters have been known to redirect e-mail from a company’s help desk from the in-box into a “killed” e-mail box, for example.

Thor Ivar Ekle, creator of SpamKiller, admitted that his system is designed to catch 97 percent of mass e-mails, including help-desk mail.

Some consumers say that this is reason enough to declare spam filters a failure.

“I have plenty of client filters, and I still see lots of spam slip right through…and lots get trashed. It’s a losing battle from the consumer side. It’s in the hands of the ISPs,” said one woman who is a self-professed spam fighter.

A higher-level solution Three years ago, most ISPs saw spam filters as dangerous or censorious because they could block valid e-mail. But in the last two years a dramatic rise in spam and complaints from customers has prompted a shift.

Now, behind the scenes, many Net access providers and anti-spam agents are laboring to block spam from moving through Internet pipelines. The all-hours battle is costing ISPs an enormous amount of time and resources. Last year, the European Union estimated the global cost of spam at $8 billion annually.

“The ISP industry attitude changed from ‘We won’t filter spam’ to ‘Which filters shall we use?'” Spamhaus’ Linford said.

America Online calls junk e-mail “public enemy No. 1” on behalf of its 34 million subscribers. Despite its in-house spam team working to block known bulk mailers and the plethora of filtering options it gives consumers to manage e-mail, AOL spokesman Nicholas Graham said commercial e-mail still manages to creep into mailboxes.

ISPs such as EarthLink, MSN, AT&T WorldNet and Verizon Communications (NYSE:VZ – news) have enlisted spam-filtering software from San Francisco-based BrightMail to help shield consumers from bulk mail. About a third of ISPs also use block lists based on the worldwide DNS (domain name system) to refuse spam at their mail servers before it gets into subscriber mailboxes.

Well-known blocklists from groups such as the Mail Abuse Prevention System and Spamhaus work to keep track of IP addresses used to send spam, in an effort to block them altogether.

BrightMail’s service, which operates a spam-detection center called BLOC, works by updating “mail rules,” or filtering guidelines for the newest spam senders, every five minutes to seven minutes and sending them to customers.

Such systems are focused on trying to pinpoint patterns in incoming mail and filter based on repetitions and keywords.

But filtering systems that let consumers block e-mail based on the wording contained within the message often fail because spammers are always tweaking language. For example, a consumer may set up a filter on “win a free car.” But after using that terminology, the spammer might tweak the language to say “won a free car.”

Some state laws, including those in California and Washington, give consumers some legal recourse against junk mailers, but many anti-spam advocates say they don’t root out the problem. Because the laws require consumers to “opt out” of receiving junk mail, advocates say the action costs people more time than they have.

In some states, marketers are required by law to add the prefix “ADV:” to commercial e-mail. But spammers are learning to beat the system. They get around filters by using variations such as “[Ad V]” or “.”