WIRED ON FRIDAY: In an ironic twist, Web veterans once seen as a national security risk by authorities are at heart of new security drive, writes Danny O'Brien
A heavy police presence surrounds the RSA data security conference in downtown San Jose. The city's finest patrol the entrances, padded out like American footballers, and photo IDs are demanded with menaces at the door.
Richard Clarke, President Bush's new cybersecurity czar, is in town to meet the computer security industry's wisest minds, all to better protect the Net from terrorists. Silicon Valley brandishes its few policemen, to show the federal government that they can keep the bad guys out of the way.
All the more peculiar a scene given that, a decade or so ago, wings of the US government would have labelled the experts as the "bad guys".
"We reject kings, presidents, and voting." Sitting in a booth inside the embattled convention centre, Dan Geer recalls the subversive words of MIT colleague Dave Clark. Together with its softer conclusion: "We believe in rough consensus and working code."
Dan Geer quotes a great deal: old friends, unnamed security sources, Isaiah Berlin, Matthew 7:13. When he does, he looks, with his prolific sideburns, open-mouthed smile and faint archaisms of a Tennessee accent, like the gleeful patriarch of a young sect reciting his authorities.
Geer is a patriarch. While only 51, he is of the heroic generation of academic engineers that built the modern wired world. At MIT he helped design Project Athena, one of the first experiments in a networked computer. (Dave Clark was chief architect for an obscure allied project called the internet.) To do so, they followed those principles of open discussion and public documentation.
He's also been heavily involved in computer security for 25 years. But while the creators of the young internet gained a relatively easy acceptance for their ideas of transparency, the rebellious attitudes of his generation did not fit so well with the spies and spooks of "national interest".
After they first appeared in the security literature, America's intelligence services spent 20 years fighting Geer's colleagues determination to expose and fix the problems of protecting the new networks.
Up until then, security had been largely the monopoly of the shadier government agencies. Rough consensus, they had never needed before; and working code, out in the open, was the last thing they wanted.
The National Security Agency (NSA) saw the new generation as a risk to national security; even, at one stage, classing some of their analyses as munitions too dangerous for export.
But now Geer sits an honoured guest of the conference, at the head of multimillion pound company @stake. This conference is sponsored by RSA - the company formed by the academics who invented those dangerous munitions. Business and government together have learnt to listen to them.
The NSA has a booth too. Geer's is bigger.
But in the new atmosphere, won't the NSA's more secretive approach finally win? Can the freewheeling times of "rough consensus" really work after September 11th?
"There's less trust now," he concedes. "We waste resources checking what we used to assume".
But Geer feels that openness is more important than ever. He's working with the government to pool the industry's knowledge, helping to set up an Information Sharing and Analysis Centre for responding swiftly to and learning from attacks on the Net.
"They're limited nationally," he complains with a shrug. "Deutsche Telecom isn't allowed to participate. Ridiculous."
But what are the terrorist threats to the internet? Will it be designer computer viruses? Invasions by password-cracking mercenaries? Economic "denial of service" attacks that jam the internet so that no legitimate work can proceed?
Geer has his own nightmares.
"I worry about cascade events - small disasters that cause chain reactions of other disasters. My early background is in biostatistics, the spread of epidemics. You learn there that, well, smallpox notwithstanding, you never get rid of anything. But also you can have herd immunity. Even if some of your population are vulnerable to attack, if enough have some immunity, you can stop the infection from spreading. We have to build up that immunity."
Geer has continued to pursue his generation's approach to that problem.
One of his company's most celebrated acts was hiring an underground "hacker think-tank" who called themselves L0pht Heavy Industries - and who went by pseudonyms like Kingpin, Mudge and Weld Pond. @stake encouraged them to continue as a research lab what they'd be doing as a hobby: finding flaws and security backdoors in Microsoft and others' software. Every bug was reported to its vendor and, shortly afterwards,publicly. Microsoft and the other software houses protested vehemently, of course. But every flaw was fixed. And the herd immunity, claims Geer, increases.
Nowadays, Microsoft and Geer's company are working together to formalise the process. It seems to be a move that the cybersecurity czar approves too.
"We're all more interconnected now," says Geer. Then, unexpectedly: "I think that increases the danger."
Geer is a man who treasures his independence. He has one last story, almost to save himself from worrying that interdependence will lead to disaster:
"A multinational's security chief recently spoke to me. He said he'd managed to fend off 70,000 inbound viruses to their network. He'd also stopped 500 viruses from leaving his network, and spreading to other companies. And he said he was prouder of stopping the 500," Geer smiles.
You can tell that's the sort of interconnected attitude he'd like to see spread.