Q: There are calls to ban all encryption or to require government backdoors in all encryption products.

A: It ain't gonna happen.

Q: You don't think so?

A: Who designs all this encryption? Vendors. It ain't gonna happen. The whole thing about policy is, how do you enforce something like that? They might be able to get away with it with hard devices like a phone, or some kind of encryption products like that that are devices. But in terms of software? No way.

Q: What's the primary obstacle to doing so?

A: It just defeats the purpose. It's the same problem they had with the Clipper Chip and the key-escrow account — that nobody really trusts the government. If you're doing a secure session on the Internet, if I'm doing my credit card, just the fact that the government has a backdoor, it's like, well, I'd just rather not use it. I think the real key is enforcement. To get vendors, to get users to buy into this is just impossible. How would I manage to have two keys, one key for the government and one key for the user? The ability for them to listen in — it would just be a nightmare.

Q: How much do you think having government backdoors for encryption actually makes the encrypted stuff less secure?

A: It's just another vulnerability. The vulnerability is that there is a backdoor now. Security, to a lot of people, is perception. They don't really know about encryption — they just know that, when the blue key is lit, their credit card is protected. Now, you're telling them that there is a backdoor that the government has. The perception, in my opinion, would be lost right away, no matter how easy or hard it is to manage. I think people would kind of lose faith in doing electronic commerce on the Internet — all the stuff they're doing today, which is a reach for a lot of people.

The fact that the government can listen in to your commerce — I know they can already listen in to your phone, but the fact that they can actually tap into your secure sessions, or your e-mail ... E-mail is a perfect example. E-mail is in the clear, typically. They can already do that. A lot of people don't realize that.

Q: What about VPNs?

A: VPNs is another one. VPNs are peer-to-peer connections, so for the government to have a key, they'd have to be in the middle of the stream. And I think it's been a hard enough road to get people to use encryption on the Internet. SSL is very much accepted on the Internet as a means of doing secure transactions. VPN is coming out as a way to, from your home, get into your corporate network transparently. The fact that the government has the ability to sort of have a backdoor to that, I think, would just irk people.

Q: Aside from the issue of perception, how much of a real weakness does having backdoors introduce as a matter of penetration?

A: If I was a hacker, and I knew a lot of people were using SSL and VPNs, that's what I would go after. I would go after that backdoor. I'd take my time I spent on hacking Microsoft and focus it on these protocols people are running. And once I figure out how to subvert the backdoor, I would, of course, publish it to the world. And that's not cool.

If the government says, "We need a backdoor to SSL, and here's how it's going to work," if the hackers figure out a way to subvert that, they can get in without being an authorized user. That is a coup for the hackers.

Q: How possible do you think it is to control encryption, when there are so many other countries producing encryption products?

A: In France, you supposedly can't use encryption, but what does that mean, "can't"? How do they really know what you're doing? They can say you can't have any encryption software in your PC — you turn your back and download something.

Q: What kinds of changes are you seeing in the last week among your clients, in the way they do business or security?

A: To me, it raises the bar on security, but it's going to be a while before they finally buckle down. Everyone is still in shell-shock mode. We're a professional-services company. Our New York office is a shambles, because all the contracts we were going to close are on hold. Some of these guys are gone. Everybody's just shell-shocked. They don't know what to do. We're actually trying to develop some products to do rebuilding, meaning a lot of people are interested in having redundant networks now. If you had something in the World Trade Center, it's gone.

In terms of security, nothing much has changed. I had another call saying they were afraid of hackers, like looting, and I said, "No, they're not." All the hackers are hacking in the Middle East right now. I go on the hacker sites all the time, and the first thing they all say is, "I can't believe what happened — let's go get these guys." They're trying to send a signal over there by shutting them down wherever they can.

Q: Do you thin the sudden increase in attention to security will make a difference in the development of technology — things like VoIP and IP6?

A: No, I really don't. I think those are more political battles than they are technology battles. I think the biggest thing this terrorist thing did was focus on redundancy, business continuity. The biggest assets to companies is people. It's not the computers, it's not the data. This is one of those things where we lost a lot of people. People are trying to deal with that before they even think about adding a new network, or a new server to their farm. What do they do? We actually had a couple of people there, and they got out — but where do you go to work the next day? I think people are mostly dealing with that.

Q: One of the other things in the bill this week is the Carnivore packet-sniffing system. What do you hear about that?

A: I don't have a problem with that. If I knew the government was reading my mail, I'd encrypt it. Then they're going to say you can't encrypt it. Then what are they doing to do? Delete it? Not let it go through? Security, to me, is policy and enforcement. You need to enforce it.

Q: How much do most companies know about data security?

A: Companies say, "I want to put up a firewall to stop you," but they don't really know why they need it. It's a perception thing again, so we need to educate them. What are you trying to protect? What's the value of what you're trying to protect? Is it a network-security problem? Is it an applications-security problem? That's what most things tend to be.

Q: At the applications layer, that's where most cracks are happening.

A: Because you need to allow people onto the platform, you need to allow people onto the network. There are so many holes punched in the firewalls, there are so many VPNs coming in from remote users and extranet partners, that boundaries are dropping. The closest you can put the security to the resource you're trying to protect, the better. If we're going to open up the gates of networks, you need to put the security farther back in the chain. And they're just not doing that yet.

Q: Do you think we're likely to see a reconsideration of how much corporate equipment and network is connected to the open Net?

A: Because of this? No. This is a physical-security issue, like the earlier bombing at the World Trade Center.

Q: Say the government does mandate key escrows or backdoors and is serious about enforcing it. What does that do to installations you've already got out there?

A: Anyone who has encryption software out there is going to have to have an update. There's going to have to be a management mechanism that allows somebody to come in and put a tap in, or the ability to capture the traffic and have a key to unlock it. One of the problems with the Clinton escrow thing was that none of the vendors could agree on how to do it. The government says, "Do it," but they don't tell you how to do it. Nobody could come up with a solution. I think, when it came right down to brass tacks, the industry could not solve the problem ... Everybody just kind of backed off.

Q: But now you have a public climate that...

A: You have a public climate to pass the law. But you don't have the four years it takes to get it out there. This is going to die down.

Q: Is this going to change the way we design the topography of our data network, to make them more redundant and survivable?

A: That technology has been out there — the ability to have hub sites, to do load balancing on the whole network. And a lot of the data centers are remote. They're in Dallas, Virginia, they're not in New York. I don't think they lost a lot. I think on the Internet, in terms of media, the delivery was pretty good.