Since September 11, security has become priority No. 1. What measures are the most effective?

The most important thing you can do is to start paying attention. You need to monitor your security all the time—that is better than any preventive measure. I can prevent yesterday's attacks, but it's tomorrow's attacks that worry me. Those are the hard ones.

And yet there's no shortage of companies selling solutions.

I'm very frustrated by the companies that have been saying, "If you'd just used my product then the World Trade Center incident wouldn't have happened." That's absolute nonsense. That assumes the attackers weren't able to modify their attack. They went out and they tested, they practiced, they saw how security was. If security was different, the attack would have looked different. There is no magic thing I can give you to make you secure, but if you pay attention you're more likely to find what's going on.

In your most recent Crypto-Gram, you wrote: "It's easy and fast, but less effective, to increase security by taking away liberty. However, the best ways to increase security are not at the expense of privacy and liberty." That recalls a recent editorial cartoon depicting someone sitting at a computer screen that displayed two buttons, "Freedom" and "Security," with the caption "Pick One."

Right, but that's not it. That bothers me a lot that people believe that.

Polls suggest that most Americans are willing to give up civil liberties for security.

And they're willing to give it up in this cargo-cult mentality—"If I sacrifice my freedom and go through the motions, I will magically be safe again"—without any thinking about "Am I actually getting safety?" Some of the best security measures don't sacrifice freedoms. Only the sloppy, hasty, and ill-thought-out ones do. Interning the Japanese worked, to some degree it worked, but it's not something we do.

After the attacks, several biometrics companies saw their stocks surge. Can biometrics enhance security?

Putting a biometric scanner on the front door of your building might be a good thing, but using it to find terrorists in a crowd is just plain stupid.

Suppose this magically effective face-recognition software is 99.99 percent accurate. That is, if someone is a terrorist, there is a 99.99 percent chance that the software indicates "terrorist," and if someone is not a terrorist, there is a 99.99 percent chance that the software indicates "nonterrorist." Assume that one in 10 million fliers, on average, is a terrorist. Is the software any good?

No. The software will generate 1,000 false alarms for every one real terrorist. And every false alarm still means that all the security people go through all of their security procedures. The false alarms in this kind of system render it mostly useless. It's the boy who cried wolf increased one-thousandfold.

The question is, of all the things we can do, what are we going to do with limited money, limited resources, etc.? Everything has some use. Grounding all aircraft forever has some use, right? It's actually a pretty good security measure. We have to decide: Do we want to do that? Terrorists use lots of things. They used aircraft, skyscrapers, credit cards, telephones, computers. They didn't use cryptography, it seems. We could ban any one of those things. We could ban box cutters. You just have to decide what's worth banning.