Bruce Schneier visits the University
We had a visit this weekend from Bruce Schneier, as part of the ongoing EPIIC project here at the University. I missed the panel discussion yesterday due to a prior commitment, but at the urging of a professor (multiple emails to the class list), I figured out which building on campus would hold the second “break-out session” (for CS students only) and got myself over there on a Saturday morning. (Saturday morning isn’t much of a feat. It’s finding a building on campus which isn’t either the CS building, the library, or one of the hidden corners associated with MPOW which is difficult.)
The students there were from my security class and a cryptography class being taught this semester as well, using one of Schneier’s books. The professor in attendance (from the crypto class) implied that the former was a grad class and the latter an undergrad course, which was an interesting characterization considering that I’ve not seen much sharp division in the catalog; most of my classes so far have been mixed.
Schneier implied that missing the panel he’d been on hadn’t been a big loss due to a pretty scattered subject matter, and only rehashed a few points from it, one of them having to do with the old security theory about risks and mitigation: one considers the cost of “getting whacked,” multiplies it by the annual probability of an incident, then compares that with the annual cost of mitigation. If mitigation is cheaper, you invest in prevention; otherwise, you accept the risk. He pointed out that in the case of terrorism, the cost is enormous—nearly infinite, in fact—while the probability is close enough to zero that it’s much smaller than the rounding error in any available statistics. Someone implied yesterday that the result of this math was zero; Schneier’s contention is that in fact it is whatever you want it to be: a little fudging with the data gives a massive change in the result. “People win the lottery every week,” he reminded us, “but statistically, nobody ever wins.” His suggestion is aggregating risks until there are enough numbers to work with.
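The risk arithmetic above (expected annual loss = cost of an incident × annual probability, compared against the annual cost of mitigation) is easy to state and just as easy to bend. As an added illustration, not from the post or from Schneier, the following Python runs that comparison on constructed numbers and then shows the two points made in the talk: that for a rare, enormous loss the decision flips within the error of the probability estimate, and that aggregating many small risks into a portfolio gives a number you can actually act on. All dollar figures and probabilities are made up for the example.

```python
"""Annualized risk arithmetic: expected loss vs. mitigation cost.

Added example; the risks, dollar amounts and probabilities below are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float              # cost of "getting whacked", in dollars, per incident
    annual_probability: float  # estimated chance of one incident in a year
    mitigation_cost: float     # annual cost of preventing it

    def expected_annual_loss(self) -> float:
        """Cost of an incident multiplied by its annual probability."""
        return self.impact * self.annual_probability

    def worth_mitigating(self) -> bool:
        """Invest in prevention only when it is cheaper than the expected loss."""
        return self.mitigation_cost < self.expected_annual_loss()


def break_even_probability(impact: float, mitigation_cost: float) -> float:
    """Annual probability at which mitigation exactly pays for itself."""
    return mitigation_cost / impact


def decision_sensitivity(risk: Risk, factor: float) -> tuple[bool, bool]:
    """Re-run the decision with the probability divided and multiplied by `factor`.

    Returns (decision at the low estimate, decision at the high estimate).
    A (False, True) or (True, False) result means the estimate, not the
    arithmetic, is deciding the outcome.
    """
    low = replace(risk, annual_probability=risk.annual_probability / factor)
    high = replace(risk, annual_probability=risk.annual_probability * factor)
    return low.worth_mitigating(), high.worth_mitigating()


def portfolio_expected_loss(risks: list[Risk]) -> float:
    """Sum expected losses across many risks that one control would cover."""
    return sum(r.expected_annual_loss() for r in risks)


def aggregate_decision(risks: list[Risk], shared_mitigation_cost: float) -> bool:
    """Decide on a shared control against the aggregated expected loss."""
    return shared_mitigation_cost < portfolio_expected_loss(risks)


# Constructed sample risks.
# A routine, well-measured risk: decision is stable under a 2x estimation error.
SERVER = Risk("server outage", impact=200_000.0, annual_probability=0.05,
              mitigation_cost=4_000.0)

# A rare, enormous loss: the probability is far below what any statistic can
# resolve, so a 100x "fudge" in either direction changes the answer.
RARE_CATASTROPHE = Risk("rare catastrophe", impact=1e12, annual_probability=1e-9,
                        mitigation_cost=10_000.0)

# Fifty small risks; none justifies its own control, but together they do.
PORTFOLIO = [
    Risk(f"workstation-{i}", impact=100_000.0, annual_probability=0.002,
         mitigation_cost=6_000.0)
    for i in range(50)
]


if __name__ == "__main__":
    for r in (SERVER, RARE_CATASTROPHE):
        print(f"{r.name}: expected loss {r.expected_annual_loss():,.0f}/yr, "
              f"mitigate={r.worth_mitigating()}")
    print("server, 2x error:", decision_sensitivity(SERVER, 2.0))
    print("catastrophe, 100x error:", decision_sensitivity(RARE_CATASTROPHE, 100.0))
    print("break-even probability for the catastrophe control:",
          break_even_probability(1e12, 10_000.0))
    print("any single workstation worth it:", any(r.worth_mitigating() for r in PORTFOLIO))
    print("portfolio expected loss:", portfolio_expected_loss(PORTFOLIO))
    print("shared control at 6,000/yr worth it:", aggregate_decision(PORTFOLIO, 6_000.0))
```

The `decision_sensitivity` check is the practical takeaway: before trusting a cost × probability result, scale the probability by whatever uncertainty the estimate really carries and see whether the decision survives. If it does not, the portfolio view in `aggregate_decision` is usually the only way to get a defensible number.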
His continuing theme for the talk was that people don’t understand how to think about security. He cited Ross Anderson in particular, and the idea that programmers code for “Murphy’s computer” (preparing for anything which could go wrong) instead of “Satan’s computer” (where there’s an intelligence looking for the one worst thing which could go wrong). The fact that an attacker can survey the defenses and then pick the weakest spot should always be kept in mind when analyzing any security efforts, and it really highlights the futility of efforts like “protecting the Olympics” and so on.
He also suggested that “educating the users” wasn’t going to be a good security solution because there’s no good message to educate them with. The “right thing to do” from a security standpoint keeps changing, so the messages from the user-education sources will keep changing, and the users aren’t likely to learn any of them. Not a great situation.
It wasn’t a revelatory experience, but I was glad I spent the time to go; it was a refreshing new perspective on the things we’re discussing in class.
Now Playing: Old Time Sake from Back to Me by Kathleen Edwards