Passivity vs. Security

Wednesday, April 10, 2013

Security expert Bruce Schneier describes an amusing example of a student quickly and elegantly eviscerating a cryptographic scheme his teacher had used in his classes for years. (The instructor encoded letters of the alphabet by means of the phone numbers of individuals whose last names started with them.)

I still use this example, with an assumption that there is no reverse look-up. I recently taught it to my AMSA students. And one of my 8th graders said, "If I were Bob, I would just call all the phone numbers and ask their last names."

In the fifteen years since I've been using this example, this idea never occurred to me. I am very shy so it would never enter my mind to call a stranger and ask for their last name. My student made me realize that my own personality affected my mathematical inventiveness.

Schneier holds this out as a "great example" of what he calls "the security mindset". Needless to say, this made me curious as to what, exactly, he meant by "security mindset", and whether he was speaking of the student or, perhaps, the professor (and, by doing so, making some kind of sarcastic comment on the general state of his field).

He was speaking of the student, and I found what he called the "security mindset" as well as what he had to say about it very interesting.

Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it.


... Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. ...


That part's obvious, but I think the security mindset is beneficial in many more ways. If people can learn how to think outside their narrow focus and see a bigger picture, whether in technology or politics or their everyday lives, they'll be more sophisticated consumers, more skeptical citizens, less gullible people. If more people had a security mindset, services that compromise privacy wouldn't have such a sizable market share -- and Facebook would be totally different. Laptops wouldn't be lost with millions of unencrypted Social Security numbers on them, and we'd all learn a lot fewer security lessons the hard way. The power grid would be more secure. Identity theft would go way down. Medical records would be more private. If people had the security mindset, they wouldn't have tried to look at Britney Spears' medical records, since they would have realized that they would be caught. [bold added]

I think that what Schneier is describing is what Ayn Rand would have called an active mind. (She might have called "closed" and "(wide) open" minds two sides of the mental passivity coin.) He is focused on matters of security for the most part, but note that he sees this kind of integrative functioning as more broadly applicable than just his particular field, and not just because people can and should think more actively about their own privacy and security.

-- CAV
