Shostack + Friends Blog Archive


Security is an Empirical and Social Science

In reading Mordaxus’ post “Quantum Crypto Broken Again,” I was struck by his comment:

It is a serious flaw because one of the main arguments about quantum cryptography is that because it is “physics” based as opposed to “computer” based, that it is more secure than software cryptography.”

Firstly, security is almost always an outcome of the combination of science, engineering and the socio-legal context in which the engineering is deployed. Let’s assume that the science and engineering on the SUX-8000 Quantum Key Distributor are perfect, and the SUX has t three lights: power, carrier and tampering. When the tampering light starts blinking, one of two things can happen. First, Alice will continue to use the bits, because her operations manual doesn’t say what to do. Alternately, she’ll call Bob and say “Hey Bob, is your SUX blinking red?” At this point, we’re out of the realm of unobservable spin (or perhaps not–quantum crypto does seem to involve a tremendous of spin which is hard to interact with). But then we’re out of the realm of particle spins and into the realm of human activity which gives meaning and relevance to the physics.

I’m not going to delve into the physics of it. I know enough to know that I don’t play there. But I can listen and understand people who play at the engineering level. There are issues with the orientation or changes in orientation of the mirrors, or with bursts of unexpected photons down the fiber, and these lead to a whole slew of attack vectors which may or may not be practical. The quantum cryptographers call these cheating. I call them security engineering.

Finally, on the socio-legal level, what action Alice and Bob take is first determined by their personal relationship. If they’re husband and wife, they might have some spare bits available from last time they were in the same place. If they’re co-workers, perhaps they have a boss who can help them get secure bits. But maybe Alice works at a stock exchange, and Bob at a bank. There might be some urgency, and there might also be economic or legal consequences to shutting down the communication lines.

This is one of the key points Andrew and I made in the New School: that the technology is embedded in a human context, and we need to examine it as such. That idea is embodied in a paper by my friends Sarah Blankinship, Tomasz Ostwald and Jon Pincus, “Computer Science is a Social Science.” (Link points to a draft, a fuller version is forthcoming.)

Claims that a technology is secure absent the social and legal contexts which give security meaning are no longer just irksome: they actively detract from progress in the field.

5 comments on "Security is an Empirical and Social Science"

  • Gunnar says:

    “I don’t do defense; I do security. When you talk defense, you talk containment and mutually assured destruction. When you talk security, you talk collaboration and networking. This is the future.”
    -Tom Barnett

  • shrdlu says:

    I’d be one of the first to agree, with one caveat: you have to be careful not to replace technology hacking with people hacking. “If we just use the right models, how can we make humans behave the way we want our technology to behave?”

  • “every day, computers are making people easier and easier to use”.
    I’d extend this outside of the computing realm into the financial world too – e.g. that risk management is a social science, not a financial science, and that those who are trying to model risks just with spreadsheets or numerical algorithms are deeply out of touch with the underlying assumptions that will bite them (are biting them) when the time comes.

  • Nice post. Security has many definitions. Anyone familiar with the NSA knows that they have historically recruited Poli Sci graduates for a reason. The social side of science is most relevant when dealing with humans. However, risk management does not always need to involve the human element and it is best to avoid going to extremes in either direction.

  • “When you talk defense, you talk containment and mutually assured destruction. When you talk security, you talk collaboration and networking.”
    What kind of nonsense is that? Sounds like someone either really confused or stuck in an old rusty and threadbare Cold-War paradigm.
    Defense definitely does not imply “mutually assured destruction”. That is a rare and extreme form of defense where limited control options are available.
    For example in football (soccer to some) defense involves collaboration and networking. Defense in health involves extensive collaboration and networking. Hobbes and Locke argued that self-defense is the highest necessity in pursuit of security. So philosophically when you talk security you will eventually talk defense.

Comments are closed.