Working Up

Working Up in Project Management, Systems Engineering, Technology, and Writing


Software Security and the Numbers Game

November 22nd, 2010

by Dwayne Phillips

I often see claims that software systems will be secure, i.e., only authorized people will be able to see the information. Just as often I see cases where “secure” software systems are broken and the data are spilled onto the floor for all to see. Why? I believe it is a simple numbers game.

All minds are not created equal. There are some of us who are much smarter than me. Folks like me, however, like to think that there is some sort of average mind out there (and of course I am a little to the left of the average mind). Given the great average mind, what makes the difference among groups of people is which group is larger. On average, we like to think, 50 average guys have more brainpower than 20 average guys. I am sure there are cases where one brilliant person can outperform 50 average persons. Those cases, however, are exceptions.

Now let’s discuss software security. Consider WiFi access on commercial airplane flights. The nice airlines didn’t want people to be watching “objectionable” materials on the Internet. Such material would offend some of the paying customers. Hence, the airlines put “filters” in their systems that would block the objectionable material. People broke through those filters the first morning.

How did they do it? Simple – the numbers game. The number of people trying to break through the filters was much greater than the number of people building the filters. In math, it looks like this:

# of filter breakers >> # of filter makers

The symbol “>>” reads, “is much larger than.”

Why not just increase the number of filter makers? It costs too much. How did the number of filter breakers become so large? There are a large number of programmers (potential filter breakers) out there. A large enough percentage of these potential filter breakers found the challenge issued by the airlines too great to resist.

Let’s move to online election software. It is “secure,” right? I mean, there are programmers who write the election software and put in security features, right? Yes, there are. And as with the airline filters:

# of security breakers >> # of security makers

Let’s move on to the promised day when everyone’s health records will be available (via the Internet, what else?) to any doctor (with the right passwords) anywhere. These health records will be secure. What are the odds that

# of security breakers >> # of security makers???

There is the wish that a few of the security makers are brilliant, and their brilliance will be enough to overcome the large numbers of average security breakers. Let’s consider that for a moment. National electronic health records will be a government project. How often do we see individual brilliance on government projects? Oh well, it was a thought.

Tags: Fun · Programming · Security · Systems
