Cybersecurity as Zen Exercise

I am preparing a second edition of my little book The Art of War of Cybersecurity, by Thomas Reynolds.   Most cybersecurity books merely tell about cybersecurity, maybe give some tips and techniques, and overall rely on hope that the reader's ordinary thinking will turn out to be good enough. This book instead, like the original Chinese Art of War, leads the reader through the process of clear-minded cybersecurity thinking. It is useful for individual review, and also for organizational or group use as a knowledge management tool, helping to establish a cybersecurity-aware culture of efficient, productive, shared common understandings.

From the Preface:

[Cover image: bright red with mustard gold lettering and a graphic of symmetrically opposed leaping dragons, created by artist Jim Farr (aka Dauber) in gold leaf.]

"We have to learn to think like the attackers" is sometimes said by people concerned about computing security. That is an expression of people inside a box trying to guess what outside-the-box thinkers might do next. Cybersecurity is a very recent field, considered in terms of the development time lines of more fundamental social and cultural forms. The field does not have even a general, agreed-upon taxonomy.

I have taken seriously various calls for better cybersecurity thinking, and have brought to bear upon the task my own—perhaps unusual in this field—background in thinking about thinking.

The book's Glossary section may be informative to people who are not computing experts.

More information and the book itself are available at bookstore.trafford.com/Products/SKU-000155732/The-Art-of-War-of-Cybersecurity.aspx. (The original URL, stated in the book's front matter, www.trafford.com/07-1219, seems not to work anymore.)

Librarians can efficiently find the US Library of Congress classification via the book's Library of Congress Permalink record. In Canada's AMICUS National Library Catalog, the record is easily found by a brief search.

A nice scholarly version of the original Sun Tzu Art of War is The Denma Group's translation, which aims to reproduce in English as directly as possible the Chinese of the earliest extant original texts. This is useful for anyone trying to work out for him- or herself the original thinking. Information about this translation is at www.shambhala.com/the-art-of-war-156.html. Background materials supporting the Denma translation, including Chinese content of original texts, are available at learn.bowdoin.edu/suntzu.


Whoami

I am an independent scholar and researcher. I have spent much of my life as a student, learning the best information about what interests me. As a result I have multiple graduate degrees. I have never found alluring the idea of publishing just to accumulate a large personal bibliography. What I have published has been aimed to strike at the roots of significant problems, for example in computing and physics. Links to examples are below. I am currently working on questions in sociodynamics, computer science, and physics, as well as on projects in the fine arts.

Other Projects

Time in Physics

A longstanding and presently active interest is the status of time in physics, and related questions about optimal conceptual models. This is relevant to quantum computing, and coheres with my interest in temporal logic. I gave a couple of physics colloquium talks in the USA and Europe in 2010, discussing ways of thinking about time; and in September 2014 I presented a poster on the relation of time and light at the biennial DICE2014 International Workshop "Spacetime - Matter - Quantum Mechanics" in Castiglioncello, in beautiful Tuscany, Italy. The associated Proceedings paper, "Spacetime representation of electromagnetic radiation in a (2+1)-dimensional universe", is in the DICE2014 Proceedings at iopscience.iop.org/1742-6596/626/1/012072. The Proceedings Table of Contents is at iopscience.iop.org/1742-6596/626/1.

At DICE2016 in September 2016 I presented a poster on a different aspect of the overall issue. That paper, "Is Direct Measurement of Time Possible?", is in the DICE2016 Proceedings at iopscience.iop.org/1742-6596/880/1/012066. That Proceedings Table of Contents is at iopscience.iop.org/issue/1742-6596/880/1.

Software (In)security

Software (in)security is an extremely important problem in computing. After all, software is what makes hardware do everything it does. After tiring of seeing and hearing the same legitimate worries about insecure software repeated over and over, I took a more comprehensive look at that entire ecosystem. I arrived at the opinion that systematic change was needed to achieve the goal that programmers be familiar with how to write secure code. But systematic change is not easy, and can result in many unanticipated effects. What I came up with was a definitive proposal which works within currently established systems and is simple to conceptualize. It allows for widespread profitable involvement of diverse stakeholders, plus staged implementation with built-in opportunities for adjustment during both adoption and ongoing functioning.

The essentials of the proposal were stated in my Letter published on page 6 of the December 2010 issue of IEEE Computer magazine, accessible at www.computer.org/csdl/mags/co/2010/12/mco2010120006.pdf, or via the December 2010 issue Table of Contents at www.computer.org/csdl/mags/co/2010/12/index.html.

Simply stated, it is a proposal to institutionalize secure software as an expectation of the global software engineering community, an expectation by that community itself and by the wider social and economic systems which that community serves. This is analogous to the baseline expectation of aeronautical engineering that airplanes should not crash.

The aim is that programmers' basic habits include security awareness from the beginning and in everything they do. This is accomplished simply by requiring that secure coding methods be used in all computer science courses involving programming by computer science majors, and making that a condition of accreditation of the Departments offering those courses. Courses targeted at more focused security knowledge would remain necessary. But any approach less fundamental, uniform, and impartial than requiring basic secure coding everywhere leaves the situation like playing whack-a-mole as problems appear.

After a reasonable amount of time for the requirement and supporting processes to be phased in and for graduates to move into industry, the software ecosystem would contain an expectation that measurable security awareness would be at least in the professional repertoire of college graduates in computer science, and those professional programmers would be role models for all software authors. Communication about security issues would be more efficient and effective as familiarity with the vocabulary, ideas, and attitude of secure coding could become assumed. All this would bring the field of software development into alignment with engineering in general.

Although the immediate response in the December 2010 issue was positive, I have not seen evidence of significant movement to actually implement that proposal or anything similarly comprehensive, maybe because most people are occupied thinking in terms of their own particular pieces of the puzzle. My own attention is occupied with other goals, but the idea stands in case anyone might want to pursue it.

I did lead a session "Learning Secure Coding in College?" at BarCampAlbany in February 2011, discussing my software security proposal and seeking feedback about it from students and programmers there. The feedback was positive. (Barcamps were low key, ad hoc, community events—semi-planned, self-organizing conferences for exchange of information about computing and computing-related topics.) Along with many handouts, I included an index list of URLs associated with those handouts. Although not all of that list should be expected to still be live URLs now, it and a brief summary of the session are available here in case they might save a little effort for someone wanting to learn about developing secure software.

Miscellaneous Other Cybersecurity

A major question in the fully connected world is the question of the extent to which one's computer or smart device camera(s) and microphone(s) are really under one's own control. As is now well known, the answer to that question is: "Not as much as most people want." At the 2015 Privacy Enhancing Technologies Symposium, PETS2015, in Philadelphia, Pennsylvania, https://petsymposium.org/, I gave a rump session short talk presenting an ad hoc, least-effort tactic to protect one's privacy in that regard. It is simply to put a piece of cheap, convenient, ubiquitously available, easily removable and replaceable, "invisible" scotch tape over the microphone or camera lens when it is not being used, which for most people is most of the time.

At PETS2017 in Minneapolis, Minnesota in July 2017, https://petsymposium.org/, my rump session talk briefly reviewed observations of myself and of others using the tactic I had presented in 2015. I concluded that an optimal solution to the problem actually would be a simple physical switch, physically interrupting power to built-in cameras and microphones. Convenience certainly would be much better than with maintaining pieces of tape over the camera lens and sound sensors, and assurance would be very much better than for software-mediated switches. Purism, https://puri.sm/, a company which has spent years thinking about, designing, and then actually manufacturing hyper-secure equipment, sells their computers and phones with such built-in physical switches.

A presentation I gave a while ago, in 2011, highlighted a cultural issue which remains significant. It was focused on the problem, in cybersecurity, of practicing what we preach. I gave it at the 2011 Symposium on Usable Privacy and Security, SOUPS2011, at Carnegie Mellon University. (cups.cs.cmu.edu/soups/ for the 2011 and other old symposia; www.usenix.org/conferences/byname/884/ for the symposia now that SOUPS is under the aegis of USENIX.) This was a Lightning Talk, a compact statement of a problem. I began by giving the audience—composed mainly of technical cybersecurity researchers and practitioners—a very quick overview of the fundamental elements of a sociological understanding of the world{1}. I noted the importance of building a consistent, broad social culture for computing and information security if we really want to achieve private and secure experiences for all users. This includes ourselves being role models for behavior within a cyber-secure culture. Then I brought the audience's attention to the lack of secure https web registration for SOUPS2011 itself, and noted that apparently I had been the only registrant to try to avoid that insecurity. My few slides make more sense with my scripted brief remarks. Both are available here.

{1}  I once studied, and maintain a continuing interest in, formal mathematical sociology, and find it relevant to my cybersecurity interests. A comprehensive basic introduction to this field, written a few decades ago but still valuable, is Mathematical Sociology by Thomas J. Fararo, with whom I once studied.


And I always enjoy doing a little photography (I will add some new ones to these, but I am too busy right now):

Northeast Autumn: A photo looking up through bright yellow, orange, and red autumn leaves of a sugar maple tree, to a clear blue midday sky, in the Northeastern United States in Autumn.

Lake George Shore: A photo looking out to a shining, rippled, blue lake, through tree trunks and leaves silhouetted by the bright sun over the lake, in Autumn in upstate New York in the United States.

Westerwald Germany Abandoned Quarry: A photo of a small pond in an abandoned quarry in the Westerwald, Germany, with brightly lit thin grasses in the foreground at the image sides, lily pads and blossoms behind the grasses in the image middle, and low-hanging dark green tree leaves bordering the back of the pond at the image top edge.

Bulguksa, Gyeongju: A photo of some traditional tiled roofs, both near and distant, in a several-hundred-year-old Buddhist temple area in Korea, during a light, misty rain, the curved shapes and linear forms standing out visually and texturally from summer tree leaves and a high wall made of large stones.

Namsangol, Seoul: A photo of a few traditional structures in an old upper-class housing compound historical park area in Seoul, Korea; visible in the distance, through a roofed gateway in a low stone wall, is a teacher photographing a small group of young children.

Fujisan From Peace Park Temple, Gotemba: A photo of Fujisan (Mt. Fuji) in the far distance, on a hazy summer day, viewed from a relaxed position within an open, paved area of the grounds of a modern Peace Park Buddhist temple in Japan.

Nara Shrine: A photo of a Shinto shrine by a path in the woods at Nara in Japan, the red, wooden components of the shrine dominating the image.

Sendai Train Station: A photo of a salaryman about to decide to enter the more upscale of two small restaurants side by side, with the usual displays, in the main train station in Sendai, Japan, an image in which no faces are quite visible.


© Page and images copyright Thomas Reynolds 2022.

Comments about this website are welcomed and can be sent to tracm2(*the_usual_"at"_symbol*)acm.org.  Please prefix the email subject line with "WEB".

URL: cogitage.pairsite.com/         This page is always Under Construction.