crypto and security
I just finished Neal Stephenson’s 900+ page book Cryptonomicon. I’ve since (and during the long read) been dwelling more on information security. Even though the book is fiction, it points out that there has been this hidden effort of espionage and information gathering long before the NSA’s recent accomplishments.
The book’s an epic story in two timelines, mixing historical events with fictitious ones. There are fictitious interpretations of real people and unreal characters. It spans Europe, North America and East Asia during the Second World War and the end of the ’90s. There’s Alan Turing and Douglas MacArthur. Reagan and Yamamoto make an appearance, as do the world’s first digital computers.
The book’s main theme is cryptography, information security and wartime intelligence. There’s a bunch of characters, and some of them represent a regular dude’s viewpoint from the ’40s and ’90s. And then there are the autistic nerds as well. Wartime depictions are mostly about espionage and counter-intelligence, whereas the modern era deals more with computers, data storage and traces, digital signals and underwater cables. There are a lot of seemingly irrelevant pages in those 900 that go into detail about warfare, colonial history, diving and so on.
The whole thing somewhat reminded me of Michael Douglas’s character in the movie Wonder Boys. His character, a writer, cannot make decisions in writing his book. He’s in the midst of writing a 3000+ page book with similar, ridiculous details. Unlike him, Stephenson manages to keep his details sufficient and not overbearing.
It’s definitely the longest book I’ve read, but it wasn’t boring at all. Some of the detailed stuff in there is quite geeky, and perhaps easier for me to digest. This genre has potential for serious cheesiness, especially in the IT-related stuff from the late ’90s. But to my surprise, there was none of that. Stephenson avoids those Hollywood hacker clichés and sticks to realistic but not-so-cool facts.
Cryptonomicon goes into great detail on analog (pre-computer) encryption and code-breaking during the forties. It’s easier to envision regular people dealing with randomness, encryption keys and security when everything wasn’t so complicated yet. The main characters working on cryptography are described as somewhat autistic, which I suppose has its roots in reality. I did go and look for some basic cryptography lessons at Coursera, and soon enough found myself in the deep waters of math and probability theory.
Regular things like public/private keys become more understandable when their origins in the manual processing of messages are described in detail. Today, the process is identical, but automated. That automated convenience is what makes security issues so vague and effortless for most people, and therefore too easy to disregard or forget.
All this reignited my interest in the cryptography and security field. For example, I’ve subscribed to Bruce Schneier’s Crypto-Gram newsletter for a year or so, but never took the time to properly read the issues. I started properly reading them, and have since gone back and read some of the older ones. Surprisingly enough, Cryptonomicon had an appendix by Schneier himself, in which he detailed how he created a cipher based on a deck of cards for the book.
This is yet another field one can invest in and never stop learning. It’s one of those topics that is supplementary to my daily hurdles with programming, and therefore would be useful to learn more in depth. But it’s one of those things of our time: everything has become so complex that thorough knowledge of a subject requires a lifetime of study. Partial knowledge is still helpful, though, and common sense and best practices can fill in the rest.
levels of security
What’s disheartening about information security is that there is always someone with more time than you to work on your vulnerabilities. Investment in security is also somewhat hard to estimate. It’s difficult to tell if you’ve overspent on security, as the line between too much and enough is invisible. Less than enough is of course easy to distinguish, but by the time that line has been established, the situation might already be catastrophic.
Heightened security usually has a drawback in some other area: for example, lessened usability or convenience, or reduced privacy. The gained security should outweigh the inconveniences it generates.
Lastly, once more from Schneier, on [how to think about security](https://www.schneier.com/crypto-gram/archives/2002/0415.html#1):
- What problem does it solve?
- How well does it solve the problem?
- What new problems does it add?
- What are the economic and social costs?
- Given the above, is it worth the costs?