📰 🔐 Complexity, Assurance, and Airplanes

Recent tweets from the President have brought the issue of complexity to the front of the news cycle. In response to the second crash of a Boeing 737 Max 8 Jet, the President tweeted:

Airplanes are becoming far too complex to fly. Pilots are no longer needed, but rather computer scientists from MIT. I see it all the time in many products. Always seeking to go one unnecessary step further, when often old and simpler is far better. Split second decisions are needed, and the complexity creates danger. All of this for great cost yet very little gain. I don’t know about you, but I don’t want Albert Einstein to be my pilot. I want great flying professionals that are allowed to easily and quickly take control of a plane!

So is the President right or wrong? Before I answer that, let’s explore the question of complexity and the risk that it brings. Any cybersecurity expert worth their salt can tell you the three characteristics of a reference monitor:

  1. Always invoked / non-bypassable.
  2. Tamper-proof.
  3. Small enough to be easily understood and evaluated (and, as the old advice goes, never eat at a place called “Mom’s”).

Why is that last point there? Simply, because complexity is the enemy of assurance. We’ve all heard of “feeping creaturism” (the Jargon File’s spoonerism for creeping featurism): the way software vendors keep adding features to sell a product instead of fixing known problems and making the product more reliable. This happens because adding features sells products, while adding assurance does not. But the more features and capabilities you put into the code, the less assurance you have in its correctness. Logically, this makes sense: each feature has multiple inputs and options, each creating a new path through the code, and the number of paths grows combinatorially with the number of features, so very quickly it becomes impossible to test them all. Simpler code means fewer code paths, meaning more reliability. Complex code is code that was never tested in every possible situation, and as Hoare pointed out, once you find the first bug, you have an infinite number.
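To make the code-path argument concrete, here is an added example (mine, not from the original post) in Python. A toy controller has five feature flags, each harmless on its own, and one safety invariant: the output never exceeds a bound. Testing each feature in isolation passes; only walking every one of the 2^n flag combinations finds the failure, and the walk is only affordable because n is tiny here. The flags, the sample readings, the bound and the bug itself are all constructed for the illustration.

```python
from itertools import product

# Five independent feature toggles; each adds a branch to the control path.
# Names and behaviour are constructed for this example.
FLAGS = ("limit", "dampen", "boost", "deadband", "failsafe")
SAFE_BOUND = 12.0                                 # invariant: |correction| <= SAFE_BOUND
READINGS = (-20.0, -5.0, 0.0, 0.5, 5.0, 20.0)     # constructed sample sensor readings


def controller(reading, flags):
    """Toy control function mapping a sensor reading to a correction.

    Each flag is fine by itself. The invariant only breaks when 'dampen'
    and 'boost' are both on while 'limit' and 'failsafe' are both off:
    two gains stack on an unclamped input and nothing clamps the output.
    """
    if flags["limit"]:                            # clamp the raw reading
        reading = max(-10.0, min(10.0, reading))
    correction = 0.0
    if flags["dampen"]:
        correction -= 0.5 * reading
    if flags["boost"]:
        correction -= 0.5 * reading               # stacks with dampen
    if flags["deadband"] and abs(reading) < 1.0:
        correction = 0.0
    if flags["failsafe"]:                         # final clamp on the output
        correction = max(-SAFE_BOUND, min(SAFE_BOUND, correction))
    return correction


def violates(flags):
    """True if any sample reading drives the output past the safe bound."""
    return any(abs(controller(r, flags)) > SAFE_BOUND for r in READINGS)


def single_feature_configs():
    """The 'test each feature' suite: all-off, then each flag on by itself."""
    configs = [{f: False for f in FLAGS}]
    for on in FLAGS:
        configs.append({f: (f == on) for f in FLAGS})
    return configs


def all_configs():
    """Every combination of flags: 2**len(FLAGS) of them."""
    for bits in product((False, True), repeat=len(FLAGS)):
        yield dict(zip(FLAGS, bits))


def configuration_count():
    """How many configurations an exhaustive walk must cover."""
    return 2 ** len(FLAGS)


def failing(configs):
    """Names of the flags that were on in each configuration that violates."""
    return sorted(tuple(f for f in FLAGS if c[f]) for c in configs if violates(c))


if __name__ == "__main__":
    print("per-feature tests failing:", failing(single_feature_configs()))
    print("configurations to cover exhaustively:", configuration_count())
    print("exhaustive tests failing:", failing(all_configs()))
```

The per-feature suite reports nothing wrong; the exhaustive walk finds the two configurations (with and without the irrelevant deadband flag) where the gains stack. Add a sixth flag and the exhaustive walk doubles; add thirty and it is gone as a practical option, which is the point of keeping the trusted core small.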

We are adding more and more complexity to the software we use every day. Remember the Toyota unintended acceleration problem? That turned out to be a software bug (Toyota blamed floor mats, but updated the software at the same time) arising from a rare, complex interaction. Cars today have even more software, with sensors monitoring everything for safety. Most of the time it works, but there have been cases where software errors caused problems: Subaru, in fact, just issued a recall to fix the software on the head unit that drives the rear camera.

Airplane software is equally complex. When the Airbus jets first came out, they were revolutionary in being “fly-by-wire”: instead of mechanical linkages and hydraulic lines running from the cockpit controls to the rudder and wing surfaces, the pilot’s inputs became electrical signals that flight computers interpret before commanding the actuators at the other end of the plane. Many people didn’t trust fly-by-wire and would only fly Boeing. It took years of safe service to convince the public, and now most new airliner designs use fly-by-wire (the 737, Max included, is a notable exception: its primary flight controls are still largely conventional).

So, are airplanes too complex to fly? Airplanes are controlled by software, and that software is very complex. But statistically, airplanes are safer than they were in the days when there were only simple physical controls. Similarly, cars are more complex, but they are statistically safer than vehicles from the 1950s and 1960s.

But that doesn’t mean complexity doesn’t cause problems. In fact, it looks like Boeing is already adjusting the system in the Max series that commands nose-down trim: instead of relying on a single angle-of-attack sensor, it will cross-check multiple sensors.

Now, let’s go to the second part of Trump’s statement: do you need a computer scientist from MIT to fly a plane? Flying a jet — even an older one like a Boeing 707 — is very different from flying a private two-seater Cessna. The number of systems that must be monitored is immense, and you need a strong understanding of the physics of flight. You don’t need to be a computer scientist — after all, you’re not programming the systems — but you do need to be comfortable with technology and have a strong understanding of physics. Given the choice, you want a pilot with lots of experience (and no mental problems) flying the plane, not a rookie MIT computer scientist. However, you might want that scientist writing the software.

Lastly, there is one other assertion in Trump’s tweet to address: “old and simpler is far better.” No, it isn’t. Old and simpler — in both technology and people — cannot grasp the complexity of today’s split-second world. You want someone nimble, who truly has a deep understanding of the system. You want someone with years of experience with that technology at the helm.

Yes, those last two sentences were an allusion. As was the point that you need a pilot with no mental problems.


📰 🔐 Cybersecurity: News and Sausage to Chew Upon

I haven’t done a news chum post in a while, and the articles of interest are accumulating. So here’s a collection of articles that caught my eye, all dealing with cybersecurity:

  • Password Managers. Recently, there was an article about vulnerabilities in common password managers, the gist of which was: all password managers are vulnerable to attack. Many people took that as an excuse to trigger their risk aversion and run away from password managers. Bad thing to do. The attacks in question all required access to the memory of the machine in question (physical access, or malware already running on it); vaults in the cloud were not affected. Further, if an attacker already has that level of access to your machine, a complicated attack to recover a residual password from a buffer is the least of your worries. This is a clear example of people not understanding the risks. The upshot: use password managers. They make it easy to use longer, more complex passwords, and they encourage one unpredictable password per site. They are much more secure than algorithmic generation by humans, or writing things down.
  • Choosing Good Passwords. Another password-related article looked at the surprisingly common password “ji32k7au4a83”. This is a good example of why a password that looks strong might not be. In this case, the password turned out to be the Latin-letter keystrokes you get when you type the Chinese for “my password” (我的密碼) on a Taiwanese Zhuyin keyboard. I could imagine similar problems for Hangul, or possibly other input methods. This is yet another argument for using password generators (I recommend LastPass, but other good tools are the XKPasswd generator and the nonsense word generator… and for good measure, the username generator from LastPass, if you don’t want to have the same username everywhere).
  • I Am Not A Robot. Some of us remember the days when everyone used a CAPTCHA that required you to recognize distorted letters and type them in to prove that you were not a bot. You don’t see those very much anymore. You may see tests that require you to recognize what is in images, but even those are getting fewer. That’s because it is getting harder and harder to prove you are not a robot, and CAPTCHAs are having trouble keeping up. Some days, it seems that the only thing computers can’t reliably recognize is porn (but then again, neither can humans, and imagine the CAPTCHAs). What you do see is a simple checkbox: “I am not a robot”. But why does something so simple work? There’s actually a great explanation, which involves all the information your browser exposes, and all those tracking cookies you don’t think about, that a bot does not have. Who knew?
  • Forgetting the Past. Recently, Gene Spafford (a grey-beard I know well from the days of USENET) visited the RSA conference. His reaction was very interesting, and reflected the feeling that many of us grey-beards and CBGs and other professional old-codger terms have: the youth of the cyber industry have forgotten what was done in the past. I’ll note that luckily, the people behind the Annual Computer Security Applications Conference haven’t, and we are starting to plan the 2019 Conference (web pages should be updated soon) that will include both new research, and reach-back into the relevant history. We’ll be doing our 2nd year in San Juan PR in December; mark your calendars now.
  • Listening and Privacy. We often use our computers thinking we’re the only ones who see what we are typing, just as we talk in public as if we are the only ones listening. Both are pretty far from the truth. Hopefully, you know that most public wireless access is not secure, and the best way to secure it is through the use of a VPN. A Virtual Private Network makes sure that communication between your computer and a trusted endpoint is secured; beyond that endpoint, your traffic is only as protected as the destination site’s own encryption (TLS), whatever the VPN vendor’s marketing claims. How much can you trust them? It depends on the VPN you choose, as some are better for privacy than others. But what about the real world? When you discuss things on the bus or the subway, how secure are you? Not very. One instructor gave their students an interesting assignment: find out as much as you can about the stranger sitting next to you on the bus, using only public information. They found out quite a bit by listening to the public side of phone conversations, looking at visible screens, and noticing other aspects of the person. Sherlock Holmes in the wild. But that’s not the only risk. It turns out that your hard disk might be eavesdropping as well. Sound waves create tiny movements of the disk heads, which show up in the drive’s own head-positioning feedback (the servo’s position error signal) and can be read back out as audio. So when will those concerned about eavesdropping move to SSDs to get rid of that risk?
  • AntiVaxxers and Cybersecurity. A meme has been going around asking why we are willing to inoculate our computers against viruses and malware, but not our children. As memes go, it makes an interesting point, but it misses some of the differences between computers and the human immune system. Vaccines are a great example of how we train our immune system to work for us by exposing it to the potential malware, in a neutered form, so it learns to recognize the real thing. Traditionally, humans have been great at this: that’s why babies crawl around and put things into their mouths; the exposure makes the immune system stronger. In fact, our current antiseptic and germaphobic environment has both weakened our immune response and trained it to overreact. So yes, pick your nose and eat it, but not in public where anyone can see you. But I digress. Think about this in terms of computers. We install an anti-virus or anti-malware program; this is the equivalent of installing an immune system in our computer. But the success of that system depends on the collection of malware signatures that it downloads regularly. These signatures are benign fingerprints (hashes and byte patterns) of malicious code that allow it to be identified without any of it being run. Exposure to those benign snippets is vital if our computer immune systems are to work and the system is not to be lost. Similarly, vaccines allow our natural anti-virus mechanisms to recognize the malware that try to invade us, and more importantly, they protect those systems that, due to specialized wetware, cannot install the anti-virus. In short: vaccinate your kids and yourself to protect those around you, as well as yourself.
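The two password items above (password managers, and why “ji32k7au4a83” looks strong but isn’t) share one practical lesson: a strength meter that only counts characters and character classes can be fooled, while a check against known-compromised passwords cannot. Here is an added example in Python, mine and not from the original post or any of the tools it recommends. The breach corpus is constructed and tiny; the lookup is shaped like the k-anonymity range query that real services expose (only a five-hex-character hash prefix ever leaves the client), but nothing is contacted, and the generator is the kind of uniform CSPRNG draw that a password manager does for you.

```python
import hashlib
import math
import secrets
import string

# Constructed breach corpus standing in for a real breached-password list.
# "ji32k7au4a83" is included because it really does appear in breach data.
BREACHED = ["password", "123456", "qwerty", "letmein", "ji32k7au4a83"]


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index shaped like a k-anonymity range API: 5-hex-char prefix -> set of 35-char suffixes.
BREACH_INDEX = {}
for _pw in BREACHED:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def naive_entropy_bits(password):
    """Character-class heuristic, the kind of 'strength meter' that rates
    ji32k7au4a83 as strong: 12 characters drawn from a 36-symbol pool."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def range_query(prefix):
    """Simulated server side of a k-anonymity lookup: it only ever sees the prefix."""
    return BREACH_INDEX.get(prefix, set())


def is_breached(password):
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def assess(password):
    """Breach membership overrides any entropy estimate."""
    bits = naive_entropy_bits(password)
    if is_breached(password):
        verdict = "reject: found in breach corpus"
    elif bits < 60:
        verdict = "weak"
    else:
        verdict = "ok"
    return {"bits": round(bits, 1), "breached": is_breached(password), "verdict": verdict}


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate(length=20):
    """Generator-style password: uniform draws from the OS CSPRNG, so the
    entropy estimate is real rather than a guess about human habits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("ji32k7au4a83", "correct horse battery staple", generate()):
        print(f"{candidate!r}: {assess(candidate)}")
```

The heuristic awards “ji32k7au4a83” about 62 bits, which most meters would call strong; the breach check rejects it anyway. The order of checks in `assess` is the point: breach membership is a hard fail regardless of the estimate.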
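On the last item’s point that signatures are benign fingerprints rather than live malware, here is an added example in Python (mine, not from the original post or any anti-virus product) of the two simplest signature kinds and how they differ. The sample “files”, the payload bytes and the signature names are all constructed; the wildcard hex pattern follows the same idea as a YARA hex string. Neither signature contains anything that can run, yet both identify the sample, and only the pattern survives a repack that changes one operand.

```python
import hashlib
import re

# Constructed samples standing in for files on disk. PAYLOAD_B is the same
# code shape as PAYLOAD_A with one 4-byte operand changed, as a repacked
# variant would be.
PAYLOAD_A = b"\x55\x89\xe5\x68" + b"\x01\x02\x03\x04" + b"\xe8\x00\x00\x00\x00"
PAYLOAD_B = b"\x55\x89\xe5\x68" + b"\xaa\xbb\xcc\xdd" + b"\xe8\x00\x00\x00\x00"
SAMPLES = {
    "clean.bin": b"MZ" + b"hello, world" * 4,
    "evil.bin": b"MZ" + b"\x00" * 16 + PAYLOAD_A,
    "evil_repacked.bin": b"MZ" + b"\x90" * 20 + PAYLOAD_B + b"\xff" * 4,
}

# Signature kind 1: a hash of the whole file. Exact and cheap, and defeated
# by changing a single byte.
HASH_SIGNATURES = {"Evil.A": hashlib.sha256(SAMPLES["evil.bin"]).hexdigest()}

# Signature kind 2: a byte pattern with '??' wildcards over the variable
# operand. Like the hash, it is data about the malware, not the malware.
PATTERN_SIGNATURES = {"Evil.gen": "55 89 e5 68 ?? ?? ?? ?? e8 00 00 00 00"}


def compile_pattern(hex_pattern):
    """Turn '55 89 ?? e8' into a bytes regex where '??' matches any one byte."""
    pieces = []
    for tok in hex_pattern.split():
        pieces.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so a wildcard also matches 0x0a, which '.' would otherwise skip.
    return re.compile(b"".join(pieces), re.DOTALL)


def scan(data):
    """Return the names of every signature that matches this blob."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    hits += [name for name, h in HASH_SIGNATURES.items() if h == digest]
    hits += [name for name, p in PATTERN_SIGNATURES.items()
             if compile_pattern(p).search(data)]
    return hits


def scan_all(samples=SAMPLES):
    """Scan every sample; the result maps file name to the list of hits."""
    return {name: scan(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:20s} {hits or 'clean'}")
```

The hash signature catches only the exact original; the wildcard pattern also catches the repacked variant. Real engines layer many more kinds (emulation, heuristics, behaviour), but all of them are built on the same premise: the detector holds descriptions of the threat, never the threat itself.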