"We could teach someone else everything from the bare circuitry, up to the human-computer interface and how it all worked and how it all fit together. I would contend that there's no person alive who can do that anymore because the systems have gotten so complex." You said it man. We're boned.

General public: No one understands how AI systems work! People who work in cybersecurity: I got bad news for you about non-AI systems, too.

Brilliant talk by Prof. Spafford. Thank you to Sean, the esteemed Professor and anyone else who helped in making this happen.

You mention that being completely secure is impossible so therefore it can't be the definition, but i feel having an impossible (ideological) target as your definition should be acceptable. Referring to the cyber security of a system isn't a yes or no question - it's a scale of how secure it is, so even though 100% is unobtainable, that doesn't prevent us from having a scale.

Regarding the definition or design of safe state and operations in a program: Over the years there have been a lot of research into formal specifications, mathematical-like proofs of program correctness etc., but it seems that when the program gets "big enough" the main problem becomes how to define the desired behavior because the requirements are more abstract and not easily defined formally. I still fine formal methods and program proofs very useful in smaller, low-level components, because if I can expect them to work as specified I can use my brain power to consider the higher-level complexities.

Crazy logging into youtube and seeing one of my former Purdue professors here... Spaf is a genius, and is the one who started me on my interest in the topic of ethics around AI.

YOOOO!!! i recognize spaf, he gave an ethics lecture at Purdue for cs grad students that i attended like a year ago :> he seemed really nice and it's so cool to see him on this channel!

Complexity as a whole will tend towards infinity. Complexity in information systems, as a whole, is analogous to entropy in thermodynamics. Deploying more information systems lead to greater complexity. The best that we can hope for is to reduce the rate of increase.

This is great! I'd love to see more videos like this that address the fundamentals of cybersecurity/InfoSec. Please bring Mr Spafford back for more! Also consider interviewing the authors of the textbooks he referenced.

Such a succinct explanation of the myriad of issues, thanks for sharing!

We live in an anti-security world. Browsers run executable JavaScript with asking permission, websites frequently rely on said JavaScript, every little object or service has an app, games and apps almost always expect network access, and so on. Security is hard to do technically and inconvenient to practice.

This is such a great video. Thanks for sharing. This should be mandatory viewing for any executive involved in funding cybersecurity within their organization.

Interesting approach to the topic, thank you for the presentation and the book recommendations.

To my opinion what is not covered is what is _cyber_ risk, what constitutes as _cyber_? Imagine a situation: a criminal wants to steal, say, a diamond in a room behind some door with an electronic/computer combination lock. There are, for example the following options: a) just smash the door b) use social engineering to get access to mail of a person and use it to find the number combination c) hack the lock d) brute-force this lock. Which of these would be a breach of a "cyber security"?

Spaf! I'm so happy to see him on your channel!

Excellent video, thanks too you both. 🥰😃

So how far back is first principles? Creating a new processor instruction set, and then inventing a chip that runs it?

Meteor collision event warning, IT staff: "We've been preparing for this all our lives."

Just to check, is the y-axis at 12:00 labelled upside-down? Surely the *less* you spend, the more risk you take? 🤔

That the number of programmers doubles every five years is significant concern. Junior programmers are prone to make security mistakes until they've encountered them personally. Building secure systems comes with experience. And keeping up-to-date on threats is a problem for those of us who have been in the field for decades.

MORE VIDEOS LIKE THIS !

simplicity and correctness. We are finished the exploratory time. We understand the problems well enough, now it is time to create the simplest, most pure and correct solution. I am working on this currently

GREAT VIDEO !

Are any of the books by Bruce Schneier relevant to the field of cyber security?

It should be noted that defining cybersecurity cannot be the same as defining fields of discovery such as math and science. Cyber Security is a human creation that is ever evolving.

After years of accepting identified risks, corporations have a huge accumulated IT security debts that are never revisited until systems are replaced (and not even then). This is a measurable metric and yet does not result in better security.

The defnition of "security" is an issue in US politics, too, where many say, "border security," to describe preventing people from crossing without legal authorization, while others use the term to mean that people who cross the border are not in danger of being harmed while doing so. Similarly, some use, "election security," to describe an election system that prevents ineligible votes from being cast, while others seem to use it to describe a system that prevents those who are not authorized to tally votes from independently validating the election results.

Wrt secure systems, there are nuclear bimb proof data centres. I guess you have to put a limit and come up with some risk/cost analysis.

One would hope that Spectre / Meltdown and its relatives would have woken up the industry. The fact that essentially the same security hole exists in completely different CPUs with completely different architectures from completely different manufacturers *must* be a wake-up call! This could only happen because there has been a complete failure across the entire industry to try and understand the ramifications the ever more complex interactions caused by piling ever more complex optimizations on top of ever more complex features. Security needs to be implemented from day 0 as an overarching goal.

So code scanning tools won't save us.

One of the biggest misconceptions about cyber security is that you can go to school to learn how to do it, then once you graduate your done learning... Cyber security is a forever changing and rapid changing landscape. Pretty much everything you've learned in cyber security school will be useless in 5 to 10 years or less. You MUST forever be learning the new threat landscapes and attack vectors while your working in the industry, not just while your taking classes in school. Pretty much the only attack vector that is guaranteed not to change is social engineering.

Computational irreducibility says good luck specifying all states

Please do a video about sim-swap scam methods

I never understood the trope of documentaries to cut in the interviewer nodding... why do you do that?

This man helped to build the internet

If a piece of software auto-starts itself, its creator is more focused on software and not on security. There is a pandemic of applications that from their point of view thinks that they should just run all the time.

Where is the chained printer paper?

I absolutely hate that the word "cyber-" has become prominent as a prefix for this field. Back when I had my education in computer security, we did not use it. We used "cybernetics" to denote control systems, staying away from how it was misused in sci-fi novels.

So, you're saying that my free version of AVG is not gona save me from covid od aliens with covid? Damn!

Cyber security maps to medicine if the more we knew about medicine, the less old and more sick we got. If anybody thinks this will ever get better, I have got some bridges to sell to you.

Great point about software people use all the time. If Microsoft software suddenly destroys all your data, too bad. LLC, maximum $5 liability..

I disagree with the professor's use of "sunk cost" over and over. Not wanting to move to a different system even if it is more secure is not necessarily a problem of a "sunk cost", it can be perfectly rational. As the professor noted earlier when talking about unclear definitions of security, security can be an economics issue. Imagine you're a company that already has a system built on an insecure platform that you're already making money from, and you're evaluating if you should switch to a different system for better security: Why move to a new, unproven system that is supposedly secure, but will require brand new and expensive development to adopt, when a company already has access to a "good enough" system with an established ecosystem and experienced developers for free? Even though it has issues that will need extra development to fix up / patch up, those are fixes / patches that can be applied to a system now, allowing the company to continue to have a revenue source from customers instead of going dark to spend years of development to switch to the new thing while their competitors steal all of its customers.

I hope that one day computer science students realise that computer science won't give them a good job but Cybersecurity and IT does.

Something, something, $5 wrench.

It's all about the data. It's confidentiality, integrity and availability of data that defines the field. The wires and tin deliver some of the controls. That's security 101 but didn't even get a mention.

yes

🗿

first

The greensreen is not doing this gentleman any favors

Sixth

hi mom

First

Using psychology as a field that is rigorous and has standards without myths and misconceptions is very funny, probably the worst example of a field that does not have those.

As a programmer, this has a lot of overlap with something that I can only describe as the "dependency and versioning" umbrella problem. It's feels absurd when realize how much of our modern world is held together by legacy of chewing gum and string. With the countless permutations present in our systems and environments, it's a miracle things work as well as they do. I wonder if the problems it causes will ever grow to out-weigh the sunk cost enough.

First

first