Do Not Trust Experts – from Brexit to Internet
I was recently reminded of “Breathe-o-Smart” from The Hitchhiker’s Guide to the Galaxy, whose breakdown led to the “Great Ventilation and Telephone Riots”.
The marketing line of Breathe-o-Smart Inc was:
One of the smartest features of the Breathe-o-Smart is that it cannot possibly go wrong. So. No worries on that score. Enjoy your breathing now, and have a nice day.
When the company installed Breathe-o-Smart in a building, it blocked the windows so they couldn’t be opened, because … nothing can possibly go wrong. So far so good. The first sign of something not quite right was when Breathe-o-Smart Inc put out a statement:
“… best results were achieved by using our systems in temperate climates …”
Becoming … realistic
The reason I remembered this was that I realized how much we tend to trust “the experts” without any particular reason, except that their title contains “expert”. While it’s quite right to say that education is the way to improve society, it’s not quite the same as claiming that all people with a university degree are equally smart … experts. I believe there are two types of experts.
- real deal – people who come up with new ideas, scientific theories and methods. These people help put the new ideas into practice. They understand the problem and know the limitations of the new methods.
- followers – people who forgot or don’t care about the limitations and just use the new methods. They are experts, but only in using the methods. They will have spreadsheets, mathematical models, and detailed procedures for how to use the methods.
The problem is that after a couple of years, the only experts left are from the second category and followers become the masters. It’s not necessarily a bad thing – we need those people. What I see as an issue is similar to the Breathe-o-Smart marketing message and I would word it as:
They believe they know not because they understand but because they think they can extend the past into the future.
It’s like saying “This volcano hasn’t erupted for 150 years so we know it will not erupt for another 150 years, or ever, and here is the prediction based on a model that worked perfectly for the last 10 years.”
I don’t envy public opinion pollsters these days but on the other hand, I do think they are not quite straight about their abilities. Here’s one reason for that.
Almost every day in the run-up to the UK Brexit referendum, we got a new public opinion poll. When you looked beyond the two main numbers (for / against), the sample they used for each such poll was usually between 1,500 and 3,000 people. They claimed they could extrapolate that to the whole of the UK.
Fair enough, they must have very good models of society. But do they really? If they really trusted them, how could the same people stubbornly stick with their pre-referendum estimates after they got data about real results from 2,000,000 people – not ten times or a hundred times, but a thousand times more people? There is no “expert” excuse, in my opinion.
World of Security
Computer security is no different from any other part of our life. Actually, there is one difference: the nature of computers makes everything happen much quicker. Disasters as well as recoveries.
One Friday evening, I wanted to order a take-away and I couldn’t. All hundred or so restaurants in Cambridge (UK) “closed” because someone attacked a company in California. On the bright side, they all re-opened the next day.
There are two scary things about this:
- there are people out there (and not only government agencies) who can shut and open any part of the internet at will, whenever they want; and
- there are people out there saying it can’t happen because it hasn’t happened (properly) yet.
I’m not sure who I’m more afraid of.
There is another dark side of recent security incidents – the most visible ones are “simple” denial of service attacks. These are high-impact events, blunt, with short-term effects except one. People think that protecting themselves is out of their hands, they are powerless, and someone else will always help them.
I would urge you to think about the impact a targeted attack can have on your business. What is important for your business, and what can you operate without for a couple of days, a week, or a month? When I say you can be a target, it is not because you are important, but because you just happen to use a particular technology (software or even hardware devices).
I guess what I’m trying to say is …
The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.
— Douglas Adams, Mostly Harmless