Re: employment market for applied cryptographers?

2002-08-18 Thread Adam Shostack

On Sun, Aug 18, 2002 at 01:46:09AM -0400, dmolnar wrote:
| 
| 
| On Sat, 17 Aug 2002, John Kelsey wrote:
| 
|  Also, designing new crypto protocols, or analyzing old ones used in odd
|  ways, is mostly useful for companies that are offering some new service on
|  the net, or doing some wildly new thing.  Many of the obvious new things
| 
| I agree with this as far as crypto protocols go. But one thing to keep
| in mind is that almost all protocols impact security, whether their
| designers realize it or not. Especially protocols for file transfer, print
| spooling, or reservation of resources. Most of these are designed without
| people identifying them as crypto protocols.
| 
| Another thing that makes it worse -- composition of protocols. You can do
| an authentication protocol and prove you're you. Then what? Does that
| confer security properties upon following protocols, and if so what?

Why does the CEO care?  Is it economic to answer these questions?  Do these
questions terminate or go on forever?  

Do good security experts ever say it's secure?  Or do we keep finding
new and better holes that require more engineering work to fix?

As Eric used to say, all security is economics.

Adam


-- 
It is seldom that liberty of any kind is lost all at once.
   -Hume





Re: employment market for applied cryptographers?

2002-08-17 Thread John Kelsey

At 12:57 PM 8/16/02 -0400, Perry E. Metzger wrote:

> ...
> I've seen very high rates of unemployment among people of all walks of
> life in New York of late -- I know a lot of lawyers, systems
> administrators, secretaries, advertising types, etc. who are out of
> work or have been underemployed for a year or longer. I'm not sure
> that it is just cryptographers.

This is my experience, too.  A huge number of the people I know around here
(RTP area, mid-North Carolina) are out of work, or are worried that they
soon will be.  This set of people includes only one cryptographer (and he's
got a job).  

> Always keep in mind when you hear the latest economic statistics that
> measuring the size of the US economy, or the number of unemployed
> people, is partially voodoo. 

Also that regions and industries can vary enormously in how their economy
is going.  Areas where a lot of jobs are in the computer or travel
industries, for example, are going to have a lot of unemployment, as this
area does.  And also, it's important to note that most of us in this field
might move to a different field (e.g., more general software development,
teaching, etc.) rather than live without paychecks for a long time.  Or
might decide that now is the time to go back to school.  Unemployment stats
measure (if I'm remembering it right) only people who are not working, but
are actively looking for work.  (I don't know what definition is used to
decide if you're really looking or not.)  

I feel very fortunate to still have a job, given all that's going on in
this industry.

> Perry

--John Kelsey, [EMAIL PROTECTED] // [EMAIL PROTECTED] 




Re: employment market for applied cryptographers?

2002-08-17 Thread John Kelsey

At 04:21 AM 8/16/02 -0400, dmolnar wrote:
> ...
> Don't forget schedule pressure, the overhead of bringing in a contractor
> to do crypto protocol design, and the not-invented-here syndrome. I think
> all of these contribute to keeping protocol design in-house, regardless of
> the technical skill of the parties involved. 

Also, designing new crypto protocols, or analyzing old ones used in odd
ways, is mostly useful for companies that are offering some new service on
the net, or doing some wildly new thing.  Many of the obvious new things
have been done, for better or worse, and few companies are able to get
funding for whatever cool new ideas they may have for the net, good or bad.
And without funding, people are a lot more likely to either decide to do
the security themselves, apply openSSL and a lot of duct tape and hope for
the best, or just ignore security.  Sure, it may cost a lot later, but
they're going broke *now*.

> -David

--John Kelsey, [EMAIL PROTECTED] // [EMAIL PROTECTED]




Re: employment market for applied cryptographers?

2002-08-16 Thread dmolnar



On Fri, 16 Aug 2002, Adam Back wrote:

> failure to realise this issue or perhaps just not caring, or lack of
> financial incentives to care on the part of software developers.
> Microsoft is really good at this one.  The number of times they
> re-used RC4 keys in different protocols is amazing!

Don't forget schedule pressure, the overhead of bringing in a contractor
to do crypto protocol design, and the not-invented-here syndrome. I think
all of these contribute to keeping protocol design in-house, regardless of
the technical skill of the parties involved. It takes a serious investment
in time to qualify a consultant. If having the protocol right isn't a top
priority, that investment won't be made...and I'd guess that designing a
new protocol isn't common enough to merit a separate job/new hire in most
organizations.

-David




Re: employment market for applied cryptographers?

2002-08-16 Thread Adam Shostack

Hey, this is off-topic for DRM-punks! ;)

more seriously: I think the fundamental issue is that crypto doesn't
really solve many business problems, and it may solve fewer security
problems. See Bellovin's work on how many vulnerabilities would be
blocked by strong crypto.  The buying public can't distinguish between
well implemented and poorly implemented crypto; the snake oil faq has
helped a lot, but now you need to distinguish between well and poorly
coded AES.  Is there a business case for doing so, or should you just
ship crap?

AdamS

On Fri, Aug 16, 2002 at 02:23:05AM +0100, Adam Back wrote:
| On the employment situation... it seems that a lot of applied
| cryptographers are currently unemployed (Tim Dierks, Joseph, a few
| ex-colleagues, and friends who asked if I had any leads, the spate of
| recent security consultant .sigs, plus I heard that a straw poll of
| attenders at the codecon conference earlier this year showed close to
| 50% out of work).
| 
| Are there any more definitive security industry stats?  Are applied
| crypto people suffering higher rates of unemployment than general
| application programmers?  (From my statistically too small sample of
| acquaintances it might appear so.)
| 
| If this is so, why is it?
| 
| - you might think the physical security push following the world
| political instability worries following Sep 11th would be accompanied
| by a corresponding information security push -- jittery companies
| improving their disaster recovery and to a lesser extent info sec
| plans.
| 
| - governments are still harping on the info-war hype, national
| information infrastructure protection, and the US Information Security
| Czar Clarke making grandiose pronouncements about how industry ought
| to do various things (that the USG spent the last 10 years doing its
| best to frustrate industry from doing with its dumb export laws)
| 
| - even Microsoft has decided to make a play of cleaning up its
| security act (you'd wonder if this was in fact a cover for Palladium
| which I think is likely a big play for them in terms of future control
| points and (anti-)competitive strategy -- as well as obviously a play
| for the home entertainment system space with DRM)
| 
| However these reasons are perhaps more than cancelled by:
| 
| - dot-com bubble (though I saw some news reports earlier that though
| there is lots of churn in programmers in general, that long term
| unemployment rates were not that elevated in general)
| 
| - perhaps security infrastructure and software upgrades are the first
| things to be canned when cash runs short?  
| 
| - software security related contract employees laid off ahead of
| full-timers?  Certainly contracting seems to be flat in general, and
| especially in crypto software contracts look few and far between.  At
| least in the UK some security people are employed in that way (not
| familiar with north america).
| 
| - PKI seems to have fizzled compared to earlier exaggerated
| expectations, presumably lots of applied crypto jobs went at PKI
| companies downsizing.  (If you ask me over use of ASN.1 and adoption
| of broken over complex and ill-defined ITU standards X.500, X.509
| delayed deployment schedules by order of magnitude over what was
| strictly necessary and contributed to interoperability problems and I
| think significantly to the flop of PKI -- if it's that hard because of
| the broken tech, people will just do something else.)
| 
| - custom crypto and security related software development is perhaps
| weighted towards dot-coms that just crashed.
| 
| - big one probably: lack of measurability of security -- developers
| with no to limited crypto know-how are probably doing (and bodging)
| most of the crypto development that gets done in general, certainly
| contributing to the crappy state of crypto in software.  So probably
| failure to realise this issue or perhaps just not caring, or lack of
| financial incentives to care on the part of software developers.
| Microsoft is really good at this one.  The number of times they
| re-used RC4 keys in different protocols is amazing!
| 
| 
| Other explanations?  Statistics?  Sample-of-one stories?
| 
| Adam
| --
| yes, still employed in software security industry; and in addition have
| been doing crypto consulting since 97 (http://www.cypherspace.net/) if
| you have any interesting applied crypto projects; reference
| commissions paid.

-- 
It is seldom that liberty of any kind is lost all at once.
   -Hume
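The "re-used RC4 keys in different protocols" point in Adam Back's quoted message above (and the file-transfer and print-spooling protocols dmolnar mentions elsewhere in the thread) rests on one property of every stream cipher: the same key gives the same keystream, so two protocols sharing a key XOR their messages against identical bytes. The Go program below is an added example, not code from anyone in this thread. The master key, protocol labels and messages are constructed for the demo, RC4 is used only because it is the cipher the thread names, and the HMAC-SHA256 label derivation is a simplified stand-in for a proper KDF such as HKDF. `KeystreamReused` is a design check that takes the plaintexts as input: it returns true exactly when the two protocols' traffic shares a keystream, which a sound key-separation scheme must prevent.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rc4"
	"crypto/sha256"
	"fmt"
)

// rc4Encrypt applies RC4 with a fresh cipher state under key. RC4 appears
// here only because it is the cipher the thread names; it is broken and
// must not be deployed for anything new.
func rc4Encrypt(key, plaintext []byte) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		panic(err) // key length outside 1..256 bytes
	}
	out := make([]byte, len(plaintext))
	c.XORKeyStream(out, plaintext)
	return out
}

// xorBytes returns a XOR b over their common prefix.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamReused is a design check, not an attack: given two ciphertexts
// and the plaintexts that produced them, it reports whether both were
// encrypted under the same keystream. For any stream cipher that is exactly
// the case in which c1 XOR c2 == p1 XOR p2, i.e. each message's
// confidentiality now depends on the other message staying secret.
// A sound design must make this return false.
func KeystreamReused(c1, p1, c2, p2 []byte) bool {
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}

// ProtocolKey derives a separate key for each protocol from one master key
// as HMAC-SHA256(master, label). This label-based derivation is a
// simplification assumed by this example; in production use HKDF.
func ProtocolKey(master []byte, label string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(label))
	return m.Sum(nil) // 32 bytes, a valid RC4 key length
}

func main() {
	// Constructed demo values: one master key and two messages from two
	// different protocols that happen to share it.
	master := []byte("constructed-master-key-for-demo")
	pFile := []byte("file transfer: GET /payroll.csv")
	pPrint := []byte("print spool: job 42 for alice")

	// Broken: the same key drives both protocols.
	c1 := rc4Encrypt(master, pFile)
	c2 := rc4Encrypt(master, pPrint)
	fmt.Println("same key in both protocols, keystream reused:",
		KeystreamReused(c1, pFile, c2, pPrint)) // true

	// Fixed: each protocol gets its own derived key.
	d1 := rc4Encrypt(ProtocolKey(master, "file-transfer"), pFile)
	d2 := rc4Encrypt(ProtocolKey(master, "print-spool"), pPrint)
	fmt.Println("per-protocol derived keys, keystream reused:",
		KeystreamReused(d1, pFile, d2, pPrint)) // false
}
```

The derived-key variant fixes only the key-sharing defect; it does not rescue RC4 itself, and a modern design would use an AEAD with a per-message nonce in place of a raw stream cipher.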





Re: employment market for applied cryptographers?

2002-08-16 Thread Perry E. Metzger


Adam Back [EMAIL PROTECTED] writes:
> Are there any more definitive security industry stats?  Are applied
> crypto people suffering higher rates of unemployment than general
> application programmers?  (From my statistically too small sample of
> acquaintances it might appear so.)

Hard to say.

I've seen very high rates of unemployment among people of all walks of
life in New York of late -- I know a lot of lawyers, systems
administrators, secretaries, advertising types, etc. who are out of
work or have been underemployed for a year or longer. I'm not sure
that it is just cryptographers.

Always keep in mind when you hear the latest economic statistics that
measuring the size of the US economy, or the number of unemployed
people, is partially voodoo. When was the last time you saw any
estimate of the margin of error on the supposedly scientific
measurement of quarterly economic growth? How many illegal immigrants
are being polled in the employment stats? How much of the revenue of
underground businesses gets counted in the GDP figures?

(I myself am unemployed at the moment, but voluntarily so I suppose I
wouldn't count in the statistics -- starting a company during a
recession turns out to be a great way to burn yourself out, so I
decided to take some time off of working. Haven't given much thought
to what I'll do to find a job when I decide I want one again...)


Perry



RE: employment market for applied cryptographers?

2002-08-16 Thread despot

Having devoted security personnel is a low priority at most companies.
General engineers will be tasked with figuring out how to incorporate
security and cryptography into products. I have visited many a company
where I am talking to a room full of very sharp engineers, but there is
a fundamental lack of understanding of cryptographic primitives and
their applications (let alone high-level protocols using those
primitives).

At large companies, having a few strong security engineers that can
provide support to the various engineering areas should be a norm (if
anything, from a liability perspective). At small companies, having
security engineers who are also capable of general engineering is a good
balance. It seems lately that neither is occurring, but this will
probably correct itself as security becomes a
military/gov't-demanded-(bank-demanded-)corporate-demanded-consumer-demanded
feature.

Of note, in my (Washington DC Metro) area there has been plenty of
demand for cryptographic/information assurance/security engineers.

-Andrew

PS One (vague) example of the blunders that occur...

A friend of mine worked for a company and wanted me to meet a few of
their engineers. We started talking about cryptography and the engineers
told me a story. It seemed that this company had wanted to add
encryption to their communications products and some engineers were
tasked with building this feature. These engineers did some digging and
they discovered asymmetric and symmetric cryptography. Since asymmetric
cryptography seemed better, they decided to use it (RSA algorithm) to
encrypt/decrypt the traffic. (Bad idea.) 

(of note, this was eventually changed to using a public key-based key
exchange of symmetric keys. These symmetric keys were then used by a
symmetric algorithm to encrypt/decrypt the traffic. I do not know the
details of the protocol used or if it was standards-based.)

Using this example, bringing on a (probably contract) cryptographic
security engineer would have saved a great deal of time and effort.





