keys. He describes the keys, and says if the two men find them they will receive a reward. They begin to help search. Other people come by and they too are drawn into the search. Soon, there is a crowd combing the lot, with an air of competition to see who will be the first to find the keys. Periodically someone informs the crowd of the discovery of a coin or a particularly interesting piece of rock.

After a while, one in the crowd stands up and inquires of the fellow who lost his keys, “Say, are you sure you lost your keys out here in the lot?” To which the man replies, “No. I lost them in the alley.” Everyone stops to stare at the man. “Well, why the heck are you searching for them here in the parking lot!?” someone exclaimed. To which the man replied, “Well, the light is so much better here. And besides, now I have such good company!”

iLLustration by Jon han

There are many lessons that can be inferred from this story, but the one I stress with my students is that if they don’t properly define the problem, ask the right questions, and search in the proper places, they may have good company and funding, but they

shouldn’t expect to find what they are really seeking.^a

So it is in research—especially in cyber security and privacy. We have people seeking answers to the wrong questions, often because that is where “the light is better” and there seems to be a bigger crowd around them. Until we start asking questions that better address the problems that really need to be solved, we shouldn’t expect to see progress. Here are a few examples of misleading questions:

• How do I secure my commodity operating system against all threats?

• How do I protect my system with an intrusion-detection system, data loss and prevention tools, firewalls, and other techniques?

• How do I find coding flaws in the system I am using so I can patch them?

• How do we build multilevel secure systems?

Each of these questions implies it can be answered in a positive, mean-

a Another story that resonates with my students is http://spaf.cerias.purdue.edu/Archive/race- horse.html.

ingful manner. That is not necessarily the case.

We have generally failed to understand that when we build and deploy systems they are used in a variety of environments, facing different threats. There is no perfect security in any real system—hardware fails, people make mistakes, and attacks outside our expectations may defeat our protection mechanisms. If an attacker is sufficiently motivated and has enough resources (including time), every system can be defeated in some manner.^b If the attacker doesn’t care if the defeat is noticed, it may reduce the work factor involved; as an obvious example, an assured denial-of-service attack can be accomplished with enough nuclear weapons. The goal in the practice of security is to construct sufficient defenses against the likely threats in such a

b There are many books on this topic, and the basic premise is at the heart of nearly every big heist movie, including Ocean’s 11, The Italian Job, and The Thomas Crown Affair. For some interesting, real-life examples outside computing, I recommend the book Spycraft by Robert Wallace and H. Keith Melton.