Lispian Random meanderings on whatever catches my fancy

Ph.D.s, Focus, and the Loss of the Infinite

I’ve been trying for a long while to put into words why I became disenchanted with the Ph.D. process, and why that was one reason — though not the overriding reason — why I terminated my pursuit of a doctorate. But today, sitting back and reading a bit of Thomas Aquinas I came to a sudden epiphany. The reason is straightforward, and ironically was told to me by a dearly departed friend years ago. The problem, is that Ph.D.s are too narrowly focused. Or, as Jim Anderson so eloquently put it way back when, “Some of the stupidest people I know have Ph.D.s.” He bemoaned their inability to grasp the larger picture, instead focusing on minutiae, some small problem ignoring all else. Sometimes ignoring reality itself and coming up with a “solution” that worked only within some fantastical model that had little relation to how the real world functioned.

Now Jim, like myself, was an old grey beard of security. In fact, I would argue that Jim was responsible for what today is called “information security”. The very foundations of computer security were formulated and documented by Jim way back in 1972. I was fortunate enough to work with Jim on-and-off from 1987 through 1994. His passing a couple years back was truly sad.

And Jim, being more of a big picture kind of guy, never earned his Ph.D. He published the seminal work of computer security: Computer Security Planning Guide in 1972. Although I find the word “seminal” overused today, I believe anyone in computer security would easily assert it was a seminal paper. In fact, its very ideas still form the foundations of IT security. Although some may smile at the though of the Reference Monitor, it is still at the core of security technologies today. And I can state that in a distributed environment it’s purpose is only reinforced, especially when viewed from the modern interpretation of PDPs and PEPs.

Thus, Jim was a big thinker. He looked at the larger picture. It’s something I deeply admired in Jim and it was something that drove — and drives — my IT security research. Why focus on some small piece when the problem is much larger. When the problems can’t be resolved via a given technology — say, cryptography — but must be addressed by an attempt to combine social and engineering solutions. So long as people remain within the IT mixture the problems will continue to have deep social fractures that need to be understood, modeled, and properly addressed.

But many Ph.D. programs today demand you focus on a single problem. That was a problem for Jim. It’s a problem for me. And I would argue that Jim’s 1972 treatise is easily the most influential computer security document, ranking up there with Claude Shannon’s A Mathematical Theory of Computation in terms of overall impact and influence on where IT security has gone.

Of course, another problem is the fairly recent attempt to create a mathematics of IT Security. You see this pseudo-math in a lot of papers on IT Security. It’s all rather laughable. It’s attempting to formally define something that is totally non-deterministic. Computer/IT Security is a flow-control problem. And unlikeĀ  flow-control that has mathematical models and is thus computational, security is non-deterministic because the main cause of the flow are humans. And humans are, well, non-deterministic. They simply will not do what you want and will, in fact, do exactly what you don’t want them to do. They’ll stress systems, find ways around “security solutions” that aggravate them, and generally act in irrational ways — which seem perfectly rational to the end-user ;-).

Jim understood that. Too many today don’t. And thus you see this pursuit of perfection. This attempt to quantify everything. To focus on a small piece of the problem as if that will somehow result in a solution. And to preclude anyone from looking at the larger picture.

It’s not as if I don’t comprehend the need and desire to focus on particularly vexing problems. I’m good with that. But why are we totally ignoring those amongst us who would better solve the larger problem?

I think I know. It’s an issue of “research”. Many academics today believe that research is divided into well defined silos: pure research, applicative research, etc. To that I say “bah!”. Research is research. It will all, ultimately, be applicable. G.H. Hardy famously stated that he focused on “pure mathematics” because it meant that “[He has] never done anything ‘useful’. No discovery … made, orĀ  likely to [be made], directly or indirectly, for good or ill, [will make] the least difference to the amenity of the world.” He was quite wrong. His work is applicable to a wide variety of studies ranging from physics to computer science.

Hence, if you want to focus on something a bit more loosely defined, that’s less formal, it is still good research. If you want to focus on problems at hand, they’re also good things to study. Especially in computer security where just about every problem is open and will remain open so long as we have to deal with end-users, especially today when they’re highly integrated into the fibre of the networks and are very very interconnected.

So when I think about what I like doing I realize I lack focus, enjoy dealing with ongoing open research areas, bemoan the application of “formality” to something that is actually a fuzzy social problem, and that requires a deep philosophical viewpoint, one that looks out to the infinite in a realistic way. And that’s anathema to the Ph.D. process, or at least the one I’ve dealt with.

So what is it that I want to focus on? The social aspects of information flow within large networks and how that information flow can be reasonably well secured to ensure things like privacy and accountability. And this is of paramount importance as more and more people move their once private affairs to the internet. As they dump pictures, documents, journals, etc. online for everyone to peruse. As they work and attempt to separate what is “personal” from that which is actually “work related”. It’s all blurred and that blurriness inevitably allows malcontents and miscreants to wedge malicious software and social engineering into the gaps causing/wreaking havoc.

Besides, those big picture problems are cool. I simply cannot comprehend why anyone would want to study some small piece of minutiae. To examine some aspect of, say, cryptography for 4 years and then write a treatise on it. I simply couldn’t care less. It’s just “details”. Perhaps this is a result of my entrepreneurial streak. My attitude is you just hire people to deal with details, or things you don’t like doing.

One example might help. During my aborted Ph.D. studies I had to study combinatorics. I frankly couldn’t care less for combinatorics. When asked how to solve a problem I said “I don’t care.” I remember being asked how I’d deal with that problem were I facing it as a professor, say. I said “I’d look it up in a book or find someone who cared.” Not the right answer, it seemed. Supposedly, I should have had a deep caring for combinatorics — and a bunch of other esoteric gibberish I could have just looked up in a book. To me it was all akin to them asking me to memorize and then regurgitate the phone book. The point would be, what?

In the end it seems that parts of the academic establishment are truly what Jim bemoaned, focused on minutiae, disinterested in the big picture, unwilling to reward those who truly can think as opposed to those that can regurgitate useless statistics, meaningless formulae, etc. Ultimately, their loss.

And I’m not alone. I’ve found out from many friends and colleagues that there are a lot of people who’ve abandoned their Ph.D.s for the same reason. More the pity.

I will therefore take Mark Twain’s famous advice and never let my schooling interfere with my education.

Comments are closed.

July 2009
« Jun   Aug »