The 04-2010 issue of the Delta featured an article by Thomas Homer-Dixon ‘De Nieuwste Wetenschap’ (‘The Newest Science’ [1]). While I found the article well written and thought-provoking, I disagree with its conclusions and would like to present an alternative view.
In his article Homer-Dixon examines the master science of our times, i.e. the ‘dominant scientific discipline of a historical epoch’ that has likely ‘produced the most spectacular discoveries and technologies’. He argues that while chemistry was the master science of the 18th and 19th and physics that of the 20th century, ecology will be the master science of the 21st. This prediction is based on his observation that the mechanical world view, originally based in Newtonian physics and extended to the social and economic sciences in the second half of the 20th century, is increasingly inadequate to describe an ever more complex world. Systems like fish populations or the financial economy (to use his examples) show properties that make them difficult to describe with simple causal models of a few variables. Homer-Dixon concludes that we need a new scientific paradigm, based on ideas rooted in ecology and complex adaptive systems theory. These new approaches, according to him, are more ‘messy’, exhibit ‘causal openness’, accept ‘unknown unknowns’, and might not even ‘truly qualify as a theory, in a strictly scientific sense’.
What Homer-Dixon fails to see, in my opinion, is that some of the very properties of complex systems that according to him make them unfit for a physics-like description were in fact first discovered and understood in the physical sciences: non-linear behavior, feedback control, and bi-stability, are all well-known to physicists (and engineers alike) and areas of active research. The theory of complex adaptive systems – that Homer-Dixon favors – was developed in no small part by the physicist/computer scientist John Holland and physics Nobel laureate Murray Gell-Mann. Gell-Mann proposed the quark model of subatomic matter and wrote an accessible account of his quest to understand both the simple (particles and symmetries in high energy physics) and the complex (evolution, language, thinking) [2]. Another theoretical physicist and Nobel laureate, Robert Laughlin, is one of the leading advocates of emergence as a key scientific principle [3].
However, my point is not that we (or physics, for that matter) already have all the answers. My point is that we should not stop trying to pursue them! The fact that simple explanations have failed us in some areas means, in my mind, that we need better models, not that we should give up modeling. It is like in the famous Einstein quote: Make everything as simple as possible, but not simpler.
On a side note, I would pose that the current financial crisis (and quite possibly the depletion of cod fisheries in North America) can teach us more about human greed and misaligned incentives than about failures in modeling. I agree with Homer-Dixon that we should make our systems more resistant, build in resilience. But to this very end it is crucial to make quantitative models in order to identify which variables make a system most vulnerable.
Physics achieved its dominance by developing accurate and predictive theories that, importantly, enabled powerful technologies. At the heart of it is the ‘physical method’ of mathematical modeling and comparison to quantitative empirical observation and experiment. I do believe that biology (not just ecology) has the potential to become the master science of the 21st century, but only by embracing the physical method. This method, when applied ethically, has served us well in the past and will continue to do so in the future.
Jan Lipfert studied physics and economics in Heidelberg (Germany), Uppsala (Sweden), and Illinois (USA). During his PhD in physics at Stanford University he specialized in theoretical and experimental biophysics. Currently, he is a post doc and Veni fellow in the new department of bionanoscience at the TU Delft.
- Thomas Homer-Dixon ‘The Newest Science’ (2009)
(www.homerdixon.com/download/the_newest_science.pdf) - Murray Gell-Mann The Quark and the Jaguar: ‘Adventures in the Simple and the Complex’ (1995)
- Robert B. Laughlin ‘A Different Universe: Reinventing Physics from the Bottom Down’ (2005)
To win any war you must know your enemy, yet it seems we know very little about these cybercriminal organizations.
“I don’t personally see it as a war. The criminal gangs that now control most hacking will be replaced by others. We know our e nemy and know it will be someone else tomorrow. Information security isn’t warfare, but rather simply using commonsense to protect what is of value to you.”
But enemy agents do launch relentless attacks on our money.
“Indeed, it’s a form of economic warfare. Internet started on a basis of mutual interest and openness. Internet is now evolving into a collection of mutual trusting private networks. The openness will disappear.”
What’s the profile of a guy working for a cybercrime ring? Is it just some computer geek sitting around in his underwear at home firing off zillions of spam mails and hacking around? “Sure, there are lots of geeks in underwear involved. Hacking is still high tech, so you need lots of nerds pulling all-nighters to get the job done.”
So they’re not highly educated, super computer geniuses, as Hollywood likes to portray them?“No, fortunately, the highly educated people work on our side, finding vulnerabilities in information systems and smart cards and helping to fix them. But of course, just as in other branches of crime, there are really clever people involved. Cybercrime has quickly evolved from idealism to profiteering.”
Are legitimate companies involved in cybercrime?“Not here in Western Europe. But in Eastern Europe and Asia there are probably legitimate business involved for laundering money.”
So cybercrime is a very profitable, mafia-controlled business? “Yes, it’s organized crime and very profitable if you steal enough credit card numbers. A botnet is worth money, and a piece of malicious software is worth money. People in this ‘business’ specialize.”
Assuming you caught someone, are there laws in place for prosecuting these criminals internationally? “Internationally it’s a problem. The EU, USA, Australia and others have pretty good cybercrime laws, but many other countries do not. There have been convictions for setting up and controlling botnets, however.
It seems that institutions, like TU Delft, are so passive, just erecting defensive walls, reacting to attacks, rather than proactively fighting the ‘evil doers’? Would you agree? “It’s a bit of both. As a single institution, you can’t do very much, but we contribute, through SURFnet and other ways. On the national level, several organizations are trying to make a difference: OPTA is the number one spam fighter, while NICC -the National Infrastructure to Combat CyberCrime – tries to organize various sectors, like banking. This results in efficient reactive powers, but also in pressure, internationally, for cooperation.”
If offense is the best form of defense, why doesn’t TU Delft go on the attack to better protect itself? “There is some research going on in these fields, but the bottom-line is that the technology for making this a better world is already there, but we just don’t use it, because it’s very expensive and useless unless everyone else is also using it. Discipline and hygiene are other reasons why we’re not doing better. There are just a few simple security things to remember, but we always forget. The most important is: Don’t take cookies from strangers!”
But surely if these cybercriminals are no match for TU Delft’s brightest IT minds, why not lob some dirty, computer-crashing bombs back at them?
“I wouldn’t want to do that. We’re bright, but not that bright. Such action would immediately backfire. First, you don’t always know who to throw a bomb at, so the collateral damage would be enormous. Second, we’re a legitimate business and therefore restricted by law. Thirdly, we’d draw fire from every hacker worldwide. A good defense is to keep a low profile, at least lower than your neighbors. When ABN-AMRO bank was in the news recently with their merger with Fortis bank, they immediately drew several new phishing attacks; they were under heavy fire because at the time they were very high profile.”
If not offensively, then how will Internet security defense evolve?“We’ll probably see a separation in Internet networking, with a trusted part, with trusted e-mail, and an untrusted, or not yet trusted, part.
When attacked, does the TU actively investigate to try to find out who is behind the attack? “For the more serious attacks, we start an investigation to discover the source, the way we were attacked, and who did it. Depending on the information found, we’ll then go through security incident channels, through SURFnet-CERT, or to the police. But these are very time-consuming investigations with limited results.”
Experts thought the Conficker worm would start a new, devastating phase on April 1 – April Fools Day. Was that an especially tense day for you?“April 1 was pretty much like all other days, although we did keep an eye open for jokers among us. The Conficker case did make me monitor news sources an extra time. Fortunately, not much happened.”
What makes Conficker so infamous and potentially destructive?“Conficker is a computer virus in the form of a backdoor; it can control the infected PC, and collects PCs into a botnet. The botnet controller then can update ‘his’ machines – which was scheduled to happen on April 1 – and he has command and control capabilities and can therefore have these machines perform tasks at will. Conficker uses a vulnerability in Microsoft that has been known for some time. A fix was created for this security hole, the bug, that Conficker uses, and this fix was applied on TU Delft computers last year, so we’re pretty confident we won’t have too much trouble on our TU Delft PCs.”
But student PCs in student houses and laptops remain vulnerable to Conficker attack?“Yes, student house PCs and laptops also use the TU’s ICT network, but they’re not managed by TU Delft. We’ve seen an increasing number of student systems infected with botnet stuff, like Conficker and others. These systems are primarily infected because they’re ill maintained, they’re behind with software patches and don’t run up-to-date virus scanners. And there is absolutely no reason for this, since TU Delft provides all such software and updates free of charge. If infected with a botnet, a computer is isolated and must be completely reconfigured. I you haven’t backed up your files, bad luck for you.”
As an information security expert, do you have access to classified Internet security information? “The information security community has an extensive ‘network’ for sharing information – some is public, some not. The April 1st Conficker alert didn’t come as a surprise. Conficker has been extensively researched, although they haven’t found the owner, the author, yet, and hackers have stopped signing their work.”
Which isn’t surprising, since Microsoft is offering a $250,000 reward for the Conficker creator’s head.“Indeed, Microsoft’s reward is proof that the legitimate world is joining forces to address these threats. By explicitly stating it is illegal, criminal, they’re sending a message to all those who are somehow related to organised cybercrime to step back; it’s a message that big organisations and governments are taking cybercrime seriously and working together to mitigate it.”
Comments are closed.