Me and my text editor of choice
Hello. My name is Justin Wong, and I am a studying Computer Engineering. I’ve had interests in both hardware and software, so I believe that this was a middle ground between Electromechanical Engineering and Computer Science. Though I don’t have any particular career in mind, I do know that Probability and Statistics Is related to both general engineering practices and computer security.
A particular burden of engineers is Murphy’s Law, that is “whatever that can go wrong, will go wrong”. While it may be pessimistic to assume 100% probability of failure, it’s a rule we are forced upon us when a person’s safety is at risk. Considering the recent news concerning certain Samsung phones, the recall for the affected devices is only natural acceptance of Murphy’s Law given that no one wants an incendiary device on their body. Every element of consumer device must be built with safety in mind, from the power source to the cryptographic practices.
While Murphy’s Law is rather tough when it assigns a 100% probability of failure, engineers can only at best mitigate harm to acceptable levels. When machines are often replaceable, we design them take the blows in our place. Consider an every day power supply for a laptop or phone charger. Within one of these devices is likely to be a fuse, a kind of weak point for controlled failure. Should there be any hazards like a faulty cable, fuses are designed to render the device inoperable and prevent further harm such as electrical fires.
When it comes to software, one field of interest that heavily relates to Probability and Statistics is Computer Security. I’d like to discuss to a particular situation we all have experienced: password security. We all should know by now that that passwords strength is all about combinations and permutations, but consider this problem for the server. How does a service keep your password private, but at the same time know when to let you in?
Given Murphy’s Law in the context of password security, we assume that evil doers already have full access to your database. Assume that there is a spy masquerading as an employee. Therefore, saving everyone’s password in plain text is a terrible idea! Encrypting passwords analogous to locking them with a key, which can be stolen. Given that our spy can steal the keys and read any password, he can read every password!
The currently accepted practice is to put the password through kind of a one-way function called a “salted hash function”. This is an analogous to mixing paints, also a generally irreversible process. The user picks a color to be their password while we pick another random color for each user (using the same color for everyone will only lead to the previous situation). We only keep a copy of our random color and that of the mix. When a user signs in and gives us a copy of their colored paint, we mix it with our random paint and check if it matches with the mix. Since the user’s password was never saved, our spy will have trouble figuring out the original color. Still, this does not protect against weak passwords; evil doers will try all common possibilities. But by implementing this system, the number of compromised accounts will be limited.
Perhaps the most encouraged practice for good password is the use of passphrases, that is a series of random words in place of complex and hard to remember passwords. Easy to remember, with just as many combinations. Assuming you choose 4 out of 10000 words in the English language, that is already 10^16 combinations, comparable to the 10^15 combinations of 8 letters, numbers and symbols.
While engineers can’t prevent all possible forms of failure, we do our best to limit it to those of which will not endanger the consumers. Otherwise, we can only encourage safe practices like not yanking on cables. For computer security, I’d encourage the use of long passphrases in place of passwords. With increasingly powerful computers, length becomes the primary factor for password strength. In the event of catastrophic failure, we must accept full responsibility.
