Proceed with gaussian*

Nessie the Bell Curve monsterSince reading Nicholas Nassim Taleb’s The Black Swan, I’ve been seeing gaussian fallacies everywhere. Let me back up a bit and explain: the story goes, Europeans observed that swans were white throughout all of Europe, which they extrapolated that into a theory that all swans around the world must be white. But when explorers came to Australia and discovered a Black Swan, their theory was immediately invalidated. The implication is that Black Swans can happen anywhere, at any time to invalidate theories and models.

This applies to technology. Experts want us to think that just because the 128-bit encryption standard used to protect our personal data takes a supercomputer a squillion lifetimes to crack, it means that the systems protecting our sensitive information are secure. Yet the recent of Sony Playstation accounts, adding to the growing list of major security breaches in recent months, tells an entirely different story.

Admittedly there are many factors other than encryption that can be to blame security breaches, but in terms of how security is marketed to the general population, we’re usually told that encryption is the primary means of protection, right? (That little lock icon in your browser? That’s encryption. Facebook suggesting that you switch to using https? Yep, encryption.)

What’s to say an event from either extreme of the bell curve won’t happen in the first 20 seconds? Just because it takes a computer an eternity to crack the code, doesn’t mean that the result will only be known at the very end of the calculation process. For example: I pick a random number between 1 and 1,000,000,000,000 and ask you to guess it. In the absence of any other limitations (i.e. time restrictions) you could either take potshots at it by selecting numbers at random, or you could just start by guessing 1, then 2, then 3… and so on. If that random number happens to be 12, the second approach would have gotten you there in mere seconds.

But I digress. The point is, we’re being fed a Gaussian fallacy with encryption. The real threats are whatever means hackers and other nefarious types are using to bypass security – those are the “black swans”. I daresay the same thing applies to password selection. Is “password” really that much less secure than “Gh$h26Sd!0” if the vector of attack is a colleague installing a keylogger on your computer?

Post back in the comments here if you see any examples of Gaussian fallacies in your life.


* The title is obviously a pun on “proceed with caution”. I know “Gauss” rhymes with “house” rather than “horse” but I’ve always pronounced it “gore-shan” for whatever reason.