by tptacek 5601 days ago
The best security researchers in the world are almost uniformly not trained in mathematics. Here's a short list of top-tier researchers. Spot the mathematicians!

* Mark Dowd

* John McDonald

* Alex Sotirov

* Dino Dai Zovi

* Charlie Miller

* Michal Zalewski

* Aaron Portnoy

* Dave Aitel

* David Litchfield

* Barnaby Jack

This doesn't invalidate the blog post, but I will go on to suggest that quite a lot of people with extensive formal training in mathematics either (a) have/had careers in software security with less spectacular results than e.g. Aaron or Michal or (b) have produced, despite incentive to the contrary, some really crappy code.

5 comments

Leaving off the top cryptographers from a list of security researchers seems a bit disingenuous. However, including cryptographers might make Colin's argument trivially obvious, since so many of the top cryptographers come from mathematics backgrounds. Therefore, I'll just add Rolf Rolles to your list, and note that he does come from a mathematics background.
Neither Colin nor Schneier was talking about cryptography. Cryptography and security are not the same thing.

Rolf Rolles is a very smart guy, but he's not a security researcher; he works in content protection and reverse engineering. Having said that: sure. That's one. One. :)

> Charlie Miller

You mean the Charlie Miller who has a PhD in mathematics, right?

Also, did you seriously just write a list of top-tier security researchers which didn't include djb?

I didn't know Charlie had a math degree! That's two. :)

Rolf Rolles is more of a security researcher --- a lot more --- than Daniel Bernstein. But I'll concede it! He's a third.

We're at 3. Do you think I can't name 10 more notable security researchers, justifying each of them, to back up my point here?

> Rolf Rolles is more of a security researcher than Daniel Bernstein

I think we'll have to agree to disagree here. But given our different focuses in security, it's not all that surprising that we have different definitions of "security researcher".

Whether they have "Mathematics" on their diploma is immaterial; I'd bet good money that most of these guys took some real serious math classes in school.
I presume you mean at university? There are no serious math classes at school.
A university is a school. Why are you trolling?
It might have been a genuine mistake - University and school are not really interchangeable terms here in the UK.
Indeed. Though I should probably have been more generous with my input. (And growing up in Germany, a school is something completely different from a university there.)
The author of the article was referring to a method of learning a proper security mindset. It's a classic self-learning vs. classroom-based learning...
How about Dan Boneh and David Brumley? They are security researchers with strong backgrounds in mathematics.