In days of yore, when I was but a wee bairn dweeb, I used to compete in mathematics.

While my pint-sized contemporaries passed the time playing soccer, getting in fist fights, and generally being the obnoxious little nuisances one would expect of kids their age, I stayed at home and worked on math problems. No, that’s an understatement. I solved math problems with motherfucking gusto.

My parents, bless ‘em, indulged my odd fascination with all things numerical and dutifully chauffeured me from one competition to the next, no doubt wondering whether my time would have been better spent chasing girls instead of imaginary numbers. I, of course, remained steadfast: a girl who couldn’t appreciate my unrestrained jubilation at first understanding the proof of the central limit theorem, that Pretentious Pontiff of Probability, was not a girl worth chasing.

I eventually won a bunch of those competitions and went on to study theoretical math and computer science at a place whose mathematicians drink their coffee straight out of their donuts. (If you smiled, you’ve taken too much math. Good on you.)

Right, security.

Bruce Schneier wrote an essay for Wired a few days ago, discussing a particular affliction of security folk: an always-running mental thread that’s considering ways to break, evade and subvert every system in sight. Says Bruce:

Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.

Everyone has at some point had to explain to a stranger, in a single sentence, what they do in life. I tell people I’m paid to be paranoid — half as a joke, but half because it’s entirely true. Security people live in a constant state of directed, focused paranoia, and it’s fairly much impossible to switch that off when you head home after work. Colin Percival, however, thinks this mindset isn’t unique, and might even be inherent in being a mathematician:

[T]he sort of edge cases which mathematicians are trained to think about in writing a proof are exactly the sort which cause most security issues. Very few security problems “in the wild” are the result of bugs which are tripped over all the time — such bugs don’t survive long enough to cause problems for security. Rather, security issues arise when an unanticipated rare occurrence — say, an exceptionally large input, a file which is corrupted, or a network connection which is closed at exactly the wrong time — takes place. … If you want someone to understand security, just send him to a university mathematics department for four years.

My award-winning, non-girl-chasing record of mathematical dweebery and I respectfully disagree.

Mathematical problems can be exceedingly hard and require a meticulous, uncompromising attention to detail, yes. But the problems themselves are very well defined. They’re unambiguous beyond a shade of doubt. Security — isn’t.

Give me any math problem, and I can formulate it in such a way that a mathematician can go off, work on it without asking me further questions, and produce a solution that, if correct, will remain correct for the rest of time. In other words, mathematicians solving a particular problem are designing a solution against a well-understood and reasonably immutable set of requirements.

People who attempt to build secure systems have no ultimately well-understood (let alone immutable!) requirements to design against. Economics aside, a good approximation for what they’re attempting to build is to say that “a secure system is one that survives all relevant attacks that people in our field have come up with thus far”, but it’s clear that a system successfully meeting that goal can simply cease to meet it any given day. Thus unlike with a math problem, you fundamentally can’t evaluate the quality of a security system if you don’t become familiar with the state of the art of attacks against security systems, and you can’t do that unless you realize that these attacks have each brought down a system previously considered impregnable. No amount of mathematical training will rescue you here: to be good at security, you need to grow a specific, attack-driven security mindset.

When you think about it this way, it should also be no mystery why security practitioners approach new systems with extreme caution, and laugh at the very notion of security that hasn’t been vetted by the community: if, by the time you’ve gone through dozens of broken systems and their corresponding attacks, you still think you’re smart enough to write and vet a new system all by yourself, you’re either very brave or very daft.

Neither of those mean you’re a bad person, but mathematician or not, both mean you shouldn’t be designing security systems.