employment market for applied cryptographers?

Adam Shostack adam at homeport.org
Fri Aug 16 08:59:16 PDT 2002


Hey, this is off-topic for DRM-punks! ;)

more seriously: I think the fundamental issue is that crypto doesn't
really solve many business problems, and it may solve fewer security
problems. See Bellovin's work on how many vulnerabilities would be
blocked by strong crypto.  The buying public can't distinguish between
well implemented and poorly implemented crypto; the Snake Oil FAQ has
helped a lot, but now you need to distinguish between well and poorly
coded AES.  Is there a business case for doing so, or should you just
ship crap?

AdamS

On Fri, Aug 16, 2002 at 02:23:05AM +0100, Adam Back wrote:
| On the employment situation... it seems that a lot of applied
| cryptographers are currently unemployed (Tim Dierks, Joseph, a few
| ex-colleagues, and friends who asked if I had any leads, the spate of
| recent "security consultant" .sigs, plus I heard that a straw poll of
| attenders at the codecon conference earlier this year showed close to
| 50% out of work).
| 
| Are there any more definitive security industry stats?  Are applied
| crypto people suffering higher rates of unemployment than general
| application programmers?  (From my statistically too small sample of
| acquaintances it might appear so.)
| 
| If this is so, why is it?
| 
| - you might think the physical security push following the world
| political instability worries following Sep 11th would be accompanied
| by a corresponding information security push -- jittery companies
| improving their disaster recovery and to a lesser extent info sec
| plans.
| 
| - governments are still harping on the info-war hype, national
| information infrastructure protection, and the US Information Security
| Czar Clarke making grandiose pronouncements about how industry ought
| to do various things (that the USG spent the last 10 years doing its
| best to frustrate industry from doing with its dumb export laws)
| 
| - even Microsoft has decided to make a play of cleaning up its
| security act (you'd wonder if this was in fact a cover for Palladium
| which I think is likely a big play for them in terms of future control
| points and (anti-)competitive strategy -- as well as obviously a play
| for the home entertainment system space with DRM)
| 
| However these reasons are perhaps more than cancelled by:
| 
| - dot-com bubble (though I saw some news reports earlier that though
| there is lots of churn in programmers in general, that long term
| unemployment rates were not that elevated in general)
| 
| - perhaps security infrastructure and software upgrades are the first
| things to be canned when cash runs short?  
| 
| - software security related contract employees laid off ahead of
| full-timers?  Certainly contracting seems to be flat in general, and
| especially in crypto software contracts look few and far between.  At
| least in the UK some security people are employed in that way (not
| familiar with north america).
| 
| - PKI seems to have fizzled compared to earlier exaggerated
| expectations, presumably lots of applied crypto jobs went at PKI
| companies downsizing.  (If you ask me over use of ASN.1 and adoption
| of broken over complex and ill-defined ITU standards X.500, X.509
| delayed deployment schedules by order of magnitude over what was
| strictly necessary and contributed to interoperability problems and I
| think significantly to the flop of PKI -- if it's that hard because of
| the broken tech, people will just do something else.)
| 
| - custom crypto and security related software development is perhaps
| weighted towards dot-coms that just crashed.
| 
| - big one probably: lack of measurability of security -- developers
| with no to limited crypto know-how are probably doing (and bodging)
| most of the crypto development that gets done in general, certainly
| contributing to the crappy state of crypto in software.  So probably
| failure to realise this issue or perhaps just not caring, or lack of
| financial incentives to care on the part of software developers.
| Microsoft is really good at this one.  The number of times they
| re-used RC4 keys in different protocols is amazing!
| 
| 
| Other explanations?  Statistics?  Sample-of-one stories?
| 
| Adam
| --
| yes, still employed in software security industry; and in addition have
| been doing crypto consulting since 97 (http://www.cypherspace.net/) if
| you have any interesting applied crypto projects; reference
| commissions paid.

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
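The quoted message closes on the RC4 key-reuse point: the same key used in two different protocols. The following is an added example, not code from either poster, that shows why that is fatal for any stream cipher. It implements textbook RC4 (key scheduling plus the PRGA), encrypts two constructed messages under one fixed, constructed key, and demonstrates that the XOR of the two ciphertexts equals the XOR of the two plaintexts, so an attacker who knows (or can guess) one message reads the other. The per-message key derivation at the end (SHA-256 over master key, protocol label and nonce) is a hypothetical remedy chosen for illustration, not something the thread describes.

```python
"""Two-time pad: what goes wrong when one RC4 key serves two protocols.

Added example, not part of the original mailing-list thread.  The key,
the protocol labels and both messages are constructed for illustration.
"""
import hashlib

# Constructed, fixed so the demonstration is reproducible.  The attack
# does not depend on the key being weak; any reused key behaves the same.
MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PT_A = b"protocol A: login alice pass=hunter2"       # constructed message 1
PT_B = b"protocol B: transfer 500 to account 42"    # constructed message 2


def rc4_keystream(key: bytes):
    """Textbook RC4: key-scheduling algorithm, then the PRGA as a generator."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR over the common prefix of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_other_plaintext(ct_a: bytes, ct_b: bytes, known_pt_a: bytes) -> bytes:
    """Same keystream K on both sides cancels out:
       ct_a ^ ct_b = (pt_a ^ K) ^ (pt_b ^ K) = pt_a ^ pt_b,
    so pt_b = ct_a ^ ct_b ^ pt_a over the overlapping prefix."""
    n = min(len(ct_a), len(ct_b), len(known_pt_a))
    return xor(xor(ct_a[:n], ct_b[:n]), known_pt_a[:n])


def per_message_key(master: bytes, context: bytes, nonce: bytes) -> bytes:
    """Hypothetical remedy: derive a distinct key per protocol and nonce
    so two ciphertexts never share a keystream.  SHA-256(master||ctx||nonce)
    is an illustrative derivation, not one the thread describes."""
    return hashlib.sha256(master + context + nonce).digest()


def demo() -> dict:
    """Run the attack against key reuse, then show the derived-key remedy."""
    n = min(len(PT_A), len(PT_B))

    # 1. Both protocols use MASTER_KEY directly: identical keystream.
    ct_a = rc4(MASTER_KEY, PT_A)
    ct_b = rc4(MASTER_KEY, PT_B)
    reuse_leaks_xor = xor(ct_a, ct_b)[:n] == xor(PT_A, PT_B)[:n]
    recovered = recover_other_plaintext(ct_a, ct_b, PT_A)

    # 2. Each protocol derives its own key: keystreams differ, XOR of the
    #    ciphertexts no longer reveals the XOR of the plaintexts.
    key_a = per_message_key(MASTER_KEY, b"protocol-A", b"\x00" * 8)
    key_b = per_message_key(MASTER_KEY, b"protocol-B", b"\x00" * 8)
    ct_a2 = rc4(key_a, PT_A)
    ct_b2 = rc4(key_b, PT_B)
    separate_keys_leak_xor = xor(ct_a2, ct_b2)[:n] == xor(PT_A, PT_B)[:n]

    return {
        "reuse_leaks_xor": reuse_leaks_xor,
        "recovered_prefix": recovered,
        "separate_keys_leak_xor": separate_keys_leak_xor,
    }


if __name__ == "__main__":
    result = demo()
    print("key reuse leaks pt_a ^ pt_b:", result["reuse_leaks_xor"])
    print("recovered protocol-B message:", result["recovered_prefix"])
    print("distinct keys leak pt_a ^ pt_b:", result["separate_keys_leak_xor"])
```

The recovery needs no cryptanalysis of RC4 at all; it is a property of every stream cipher, which is why a protocol designer has to guarantee a fresh key or nonce per message. Deriving per-context keys closes this particular hole, but RC4 itself has since been deprecated for TLS (RFC 7465) because of keystream biases, so new designs should use an AEAD rather than any RC4 variant.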



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com