What should we do when the experts change their minds?

Last week, KJR talked about NIST changing (or is it “updating”?) its recommendation regarding its longstanding advice to change passwords frequently.

The question of the hour is, does NIST changing its recommendation make it a more trustworthy source of expertise, or less?

The two obvious and most popular answers boil down to:

More worthwhile: I’d rather take advice from someone who’s constantly learning more about their field, than from someone who learned something once and decided that’s all they need to know.

Less worthwhile: Why should I rely on advice that’s constantly changing? I’d rather rely on positions that don’t change with the time of day, phase of the moon, and the sun’s position in the zodiac.

Before continuing down this path on the information security front, let’s explore a better-known subject of ongoing controversy — the role of dietary fat in personal health.

There’s been a lot written on all sides of this question, so much so that it’s easy to figure that with no medical consensus, what the hell, I’m in the mood for a cheeseburger!

Me, I take a different position: I’m in the mood for a cheeseburger! Isn’t that what pills are for?

No, say the skeptics. There’s published research showing that statins don’t provide much medical benefit and, for that matter, that saturated fats aren’t at all toxic.

As my pre-statin LDLs were way out of whack, I have a personal stake in this, and so here are my personal guidelines for making sense of personal health, information security, or pretty much any other highly technical subject:

Ignore the divisive. Divisive language is easy to spot. Phrases like “The x crowd,” with x = a position you disagree with (“The first amendment crowd,” or, adding 1, “The second amendment crowd,” are easy examples).

This sort of ridicule might be fun (strike that — it is fun) but it isn’t illuminating. Quite the opposite, it’s one of the many ways of dividing the world into us and them, and defining the “right answer” as the one “we” endorse.

Fools vs the informed vs experts. Fools believe what’s convenient. The informed read widely. Experts read original sources.

Fools … perhaps a better designation would be “the easily fooled” … have made confirmation bias a lifestyle choice. Faced with two opposing points of view they’ll accept without question the one they find agreeable while nitpicking the opposing perspective to death.

Those of us who try to remain informed read widely. We choose sources without obvious and extreme biases; that go beyond quoting experts to explaining the evidence and logic they cite; and that provide links or citations to the original sources they drew on.

Especially, we deliberately counter our own confirmation biases by looking skeptically at any material that tells us what we want to believe.

Experts? They don’t form opinions from secondary sources. They read and evaluate the original works to understand their quality and reliability in detail.

There’s always an expert. Want to believe the earth is flat? There’s an “expert” out there with impressive credentials who will attest to it. Likewise the proposition that cigarettes are good for you, and, for that matter, that Wisconsin has jurisdiction over the moon on the grounds that the moon is made of cheese.

Just because someone is able to cite a lone expert is no reason to accept nonsense … see “confirmation bias,” above.

Preliminary studies are interesting, not definitive. For research purposes, statistical significance at the .05 level is sufficient for publication. But a .05 threshold means that when there is no real effect at all, one experiment in 20 will still clear the bar by chance alone, so a single significant result is a reason to look closer, not a settled finding.

Desire to learn vs fondness for squirrels. Ignoring new ideas and information is a sign of ossification, not expertise. But being distracted by every squirrel — changing metaphors, jumping on every new bandwagon because it’s new and exciting — isn’t all that smart either. Automatic rejection and bandwagoning have a lot in common, especially when the rejection or bandwagon appeals to your … yes, you know what’s coming … confirmation bias.

Ignoring changing conditions. No matter what opinion you hold and what policies you advocate, they’re contextual. Situations change. When they do they make the answers we worked so hard to master wrong.

The world has no shortage of people who refuse to acknowledge change because of this. But relying on answers designed for the world as it used to be leads to the well-known military mistake known as “fighting the last war.”

Except that nobody ever fights the last war. They prepare to fight the last war. That’s why they lose the next war.

These are my guidelines. Use them as you like, but please remember:

I’m no expert.

I usually define “expert” as anyone who knows enough more about a subject than I do that I can at best barely understand what they’re telling me.

Regrettably, this means, through the miracle of recursion, that when I claim to be an expert that pretty much means I at best barely understand what I’m talking about.

And so it came to pass that regular correspondent Will Pearce, in response to last week’s KJR, and in particular my advice regarding key rotation (“Bob vs the cloud,” 6/4/2018), kindly commented, “It sounds like your information on password security is a bit old.”

It turns out NIST has revised its password guidance (Special Publication 800-63B, Digital Identity Guidelines). Its source document is, shall we say, information-dense (translation: you won’t be able to just skim it). Mr. Pearce suggested a more readable summary to accompany it (“Time to rethink mandatory password changes,” Lorrie Cranor, Federal Trade Commission Chief Technologist).

The very short version: Not only does frequent password expiration provide no additional security, but it’s often counterproductive: Faced with the need to change passwords on a regular basis, many users choose less secure passwords, often easily guessed permutations of the previous one (the same word with the year or trailing digit bumped).
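To make the contrast concrete, here is an added example (mine, not from the column or from NIST) of a verifier that applies the SP 800-63B rules it actually states (at least 8 characters, allow long passphrases, compare against a blocklist of common or compromised passwords, no composition rules) next to the old composition-rule policy it replaced. The blocklist, the 128-character cap, the similarity threshold and the “trivial variation of the previous password” check are my assumptions for illustration; NIST does not require the last of those, it is here only to show what forced expiration produces.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Constructed stand-in for a breached/common-password blocklist. A real
# verifier would use a large list or a k-anonymity lookup against a breach corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2018"}

MIN_LEN = 8        # SP 800-63B: verifiers SHALL require at least 8 characters
MAX_LEN = 128      # SP 800-63B: verifiers SHOULD allow at least 64; 128 is an assumed cap
SIMILARITY = 0.8   # assumed tuning value for the "trivial variation" test


def normalize(pw: str) -> str:
    """NFKC-normalise so visually identical strings compare equal."""
    return unicodedata.normalize("NFKC", pw)


def stem(pw: str) -> str:
    """Lower-case and strip trailing digits/punctuation: 'Summer2018!' -> 'summer'."""
    return re.sub(r"[\d\W_]+$", "", pw.casefold())


def trivially_derived(new: str, previous: str) -> bool:
    """True if `new` is the kind of cosmetic change forced expiration tends to produce."""
    a, b = normalize(new).casefold(), normalize(previous).casefold()
    if a == b:
        return True
    if stem(a) and stem(a) == stem(b):        # same word, new trailing digit/symbol
        return True
    return SequenceMatcher(None, a, b).ratio() >= SIMILARITY


def check_password(candidate: str, previous: Optional[str] = None) -> Tuple[bool, str]:
    """SP 800-63B-style acceptance check: length and blocklist, no composition rules."""
    pw = normalize(candidate)
    if len(pw) < MIN_LEN:
        return False, "shorter than %d characters" % MIN_LEN
    if len(pw) > MAX_LEN:
        return False, "longer than %d characters" % MAX_LEN
    # Check the stem too, so 'Password1!' does not slip past a blocklist entry 'password'.
    if pw.casefold() in BLOCKLIST or stem(pw) in BLOCKLIST:
        return False, "on the compromised/common-password blocklist"
    if previous is not None and trivially_derived(pw, previous):
        return False, "trivial variation of the previous password"
    return True, "ok"


def legacy_policy_accepts(candidate: str) -> bool:
    """The old composition-rule policy (upper, lower, digit, symbol) shown for contrast."""
    return (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)
            and any(c.isdigit() for c in candidate) and any(not c.isalnum() for c in candidate))


if __name__ == "__main__":
    # Constructed cases: the forced-rotation rename, a dressed-up blocklisted word,
    # and a long passphrase that the legacy rules would have rejected.
    for old, new in [("Summer2018!", "Summer2019!"), (None, "Password1!"),
                     (None, "correct horse battery staple")]:
        print("%-30s legacy: %-5s  800-63B: %s" % (new, legacy_policy_accepts(new), check_password(new, old)))
```

Note what the two policies disagree on: “Summer2019!” and “Password1!” satisfy every composition rule and would sail through a mandatory-change prompt, while the long passphrase fails the legacy policy for lacking an upper-case letter and a digit. The blocklist check against the stem is a deliberate design choice; without it the common trick of appending “1!” to a dictionary word defeats the list.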

A bit of additional research revealed that the complementary practice of asking security questions for password recovery (“What is your mother’s maiden name?”) is pretty much pointless given how few secrets any of us have any more and given our natural inclination to choose questions whose answers we’re most likely to remember later on (see “Google Study Shows Security Questions Aren’t All That Secure,” Frederic Lardinois, TechCrunch, 5/21/2015).

I wasn’t able to find a good source for the question of whether frequent administrative and cryptographic key rotation is still considered good practice.

All of this led me to reconsider my definition of “expert.” Seems to me an expert is someone who, faced with new evidence and logic, reconsiders their beliefs, opinions, and practices. In particular they use the new evidence and logic as a pry bar, to expose to themselves the hidden assumptions on which their current views are based.

Start with the average non-InfoSec specialist’s mental image of who we’re protecting ourselves from. Very likely it’s the standard Hollywood introvert-living-in-his-mother’s basement. But as the estimable Roger Grimes (among others) has pointed out from time to time, these days you’re actually defending yourself against state actors and organized crime syndicates. That puts a very different face on the threat.

As Roger also points out, in a thoroughly depressing article titled, “5 computer security facts that surprise most people,” (CSO, 12/5/2017), 99% of all exploits are “… due to unpatched software or a social engineering event where someone is tricked into installing something they shouldn’t.”

What this means to you: On a personal level you should keep your OS and applications updated. It appears the risk from installing bad patches is lower than the risk of failing to install the important ones.

And, you should take care to avoid falling victim to Trojans and phishing attacks. In particular, inspect any link in an email before clicking on it to make sure it makes sense. This isn’t hard, but it does require looking at the right part of the link: the host name, which is everything between the “https://” and the first “/”. If you receive an email purporting to be from Amazon.com, roll over any links in the message and confirm that the host ends in “.amazon.com” (as in somethingorother.amazon.com/somethingelseorother). A host like amazon.com.somethingelse.net is not Amazon, nor is a link whose visible text says amazon.com but whose actual destination is somewhere else. Or, ignore the links altogether and navigate to whatever it was that caught your interest by typing the address yourself.
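The “look at the host name” rule is easy to state and easy to get wrong, so here is an added example of the check done properly (mine, not from the column). It assumes an allowlist of one trusted domain, amazon.com, which is the page’s own example; every URL and every piece of visible link text below is constructed to illustrate a particular way that a phishing link can look right while pointing somewhere else.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of domains the reader actually expects mail from; "amazon.com"
# is the page's example. Subdomains (www., pay., ...) are accepted, nothing else is.
TRUSTED_DOMAINS = {"amazon.com"}


def link_host(url: str):
    """Host a browser would actually connect to, or None if the string is not a web URL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname          # lower-cased; port and any 'user@' prefix already removed
    return host.rstrip(".") if host else None


def is_trusted_link(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host is a trusted domain or a subdomain of one (a suffix match on
    '.amazon.com', never a substring match on 'amazon.com')."""
    host = link_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def shown_host(text: str):
    """Host a reader would infer from the visible link text, or None. Heuristic only."""
    t = text.strip()
    if "://" in t:
        return urlsplit(t).hostname
    m = re.search(r"(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", t, re.IGNORECASE)
    return m.group(1).lower() if m else None


def visible_text_misleads(text: str, href: str) -> bool:
    """True when the anchor text names one host but the href actually goes to another."""
    shown, actual = shown_host(text), link_host(href)
    if not shown or not actual:
        return False
    shown, actual = _strip_www(shown), _strip_www(actual)
    return shown != actual and not actual.endswith("." + shown)


if __name__ == "__main__":
    # Constructed links: one genuine, then the usual disguises.
    samples = [
        "https://www.amazon.com/gp/your-account",            # genuine subdomain
        "https://amazon.com.account-verify.example/login",   # trusted name as a prefix
        "http://evil.example/amazon.com/login",              # trusted name in the path
        "https://www.amazon.com@evil.example/",              # trusted name as userinfo
        "https://www.\u0430mazon.com/",                      # Cyrillic 'a' look-alike host
    ]
    for url in samples:
        print("%-52s host=%-36s trusted=%s" % (url, link_host(url), is_trusted_link(url)))
    # Anchor text that reads as an Amazon URL but points elsewhere (constructed).
    print(visible_text_misleads("https://www.amazon.com/gp/css/order-history", "http://evil.example/amz"))
```

The two things worth noticing: the userinfo trick (“www.amazon.com@evil.example”) fools a person who reads left to right but not a URL parser, which is why the check goes through urlsplit rather than looking for the string “amazon.com” anywhere; and the look-alike host with a Cyrillic letter is rejected by the allowlist without any special handling, because it simply is not the ASCII name on the list. The visible-text check is a heuristic, since anchor text can say anything; in a mail client the reliable signal is the href shown on rollover.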

On the corporate side, other than the key rotation/password expiration issue, last week’s advice still holds, in particular the points about patch management and frequent white-hat phishing attacks used to educate employees about the same phishing attacks they need to be alert to at home.

And now, the moment you’ve been waiting for. Last week I mentioned my personal financial management software dilemma, and whether to acquiesce to the trends and use a cloud-based service. In the comments, Walt Etten was kind enough to endorse Moneydance, which, in exchange for a $49.99 license fee, stores data locally.

It’s a stark choice. On the one hand it appears there are several worthwhile free cloud-based alternatives (google “free personal financial management software”). On the other there’s Quicken or Moneydance.

It’s the classic dilemma: I can get what I want for fifty bucks, or I can come close to it for free.

It’s a tough, tough call.