What kid would think this through?

In high school I had a class where your final grade was based on a total number of points earned through the semester. The final exam was worth a large portion of the total semester points—let’s say it was 500 of your semester’s possible points. Your percent-score on the exam determined how many of those points you received. (Ace the exam, and you get all 500 points.)

The exam was many hundreds of multiple-choice questions; the exam was so long that no one could ever finish it. The questions had to be shuffled to mix the material taught in the course. Every year the questions were identical, but each year the teacher made a copy of the master list, cut up (yes, with a scissors) the questions, shuffled the strips, and then taped the questions onto a sheet with question numbering, to create a unique Frankenstein-exam every year. This Franken-exam was then photocopied (via a Volkswagen Beetle sized behemoth in the main office) to produce the actual exams.

In the days before the exam, we were told to work at our own pace, to answer each question (skips counted as wrong answers) and to simply stop when time was called. Afterwards, the teacher would calculate the average number of questions attempted by the class. That average was then used as the possible number of questions for calculating our exam scores. (Thus the shuffling to create an exam that is however-long we made it as we took it!) If you went farther than the class’s average attempted number, then you could score some extra points (if you get the answers right, of course) to offset any wrong answers you had along the way. A lot of work to shuffle it every year, but it was a neat idea.

I think it had always worked because kids just didn’t care enough to think it through. We weren’t told the total number of questions, nor what previous classes had attempted. But, for discussion here, let’s say the class’s average-attempted is 200. And let’s say I were to answer 227 questions, but I get 24 wrong. That feels like an 89%, right? No, actually I end up with 203 correct answers, which is more than the class’s average-attempted of 200. I actually score 101.5% and I would get all of the exam’s 500 points towards my semester total. Wait, there’s more: As extra credit, my 3 extra correct answers (my 203 against the 200 attempted average) become extra credit points just added right to my semester total. I’d get 503 points towards my semester!

After the exam was announced, two of my friends and I realized…

  1. Do not tell another soul about this or everyone will fail the exam.
  2. When you get the test, go as fast as you can. Our goal is to attempt as many questions as possible.
  3. The goal isn’t to get every question right—the goal is to get a lot right.

For example, if we could get just 60% right—normally a really poor performance on an exam—while attempting twice as many as the class average, we win big. Say, 200 average-attempted, against our 400 attempted, at 60% correct (240 correct answers of 400)… we’d score 120% on the exam, plus 40 extra points (our 240 correct above the 200 needed). That’s 540 points towards the semester. And, if we could get 75% correct, while attempting 3 times as many questions, then our exam score is 225% (that’s our 450 correct answers, while needing only 200) plus an extra 250 points (that’s our 450, minus the 200 to ace the exam). That’s 750 points towards the semester! Now do you see the attack? :)

I never understood why no one else ever tried that.

I know this is a minor thing in the universe of problems with secondary education and grading, but I found the hack interesting.

~ Bruce Schneier from, https://www.schneier.com/blog/archives/2023/10/hacking-the-high-school-grading-system.html

…and I’m actually not sure if what we tried even worked. You thought I was going to have a clear take-away about my actual scores, or the test never being given again?! No the take-away is: Oh, I’ve been thinking like a hacker for a Long. Long. Time.
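The scoring rule in the quoted story is easy to get wrong in one's head, so here it is as a small Python model. This is an added example, not code from Schneier's post or from the reader who told the story; the exam weight (500 points) and the three scenarios (203, 240 and 450 correct against a class average of 200) come from the text, while the class size, the number of students who adopt the strategy, and the accuracy figures are constructed. It also goes one step beyond the post: the class average is computed from everyone's attempts, so it shows why the friends agreed not to tell anyone else.

```python
"""Model of the points-based exam rule described in the quoted post.

Added example, not from the original post. The rule as the post describes it:
  * the exam is worth EXAM_POINTS (500 in the post) of the semester total;
  * the "possible" number of questions is the class's average attempted count;
  * exam score = correct / class_average, capped at 100% for the exam itself;
  * every correct answer beyond the class average is one extra-credit point.
The class composition used in simulate() is constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean

EXAM_POINTS = 500  # from the post


@dataclass(frozen=True)
class Student:
    attempted: int
    accuracy: float  # fraction of attempted answers that are correct

    @property
    def correct(self) -> int:
        return round(self.attempted * self.accuracy)


def exam_score_pct(correct: int, class_average: float) -> float:
    """Raw exam percentage before capping (the post's 101.5%, 120%, 225%)."""
    return 100.0 * correct / class_average


def semester_points(correct: int, class_average: float) -> float:
    """Points the exam contributes to the semester total under the described rule."""
    capped = min(correct / class_average, 1.0) * EXAM_POINTS
    extra_credit = max(correct - class_average, 0)  # one point per surplus correct answer
    return capped + extra_credit


def class_average_attempted(students: list[Student]) -> float:
    return mean(s.attempted for s in students)


def simulate(class_size: int, gamers: int, gamer_attempted: int, gamer_accuracy: float,
             normal_attempted: int = 200, normal_accuracy: float = 0.9) -> tuple[float, float, float]:
    """Return (class average, points for a 'gamer', points for a 'normal' student).

    Shows the feedback the post hints at: every student who races ahead raises the
    class average, which lowers everyone's score, the gamers' included.
    """
    students = [Student(normal_attempted, normal_accuracy)] * (class_size - gamers)
    students += [Student(gamer_attempted, gamer_accuracy)] * gamers
    avg = class_average_attempted(students)
    gamer = Student(gamer_attempted, gamer_accuracy)
    normal = Student(normal_attempted, normal_accuracy)
    return avg, semester_points(gamer.correct, avg), semester_points(normal.correct, avg)


if __name__ == "__main__":
    for correct in (203, 240, 450):  # the three scenarios from the post
        print(correct, exam_score_pct(correct, 200), semester_points(correct, 200))
    for gamers in (0, 3, 15, 30):  # constructed class of 30, gamers attempt 400 at 60%
        print(gamers, *simulate(30, gamers, 400, 0.6))
```

With three gamers in a class of thirty the average only moves from 200 to 220, so the strategy still pays (520 points against about 409 for a careful student); once everyone does it the average is 400 and the same 240 correct answers are worth 300 points. The flaw is that the denominator is chosen by the people being graded, which is the kind of thing a threat model of a scoring rule should catch before the rule is deployed.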

ɕ

Adjudication

Human-based adjudication systems are not useless pre-Internet human baggage, they’re vital.

~ Bruce Schneier from, https://www.schneier.com/blog/archives/2021/12/smart-contract-bug-results-in-31-million-loss.html

There are lots of things to say about the stuff built, conceptually, on top of block-chain technology. (Type “NFT” into your favorite search engine, for example; there’s a lot that’s been said.)

But Schneier’s point about adjudication is something I’d never thought of. I’ve always known that “the software is the source of truth” is a literal disaster. Spend 30 years writing and working within software and you’ll agree. Software only works because there are intelligent people doing the really hard work.

ɕ

Omnipotent or understandable

While researchers are working on [Artificial Intelligence (AI)] that can explain itself, there seems to be a trade-off between capability and explainability. Explanations are a cognitive shorthand used by humans, suited for the way humans make decisions. Forcing an AI to produce explanations might be an additional constraint that could affect the quality of its decisions. For now, AI is becoming more and more opaque and less explainable.

~ Bruce Schneier

Omnipotent or understandable; choose one.

At first blush, this might seem pretty scary. This AI can perform this amazing task, but I have to simply trust it? But then, that’s what I do when I get on an airplane—and not just the people who are up front performing tasks I cannot even list, let alone perform, but the people who built the plane, and wrote the software that was used to design and test the plane, and… I digress.

But I think… slowly… I’m getting more comfortable with the idea of something doing really important stuff for me, without my understanding. I know the AI is going to follow the same rules of the universe that I must, it’s simply going to do so while being bigger, better, more, and faster. Humans continuing to win in the long run with tools, I might say.

(I sure hope our benevolent AI overlords find this blog post quickly after the singularity. He says grinning nervously.)

ɕ

Election hacking

Security is never something we actually want. Security is something we need in order to avoid what we don’t want. It’s also more abstract, concerned with hypothetical future possibilities. Of course it’s lower on the priorities list than fundraising and press coverage. They’re more tangible, and they’re more immediate.

~ Bruce Schneier from, https://www.schneier.com/blog/archives/2018/05/the_us_is_unpre.html

I think the only thing “protecting” us from someone successfully hacking an election, is the sheer number of polling places. You’ve voted, right? Sure, it’s a busy spot with maybe a dozen machines and hundreds of people… but there are thousands and thousands of polling places, and the voting machines are not networked. Yet.

Don’t misunderstand: This is security through obscurity; it is not actually security at all, and is a recipe for disaster.

ɕ

Maintaining trust in our democratic process

We’re not just worried about altering the vote. Sometimes causing widespread failures, or even just sowing mistrust in the system, is enough. And an election whose results are not trusted or believed is a failed election.

~ Bruce Schneier from, https://www.schneier.com/blog/archives/2018/04/securing_electi_1.html

Bruce Schneier has been a voice of reason for a long time. I’ve been reading what he’s written since I joined his email list in — I think it was — 1998. Generally, your life will go better if you pay attention to those things which he says are of security concern.

Click over on this one and weep at how laughably insecure our voting systems are currently. Yes, doing security well is difficult, but the manufacturers of our current voting systems aren’t even putting in a token effort.

ɕ

So obscure it confused _ME_

I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who — if anyone — has the responsibility of fixing it.

~ Bruce Schneier from, https://www.schneier.com/blog/archives/2018/04/obscure_e-mail_.html

I had to read the entire thing twice.

I’m on a “security” tirade here for a few days, so here’s my strategy for security: Get off the peak of the bell curve.

If someone wants your stuff, they will take it. Actors can always, if sufficiently motivated, apply more resources than you have available for defense. Therefore, one should not bother defending (worrying, spending crazy amounts of resources) against a “motivated” attacker. Instead, deploy defense in depth and then make incremental improvements everywhere.

https://en.wikipedia.org/wiki/Defence_in_depth

ɕ

Take back the Internet

This is not the Internet the world needs, or the Internet its creators envisioned. We need to take it back.

And by we, I mean the engineering community.

Yes, this is primarily a political problem, a policy matter that requires political intervention.

But this is also an engineering problem, and there are several things engineers can — and should — do.

~ Bruce Schneier from, https://www.schneier.com/blog/archives/2013/09/take_back_the_i.html

I’d venture that the vast majority of regular, everyday people working in technology-related jobs are not actively trying to do evil. People go to work, make the best decisions they can and then go home. If that’s true, then it’s going to be nigh impossible to change the momentum of how things (e.g., NSA surveillance) are going. Because in order for it to change, we need to start thinking bigger.

ɕ

Welcome to the surveillance state

The Internet is a surveillance state. Whether we admit it to ourselves or not, and whether we like it or not, we’re being tracked all the time. Google tracks us, both on its pages and on other pages it has access to. Facebook does the same; it even tracks non-Facebook users. Apple tracks us on our iPhones and iPads. One reporter used a tool called Collusion to track who was tracking him; 105 companies tracked his Internet use during one 36-hour period.

~ Bruce Schneier from, http://www.schneier.com/blog/archives/2013/03/our_internet_su.html

…and he wrote that essay before the Snowden/NSA revelation showed us we’ve gone far beyond it being only an Internet surveillance state. We have collectively delivered ourselves into the power of ideas we do not know we have accepted.

ɕ