Security pioneer Ross Anderson dies at 67

Venerable computer scientist and information security expert Ross Anderson has died at the age of 67. His family broke the news to Anderson's friends and colleagues at the University of Cambridge, where he worked as a professor of security engineering and senior research fellow at Churchill College. He passed away unexpectedly …

  1. perkele

    Taken before his time. But I've noticed - getting older myself - those looked up to are disappearing as old Father Time catches them.

    I'm no spring chicken (in my 50s) either.

    1. Arthur the cat Silver badge

      He was two years younger than me. Gulp.

      1. wookey

        How fit are you?

        I've only just found out that Ross died (bummer - he was always an interesting, if highly opinionated, bloke), but he was looking very tubby last time I saw him (8 months ago) so keeling over, presumably of a heart attack or stroke, is not a huge surprise. Sitting in front of computers all day is not good for any of us, and some preventative measures can go a long way to actually reaching retirement age.

        Maybe he did it just to annoy the University :-)

  2. Anonymous Coward

    Retirement Age

    The debate at Cambridge around forced retirement is a bit more nuanced than just getting rid of old(er) people who are cluttering up the office. It's about giving opportunity for fresh blood to enter the workforce. If no-one's leaving, how can a newbie get their foot in the door?

    A healthy organisation has a broad mix of ages, genders, abilities, skills, experience, etc. Cambridge admits its higher ranks are too full of old(er) men. Forcing people to retire at 67 is one way to make room for fresh blood. But it does mean you lose people with decades of experience which is highly valuable.

    There is no simple, perfect answer.

    1. Jellied Eel Silver badge

      Re: Retirement Age

      The debate at Cambridge around forced retirement is a bit more nuanced than just getting rid of old(er) people who are cluttering up the office. It's about giving opportunity for fresh blood to enter the workforce. If no-one's leaving, how can a newbie get their foot in the door?

      Fresh blood and newbies wouldn't and shouldn't be expected to 'enter the workforce' at senior research levels or professors, unless they were exceptional students. Those senior posts should be a meritocracy, especially in an academic environment. This is one of those 'controversial' topics Anderson would argue about. Plus it's a security engineering department. If one cannot work out a way to create a vacancy and get a foot in the door, it is probably not the department for you.

      1. Robert Carnegie Silver badge

        Re: Retirement Age

        You're reminding me of the fictional (?) path to promotion at Unseen University, where someone senior does have to, uh, vacate their position. And they're usually at least as aware of this as the postulant is. But perish the thought, in this case.

      2. Ken Hagan Gold badge

        Re: Retirement Age

        Sadly the state of academic funding means that each new entrant at the bottom displaces someone on the next level up and so on until, yes, someone at the top needs to move out to make space.

        1. Michael Wojcik Silver badge

          Re: Retirement Age

          I don't know about Cambridge, but at every university I attended or worked at, the situation was far more complicated than that. Departments certainly could get additional lines, if they could justify them.

      3. Jedit Silver badge
        FAIL

        "Fresh blood shouldn't be expected to 'enter the workforce' at senior research levels"

        No, they shouldn't. However, you might have considered that for anyone other than a newbie to attain those levels, they must already be in a lesser existing post. If the people at the top aren't making way for the people one level below them, the lesser posts also remain full. And thus it proceeds all the way to the bottom, where newbies can't gain an entry level position to get on the ladder because those positions are already filled by people who have been unable to get promoted out of them. Which is the OP's point, that you completely ignored.

        1. Michael Wojcik Silver badge

          Re: "Fresh blood shouldn't be expected to 'enter the workforce' at senior research levels"

          for anyone other than a newbie to attain those levels, they must already be in a lesser existing post

          Also not true, at the universities I've been associated with. Senior hires are not uncommon.

    2. Anonymous Coward

      Re: Retirement Age

      There are a couple of points Ross would make. First is that a retirement age of 67 prevents someone from taking on a 5 year research grant at 62.1, since the conditions of the grant mean you must have employment for the duration of the grant. That is a major impediment to a research career, and why Ross took up a post at Edinburgh which has no specific limit.

      The other is that there is no actual evidence for such a policy having the effect of younger people getting advancement faster. Ross had numbers on this.

      1. Vincent Ballard
        Thumb Up

        Re: Retirement Age

        Before reading your post I had been thinking that I recall various professors emeriti floating around, still enjoying themselves and probably making useful contributions, so I was unsure that retirement from official administrative responsibilities would have much effect, but the issue you raise about grants more than clarifies that uncertainty. Thank you.

    3. Snowy Silver badge
      Holmes

      Re: Retirement Age

      Sure, if your pension will support you, giving up work is easy; if not, not so easy.

      1. MJB7

        Re: Retirement Age

        UK academics are on a career-average pension now. That's not quite as generous as the previous final-salary pension, but it's still very comfortable.

    4. Anonymous Coward

      Re: Retirement Age

      Disagree. I think pay should taper off though towards retirement and provision by pension companies should allow for this. The trouble with older folks in senior positions sticking around isn't the space they take up. It's the money they cost.

      If it was possible to start tapering off pay at say 50 and taper in pension while still working, it would be less of an issue.

      1. Jellied Eel Silver badge

        Re: Retirement Age

        The trouble with older folks in senior positions sticking around isn't the space they take up. It's the money they cost.

        That's only an issue if you're stacking dead wood. Another issue is this comment from the OP-

        A healthy organisation has a broad mix of ages, genders, abilities, skills, experience, etc. Cambridge admits its higher ranks are too full of old(er) men.

        Which is the DEI bollocks. Equality says everyone's equal, but DEI says you need a 'broad mix', which implies differences. So get rid of the old(er) men to fill quotas. Which is back to the way academia should be a meritocracy. Anderson wasn't exactly old for academia, which makes his passing all the more sad. He was also hugely respected, and attracted a lot of students, funds and PR to his department and university.

        Which is how it probably should work. Once upon a time there were a bunch of academics who wanted to do things differently, so they left Oxford, settled in the swamps and Cambridge was born. And then steadily expanded, adding new colleges as its academics convinced wealthy patrons to part with their cash. Colleges aren't necessarily limited by their capacity or salary, they're limited by the ability of their fundraisers to bring in the money & students to expand. If academics aren't bringing in the money, because they aren't performing, just fire them.

        1. Anonymous Coward

          just fire them

          It's not that simple.

          Most UK academics of Ross Anderson's generation have tenure. Firing them is close to impossible.

          The younger generation of academics rarely get tenure. Many are on short-term contracts (3-5 years tops) tied to research grants. When their research money dries up, they're automatically out of a job. There's no need for a university to fire them or even pay redundancy.

          1. Jellied Eel Silver badge

            Re: just fire them

            The younger generation of academics rarely get tenure. Many are on short-term contracts (3-5 years tops) tied to research grants. When their research money dries up, they're automatically out of a job. There's no need for a university to fire them or even pay redundancy.

            Yep, that I think is a different problem. So figure on teaching. UK students get charged £9,250 a year. Figure on say, 10% of that going towards teaching staff costs and £50k salary, you'd need >50 students to pay one teaching position.. and the students wouldn't get much tuition with class sizes that large. I've no idea what UK universities' overheads are like, but I've seen plenty of reports that suggest they're rather bloated with overheads. So to improve funding, fees have to increase.. which then hammers students.

            Then as you say, there's the research side, and I've heard plenty of horror stories around that. Like researchers being charged for lab and other services, the costs for those being constantly hiked to cover University overheads leaving not a lot of money to do the actual research, or pay the researcher.. Especially when in some fields, lab, materials or even just energy costs are high. So a rather wicked problem to try and solve. Personally, if I were ever to become rich and shameless, I'd love to be a patron. I've always been fascinated by what lies beneath, so been pondering using geophysics, photogrammetry and earthquakes to semi-passively create a 3D model, and find me a proper man-cave. But much as I'd love to dump that onto a post grad, I can't afford to sponsor one. But maybe with an online crowd-funding or online patronage system, researchers could get paid. Especially if governments also included nice tax breaks.

  3. Anonymous Coward

    Great loss

    His papers, books, and talks are well worth the study. (I have all three editions of his magnum opus -- the second is online.)

    1. Michael Wojcik Silver badge

      Re: Great loss

      Easy enough to find, but since I already have it open in a tab: Security Engineering, 2nd ed.

  4. andy 103
    Pint

    Serpent

    I first became familiar with Ross Anderson in the early 2000s with his work on Serpent.

    The summary being it lost out to Rijndael in an AES competition, despite the fact Serpent was more secure. I think the reason it lost was along the lines of it was slower than Rijndael but at the time they were using something like a 200 MHz Pentium to benchmark, since that was common hardware at the time. He wrote quite a long explanation which essentially said in the future that would no longer be an issue because - like many others - he knew 200 MHz Pentiums would be surpassed very quickly. He was ahead of his time and had done a proper job - it was (and still is) impressive.

    The pages about that project are still on his Cambridge personal website. As far as I know the code for Serpent was GPL'd and publicly available for others to use.

    1. twellys

      Re: Serpent

      *Think* also Rijndael had the option of 256-bit whereas Serpent only had 128-bit.

      1. dinsdale54

        Re: Serpent

        The AES spec determined that all entrants would use a 128 bit block size and up to at least 256 bit key size. I believe Rijndael did offer larger block sizes but once it became AES that feature was dropped.

        At the time, encryption was very CPU heavy. No custom functions in mainstream CPUs like today. We sold quite a few nCipher cards to customers wanting to run VPNs and suchlike. Limited use cases for them these days.

  5. Tom Paine

    A towering figure

    I haven't much to add to the excellent obit (thanks Connor), except to +1 that Security Engineering is an absolutely essential book for the shelves of anyone with even a non-professional interest in infosec; and to note that one reasonable proxy for measuring his significance might be the number of times he was involved in stories reported here on the Reg.

    (Sadly and inappropriately, I can't get DuckDuckGo to do the equivalent of the chocolate factory's "site:.." flag.)

    https://www.google.com/search?q=%22Ross+Anderson%22+site%3Atheregister.co.uk

    1. Jonathan Richards 1 Silver badge

      Register coverage (was Re: A towering figure)

      Startpage will do it without blabbing to G°°gle:

      https://www.startpage.com/sp/search?q=%22Ross+Anderson%22+site%3Atheregister.co.uk

      There are more hits with the term site:theregister.com, too.

    2. Blazde Silver badge
      Unhappy

      Re: A towering figure

      Security Engineering was - I think - my second ever purchase from a still burgeoning online book store named after a famous big forest. July 2001. One of those rare items you get disproportionately excited about receiving. Like a kid lusting after a toy for months finally waking up on Xmas day. Over the next few weeks poring over it, studying every page and following numerous references, a kid hacker turned into an adult proud to now call a contentious hobby an 'engineering profession' and with a much, much broader perspective on the subject.

      He's left a huge legacy. I'm sure I'll be stumbling upon his papers and enjoying them for decades to come.

      My condolences to his family, and all who knew him personally.

  6. Alistair Kelman

    Ross - the bane of politicians and PR journos

    Ross was really special - he gave no quarter to politicians or PR journos whose arguments and defences were filled with "special pleadings". All of us in the security community are going to miss him and his generosity with ideas. He could truly inspire great insights. One of his greatest gifts was in how he negotiated with Wiley, his publishers, so that his book Security Engineering is not locked away in a copyright ghetto. Instead earlier editions are available to freely download and the current edition has a limited life as a premium publication. His lectures contained infectious humour. I commend to everyone his fifteen lecture series which he made available during lockdown to everyone who was interested in these topics via the web.

  7. Peter Gathercole Silver badge

    A real loss.

    I first noted his work when he first talked about Palladium/Next-Generation Secure Computing Base, which is not-so-slowly finding its way into mainstream computing devices.

    He predicted what we are seeing now with locked boot loaders and the ability of manufacturers to prevent 'unauthorized' software running on a system years before it actually started happening.

    Considering he was only a few years older than I am now, it makes me think both of how little I've achieved in comparison, and of my own mortality.

    1. Ken Hagan Gold badge

      Re: A real loss.

      Surely one man's locked boot loader is another man's secure device, at least in the embedded space where it isn't reasonable to ask the (absent) user to type in a cryptokey (on an absent keyboard) during the boot process.

      1. Peter Gathercole Silver badge

        Re: A real loss.

        I can understand there is a place for locked boot loaders in certain types of device. What he (and I) were worried about was the ability to prevent a device you own being used for a purpose that the original manufacturer/OS provider don't want it used for. And on top of that, because of the chain of trust from hardware to application, it could allow data and applications to be controlled by the manufacturer or original software provider to the detriment of the owner of a device. This was clearly his fear in his articles of the time.

        The classic example is the original Microsoft Surface, which for a long time was incapable of being used with anything other than Windows because of the trust model, boot loader and version of Windows installed.

        The worry was a consumer computer environment where Linux and/or other non-approved OSs could be squeezed out. It is only because the organizations controlling the certificates enrolled into the TPM allow a shim loader certificate to be enrolled that certain devices are still able to run Linux. If that is disallowed, Secure Boot is enforced, and the ability to enrol your own certificates is taken away, you're not going to get a non-approved OS to run!

        Progress towards this has slowed, but there are still signs that there is movement. I recall a relatively recent story on The Register about a Lenovo laptop that would not allow Linux to be installed.

        The one thing that is now a mitigation is the rise of more powerful Arm and RISC-V processors able to be used for general computing that are unlikely to have this built in.

  8. Anonymous Coward

    Very sad news

    The lecturer I remember most, and most fondly.

  9. Terrence Bayrock

    A real gentleman

    Had the pleasure of chatting with him over coffee at a security conference several years ago. Very knowledgeable and we hit it off, especially discussing security surrounding medical records and issues therein.

  10. Bear

    Memory Eternal

    Very sad news. Gone too early.

    Ross will be remembered for his passion and keen insight. He was always good to listen to and to speak with.

  11. Anonymous Coward

    Please correct Bruce's surname

    "Bruce Scheiner, another of Anderson's colleagues"

  12. SCP

    Condolences

    I only knew of Ross through his publications, but greatly appreciated the work he did to bring the topic of Computer Security into the public domain. His wider activity as a fearless expert in the field shone a bright light on concerns which many would have preferred not to be known about - and were again of great interest to the likes of me trying to maintain an awareness of the issues that affect important aspects of our lives.

    I have seen several accolades written by those who knew him personally, and this adds to the sense of loss. He leaves a great legacy, and I hope others will be inspired by his life and work.

    My condolences to his family, friends, and colleagues.
