Taken before his time. But I've noticed - getting older myself - those looked up to are disappearing as old Father Time catches them.
I'm no spring chicken (in my 50s) either.
Venerable computer scientist and information security expert Ross Anderson has died at the age of 67. His family broke the news to Anderson's friends and colleagues at the University of Cambridge, where he worked as a professor of security engineering and senior research fellow at Churchill College. He passed away unexpectedly …
How fit are you?
I've only just found out that Ross died (bummer - he was always an interesting, if highly opinionated, bloke), but he was looking very tubby last time I saw him (8 months ago) so keeling over, presumably of a heart attack or stroke, is not a huge surprise. Sitting in front of computers all day is not good for any of us, and some preventative measures can go a long way to actually reaching retirement age.
Maybe he did it just to annoy the University :-)
The debate at Cambridge around forced retirement is a bit more nuanced than just getting rid of old(er) people who are cluttering up the office. It's about giving opportunity for fresh blood to enter the workforce. If no-one's leaving, how can a newbie get their foot in the door?
A healthy organisation has a broad mix of ages, genders, abilities, skills, experience, etc. Cambridge admits its higher ranks are too full of old(er) men. Forcing people to retire at 67 is one way to make room for fresh blood. But it does mean you lose people with decades of experience which is highly valuable.
There is no simple, perfect answer.
The debate at Cambridge around forced retirement is a bit more nuanced than just getting rid of old(er) people who are cluttering up the office. It's about giving opportunity for fresh blood to enter the workforce. If no-one's leaving, how can a newbie get their foot in the door?
Fresh blood and newbies wouldn't and shouldn't be expected to 'enter the workforce' at senior research levels or professors, unless they were exceptional students. Those senior posts should be a meritocracy, especially in an academic environment. This is one of those 'controversial' topics Anderson would argue about. Plus it's a security engineering department. If one cannot work out a way to create a vacancy and get a foot in the door, it is probably not the department for you.
No, they shouldn't. However, you might have considered that for anyone other than a newbie to attain those levels, they must already be in a lesser existing post. If the people at the top aren't making way for the people one level below them, the lesser posts also remain full. And thus it proceeds all the way to the bottom, where newbies can't gain an entry level position to get on the ladder because those positions are already filled by people who have been unable to get promoted out of them. Which is the OP's point, that you completely ignored.
There are a couple of points Ross would make. First is that a retirement age of 67 prevents someone from taking on a 5 year research grant at 62.1, since the conditions of the grant mean you must have employment for the duration of the grant. That is a major impediment to a research career, and why Ross took up a post at Edinburgh which has no specific limit.
The other is that there is no actual evidence for such a policy having the effect of younger people getting advancement faster. Ross had numbers on this.
Before reading your post I had been thinking that I recall various professors emeriti floating around, still enjoying themselves and probably making useful contributions, so I was unsure that retirement from official administrative responsibilities would have much effect, but the issue you raise about grants more than clarifies that uncertainty. Thank you.
Disagree. I think pay should taper off though towards retirement and provision by pension companies should allow for this. The trouble with older folks in senior positions sticking around isn't the space they take up. It's the money they cost.
If it was possible to start tapering off pay at say 50 and taper in pension while still working, it would be less of an issue.
The trouble with older folks in senior positions sticking around isn't the space they take up. It's the money they cost.
That's only an issue if you're stacking dead wood. Another issue is this comment from the OP-
A healthy organisation has a broad mix of ages, genders, abilities, skills, experience, etc. Cambridge admits its higher ranks are too full of old(er) men.
Which is the DEI bollocks. Equality says everyone's equal, but DEI says you need a 'broad mix', which implies differences. So get rid of the old(er) men to fill quotas. Which is back to the way academia should be a meritocracy. Anderson wasn't exactly old for academia, which makes his passing all the more sad. He was also hugely respected, and attracted a lot of students, funds and PR to his department and university.
Which is how it probably should work. Once upon a time there were a bunch of academics who wanted to do things differently, so they left Oxford, settled in the swamps and Cambridge was born. And then steadily expanded, adding new colleges as its academics convinced wealthy patrons to part with their cash. Colleges aren't necessarily limited by their capacity or salary, they're limited by the ability of their fundraisers to bring in the money & students to expand. If academics aren't bringing in the money, because they aren't performing, just fire them.
It's not that simple.
Most UK academics of Ross Anderson's generation have tenure. Firing them is close to impossible.
The younger generation of academics rarely get tenure. Many are on short-term contracts (3-5 years tops) tied to research grants. When their research money dries up, they're automatically out of a job. There's no need for a university to fire them or even pay redundancy.
The younger generation of academics rarely get tenure. Many are on short-term contracts (3-5 years tops) tied to research grants. When their research money dries up, they're automatically out of a job. There's no need for a university to fire them or even pay redundancy.
Yep, that I think is a different problem. So figure on teaching. UK students get charged £9,250 a year. Figure on say, 10% of that going towards teaching staff costs and £50k salary, you'd need >50 students to pay one teaching position.. and the students wouldn't get much tuition with class sizes that large. I've no idea what UK universities' overheads are like, but I've seen plenty of reports that suggest they're rather bloated with overheads. So to improve funding, fees have to increase.. which then hammers students.
Then as you say, there's the research side, and I've heard plenty of horror stories around that. Like researchers being charged for lab and other services, the costs for those being constantly hiked to cover University overheads leaving not a lot of money to do the actual research, or pay the researcher.. Especially when in some fields, lab, materials or even just energy costs are high. So a rather wicked problem to try and solve. Personally, if I were ever to become rich and shameless, I'd love to be a patron. I've always been fascinated by what lies beneath, so been pondering using geophysics, photogrammetry and earthquakes to semi-passively create a 3D model, and find me a proper man-cave. But much as I'd love to dump that onto a post grad, I can't afford to sponsor one. But maybe with an online crowd-funding or online patronage system, researchers could get paid. Especially if governments also included nice tax breaks.
Easy enough to find, but since I already have it open in a tab: Security Engineering, 2nd ed.
I first became familiar with Ross Anderson in the early 2000s with his work on Serpent.
The summary being it lost out to Rijndael in an AES competition, despite the fact Serpent was more secure. I think the reason it lost was along the lines of it was slower than Rijndael but at the time they were using something like a 200 MHz Pentium to benchmark, since that was common hardware at the time. He wrote quite a long explanation which essentially said in the future that would no longer be an issue because - like many others - he knew 200 MHz Pentiums would be surpassed very quickly. He was ahead of his time and had done a proper job - it was (and still is) impressive.
The pages about that project are still on his Cambridge personal website. As far as I know the code for Serpent was GPL'd and publicly available for others to use.
The AES spec determined that all entrants would use a 128 bit block size and up to at least 256 bit key size. I believe Rijndael did offer larger block sizes but once it became AES that feature was dropped.
At the time, encryption was very CPU heavy. No custom functions in mainstream CPUs like today. We sold quite a few nCipher cards to customers wanting to run VPNs and suchlike. Limited use cases for them these days.
I haven't much to add to the excellent obit (thanks Connor), except to +1 that Security Engineering is an absolutely essential book for the shelves of anyone with even a non-professional interest in infosec; and to note that one reasonable proxy for measuring his significance might be the number of times he was involved in stories reported here on the Reg.
(Sadly and inappropriately, I can't get DuckDuckGo to do the equivalent of the chocolate factory's "site:.." flag.)
https://www.google.com/search?q=%22Ross+Anderson%22+site%3Atheregister.co.uk
Startpage will do it without blabbing to G°°gle:
https://www.startpage.com/sp/search?q=%22Ross+Anderson%22+site%3Atheregister.co.uk
There are more hits with the term site:theregister.com, too.
Security Engineering was - I think - my second ever purchase from a still burgeoning online book store named after a famous big forest. July 2001. One of those rare items you get disproportionately excited about receiving. Like a kid lusting after a toy for months finally waking up on Xmas day. Over the next few weeks poring over it, studying every page and following numerous references, a kid hacker turned into an adult proud to now call a contentious hobby an 'engineering profession' and with a much, much broader perspective on the subject.
He's left a huge legacy. I'm sure I'll be stumbling upon his papers and enjoying them for decades to come.
My condolences to his family, and all who knew him personally.
Ross was really special - he gave no quarter to politicians or PR journos whose arguments and defences were filled with "special pleadings". All of us in the security community are going to miss him and his generosity with ideas. He could truly inspire great insights. One of his greatest gifts was in how he negotiated with Wiley, his publishers, so that his book Security Engineering is not locked away in a copyright ghetto. Instead earlier editions are available to freely download and the current edition has a limited life as a premium publication. His lectures contained infectious humour. I commend to everyone his fifteen lecture series which he made available during lockdown to everyone who was interested in these topics via the web.
I first noted his work when he first talked about Palladium/Next-Generation Secure Computing Base, which is not-so-slowly finding its way into mainstream computing devices.
He predicted what we are seeing now with locked boot loaders and the ability of manufacturers to prevent 'unauthorized' software running on a system years before it actually started happening.
Considering he was only a few years older than I am now, it makes me think both of how little I've achieved in comparison, and of my own mortality.
I can understand there is a place for locked boot loaders in certain types of device. What he (and I) were worried about was the ability to prevent a device you own being used for a purpose that the original manufacturer/OS provider don't want it used for. And on top of that, because of the chain of trust from hardware to application, it could allow data and applications to be controlled by the manufacturer or original software provider to the detriment of the owner of a device. This was clearly his fear in his articles of the time.
The classic example is the original Microsoft Surface, which for a long time was incapable of being used with anything other than Windows because of the trust model, boot loader and version of Windows installed.
The worry was a consumer computer environment where Linux and/or other non-approved OSs could be squeezed out. It is only because the organizations controlling the certificates enrolled into the TPM allow a shim loader certificate to be enrolled that certain devices are still able to run Linux. If that is disallowed, Secure Boot is enforced, and the ability to enrol your own certificates is taken away, you're not going to get a non-approved OS to run!
Progress towards this has slowed, but there are still signs that there is movement. I recall a relatively recent story on The Register about a Lenovo laptop that would not allow Linux to be installed.
The one thing that is now a mitigation is the rise of more powerful Arm and RISC-V processors able to be used for general computing that are unlikely to have this built in.
I only knew of Ross through his publications, but greatly appreciated the work he did to bring the topic of Computer Security into the public domain. His wider activity as a fearless expert in the field shone a bright light on concerns which many would have preferred not to be known about - and were again of great interest to the likes of me trying to maintain an awareness of the issues that affect important aspects of our lives.
I have seen several accolades written by those who knew him personally, and this adds to the sense of loss. He leaves a great legacy, and I hope others will be inspired by his life and work.
My condolences to his family, friends, and colleagues.