Cybersecurity as Zen Exercise

A little book I wrote a few years ago is The Art of War of Cybersecurity, by Thomas Reynolds. Not just another tips-and-techniques book, it leads you through clear-minded cybersecurity thinking, rather than just telling you about it and hoping for the best as most books do. It is useful for individual review, and also for organizational or group use as a knowledge management tool that helps establish an efficient, productive, shared common understanding and a cybersecurity-aware culture.

From the Preface:

[Image: the book's cover, bright red with mustard gold lettering and a graphic of symmetrically opposed leaping dragons.]

"We have to learn to think like the attackers" is
sometimes said by people concerned about
computing security.  That is an expression of people
inside a box trying to guess what outside-the-box
thinkers might do next.  Cybersecurity is a very
recent field, considered in terms of the development
time lines of more fundamental social and cultural
forms.  The field does not have even a general,
agreed-upon taxonomy.

I have taken seriously various calls for better
cybersecurity thinking, and have brought to bear
upon the task my own—perhaps unusual in this
field—background in thinking about thinking.

The book's Glossary section may be informative to people who are not computing experts.

More information and the book itself are available at (The original URL,, should still work, too.)

Librarians can efficiently find the US Library of Congress classification via the book's Permalink record. In Canada's AMICUS National Library Catalog, the record is here.

A nice scholarly version of the original Sun Tzu Art of War is The Denma Group's translation, which aims to reproduce in English as directly as possible the Chinese of the earliest extant original texts. This is useful for anyone trying to work out for him- or herself the original thinking. Information about this translation is at Background materials supporting the Denma translation, including Chinese content of original texts, are available at

Other Projects

Software (in)security is an extremely important problem in computing. After all, software is what makes hardware do everything it does. After quite a while of seeing and hearing the same repeated, legitimate worries about insecure software, I took a more comprehensive look at that entire ecosystem. I arrived at the opinion that systematic change was needed to achieve the goal that programmers be familiar with how to write secure code. But systematic change is not easy, and can have many unanticipated effects. What I came up with was a definitive proposal that works within currently established systems and is simple to conceptualize. It allows for widespread profitable involvement of diverse stakeholders, plus staged implementation with built-in opportunities for adjustment during both adoption and ongoing functioning.

The essentials of the proposal were stated in my Letter published on page 6 of the December 2010 issue of IEEE Computer magazine, accessible via the December 2010 issue Table of Contents at, or directly at

Simply stated, it is a proposal to institutionalize secure software as an expectation of the system, analogous for example to the expectation in aeronautical engineering that airplanes not crash. The aim is that programmers' basic habits include security awareness from the beginning and in everything they do. This is accomplished simply by requiring that secure coding methods be used in all computer science courses involving programming by computer science majors, and that this be a condition of accreditation of the departments offering those courses. Courses targeted at more focused security knowledge would remain necessary. But any approach less fundamental, uniform, and impartial than requiring basic secure coding everywhere leaves the situation like playing whack-a-mole as problems appear.

After a reasonable amount of time for the requirement and supporting processes to be phased in and for graduates to move into industry, the software ecosystem would contain an expectation that measurable security awareness would at least be in the professional repertoire of college graduates in computer science, and those professional programmers would be role models for all software authors. Communication about security issues would be more efficient and effective as familiarity with the ideas and vocabulary of secure coding could become assumed. All this would bring the field of software development into alignment with engineering in general.

Although the immediate response in the December 2010 issue was positive, I have not seen evidence of significant movement to actually implement that proposal or anything similar. I myself have other personal goals occupying my attention, but the idea stands in case anyone might want to pursue it.

I did lead a session, "Learning Secure Coding in College?", at BarCampAlbany in February 2011, discussing my proposal and seeking feedback about it from the students and programmers there. The feedback was positive. (Barcamps are low-key, ad hoc events: semi-planned, self-organizing conferences for exchanging information about computing and computing-related topics.) Along with many handouts, I included an index list of URLs associated with those handouts. Although not all of the URLs on that list can be expected to still be live, the list and a brief summary of the session are available here, in case it might save a little effort for someone wanting to learn about developing secure software.

Another presentation, later in 2011, was focused on a related problem in cybersecurity: practicing what we preach. It was at the 2011 Symposium on Usable Privacy and Security, SOUPS2011, at Carnegie Mellon University. This was a Lightning Talk, a brief statement of a problem. I began by giving the audience, composed mainly of technical cybersecurity researchers and practitioners, a very quick overview of the fundamental elements of a sociological understanding of the world. I noted the importance of building a consistent, broad social culture for computing and information security if we really want to achieve private and secure experiences for all users. Then I brought people's attention to the lack of secure https web registration for SOUPS2011 itself, which apparently I had been the only registrant to try to avoid. My few slides make more sense with my scripted brief remarks, which are available here.
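The registration problem mentioned above is easy to check for before typing anything into a form. The following is an added example, not code from the original page or from the author: a small offline check that parses a page's HTML and reports every form whose submission would travel over plain http, either because the form action is an explicit http:// URL or because the action is relative and the page itself was fetched over http://. The page URL and HTML below are constructed for illustration; the names conference.example, pay.example and mirror.example are placeholders.

```python
"""
Added example (not from the original page): flag HTML forms whose data
would be submitted in the clear. Nothing here touches the network; the
sample page below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collects the action attribute of every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attr_map = dict(attrs)
            # A form with no action (or an empty one) submits to the page's own URL.
            self.actions.append(attr_map.get("action") or "")


def insecure_form_targets(page_url, html):
    """
    Return the absolute submission URLs of all forms in `html` that would be
    sent over a scheme other than https. Relative actions are resolved against
    `page_url`, so a form on an http:// page with action="register.php" is
    reported, while an https:// page's relative form is not.
    """
    collector = _FormCollector()
    collector.feed(html)
    insecure = []
    for action in collector.actions:
        target = urljoin(page_url, action)
        if urlparse(target).scheme != "https":
            insecure.append(target)
    return insecure


# Constructed sample: a registration page served over http with three forms,
# one of which posts to an https endpoint and is therefore not reported.
SAMPLE_PAGE_URL = "http://conference.example/register.html"
SAMPLE_HTML = """
<html><body>
<form action="register.php" method="post">
  <input name="name"><input name="card_number">
</form>
<form action="https://pay.example/checkout" method="post">
  <input name="token">
</form>
<form action="http://mirror.example/submit" method="post">
  <input name="email">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in insecure_form_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form submits in the clear:", url)
```

The check deliberately resolves relative actions against the URL the page was actually loaded from: a form that "looks" fine in the source can still submit over http if the page itself was reached over http, which is the case the talk was complaining about.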

I have a longstanding interest in formal mathematical sociology, and find it relevant to my cybersecurity interests. A comprehensive basic introduction to this field, written a few decades ago but still valuable, is Mathematical Sociology by Thomas J. Fararo, with whom I once studied.

A different kind of longstanding and presently active interest is the status of time and related questions about optimal conceptual models in physics. This may have relevance to quantum computing, for example, and coheres with work I have begun on temporal logic. I gave a couple of Physics colloquium talks in the USA and Europe in 2010 about time, and presented a poster in September 2014 at the DICE2014 Seventh International Workshop Spacetime - Matter - Quantum Mechanics in Castiglioncello in beautiful Tuscany in Italy. The DICE2014 Proceedings has the paper associated with my poster at; the Proceedings Table of Contents is at

I am also working on a few other projects, mostly related to practical computing problems or to theoretical computer science. One of those led me to a practical, least-effort tactic for dealing with the privacy question of the extent to which one's smartphone or computer cameras are really under one's own control. The tactic is simply to put a piece of cheap, convenient, ubiquitously available, readily removable and replaceable "invisible" scotch tape over the camera lens when it is not being used. I gave a rump session short talk-demo about this at the 2015 Privacy Enhancing Technologies Symposium, PETS2015, in Philadelphia, Pennsylvania, in late June and early July 2015.

And I always enjoy doing a little photography:

Northeast Autumn

A photo looking up through bright yellow, orange, and red autumn leaves of a sugar maple tree, to a clear blue midday sky, in the Northeastern United States in Autumn.

Lake George Shore

A photo looking out to a shining, rippled, blue lake, through tree trunks and leaves silhouetted by the bright sun over the lake, in Autumn in upstate New York in the United States.

Westerwald Germany Abandoned Quarry

A photo of a small pond in an abandoned quarry in the Westerwald, Germany, with brightly lit thin grasses in the foreground at the image sides, lily pads and blossoms behind the grasses in the image middle, and low-hanging dark green tree leaves bordering the back of the pond at the image top edge.

Bulguksa, Gyeongju

A photo of some traditional tiled roofs, both near and distant, in a several-hundred-year-old Buddhist temple area in Korea, during a light, misty rain, the curved shapes and linear forms standing out visually and texturally from summer tree leaves and a high wall made of large stones.

Namsangol, Seoul

A photo of a few traditional structures in an old upper-class housing compound historical park area in Seoul, Korea; visible in the distance, through a roofed gateway in a low stone wall, is a teacher photographing a small group of young children.

Fujisan From Peace Park Temple, Gotemba

A photo of Fujisan (Mt. Fuji) in the far distance, on a hazy summer day, viewed from a relaxed position within an open, paved area of the grounds of a modern Peace Park Buddhist temple in Japan.

Nara Shrine

A photo of a Shinto shrine by a path in the woods at Nara in Japan, the red, wooden components of the shrine dominating the image.

Sendai Train Station

A photo of a salaryman about to decide to enter the more upscale of two small restaurants side by side, with the usual displays, in the main train station in Sendai, Japan, an image in which no faces are quite visible.

© Page and images copyright Thomas Reynolds 2015.

Comments about this website are welcomed and can be sent to tracm2(*the_usual_"at"_symbol*)  Please prefix the email subject line with "WEB".

URL:         This page is always Under Construction.