The Page of Spaf's Analogies

Prof. Gene Spafford is a pioneer in information security. He is also notorious for his use of analogies to explain concepts from information security and other areas of computer science. This page attempts to document all such analogies. I request you to submit any you may know of that aren't already on this list. Some examples of sources are: personal communication with him, his books, his papers, speeches or talks by him, and press reports that quote him.

Note: These are analogies. Interpret them out of context at your own risk. Also, this list is maintained by me and I am solely responsible for its contents. Not Purdue University, not CERIAS, not the Computer Science Department, not COAST and certainly not Prof. Spafford.


Please email me. Please include as much of the following information with Spaf's analogy as you can: your name, your URL, source of the analogy (such as one of those mentioned above) and a URL with the analogy.
  1. "It's investing in sponges to clean up around where the dike is leaking."
      1. Wired News
  2. "It's sort of like in the days of Ralph Nader discovering that cars blow up and don't have seat belts - and the government is responding by making a huge investment to put officers on the highways to catch speeders."
      1. Wired News
  3. "It's like being pecked to death by ducks."
      1. Wired News
  4. "It's like getting into a relationship with no intention of going long-term. That's okay, provided you're upfront about it."
      1. Personal Communication
  5. "People in general are not interested in paying extra for increased safety. At the beginning seat belts cost $200 and nobody bought them."
      1. MSNBC News
  6. "If an auto vendor put in more horsepower instead of brakes, after a person crashed, they'd be sued."
      1. MSNBC News
  7. "Usenet is like a herd of performing elephants with diarrhea: massive, difficult to redirect, awe-inspiring, entertaining, and a source of mind-boggling amounts of excrement when you least expect it."
      1.   In"Gene Spafford's Departure (from USENET.)"
  8. "By analogy, the approach taken in 2281 is akin to banning the development and sale of automobiles to curtail drunk driving, or criminalization of the sale of paper and ink to prevent the possibility of libel."
      1. WIPO Letterto members of the Congress
  9. "Like the Spaniards bringing smallpox to the Incas."
      1. The Washington Post
  10. "...the government orders a hundred cigarette smokers, chosen at random, to be beheaded on live nationwide television. The result might well be that many hundreds of thousands of other smokers would quit cold turkey, thus prolonging their lives. It might also prevent hundreds of thousands of people from ever starting to smoke, thus improving the health and longevity of the general populace. The health of millions of other people would improve as they would no longer be subjected to secondary smoke, as the overall impact on the environment would be very favorable as tons of air and ground pollutants would no longer be released by smokers or tobacco companies."
      1. In"Are Computer Hacker Break-ins Ethical?"
  11. "By analogy, stealing cars and joyriding does not provide one with an education in mechanical engineering, nor does pouring sugar in the gas tank."
      1. In"Are Computer Hacker Break-ins Ethical?"
  12. "Arguing about the significance of newsgroup names and their relation to the way people really think is equivalent to arguing whether it is better to read tea leaves or chicken entrails to divine the future."
      1. In"Gene Spafford's Departure," contributed by GeneSpafford
  13. "Using encryption on the Internet is the equilvant of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench."
      1. In"Quotes Concerning Computers and the Internet."
  14. "Secure web servers [cryptographically enabled web servers] are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police."
      1. In "Web Security and E-Commerce," anonymous contribution
  15. "You're proposing to build a box with a light on top of it. The light is supposed to go off when you carry the box into a room that has a Unicorn in it. How do you show that it works?"
      1. At Kevin's qualifying exam
  16. "Conducting research towards a PhD is like rowing a boat towards a harbour. You don't know what lies on the other side of the harbour. There could be dragons, or there could be nothing."
      1. Personal Communication
  17. "It's like someone reading the newspaper expresses concern over the rising incidence of lung cancer, so he decides to  start smoking 3 packs a day of unfiltered cigarettes.  When asked why, he points out that they're cheaper if purchased without filters."
      1. In emailto a mailing list
  18. "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted."
      1. In emailto organizers of a workshop on insider misuse
  19. "Most organizations are like Ukranian dolls - each inside has another inside."
      1. In emailto organizers of a workshop on insider misuse
  20. "Many environments don't have a well-defined perimeter - they're like Klein bottles: everything is both inside and outside."
      1. In emailto organizers of a workshop on insider misuse
  21. "Perimeters that allow arbitrary content, VPNs and SSL connections, et al. though aren't really perimeters any more than a state line through a cornfield is an obvious border."
      1. In emailto organizers of a workshop on insider misuse
  22. " like saying that we are only going to look at Intrusion Detection systems that detect right-handed intruders."
      1. During panel discussion on insider misuse at the RAID'99 Workshop
  23. " like saying that we want you to fireproof our fireworks factory, but the walls of the factory are made of cardboard and you are allowed to smoke."
      1. During panel discussion on insider misuse at the RAID'99 Workshop
  24. " like going over to the other room and hitting them with a hammer."
      1. During panel discussion on insider misuse at the RAID'99 Workshop
  25. " as though we have got a hammer, and we are pounding on everything."
      1. During panel discussion on insider misuse at the RAID'99 Workshop
  26. "...consider McDonalds -- it is fast, cheap, and used by millions.   However, it also contributes to obesity, heart disease,  and (arguably) deforestation."
      1. In emailabout Windows supplanting other operating systems in Universities
  27. "...consider cigarettes -- giving the people what they want may be killing them."
      1. In emailabout Windows supplanting other operating systems in Universities
  28. "Architects cannot learn to design grand cathedrals if they are taught all their drawing courses using only an Etch-a-Sketch because the company struck a deal with the university..."
      1. In emailabout Windows supplanting other operating systems in Universities
  29. "...spousal abuse [in which] one person gets regularly beaten by the other, yet won't leave because of some sense of loyalty. The bond is often only broken by death."
      1. In emailabout Windows supplanting other operating systems in Universities
  30. "If you start a fire without intention to cause harm, but it burns down someone's house, you get charged with arson. "
      1. In emailexchange about what constitutes a crime
  31. "If you hit someone without intending permanent damage but he falls and hits his head on a sharp object, you can be charged with manslaughter if he dies."
      1. In emailexchange about what constitutes a crime
  32. "As a doctor, you don't have to give someone a case of diphtheria to learn how to cure it."
      1. At CERIAS inaugural colloquiumwhile speaking on teaching attack exercises in the classroom, contributed by Ben Kuperman
  33. "Progress in cutting a diamond is made not by polishing each individual facet to a perfect gleam, but in exposing each facet one after another. The whole gem must be revealed before its value can be discerned."
      1. Personal Communication as part of advice on conducting research towards a Ph.D
  34. " have thrown a pebble into the pond and the ripples are going to go much further than you could possibly ever tell."
      1. In profilearticle in Information Security magazine from 1999
  35. " searching for scraps of food, in a grungy dark room, full of psychotic people, like my graduate students, at least one of whom is in the audience right now..."
      1. During keynotetalk at ISOC's NDSS 2000, in revisiting Y2K issues
  36. "...some (Y2K) books were alarmist, something like the 'Dummies Guide to the Holocaust'..."
      1. During keynotetalk at ISOC's NDSS 2000, in revisiting Y2K issues
  37. "(Authenticated, yet malicious code is) like an intruder, that shoots you in the knee caps, sexually assaults you, ransacks your house, and then leaves a business card..."
      1. During keynotetalk at ISOC's NDSS 2000, in discussing mobile code
  38. " buy a car, and say that you don't care if it is made of cardboard or has any brakes, so long as it is cheap..."
      1. During keynotetalk at ISOC's NDSS 2000, in discussing software reliability
  39. "Those of us in security are very much like heart doctors -- cardiologists. Our patients know that lack of exercise, too much dietary fat, and smoking are all bad for them. But they will continue to smoke, and eat fried foods, and practice being couch potatoes until they have their infarction. Then they want a magic pill to make them better all at once, without the effort. And by the way, they claim loudly that their condition really isn't their fault -- it was genetics, or the tobacco companies, or McDonalds that was to blame. And they blame us for not taking better care of them. Does this sound familiar?"
      1. In acceptance speech for the NCSSA award at the 23rd NISSC in 2000, contributed by Rajeev Gopalakrishna
  40. "Trying to extract useful information from the Internet is like trying to sip from a firehose."
      1. Contributed by Chris Welch