One of his most memorable works, in my mind, is this masterpiece of an extremely polite yet absolutely scathing letter in response to attempts to get the university to censor inconvenient security research: https://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf
I always think back to this radio 4 interview [1] on the same topic when I think of Ross Anderson. Muttering "porky pies" at the end of the interview as it is claimed that this fraud has never actually been used.
Ross was one of the most influential people in my time at Cambridge, someone of whom I was very fond and whose work I still follow over a decade later. I am deeply saddened to learn of his passing.
His dry sense of wit and humour, his uncompromising pursuit of injustice and his loathing of foolhardy decisions made by the political or moneyed elites were evident in all he did and said. Misunderstood by some, I came to respect most his tenacity; at fighting the big guy – and, more often than not, prevailing with his typical grit, logic and determination. His work continues to inspire, especially since three decades after he founded the field he would go on to be recognised for internationally, in many business and industrial circles we are still making the same basic security mistakes, driven by the same flawed economic models as Ross predicted. His work is timeless.
When he spoke, I listened, and on those rare occasions he complimented my work, I did not take that for granted. It is a regret that I did not take the opportunity to do a PhD with him. Rest in peace.
This was really sad news; his Security Engineering probably did more than any other single textbook to influence my career and making me a better engineer in the process.
All the examples of bright people having made systems which turned out to be more brittle than the designers assumed really drove home the point that even 'simple' tasks are HARD.
As a close personal friend of Ross and a fellow Computer person, I know he would like everything you have said about himself and his huge contribution to Computer Science.
Both the positive and negative comments would make him smile, He knew and we often discussed late in to the night over a glass of red wine or two, his and others work, always interesting and always on point.
He was especially pleased if something he had written or commented on made someone else react. His view was 'well there talking about it now!'
My favourite moments were when he'd ask me over to stay and we'd sit late into the night discussing anything and everything.
I miss you already old friend.
My love and thoughts tonight are with his wife Shireen, his daughter Bavarni and his grandchildren.
I spent the afternoon yesterday (Wednesday) with Shireen and the whole family, joining us was Robert Brady another life long friend. Shireen and their daughter Bavarni obviously upset were the epitome of grace and calmness as one would expect from such a wonderful family. Ross would have been very proud of them!
Sorry for your loss. Just met him vicariously and watched his first "Security Engineering Lecture 1" and I miss him already. He seems like a genuine soul.
I just want to note here just how important Ross Anderson was, not just within the UK digital community, but globally. He was the model of a politically and socially involved computer scientist -- when I first heard of him in the 90s, he was doggedly trying to point out that the then security protections against ATM (cashpoint) fraud were too weak, and that the banks were blaming customers for leaking their PIN codes when in fact, those codes were eminently crackable.
After that, he was /the/ key figure in fighting restrictions on cryptography in the UK, putting together a coalition of CS experts in founding the Foundation for Information Policy Research, and then becoming one of the key (informal) advisors to the Labour party. As a gruff, Scottish socialist, Ross was tailormade to act as a counterbalance to the United States' heavy lobbying of the Blair administration to tow the line on making usable crypto illegal outside of the United States.
That had a global effect: opposition in the UK, at the time the US's strongest ally in many policies, limited the ability for the crypto restriction regime to spread. (After many years, it's notable that the main countries passing crypto restrictions during this period were those /furthest/ away from US support, rather than closest -- France, Russia, etc.).
FIPR and its successes spawned a strong, and experienced digital rights community in the UK early on. It was Ross and Caspar Bowden (who also sadly passed away far too early) who were crucial in encouraging this group to work with others in Europe to form EDRi, which remains the core of digital rights advocacy in Brussels. If you've ever wondered why the EU occasionally comes up with good cyberlegislation, it's because of the influence of EDRi -- and that coordination came from Ross and Caspar recognising that the real decisions were being made not in the UK or the US, but in the growing work of the European Union.
But at the same time as doing this political work, Ross was also building the foundations of a serious cybersecurity approach. He applied political, economic and social aspects to computer security models: his early writing on /where/ to put the liability for computer security flaws are still influencing approaches to legal liability now. He drew deeply from the actual use of technology: my favourite memory of him is him explaining how the Irish Republican Army actually passed around secrets under the nose of the British Army to a somewhat amazed BBC journalist.
Ross' high reputation allowed Cambridge University to lure Microsoft funding for their infosec department. The results of that collaboration indirectly led to CHERI, a capability-based security system designed by some of the brightest minds in the UK and beyond, and still for many of us the great hope for truly robust digital security.
Recently, Ross was still working on the cutting edge: the other week, Cory Doctorow pointed me to a paper he co-authored recently on how ML models might collapse in the face of ingested ML-generated content. When I devoted a chunk of a lightning talk to him at EthDenver, a prominent Filecoin ecosystem participant came up to me afterwards to thank me for highlighting Ross' work, as he had been instrumental in supporting her early career.
Ross was grumpy, unforgiving, a blistering writer of flaming emails, and sometimes oblivious of the effect his disapproval could have on others. But he pursued and achieved singularly useful advances in the field of information security, and in the wider, messier world of digital rights and global politics. He was mad at Cambridge for forcing him to retire at 67, and he was right -- not just from a political point of view, but from the truth that he still had so much to give. He died too soon.
This is a great summary. A huge loss, especially in the public arena, where the combination of vast expertise, academic authority, and the courage to speak truth to power is too rare.
He was also a gifted communicator - both his lectures and books were not just filled with insight, but compelling to watch or read, in stark contrast to much academic work.
Ross Anderson embodied a lot of positive principles in the security community. His book on Security Engineering (2nd edition is the biggest book on my bookshelf) patiently laid out principles of good security design, and tied it to examples in the real world for designs and bugs. Releasing old editions for free was the cherry on top for making his knowledge available to others.
Very sad to hear this. I remember emailing him about a newbie question I had about a topic in his Security Engineering book, and he responded very kindly with a detailed explanation that corrected my misunderstanding. Which was really lovely of him. A genius and a gentleman. Rest in peace, my condolences to all who knew and loved him.
I still remember an undergrad group project at Cambridge where we were in the Computing Lab discussing how we were going to build an online voting system - I said "We can worry about security later...." only to hear a deep Glaswegian brogue behind us "Oh Really?! Tell me more...." as we all turned around in horror. LOL
Very sad to learn of his passing. I came across his work after Bruce Schneier posted a link to a pre print of Ross’s Security Engineering tome. His clarity of thought and effortless navigation through this complex landscape has been inspiring.
Also discovered subsequently his fondness for traditional pipe music and that he busked in his younger years.
A great person - may others bear the light that he brought.
Ross Anderson was indeed a giant, not just in computer science, but also in his work on the politics and ethics of the influence of computing in our lives. The world is lessened by his passing, but his work lives on in those he has inspired.
I am a student of a professor who was a student of Ross Anderson. I learned a lot from security engineering books and his papers, and I'm saddened to hear of his passing.
22+ odd years ago I emailed Ross out of the blue. At the time I was working at a small startup attempting to build mobile banking infrastructure for rural poor in South Africa and elsewhere. I was after a copy of a paper he had mentioned in a talk and Ross replied with a blunt to the point email about how hard he thought the problem domain we were trying to tackle was (along with a pointer to the paper I had asked about). I remember being slightly annoyed by the initial tone of his response, but it got me thinking - then thinking a lot more. There were some very well thought out reasons behind his arguments. I replied a few days later with a detailed list of how we were addressing his concerns along with some others he hadn't mentioned but also acknowledging the areas we needed to dig into further. I didn't really expect an answer, after all, I didn't know him, but he had got me to think hard on key problems and I wanted to acknowledge that.
We got a lot more than a simple reply. We got his focused feedback, constructive criticisms, pointers to other work he thought was relevant, general support, some key follow up conversations on the phone, followed by introductions to folks he knew in industry who he thought could help (who would have never entertained us at that stage otherwise). While the startup eventually didn't make it, many of the ideas we worked on did. Of the folks that we met through that whole adventure, Ross was one of the standouts. Yup, he was very good people indeed and will be sadly missed!
This deserves a black bar. He was a pioneer in computer security and was essential in kickstarting the important field of security economics. So sad to hear about this.
Ross Anderson is a giant, but the discourse about whose passing does or doesn't merit the "black bar" is --- unintentionally, in virtually every case! --- toxic. You can mail hn@ycombinator.com with the suggestion. I share your sorrow, regardless.
