This is a testable assertion.
I've met a bunch of people in data security in the last few years. In fact, I do know one with a math degree and he's very sharp.
But I still think the premise is ridiculous. Math proofs are tall towers of lemmas and theorems existing in an insulated universe.
Logical and rational thought are critical, yes, but in real world security you must be very careful not to build your towers that high. Instead you need a defense-in-depth strategy, one which assumes at least some of your assumptions are going to be violated on a regular basis.
Seen in a crypto paper:
* An attack on [cryptographic primitive] A implies an attack on [cryptographic primitive] B.
* B is not the subject of this paper.
* Therefore, A is proven secure.
The problem is when cryptographers say something is "proven secure" it turns out not to mean that nobody can hack it, especially in an actual deployed system.
This is surprising to many people.
Folks without a strong math background, expecting to learn how to tweak file permissions or domain controllers or something, were in for a rude surprise when we cracked open a textbook that consisted of mostly Greek letters and pages of proofs and lemmas.
But having studied some hard maths in my undergrad, I walked away with a feeling I couldn't shake that much of it was form over function. We spent weeks showing proofs of very simple security circumstances, "atomic changes to an access control list are provably secure", and then summed it up with "anything more complex than this, like nonatomic changes to an ACL, are provably insecure".
And that was that. I came away very disappointed in the field as a whole, that instead of spending time pragmatically finding ways of improving security in an applied sense, we were spending an inordinate amount of time cranking through higher level maths that just showed the whole thing was hopeless in the end anyways.
Typical example: Require users to change a password once/month and there's a maximum of one month's time when a password thief has access to an account. True enough. So what do users do (and let's throw in a requirement for at least one capital letter, at least 1 digit, at least one symbol, 9 character minimum)?
Month 1: Charlie1!
Month 2: Charlie2!
Month 3: Charlie3!
Month x: Charliex!
Meanwhile, formulations for password security that strike a reasonable balance between security and usability (and thus actually get used) are rejected immediately because of mathematical edge cases.
Here's my formulation for a balanced security approach for home users:
"Use a password manager to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password."
I can think of quite a few edge cases where this system will fail. Keystroke logging is the most obvious. In actual practice, there has not yet been a case of a password database being breached due to keystroke logging the master password (at least not among the market-leading password managers).
In actual practice, taking into account human factors, this system is more secure than that practiced by the vast majority of end users. And far more secure than rotating Charliex! passwords.
How would you know if this had happened?
And please - if anyone is aware of even a single known case among these 4 market leaders, please tell us about it.
There's also "hidden back door" risk. Programmers may code in means to get at data for code testing or government sharing purposes, which the security people may or may not fully understand.
I guess you could call these unwarranted assumptions (that insiders are always honest and that no back doors exist or are fully known if they do), but they don't seem amenable to mathematical modeling.
No idea what can get you to land in this zone (training or otherwise) but if you do fall in one you tend to be very good at whatever it is your brain is wired for.
I guess he might be on to something. Every philosopher I have ever read has always treated assumptions in a willy-nilly manner. Not to mention any decent legal opinion.
Good security requires critical analysis. The same thing can be said for jurists, inventors, supply-chain logistics...etc.
What a surprise the math guy thought math people have such insight. What's that saying about carpenters and their hammers? At least carpenters don't go around telling everyone that everything is a nail...
People just occasionally don't use the system correctly: that isn't the fault of the system (in terms of security).