Josh More – Starmind Blog

I recently picked up Harry Potter 6 on Blu-ray. While I've read all the books, I've generally not been much for the movies. (I prefer the pictures in my head.) However, there is a photographic beauty to these movies that is worth both the time and the money (especially when the box set of 1-5 was on 70% off recently)... so I'm watching them and remembering the stories.

As with most works of art, the easy path to drama is to create a security failure. It makes sense, after all. As a creator, you may have a need to push your characters at time, and the easy (lazy) ways to push a character are to create a situation for them to react to. Thus, viewing the worlds as if they are real is a bit unfair... but on the other hand, nitpicking is fun.

In the world of Harry Potter, there are several security situations. The world of magic has to be kept a secret from all the muggles, the evil people have to be kept out of Hogwarts, and what is kept in Gringotts must stay in Gringotts. In fact, we know that there is some sort of magical muggle spy network, as Dumbledore knows to investigate Tom Riddle prior to his acceptance into Hogwarts. Why this same network can't detect the attack upon Harry by the dementors in book/movie 5 is unclear. Clearly, they need to invest in redundancy for the system.

Similarly, Hogwarts seems to have a surprisingly difficult problem keeping students where they belong. It took until book/movie 6 before they put up a firewall around the school, and even then, attackers manage to encapsulate an attack within a legitimate source (Katie Bell) and also fail to Draco's VPN bypass (terminated by vanishing cabinet). It seems that magic should be able to do better.

In contrast, Voldemort clearly knows a lot about security. He makes backup copies of his soul, just in case something happens (like a backfiring killing curse). Granted, the restoration process leaves a bit to be desired. If he really cared about operational availability, he would have tested the process and avoided that whole 12 year delay issue. (And here I thought 24 hours to deliver backup tapes from the offsite repository was a long time.)

Similarly, given that it's been established that there is a thing called "a trace" that can detect when someone casts a spell. You'd think that they could use the same practice during quidditch matches to prevent the audience from interfering with the play... but they don't. As a result, there are all sorts of amusing and dramatically-appropriate hijinks.

Lastly, in an environment where a bunch of students are awash in teenage hormones AND are constantly playing with potions AND know that love potions exist, you'd think that there would be an emergency bezoar in each dormitory. But there's not.

It would be interesting to see what the world would be like if there were more audit-focused monitoring points, reactive responses points and preventative spells. However, just as in the real world, these sorts of technologies are tempered by the economics of the situation, in the fictional world, there is a trade-off with dramatic tension. Sure, there are a lot of things that Dumbledore could have done to increase the relative safety of his charges, but to do so would have drastically reduced the possibilities for dramatic tension.

This would have reduced the number of books from 7 to likely 1 or 2. In our universe, Dumbledore lives for six whole books. If he had been a more protective head of Hogwarts, Voldemort may have been defeated much more quickly and the series would have been reduced. So, like most people, Dumbledore made a self-interested decision that had ramifications outside of himself. He got to live longer and be in an incredibly popular series of books and as a result, many of his students were placed in some wonderfully dramatic jeopardy.  That's something to consider, I suppose, when there are security decisions that you have to make.

Tags: harry potter

Related posts

• No related posts.

While I am not a psychologist, it's becoming increasingly obvious that a good understanding of psychological issues is an important facet of a full security practice. These themed posts are likely to be incomplete, as I am just exploring some ideas and how they might apply to security.

---

In running through the List of Cognitive Biases on Wikipedia, I ran across the Pseudocertainty Effect. Simply put, this is the tendency of people to emphasize the positive over the negative when faced with a choice. The classic scenarios can be read at the Wikipedia link above and here.

Basically, this means that by phrasing a choice differently, you can guide people into making the choice you want them to. I've seen this used on the sales side of things, but I have to wonder whether it's an intentional abuse of this tendency.

As I see it, this effect is useful to note in both offensive and defensive capacity. On the offensive side, if you're needing someone to make a choice and you want them to take a risk, you emphasize the negative consequences, but if you want them to take a guaranteed path that may be incomplete, you emphasize the positive. For example, suppose you are pitching an idea to management. The idea has a 80% chance of success, but has a $10k cost. If you want them to accept your idea, you need to understand that the natural tendency would be to make the choice that preserves the certainty of saving $10k, rather than risking the 20% chance of failure. Thus, to be accepted, the proposal would need to either eliminate certainty altogether (perhaps tie the cost to averted loss offsets and phrase it as "between zero and $10k, depending on success") or focus on the certainties of the results. Thus, if the 80% projected success rate can be broken down into one set of guaranteed successes and some that are maybe 40% likely, the proposal can focus on $10k for a guaranteed success with a bonus opportunity for further improvements.

On the defensive side, you should be aware that it is natural to think this way and that others will try to exploit your tendencies along these lines. Whenever you are presented with a choice (well, one that matters anyway) you should ask yourself whether it is phrased positively or negatively. Then, knowing that you have a tendency to preserve positive outcomes but take risks to avoid negatives ones, flip the phrasing around and see if the other choice makes sense. If you find that your choice flips with the phrasing, then this bias is in play and you need to think things through more carefully.

Tags: bias, pseudocertainty

Related posts

• Bias Thursday – Déformation professionnelle (0)

We're all busy people. A security sprint should take no more than two hours... which while long for a real sprint, it a mere blink of an eye when compared to the multi-year commitment that is proper security practice.

---

You've probably heard about some of the recent attacks against various websites. The problem here is that if one of the sites you use gets attacked AND they're not encrypting your password AND you're using the same password on other sites, then that one breach on one site can put all your other sites at risk. Of course, if you want to be on the Internet, you have to accept some risk... but it's hard to accept the risk when you don't know it's there. So let's figure it out.

1) Take twenty minutes and make a list of all of your Internet sites in a spreadsheet. Try to remember all of them, not just the common ones. There's a list below to get you started:

2) Go to the login page of each site and click on the "forgot your password?" link. Yes, this will reset your password, but that's the point.

3) Once the new password arrives in your email, look at it. Does it sound like something you'd pick for yourself? If so, there's a good chance that they're not encrypting their passwords properly. Create a "secure" column in your spreadsheet and mark them as "no".

4) If the password arrives and looks random, then they reset your password for you... which probably means that they can't access your password directly. This means that it's probably encrypted in the database. Mark these as "yes" in the "secure" column.

5) There is a drawback to this plan, and that's that all of your passwords will change. Most of the sites that you marked as secure will force you to change your password when you log back in. If they don't, change their "yes" to "no".

6) Now you have a list of all of your sites and know which ones are the more trustworthy. The last step to this sprint is to reset your passwords to something more secure. There are lots of articles and tools out there, and I see no need to add to the pile. All I'll say is that you should pick ones that you can remember and that aren't the same for all sites. If you want to use really complex systems, look into password wallet software.

7) Once all your passwords are changed, and you have an idea of how risky your sites are, you can proceed with your Internet life in relative security.

---

Sites to consider:

• Email: Gmail, Yahoo Mail, Hotmail
• Social: MySpace, Facebook, Livejournal, Twitter
• Professional: LinkedIn, Plaxo, Namez, Zoominfo, Notchup
• Images: Flickr, Photobucket, Smugmug
• Documents: Scribd, Docstoc, Instructables, SlideShare
• Shopping: Amazon, Zappos
• Bookmarking: Delicious
• Video: YouTube, Vimeo

Tags: password

Related posts

• Mythic Monday – The Sphinx (0)

Those of you that have seen the series Planet Earth are probably aware of the glow worm cave. (Those of you that have not have some TV watching to do.) This is a cave full of cute little glow worms that make a light pattern on the ceiling of the cave that is reminiscent of the night stars. It's a beautiful sight to stare up at those little glittering pinpoints of lights.

Of course, that's the tourist spiel. In actuality, the "glow worms" are larval gnats that produce mucus and spin out long threads to entrap moths. When a moth becomes deluded by the mights and becomes trapped in the sticky threads, the larvae pull up the moth and liquefy and suck out their internal organs. After secreting mucus and dining upon moths for up to a year, they transform into gnats whereupon they mate and die... which seems like a lot of work to me, but then, I tend not to be consulted in matters such of this.

However, the lesson here is a good one. Namely, it's probably not worth travelling all the way to New Zealand to visit the the phosphorescent snot worm cave. However, a deeper lesson is that light attracts bugs. (Sure, I could have blogged about the moth and the candle, but then I'd not be able to talk about glow worms.) If you want to know something about the insects that inhabit a cave, just put out a light and see what comes visiting.

We do that in I.T. security to help identify the attackers that are on the Internet. We call them honeypots, which is likely a reference to Winnie the Pooh (I hope), but since I am not (yet) linking children's literature to security, we'll ignore that bit for now. Instead, we'll take a quick look at the value of Lepidopterisy. Just as a scientist can look at the types of moths ensnared in sticky mucusy silk and learn a lot about the ecology cage, a security researcher can examine the malware and attacks found within a honey pot and learn a lot about the sorts of attacks that they may be subjected to.

By creating your own honey pot, you get a chance to deal with attacks before (hopefully) they impact your production systems. However, just like fungus gnats larvae don't ignore the moths that stumble into their "webs" (strings, really), in order for this to be effective, you can't ignore what gets caught in the honey pot either.

Tags: fungus gnat, glow worm, honey pot

Related posts

• Security Lessons from Nature – Autotomy (0)

In case you haven't figured it out, I fall back to blogging about an Aesop fable when I'm stuck for other things.  In this case, I am stuck underneath a cat and all of my mythological references are about half a meter out of reach. Luckily, many of Aesop's fables are available online. Like, for example, this one.

In this story, a sleeping lion is startled awake when a mouse runs across his nose. Looking all around for whatever woke him up, he checks all over his cave and finds nothing. A fox observes this behavior and, knowing that he can outrun a sleepy lion, makes fun of him for being afraid of a mouse. Attempting to safe face, the lion claims not to have been afraid, but more affronted by the bad manners.

As usual, Aesop completely missed the point of his story. Instead of being a droll observation of class structure of ancient Greece, it's obviously a better lesson for dealing with initial network probes. Probes are a fact of life on the Internet. All sorts of attackers on the Internet want to take over your systems. The first step is to send out a small probe and uncover various things about the potential targets. This is part of what firewalls are supposed to prevent.

A lion needs a few things as it sleeps. Air, probably being the most important. However, if it wishes to stay asleep, it helps to have a way to keep the mice out of the lion cave.

As an aside, I personally question how common it was for lions to sleep in caves. Modern lions don't seem to do this... though perhaps that has less to do with lion slumber preferences and more to do with a general lack of caves in subSaharan Africa.

So, if you have a lion that wish to keep vermin-free, it would help to put up some sort of chicken wire fence over the "cave", thereby allowing in air and preventing mice (and rats... it's a twofer!). In much the same way a firewall keeps out known malicious traffic so your servers can crunch their numbers in piece. Admittedly, our firewalls block worms. Worms are smaller and trickier than mice, which is why the firewalls are more complex and expensive than chicken wire.

Running without a firewall would be like trying to coax a lion into sleeping while they are being trampled flat by a veritable cascade of members of the family Muridae.

Tags: fable, firewall, fox, lion, mouse

Related posts

• Mythic Monday – The Aging Lion and the Fox (0)
• Mythic Monday – Aesop: The Dog, The Rooster and the Fox (1)