
Security lessons from Nature – Eyespots

  • April 07, 2009
  • By Josh More
  • In Natural History

Now, butterflies aren’t generally considered to be terrifying.  Nor, unless you were chased by one as a small child, are peacocks.  And, though five of the six ends of a tiger are pointy, the tail is generally viewed as fairly innocuous.

Interestingly, all of these generally harmless examples protect themselves through the use of eyespots.  Butterflies often have them on their wings, so that when the wings are fully open the butterfly resembles a face.  Peacocks have them all over their tails, so that when the tail is fully spread it resembles the eyes of many creatures.  The white spots on the backs of a tiger’s ears resemble eyes as well.

The theory in all of these cases is that an attacker will think they are being observed and halt an attack.  It may only cause a brief pause, but that might be just enough for the eyespotted animal to get away.

The security lesson here is twofold.

First of all, it’s generally a good idea to let an attacker think you’re paying closer attention to them than you actually are.  That way the attacker is more likely to move on to a victim that is a little easier to take on, perhaps one that is paying a bit less attention.  Practically, the technique only works when it takes fewer resources to mount a pseudo-defense than it does to mount an actual one.  This is one of the reasons that fake surveillance cameras are popular: if there are 10 cameras in a place, it’s a lot cheaper for 8 of them to be fake, so long as an attacker can’t tell which ones are which.  It would not make sense to build a fake IDS that detects security incidents and fakes a response, as it would take just as much work to fake the detection and response as it would to do them for real.

The second lesson is that you still have to pay some attention.  After all, attackers aren’t stupid.  If they figure out that the butterfly with the weird eyes isn’t really watching, the butterfly will be lunch if it doesn’t fly away soon.  A distraction technique, whether eyespots or fake cameras, is only good so long as the real eyes and real cameras are also in use.

How can you fake out your attackers?
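One concrete way to answer that question, as an added example that is not part of the original post: a handful of decoy listeners that cost almost nothing to run.  Each one is an eyespot (a banner that says the port is watched) and, because every knock is recorded, each one is also a real eye.  The decoy class, the banner text, the port numbers (chosen by the OS) and the "same source touches several decoys" rule are all assumptions made for this example.

```python
"""Decoy ports as eyespots: cheap listeners that look watched and log who knocks.
Added example; everything here (names, banner, scanner rule) is constructed."""
import socket
import threading
from collections import defaultdict

# The eyespot: what anyone who connects is shown.  Constructed for this example.
BANNER = b"220 monitored gateway - all connections are logged and reviewed\r\n"


class DecoyPort:
    """A listener that costs almost nothing: it accepts a connection, records
    the source address, shows the banner and hangs up."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS pick a free port
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        self.hits = []                        # (source_ip, decoy_port) records: the real eye
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, addr = self.sock.accept()
            except OSError:                   # listening socket closed: stop serving
                return
            with conn:
                # Record the knock before answering, so the record exists by the
                # time the client has read the banner.
                self.hits.append((addr[0], self.port))
                try:
                    conn.sendall(BANNER)
                except OSError:
                    pass

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self.sock.close()


def knock(host, port, timeout=2.0):
    """Play the attacker: connect to a port and return whatever banner it shows."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256)


def scanners(hits, min_ports=2):
    """The attention behind the eyespots: one source touching several decoy
    ports has no legitimate reason to be there and is almost certainly scanning."""
    ports_by_source = defaultdict(set)
    for source, port in hits:
        ports_by_source[source].add(port)
    return sorted(src for src, ports in ports_by_source.items() if len(ports) >= min_ports)


def run_demo(decoy_count=3):
    """Stand up several decoys, knock on each from 127.0.0.1, and report what was seen."""
    decoys = [DecoyPort() for _ in range(decoy_count)]
    try:
        banners = [knock("127.0.0.1", d.port) for d in decoys]
        hits = [hit for d in decoys for hit in d.hits]
        return {
            "banners_seen": sum(b == BANNER for b in banners),
            "hits": len(hits),
            "scanners": scanners(hits),
        }
    finally:
        for d in decoys:
            d.close()


if __name__ == "__main__":
    print(run_demo())
```

The cost asymmetry is the point: a listener that only accepts, logs and closes is far cheaper than the service it pretends to be, and the log of who knocked is the part that keeps the bluff honest.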

Mythic Monday – The Sphinx

  • April 06, 2009
  • By Josh More
  • In Mythology

“Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”

That was the riddle asked by the Sphinx, a creature sent to Thebes by Hera (or Ares).  When the riddle was answered incorrectly, the Sphinx would strangle and devour the challenger.  This went on for a while until Oedipus came along and answered “man”, explaining that “time of day” was a metaphor for “time of life” and that the question refers to the stages of life: a baby crawling, a man walking, an old man with a cane.  After this, the Sphinx (being unable to come up with another clever riddle) promptly killed herself.

Today’s myth is fairly transparently about password security.  The Sphinx made three basic errors that we can learn from:

Question/Answer Pairs

We’ve all seen the “security question” prompts.  They often ask about pets or parental surnames.  Sometimes they ask about special anniversaries.  In any event, if you are moderately findable online, a quick search of genealogy databases or photo-sharing sites can turn up the answers to such questions.  To combat this, you can either hide all information relating to you (search it out online and remove it, visit public libraries and burn all the public records, brain-wipe all your friends)… or you can answer the question nonsensically.  Just because the field says “mother’s maiden name” doesn’t mean that you have to put that in there.  Maybe put in your favorite fruit instead.

Suppose the answer to the Sphinx’s riddle wasn’t “Man”, but “Kiwi”?  Sure, the myth wouldn’t make much sense, and Oedipus would have become dinner rather than king, but the riddle would have been much less guessable.

Short Answer

You know how irritating it is to have to use a password that is “at least 8 characters”?  Well, the reason is that there are people who will try all sorts of different words until they get in.  It’s as if someone in power (like, say, Oedipus) were sending numerous peasants to the Sphinx with random answers.  It would have gone something like this:

  • Sphinx: “Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”
  • Peasant 1:  Umm, (checks list) an apple!
  • Sphinx: Nope.  (strangle) (eat)
  • Peasant 2: How about an eagle?
  • Sphinx: Nope.  (strangle) (eat)
  • Peasant 3: (looks about warily) man?
  • Sphinx: Close, but we just changed the answer in the previous section.  (strangle) (OM NOM NOM NOM)
  • Peasant 4: (reads the previous section).  Kiwi!
  • Sphinx: Drat!  (strangles self and throws body over cliff)
  • Peasant 4: Yay!  I win.
  • Oedipus: (strangles peasant 4) (looks around warily) Yay! I win.

So, the Sphinx manages to survive a bit longer, but is still undone because the answer is short and guessable.  Let’s protect against that by changing the answer from “Kiwi” to “My favorite of all the fruits is the kiwi… the fruit that needs a shave!”  That’d be a lot harder to guess.  Hard enough that Oedipus might even run out of peasants before he gets to it.

Only One Question

Ah, but what if you have an exceptionally smart guesser?  Suppose they know something about the person choosing the password.  Even incredibly long passphrases have to be remembered, so odds are that a little bit of social engineering can be of use.  If we fully embrace anachronism and have a Sphinx who is a Star Wars fan, odds are that the passphrase would appear on the list of 30 Most Memorable ‘Star Wars’ Quotes.  Similarly, if the Sphinx were known to enjoy Shakespeare, 200+ Famous Bardisms might be a good place to start.  The point here is to pre-load the disposable peasants with likely answers, so that Oedipus can hit upon the right one while there is still a peasant left to kill and claim the credit from.
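The three guessing scenarios above (a short answer, a long but famous answer, and a long nonsensical one), plus the “running out of peasants” attempt budget, as an added example that is not part of the original post.  The Sphinx class, the PBKDF2 hashing, the attempt budget and both wordlists are constructed for this example; the Star Wars list is a handful of well-known lines standing in for the full quote list the post mentions.

```python
"""Guessing attacks against the Sphinx's riddle.  Added example: the Sphinx
class, attempt budget and wordlists are all constructed for illustration."""
import hashlib
import hmac
import secrets


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Kiwi' and ' kiwi ' count as the same answer."""
    return " ".join(answer.lower().split())


class Sphinx:
    """Keeps only a salted, slow hash of the answer (never the answer itself)
    and a budget of attempts: the number of peasants Oedipus can afford to lose."""

    def __init__(self, answer: str, max_attempts: int):
        self.salt = secrets.token_bytes(16)
        self.digest = self._digest(answer)
        self.remaining = max_attempts

    def _digest(self, answer: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), self.salt, 20_000)

    def challenge(self, guess: str) -> bool:
        """Return True only for the right answer; every try costs one peasant."""
        if self.remaining <= 0:
            raise PermissionError("no attempts left")
        self.remaining -= 1
        return hmac.compare_digest(self.digest, self._digest(guess))


def guessing_attack(sphinx: Sphinx, wordlist) -> tuple:
    """Play Oedipus: send one peasant per candidate until one survives or the
    peasants run out.  Returns (recovered_answer_or_None, attempts_used)."""
    used = 0
    for candidate in wordlist:
        if sphinx.remaining <= 0:
            break
        used += 1
        if sphinx.challenge(candidate):
            return candidate, used
    return None, used


# Constructed wordlists for the demonstration.
FRUITS = ["apple", "orange", "banana", "grape", "pear", "peach", "plum",
          "cherry", "mango", "lemon", "kiwi", "fig"]
# A guesser who knows the Sphinx likes Star Wars pre-loads the peasants with
# memorable lines (a handful here; a real attacker would use the whole list).
STAR_WARS = ["may the force be with you", "i have a bad feeling about this",
             "do or do not there is no try", "i am your father",
             "these aren't the droids you're looking for"]


def run_demo() -> dict:
    results = {}
    # 1. A short, common answer falls to a tiny wordlist.
    results["short"] = guessing_attack(Sphinx("Kiwi", 100), FRUITS)
    # 2. A long answer that is a famous quote falls to a list built around
    #    what the attacker knows of the target.
    results["famous"] = guessing_attack(
        Sphinx("May the Force be with you", 100), STAR_WARS + FRUITS)
    # 3. A long, nonsensical answer is on neither list; both lists are
    #    exhausted without success.
    nonsense = "My favorite of all the fruits is the kiwi... the fruit that needs a shave!"
    results["nonsense"] = guessing_attack(Sphinx(nonsense, 100), FRUITS + STAR_WARS)
    # 4. The same short answer with a budget of 10: Oedipus runs out of peasants
    #    before reaching "kiwi", which sits eleventh in the list.
    results["budget"] = guessing_attack(Sphinx("Kiwi", 10), FRUITS)
    return results


if __name__ == "__main__":
    for name, (answer, used) in run_demo().items():
        print(f"{name:8s} recovered={answer!r} after {used} attempts")
```

The budget case is the defender’s half of the story: a lockout or rate limit caps how many peasants Oedipus gets, so even a weak answer costs him more than he has, while the slow hash makes each peasant expensive if he ever steals the stored digests and guesses offline.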

A clever Sphinx can protect herself by coming up with multiple riddles.  In the security field we call this multi-factor authentication, which we shorten to “know/have/are”.  To extend our horribly mistreated metaphor, the Sphinx would be highly secure if she required all three:

  1. Something you know:
    • Q: “Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”
    • A: “My favorite of all the fruits is the kiwi… the fruit that needs a shave!”
  2. Something you have:
    • Q: “Do you have the key that unlocks this super special box that I borrowed from Pandora?”
    • A: (peasant offers a herring that has been painted plaid)
      • Remember, the answer should be nonsensical and nontrivial.  A plaid herring covers both requirements in most instances.  Besides, it’s generally best to leave Pandora’s box closed.
  3. Something you are:
    • Q: “How do I know that you are truly you?”
    • A: (peasant shows the Sphinx that birthmark that Oedipus painted on his arm)
      • It’s very difficult to forge the “something you are” check, but it can be done if the verification technology is flawed, be it a fingerprint scanner that doesn’t check body temperature or a stupid Sphinx.

Thus, the only person that could get past the Sphinx would be someone who managed to prove their identity three different ways, which makes it extremely likely that the person allowed through is the one authorized… or someone who has privileged information as to which questions will be asked and which answers are expected.  So, make sure that your questions and answers are reasonably secure, but also make sure that you don’t let anyone else know what they are.  Secrets are only good so long as they are kept secret.

That’s why the Sphinx had to kill herself, you know.
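The three-riddle Sphinx from the list above, as an added example that is not part of the original post.  The knowledge factor is a salted slow hash of the passphrase; the possession factor (the plaid herring) is an HOTP token per RFC 4226, which the post does not mention and which is assumed here as a concrete “something you have”; the inherence factor is modelled, as a simplification, as an enrolled template plus a liveness signal from the reader, so that a painted birthmark matches the template but fails liveness unless the Sphinx is the stupid kind that skips that check.  All class and function names are constructed for this example.

```python
"""Three riddles instead of one: know / have / are checked together.
Added example; HOTP is RFC 4226, everything else is constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: the code a possession token derives from its secret and a counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class BiometricSample:
    """What a reader reports: the feature it measured and whether it also saw
    signs of a live body.  A painted birthmark gives the right template but no liveness."""
    template: bytes
    live: bool


class ThreeRiddleSphinx:
    def __init__(self, passphrase: str, token_secret: bytes, birthmark: bytes):
        self.salt = secrets.token_bytes(16)
        self.know = self._hash(passphrase)    # stored digest, never the passphrase
        self.token_secret = token_secret      # shared with the peasant's token at enrollment
        self.counter = 0                      # next HOTP counter the Sphinx will accept
        self.are = birthmark                  # enrolled template
        self.check_liveness = True            # a "stupid Sphinx" sets this to False

    def _hash(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 20_000)

    def _possession_ok(self, code: str, window: int = 3) -> bool:
        """Accept the next few counter values (the token may be slightly ahead) and
        move past whichever matched, so a code can never be replayed."""
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                self.counter = c + 1
                return True
        return False

    def admit(self, passphrase: str, code: str, sample: BiometricSample) -> bool:
        # Every riddle is evaluated on every attempt, so a failure does not tell the
        # peasant which one was missed.  A valid code is consumed even when the
        # passphrase is wrong, so it cannot be kept for a later, better guess.
        know = hmac.compare_digest(self.know, self._hash(passphrase))
        have = self._possession_ok(code)
        are = hmac.compare_digest(self.are, sample.template) and (
            sample.live or not self.check_liveness)
        return know and have and are


def run_demo() -> dict:
    passphrase = "My favorite of all the fruits is the kiwi... the fruit that needs a shave!"
    token_secret = secrets.token_bytes(20)                          # constructed enrollment
    birthmark = hashlib.sha256(b"constructed birthmark template").digest()
    sphinx = ThreeRiddleSphinx(passphrase, token_secret, birthmark)
    real = BiometricSample(birthmark, live=True)
    painted = BiometricSample(birthmark, live=False)               # Oedipus's paint job
    out = {}
    # Passphrase, fresh code and a live birthmark: admitted (counter moves to 1).
    out["legitimate"] = sphinx.admit(passphrase, hotp(token_secret, 0), real)
    # The same code again: the possession riddle fails.
    out["replayed_code"] = sphinx.admit(passphrase, hotp(token_secret, 0), real)
    # Fresh code, painted birthmark: rejected while liveness is checked (counter moves to 2).
    out["painted_birthmark"] = sphinx.admit(passphrase, hotp(token_secret, 1), painted)
    # A stupid Sphinx that skips liveness admits the painted birthmark (counter moves to 3).
    sphinx.check_liveness = False
    out["painted_no_liveness"] = sphinx.admit(passphrase, hotp(token_secret, 2), painted)
    # Right token and body, wrong passphrase: rejected, and the code is still consumed.
    out["wrong_passphrase"] = sphinx.admit("man", hotp(token_secret, 3), real)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The last point of the post shows up in the token secret: anyone who obtains `token_secret`, the passphrase and a way past the reader is indistinguishable from Oedipus, which is why enrollment material has to be protected as carefully as the answers themselves.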

Copyright © 2013 by Josh More