
Angry Birds and Security

  • At December 14, 2011
  • By Josh More
  • In Business Security

There are many exciting projects going on at my new company, so when I started this post I thought I might talk about the new security website we’re building or how we’re expanding our security offerings in 2012. But then I realized it’s December and December blog reading should be fun… so you get a post about improving your security with strategy lessons taken from Angry Birds!

In the world of Angry Birds, we have a small group of birds that are serially preyed upon by a kleptocratic monarchy of green pigs. In this world, the pigs steal the birds’ eggs and hide them in poorly-constructed shelters while the birds fling themselves at the pigs in efforts of destruction. Despite this vicious onslaught perpetrated by the birds, the pigs continue in their egg thievery, thereby allowing for a continuing series of episodes.

Clearly, there is room for improvement in terms of both offense and defense.

The Pigs

Let’s start by analyzing the Pig Empire. Their goal is to obtain eggs. It is implied they are for eating, raising the uncomfortable question as to where the pigs get their bacon. However, they are inefficient. If they were to take a lesson or two from real-life attackers, they would change their operations in the following ways:

1) Preparation

The root of their constant downfall is that they expend insufficient effort on shelter construction. Even a cursory inspection of history would indicate a high likelihood of retaliatory avian attack, so it would be wise to prepare. The average shelter is shabbily built and falls to a mere handful of birds. If the pigs focused on quality over quantity, they could invest in sturdier materials and protect far more pigs. Building defenses prior to egg theft would result in a much more successful attack as well.

2) Planning

Another problem facing the pigs is that the birds attack using a massive slingshot. I presume this provides additional impact force, but it does introduce a point of weakness. Modern attackers often focus on crippling their target’s ability to retaliate. In other words, if the pigs simply stole the slingshots when they stole the eggs, the birds would be seriously hampered in their efforts to counter-attack.

3) Sacrificial Hierarchy

It appears as though the pigs exist within a hierarchy consisting of a large king pig, a handful of mature leader pigs, some adult pigs and a large number of little pigs (that presumably cry “wee wee wee” all the way home). Malware teams have similar hierarchies, with the people funding development at the top, developers and project leaders below them, marketers below that and finally, those responsible for smuggling the money from your bank account overseas. If the pigs were to learn from this, they would hide their king and leaders in the best shelters possible, well out of reach of the birds, and draw their fire with an array of poorly defended little pigs. This structure allows for organizational continuity favoring the pigs and causes the birds to burn their resources inefficiently.

Common flaw of pig-based construction

A more secure design

The Birds

The birds seem to be structured as a loose confederation. Much in the way business owners band together to discuss and develop shared defenses, birds of more than one feather collaborate to combat the pigs’ designs. Just as there is room for improvement on the part of the pigs, there are areas where the birds could learn from the advice we give our clients as well.

1) Reduce Scope

First of all, the birds face the fundamental problem of constantly losing their eggs. The easiest way to protect against fundamental issues is to narrow the scope. If you’re protecting credit cards or health records, this means identifying the data and centralizing it for better protection. Now, in the case of eggs, there is clearly some risk from putting all one’s eggs in the same basket, but there is no rule that scope has to be limited that far. It could be limited to two or even three baskets. The key is to limit the scope as far as you can and then to boost the defenses around that area.

2) Improved Retaliation

Surprisingly, while the world of Angry Birds has a great many birds, none of them seem to be able to fly. This, as noted earlier, places them at significant risk from the loss of their slingshot. It also means their attacks must all originate from a single point. In the business world, we have several areas from which we can detect and respond to attacks. We detect attacks with technology, forward issues to security teams and law enforcement and, where needed, involve a judicial system. Similarly, an avian attack should be mounted from numerous locations. It should not require a specific bird attack from the East. Any flight-capable bird should be able to respond to attack.

3) Agility

Agile security involves being aware of your environment, your capabilities and your attackers’ capabilities. You can then make defense plans and execute quickly in the case of attack. There are times when the appropriate response is to tighten security, others when one should involve law enforcement and still others where it makes sense to allow the attack and learn as much from it as you can.

In the case of the birds, while they seem to be masters of resource utilization (expending minimum force to achieve their goals), there is still room for improvement. Their technique works because they face an enemy that fails to adapt. If this ever changes though, it would be impossible to regain the eggs and the birds’ continued existence would be at risk. Simply reviewing the Pig Empire defenses and dynamically selecting the number, species and order of attack would allow a significant increase in agility.

Improved Attack Method Adapted To Environment

Conclusion

Perfect security is impossible so there are inevitable flaws on both the part of the birds and the pigs. While today’s birds are able to achieve their goals, if the enemy boosts their capabilities, the birds’ limited structure puts them at serious risk. The problem is that eggs keep getting stolen. If the birds improve their defensive strategy to such a point that egg theft drops significantly, the pigs might find it substantially easier to obtain sustenance from another source… Falldown 3D, perhaps.

Launching attacks is easier than defending against them. An attacker need only succeed once, but a good defender has to be vigilant all the time. A small improvement on the part of the pigs’ attack would place the birds themselves at risk of extinction. So it is essential that the birds improve their defenses and capabilities. With luck, they’ll manage to do this before things reach a point of criticality.

(This post was originally published at the RJS Informer.)

It’s a matter of trust

  • At December 09, 2011
  • By Josh More
  • In Business Security

Warning: this blog entry covers sensitive current events and some of the links may use strong language.

When a big news story hits, do you ever notice a pattern or significant fact that, despite 24/7 coverage, everyone appears to be missing? Three events in recent weeks have received considerable attention throughout television, newspapers, radio and social media, and each of these events is a catastrophe that occurred because of poor policy choices and unplanned reactions. Let’s briefly explore them.


PayPal v. Regretsy

PayPal is known to “freeze” the assets of somewhat questionable groups. However, many are saying they crossed the line by pulling the plug on a fundraising effort to get Christmas gifts for 200 children in need. Yep, you read that right. PayPal followed their policy and basically profited three times off of preventing children from receiving gifts. Is it surprising that this blew up in their face?

April Winchell, of the popular website Regretsy.com, wrote up her story and published it online with a follow-up. Not only did she get a massive movement behind her, but due to the fame of Regretsy.com and the nature of what PayPal’s employee said, the story went viral and is being spread throughout Facebook, Twitter and other social networks. The story has been reported so widely that there are now over 20,000 hits on Google with titles like:

– PayPal ruins Christmas for over 200 kids

– Paypal has no problem ruining Christmas for Children

– Paypal – The Christmas Grinch

There are posts claiming “Paypal is evil” and that people should “stop doing business with them immediately.” On top of that, a public list of PayPal and eBay employee phone numbers and email addresses is being spread along with this story.


Carrier IQ

As we have covered previously, Carrier IQ is the company that writes activity-monitoring software for cell phone providers. Some call it the rootkit of all evil but others say it’s not so bad. The news started within a rather small technical community, but rapidly expanded throughout the internet and has resulted in a class-action lawsuit and a Senate inquiry. Carrier IQ’s customers are also being sued.


Pepper Spraying Cop

Most everyone today knows the story about the cop who sprayed pepper spray in the faces of protesters at the University of California-Davis. While such events happen often, the fact that it was captured on camera and posted all over the internet made it famous. The incident has started a national discussion about militaristic police forces, a personal investigation into Lt. John Pike and endless parodies.


What does this mean?

In each case, someone did something no rational person would do if presented with the given scenario. The various parties all defended themselves by citing law and policy, yet each instance caused a catastrophic public relations nightmare they may never be able to fix.

If you asked John Pike, weeks before the incident, if he would ever walk past a line of passive college students and cover them with pepper spray, I’m sure he would have said no. If you asked the CEOs of ATT or Sprint a month ago if they ever thought about tracking every single action their customers took on the internet, they would have dismissed the idea as ridiculous. If you asked the leadership of PayPal if they planned to steal money from impoverished children for Christmas, they’d have called you insane.

Yet, each of these events happened. Why? It comes down to policy. Policy’s role is to guide behavior. It sets expectations and makes individuals accountable. Sadly, the latter is often phrased in a negative manner so employees do the bare minimum to protect the organization and, in the process, open up the potential for these types of unfortunate events.


A better way?

Think about what would have happened if the PayPal representative had taken the call and responded with “That sounds like a good cause to me. I’m not authorized to allow it, but let me get my boss on the phone.” Maybe their officers wouldn’t have gotten inundated with spam and phone calls. Maybe their name wouldn’t be equated with thievery and evil. Maybe working with the offended party would be a better approach than a half-hearted apology.

Similarly, what if Carrier IQ had entered into discussions with TrevE about his findings and then worked with ATT and Sprint to resolve the issue instead of immediately going to the legal system (and getting trounced)? Maybe the whole issue could have been avoided.

Lastly, what if Norm Stamper’s reforms of the police system had gained traction? Maybe Occupy UC-Davis would have looked a lot more like Occupy Iowa City.


It’s a matter of trust

When I write policy for a client, the goal is to protect the business from mistakes made by employees. The goal is never to restrict employees to the point that their only answer is always what the rule book states, regardless of gray areas. If you need something done exactly the same way every time, use a computer. They’re actually pretty good at repeatable tasks. People, in contrast, are really good at facing unique situations and resolving them in creative ways. As soon as a policy prevents an employee from making improvements, there is no longer any use for the employee. Just automate that job and be done with it. If that’s not your goal, your policy is broken. You can fix it by looking for scenarios which can be read literally and, as a result, cause catastrophes like the ones mentioned above.

There are many ways to fix these problems, once they’re found. Some businesses give their employees discretionary budgets. What if PayPal had said “Sorry for the mix up, and since it’s a good cause, here’s $100 to buy a kid a present.” Some businesses have an official PR escalation team. What if TrevE’s report hadn’t been met with hostility, but instead they said “Huh, good point. If we give you $1,000 can you give us some consulting on doing this better?” Some organizations create an expectation of personal responsibility, where it is illegal to obey an illegal order. Might that not have helped things at UC-Davis?

If you’re going to have people working for you, you have to let them be people. Let the policy be the guideline and trust them to follow the guidelines. If you do not trust your policy to guide, and not prescribe, action, you need a new policy. If you do not trust your people to be guided by a good policy, you need new people.

 

This blog entry was originally posted over at the RJS Informer.

Copyright © 2013 by Josh More