Mythic Monday – Alternate Worlds
- At October 12, 2009
- By Josh More
- In Mythology
There is an interesting thing about studying Myth. Looking just at origin stories, there is a basic belief that each culture has but one. However, this isn’t true. Most cultures have many stories. Historically, this may be due to the constant culture clashes of warring tribes, where differing cultures absorbed parts of one another and partially merged in order to avoid utter annihilation. Politically, it may be because no matter how the rulers divided the maps, the people stayed more or less the same, and gods and goddesses were simply added into hierarchies (until we got to monotheism and saints started to serve this role). However, sociologically, what’s fascinating is that the stories can conflict and still both be viewed as true.
The human mind, apparently, has a desire to know and believe in the one universal truth, but doesn’t seem to have to deal with the cognitive dissonance around conflicting worlds. This has even been studied:
An initial study involved 50 three- and four-year-olds. Each child sat with two experimenters, a toy bear, a toy doll and a central pile of toy blocks. The first experimenter, located to the right, introduced the child to the doll Mary; together they pretended it was her bath-time and the child used one or more blocks as bath objects, such as soap. Then the second experimenter, located to the left, introduced the child to Bruno the bear. They pretended it was his bedtime and the child used one or more blocks in the game, for example as a pillow.
The crucial part came next, as the first experimenter told the child that Mary had grown tired and needed to sleep, whilst Bruno had woken and wanted to wash. Rather than using the toy block already established to be a pillow in Bruno’s world, the children, regardless of age, nearly always reached for a new block from the pile to use as a pillow for Mary.
In short, kids seem to resolve the conflict by constructing an alternate world for each story. In their minds, anything can happen within one world, but events in one world cannot cross over to the other. This keeps things simple and easily understood. Sure, we play with the idea here and there. We cross genres in the movies, comics and literature. However, even within these genres, you’ll find that there is a not-insignificant number of people who can easily point out half a dozen logical flaws in each story. It doesn’t matter how careful you are, the flaws seem to inevitably exist and leap right out at anyone who cares to look.
So, it would seem that we’re wired to allow for almost infinite flexibility but only so long as it stays segmented. So I have to ask, why do we insist on tearing down the walls?
I’ve seen numerous environments where, for one reason or another, there is a mix of technologies in play. This makes sense. There are good reasons to use both Microsoft and Linux operating systems in an environment. The same goes for firewalls (Cisco/Astaro), endpoint protection (Sophos/Bit9) and word processing (MS Office/OpenOffice). Each of these technologies is powerful and can bring definite business advantages.
However, the point here is that each should be kept isolated, as much as possible. From a security perspective, one can use flaws in one product to escalate an attack on another. Operationally, trying to connect diverse systems means that you are making both of them work in non-intended ways, which means that subject matter experts in both tend to point fingers at one another.
That’s not to say that every technology should be kept isolated. Not at all. Technology tends to fall into specific worlds. There are three primary Linux worlds: Ubuntu/Debian, SuSE and Red Hat. Each of these worlds has its own repositories, and is built to be more or less complete. Microsoft Windows tends to be a bit less well defined, but it still has its set of technologies that are designed to inter-operate with one another and not necessarily with anything else. Yes, you can try to force it… but as the article shows, we don’t naturally think that way, so there may be problems.
Mythic Monday – The Camel Seen For The First Time
- At October 05, 2009
- By Josh More
- In Mythology
Another Aesop fable is The Camel Seen For the First Time. You can read it here, here or here… but since it’s short, I’ll paraphrase it here. (While the actual text is public domain, the translations are, for the most part, not.)
When humans first saw the camel, they found it frightening. It was huge, scary and humpy, so everyone fled. However, as time went by, people discovered that the camel was gentle. As they grew more familiar with it, they began to hold it in contempt and eventually allowed their children to lead it.
The intent of the fable is to basically show that familiarity breeds contempt. It is both a message that one should not fear things unnecessarily, and that one should not become so familiar with something that fear goes away entirely.
I think that this applies to technology as well. We often hear about new technology and how it can be paradigm-changing. However, when we first attempt to deploy such technology we are often baffled and confused. New technology can be incredibly complex and difficult to understand. It can take days of trial and error to figure it out, much less determine how to best fit the technology into your existing infrastructure.
Of course, once you’ve managed to get the technology working, it seems old hat and it is often baffling when new employees don’t pick it up right away. As time goes by, though, they learn the technology and eventually take over.
The lesson here, of course, is to learn from other camel trainers. If you just believe those that have gone before you, you can avoid the whole fear response and jump ahead to figuring out how to train the camel. Then you can get the technology quickly deployed and get on to learning about future species.
Mythic Monday – Nommo
- At September 28, 2009
- By Josh More
- In Mythology
Recently, while reading about African mythology, I ran across the story of the sky god Amma and its creation of the half-human half-fish hermaphroditic creature Nommo, which split into four pairs of twins and, after normal mythical events, became the ancestors of the contemporary Dogon people. Due to mistranslations of early ethnographic studies, these creatures were identified as coming from Sirius, which if true, would indicate that the ancient Dogon people either had powerful telescopes (unlikely) or were visited by aliens (which some people seem to view as more likely).
Now, as I read this, I thought “hermaphroditic human/fish hybrid that some point to as proof of alien contact… I’ve got to blog about this!” Sadly, though, I just couldn’t come up with a good business or security angle (there’s something to the “one twin goes evil, so the other has to be sacrificed” story… but there are other such stories in myth that are far more accessible).
Then I started researching Binu shrines. The story goes that one of the Nommo twins was evil, and to make up for this, another twin had to be sacrificed, dismembered and scattered all over the earth. Wherever a piece of Nommo landed, a Binu shrine was built. I was curious, and wondered what a Binu shrine looked like. Looking on Flickr, I ran across this photo by sunshinerythym. I looked at the terms of use and saw that it was marked “All rights reserved”, so I didn’t embed it. I sighed and moved on.
Shortly thereafter, I saw this page on the Sacred Sites of the Dogon, Mali. Well, that photo sure looks familiar, doesn’t it? It’s lightened up a bit, but it looks awfully close. And that link below it? Order Fine Print?
Very interesting.
Now, it is quite possible that sunshinerythym was contacted by the people that run SacredSites.com and gave permission for the photo to be used in this manner. I know that I’ve gotten requests to use my photos in such a way.
However, I also want to point out that there are some untrustworthy people out there who make money by selling other people’s work. If you post a photo in full resolution, anyone can download it and do whatever they want with it. If you license it appropriately, you can take legal action against them… but you have to catch them first. Of course, if you screw up your licensing, you probably don’t have a leg to stand on (unlike Nommo, who being half-human had legs (look, I tied it back in!)).
The security lesson here is that if you are generating content, be careful with it. Though I have chosen to make my full resolution photos available, I do so with the understanding that others may steal them. To help mitigate this, I have licensed them for non-commercial use only. For me, photos are fun, but not my main business. I am fine taking the risk if it means that zoos and similar educational organizations can use my photos to help other people learn. The point is that I know I am taking the risk to begin with.
The other security lesson is that if you are a business, keep track of the rights to the things you use. If such use is not previously authorized, it could be construed as intellectual property theft and could be quite costly.
The mythological lesson is less clear. :)
(Before writing this post, I sent an email to sunshinerythym, as we Flickr users have to help protect each other. It is quite possible that by the time you read this, the links may be broken.)
Mythic Monday – Elfshot
- At September 21, 2009
- By Josh More
- In Mythology
Before the germ theory of disease, Celtic farmers occasionally experienced cattle that would mysteriously sicken. At the same time, as they were clearing their land, they would find prehistoric arrowheads. Combining these two observations with the belief that elves were ever-present and often interfered with daily human life, the idea of elfshot arose.
It made perfect sense at the time. Based on the theories of the time and the available evidence, it was completely logical. Even Robert Kirk, an Episcopalian minister, analyzed the situation and explained it thusly in his The Secret Commonwealth of Elves, Fauns & Fairies:
These arms (cut by art and tools it seems beyond human) have somewhat of the nature of thunderbolt, subtly and mortally wounding the vital parts without breaking the skin, of which wounds, some I have observed in beasts and felt them with my hands.
So, since they couldn’t conceive of any way that such small arrowheads could be made (and since they lacked a John Whittaker), they came up with an idea and it affected the regional culture for centuries.
Sadly, the same behavior still exists today. Many times, when there is a security incident, there are a few clues here and there as to what is going on. It is very common to have a theory about what’s going on and then try to make all of the evidence fit it. For example, we hear a lot about foreign attackers, so when a system starts to behave a bit oddly, we often look first for an intrusion. In fact, odd behavior could be due to many factors. It’s not unusual for some systems to experience problems at times. It’s also not unusual for attacks to come from inside. Focusing too early on but one scenario can blind you to what’s really going on.
It’s better to consider all of the data independently and then start coming up with and testing ideas. This would allow you to spend less time running down the wrong path and be more efficient in uncovering the problem. That way, instead of spending centuries working under a theory that might not fit the best, you can maximize your use of time… and avoid needlessly blaming the elves for something that wasn’t really their fault.
Mythic Monday – The Linnet and the Bat
- At September 14, 2009
- By Josh More
- In Mythology
Aesop’s fable 75, sometimes called The Linnet and the Bat, describes a situation where a bat and a caged linnet* are discussing why the linnet sings at night instead of during the day. The linnet’s explanation is that he was singing during the day and that’s how he was caught and caged in the first place, so now he only sings at night. The bat observes that it’s a mite late for caution, since the linnet is already captured.
The point of the fable is supposed to stress the uselessness of regret. However, it applies equally well to system and network hardening. Many businesses will look into remediation after they have been attacked, when it is far easier to do the hardening work ahead of time. Sure, no one wants to spend money they don’t need to, but as with most things in life, it is far cheaper to invest in prevention than correction.
When you build a server, it takes but a few extra initial hours to apply hardening templates and an hour-or-so a month to keep it updated with patches. However, if an attacker gets in, the server will likely have to be completely rebuilt, losing time in addition to the business loss from the outage. Additionally, it is quite likely that the attacker would have gotten into other systems on the network, so the time spent correcting the problem is multiplied by the number of systems on the network.
Really, it’s better not to get caged in the first place.
* There is a great deal of linguistic controversy about the nature of the bird in this story. The problem is that the word bôtalis, which has been translated as “linnet”, “goldfinch” and “canary”, appears only in this one fable. That none of this matters to the point of the story only serves to illustrate the fact that Classicists have nothing better to do with their lives than debate over ornithological divisions, instead of spending their time on more practical endeavors… such as researching obscure myths and linking them to I.T. security.
Mythic Monday – Stables of Augeas
- At September 07, 2009
- By Josh More
- In Mythology
Cleaning the stables of Augeas, for those that do not recall, was the fifth labor of Heracles. His task, as one of many to gain the forgiveness of the gods for accidentally killing his wife and children, was to remove all the dung that was produced by the immortal cattle of King Augeas. Unlike most of his other labors, this one was deemed to be impossible, not due to the inherent danger but for the sheer amount of work. On the positive side, if Heracles did it, he would get one tenth of the cattle.
Heracles managed the task by thinking outside of the box. Instead of cleaning the stables in the traditional manner, he rerouted two rivers to wash it all out (and, presumably, causing a fish kill somewhere downstream). In one day’s work, Heracles managed to make the stables more efficient and eliminate many of the legacy problems equated with an unclean stable – bacteria, fungus, pests, misplaced pitchforks. Then, King Augeas was perfectly positioned to make improvements and run his stable better than ever before. Of course, he doesn’t do this… preferring instead to try to steal from Heracles, and gets killed.
But our security lesson today isn’t about Augeas (though “don’t tick off demigods” isn’t a bad general rule). Instead it’s about cleaning things up. Just as various threats lurk in manure and compound over time, the same applies to source code. If you develop software, I’m sure that your developers have come to you at various times and suggested that the code base be wiped clean and they be allowed to start over. Odds are that you’ve said “no”. Odds are that you were right.
It usually doesn’t make sense to throw work away and start over. Doing so would give your competitors a time advantage and while you’re making the newest whizz-bangiest system out there, you’re losing marketshare. However, if you let the bad code pile up too deeply, the internal threats will grow and you may not be able to handle them. Then, like King Augeas, you may choose to ignore the problem and hope for a hero to come by. In the meantime, other systems will be getting whizz-bangier and you’ll be losing marketshare.
So what’s there to do?
You basically have two options. You can hire yourself a hero (consultant) to throw away what you have and start over, which could cost you one tenth of your profits, or you could just get better at cleaning your own stable in the conventional manner. When your developers come to you, you know that it is impossible to clean the entire stable (code base), but you could allow them to clean a few stalls (modules). By taking such an approach, you can prevent pests (vulnerabilities) from mounting up without needing to worry about losing your stable entirely or even one tenth of your cattle.
So, your stables may never be completely clean, but they might be able to be kept “clean enough” so that the vulnerabilities don’t mount up and cause you problems.
Mythic Monday – Tricksters
- At August 31, 2009
- By Josh More
- In Mythology
Most cultures have a trickster figure of some sort, though they go by many names: Coyote in North America, Anansi in Africa, Puck in Britain, Loki in the Germanic regions… and many others. In the stories, there is usually not much if any justification for the actions of the tricksters… though their tricks usually fail in the end and they learn a valuable lesson along the way.
No matter what the story may be, the point often seems to be less the story itself and more about the learning. There are stories about ethics, significant social changes, developing new skills and personal growth. In almost every one, though, the lesson is learned by either the trickster character itself making a mistake or leading someone else into making a mistake. Then, inevitably, significant learning occurs.
In many ways, it’s all about attitude. Tricksters tend not to care much about others, being led instead by their own desires and intuitions. They get an idea and run with it, ignoring all else, until their actions bring about their own downfall. In short, they are driven by curiosity, creativity and intelligence.
Tricksters break everything they touch, and sow discord everywhere they go, but they do make things happen. You probably know people like this in your own organization. They may be a bit narrowly-focused and their projects may have a significant number of… unintended consequences, but they manage to complete more projects in less time than anyone else.
Just as tricksters benefit a story, these personalities benefit an organization. In a developer, these traits create new products. In an administrator, they can produce significant efficiencies. In a security professional, they can protect an organization in ways never before thought possible. Of course, they also cause a significant amount of chaos as they implement these changes without really thinking things through.
There are many organizations… especially in I.T.… that have the occasional local trickster. Called “cowboys” or “lone wolves”, they are often thought of as immature or unready for the business world. In many cases, this is right. It is extremely easy to look merely at the negatives, and as a result, these people are often the first on the firing lines.
However, just as security is all about balance, so is business. It is worth considering the long-term value of trickster-types. Maybe they won’t fit into the business over time, and it’s best to let them go. However, maybe they can learn (possibly through a mythic journey of growth and pain). Maybe they can learn to temper their own erratic tendencies and put their creativity and curiosity towards the benefit of the business. Perhaps all they need is a bit of guidance. You’ll never know if you don’t try.
But remember, most cultures can only tolerate one or two tricksters. Fewer than that, and they would stagnate, but more than that and they would be destroyed by chaos.
Mythic Monday – Brünnhilde Sleeps
- At August 24, 2009
- By Josh More
- In Mythology
In Wagner’s Ring Cycle, Brünnhilde is cursed by Odin for fighting on the wrong side of a battle. She is put into a coma and hidden behind a wall of impenetrable fire until rescued by a brave hero. (For those that want more detail, but don’t want to spend 15 hours listening to an opera, look here.) As is always the case in myths and legends, the hero shortly arrives, gets through the fire alright and rescues the “damsel” (who was truly a Valkyrie).
Now, the Ring Cycle is amazingly complex and even this tiny little bit lends itself to a great many security-focused interpretations (firewalls, penetration testing, identity theft), but today I want to look into encryption and steganography.
Essentially, when Brünnhilde upset Odin, he hid her inside a mortal woman (steganography) and isolated her from access to all but one person (the encryption key). Just as in business, there are risks inherent to Odin’s plan. If the encryption is too weak, Brünnhilde might be rescued by someone other than Siegfried, her intended. On the other hand, if it is too strong, or Siegfried happens to fall upon some trouble prior to the rescue, she might never be freed.
Luckily for aficionados of myth and fifteen hour long operas, literary convention protects us from a story involving Brünnhilde roasting behind a wall of flame for millennia or one in which she is rescued by Fred the Handyman. Alas for us though, literary convention does not protect businesses.
When a business protects its data with encryption, it takes the risk that the keys may be lost. If they are, it’s all up to the level of encryption used. If the encryption is too strong, the data is effectively lost (Brünnhilde sleeps forever). If, however, it’s too weak, the data may be recoverable by you (or your competitor, Handy Fred).
Similarly, Odin’s plan of hiding his Valkyrie within the form of a mortal woman is quite clever. However, it’s only useful so long as it is rare. If every mortal woman (or even a reasonably large percentage of them) were truly an otherworldly warrior woman, someone who wished to engage in the practice of uncovering the Valkyrie within (never wise) would simply need to get a decent sample of mortals and start decryption activities. In business, this would be like an attacker checking every file on a website for evidence of steganography. Once found, they would know which ones to check out for hidden data.
There are two main lessons to learn from this myth. First of all, if you encrypt something, be sure to have a key. If you think that there is a reasonable risk that your key may be lost (Siegfried did have a troubling habit of battling dragons and otters), it may make sense to make backup copies. Though having a stash of emergency backup heroes would make for a pretty poor myth, it is essential in the business world.
Quite to the opposite, while steganography works well in myth, it’s less effective in the business world. If you hide your vital data (or Valkyries) in other files (or mortals), it’s only useful so long as you remember where it’s hidden. If you want to share the vital data, you have to let others know where it’s hidden… and a shared secret is only good so long as both parties keep it and no third parties listen in. After all, if you have a secure channel through which to share the existence of the steganographic file, you might as well just share the data. Heck, even in the myth, the fact that we know that Odin hid Brünnhilde within a mortal means that the secret wasn’t kept.
That’s not to say that steganography is useless, but it is quite limited within a traditional business environment. Better, perhaps, to focus on the encryption side and make sure that the data cannot be read even if found. Then you don’t have to worry about supporting back channels and can devote all your resources to protecting known data rather than trying to hide it. (On the defense side, being aware of steganography as a back channel is very useful, but protecting against it and using it operationally are very different things.)
So, in the end, it would be wise to use encryption where you can, not be distracted by steganography, and avoid Norse sagas as they never really work out well for anyone involved.
Mythic Monday – Superhero Teams
- At August 01, 2009
- By Josh More
- In Mythology
Some may call them movies for kids that never grew up, others may call them mythic legends of our time. Whatever your stance, you might have noticed that superhero movies have been quite popular in recent years. The most recent resurgence started with your basic theme of “ordinary person becomes a super hero at about the same time that an ordinary person becomes a super villain” (Spider-Man and Batman Begins). More recently, it has morphed into “superheroes teaming up to fight against teams of super villains” (Spider-Man 3 and X-Men: The Last Stand).
While the literary quality of such films is debatable, the big security lesson here is that when you’re being attacked on many fronts, it helps to team up. At present, there are threats from all fronts. Uncountable authors release numerous malicious software packages every day. The malware adjusts its own code to avoid detection and spread. Moreover, the majority of companies are often under direct attack by foreign nationals and direct competitors. All of these attacks are growing more subtle, so the challenge is not just in foiling the attackers but also in detecting them. In order to stand a chance, we have to team up too.
So how does this work in practice?
One way is to do what you’re doing now: spend a bit of time each day reading security news from various sources. These can be blogs, podcasts or news sites. Another way is to join groups, whether they are local or online. Local groups tend to meet once a month. The online groups, in contrast, usually do not have a specific meeting time but are very issue-focused. One member may post a question and others will step forward and help to answer it. Some groups are a combination of the above.
Just as being a member of a superhero team isn’t a weekend job, there has to be an ongoing commitment to be successful in a security group. In many cases, it doesn’t really matter which particular group you join so long as you are committed to it. While different groups have their own respective foci, any of them will be better than nothing.
The following are groups that I personally use in my day-to-day work:
- ISSA Des Moines – A business-focused group focusing on education of the members.
- Iowa Infragard – An information-sharing effort between the FBI and businesses. Local chapters exist in other areas.
- SANS Advisory Board – Online group that assists its members with existing issues and helps guide the SANS certifications.
- Central Iowa Area Linux Users Group – Iowa-based group focusing on Linux and Open Source technologies. Other LUGs exist in other regions.
- Agile Iowa – Iowa-based business-focused group to discuss Agile development practices. It’s always good to get other points of view regarding what you are actually protecting.
There are, of course, others that I visit on an occasional basis, such as the Des Moines Web Geeks, the Central Iowa Bloggers and The Virtualization User Group, but I realize that I have a limited amount of time, and it’s better to focus where I can be most effective. Over time, I may have to narrow my commitments even further.
We may not have a security-focused Justice League or Avengers team, but we also don’t have many lone-wolf security superheroes. So those of us that work in this field have to work together. I hope to see you there.
Mythic Monday – The Bunyip
- At May 18, 2009
- By Josh More
- In Mythology
Most folks in my culture don’t know much about the bunyip. That is, unless they saw Dot and the Kangaroo as an impressionable youth, in which case they had nightmares for years… but I digress.
According to aboriginal legend, the bunyip lives in lakes and emerges at night to devour animals or people nearby. Like many monsters of this type, people were warned to avoid rousing the wrath of the bunyip, or they would be eaten alive. In short, if you left it alone, it would leave you alone.
The thing, though, is that the lake has a bunyip in it. You all know it. You may be able to fool yourself into a false sense of safety, but you all know that to retain that false sense of safety, there are things that you must do (or not do). In the case of the bunyip, it’s a simple matter of not going out at night and not going near water. (The rules are different in the Dreamtime, but this blog doesn’t dive into the minutiae of mythology (much)).
These days, most Western people disregard such monster stories. Our lives are such that we don’t need to invent such stories to explain away unknowns. When people vanish from our lives, they are much more likely to get hit by a car or die of old age than they are to mysteriously vanish in the night. This doesn’t mean, however, that we don’t make up stories. Quite the contrary, we make them up all the time, in exactly the same way.
How many times have you felt like your computer follows a strange set of rules? Maybe there is an incantation you go through to make something start (The desktop icon doesn’t work, so you click the start menu, navigate to programs, go to “Microsoft”, click on “Word”, cross your fingers and hope it starts). Maybe there are things that you do differently in your life (Don’t use that computer to access the Internet, it’s too slow, use the laptop from work instead.) Maybe you just warn others away from that particular system.
Maybe there’s a monster in your PC.
In the security field, we assign all sorts of names to these monsters: virus, worm, trojan, rootkit, backdoor, etc. We do this because, as monster hunters, it helps us to know what sort of creature we may be facing. It makes it easier to communicate tracking and hunting techniques. And sadly, just as in the stories, the monsters often win. Just when we think we have them figured out they turn out to have friends or be aligned with a trickster of some sort, then they come after us in force. It can be quite demoralizing.
However, we’re the experts. If we are so often stymied, what can you possibly do to protect yourself?
The first step is to stop hiding in your huts cowering from the night. If your computer is making you change your behavior, there’s a problem. Maybe it’s broken, maybe the app is poorly written, or maybe there’s a monster in there. The thing is, if you let your computer control you, you’ll never know if there’s a monster in the lake or if it’s just a floating log.
The second step, and one that would help us all a lot, is to start locking the lakes. Simply put, if you live in a world with monsters (as we do), it’s kind of stupid to invite them in. If you’re not running an antimalware system of some sort, you’re leaving your system open to be colonized by monsters. Similarly, if you visit other lakes that are likely to be infested with monsters, they just might follow you home. Practically, this means avoiding porn and gambling sites.
Lastly, if you think there may be a monster lurking around, you might want to consider calling in an expert monster hunter. We may not be as cool as the people in the movies, but we’ve got a fighting chance at getting rid of them. And after all, it’s better than being eaten in the night.