Mythic Monday – The Creation of the Aztec People

According to Aztec myth, after the previous inhabitants of the Earth had been turned into fish, the gods wanted to make more people.  Now, one would rationally expect that if the gods liked people so much, they wouldn’t have flooded the Earth in the first place and turned all the previous people into fish, but the Mesoamerican myths don’t seem to be much for rationality and forethought.

Anyway, to create the people, the gods need the magical bones where were guarded by the Lord of Death. After a fairly typical quest followed by a challenge and the reneging by the Lord of Death on the deal, the hero carrying the bag of bones fell to the bottom of a pit and the bones were broken. That, of course, is why the people come in a variety of shapes and sizes.

Of course, we are quite lucky that the Aztec hero was such a klutz. The numerous variations in humanity have rendered us resistant to various plagues. (Technically, this is only partly true as there is evidence that humans are more genetically identical than most animals (except for cheetahs), but we’re ignoring that here.) The more variation there is in a genome, the greater the resistance to threats. Though similar concern has been raised about the ongoing homogenization of our food supply and how it renders us vulnerable to threats. this blog is about I.T. and business security.

For quite some time, I have been arguing against homogenization within certain businesses. The current practice of having all systems identical makes things very easy to manage. It makes it easy for auditors to verify that proper security standards are in place. It also can tie into automatic patching plans and keep everything up to date. However, it means that every person in the organization has adapt themselves to the same software and that if an attacker manages to get into one system, they can march right into every other one.

Like all things, using system images is a tradeoff. It seems that many organizations implement imaging just because it’s best practice. Sure it solves some problems, but any change also creates others. Often, an imaging project identifies numerous applications to drop out of the environment. This is great for general security, as it reduces attack surface, but often many of these are there because they make the business more effective.

Given that the whole point of “the computer revolution” was that we are now able to adapt technology to our lives are very small levels. It seems like questionable logic to take devices that are capable of enhancing individual abilities and compensating for individual flaws and turn them all into identical machines and then force people to match them. Richard Bejtlich gets into this in more depth over in his post Let a Hundred Flowers Blossom.

My point isn’t that imaging is bad. In some environments, it’s a necessity. (Mostly regulated environments or those lacking a technically-skilled workforce who can select the appropriate applications to enhance their productivity.) It just shouldn’t be a goal without consideration of the total business impact.

After all, people are all different. If the technology is all the same, it obviously won’t work as well for some people than it will for others. The question to ask is whether the benefit of uniformity outweighs the cost of productivity.

Security in the Harry Potter World

I recently picked up Harry Potter 6 on Blu-ray. While I’ve read all the books, I’ve generally not been much for the movies. (I prefer the pictures in my head.) However, there is a photographic beauty to these movies that is worth both the time and the money (especially when the box set of 1-5 was on 70% off recently)… so I’m watching them and remembering the stories.

As with most works of art, the easy path to drama is to create a security failure. It makes sense, after all. As a creator, you may have a need to push your characters at time, and the easy (lazy) ways to push a character are to create a situation for them to react to. Thus, viewing the worlds as if they are real is a bit unfair… but on the other hand, nitpicking is fun.

In the world of Harry Potter, there are several security situations. The world of magic has to be kept a secret from all the muggles, the evil people have to be kept out of Hogwarts, and what is kept in Gringotts must stay in Gringotts. In fact, we know that there is some sort of magical muggle spy network, as Dumbledore knows to investigate Tom Riddle prior to his acceptance into Hogwarts. Why this same network can’t detect the attack upon Harry by the dementors in book/movie 5 is unclear. Clearly, they need to invest in redundancy for the system.

Similarly, Hogwarts seems to have a surprisingly difficult problem keeping students where they belong. It took until book/movie 6 before they put up a firewall around the school, and even then, attackers manage to encapsulate an attack within a legitimate source (Katie Bell) and also fail to Draco’s VPN bypass (terminated by vanishing cabinet). It seems that magic should be able to do better.

In contrast, Voldemort clearly knows a lot about security. He makes backup copies of his soul, just in case something happens (like a backfiring killing curse). Granted, the restoration process leaves a bit to be desired. If he really cared about operational availability, he would have tested the process and avoided that whole 12 year delay issue. (And here I thought 24 hours to deliver backup tapes from the offsite repository was a long time.)

Similarly, given that it’s been established that there is a thing called “a trace” that can detect when someone casts a spell. You’d think that they could use the same practice during quidditch matches to prevent the audience from interfering with the play… but they don’t. As a result, there are all sorts of amusing and dramatically-appropriate hijinks.

Lastly, in an environment where a bunch of students are awash in teenage hormones AND are constantly playing with potions AND know that love potions exist, you’d think that there would be an emergency bezoar in each dormitory. But there’s not.

It would be interesting to see what the world would be like if there were more audit-focused monitoring points, reactive responses points and preventative spells. However, just as in the real world, these sorts of technologies are tempered by the economics of the situation, in the fictional world, there is a trade-off with dramatic tension. Sure, there are a lot of things that Dumbledore could have done to increase the relative safety of his charges, but to do so would have drastically reduced the possibilities for dramatic tension.

This would have reduced the number of books from 7 to likely 1 or 2. In our universe, Dumbledore lives for six whole books. If he had been a more protective head of Hogwarts, Voldemort may have been defeated much more quickly and the series would have been reduced. So, like most people, Dumbledore made a self-interested decision that had ramifications outside of himself. He got to live longer and be in an incredibly popular series of books and as a result, many of his students were placed in some wonderfully dramatic jeopardy.  That’s something to consider, I suppose, when there are security decisions that you have to make.

Bias Thursday – Pseudocertainty Effect

While I am not a psychologist, it’s becoming increasingly obvious that a good understanding of psychological issues is an important facet of a full security practice. These themed posts are likely to be incomplete, as I am just exploring some ideas and how they might apply to security.

In running through the List of Cognitive Biases on Wikipedia, I ran across the Pseudocertainty Effect. Simply put, this is the tendency of people to emphasize the positive over the negative when faced with a choice. The classic scenarios can be read at the Wikipedia link above and here.

Basically, this means that by phrasing a choice differently, you can guide people into making the choice you want them to. I’ve seen this used on the sales side of things, but I have to wonder whether it’s an intentional abuse of this tendency.

As I see it, this effect is useful to note in both offensive and defensive capacity. On the offensive side, if you’re needing someone to make a choice and you want them to take a risk, you emphasize the negative consequences, but if you want them to take a guaranteed path that may be incomplete, you emphasize the positive. For example, suppose you are pitching an idea to management. The idea has a 80% chance of success, but has a $10k cost. If you want them to accept your idea, you need to understand that the natural tendency would be to make the choice that preserves the certainty of saving $10k, rather than risking the 20% chance of failure. Thus, to be accepted, the proposal would need to either eliminate certainty altogether (perhaps tie the cost to averted loss offsets and phrase it as “between zero and $10k, depending on success”) or focus on the certainties of the results. Thus, if the 80% projected success rate can be broken down into one set of guaranteed successes and some that are maybe 40% likely, the proposal can focus on $10k for a guaranteed success with a bonus opportunity for further improvements.

On the defensive side, you should be aware that it is natural to think this way and that others will try to exploit your tendencies along these lines. Whenever you are presented with a choice (well, one that matters anyway) you should ask yourself whether it is phrased positively or negatively. Then, knowing that you have a tendency to preserve positive outcomes but take risks to avoid negatives ones, flip the phrasing around and see if the other choice makes sense. If you find that your choice flips with the phrasing, then this bias is in play and you need to think things through more carefully.

Security Sprint – Internet Passwords

We’re all busy people. A security sprint should take no more than two hours… which while long for a real sprint, it a mere blink of an eye when compared to the multi-year commitment that is proper security practice.

You’ve probably heard about some of the recent attacks against various websites. The problem here is that if one of the sites you use gets attacked AND they’re not encrypting your password AND you’re using the same password on other sites, then that one breach on one site can put all your other sites at risk. Of course, if you want to be on the Internet, you have to accept some risk… but it’s hard to accept the risk when you don’t know it’s there. So let’s figure it out.

1) Take twenty minutes and make a list of all of your Internet sites in a spreadsheet. Try to remember all of them, not just the common ones. There’s a list below to get you started:

2) Go to the login page of each site and click on the “forgot your password?” link. Yes, this will reset your password, but that’s the point.

3) Once the new password arrives in your email, look at it. Does it sound like something you’d pick for yourself? If so, there’s a good chance that they’re not encrypting their passwords properly. Create a “secure” column in your spreadsheet and mark them as “no”.

4) If the password arrives and looks random, then they reset your password for you… which probably means that they can’t access your password directly. This means that it’s probably encrypted in the database. Mark these as “yes” in the “secure” column.

5) There is a drawback to this plan, and that’s that all of your passwords will change. Most of the sites that you marked as secure will force you to change your password when you log back in. If they don’t, change their “yes” to “no”.

6) Now you have a list of all of your sites and know which ones are the more trustworthy. The last step to this sprint is to reset your passwords to something more secure. There are lots of articles and tools out there, and I see no need to add to the pile. All I’ll say is that you should pick ones that you can remember and that aren’t the same for all sites. If you want to use really complex systems, look into password wallet software.

7) Once all your passwords are changed, and you have an idea of how risky your sites are, you can proceed with your Internet life in relative security.

Sites to consider:

  • Email: Gmail, Yahoo Mail, Hotmail
  • Social: MySpace, Facebook, Livejournal, Twitter
  • Professional: LinkedIn, Plaxo, Namez, Zoominfo, Notchup
  • Images: Flickr, Photobucket, Smugmug
  • Documents: Scribd, Docstoc, Instructables, SlideShare
  • Shopping: Amazon, Zappos
  • Bookmarking: Delicious
  • Video: YouTube, Vimeo

Security Lessons from Nature – Glow Worm Cave

Those of you that have seen the series Planet Earth are probably aware of the glow worm cave. (Those of you that have not have some TV watching to do.) This is a cave full of cute little glow worms that make a light pattern on the ceiling of the cave that is reminiscent of the night stars. It’s a beautiful sight to stare up at those little glittering pinpoints of lights.

Of course, that’s the tourist spiel. In actuality, the “glow worms” are larval gnats that produce mucus and spin out long threads to entrap moths. When a moth becomes deluded by the mights and becomes trapped in the sticky threads, the larvae pull up the moth and liquefy and suck out their internal organs. After secreting mucus and dining upon moths for up to a year, they transform into gnats whereupon they mate and die… which seems like a lot of work to me, but then, I tend not to be consulted in matters such of this.

However, the lesson here is a good one. Namely, it’s probably not worth travelling all the way to New Zealand to visit the the phosphorescent snot worm cave. However, a deeper lesson is that light attracts bugs. (Sure, I could have blogged about the moth and the candle, but then I’d not be able to talk about glow worms.) If you want to know something about the insects that inhabit a cave, just put out a light and see what comes visiting.

We do that in I.T. security to help identify the attackers that are on the Internet. We call them honeypots, which is likely a reference to Winnie the Pooh (I hope), but since I am not (yet) linking children’s literature to security, we’ll ignore that bit for now. Instead, we’ll take a quick look at the value of Lepidopterisy. Just as a scientist can look at the types of moths ensnared in sticky mucusy silk and learn a lot about the ecology cage, a security researcher can examine the malware and attacks found within a honey pot and learn a lot about the sorts of attacks that they may be subjected to.

By creating your own honey pot, you get a chance to deal with attacks before (hopefully) they impact your production systems. However, just like fungus gnats larvae don’t ignore the moths that stumble into their “webs” (strings, really), in order for this to be effective, you can’t ignore what gets caught in the honey pot either.

Other Sites: Business, Photos/Conservation

Get the feed (RSS):



Josh More - Entropologist
Expert in removing chaos from
I.T. and business systems.