Stop! Or My Mom Will Shoot

What does a bad ’90s movie have to do with information security? Well, not a lot as it turns out, but it does give me an opportunity to introduce something that came up in conversation at work recently.

One of the names my role has picked up around the company is the Chief Naysayer. Now, rest assured, this name was given with the utmost respect, as our team understands the importance of security and knows that when I raise a concern about a potential security issue, it is really something we need to consider.

This actually got me thinking about the view that many people have of their information security department and staff. I believe there are many situations where we are viewed as the IT Police. Instead of laws, we run around with policies and guidance forcing changes to meet those needs and sometimes we can be rather confrontational while doing it.

I was joking with my co-worker that I don’t want to be the IT Police; I’d rather be the concerned parent. Instead of constantly responding with policy notes and making vague threats about what violating the policy will do, I’d rather make users stop and think about their actions. I envisioned the following exchange in my head:

Security Department: We need to implement these changes to our systems to ensure we can provide proper monitoring of our resources.

IT Engineers: Okay, but this will take a lot of time. We know our old colleagues at this other organization don’t do this, and they haven’t had any security incidents.

Security Department: Well, if your colleagues went and jumped off a bridge, would you join them?

I’m actually now waiting for the right opportunity in a business meeting to drop that line when we get into a conversation about implementing changes for security. So, why do I think this method of performing security is better?

  1. People do not respond well to being beaten over the head. The old methods used by some amount to clubbing individuals until they relent to the demands made by policy makers.
  2. The old methods usually entail presenting a series of worst-case scenarios to the users or implementation team in an attempt to scare them into adjusting their behavior or fixing an implementation.
  3. These kinds of relationships ultimately end up with others fearing you, hating you, or both.

By acting like the concerned parent, we can try to approach problems using the same kind of logic that our parents used on us as children. (Note: I am not saying that users or engineers are children.) The idea is to present problems to them in a way they can understand and help them come to the same conclusion we have already reached based on the requirements of policy and years of experience.

In the end, the goal should be to act more as a partner, but when we need to take on a role of “authority” it is probably better to take on the persona of the concerned parent.

Star Wars even taught us that strength and fear are not the way to get compliance.

[Image: “The more you tighten your grip, Tarkin, the more systems will slip through your fingers.”]

The Un-[blank]-able Thing

In information security and hacker culture, companies and individuals will sometimes throw around the idea that they’ve created an “unhackable” thing. This phrasing is always intended as a marketing ploy to tout the product’s security. Ultimately, any product with this descriptor gains the extra attention of hackers, who laugh at the idea of a “perfectly secure” product.

This phenomenon is nothing new. A related example we still hear about today is the unpickable lock. A quick Google Books search turns up the term in the Supplement to Encyclopædia Britannica (ninth edition) from 1889[1]. Despite many of the “unpickable” locks having been bypassed or picked in some way, we still see this phrase today.

We’ve heard the phrase “unbreakable encryption” thrown around in recent years when government entities have attacked the encryption methods used on electronic devices. Ironically, the items they claim are unbreakable are really “not broken yet.” People who understand cryptography know that the only mathematically proven unbreakable cipher is the one-time pad[2], and even that holds only when the key is truly random, at least as long as the message, and never reused.

Despite all this historical background undermining the idea of an un-[blank]-able device, we still see this technological perpetual motion machine[3] being pushed. This week John McAfee offered $100k to anyone who can break his unhackable crypto-wallet.

Like many products that claim to be unhackable, the details around the technology are vague at best. Everyone claims some ‘proprietary technology’ that makes their solution unlike everything that came before it. Reading the vague concepts behind the product, you can see how the claim tries to stand up, but there isn’t enough detail to make such a definitive statement.

This is where I think the problem with the un-[blank]-able thing ultimately lies. The item may be un-[blank]-able now, because the idea is something new or different from what people have seen before. This has historically been the case with the unpickable lock. Sure, the device that John’s team created may be “unhackable” now, but there is no guarantee it will stay that way and using the unhackable phrase puts a target on the device.

If you are interested in crypto-currencies, hardware, or security, I’d recommend checking out the challenge. The device is $120 and, assuming you don’t brick it in your attempts to hack it, you’ll at least have a nifty new hardware crypto-wallet for your Bitcoin or Monero. If you just like to watch the world burn, take the $120 and send one to someone you think will enjoy breaking it.

[Image: Chopper headbang. Chopper reacts to the unhackable claims.]