Monday, January 23, 2012

Invert, always invert


Charlie Munger, the less famous billionaire partner of Berkshire Hathaway, is famous for his critiques of human psychology.  He constantly warns of common mistakes that people make, and suggests simple ways you can improve your thinking capability.

One of his basic maxims is: "Invert, always invert".  The idea is that by always looking at something in the same way, you get stuck in basic assumptions.  By inverting your perspective, you can often find radically new approaches to problem solving.

Let's take a look at how this might be applied to the world of computer security.

Many years ago, while reading the otherwise excellent DAK Catalog, I found a description of one of the most poorly designed security products I can imagine.  It was a password protection system designed for a dial-up phone system (yes, at risk of dating myself, this was pre-Internet).  Concerned about the possibility that an intruder would attempt a brute force attack, the designers of this product came up with what they thought was a very clever idea.  The first incorrect character that was entered would immediately disconnect the call.  No longer would it be possible for an intruder to try hundreds or thousands of passwords at a go.  One strike and you're out, dial back and try again.

Let's think about what this means.

Suppose this product used a ten character password.  Further assume it can use upper and lower case letters, and numbers.  That gives you a total of 62 options per character, and 62 to the tenth power possible passwords, or roughly 839 quadrillion possible passwords.  On average, a brute force attack will guess it correctly after 419 quadrillion tries.  Assuming you could try ten times a second (which is a pretty aggressive assumption for a slow speed dial-up system), hacking this system using a brute force attack would probably require 1.3 billion years.

However, this system accidentally leaked critical information to the intruder.  As soon as you guessed the first character correctly, IT TOLD YOU THAT YOU WERE CORRECT.  That is, it failed to disconnect you immediately.  This means that on average, you can guess each character in 31 attempts.  Guessing the entire ten character password would likely take you 310 attempts.  Assuming you could try one combination per minute (much slower than before, as it forces you to redial each time), hacking this system would require a bit over 5 hours.

Ouch.

This is why it's difficult to build secure systems just right.  If you're not really careful, it's very easy to leak all sorts of unintentional information, sometimes using the very mechanisms that you think are making your system more secure.
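As an added illustration (Python written for this post, not part of the original), here is a small model of the two gates: the catalog product, which drops the line at the first wrong character and so reveals how far a guess got, and a fixed gate that reads the whole password, compares constant-time over fixed-length digests, and answers every failure identically.  The position-by-position strategy costed above at 31 guesses per character recovers the secret from the leaky gate in at most 62 × 10 dials and gets nowhere against the fixed one.  The model generalizes the post's observation slightly by reporting the drop position for any prefix, not only the first character; the secret and the try rate are constructed values.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols per position, as in the post
PASSWORD_LENGTH = 10


class LeakyGate:
    """Model of the catalog product: the line is dropped at the first wrong character.
    The caller learns at which position the drop happened, which is exactly the
    information the product leaks."""

    def __init__(self, secret):
        self._secret = secret
        self.attempts = 0

    def dial(self, guess):
        self.attempts += 1
        for pos, (g, s) in enumerate(zip(guess, self._secret)):
            if g != s:
                return ("dropped", pos)          # pos characters were accepted before the drop
        if len(guess) != len(self._secret):
            return ("dropped", len(guess))       # whole prefix accepted, password incomplete
        return ("connected", len(self._secret))


class FixedGate:
    """Hardened gate: the whole password is read before any decision, the comparison is
    constant-time over equal-length digests, and every failure looks the same."""

    def __init__(self, secret):
        self._digest = hashlib.sha256(secret.encode()).digest()
        self.attempts = 0

    def dial(self, guess):
        self.attempts += 1
        if hmac.compare_digest(hashlib.sha256(guess.encode()).digest(), self._digest):
            return ("connected", None)
        return ("dropped", None)                 # no position, so no progress information


def recover_by_prefix(gate):
    """The position-by-position strategy the post costs at 31 guesses per character.
    It depends on the gate reporting the drop position; when the gate reports nothing,
    no symbol ever extends the prefix and the function gives up with None."""
    known = ""
    for pos in range(PASSWORD_LENGTH):
        for ch in ALPHABET:
            status, dropped_at = gate.dial(known + ch)
            if status == "connected" or (dropped_at is not None and dropped_at > pos):
                known += ch
                break
        else:
            return None
    return known


def brute_force_expected_years(alphabet_size, length, tries_per_second):
    """Expected blind brute-force time: half the keyspace at the given rate."""
    expected_tries = alphabet_size ** length / 2
    return expected_tries / tries_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    secret = "Zq7wLm2Kp9"                        # constructed example password
    leaky = LeakyGate(secret)
    print("leaky gate recovered:", recover_by_prefix(leaky), "in", leaky.attempts, "dials")
    fixed = FixedGate(secret)
    print("fixed gate recovered:", recover_by_prefix(fixed), "after", fixed.attempts, "dials")
    print("blind brute force at 10/s: %.2e years" % brute_force_expected_years(62, 10, 10))
```

The fixed gate is not merely "check all ten characters before deciding": it also hashes both sides so the comparison runs over equal-length inputs, and it returns nothing but connected or dropped, so the caller cannot distinguish one wrong guess from another by anything it observes.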

This is a great example of a security flaw, because it provides an interesting clue about how we might invert our entire approach to security.

Let's go back to the original idea of a ten character password.  Let's assume that we don't leak any information to the would-be intruder to let them know how much progress they're making on cracking that password.  We still suffer from the same basic weakness: we tell the intruder when they have successfully guessed the password.

This sounds ridiculously obvious.  How can a legitimate user of the service function if they don't get access to their data when they type the correct password?  As soon as the data comes up, you know the password is correct.

Unless... you invert the assumption.

What if every user id and password combination provided access to the system?  Note I didn't say "legitimate access", just access.  An incorrect id and password combination would take the intruder straight into a bogus screen, a concept known as a honeypot.  If this was a banking system, then it would provide access to an account with an imaginary name, holding imaginary sums of cash, and an imaginary history of transactions.

Could an intruder tell that all this was fake?  Probably.  Eventually.  They could research that name, and see if it was a legitimate person.  Look up that name at the account's address.  There are all sorts of things they could do.

It would take minutes at best.  It might take hours.  Or days.  What a waste of time.  How is an intruder ever going to do a brute force attack if they have to spend minutes or hours or days on each guess, using human intelligence rather than a machine algorithm to detect if they've found a legitimate combination?  And all the while, alarm bells should be going off in the bank, warning administrators and police that somebody is attempting to snoop where they shouldn't be.  Choosing one wrong id and password is understandable.  Ten in a row is clearly a criminal.  And finding a legitimate account will take trillions of tries (or more).

Clearly, this idea is more applicable in some contexts than in others.  It takes time and effort to create effective algorithms to generate realistic-looking data (and especially to make sure that real data doesn't leak through).  For a bank system, which has highly structured, very valuable, and easily generated data, this makes sense.  For an online newspaper, not so much.  So it's not a silver bullet.  Still, it's an interesting concept that can be combined with existing security technologies to drastically raise the difficulty for intruders, simply by inverting a basic concept.
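An added sketch, in Python and not from the post, of what such a login handler could look like: every id/password pair returns an account view, only the correct pair returns the real one, a wrong pair gets a decoy derived by keyed hash from the submitted credentials (so the same wrong guess always opens the same decoy and re-logging in reveals nothing), and the tenth consecutive failure from one source raises the alarm the post calls for.  The server key, the name and merchant lists, the salt and the one real account are constructed for the example.  The decoy generator never reads the real user store, which is how the "real data doesn't leak through" requirement above is met here.

```python
import hashlib
import hmac
import random
from collections import defaultdict

# Constructed for this example: a real deployment takes these from its own configuration.
DECOY_KEY = b"example-only-server-secret"
FIRST_NAMES = ["Ada", "Grace", "Linus", "Margaret", "Ken", "Radia"]
LAST_NAMES = ["Lovelace", "Hopper", "Torvalds", "Hamilton", "Thompson", "Perlman"]
MERCHANTS = ["Grocer", "Fuel", "Pharmacy", "Cafe", "Transit", "Bookshop"]


def credential_hash(user_id, password, salt):
    """Salted PBKDF2 for the stored credential; the user id is mixed in so two users
    with the same password do not share a hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + user_id.encode(), 100_000)


def account_view(holder, balance_cents, transactions):
    """One builder for real and decoy responses, so their shape cannot give the game away."""
    return {"holder": holder, "balance_cents": balance_cents, "transactions": transactions}


def decoy_account(key, user_id, password):
    """A decoy derived only from the submitted pair and the server key.  It consults no
    real record, so nothing real can leak, and it is deterministic, so the intruder sees
    the same account every time the same wrong pair is tried."""
    seed = hmac.new(key, user_id.encode() + b"\x00" + password.encode(), "sha256").digest()
    rng = random.Random(int.from_bytes(seed[:8], "big"))
    holder = f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}"
    balance = rng.randint(5_000, 2_500_000)
    transactions = [(f"2012-01-{rng.randint(1, 22):02d}", rng.choice(MERCHANTS), -rng.randint(300, 20_000))
                    for _ in range(rng.randint(3, 8))]
    return account_view(holder, balance, transactions)


class HoneypotLogin:
    """Every id/password pair gets a session; only the correct pair gets the real account.
    Ten consecutive failures from one source raise an alarm ("Ten in a row")."""
    ALARM_THRESHOLD = 10

    def __init__(self, key):
        self.key = key
        self.salt = b"example-salt"      # constructed; per-user random salts in practice
        self.users = {}
        self.failures = defaultdict(int)
        self.alarms = []
        self.audit = []                  # (source, user_id, was_real): operator's view only

    def register(self, user_id, password, profile):
        self.users[user_id] = (credential_hash(user_id, password, self.salt), profile)

    def login(self, source, user_id, password):
        entry = self.users.get(user_id)
        # Hash the submitted password even for unknown ids, so an unknown id costs
        # the same time as a wrong password and the response never says which it was.
        submitted = credential_hash(user_id, password, self.salt)
        real = entry is not None and hmac.compare_digest(submitted, entry[0])
        self.audit.append((source, user_id, real))
        if real:
            self.failures[source] = 0
            return account_view(**entry[1])
        self.failures[source] += 1
        if self.failures[source] == self.ALARM_THRESHOLD:
            self.alarms.append(source)
        return decoy_account(self.key, user_id, password)


if __name__ == "__main__":
    svc = HoneypotLogin(DECOY_KEY)
    svc.register("alice", "correct horse battery staple",
                 {"holder": "Alice Example", "balance_cents": 123_456,
                  "transactions": [("2012-01-20", "Grocer", -4_250)]})
    print("right pair :", svc.login("10.0.0.5", "alice", "correct horse battery staple")["holder"])
    print("wrong pair :", svc.login("203.0.113.7", "alice", "guess")["holder"])
    print("same again :", svc.login("203.0.113.7", "alice", "guess")["holder"])
```

Two details carry the idea: the decoy's seed comes from an HMAC under a server key, so an intruder cannot predict or regenerate decoys offline, and the `real` flag lives only in the audit trail, never in the response the caller receives.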

Always remember to invert!
