Charlie Munger, the less famous billionaire partner at Berkshire Hathaway, is known for his critiques of human psychology. He constantly warns of the common mistakes people make, and suggests simple ways to improve your thinking.
One of his basic maxims is: "Invert, always invert". The idea is that by always looking at something in the same way, you get stuck in your basic assumptions. By inverting your perspective, you can often find radically new approaches to a problem.
Let's take a look at how this might be applied to the world of computer security.
Many years ago, while reading the otherwise excellent DAK Catalog, I found a description of one of the most poorly designed security products I can imagine. It was a password protection system for a dial-up phone system (yes, at the risk of dating myself, this was pre-Internet). Concerned that an intruder might attempt a brute force attack, the designers came up with what they thought was a very clever idea: the first incorrect character entered would immediately disconnect the call. No longer would it be possible for an intruder to try hundreds or thousands of passwords in one session. One strike and you're out; dial back and try again.
Let's think about what this means. Suppose this product used a ten character password, drawn from upper and lower case letters and digits. That gives 62 options per character and 62 to the tenth power possible passwords, roughly 839 quadrillion. On average, a brute force attack will hit the right one after about 419 quadrillion tries. Assuming you could try ten times a second (a pretty aggressive assumption for a slow dial-up line), a brute force attack on this system would take about 1.3 billion years.
However, this system accidentally leaked critical information to the intruder. As soon as you guessed the first character correctly, IT TOLD YOU THAT YOU WERE CORRECT: it failed to disconnect you. The check had become an oracle for one character at a time. With 62 possibilities per position, you need about 31 attempts on average (62 in the worst case) to find each character, so guessing the entire ten character password takes around 310 attempts, and never more than 620. Assuming you could try one combination per minute (much slower than before, since every wrong guess forces you to redial), hacking this system would take a bit over 5 hours.
Ouch.
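The arithmetic above is easy to check by simulation. The following is an added example, not code from the original post or from any real product: it models the catalog product as a check that hangs up at the first wrong character, runs the prefix-by-prefix attack against it, and contrasts it with a check that only answers yes or no after the whole password. The ten character secret, the 62-symbol alphabet and the attempt counts are constructed for the simulation.

```python
import hmac
import string

# The 62-symbol alphabet from the post: upper and lower case letters plus digits.
ALPHABET = string.ascii_letters + string.digits

# Constructed 10-character secret for the simulation (not from the post).
SECRET = "q7Rt2Lp0Xz"


def leaky_check(secret, typed):
    """Model of the catalog product: hang up at the first wrong character.

    Returns how many characters were accepted before the line dropped.
    A return value equal to len(secret) means the caller got in. The
    return value itself is the leak: each call tells the attacker whether
    the character at position `accepted` was right.
    """
    accepted = 0
    for s, t in zip(secret, typed):
        if s != t:
            break
        accepted += 1
    return accepted


def safe_check(secret, typed):
    """Only answer after the whole password: one bit per call, nothing more.

    hmac.compare_digest avoids the early-exit timing difference a plain
    `==` can introduce, so response time does not leak position either.
    """
    return hmac.compare_digest(secret.encode(), typed.encode())


def prefix_attack(oracle, length):
    """Recover a password one character at a time from the disconnect oracle.

    `oracle(typed)` returns the number of accepted characters. Every
    candidate costs one redial. Returns (recovered_password, redials).
    """
    known = ""
    calls = 0
    for pos in range(length):
        for ch in ALPHABET:
            calls += 1
            if oracle(known + ch) > pos:   # line stayed up: character was correct
                known += ch
                break
        else:
            raise ValueError("character at position %d is not in ALPHABET" % pos)
    return known, calls


def attack_leaky_system(secret=SECRET):
    """Run the prefix attack against leaky_check for the given secret."""
    return prefix_attack(lambda typed: leaky_check(secret, typed), len(secret))


def worst_case_calls(length):
    """Upper bound on redials against the leaky design: 62 per character."""
    return len(ALPHABET) * length


def brute_force_space(length):
    """Guesses an attacker faces when the system only says yes or no."""
    return len(ALPHABET) ** length


if __name__ == "__main__":
    recovered, calls = attack_leaky_system()
    print(f"recovered {recovered!r} in {calls} redials "
          f"(worst case {worst_case_calls(len(SECRET))}, "
          f"yes/no search space {brute_force_space(len(SECRET)):,})")
    print("safe_check with the recovered value:", safe_check(SECRET, recovered))
```

Against `leaky_check` the attack needs a few hundred redials at most; against `safe_check` the same attacker is back to 62 to the tenth power, because the only thing the oracle returns is whether the entire string matched.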
This is why it's difficult to get secure systems just right. If you're not careful, it's very easy to leak all sorts of unintentional information, sometimes through the very mechanisms you think are making your system more secure.
This is a great example of a security flaw, because it provides an interesting clue about how we might invert our entire approach to security.
Let's go back to the original idea of a ten character password. Let's assume that we don't leak any information to the would-be intruder about how much progress they're making on cracking that password. We still suffer from the same basic weakness: we tell the intruder when they have successfully guessed the password.
This sounds ridiculously obvious. How can a legitimate user of the service function if they don't get access to their data when they type the correct password? As soon as the data comes up, you know the password is correct.
Unless... you invert the assumption.
What if every user id and password combination provided access to the system? Note I didn't say "legitimate access", just access. An incorrect id and password combination would take the intruder straight into a bogus screen, a concept known as a honeypot. If this were a banking system, it would provide access to an account with an imaginary name, holding imaginary sums of cash, and an imaginary history of transactions.
Could an intruder tell that all this was fake? Probably. Eventually. They could research the name and see whether it belongs to a real person, or look up the name at the account's address. There are all sorts of things they could do.
It would take minutes at best. It might take hours. Or days. What a waste of time. How is an intruder ever going to mount a brute force attack if they have to spend minutes or hours or days on each guess, using human judgement rather than a machine algorithm to detect whether they've found a legitimate combination? And all the while, alarm bells should be going off in the bank, warning administrators and police that somebody is attempting to snoop where they shouldn't be. Choosing one wrong id and password is understandable. Ten in a row is clearly a criminal. And finding a legitimate account will take trillions (or more) of tries.
Clearly, this idea is more applicable in some contexts than in others. It takes time and effort to build algorithms that generate realistic looking data (and especially to make sure that real data doesn't leak through), and the decoy has to stay consistent: a fake account whose balance or history changes between visits, or a login that answers faster for decoys than for real customers, gives the game away and hands the intruder the very oracle we set out to remove. For a banking system, which has highly structured, very valuable, and easily generated data, this makes sense. For an online newspaper, not so much. So it's not a silver bullet. Still, it's an interesting concept that can be combined with existing security technologies to drastically raise the difficulty for intruders, simply by inverting a basic concept.
Always remember to invert!