
Bruce Schneier recently wrote a commentary, “Inside the Twisted Mind of the Security Professional.” To quote Bruce, “Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.”

I found myself coming back to Bruce’s words this week. I was trying to access an SSL site, and I was getting the warning message that the certificate authority was unknown. Immediately, my mind went to a man-in-the-middle attack. I looked at the source code of the site and could see the page was loading a GIF image from another server via SSL. The GIF was a 1×1 pixel that blended into the page background. The page coders were probably having problems with table spacing and used this technique, copying code from a server that had a self-signed certificate.

I tried reporting it, and found that folks thought me quite mad. I guess they figured I was just getting hung up on a minor issue. After all, no one else was reporting it. I, on the other hand, could not help but realize that all those folks I reported this to had failed to notice the problem. They accepted the self-signed certificate and went on to log into the site. They were not using single sign-on. This, I found more troubling.

What could an invalid certificate indicate? As Billy Joel would argue, it comes down to a matter of trust. Now imagine a person came up to you and claimed to be a Nigerian princess who just needs to move millions of dollars over to the US. To prove her identity, she pulls out a Nigerian library card. You are not likely to believe her. Now, if the President, the Pope, the Dalai Lama, and a whole bunch of security people accompanying her vouched for her, you might be more willing to accept she is who she says she is. A certificate works the same way: it is only as meaningful as the party that vouches for it. An unknown certificate authority can claim to be from any company and issue certificates for any machine name it likes. Anyone can create a certificate authority, which is nothing more than a self-signed certificate marked as a CA, and start issuing certificates from it. The browser’s warning means the certificate was signed by a party that is not in your trust store; it says nothing about whether that party is a careless web developer or an attacker.

How do you put this to use? Someone wanting to gain credentials and information from employees at the Acme Corporation might use a man-in-the-middle attack. They create their own certificate authority, naming it something like “Acme Corporation Public Issuing CA 01.” People trust things with numbers in them; it seems more authoritative. They then issue a certificate for the Acme mail server’s hostname from that CA and install it on a machine to be used as a proxy server. This proxy server intercepts communications between Acme employees’ machines and the Acme mail server. Employees, thinking they are signing into the Acme mail server, end up providing their credentials to the proxy server. The proxy server uses the credentials to sign into the real Acme mail server and relays data back and forth to the employees. This is made possible by the employee accepting the untrusted certificate. SSL and the certificate only ensure that the data is encrypted between the employee’s computer and whatever endpoint presented the certificate, which here is the hacker’s web proxy. Worse, once a user is in the habit of clicking through the warning for a harmless 1×1 GIF, the warning for the proxy’s certificate looks exactly the same.
[Figure: man-in-the-middle]
How would a hacker redirect traffic? There are a few ways. Maybe old-fashioned DNS cache poisoning or ARP spoofing. A more interesting way recently discussed by the fine folks at Google and the Georgia Institute of Technology involves open recursive DNS servers. At the Network and Distributed System Security Symposium (NDSS) 2008, David Dagon, Niels Provos, Chris Lee, and Wenke Lee presented “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority.” They discovered that there are over 17 million open recursive DNS servers. About 0.4%, or 68,000, give users false answers that direct them to phishing sites. The point is, once an end user’s computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site; the attacker’s proxy simply answers for the mail server’s name, and the certificate warning is the only thing left to tip the user off.

A web developer having problems with a table layout creates a situation where employees trying to access a web page accept a certificate from an unknown certificate authority. What is the big deal? Is it just me that answers, “plenty!”? Is my brain wired differently? No. Might Bruce be right? Security does require a particular mindset. It is not unique to security folks, but it exists because of the continuous challenges faced by security professionals. Put simply, security professionals share some characteristics. These characteristics exist in people whose job requires them to be constantly learning and who are challenged with an ever-changing work landscape.

Ed Boyden wrote a post, “How to Think.” Ed is an assistant professor in the MIT Media Lab and the MIT Department of Biological Engineering. He leads the Neuroengineering and Neuromedia Group. When he applied for the job at the MIT Media Lab, he was asked to write a teaching statement. He ended up composing rules to help students “be creative, thoughtful, and powerful in a world where problems are extremely complex, targets are continuously moving, and our brains often seem like nodes of enormous networks that constantly reconfigure.” Here are the rules:

  1. Synthesize new ideas constantly
  2. Learn how to learn (rapidly)
  3. Work backward from your goal.
  4. Always have a long-term plan
  5. Make contingency maps
  6. Collaborate
  7. Make your mistakes quickly
  8. Write up best-practices protocols
  9. Document everything obsessively
  10. Keep it simple

I will not go through the rules in detail. Ed’s blog is a fascinating, informative site that should be added to everyone’s RSS reader. I did want to pay particular attention to the first rule. Ed’s complete description is:

Synthesize new ideas constantly. Never read passively. Annotate, model, think, and synthesize while you read, even when you’re reading what you conceive to be introductory stuff. That way, you will always aim towards understanding things at a resolution fine enough for you to be creative.

I would argue this is essential for everyone, especially when it comes to security. Put simply, think. Don’t passively move through life. When something does not work, ask why it does not work. Why is a site generating an unknown certificate authority warning? Find the cause and stop it from occurring, so employees don’t get used to clicking whatever they need to in order to make what they perceive as annoying messages go away.

Ed’s post also serves as a warning. How many times in our busy, information-filled lives, as we attempt to learn rapidly, do we end up reading passively? Sure, we may be obtaining the facts, but does memorization of facts really help? When I first started listening to podcasts, I was jazzed. There was this pool of people willing to give up their time and share their knowledge and experience with those willing to listen. These people challenged me to see IT from a different point of view. As I preached the benefits of listening to podcasts, I heard from others how they were just too busy to listen. Instead, to keep informed, they would read RSS feeds. I read RSS feeds also, but the knowledge transfer is completely different. When reading blog posts, how frequently do we skim the titles, or the first few lines, and move on? Nielsen Norman Group researchers did a study involving newsletters. They found that the average time allocated to an email newsletter after opening it is just 51 seconds. People scan the text, with only 19% of newsletters being read fully. Eyetracking observations of users reading RSS news feeds showed that people scan the headlines and blurbs in feeds even more ruthlessly than they scan newsletters. One of the reasons I write blogs is because it requires me to stop and think. It is similar to teaching. One learns from teaching because you are forced to question and dive deeper into subjects. You are not just learning a subject, you have to understand it.

Jeff Moser wrote an interesting posting, “What Does It Take To Become A Grandmaster Developer?” In it, Jeff asks the reader to, “See how much of the following sequences of letters and numbers you can memorize in the next 20 seconds:”

  • T, E, X, A, S, O, H, I, O, V, E, R, M, O, N, T, R, H, O, D, E, I, S, L, A, N, D
  • 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41

Jeff provides a graph of how people performed:

The point being that the results are not based on innate or raw talent. People in Group 1 realized that the letters were grouped into state names: “TEXAS”, “OHIO”, “VERMONT”, and “RHODE ISLAND.” Group 1 members probably also realized the number sequence was the prime numbers up to 41. When tasked with remembering, they did so by using the groupings, versus having to memorize each letter and number. The people in Group 1 held less raw information in memory but recalled everything through these “chunks.” In terms of raw memory talent, one could argue Group 6 won by trying to remember, and remembering, more individual letters and numbers, even if it was only 20% of what Group 1 perfectly recalled. The bottom line is that Group 1 performed the task. Thinking, not memorizing, is a major component of learning.

Anders Ericsson, editor of the book “Cambridge Handbook of Expertise and Expert Performance,” states:

Successful people spontaneously do things differently from those individuals who stagnate. They have different practice histories. Elite performers engage in what we call “deliberate practice”–an effortful activity designed to improve individual target performance. There has to be some way they’re innovating in the way they do things.

John Cloud, staff writer for Time, examines Ericsson’s book in the article “The Science of Experience.” John summarizes:

Ericsson’s primary finding is that rather than mere experience or even raw talent, it is dedicated, slogging, generally solitary exertion — repeatedly practicing the most difficult physical tasks for an athlete, repeatedly performing new and highly intricate computations for a mathematician — that leads to first-rate performance. And it should never get easier; if it does, you are coasting, not improving. Ericsson calls this exertion “deliberate practice,” by which he means the kind of practice we hate, the kind that leads to failure and hair-pulling and fist-pounding. You like the Tuesday New York Times crossword? You have to tackle the Saturday one to be really good.

Philip E. Ross writes for Scientific American in the article “The Expert Mind.” Philip writes:

The conclusion that experts rely more on structured knowledge than on analysis is supported by a rare case study of an initially weak chess player, identified only by the initials D.H., who over the course of nine years rose to become one of Canada’s leading masters by 1987. Neil Charness, professor of psychology at Florida State University, showed that despite the increase in the player’s strength, he analyzed chess positions no more extensively than he had earlier, relying instead on a vastly improved knowledge of chess positions and associated strategies.

Learning is about developing chunks of knowledge. This is applicable to how we take in information. Guy Kawasaki posted an interview with Garr Reynolds, author of “Presentation Zen: Simple Ideas on Presentation Design and Delivery (Voices That Matter).” Garr says, “The goal of the book was not to offer panaceas and rigid rules, but instead to encourage people to think differently about their visuals, the way they present them, and how they connect with audiences. My hope is that people find some things new in the book that stimulate their creativity–helping them to discover a more ‘enlightened’ and more effective approach to presenting.” It is all about getting people to think and be actively involved. Only then can learning occur.

The brain is not a dumping ground of facts. Way back in high school I knew a kid who could tell you the capital of every state. Nice kid, but what the heck was the point? He went away to college, had a real rough time, and fortunately eventually learned life is not about memorizing. Experience does not equal exposure to facts that we store in memory and spit out to impress people. Well, unless you are playing Trivial Pursuit. Expertise comes from continuously building and reorganizing chunks of memory. Experience is the development of these chunks of memory. When a certificate signed by an unknown certificate authority is presented, chunks of memory start forming. First, the brain pulls from system administration experience information concerning how certificate authorities can be created and certificates issued from them. Another chunk pulled involves phishing techniques. Another chunk involves man-in-the-middle attacks. Another chunk involves subverting DNS results. The more experience, the more chunks. All continuously being reorganized.

While we may need to be “repeatedly practicing the most difficult physical tasks,” I do need to add a cautionary note. Everyone reading this blog is human, as far as I know. Humans need to realize that the brain has its own requirements to help remember and organize. Gregory Kellett, a researcher at UCSF investigating the psychophysiology of social stress, writes “Relaxing for your Brain’s Sake.” Gregory makes many great points. Here are a few requirements for dealing with stress:

  • Stay in the moment – Since our conscious awareness is only able to take and process a finite amount of information at a time, fully engaging our senses limits the amount of (often stress generating) mental chatter our brains are able to entertain.
  • Catch zzzzzzs – People who do not get enough sleep not only get more exposure to cortisol during the night, but also have higher resting levels of this stress hormone during the day.
  • Get kinetic – Prolonged exposure to stressful situations can inhibit the brain’s ability to generate new neurons (neurogenesis). Exercise by contrast has been proven to promote neurogenesis, counterbalancing damage experienced under times of sustained “non-relaxation”.

So what is so bad about not getting any exercise or sleep, and being stressed out? To quote from Gregory’s post, “Stress and Neural Wreckage: Part of the Brain Plasticity Puzzle:”

Our brains appear to be most vulnerable to the effects of excessive stress in a region called the hippocampus. The hippocampus is a mass of neurons each with multiple branch-like extensions (dendrites and axons) which make connections (synapses) with other neurons all across the brain. Among other things, this region is important in dealing with emotions and consolidating new memories. As with all brain regions, its ability to adapt relies upon being able to alter the branching and connections of its neurons. The hippocampus is also one of the only regions of the brain known to be able to produce new neurons, a process called neurogenesis.

Sometimes you just have to stop being caught up in daily life. Don’t operate in automatic mode. Think. Form new ideas. Collaboration is the best way to be exposed to new ways of thinking and to challenge your own thoughts. It is okay to make mistakes. In genetic algorithms, crossing the best performers with poorer ones keeps variety in the population, and that variety is how the search climbs out of false peaks (local optima) and reaches the real solution. Examine and challenge yourself. Never stop doing so. Take time to sleep. Get some exercise and try to relieve some stress. Some very intelligent people have provided a roadmap above for better learning. It would be wise to listen, think about what has been said, and follow what makes sense.

4 Responses to “Just Stop, Listen, Think, Learn, and Repeat”

  1. Dr. Sanford Aranoff says:

    Think and form new ideas. Great motto! See the new book on amazon.com: “Teaching and Helping Students Think and Do Better”.

  2. Malcolm says:

    Jimmy Guterman, from O’Reilly Radar, just posted a review of Dan Roam’s “The Back of the Napkin.” I don’t have personal experience, but through Jimmy’s post I do have respect for the guy’s opinions. To quote Jimmy’s review, “Essentially, [the book] it’s a framework for understanding why presenting problems in visual form makes it easier to solve them and presenting ideas in visual form makes it easier to develop them and convince others that they’re good ideas.” Humans are such visual creatures. We are good at processing visually. This is why data visualization is such an interesting field. It makes sense that being able to present ideas effectively visually would help in the learning process.

  3. John says:

    Somewhat related, at least to the visualization aspect, are two tools that might be of interest. First, Sketchcast from Sketchcast.com. You might want to check out Richard Ziade’s post, “Introducing: Sketchcasting.” Richard describes Sketchcast as “a really neat Flash-based web app that lets you record your sketches and share them or post them Youtube-style. Very, very cool and well executed.”

    The second tool is Mindmaps. Take a look at Dave Oliver’s posting, “Managing your Mind. Mindmaps, a handy tool for the Enterprise Architect.” There are many software packages to help with Mindmaps. See the site http://www.mind-mapping.org for a writeup on each of the various packages. Also, from Dave’s post, you will find a great discussion and links to various tools. Dave’s favorite: Mindjet Mindmanager Pro 7. I have heard many positive comments on this package.

Trackbacks/Pingbacks

  1. [...] response to my recent posting, “Just Stop, Listen, Think, Learn, and Repeat,” I got some very informative feedback. One methodology that I have heard a great deal about, [...]
