Saturday, January 20, 2007

Security lessons of the evil overlords 

Supervillains seem to have lousy security. Their worst enemies sneak around their castles undetected and eventually blow up everything the villains have worked for.

This sad state of affairs moved technical people to try to help. Many people around the net contributed to a handbook for evil overlords. Quite a few of the lessons learned apply to non-evil people as well.

It's in the form of a list of things that any budding evil overlord should promise himself never to do. Here are excerpts with a discussion of the security principles behind them.



# My Legions of Terror will have helmets with clear plexiglass visors, not
face-concealing ones.

Here, the fundamental mistake was to use uniforms as a means of
identification and authorization.
One of the oldest scams that intruders like to use is to dress up like a
phone company technician, walk in, and say "I got a call that you've been
having some trouble with the network. Where's the wiring closet?"
Either be able to recognize everybody's face (which is great for a small
organization) or challenge everyone who doesn't have a photo-ID badge.
Get positive identification before you let someone into your server room
who's wearing stormtrooper armor.

# The artifact which is the source of my power will not be kept on the
Mountain of Despair beyond the River of Fire guarded by the Dragons of
Eternity. It will be in my safe-deposit box. The same applies to the object
which is my one weakness.

That must have been one great sales presentation by Mountain of Despair
Secure Storage, Inc. Salesmen are not on your side. Don't shell out huge
amounts of money unless the people you're paying think it's a good idea.

And shiny high tech may not be best.

# One of my advisors will be an average five-year-old child. Any flaws in my
plan that he is able to spot will be corrected before implementation.

This can work. Imagine a five-year-old's questions: "Why?", "What if?", "How
does that work?", and so on. Those questions will cut through technobabble and expose snake oil.

# When I employ people as advisors, I will occasionally listen to their
advice.

Something I hear over and over from IT staff is that their bosses don't pay
enough attention when they want budget for tape backups or for upgrades.

# I will keep a special cache of low-tech weapons and train my troops in
their use. That way -- even if the heroes manage to neutralize my power
generator and/or render the standard-issue energy weapons useless -- my
troops will not be overrun by a handful of savages armed with spears and
rocks.

There's one horror story about a company that invested in shiny electronic
locks everywhere. When the power went out, the doors wouldn't open. All the
operators were locked out of the server room, watching the battery backups
run down and the machines shut off without a chance to save anything.

Also make sure you have a list of phone numbers handy so you can get hold of
people when email goes down.

# I will maintain a realistic assessment of my strengths and weaknesses.
Even though this takes some of the fun out of the job, at least I will never
utter the line "No, this cannot be! I AM INVINCIBLE!!!" (After that, death
is usually instantaneous.)

Similarly, never assume that any one security measure is immune to all
attacks.

# No matter how well it would perform, I will never construct any sort of
machinery which is completely indestructible except for one small and
virtually inaccessible vulnerable spot.

Attackers will attack at the weakest point, and the first one to find it
will share it with all his friends on the Internet. Concentrate on upgrading
weak points, no matter how boring, instead of trying to decide on the
perfect encryption algorithm.

# I will never build only one of anything important. All important systems
will have redundant control panels and power supplies. For the same reason I
will always carry at least two fully loaded weapons at all times.

Very few places can afford that, but spare batteries and extra backups are a
really good idea.


# I will not fly into a rage and kill a messenger who brings me bad news
just to illustrate how evil I really am. Good messengers are hard to come
by.

This is one of the most important lessons.

You want to hear about security problems, so you can fix them. Too many
companies treat people who report security issues as though they were
criminals. Those companies remain vulnerable.

# I won't require high-ranking female members of my organization to wear a
stainless-steel bustier. Morale is better with a more casual dress-code.
Similarly, outfits made entirely from black leather will be reserved for
formal occasions.

Employee morale matters more to security than most people think. Your sexual harassment policy is a security measure.

# If my trusted lieutenant tells me my Legions of Terror are losing a
battle, I will believe him. After all, he's my trusted lieutenant.

Again, bad news is one of the best services someone can give you. Good news
doesn't improve your security. If you don't trust your people enough to
listen to them, why did you hire them?

# I will only employ bounty hunters who work for money. Those who work for
the pleasure of the hunt tend to do dumb things like even the odds to give
the other guy a sporting chance.

Did you really think that hiring a "reformed hacker" was a good idea?

# I will make sure I have a clear understanding of who is responsible for
what in my organization. For example, if my general screws up I will not
draw my weapon, point it at him, say "And here is the price for failure,"
then suddenly turn and kill some random underling.

Punishing the innocent devastates morale. So does the sight of executives
who never get held accountable. See the comments about morale above.

# I will treat any beast which I control through magic or technology with
respect and kindness. Thus if the control is ever broken, it will not
immediately come after me for revenge.

The beasts you control through paychecks are in a position to do you a lot
of damage if you mistreat them. You can be tough without being abusive.

# My main computers will have their own special operating system that will
be completely incompatible with standard IBM and Macintosh powerbooks.

Well, hmm. That special operating system won't have had as much debugging
or as many security enhancements as a standard one. It's more cost effective to be
interoperable.

On the other hand, there are advantages to being in the minority. The Opera
web browser works great and few if any people bother attacking it.

# I will hire a team of board-certified architects and surveyors to examine
my castle and inform me of any secret passages and abandoned tunnels that I
might not know about.

When your security consultant says boring things like "inventory" instead of
selling you shiny equipment, pay attention. That older stuff that nobody
knows about will not have had security patches installed. Old equipment is
like abandoned tunnels.

# I will not strike a bargain with a demonic being then attempt to
double-cross it simply because I feel like being contrary.

Don't cheat on software licenses from a demonic software company.

# My Legions of Terror will be trained in basic marksmanship. Any who cannot learn to hit a man-sized target at 10 meters will be used for target practice.

What sort of training program do you have? Are your employees missing basic
skills?

# Before employing any captured artifacts or machinery, I will carefully
read the owner's manual.

Change the password from the factory default while you're at it.


# My five-year-old child advisor will also be asked to decipher any code I
am thinking of using. If he breaks the code in under 30 seconds, it will not
be used. Note: this also applies to passwords.

The password-guessing programs and codebreakers out there are better than
you think. Pick well-tested systems and don't try to invent your own.

# If my advisors ask "Why are you risking everything on such a mad scheme?",
I will not proceed until I have a response that satisfies them.

You appointed them advisors for a reason. They may be wrong, they may be
missing something that only you know (but why didn't you tell them so they
could give you good advice?), but if you have a good reason to overrule them
you should be able to explain it.

# I will design fortress hallways with no alcoves or protruding structural
supports which intruders could use for cover in a firefight.

Ask your local police department about "crime prevention through
environmental design".

# Bulk trash will be disposed of in incinerators, not compactors. And they
will be kept hot, with none of that nonsense about flames going through
accessible tunnels at predictable intervals.

At least get a shredder. Make sure that discarded disks, tapes, and memory cards really are unreadable.


# My security keypad will actually be a fingerprint scanner. Anyone who
watches someone press a sequence of buttons or dusts the pad for
fingerprints then subsequently tries to enter by repeating that sequence
will trigger the alarm system.

You'd be surprised how many ways there are to find the four-digit sequence
on a cipherlock.

# No matter how many shorts we have in the system, my guards will be
instructed to treat every surveillance camera malfunction as a full-scale
emergency.

Fix the false alarm problem instead.

# When I create a multimedia presentation of my plan designed so that my
five-year-old advisor can easily understand the details, I will not label
the disk "Project Overlord" and leave it lying on top of my desk.

Or on a laptop on the back seat of your car.


# If the hero runs up to my roof, I will not run up after him and struggle
with him in an attempt to push him over the edge. I will also not engage him
at the edge of a cliff. (In the middle of a rope-bridge over a river of
molten lava is not even worth considering.)

If your security situation turns into drama then you've already lost.

# If my weakest troops fail to eliminate a hero, I will send out my best
troops instead of wasting time with progressively stronger ones as he gets
closer and closer to my fortress.

Security measures that are too weak are counterproductive because they're a training system for opponents. Satellite TV providers made this mistake. A generation of people who wanted free TV gradually learned to crack tougher security measures.


# I will not use any plan in which the final step is horribly complicated,
e.g. "Align the 12 Stones of Power on the sacred altar then activate the
medallion at the moment of total eclipse." Instead it will be more along the
lines of "Push the button."

Usability is good security.

# I will make sure that my doomsday device is up to code and properly
grounded.

And that you have enough fire extinguishers.

# After I capture the hero's superweapon, I will not immediately disband my
legions and relax my guard because I believe whoever holds the weapon is
unstoppable. After all, the hero held the weapon and I took it from him.

Superweapons are not a substitute for a proven system.


# I will not ignore the messenger that stumbles in exhausted and obviously
agitated until my personal grooming or current entertainment is finished. It
might actually be important.

Lines of communication matter.

# I will not turn into a snake. It never helps.

There's no security lesson to that one. I just left it in because it's funny.
