The Art of Security

Back in 1987, a colleague and I were using the large computer systems of the University of Leicester to run rather a lot of number crunching. Leicester had a large, well connected and well managed VAX Cluster which was ideal as a platform to collect password files and analyse them for erm… Statistics. It’s probably fair to say that we didn’t have permission to be using the Leicester systems but life was somewhat different then.

We’d been using this machine for a few months and one day we spotted that something was amiss. The Systems Manager of the machine had activated process accounting which effectively meant that everything we had done had been logged and there was a complete audit-trail of our naughtiness.

This was a long time ago, in the days before writeable CDs but we had an equally bad adversary in the guise of the system console of the VAX 8600 we were squatting on. In those days consoles looked like this:

We had a problem at this point, in that we didn’t really want the people at Leicester knowing what we’d been doing and at the same time we were somewhat stuck because it had all been printed out and you can’t remotely edit a teletypewriter trail. Although we’d turned off the accounting, and disabled any future accounting, we were in a little bit of a hole.

We pondered this for a while and came up with a nice and neat solution – We’d get the logs from the last week and we’d edit any traces of ourselves out – We’d then print this to the printer so that anybody looking back over it for however many days wouldn’t see us. A little bit of editing and a couple of hundred pages of printing later, we’d wiped all traces of our activity out. Taking the hint that we probably weren’t wanted, we politely left, breathing a small sigh of relief that we’d narrowly escaped detection.

A couple of years later, I was doing my postgraduate at Leicester University and I went for a drink with their Systems Manager, Pete Humble – I was a little more well known at this point as one of the “good guys” and we got to chatting about the old days and for some reason the subject of tracking a big hack a couple of years back came up. Pete told the story of how some people had been using his machines for nefarious activities but they’d always managed to evade any logging so nobody had a clue what they were doing.

Apparently he came up with the idea of setting process accounting on the miscreants and logging this all to the console. I grinned knowingly and smugly asked him how that went for him and was somewhat taken aback when he explained that those pesky kids had cleverly reprinted a few of days of sanitised logs to hide themselves BUT, that every night, he had marked the stack of paper on the edge with a thick red marker and when he saw that the evening had produced an extra foot or so of printout above the last red mark, he’d realised what had happened.

At that point, I bought the drinks for the rest of the evening and congratulated him on being the only person to have ever caught me, with something as apparently low tech as a red permanent marker pen.

Peet remained one of my best friends until he died a few years ago, and I like to think that he taught me a lot more than not to be too smug in underestimating lower-tech solutions.

Just as an amused aside for a Saturday afternoon – Back in 1998 I was building what was then Cellnet’s Genie System, it is now O2 but you can’t blame me for any of that, Genie was actually very good for its time.

I was bored one day and since Cellnet didn’t have anyone in charge of sex and pornography like BT then did, I couldn’t pass the buck on the username registration issue so I decided to do it myself. I sat down and made a list of rude words, I went round the office and asked everyone their favourite rude words, I polled IRC for various rude words and in the end, I had a pretty comprehensive list of rude words (which before you ask, I have now lost).

I decided to ignore the usual “Scunthorpe” issues, and just blanket ban registrations with any of them in – It wouldn’t tell them that they couldn’t use that name, it just told them that the username already existed.

I’d forgotten all about this about 6 months later until I got a call from the Cellnet support people up in Thurso – They had an issue with a user who couldn’t register and they’d tried to do it for her and still they couldn’t. They’d tried adding a 2, a 3 all the way up to 100 to her name and still, they kept getting told the user already existed. Nobody had been able to solve the problem, the poor user was upset that she had so many namesakes and I was just on the phone giggling which didn’t help at all.

I did fix it for her, as a one off, but to this day, the memory of poor old Jeanette Quimby still brings a smile to my face.

I first left the Commercial Security industry back in 1999 when I decided to create Recruitment.com. After I moved on from there, I ended up being interviewed for a directorship of a company making Intrusion Detection Systems.

They asked me a question which surprised me – It shouldn’t have but it did – “You haven’t done anything in the industry for over four years now. What makes you think that your skills are relevant?”

Maybe this is a problem with the whole concept of Commercial Security or indeed anyone who takes a wide view of security as interconnecting social and technological parts – I don’t think people know what it is. I think they are looking for ongoing training courses and certifications that give you letters after your name pronouncing that some random software company considers you to be an expert in something. I don’t have any of these and really I don’t want them. On the engineering side I am not going to mend a Cisco router myself and on the policy side, the various qualifications seem utterly meaningless and at odds with one another. The people who create these certifications are trying to push a methodology and singular methodologies are not always a good way to go.

I explained politely that very little that I do has changed much in the last few hundred years – Security is security, always has been, always will be. The methods of delivery differ but the concepts don’t. You can learn more about my type of security from sitting in the middle of a large castle and pondering why they built it the way they did. The inhabitants of the castle needed to be able to come and go and get about their daily lives, there were markets, shops and whole villages inside the larger castles and these communities needed protecting from outsiders and insiders alike. There’s nothing really new conceptually. Take the Trojan Horse – This was first deployed in name over 3,000 years ago and even then one of Troy’s very experienced voices was ignored when he said they should burn it. A fine example of management-override in action which can still teach us more real-world lessons than countless courses and certificates.

It is in the commercial interests of various corporations to have us believe that they can create expert security people by giving them a training course and a certification. They can’t, no more than military basic training can create a good soldier. Sandhurst and Westpoint teach the classics to the military officers of the future for good reasons – A firm grounding in history, an appreciation that you can learn from the past and an understanding that the last 4,000 years of human development were not just a waste of time; these are the tools that somebody needs to become a good security all-rounder. Then they need the experience of applying it, experience of where it goes wrong and experience of learning to live with the fact that most of the time, nobody will listen to them. Don’t worry – History will also teach that this was always the case as Laocoön would have pointed out if he hadn’t been silenced permanently.