Rogue One: The Best Star Wars Yet?

NewImageSomeone once asked me why I like Star Wars more than Star Trek. I was a bit taken aback, and he assumed that since I use it so much, I obviously prefer it. The real reason I use Star Wars is not that it’s better, but that there’s a small canon, and I don’t have to interrupt the flow of a talk to explain the scene where Darth Vader is strangling someone. But let’s face it, Star Trek was often better as science fiction. There are four or five bright lights that rank up there as some of the very best storytelling of the last few decades.

Trek at its most poignant was a transparent mirror to the world. The original series commented on Vietnam and race repeatedly in ways which let people see another way of looking at a situation. Moral nuance is easier to see when the ox being gored isn’t yours.

Rogue One is the first Star Wars with moral complexity. If you haven’t seen it, I find your lack of faith…disturbing. But when there’s a guy who cost you your limbs, your children, and threw the galaxy into civil war, throwing him in the reactor core isn’t a very complex choice. In fact, the whole “dark side” is a bit of a giveaway. In case you miss that, the Jedi were guardians of peace and justice throughout the galaxy. Are we clear yet? No? How about the Nazi uniforms? I could go on, but we’re gonna get to spoilers. My point is, the first four films were great action movies. Maybe we’ll see some moral complexity when someone finally gets around to filming the tragic fall of Anakin Skywalker, reputedly the core story of I-III. But I’m betting they’ll be action movies with talking teddy bears for the kids.

Speaking of morality, if you’re just now noticing that your political world resembles the Empire’s, or if you’re angry that the script seems to mock your party…maybe you should look at your world through that mirror and ask if you’re on the right side of morality or history. After all, that’s what makes for great science fiction. The opportunity to see the world through a new lens. And the fact is, the story was not substantially re-written. “Rogue One’s Discarded Dialog” and See 46 shots that were cut from Rogue One” show a story with a little less character, a little more army, but not a sympathetic, racially and species-diverse Empire. The movie wasn’t re-written as a commentary on 2016.

Structurally, Rogue One is a war story, not an action story. It’s not about the hero’s journey, or Luke growing up. It’s a story about the chaos that follows a civil war, and it’s messy and has characters who make choices from a set of bad options.

When Cassian shoots the fellow so he can escape at the start? Galen Erso’s decision to work on the Death Star, delay it, and insert a flaw (or two?) These are perhaps the wrong choices in bad situations. We don’t see why Saw Gerrera and the Rebel Alliance split. We see the Rebellion at its worst — unable to take action in the face of imminent destruction, and then impulsively chasing Rogue One into battle. (What Rogue One Teaches Us About the Rebel Alliance’s Military Chops is a great dissection of this.)

But we can look to Galen Erso’s decision to work on the Death Star, and have a conversation about what he should have done. Gone to a labor camp and let someone else build it with a better reactor core? What if that someone else had put more shielding over the thermal exhaust ports? (Speaking of which, don’t miss “The Death Star Architect Speaks Out,” and perhaps even my commentary, “Governance Lessons from the Death Star Architect.” I think the governance questions are even more interesting now, if the Empire were to conduct a blameless post mortem, but we know they don’t.) We can use that decision to talk, abstractly, about taking a job in the Trump Administration with less of the horrible emotional weight that that carries.

That mirror on the world is what great science fiction offers us, and that’s what makes Rouge One the best Star Wars yet.

Yahoo! Yippee? What to Do?

[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.]

Yesterday, Yahoo disclosed that attackers broke into Yahoo in 2013 and stole details on a billion accounts. Brian Krebs summarizes what was taken, and also has a more general FAQ.

The statement says that for “potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

Yahoo says users should change their passwords and security questions and answers for any other accounts on which they used the same or similar information used for their Yahoo account.

The New York Times has an article “How Many Times Has Your Personal Information Been Exposed to Hackers?

The big question is “How can you protect yourself in the future?” The Times is right to ask it, and their answer starts:

It’s pretty simple: You can’t. But you can take a few steps to make things harder for criminals. Turn on two-factor authentication, whenever possible. Most banking sites and ones like Google, Apple, Twitter and Facebook offer two-factor authentication. Change your passwords frequently and do not use the same password across websites.

I think the Times makes two important “mistakes” in this answer. [Update: I think mistake may be harsher than I mean: I wish they’d done differently.]

The first mistake is to not recommend a password manager. Using a password manager is essential to using a different password on each website. I use 1Password, and recommend it. I also use it to generate random answers to “security questions” and use 1Password’s label/data fields to store those. I do hope that one day they start managing secret questions, but understand that that’s tricky because secret questions are not submitted to the web with standard HTML form names.

The reason I recommend 1Password is that it works well without the cloud, and that means that a cloud provider cannot disclose my passwords. They also can’t disclose my encrypted passwords, where encrypting them is a mitigation for that first-layer information disclosure threat. (One of these days I should write up my complete password manager threat model.) These threats are important and concrete. 1Password competitor Lastpass has repeatedly messed this up, and those problems are made worse by their design of mandatory centralization.

It’s not to say that 1Password is perfect. Tavis Ormandy has said “More password manager bugs out today and more due out soon. I’m not going to look at more, the whole industry is crazy,” and commented on 1Password with a GIF. Some of those issues have now been revealed. (Tavis is very, very good at finding security flaws, and this worries me a bit.)

But: authentication is hard. You must make a risk tradeoff. The way I think about the risk tradeoff is:

  • If I use a single password, it’s easily compromised in many places. (Information disclosure threats at each site, and in my browser.)
  • If I use a paper list, an attacker who compromises my browser can likely steal most of my passwords.
  • If I use a cloud list, an attacker who breaks into that cloud can steal the list. If the list is encrypted, then they can still attack it offline. If the cloud design either sends my master password to the cloud, or javascript to the client, then my master password is vulnerable to an attacker who has broken into the cloud.
  • If I use a paper list, I can’t back it up easily. (My backups are on my phone, and in a PGP encrypted file on a cloud provider.)

So 1Password is the least bad of currently available options, and the Times should have put a stake in the ground on the subject. (Or perhaps their new “Wirecutter” division should take a look. Oh wait! They did. I disagree with their assessment, as stated above.)

The second big mistake is to assert that you can’t fully protect yourself in a simple, declarative sentence at the end of their answer. What’s that you say? It’s not the end of their answer? But it is. In today’s short attention-span world, you see those words and stop. You move on. It’s important that security advice be actionable.

So: use a password manager. Lie in your answers to “secret questions.” Tell different sites different lies. Use a password manager to remember them.

Seeing the Big Picture

This quote from Bob Iger, head of Disney, is quite interesting for his perspective as a leader of a big company:

There is a human side to it that I try to apply and consider. [But] the harder thing is to balance with the reality that not everything is perfect. In the normal course of running a company this big, you’re going to see, every day, things that are not as great as you would have hoped or wanted them to be. You have to figure out how to absorb that without losing your sense of optimism, which is part of leadership — without losing faith, without wanting to go under the covers and not come out, without being down or angry to a counterproductive level, and without demanding something of people that is unfair, inhuman, impossible. (“Bob Iger on Shanghai Disney, Parting With His Chosen Successor, and His Pursuit of Perfection“, Variety)

Note that he’s not saying ignore the problems; he’s not saying don’t get angry; he’s not saying don’t demand improvement. He’s saying don’t get so angry that it’s counterproductive. He’s saying be demanding, but be demanding in a fair way. He’s also saying that you can remain optimistic in the face of problems.

There’s lessons here for security professionals.

Do Games Teach Security?

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question:
Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments

Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card games designed for teaching various cybersecurity concepts. However, effectiveness of these card games is unknown for the most part and there is no study on evaluating their effectiveness. In this paper, we evaluate effectiveness of one such game, namely the OWASP Cornucopia card game which is designed to assist software development teams identify security requirements in Agile, conventional and formal development
processes. We performed an experiment where sections of graduate students and undergraduate students in a security related course at our university were split into two groups, one of which played the Cornucopia card game, and one of which did not. Quizzes were administered both before and after the activity, and a survey was taken to measure student attitudes toward the exercise. The results show that while students found the activity useful and would like to see this activity and more similar exercises integrated into the classroom, the game was not easy to understand. We need to spend enough time to familiarize the students with the game and prepare them for the exercises using the game to get the best results.

I’m very glad to see games like Cornucopia evaluated. If we’re going to push the use of Cornucopia (or Elevation of Privilege) for teaching, then we ought to be thinking about how well they work in comparison to other techniques. We have anecdotes, but to improve, we must test and measure.

Incentives, Insurance and Root Cause

Over the decade or so since The New School book came out, there’s been a sea change in how we talk about breaches, and how we talk about those who got breached. We agree that understanding what’s going wrong should be a bigger part of how we learn. I’m pleased to have played some part in that movement.

As I consider where we are today, a question that we can’t answer sufficiently is “what’s in it for me?” “Why should I spend time on this?” The benefits may take too long to appear. And so we should ask what we could do about that. In that context, I am very excited to see a proposal from Rob Knake on “Creating a Federally Sponsored Cyber Insurance Program.”

He suggests that a full root cause analysis would be a condition of Federal insurance backstop:

The federally backstopped cyber insurance program should mandate that companies allow full breach investigations, which include on-site gathering of data on why the attack succeeded, to help other companies prevent similar attacks. This function would be similar to that performed by the National Transportation Safety Board (NTSB) for aviation incidents. When an incident occurs, the NTSB establishes the facts of the incident and makes recommendations to prevent similar incidents from occurring. Although regulators typically establish new requirements upon the basis of NTSB recommendations, most air carriers implement recommendations on a voluntary basis. Such a virtuous cycle could happen in cybersecurity if companies covered by a federal cyber insurance program had their incidents investigated by a new NTSB-like entity, which could be run by the private sector and funded by insurance companies.

Threat Modeling the PASTA Way

There’s a really interesting podcast with Robert Hurlbut Chris Romeo and Tony UcedaVelez on the PASTA approach to threat modeling. The whole podcast is interesting, especially hearing Chris and Tony discuss how an organization went from STRIDE to CAPEC and back again.

There’s a section where they discuss the idea of “think like an attacker,” and Chris brings up some of what I’ve written (“‘Think Like an Attacker’ is an opt-in mistake.”) I think that both Chris and Tony make excellent points, and I want to add some nuance around the frame. I don’t think the opposite of “think like an attacker” is “use a checklist,” I think it’s “reason by analogy to find threats” or “use a structured approach to finding threats.” Reasoning by analogy is, admittedly, hard for a variety of reasons, which I’ll leave aside for now. But reasoning by analogy requires that you have a group of abstracted threats, and that you consider ‘how does this threat apply to my system?’ You can use a structured approach such as STRIDE or CAPEC or an attack tree, or even an unstructured, unbounded set of threats (we call this brainstorming.) That differs from good checklists in that the items in a good checklist have clear yes or no answers. For more on my perspective on checklists, take a look at my review of Gawande’s Checklist Manifesto.

Tony’s book is “Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis

Electoral Chaos

[Dec 15: Note that there are 4 updates to the post with additional links after writing.]

The Green Party is driving a set of recounts that might change the outcome in one or more swing states. Simultaneously, there is a growing movement to ask the Electoral College to choose a candidate other than Donald Trump to be the next President of the United States. Some surprisingly serious people are publicly making arguments for the Electoral College taking an active role, including law professors Sandy Levinson and Lawrence Lessig. Lessig’s essay at the Washington Post starts:

Conventional wisdom tells us that the electoral college requires that the person who lost the popular vote this year must nonetheless become our president. That view is an insult to our framers. It is compelled by nothing in our Constitution. It should be rejected by anyone with any understanding of our democratic traditions  — most important, the electors themselves. (“The Constitution lets the electoral college choose the winner. They should choose Clinton,” Lawrence Lessig)

Lessig’s piece links to Federalist #68, written by the newly popular Hamilton. Having the electoral college not vote for Trump, after Clinton conceded, and after the current President met with him, seems problematic at best. Trump promised to respect the results if he was elected, but yesterday tweeted claims that “millions” had voted illegally, which might lead one to expect that some had voted illegally for him, adding legitimacy to a recount or re-evaluation of results.

A Electoral College outcome other than Trump will be labeled a “stolen election,” and there have already been threats of violence by surprisingly serious people. Some of those who might engage in violence are already are engaged in disgraceful and un-American attacks on their fellow citizens based on race, creed, color, gender, or sexual orientation. They seem to treat the election as a “great disinhibition.” However, as horrifiying as those attacks are, and as many as there are, there are people who would not engage in such attacks but would call the election stolen. That would further undercut the legitimacy of the Federal government. (Chaos and legitimacy is topic that’s been occupying my thoughts for a while, but I have relatively little to say which is new.)

My take: the Electoral College exists for a reason. (See the above-linked Federalist #68). The best choice from a very bad set of possibilities is a “caretaker” government. The country is roughly evenly divided in hating either Clinton, Trump, or both. We should select a President who will not push for large changes or mess things up, and can start to address the real class issues which were exposed by the election. A middle of the road Republican and Democrat might be less unpalatable than other options.

Some relevant and interesting links:

Please keep comments civil. Additional interesting links are welcome.

[Update Dec 2: This is a thoughtful, left-wing consideration of the election, which makes the point that no single explanation is dominant. “Everything mattered: lessons from 2016’s bizarre presidential election.” Also, seven electors are now looking to strike a deal: “Teen becomes seventh ‘faithless elector’ to protest Trump as president-elect.” By the way, there’s probably an interesting story in how a 19 year old becomes a member of the Electoral College. Lastly, the Economist has an article on “Why an electoral college rebellion would be a bad idea.”]

[Update Dec 8: “Dump the electoral college? Bad idea, says Al Gore’s former campaign chairman.,” which includes the argument “it forces candidates to campaign in a variety of closely contested races, where political debate is typically robust.” Despite that, Texas Republican Elector Christopher Suprun has written “Why I Will Not Cast My Electoral Vote for Donald Trump.”]

[Update Dec 12: Videos: from one of the Hamilton Electors, Tucker Carlson vs. 2 Electors. “Electors demand intelligence briefing before Electoral College vote.”]

[Update Dec 15: “Virginia congressman calls for delay in electoral college vote,” and the open letter “Bipartisan Electors Ask James Clapper: Release Facts on Outside Interference in U.S. Election” now has over 50 signatures, and NBC is reporting that “Putin Personally Involved in U.S. Election Hack,” and that has to play into questions about legitimacy and the choice of Electors.]

Navigation