The Ancient Art of Cybersecurity

The supplicant comes to the venerable master and asks, “O Guru, how may I be safe on my computer? What tool must I install?” and is told, “Ah, Grasshopper, the security that may be installed is not the true security.”

Okay, I may have taken a little poetic license in the above, but it is a more or less accurate summary of a lengthy mail exchange I had recently. I don’t actually sit atop a mountain dispensing wisdom, but as a long time hacker and software engineer, with decades of history in the realm of computer and network security, people often come to me seeking advice on “cyber” security. Because of, and not despite, my years of experience, I am never comfortable answering the question. It may be useful for me to explain why.

Recently a friend passed along a number of inquiries on behalf of a friend of his who was being stalked by her ex-boyfriend. He had been trying to hack her home network, and eventually broke into her computer and vandalized her work documents. “Would {vendor name}’s anti-virus software help?” he asked. Well, yes, I suppose it might, in some circumstances, but as we have seen recently, third-party add-on security software such as Symantec and Norton antivirus products can also be a vector for malware to get into the system. In order to do its magic, security software has to run with major privileges and has to parse every untrusted file that arrives; if it has a flaw, it can be a way for malicious software to get access to those privileges. And all software has flaws.

I found myself wanting to quote other “wise men” as I explained this. “With great power comes great responsibility”, to quote Spider-Man. Rumpelstiltskin tells us that “Magic always comes with a price”. However you say it, putting your trust in a mere thing, relying on a thing to protect you, grants that thing power that can be used against you.

Far more important than anti-virus software that protects you from your mistakes is developing the habit of not making them. This means following rules like:

  1. Never, ever, click on links or attachments in email or messaging apps.
  2. Never accept any software that is offered to you. Only download software that you sought out and only from legitimate distributors, such as official app stores or directly from the creator of the software.
  3. Keep your system, and the software on it, up to date on all security patches.
  4. And so on.

If you don’t download or run malicious software, then software to scan for and remove malware is far less important. It is not the tool that protects you. It is you.

The first lines of the Tao Te Ching are “The Tao that can be spoken is not the true (or eternal) Tao.” I mimicked this in my advice by saying “The security that can be installed is not the true security.” True security is something that you do, not something that you have. It is a skill of being safe, that you learn.

Once you realize this—that it is a skill—another metaphor suggests itself, that of learning skills such as riding a bicycle. When you first try to ride a bicycle, there are many things that you have to think about and do: pedaling, steering, balancing, and so forth. So long as you have to do each of these consciously, it is very clear that you do not yet know how to ride. You are merely trying. Once you have learned the skill, you just do it, you don’t have to think about it. As Master Yoda would tell us “Do or do not. There is no try.” So long as you are thinking about it, trying to do it, you have not mastered the skill.

So, I am asked, “What is this security thing that you do? Is there an exhaustive set of rules like the ones in the list above? #4 reads ‘And so on.’ What does that mean?” At this point I retreat into inscrutable master mode. There is no list. The rules that can be listed are not the true rules. The true “rule” is actually the skill of acting safely, of being careful, of recognizing and avoiding risk. So long as you are focusing on a list of do’s and don’ts, you are trying, you are learning to be secure, you are not doing, you have not mastered the skill.

This general point has been made many times. Bruce Schneier wrote about the “Security Mindset” more than eight years ago, and had been talking about it long before that. It was a major aspect of Steven Bellovin’s book Thinking Security: Stopping Next Year’s Hackers, published last year and aimed at security professionals. Still, what both of these folks are talking about is something of a hacker’s or professional’s take on the issue.

Schneier’s security mindset consists of looking at each new thing or situation and thinking, “How can I make this fail?” or perhaps, “How can I, or someone, make this fail to our advantage?” It becomes a special case of the hacker’s or engineer’s curiosity about how things work. But very few people want to be hackers or engineers, want to know how everything works, or breaks. They just want to use things that do work in order to accomplish work or to have fun.

I spent a good portion of the last several years working with ex-Navy SEALs, former SAS operatives, combat veterans and parts of the Homeland Security community. They don’t focus on quite the same thing, on the question of how things can be broken or misused. Rather, they talk of “situational awareness” or “threat awareness”, which to my mind is closer to the Tao of Security, the True Security, the thing that you do.

So, what is “situational awareness”? According to the Coast Guard’s manual on the subject, the simplest definition is “knowing what is going on around you.” You can learn about it from a number of sources ranging from the Coast Guard’s Team Coordination Training Guide to the Art of Manliness website. Perhaps one of the simplest and most straightforward overviews is “3 Effective Techniques…”. What each of these amounts to is the simple advice to know what is normal in any given situation and pay attention to anything that is different from that norm. Each points out that practicing paying this sort of attention will turn it into a skill that becomes second nature.

Returning to the skill, the Tao of Security, it can be seen as a martial art. For more than a decade now, I have been a Tai Chi player and for the life of me, thinking about or explaining what cybersecurity is or means seems more like Tai Chi than anything else. First of all, please note the terminology above. Those of us who practice the art call it “playing Tai Chi”. While Tai Chi can be used for combat, it is used more for health, exercise, and learning. These, of course, are the reasons that one plays games and sports, and why children play in general. We play to learn, to practice actions until they become skills.

When we learn a Tai Chi form, we repeat over and over gentle, purposeful movements until they become second nature. In so doing we learn balance and control of our bodies, and we develop practiced routines that can be used as a form of meditation. If we study it deeply, we may learn about pressure points and how to move powerfully. If we play “push hands”, we learn to yield, deflect and redirect; we train in underlying combat principles such as leverage, reflex, sensitivity, timing, coordination and positioning. No real world combat is conducted according to the rules, conventions and movements of push hands. Still, by playing push hands we learn principles, ways of moving and reacting that have very real world application.

Tai Chi is not alone in this. Martial arts experts of all sorts have relied on indirect ways of teaching, of training the student. This is what Mr. Miyagi was doing with “Wax on. Wax off” in the Karate Kid, albeit in an amusing way that is suitable for the movies.

A cyber attacker, any cyber attacker, wants to get you to run software for their purposes rather than yours or to reveal information to them without thinking about it. They want you to surrender control of your device or your information to them. Defending against them requires understanding a few simple things, and developing extremely strong habits.

One thing that you have to know is that actions like opening a Word, Excel, or PDF document run software: the application that renders the document, and any macros, scripts, or embedded objects the file itself carries. Clicking on links in a browser or opening an attachment also runs software. Vendors like Microsoft, Apple, Google and Adobe try to make running that software safe, but they cannot make it 100% safe. It is therefore really important to know where the software you are running, and the files and attachments you are opening, come from.
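As an added example (not code from the original post), the short Python script below shows what “a document runs software” looks like in practice: it inspects two of the formats named above and flags the parts that execute when the file is opened. Office Open XML files (.docx, .xlsm and so on) are ZIP archives, and a macro-enabled one carries a vbaProject.bin part; a PDF can carry /JavaScript, /OpenAction, /AA or /Launch entries that fire as soon as the reader loads it. The sample files are constructed in memory, so nothing here is a real attachment, and the file names and output strings are my own choices.

```python
"""Added example, not from the original post: a first-pass triage check that
flags document files able to run embedded code when opened.

Two of the formats named in the text are inspected:
  * Office Open XML files (.docx/.docm/.xlsx/.xlsm/.pptx/.pptm) are ZIP
    archives; a macro-enabled file carries a 'vbaProject.bin' part, and a
    relationship with TargetMode="External" can pull in a remote template.
  * PDF files can carry /JavaScript (/JS), /OpenAction, /AA or /Launch
    entries that act as soon as the reader opens them.

Sample inputs are constructed in memory so the script runs offline.
A clean result is not proof of safety: PDF names can be hex-escaped and
objects compressed, and Office files may hold other active content.
"""
from __future__ import annotations

import io
import re
import zipfile

OFFICE_EXTENSIONS = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def office_findings(data: bytes) -> list[str]:
    """Return reasons an OOXML document might execute code when opened."""
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML zip container"]
    with zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings.append(f"VBA macro project: {name}")
            elif lower.endswith(".rels") and b'TargetMode="External"' in zf.read(name):
                findings.append(f"external relationship in {name}")
    return findings


def pdf_findings(data: bytes) -> list[str]:
    """Return the action-triggering PDF keys found in the raw file bytes."""
    if not data.startswith(b"%PDF"):
        return ["not a PDF"]
    return [
        f"PDF active-content key {key.decode()}"
        for key in PDF_ACTIVE_KEYS
        if re.search(re.escape(key) + rb"\b", data)
    ]


def triage(filename: str, data: bytes) -> list[str]:
    """Dispatch on extension; an empty list means nothing suspicious was found."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext in OFFICE_EXTENSIONS:
        return office_findings(data)
    if ext == "pdf":
        return pdf_findings(data)
    return [f"unrecognised type .{ext}; do not assume it is inert"]


# --- constructed sample inputs (not real attachments) -----------------------

def build_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML container, optionally with a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships><Relationship Target="styles.xml"/></Relationships>')
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
    return buf.getvalue()


CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_docx(False)),
                       ("invoice.docm", build_docx(True)),
                       ("report.pdf", CLEAN_PDF),
                       ("report.pdf", JS_PDF),
                       ("photo.jpg.exe", b"MZ")]:
        print(name, "->", triage(name, blob) or ["nothing flagged"])
```

The point of the check is not that it catches everything (it will not; a determined attacker can hide these names) but that it makes the abstract statement concrete: the macro project and the /OpenAction are the “software embedded in the file”, and the only reliable defence remains knowing who sent the file and why.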

Returning to my discussion with my friend, I wrote, “Never, no, not ever, open attachments in email”, and was asked, “Even from trusted sources?” to which I had to reply:

“Well… how do you know that it’s really from them? What if someone else sent it and made it look like the trusted source did? There are ways, of course. You could confirm by another channel, such as the phone, that the supposed sender actually sent an email with an attachment. That would be safer, but, what if it was altered along the way? You and the sender could use an email system that signed and encrypted messages. That would be safer still.

“The easy rule is ‘no attachments’, but it is probably impossible to live up to that and get done what you have the machine for. In that case, you take as much care as you can, ask the supposed sender if they sent it and so on, then open the attachment, knowing, really knowing that you were taking a risk but decided that the risk is worth taking.”

How, then, is one to know what risks are worth taking? It’s all well and good to talk about learning the skill of cybersecurity, but where is one to learn it? The answer is two-fold. There are some general principles that everyone should know and practice. There are also some specific rules and precautions associated with the specific hardware and software an individual user needs. I can list a few of the basics, but for the rest, someone familiar with the types of computers, mobile devices, and networking hardware that you are using should advise you.

Guidelines for everyone

These guidelines are all special cases of the principle that the computer should always be doing what you want it to do, not what someone else wants. Remember, an attacker wants to get you to run software for their purposes not yours, or to reveal information to them without thinking about it. Think about it, and remain in control. That means:

  1. Never, ever, click on links or attachments in email or messaging apps.
  2. Never accept any software that is offered to you. Only download software that you sought out and only from legitimate distributors, such as official app stores or directly from the creator of the software.
  3. Similarly, don’t accept advice or assistance with your systems that you didn’t seek out. No, Microsoft does not call you out of the blue on the phone to tell you about problems on your computer and offer to fix it. Windows that pop up on your screen recommending specific software are ads, and are highly suspect.
  4. Keep your system, and the software on it, up to date on all security patches.
  5. Make sure that everything of value to you is backed up. Frequently. Automatically. Multiple backups, stored in different locations, are best.

Guidelines for Specific Home Systems

For implementing these guidelines you will need a guru. Seek a professional or your local or family nerd. If you are using Apple products, the “Geniuses” at the Apple Store’s Genius Bar can help you. If you are running Windows, the folks at the Microsoft store or local computer store may help. For Android, Chromebook and other Google-based products, you will probably need a local or family nerd. If you aren’t a nerd and computer hobbyist yourself, you probably shouldn’t use Linux. If you do, whoever convinced you to do that must help.

  1. The router, the device that allows the systems in your home to connect to the Internet, needs to be reconfigured to change the administrator password to something unique to that device and not just use the default password. If your guru doesn’t know why this needs to be changed, point them to this article.
  2. Each computer that you have should be properly configured to operate in an appropriately secure fashion. If, like my friend’s friend, you know that there are people specifically targeting you, then security settings should be set to highly secure, and you should be taught how to use it with those settings. Otherwise, moderate security is probably appropriate.
  3. Every computer, mobile device, and network device should be set to automatically install at least all security updates, and probably all software updates. If your guru doesn’t think you need to automatically install security patches, you probably have the wrong guru.
  4. If you use many internet services, and need to create a lot of accounts, you should consider using a password manager such as LastPass. If you know you are under attack, this is a must. Also, LastPass (and some of its competitors) gives you a secure vault to store encrypted information in, in addition to passwords. This makes it much easier for you to encrypt important information.
  5. If your system is compromised, you probably need to start from scratch. Have your guru reinstall the system and applications, and restore your data from backups. Before they start, they should make sure that your backups are usable.
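Item 5 is the one that gets skipped: the backup that has never been restored is not yet known to be a backup. As an added example (not from the original post), the Python script below does the check a guru should do before wiping a machine. It archives a folder, records a SHA-256 fingerprint of every file in a manifest kept beside the archive, then restores the archive into a scratch directory and compares each restored file with the manifest. The “home” folder, its files and the damaged second backup are all constructed in a temporary directory, so the script runs offline and nothing on your own machine is touched.

```python
"""Added example, not from the original post: take a backup of a folder,
record a SHA-256 manifest of every file, then prove the backup is usable by
restoring it into a scratch directory and checking each file against the
manifest. The folder, its contents and the damaged copy are all constructed
in a temporary directory, so the script runs offline and cleans up after itself.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> dict[str, str]:
    """Archive src_dir into archive (.tar.gz) and write a manifest beside it."""
    manifest: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    # Keep the manifest separate from the archive so a damaged archive cannot hide it.
    archive.with_name(archive.name + ".sha256.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore into a scratch directory and compare with the manifest.

    Returns a list of problems; an empty list means every recorded file restored
    with the expected contents. This is the 'make sure your backups are usable'
    step, done before anything is wiped.
    """
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse archive entries that would write outside the restore directory.
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    problems.append(f"unsafe path in archive: {member.name}")
            if problems:
                return problems
            if hasattr(tarfile, "data_filter"):      # Python 3.12+ (and backports): safe extraction filter
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        for rel, digest in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"corrupted: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Back up a constructed home folder, verify it, then verify a damaged copy."""
    with tempfile.TemporaryDirectory() as work:
        home = Path(work, "home")
        (home / "docs").mkdir(parents=True)
        (home / "docs" / "thesis.txt").write_text("chapter one\n")
        (home / "notes.txt").write_text("call the bank\n")
        archive = Path(work, "backup.tar.gz")

        manifest = make_backup(home, archive)
        good = verify_backup(archive, manifest)

        # Simulate a later backup taken after the files were vandalised and one
        # was deleted; checking it against the original manifest exposes both.
        (home / "docs" / "thesis.txt").write_text("CHAPTER ONE DEFACED\n")
        (home / "notes.txt").unlink()
        make_backup(home, archive)
        bad = verify_backup(archive, manifest)
        return good, bad


if __name__ == "__main__":
    ok, damaged = demo()
    print("original backup:", ok or "restores cleanly")
    print("damaged backup: ", damaged)
```

Two design choices matter here. The manifest is written at backup time and kept apart from the archive, so a backup silently taken after the vandalism (as in the story above) is caught as “corrupted” and “missing” rather than quietly replacing the good copy; this is also the argument for multiple backups in different locations. And the restore refuses archive entries with absolute or parent-directory paths, because an archive you are about to trust with a fresh install should not be able to write outside the directory you hand it.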

And so, Grasshopper, the art of cybersecurity is the art of being safe, of being aware of your circumstances and of the threats you’re facing, of noticing the unusual and stopping to pay attention to it. It is a skill, like any other, that can be learned through play and practice. There are tools and weapons that can be used in aid of the skill, but they are not, themselves, important.

The specific tools that you use, and the specific operating environment, may determine some of the specifics of the habits you develop as you become a practitioner of the art, as you learn to play (and play to learn) cybersecurity, but the tools, the specific rules are not the True Cybersecurity—that is found within. The true cybersecurity is an awareness, a deliberateness in one’s actions. It is care, attention, and balance. It is making sure to take only those risks that are necessary to getting the task at hand done, and to take them intentionally.

Go, find a guru, and learn the Way of Security, the Tao of Awareness.


So, who am I, anyway?

For those wondering who I am, and why I get these questions, perhaps a short introduction is in order. I started out hacking computers at MIT, Harvard and Stanford over the ARPAnet more than 4 decades ago, back in the days when routers and computers on the net still had guest accounts. A couple of years later, I caught the first intruder on Digital Equipment’s computer and was a member of the in-house teams that dealt with intruders like Mitnick and the Chaos Computer Club on the corporate network.

After leading Digital’s end of the ill-fated Apple/DEC alliance, running a ten million node network for TV Guide, and being involved in a handful of start-ups, I worked for F4W, a company that specialized in communications equipment for emergency first responders, which got me started in the area of secure voice, text and data communications. This led me to jobs as VP of Engineering and Advanced Development at Silent Circle, a secure communications company. Since leaving Silent Circle I have been researching in the area of Machine Ethics. — Jim Burrows, Dec 29, 2016
