Category Archives: Uncategorized

The Imitation Game – A Review

Warning: Spoiler alert!

I went to go watch “The Imitation Game” this weekend, on a bit of a whim. I know Alan Turing’s story rather well – having spent a lot of time in computer security will do that to you. Overall I thought the movie was really good – the acting, writing, and overall historicity were all very good.

Pros:

  • The movie spent a lot of time talking about his personal life, and what lead up to his suicide. I’d argue that this was as much a movie about the father of computers as it was about the historical (and unfortunately current) marginalization and criminalization of homosexuality.
  • I was impressed how the movie explained how reduction of keyspace works in rather plain english and simple examples. The math might be improbably difficult for the average person, but they managed to make it accessible.
  • They mention the Turing test – though thankfully there were no CAPTCHAs in sight.
  • The movie spent quite a long time explaining why you cannot use a single signal to make any decisions or the adversary will switch tactics and you’ll lose that one signal. I try to make this point all the time and yet I still people doing things like blocking countries at the firewall by IP address. If you are in security, and you take nothing away from this movie, let it be this – do not use a single signal to identify and stop fraud/hacking. You’re hurting the ecosystem by doing so. Yes, you.

There were a couple cons though… Some cons that actually made me cringe.

Cons:

  • At one point in the movie Alan Turing made the bear in the woods joke. Just about the time my eyes started rolling the audience burst into laughter – at this point I realized I was extremely jaded and should probably learn to live a little, hug a tree, run like a child or generally do something other than wince at old security jokes. But the reason I hate this joke is that is presumes that you can leave the woods once the bear has eaten your friend. Unless you plan to close up shop and leave the Internet, this analogy has always been a very dangerous one. Bears get stronger, and will get hungry again, and if you’re relying on running faster than an adversary who is dead you’re using the wrong analogy. I prefer the prairie dog analogy if you’re looking for silly analogies.
  • A big motivator throughout the movie was that at the end of the day a buzzer went off that meant that the Nazis had changed their encryption keys. So yesterday’s keys were “useless” and anything they had done had to be scrapped if they couldn’t complete it by midnight. Though it’s an interesting plot device it really doesn’t work that way. Decryption doesn’t stop at the end of the day, just because your key changes. If the adversary has the ciphertext and there is nothing ephemeral about the key, it can still be decrypted. Now if you’re going to make the point that the data loses value the longer it takes to decrypt – yes, I’m on board with that. But the movie didn’t explain that at all.
  • They don’t really talk about Turing’s other accomplishments, like the Turing Halting problem – which more or less describes the problem with blacklists and all kinds of other technologies. As a student of breaking crappy blacklists, this is one of his most useful accomplishments to my daily life. I really wanted to hear them mention it at least once, like they did with the Turing test. Alas!

I’d also point out that there were some other controversies about the historical accuracy as well that didn’t jump out at me as I watched it. Anyway, it was a really wonderful movie, despite the cons. I’d highly recommend it to people who want to know a bit more about our roots, and get a bit more familiarity with some of the core concepts that have brought us to where we are today. I love that we’re seeing more movies about real heroes and not the typical hollywood-manufactured superhero.

DHS and Cyberterrorism

The DHS was recently polled on what groups and attacks they are personally most concerned about. This comes from a pretty wide range of intelligence officers at various levels of the military industrial complex. This underscores how the military is thinking and what they are currently most focused on. The tidbits I found interesting are on pages 7 and 8:

https://www.start.umd.edu/pubs/START_UnderstandingLawEnforcementIntelligenceProcesses_July2014.pdf

The DHS seems to be most concerned about Sovereign Citizens and Islamic Extremists/Jihadists (in that order). The rationale isn’t well explained, but I would presume that physical proximity and the radical nature of Sovereign Citizen groups trumps the extremist nature of Jihadists. I’m speculating, but that would seem to make sense. It could also be a reaction to FUD, but it’s hard to say.

More interestingly, the threat they find most viable is Cyberterrorism. That makes a lot of sense, because Cyberterrorism is cheap, can be done instantaneously, can be done remotely, and can be done with minimal skills and at minimal risk. It’s really hard to tell what’s Cyberterrorism versus what is just a normal for-profit attack, and attribution is largely an un-solvable problem if the attacker knows what they’re doing. Also, even if you can identify the correct adversary, extradition/rendition are tough problems.

There’s not a lot of substance here, because it’s all polls, but it’s interesting to see that our industry is at the top of the US intelligence community’s mind.