Origins of “Information Security”

I’ve promised for a while, years really, to write up the etymology of the word “hacker”. This is always a popular topic among the information security crowd. Although I regularly talk about it at conferences and put it in my presentations, the written form has yet to materialize.

Suddenly I instead feel compelled to write about a claim to the origins of the phrase “information security”. Credit goes to the book “Code Girls” by Liza Mundy, a bizarrely inaccurate retelling of cryptography history. While I don’t mind people throwing about theories of why hacker came to be a term, for some reason Mundy’s claim about “information security” shoves me right to the keyboard; per page 20 of her Introduction to the topic:

[The 1940s] were the formative days of what is now called “information security,” when countries were scrambling to develop secure communications at a time when technology was offering new ways to encipher and conceal. As in other nascent fields, like aeronautics, women were able to break in largely because the field of code breaking barely existed. It was not yet prestigious or known. There had not yet been put in place elaborate systems of regulating and credentialing–professional associations, graduate degrees, licenses, clubs, learned societies, accreditation–the kinds of barriers long used in other fields, like law and medicine, to keep women out.

First of all, the reader now expects to see evidence of these “elaborate systems of regulating and credentialing” with regard to information security. I suspect Mundy didn’t bother to check the industry because there are none. Quite the opposite, the CISSP is regularly bashed as entry-level and insufficient proof of information security qualification, and experts regularly boast of having orthogonal degrees or none at all.

Second, she’s contradicting her own narrative. Only a page earlier she’s holding the field of code breaking as “storied British operation that employed ‘debs and dons’: brilliant Oxford and Cambridge mathematicians and linguists–mostly men, but also some women…”. So which is it? Information security was not prestigious and known, or it was a “storied” field of the highest caliber schools?

As an aside, I also find it frustrating that this book about recognizing women of code breaking calls Bletchley “mostly men, but also some women”. The British operation was resistant at first to women, and the same dynamics as in the US shifted the balance, as the site itself will tell you:

The Bletchley Park codebreaking operation during World War 2 was made up of nearly 10,000 people (about 75% of this number was women). However, there are very few women that are formally recognised as cryptanalysts working at the same level as their male peers.

Mundy dismisses this as “…there also were thousands of women, many from upper-class families, who operated ‘bombe’ machines…” almost as if she’s buying into a boorish and misogynist narrative dismissing the code breaking capabilities as “some women” and tossing out the rest as a bunch of wealthy knob turners. Who does she think went to Oxford and Cambridge? Meanwhile Bletchley historians tell us about the women “codebreaking successes and contribution to the Battle of Cape Matapan, which put the Italian Navy out of World War 2”.

Mundy also gives credit only to the British operation for breaking Enigma, which is patently false history as I’ve written about before.

So, third, she mentions the US resurrected its code breaking from WWI. This punches a hole through her theory that information security originated in the 1940s. Not only does a link to WWI indicate the field is older, it raises the question of why she would even suggest such a late start date when there are also sources linking it to the US Civil War and earlier.

Enigma cracking started at the end of WWI and the Polish put their top mathematicians on it because they recognized relevance to the threat from a neighboring state, as history tends to repeat. The British focused on Spanish and Italian code-breaking in the 1930s because Franco and Mussolini were more interesting to them as threats to their domain. Mundy hints at this on page 14 when she admits information security students of the 1940s relied on earlier work:

The instructors would be given a few texts to jump-start their own education, including a work called Treatise on Cryptography, another titled Notes on Communications Security, and a pamphlet called The Contributions of the Cryptographic Bureaus in the World War–meaning World War I…

Anyway, aside from these three fundamental mistakes, a core piece missing from her analysis is that the US fell behind on code breaking and had to catch up because of isolationist tendencies as well as white supremacists in the US pressuring their country to remain neutral or even assist with Nazi aggression. Mundy mentions this briefly on page 13 and sadly doesn’t make the political connections.

[Captain, U.S.N. Laurance Frye] Safford elaborated on the qualifications they wanted by spelling out the kind of young women the Navy did not want. “We can have here no fifth columnists, nor those whose true allegiance may be to Moscow,” Safford wrote. “Pacifists would be inappropriate. Equally so would be those from persecuted nations or races–Czechoslovakians, Poles, Jews, who might feel an inward compulsion to involve the United States in war.”

Again Mundy is citing information security field expertise that existed long before the 1940s. And you have to really take in the irony of Safford’s antisemitism and political position here, given that it comes after Polish cryptographers had already cracked Enigma and were the foundation of Bletchley Park’s focus on German cryptography. Further to the point, as the NSA history of Safford claims, he saw himself as the person who actively tried to involve the United States in war.

He recognized the signs of war that appeared in the diplomatic traffic, and tried to get a warning message to Pearl Harbor several days before the attack, but was rebuffed by Admiral Noyes, the director of Naval communication.

Several days. A bit late, Safford. Imagine how many years of warning he might have had if he hadn’t demanded “persecuted nations or races” be excluded from information security roles.

America was behind because it didn’t perceive itself as a persecuted nation, and so it failed to expend resources on information security in a manner commensurate with the risk. There were pro-Nazi forces actively attempting to undermine or sabotage the US feedback loops by pushing a head-in-sand “neutrality” position all the way to Pearl Harbor.

By the time these “America First” agents of Nazi Germany were exposed and incarcerated, women simply offered a more available home-front resource compared with men abruptly being sent to fight in the field (same as in Britain, France, Poland etc). Of course women were as good if not better than the men. It was procrastination and the pre-war political position of allowing aid to Nazi Germany (GM, Standard Oil, etc) that created a desperate catch-up situation, opening the doors to women.

Information security’s formative days started long before the 1940s, but just like today the absence of feeling threatened led decision makers to under-invest in those who studied it, let alone those who practiced professionally without degrees or certifications. The real question is whether women would have been pulled into information security anyway, even if the US had not been under-investing in the years prior. British history tells us definitively yes, as 75% of Bletchley staff were women.

Does that percentage sound high? Mundy herself says on page 20 that 70% of US Army and 80% of US Navy information security staff were women. Fortunately she doesn’t discount the Americans as wealthy knob-turners, and instead glorifies every American woman’s role as essential to the war effort. Mundy writes well, but her history analysis is lacking and sometimes even self-defeating.

Posted in History, Security.

Self-Driving Uber Murders Pedestrian

Although it still is early in the news cycle, so far we know from Tempe police reports that an Uber robot has murdered a woman.

The Uber vehicle was reportedly headed northbound when a woman walking outside of the crosswalk was struck.

The woman was taken to the hospital where she died from her injuries.

Tempe Police says the vehicle was in autonomous mode at the time of the crash and a vehicle operator was also behind the wheel.

First, autonomous mode indicates to us that Uber’s engineering team now must admit their design decisions led to this easily predictable disaster of a robot taking a human life. For several years I’ve been giving talks about this exact situation, including AppSecCali where I recently mentioned why and how driverless cars are killing machines. Don’t forget the Uber product already was caught ignoring multiple red lights and crosswalks in SF. It was just over a year ago that major news sources issued the warning to the public.

…the self-driving car was, in fact, driving itself when it barreled through the red light, according to two Uber employees…and internal Uber documents viewed by The New York Times. All told, the mapping programs used by Uber’s cars failed to recognize six traffic lights in the San Francisco area. “In this case, the car went through a red light,” the documents said.

This doesn’t sufficiently warn pedestrians of the danger. Ignoring red lights really goes back a few months before the NYT picked up the story, into December 2016. Here you can see me highlighting the traffic signals and a pedestrian, asking for commentary on obvious ethics failures in Uber engineering. Consider how the pedestrian stepping into a crosswalk on the far right would be crossing in front of the Uber as it runs the red light:

Second, take special note of framing this new crash as a case where someone was “walking outside of the crosswalk”. That historically has been how the automobile industry exonerated drivers who murder pedestrians. A crosswalk construct was developed specifically to shift blame away from drivers going too fast, criminalizing pedestrians by reducing driver accountability to react appropriately to vulnerable people in a roadway.

Vox has an excellent write-up on how “walking outside of the crosswalk” really is “forgotten history of how automakers invented”…a crime:

…the result of an aggressive, forgotten 1920s campaign led by auto groups and manufacturers that redefined who owned the city streets.

“In the early days of the automobile, it was drivers’ job to avoid you, not your job to avoid them,” says Peter Norton, a historian at the University of Virginia and author of Fighting Traffic: The Dawn of the Motor Age in the American City. “But under the new model, streets became a place for cars — and as a pedestrian, it’s your fault if you get hit.”

Even more to the point, it was the Wheelmen cyclists of the late 1800s who campaigned for America’s paved roads. Shortly after the roads were started, however, aggressive car manufacturers manipulated security issues to eliminate non-driver presence on those roads.

We’re repeating history at this point, and anyone who cites crosswalk theory in defense of an Uber robot murdering a pedestrian isn’t doing transit safety or security experts any favors. It will be interesting to see how the accountability for murder plays out, as it will surely inform algorithms intending to use cars as a weapon.

Posted in History, Security.


Scientific American has a nice write-up of the theoretical physicist who discovered nuclear fission and was denied credit, yet assigned blame:

While the celebrity Meitner deserved was blatantly denied her, an undeserved association with the atomic bomb was bestowed. Meitner was outright opposed to nuclear weapons: “I will have nothing to do with a bomb!” Indeed, she was the only prominent Allied physicist to refuse an invitation to work on its construction at Los Alamos.

  • 1878 born in Vienna, Austria, third of eight children in middle-class family
  • 1892 at age 14 offered no more school, by 19th-century Austrian standards for girls. Begins private lessons
  • 1905 earns PhD in physics from University of Vienna
  • 1907 moves to Berlin to access a modern lab for research. Denied her own lab because a woman, given an office in a basement closet, forced to use the bathroom in a restaurant “down the street”
  • 1908 publishes three papers
  • 1909 publishes six papers
  • 1917 given salary and independent physics position
  • 1926 first woman in Germany to be made full professor
  • 1934 intrigued by Fermi work, begins research into nuclear reaction of uranium
  • 1938 Nazi regime forces her to leave Germany, because Jewish
  • 1944 Nobel prize awarded to the Berlin man who ran the lab she used for experiments

Amazing to see how determined she was and how she blazed a trail for others to do good. And yet the things she did, men wouldn’t give her credit for, while the thing she opposed was blamed on her instead.

Posted in Energy, History, Security.

Lost History of American Bourbon: Knob Creek

A friend recently went through my liquor cabinet and pulled out a mostly-empty bottle of Knob Creek. I had forgotten about it, although in the early-1990s it had been a favorite. It was introduced to me by a Milwaukee bartender in an old dark wooden dive of a bar on the city waterfront.

“I’ll take whatever” meant he poured me a glass of seltzer, stirred in a spoonful of very dark jam, threw an orange peel twist on top and told me “enjoy life, the old-fashioned way.” It sounded corny (pun not intended), especially when he also growled “this ain’t a bright lights and gin or vodka type place” (pre-prohibition, not a speakeasy).

“What’s with the jam?” I asked. He threw a thumb over his shoulder at a cast-iron looking tiny pot-belly stove against a black wall under a small brightly-lit window. I squinted. It was almost impossible to focus on except for its small red light. Steam was slowly rising from its top edges into the bright window. “Door County cherries” he said as he wiped the bar “pick’em myself. That’s my secret hot spiced mash.” This was an historic America, with heavy flavors from locally-grown ingredients, which contrasted sharply with what “popular” Milwaukee bars were serving (gin or vodka).

It was a very memorable drink. For years after I continued to have Knob Creek here and there, always thinking back fondly to that waterfront dive bar, and to the advice to avoid “bright lights and gin or vodka”. Knob Creek wasn’t exactly a replacement for the rye I really wanted, yet it was a good-enough alternative, and I didn’t drink it fast enough to worry about its rather annoyingly high price of $15 a bottle.

Ok, so my friend pulls this old bottle of Knob Creek out of my cabinet. He’s drinking it and I’m telling him “no worries, that’s an old cheap bottle I can grab another…”. He chokes. “WHAAAT, nooo. Dude the Knob is one of Beam’s best, it’s a $50 bourbon. It’s the really good stuff.” Next thing I know my old Knob Creek bottle is in the recycling bin and I’m on the Internet wondering if I should replace it.

African-American Distillers May Have Invented Bourbon

A lot has changed in the world of American whiskey marketing since Knob Creek was $15

All the research I had done on Prohibition, a notoriously anti-immigrant white-supremacist movement targeting Germans and Irish, did not prepare me sufficiently for Jack Daniel’s recent adoption of its own history.

This year is the 150th anniversary of Jack Daniel’s, and the distillery, home to one of the world’s best-selling whiskeys, is using the occasion to tell a different, more complicated tale. Daniel, the company now says, didn’t learn distilling from Dan Call, but from a man named Nearis Green — one of Call’s slaves.

The real kicker to this Jack Daniel PR move is that it explains that master distillers came from Africa, and slavery meant they ended up in regions that give them almost no credit today:

“[Slaves] were key to the operation in making whiskey,” said Steve Bashore, who helps run a working replica of Washington’s distillery. “In the ledgers, the slaves are actually listed as distillers.”

Slavery accompanied distilling as it moved inland in the late 18th century, to the newly settled regions that would become Tennessee and Kentucky.

American slaves had their own traditions of alcohol production, going back to the corn beer and fruit spirits of West Africa, and many Africans made alcohol illicitly while in slavery.

It makes sense, yet still I was surprised. And after I read that I started to pay attention to things I hadn’t noticed before. Like if you’ve ever watched “Hotel Rwanda” its opening song is “Umqombothi”, which has lyrics about a tradition of corn-mash used for beer in Africa.

Both the use of charred casks and corn mash foundations are being revealed by food historians as African traditions (even the banjo now, often associated with distilleries, is being credited to African Americans). Thus slaves from Africa are gradually being given credit as the true master distillers who brought Bourbon as a “distinctive product of the United States” to market.

Slave owners were not inclined to give credit, let alone keep records, so a lot of research unfortunately still is required to clarify what was going on between European and African traditions that ended up being distinctly American. That being said, common sense suggests a connection between African corn mash and the master distiller role of African slaves that simply is too strong to ignore.

Prohibition Was Basically White Supremacists Perpetuating Civil War

If we recognize that master distillers using corn mash to invent Bourbon were most likely slaves from Africa, and also we recognize why and how Prohibition was pushed by the KKK, there is another connection too strong to ignore.

My studies had led me to believe anti-immigrant activists were behind banning the sale or production of alcohol in America. Now I see how this overlooks the incredibly important yet subtle point that master distillers were ex-slaves and their families on the verge of upward social mobility (Jack Daniel didn’t just take a recipe from Nearis Green, he hired two of his sons). The KKK pushed prohibition to block African American prosperity, as well as immigrants.

Let’s take this back a few years to look at the economics of prohibition. Attempts to ban alcohol had been tried by the British King to control his American colonies. In the 1730s a corporation of the King was charged with settling Georgia. A corporate board (“trustees”) was hoping to avoid what they saw as mistakes made in settling South Carolina. Most notably, huge plantations were thought to be undesirable because they caused social inequalities (ironic, I know). So the King’s corporation running Georgia was looking at ways to force smaller parcels to create a better distribution of wealth (lower concentrations of power) among settlers. The corporation also tried to restrict the use of Africans as slaves to entice harder-working and better-quality settlers and…believe it or not, they also tried to ban alcohol, presumably because of productivity loss.

These 1730s attempts to limit land grabs and ban slavery backfired spectacularly. It was the South Carolinian settlers who were moving into Georgia to out-compete their neighbors, so it kind of makes sense wealth was equated to grabbing land and throwing slaves at it instead of settlers themselves doing hard work. It didn’t take more than ten years before the corporation relented and Georgia regressed to South Carolina’s low settler standards. The alcohol ban (restricting primarily rum) also turned out to be ineffective because slaveowners simply pushed their slaves to distill new forms of alcohol from locally sourced ingredients (perhaps corn-based whisky) and smuggle it.

By the time a Declaration of Independence was being drafted, including some ideas about calling their King a tyrant for practicing slavery, it was elitist settlers of Georgia and South Carolina who demanded slavery not be touched. Perhaps it’s no surprise then 100 years later as Britain was finally banning slavery the southern states were still hung up about it and violent attacks were used to stop anyone even talking about abolishing slavery. While the rest of the Americas still under French, British, Spanish influence were banning slavery, the state of Georgia was on its way to declare Civil War in an expansionist attempt to spread slavery into America’s western territories.

So here’s the thing: the King’s corporation heads inadvertently had taught their colonies how slaves, alcohol and land were linked to wealth accumulation and power. White supremacists running government in Georgia and South Carolina (aspiring tyrants, jealous of the British King) wanted ownership for themselves to stay in power.

Prohibition thus denied non-whites entry to power and ensured racial inequality. Cheaters gonna cheat, and it seems kind of obvious in retrospect that prohibition by both the British King and the US government was clumsily designed to control the market.

The current era of bourbon enthusiasm is based on the products of about seven US distilleries. But before Prohibition, the US had thousands of distilleries! 183 in Kentucky alone. (When the Bottled-in-Bond act took effect in 1896, the nationwide count was reportedly over eight thousand). Each distillery produced many, many different brands.

Prohibition destroyed almost all of those historic distilleries.

From 8,000 small to 7 monster distilleries because…economic concerns of white supremacists running US government.

The KKK criminalized bourbon manufacturing. Thousands, including emancipated master distillers, were forced out of their field. Also in that Bottled-in-Bond year of 1896, incidentally, southern white-supremacists started erecting confederate monuments to terrorize the black population. By the time Woodrow Wilson was elected President in 1912 he summarily removed all blacks from federal government, which one could argue set the stage for a vote undermining black communities, and restarted the KKK by 1915. Prohibition thus arose within concerted efforts by white supremacists in America to reverse emancipation of African Americans, deny them social mobility, criminalize them arbitrarily, and disenfranchise them from government.

What’s War Got to Do With the Price of Knob Creek?

Have you ever heard of Otho Wathen’s defense of Whiskey during and after Prohibition?

Otho H. Wathen of National Straight Whiskey Distributing Co. points out: “The increase in 1934 (in drunken driver automobile accidents) for the entire country was 15.90 per cent. The increase in the repeal states, which included practically every big city where traffic is heaviest, was 14.65 per cent. …in the states retaining prohibition the increase was 21.56 per cent.”

I hadn’t heard of him until I read a blog post revealing that Knob Creek was a very old brand, bought inexpensively by National Distillers during the market collapse of Prohibition:

Knob Creek was first in use in 1898, by the Penn-Maryland Corp. I have looked through our archives here (I have the old history books from the companies we acquired when we purchased National Brands)

The blog even shows this “Cincinnati, Ohio” label as evidence of its antiquity:

This is an awkward bit of history, when you look at the origin story told by the Jim Beam conglomerate:

When the Prohibition was lifted in 1933, bourbon makers had to start from scratch. Whiskey takes years and years to make, but the drinking ban was overturned overnight. To meet their sudden demand, distillers rushed the process, selling barrels that had hardly been aged. Softer, mild-flavored whiskey became standard from then on. Full flavor was the casualty.

But we brought real bourbon back. Over 25 years ago, master distiller Booker Noe set out to create a whiskey that adhered to the original, time-tested way of doing things. He named it Knob Creek.

They’ve removed the text about Knob Creek being a physical place. When I first bought a bottle it came with marketing that referenced Knob Creek Farm, a non-contiguous section of the Abraham Lincoln Birthplace National Historical Park. That’s definitely no longer the case (pun not intended) as all the marketing today says white distillers of Jim Beam are resurrecting pre-prohibition traditions, without specifying the traditions came from slaves.

From that perspective, I’m curious if anyone has looked into the Penn-Maryland decision to name its whiskey after an Abraham Lincoln landmark. Does it imply in some way the emancipation of distillers, which Beam now is claiming simply as pre-prohibition style? More to the point, if Jack Daniel is finding slavery in its origin story and making reference to the injustices of credit taken, will Beam take the hint or continue to call Knob Creek their recent innovation?

My guess, based on reading the many comments on the “post-age” Knob Creek now being made (the bottles used to say 9 year), is that Beam is moving further away from giving credit to master distillers who were emancipated by Lincoln. So I guess, to answer my original question, buying another bottle of Knob makes little sense until I see evidence they’re giving credit to America’s black master distillers who invented the flavor and maybe even that label.

In the meantime, I’ll just keep sipping on this 1908 Old Crow (Woodford)…

Posted in Food, History, Security.

Laws stopped cousin-marriage, not mobility

Collecting huge datasets for analysis has since the beginning of time been a good way to find insights. Recently some theories about safety and longevity of cousin marriage are being challenged by the power of big data systems:

researchers suggest that people stopped marrying their fourth cousins not due to increased mobility between different regions, but because the practice became less socially acceptable

“Less socially acceptable” is another way of saying laws against it were being passed. According to the seminal book on this subject, by someone with the same name as me, mathematical modeling shows how those laws against cousin marriage were based in prejudice, not science.

Forbidden Relatives challenges the belief – widely held in the United States – that legislation against marriage between first cousins is based on a biological risk to offspring. In fact, its author maintains, the U.S. prohibition against such unions originated largely because of the belief that it would promote more rapid assimilation of immigrants.

Immigrants were barred from continuing their historic practices, much in the same way prohibition of alcohol criminalized Germans for their breweries and Irish for having distilleries. Keep these reports and books in mind the next time someone says cousin marriage is a concern for human safety or longevity.

Posted in History, Security.

More people dying in a fire: petroleum-based skin products to blame

An investigation has started to reveal that the practice of putting a distillate of petroleum (paraffin) on your body can lead to a very painful fiery death.

Firefighter Chris Bell, who is a watch commander with West Yorkshire Fire and Rescue Service, says the actual number of deaths linked to the creams is likely to be much higher.

“Hundreds of thousands of people use them, we’re not sure how many fire deaths might have occurred but it could be into the hundreds,” he said.

His concerns were echoed by Mark Hazelton, group manager for community safety at London Fire Brigade.

He said many fire services do not have forensic investigation teams able to properly assess the role of paraffin cream in fires.

In brief, repeated use of a petroleum-based oil in a cream causes soft furniture to become filled with the highly flammable substance. It’s essentially (pun not intended) pouring gasoline on your bed and chair, albeit very very slowly. Then when a fire starts, the outcome of dousing flammable oil is predictable. Product manufacturers haven’t yet been held accountable for this alarming rise in deaths linked to their ingredients.

Posted in Energy, Security.

Amazon’s About Face on GovCloud: “Physical Location Has No Bearing”

Amazon never seemed very happy about building a dedicated physical space, kind of the opposite of cloud, to achieve compliance with security requirements of the US federal government.

AWS provides customers with the option to store their data in AWS GovCloud (US) managed solely by US Persons on US soil. AWS GovCloud (US) is Amazon’s isolated cloud region where accounts are only granted to US Persons working for US organizations.

That’s a very matter-of-fact statement, suggesting it was doing what it had been told was necessary as opposed to what it wanted (destroy national security requirements as antiquated while it augers towards a post-national corporate-led system of control).

While that might have seemed speculative before now, Amazon management just released a whitepaper showing its true hand.

The other two “realities” are “Most Threats are Exploited Remotely” and “Manual Processes Present Risk of Human Error”…

I want you all to sit down, take a deep breath, and think about the logic of someone arguing physical location has no bearing on threats being exploited remotely.

First, vulnerabilities are exploited. Threats exploit those vulnerabilities. Threats aren’t usually the ones being exploited via connectivity to the Internet (as much as we talk about hack back), vulnerabilities are. Minor thing, I know, yet it speaks to the familiarity of the author with the subject.

Second, if physical location truly had no bearing, the author of this paper would have not bothered with any “remotely” modifier. They would say vulnerabilities are being exploited. Full stop. To say exploits are something coming from remote locations is them admitting there is a significance of physical location. Walls being vulnerable to cannon-balls does not mean cannons fired from 1,000 miles away are the same as from 1 mile.

Third, and this is where it truly gets stupid, “Insider Threats Prevail as a Significant Risk” again uses a physical metaphor of “insider”. What does insider mean if not someone inside a space delimited by controls? That validates physical location having bearing on risk, again.

Fourth, this nonsense continues throughout the document. Page six advises, without any sense of irony “systems should be designed to limit the ‘blast radius’ of any intrusion so that one compromised node has minimal impact on any other node in the enterprise”. You read that right, a paper arguing that physical location has no bearing…just told you that blast RADIUS is a critical component to safety from harm.

Come on.

This paper seems like it is full of amateur security mistakes made by someone who has a distinctly political argument to make against government-based controls. In other words, Amazon’s anti-government paper is an extremist free-market missive targeting US-based ITAR and undermining national security, although it probably thought it was trying to knock down laws written in another physical location.

Something tells me the blast radius of this paper was seriously miscalculated before it was dropped. Little surprise, given how weak their grasp of safety control is and how strong their desire to destroy barriers to Amazon’s entry.

Posted in History, Poetry, Security.

SHA-1 versus SHA-2 performance tests

Moving to SHA256 has become an increasingly common topic ever since SHA-1 went through the bad news cycle of being vulnerable faster than brute-force. Even in cases where not relevant, such as authentication mechanisms (SCRAM), it feels like only a short time from now regulators will push a SHA-2 family as minimum requirement. For most people that means moving to a 256 bit key length (SHA256) sooner rather than later.

Will SHA256 cause a performance issue when replacing SCRAM-SHA-1? It’s hard to say, given that many variables are involved in testing, yet generally we expect a 50% performance change with the 256-bit digest of SHA-2 compared with the 160-bit digest of SHA-1.

Assuming proper construction, a larger digest means more possible outputs, which adds strength by slowing down brute-force attempts. A cryptographic hashing algorithm is only as great as its ability to make truly unique, non-guessable hashes. So here’s a way for you to compare speeds:

ubuntu17:~$ openssl speed -multi 2 -decrypt sha1 sha256

The 'numbers' are in 1000s of bytes per second processed
sha1            176979.32k   479049.54k  1017926.06k  1451719.34k  1652667.73k
sha256          144534.98k   302692.57k   576607.91k   697034.07k   740136.28k
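The columns in that openssl table are throughput at block sizes of 16, 64, 256, 1024 and 8192 bytes, and the `-decrypt` option in the command only affects cipher timing, so it changes nothing for digests. The script below is an added example, not code from the original post: it reproduces the same kind of table from Python’s hashlib on a constructed zero-filled buffer, and it separately times the one part of SCRAM that actually changes when SCRAM-SHA-1 becomes SCRAM-SHA-256, the PBKDF2 (Hi) password derivation. The password, salt and iteration count are placeholders.

```python
import hashlib
import time

# Block sizes reported by the openssl speed table (16, 64, 256, 1024, 8192 bytes).
BLOCK_SIZES = (16, 64, 256, 1024, 8192)


def digest_bits(algo: str) -> int:
    """Output size of a hash in bits (sha1 -> 160, sha256 -> 256)."""
    return hashlib.new(algo).digest_size * 8


def throughput_kbytes_per_sec(algo: str, block_size: int, seconds: float = 0.15) -> float:
    """Hash zero-filled blocks of `block_size` bytes for about `seconds` and
    return thousands of bytes processed per second, the unit openssl speed prints.
    The input is constructed: a zero-filled buffer, since hash cost does not
    depend on content."""
    block = bytes(block_size)
    processed = 0
    start = time.perf_counter()
    deadline = start + seconds
    while time.perf_counter() < deadline:
        hashlib.new(algo, block).digest()
        processed += block_size
    elapsed = time.perf_counter() - start
    return processed / elapsed / 1000.0


def compare_digests(algos=("sha1", "sha256")) -> dict:
    """Return {algo: [throughput per block size]} for a side-by-side table."""
    return {a: [throughput_kbytes_per_sec(a, n) for n in BLOCK_SIZES] for a in algos}


def ratio(table: dict, slow: str = "sha256", fast: str = "sha1") -> list:
    """Per-column ratio slow/fast; 0.5 means SHA-256 ran at half the SHA-1 speed."""
    return [s / f for s, f in zip(table[slow], table[fast])]


def scram_salted_password_seconds(algo: str, iterations: int) -> float:
    """Time one SCRAM SaltedPassword derivation. RFC 5802 defines Hi() as
    PBKDF2 with HMAC over the chosen hash, so this, not the bare digest, is the
    cost a server pays per authentication. Password and salt are constructed."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(algo, b"example-password", b"constructed-salt", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    table = compare_digests()
    print("type   " + "".join(f"{n:>12d}B" for n in BLOCK_SIZES))
    for algo, row in table.items():
        print(f"{algo:<7}" + "".join(f"{v:>12.2f}k" for v in row))
    print("sha256/sha1:", [f"{r:.2f}" for r in ratio(table)])
    for algo in ("sha1", "sha256"):
        ms = scram_salted_password_seconds(algo, 4096) * 1000
        print(f"SCRAM-{algo.upper()} Hi() at 4096 iterations: {ms:.2f} ms")
```

Two caveats when reading the numbers: Python’s per-call overhead dominates the 16-byte column, so small-block throughput understates the raw primitive compared with openssl, and for SCRAM the iteration count chosen by the server matters far more than the SHA-1 versus SHA-256 choice, since every iteration is one HMAC over the same hash.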

Posted in Security.

Are Self-Organizing Maps Just an Exercise in Relativism?

The key to unlocking the power of a self-organizing map seems to be in this phrase by Diego Vicente:

…instead of a grid we declare a circular array of neurons, each node will only be conscious of the neurons in front of and behind it…

He offers the example of Uruguay:

traversing 734 Uruguay cities only 7.5% longer than the optimal in less than 25 seconds

In other words, each node should dispense with attempts to measure on an absolutist grid and instead calculate its own position relative to other nodes in the immediate vicinity. Like nomadism, but nodadism. Also like the difference between racing single-track on a mountain bike (stay ahead of the person behind, get in front of the person ahead) and racing road bikes on a highway (pre-calculate best times of pursuit, rest and attack).

Diego refers to a node’s immediate vicinity as “moderate exploitation of the local minima of each part” of a larger grid. That makes perfect sense for anyone familiar with navigating by asking around. Ask a local which way to the closest next town, if you can find a trusted local. Don’t bother asking them for a way to towns they never see, and be able to recognize the difference.

The more I research flaws in AI security the more the world bifurcates into the grey and ill-defined transition from relative to absolute models of authentication and authorization. In between there are many exploits to be found.

The problem set here is called the National Travelling Salesman by mathematicians. Of course in security terms we should think of this as drone routes to destroy privacy (gather knowledge, if you prefer that angle) or an estimation of resources for a comprehensive integrity attack plan (defense, if you prefer that angle).
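To make the “circular array of neurons” concrete, here is an added example (my own code, not Diego Vicente’s) of a ring-shaped self-organizing map solving a small travelling salesman instance. The cities are constructed, twelve points on a jittered circle, and the neuron count, decay rate and learning rate are assumptions chosen for this toy size. The point to watch is that neighbourhood distance is measured along the ring, so a neuron only reacts to winners a few positions ahead of or behind it, never to the grid as a whole.

```python
import math
import random

# Constructed sample input (not real geography): 12 cities on a jittered circle,
# so the best tour is easy to eyeball while the solver still has to find it.
_rng = random.Random(7)
CITIES = [
    (math.cos(2 * math.pi * i / 12) + _rng.uniform(-0.08, 0.08),
     math.sin(2 * math.pi * i / 12) + _rng.uniform(-0.08, 0.08))
    for i in range(12)
]


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def tour_length(cities, order):
    """Length of the closed tour visiting cities in the given order."""
    return sum(dist(cities[order[i]], cities[order[(i + 1) % len(order)]])
               for i in range(len(order)))


def som_tour(cities, neurons_per_city=8, iterations=3000, lr=0.8, seed=0):
    """Ring-shaped self-organizing map for the TSP.

    Neurons form a circular array: distance between neurons is measured along
    the ring, so each one is only pulled toward a winner a few positions ahead
    of or behind it, never across the whole map."""
    rng = random.Random(seed)
    n = neurons_per_city * len(cities)
    cx = sum(x for x, _ in cities) / len(cities)
    cy = sum(y for _, y in cities) / len(cities)
    # Start as a small ring around the centroid; training expands it toward the cities.
    neurons = [[cx + 0.1 * math.cos(2 * math.pi * k / n),
                cy + 0.1 * math.sin(2 * math.pi * k / n)] for k in range(n)]
    radius = n / 10.0
    for it in range(iterations):
        city = rng.choice(cities)
        winner = min(range(n), key=lambda k: dist(neurons[k], city))
        # Learning rate and neighbourhood both shrink over time: early steps
        # shape the ring globally, late steps only refine locally.
        decay = 0.9993 ** it
        r = max(1.0, radius * decay)
        rate = lr * decay
        for k in range(n):
            ring_d = min(abs(k - winner), n - abs(k - winner))  # distance along the ring
            if ring_d > 3 * r:
                continue  # outside the neighbourhood: this neuron stays put
            g = math.exp(-(ring_d ** 2) / (2 * r * r))
            neurons[k][0] += rate * g * (city[0] - neurons[k][0])
            neurons[k][1] += rate * g * (city[1] - neurons[k][1])
    # Read the tour off the ring: each city takes the index of its nearest neuron,
    # and sorting by that index walks the ring once.
    nearest = {i: min(range(n), key=lambda k: dist(neurons[k], c))
               for i, c in enumerate(cities)}
    return sorted(nearest, key=nearest.get)


if __name__ == "__main__":
    order = som_tour(CITIES)
    print("tour:", order)
    print("length: %.3f (circle order: %.3f)" %
          (tour_length(CITIES, order), tour_length(CITIES, list(range(12)))))
```

Because cities are ordered by the index of their nearest neuron and the sort is stable, the result is always a valid permutation even when two cities share a neuron; the quality of the tour, not its validity, is what the ring neighbourhood buys you.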

Posted in History, Security.

2018 AppSec California: “Unpoisoned Fruit: Seeding Trust into a Growing World of Algorithmic Warfare”

My latest presentation on securing big data was at the 2018 AppSec California conference:

When: Wednesday, January 31, 3:00pm – 3:50pm
Where: Santa Monica
Event Link: Unpoisoned Fruit: Seeding Trust into a Growing World of Algorithmic Warfare

Artificial Intelligence, or even just Machine Learning for those who prefer organic, is influencing nearly all aspects of modern digital life. Whether it be financial, health, education, energy, transit…emphasis on performance gains and cost reduction has driven the delegation of human tasks to non-human agents. Yet who in infosec today can prove agents worthy of trust? Unbridled technology advances, as we have repeatedly learned in history, bring very serious risks of accelerated and expanded humanitarian disasters. The infosec industry has been slow to address social inequalities and conflict that escalates on the technical platforms under their watch; we must stop those who would ply vulnerabilities in big data systems, those who strive for quick political (arguably non-humanitarian) power wins. It is in this context that algorithm security increasingly becomes synonymous with security professionals working to avert, or as necessary helping win, kinetic conflicts instigated by digital exploits. This presentation therefore takes the audience through technical details of defensive concepts in algorithmic warfare based on an illuminating history of international relations. It aims to show how and why to seed security now into big data technology rather than wait to unpoison its fruit.

Copy of presentation slides: UnpoisonedFruit_Export.pdf

Posted in Energy, Food, History, Sailing, Security.