Wednesday, August 13, 2008

Information Security Jedi: Form 0 Lightsaber Combat

I'm going to put my Star Wars nerd cap back on and talk about the parallels between information security and the Star Wars universe. In previous posts on the topic, I introduced the concept that in our world, information is like the Force. Our toolkits become our lightsabers, and how we choose to use those lightsabers can be compared to the various forms of combat used by the Jedi.

We cannot neatly tie each form of lightsaber combat to a discipline in the information security field, but there are a couple that do fit nicely that I'd like to point out. In this post, I'm going to talk about Form 0 lightsaber combat.

For the Jedi, Form 0 was not a form of lightsaber combat in the typical sense of the word. It had no attack forms because Form 0 was a term used for the defensive techniques a Jedi used to avoid lightsaber combat. It was the art of finding alternate means of solving a problem.

This is a very noble and important skill for a Jedi to have, but it doesn't really have any place in the world of information security. I mean, if someone is going to steal your data, you're not likely to have an opportunity to talk them out of it. What do we call it when someone doesn't secure a system and instead tries to prevent anyone from attacking it to maintain security? Well, I call it Security by Obscurity, and it is the bane of information security professionals everywhere.

I'm not going to spend any time talking about Form 0 in the information security world because it is completely useless to us. It doesn't help us to meet any regulatory compliance, it certainly doesn't help to keep anything secure (since by nature it is a lack of security mechanisms), and it isn't very effective, since it is pretty much assured that someone is going to work their way through your obfuscation. It was the same way for the Jedi. Form 0 was great for avoiding conflict, but if someone swung a blaster around toward a Jedi, he or she would quickly pull out their lightsaber and use a different form.

In the toolkit of a Form 0 practitioner, expect to find lawyers who will sue anyone trying to research their product. Form 0 masters might use defensive techniques such as running services on non-standard ports, or changing file extensions so that it isn't obvious what a file is for.
