The Gordian Knot -- the original "hack" https://en.m.wikipedia.org/wiki/Gordian_Knot #AdversarialThinking #SecurityMindset

Speaking of #AdversarialThinking -- I realized this morning that the typical "how to lock up your bike" lesson you teach a child is a classic example of Adversarial Thinking.

The lesson usually goes like this: The naive approach to locking your bike is to lock your front tire to some kind of immovable anchor, say a chain-link fence, or a parking meter.

Of course, a little thought reveals that a thief can easily clip the chain link fence and walk away with your bike. Or lift it over the parking meter. Or, remove the front tire (even easier if you have those quick release thingies). In any case, the thief can quickly abscond with your bike. Maybe they can't ride away with it, but if their plan is to throw it in the back of a truck, they don't need to.

Thinking through this little exercise in AT brings us to the classic "proper" way to lock a bike -- through the frame and the front tire, and locked to an anchor that is both immovable *and* can't be simply slipped off, like a bike rack, lamp post, etc. Even if the tire is removed, it is still chained to the frame. Breaking the frame takes a lot of effort and destroys the value of the bike. Using a secure anchor that is at least as strong as the bike means that the anchor is not the weakest link.

I'd argue that basically every person who has ever learned this lesson (the easy way, or the hard way) has learned some AT-derived knowledge. Hopefully, most of them can generalize some of those ideas to the next time they have to lock something up.

I'm doing a lot of research & reading on #AdversarialThinking as part of my work to characterize AT with a team of experts.

Anyway, going down a rabbit hole, I ran into a reference to IBM's "Black Team," a legendary early QA/Red Team group at IBM that I had never heard about until today.

The Black Team is mentioned in a short chapter of the book Peopleware, and that chapter is largely summarized in this blog post: http://www.t3.org/tangledwebs/07/tw0706.html# The core of the story is 100% believable, but a number of the ancillary details seem like they must have grown more mythic in the passage of time (e.g., maniacal laughs, black clothing, and long moustaches that they twirled as they broke programs).

The other story I can find online (which is not part of the Peopleware chapter and frankly sounds more than a little apocryphal) talks about a nefarious attack on a tape drive: http://www.penzba.co.uk/GreybeardStories/TheBlackTeam.html (I believe that this trick was possible on some tape drive under some circumstances in the history of computing, but I doubt that it was demonstrated in such a spectacular fashion.)

Incidentally, the copy of Peopleware I have is an expanded one from 1999, but based on the preface to the second edition, I believe the chapter on the Black Team exists in the original 1987 edition. There are no references to any earlier sources.

Someday I'll write a whole thing on this, but one of my favorite examples of #AdversarialThinking involves the board game Axis & Allies. In the early game, it can be hard for the US to get involved in Europe, even though that's where the initial action is. This is mostly -- if I recall correctly -- because the mechanism for using units in another person's country is very inconvenient, and Europe is pretty well divided up.

Spain is on the board, and is also very easy to get to from the US, but Spain is neutral (or at least was on the version we played), and not only are there penalties for violating a country's neutrality, but of course the US stomping all over Spain to have a beachhead into Europe plays against the US's WWII image.

Anyway, one of our players decided that, when he played the US, he would just instantly violate Spain's neutrality, pay the penalty (which was minimal), and then attack the Axis powers directly. It was a great strategy that exploited bad rules to break the game.

Quick googling suggests that the rules have been revised in modern editions, including (iirc) that you simply *can't* violate neutrality. Well, that's one kind of bugfix!

📣 I'm super excited to announce that I'm looking to hire a postdoc to work with me on my CAREER project to identify and create an assessment for important components of Adversarial Thinking for cybersecurity!

Most people in the community think that "Adversarial Thinking" is an critical skill for cybersecurity practice, but since there's no definition there's no way to assess it in individuals, determine change over time, evaluate educational materials, find it in populations, and so on. My project aims to help fill that gap through 1) a Delphi process with experts, 2) the creation and validation of a non-technical assessment, 3) experimentation using the assessment, and 4) teaching computer security with Adversarial Thinking as the motivating principle.

Postdocs would help work on this project with me and my students, would help advise masters and undergrad students on research, and would also teach in our department. I would also mentor you and do my best to help you on your path.

We are especially interested in diverse candidates and people who are passionate about both cybersecurity and education. If you're looking to get into cybersecurity education research, this is a really great opportunity!

Please boost or share out of band with anyone you think might be interested, and email me at pahp@d.umn.edu with any questions.

https://drive.google.com/file/d/164f8dZ4LTe-YPyoKetyAwx0LR_kChS0Y/view?usp=sharing

#PostDoc #CyberSecurity #AdversarialThinking

What's your favorite anecdote, story, or explanation of the importance of #AdversarialThinking for #cybersecurity / #infosec?