Friday, December 7, 2007

Computer security explained

Many a time, I have been asked to explain computer security by people who are thoroughly non-technical, who use computers and the internet just to get their work done, who are not much into security, but who would like to keep their systems secure. I have tried many ways; the one that has worked well so far is to present an allegorical analogy that people can understand more readily.

This is the story I tell them:

Once upon a time, there was a gentleman who saw a vast tract of land. He thought he would do something useful and productive with the land, and decided to set up a town there. He went to the king (Microsoft) and requested him to assign the land (Windows) to him. The king agreed, albeit for a hefty monetary tribute, and named him governor of this town (granted him a license). He also sent a few of his servants (programs like Notepad and Paintbrush) who would let him get along smoothly.
The servants were trained for various purposes. While one was a good cook, the other was a good gardener, and likewise.
Soon, people started settling in this town (data and programs). Whenever the governor needed some special work done (spreadsheet, word processor), he would pay a handsome tribute to the king or his associates (buy a license) and ask them to send one of their specialist people (MS Word, Excel).
There were many other smaller towns around this town, some even in the neighboring kingdoms (other computers with different operating systems). The neighboring towns were interconnected by good roads (networking) and their people prospered with good trade and tourism (advent of the internet). This got our governor thinking. He requested the king to build roads from his town to the neighboring towns. To use the roads, people needed chariots. The king's artisans made chariots and sold them to the governor.
However, people in another town built a nicer and cheaper chariot (Netscape). The king feared those chariots would rule the roads, and so started giving away chariots for free (Internet Explorer). To ensure that his chariot could run faster, he put charioteers in each chariot. These were no ordinary charioteers. They knew the way around the town very well. So much so, they could get the chariot right inside the governor's treasury, as long as the passenger knew how and what to ask of the charioteer (ActiveX etc.).
Now that the roads were getting a lot of varied traffic, the governor thought about managing it in a better way. The king had him designate each town gate (port) for a specialized purpose, to be manned by a specialized team (the program using that port, like IIS using port 80 for a web server). So there was a gate which was used solely for moving agricultural produce. The people manning the gates were trained by the king's people and specialized in distinguishing good food grains from bad, ensuring that only the good stuff entered the town (the programs responded to proper requests only). There was a different gate for household items, and a different one for tourists (like port 25 for the SMTP email service and port 21 for the FTP file transfer service). This led to a well-organized system of entering the town for different purposes, and saved time and money for the visiting traders as well as residents.
However, local ironsmiths were having a hard time competing with cheap imports. They petitioned the governor and the governor ordered shutting down the iron trading gate. No one could now import iron into this town.
Some of the gates (like the pottery gate) were not used much. Over the years the governor all but forgot about such gates. They just remained open, with the gatekeepers whiling away their time.
Now that roads had come up and chariots had started to move around to neighboring towns and other places, the bandits in the forest around the town (crackers) got interested in this town. They hitched rides in the chariots that were going to or coming from the neighboring towns (connection hijacking), befriended the charioteer (trust abuse), dumped the passenger, looked for any poorly manned gate (like our pottery gate), fooled the gatekeepers, and sneaked in. Once in, they had the charioteer take them to the governor's treasury and decamped with his treasure (computer compromised). The governor was irritated. He had the king create a moat (firewall) around his town, and had drawbridges installed. Only those gates which he explicitly permitted were allowed to be open and have their drawbridges lowered ("default deny", allow selective access).
He also gave passphrases to all the people in his town, and to all regular visitors and traders (authentication). They were to speak their passphrases aloud at the gate. If the passphrase was right, they were allowed in.
The bandits started arriving at the gate in hordes, calling out any and every phrase that existed or that they could think of. After many wild guesses, a few of the guesses turned out to be right, and the bandit who gave the right phrase could get in and steal stuff from the town (brute force). To check this, the governor started issuing long, complicated phrases in weird and foreign languages. Guessing the right phrase was still possible but would take a lot more time and effort (strong password).
The bandits then started eavesdropping on the visitor-gatekeeper exchange and stealing the visitor's phrase to gain entry. To prevent this, he started issuing non-forgeable certificates to the traders (SSL certificates). He also installed a soundproof cabin at each gate so that the passphrase could not be heard outside (encrypted communication). No one without a certificate was allowed to even attempt an entry. The system worked well until a lot of genuine but new traders started showing up. They were vital to the town's growth, but letting them in without proper validation was a risk. To help with this, he authorized 5 highly trusted people to set up offices in neighboring towns and issue the non-forgeable certificates to valid and genuine traders (like VeriSign and Thawte).
Of course, our governor had a huge and extended family living with him. The governor's relatives and family wielded as much power as the governor (privileged accounts), but unfortunately, some of them were quite gullible.
At times, the bandits succeeded in intercepting one of the governor's family members. They would befriend him, ride back to the town, have him call off the gate staff, and finally get fellow bandits in through the unguarded gates.
To counter this, the governor disempowered most of his relatives (unprivileged user accounts). The gate staff would no longer obey them. For some of his work, though, he still needed to empower some people, and he did empower a hand-picked bunch of his loyal followers with various levels of authority (selective access grant).
However, the governor soon discovered that some of the gate people had problems which prevented them from doing their job perfectly. For example, one of the gate-manning teams had a person with a slight hearing disability, and another who had a slight visual impairment (vulnerable programs). Bandits could gain entry at this gate by displaying forged certificates and uttering words which sounded similar to the required phrase (exploits).
Soon he discovered more problems with the gate people. Every time there was a problem with some gate person, the king would have that person examined and, if possible, help handle the problem (patch releases).
Some of the bandits however were not interested in money. All they wanted was to vandalize the town (viruses). These bandits adopted a variety of ways to get in and wreak havoc. One would pose as a skilful mason, and when the governor let him in and asked him to work, the mason would wreck the town. One would pose as a beautiful dancer, enter the town and dig up the roads.
Fortunately, there were people in other kingdoms who knew these bandits by face (antivirus). The governor hired one of these people to protect his town. Every morning, the general of the guard's kingdom sent him an album containing mug shots of newly discovered bandits (antivirus updates). That way, our guard was always up to date and knew of just about all the vandal bandits.

1 comment:

Jithin K Rajeev said...

Interesting and a smooth story to explain technical stuff.