EPISODE 101
SDP 3: Economy of Mechanism

About this episode

In this short episode, we are back discussing the Security Design Principles, with the third principle, Economy of Mechanism.

Jason and Kip explain the principle of Economy of Mechanism and how you want to apply it in your career as a cybersecurity professional without falling into the trap of overcomplicating things and, most importantly, while staying within the limits of your budget.

You should always keep things simple and practical and focus on providing value instead of following tedious complex processes.

Economy of Mechanism can be simplified in the following, “You don’t want to build a $100,000 fence to protect a $1000 horse”. Context is everything here, you need to understand what you are protecting and how your protections should be relevant to that.

What you’ll learn

  • What is the Economy of Mechanism?
  • What happens when you overcomplicate technical controls?
  • What are some examples of Economy of Mechanism?

Episode Transcript

Kip Boyle:
Hey everybody. Hi, welcome. This is Your Cyber Path. We’re the podcast that helps you get into cybersecurity or if you’re already into cybersecurity, to accelerate your career so that you can achieve your goals. And I’m here today with Jason Dion. Hey Jason. How are you today?

Jason Dion:
I’m doing great. How are you today, Kip?

Kip Boyle:
Well, it’s the end of July, so we’re talking about peak summer right now, and I’m about to do something that I’ve never done before, which for you, you’ve done so many times you probably can’t even count. We’re about to go on a cruise and even better, I don’t have to fly to go on the cruise. You have to fly to go because we’re going on one together. It’s an Alaska cruise. We’re taking off out of Seattle. It’s a week long. I am so excited because, I mean, to see the glaciers and do all that cool stuff, man, that is just… I’m so looking forward to that. And then you’re going to be there. A bunch of other people are going to be there. This is going to be a lot of fun, I think.

Jason Dion:
Yeah, it’s going to be a lot of fun. The way we set it up was Kip and I are going to go together, as you know obviously Kip, and then I’m bringing a couple of people on my team as well. So Susan, my COO, David, my CTO, and their families, we’re all going. We’re going to be doing some work, we’re going to be doing some play, and it’ll be a lot of fun as we plan the next year or two for both of our companies and our interactions together. And as you said, I love cruising. I go quite a bit. I used to work-

Kip Boyle:
That’s an understatement.

Jason Dion:
Yeah. Well, before I joined the Navy, I actually was working for the cruise lines, so I worked for Royal Caribbean and Carnival Cruise Lines, doing IT stuff onboard the ships. And I did that for about three years where I would do six to nine months on three to six months off and then do that over and over again. And I did three tours that way. And so just from that experience, I did like a hundred cruises. And then over the last 20 years since I’ve stopped working for the cruise lines, I’ve been on another probably 40 or 50 cruises. The last two years, my wife says I have a little bit of an obsession since I’m semi-retired now, and I’ve been going once every other month, so I’m trying to slow down a little bit. But when I found out Kip had never been on a cruise, I was like, “All right, Kip, we got to make this right.” So I’m like, “Kip, you’re going with me. We’re going on a cruise.”

Kip Boyle:
Yeah. And I’m really looking forward to it. I really appreciate the nudge and the support, and I think it’s going to be fantastic. I guess my big concern is that I’m going to love it so much that I’m going to turn into a cruisey and that’s all I’m going to want to do, but well, we’ll see what happens.

Jason Dion:
I think you’re going to love it. A lot of fun. We’re going on one of the big Royal Caribbean ships, so there’s so much to do and it’s just a great way to travel, in my opinion.

Kip Boyle:
No, I think the big irony for you is when you were in the Navy.

Jason Dion:
Yep.

Kip Boyle:
How much cruising did you do on actual Navy ships?

Jason Dion:
So not a whole lot. I was stationed on a ship for two and a half years, and I ran the networks on a large deck amphib, which is basically a mini aircraft carrier. We had about 3,000 people on board, and I was there for two and a half years. And for that two and a half years, I was out to sea most of that time. But the rest of my career, as I got more senior, I did not do a lot of sea time because most of where I was working was the communications stations on the ground side or working at the National Security Agency when I was doing cyber defense, working with USCYBERCOM, Navy Fleet Cybercom and things like that. And so most of that was more me flying to a location, living out of a hotel room, fixing problems, and then flying back to home station.

I’ve only been on three or four Navy ships, but the biggest one was the one, I was there for two and a half years when I was on USS Wasp back in 2007 to 2009. So yeah, it’s not as much as you’d think. People always join the Navy. It’s like, join the Navy, see the world. You’re going to get on a ship and go over the place. And honestly, when I was on Wasp, we went on a five and a half month deployment and we only hit three ports, and we were in those ports for about three days each. So out of a five and a half month time, I was out to sea most of it and very little ports. Whereas when you go on a cruise ship, it’s a day at sea, two or three days in ports, a day at sea, two or three days in ports, and then you go home. So it’s just a different experience.

Kip Boyle:
It’s ironic that you had that experience. I had a similar ironic experience in the Air Force when my thought was joining the Air Force, see the world, same thing. And anyway, one thing led to another and I ended up working in classified computing. Well, why in the world would you set up a classified computing facility anywhere except in the continental United States? Or maybe Hawaii or Alaska or something like that. But it’s like you don’t need to take all the risk of setting up classified computing operations in foreign countries, just do it all back within our borders, and it’s just better. So I went nowhere. I went nowhere. I didn’t even fly. Did I even fly in an Air Force aircraft? I don’t think I did. Everywhere where I went, I flew commercial, stayed in hotels. It was the most corporate experience ever except I wore uniform and I loved it. It was great but just wasn’t what I was expecting.

Jason Dion:
Yeah, see, I had a different experience though, because I think I joined about 15 years after you. And so for us, I ran computer networks all over the world, and they were at the unclass, secret, and top secret level. So we had classified networks all over the world. I’ve run them in the Middle East, I’ve run them in Africa, I’ve run them in Europe, I’ve run them in Asia. I’ve run them out of hotel rooms during different exercises and operations we’ve done, including in the Philippines and down in Peru and things like that. And so we do take classified material all over the place now. We don’t just [inaudible] US because everything is so high tech and everything runs high tech at this point. So we have to-

Kip Boyle:
Yeah, that’s a good point. That’s a good point. It was very different for me because we were working with many computers and Unix was just starting to become a thing. So it’s pretty interesting. Just even a few years apart [inaudible].

Jason Dion:
Because that was more the nineties for you guys?

Kip Boyle:
Yeah, I was in on the nineties. Yeah.

Jason Dion:
Yeah. And for me, I got in early two thousands, so by that point, kind of 2000 was a switch where everybody started going into deployable computers and deployable machines and getting them on the Navy ships and all that kind of stuff. So for us, that’s why that shift happened over that 10 year period.

Kip Boyle:
Oh, well, what do you know? That’s why I missed out. Okay. Well listen, on the note of secure computing, what are we going to talk about today? Well, we’ve started a series of episodes and what we’re doing is we’re talking about something called security design principles. Now there are 10 OG security design principles and they were all published in a paper by a couple of guys called Saltzer and Schroeder back in 1975. And this is mind blowing to me that thinking about computer security back in 1975 is still relevant, more relevant than ever, actually in some ways today. There’s 10 of them so far. We’ve talked about least privilege, we’ve talked about psychological acceptability. Today we’re going to talk about one called economy of mechanism, which is a really weird name. What does that really mean, Jason?

Jason Dion:
Yeah, I mean, when you talk about economy of mechanism, really what we’re talking about is we want to use the economy, the cheapest, easiest, quickest solution that will do the thing you want to do. So for example, if I want to protect this pen, the quickest and easiest way for me to protect this pen would probably be to put it in my pocket and carry it with me all day long. Because if it’s in my pocket all day long, Kip can’t go in my office and steal my pen. Now if I don’t want to use that, which is a free solution because I have to watch it all day long, I might want to put it in my desk drawer over here and lock it and take the key with me. That again, is a very cheap lock. You could probably pick it, but for this pen, it’s only a $3 pen. I really don’t care. It can be stolen. It’s not a big deal, and you kind of make the thing based on what it is.

But if this was a top secret thumb drive with all the military secrets, I’d want to keep it in a locked building with cameras, with guards, with safes and triple and double checks, all the different locks. And so the protection mechanism or control has to be simple and small to do the job, but if you need more, then you will do more. But it’s all about economy. Don’t overkill to protect something that doesn’t matter. That’s kind of how I look at economy of mechanism.

Kip Boyle:
Now, that’s completely reasonable. There’s another sort of wrinkle to this that I think is really important when it comes to digital security. Because the examples you gave are physical security. And I think they’re perfectly fine. The issue that we also have to pay attention to though, in my experience, is when you’re doing something digital, you have to be on guard that it doesn’t become overly complicated. Which human beings overcomplicate everything all the time. We always try to make everything super cool and super sophisticated and blah, blah, blah, blah, blah. No, stop. Don’t do that.

Because when something is too complicated, what it really does is… And there’s different words for this, but we can call it increasing the attack surface. We can call it making something more vulnerable because it has more digital moving parts and so on and so forth. Let me read you a summary of economy of mechanism, not from Saltzer and Schroeder’s paper, but from a different paper by Michael Gegick and Sean Barnum, which they published in 2005. And it says, “One factor in evaluating a system’s security, that is to say its effectiveness, is its complexity. If the design, implementation or security mechanisms are highly complex, then the likelihood of security vulnerabilities increases.” And this is just a fancy way of saying keep it simple, stupid.

Jason Dion:
Yeah, exactly. I mean, if I’m going to write a piece of code and I’m going to write it in a thousand lines, or I’m going to write it in 50 lines, the thousand lines may have more protection, it may have a lot more extra checks and all those things. But it also is a lot more places where I could have screwed up when I coded it. And so it is 20 times more likely I make an error in a thousand lines of code as I do in a 50 line piece of code. And so like you said, KISS, keep it simple stupid.

In ITIL 4, which is one of the things I teach with IT service management, when we talk about rolling out software products and programs and operating systems and services, one of our nine guiding principles is keep it simple and practical. And really what this means is that we want to focus on things that create value rather than following complex processes just because they’re going to be there or have been used for a long time, and ask why these complex steps exist. Unless there’s a solid current reason, you should stop doing them. Because all that extra work is just more places that’s either costing you money or more places you could be vulnerable. And so that’s why we’re talking about this economy of mechanism, I think.

Kip Boyle:
Right, right. And the way I think about it is, you know, you don’t want to build a thousand dollar fence to protect a hundred dollar horse. Yeah, I love that example, because it’s easy to imagine you could actually see this broken down horse behind this high security 12 foot fence with barbed wire, electrified with search lights. It’s like, no, no, no, you’re overdoing it.

Now, there’s a really practical example and relevant recent example that I want to talk about. This started in November of 2021, and this actually affected the security tools that I use. And so I think it’s a really great example to help people really understand the modern implications of economy of mechanism of why it’s still relevant today.

So in November of 2021, there was a security researcher who had discovered and published that he had been looking at the LastPass Android app, and what he found was seven embedded activity trackers. So he was doing code analysis, I think he was sniffing network traffic. And he found this, and it turned out that of those seven trackers, one of them was being used to gather data about the user of the app, and you start pulling another thread. And what he found out was that LastPass was taking that data and it was using it to sell targeted ads so that when you use the free version of their app, you would see advertisements for different things. And that was how LastPass was monetizing the fact that you were using it for free, as they were turning you into the product.

Now, okay, so we could talk about how that violates privacy and so on and so forth. And I think there’s a whole dimension there of troublesome stuff. But the real issue for me was I’m using LastPass as a security mechanism. LastPass put this code in there that had nothing to do with making the security mechanism better. In fact, they violated the economy of mechanism principle. We talked about this, you and I. And so from your point of view, Jason, how would you describe the risk that this security mechanism had this tracking code in it?

Jason Dion:
Yeah, for me, the big risk there is not the privacy issue or concern, as you said. But for me, it’s really the fact you have this extra code and every piece of extra code is something else that can be exploited. I see this a lot with a lot of different software and service applications. The game here seems to be like, let’s make as many features as possible. So if I’ve got an online word processor, I’m going to make it so I can have font colors and font sizes and highlights and strikethroughs. And you know what? Let’s go ahead and add in the ability to draw graphics in there too, and let’s put tables in there. Let’s do markup and markdown and all these different things. And by the time you look at something like Microsoft Word, you now have a thousand different features.

Well, that’s a thousand different buckets of code that are all there. And for me, for instance, I never use the mail merge feature in Word, but there’s a vulnerability in there because that is now a piece of code that could be attacked by somebody. And so when you’re looking at the software, more is not always better. Sometimes less is more and less is more secure.

Kip Boyle:
Especially if you’re talking about a security tool. Now, in the case of a word processor, what that means is that I have to apply security patches for functionality I never use. And wouldn’t it be nice if I could just sort of tick the boxes on the install and say, I don’t want all this stuff, uncheck, uncheck, uncheck, uncheck, and then I don’t have to be worried about patching stuff that I don’t use.

But when you’re talking about a security mechanism like a password manager, it only exists to secure passwords. And so as a security professional, I was offended actually that the makers of a security piece of software thought that this was okay. It told me that the people that were in charge did not understand these principles. They must not have even known that they exist. And so for me, I was like, “Nope, I’m out of here.” I’m not doing this anymore. I’m going to go to another password manager that doesn’t do this. And even if I have to pay some money, which I do, I’m happy to pay for an attack resistant password manager because that’s its purpose in life. And so that’s what I do. That’s what I do, is I pay for it so that I don’t have to have this extra code.

Now it turns out that this was released to the public, and so you can go and you can actually read some articles about this. And the thing is that LastPass was just like, “Meh, we don’t care. We’re going to keep doing this.” So even though the security community said to them, “Hey, let’s help you here. What you’re doing is not a good idea. Here’s why.” Explained it. And they didn’t care. They just kept doing it. So I was like, “Nope, not doing it. Kip’s out.”

Jason Dion:
I’ll play devil’s advocate here for a second, but I think probably what was happening with LastPass, and they probably had a lot of discussions about this on the business side, is they were trying to figure out how do we make a go of this as a company. Because right now their model was a freemium model. So under a freemium model, you can get them for free, or if you want some additional features, then you pay the $4 a month or $50 a year to be able to get access to all those features.

And I think it’s kind of similar to the struggle we’re having right now with Twitter. If you look at Twitter, 90% of their business was ad supported revenue. 10% is people getting Twitter Blue. And people complain about ads, but it’s like, well, you don’t want to pay the 10 bucks a month or whatever it is for Twitter Blue, then you’re going to get ads. That’s kind of the way they make money. And I think that’s what LastPass was doing.

Kip Boyle:
Absolutely.

Jason Dion:
For the last 10, 15 years, ads were the easy answer to make revenue, and that’s what they went with. But you’re right, from a security perspective, embedding ads into the product or tracking and selling that off to third party advertisers to be able to have them advertise to you later is not a great security thing. That’s adding extra code. But I can see why they made that decision to do it.

Kip Boyle:
I can too, because we see it in other dimensions. Let’s talk about free virtual private networks.

Jason Dion:
Oh yeah.

Kip Boyle:
So I can go get a free VPN and I can use it to circumvent geo restrictions and watch Netflix in the UK when I’m in the US and so on and so forth. But when I do that, I’m not using the VPN as a security mechanism. I’m using it as a content acquisition mechanism. It has really nothing to do with security. I’m just changing my IP address. And so if you get a VPN for free and you’re using it for actual security to actually stay secure, you’re going to be really disappointed because that’s not going to work. It’s really the same thing. If you have a free VPN and they’re monetizing your browsing history, that means that they’re not paying that much attention and don’t really care all that much about the fact that this is a security mechanism and it has all its extra code, it’s violating the economy of mechanism principle.

And anyway, so as you can see, I am very ranty about this, and I read in magazines where they review what’s the best VPN, what’s the best password manager product. They never talk about economy of mechanism. They never talk about security attack resistance. That stuff should be first. That should be the first thing they look at. But they don’t because they’re used to just dealing with just ordinary software, ordinary software as a service, ordinary freemium business models. And it’s like a horde of Mongols that just run right over the way we think about things. And anyway, off my soapbox now.

Jason Dion:
Yeah. And I think you’re right. A lot of the stuff you look at like PC Magazine or Consumer Reports, they’re looking at features, price and quality, they’re not looking at it from a security perspective necessarily, because that’s not the way they usually evaluate things.

Kip Boyle:
Exactly.

Jason Dion:
Or keep that kind of thing in mind too.

Kip Boyle:
Exactly. I’m happy to have features, usability and price for a word processor, perfectly reasonable, just not a reasonable set of filters for a VPN or a password manager or anything like that.

Jason Dion:
And going back to, we talked about keeping it simple. One of the things I thought was fun is about two years ago, I hired an automation firm to come in and help me do some backend automations in the business because we had so much going on, I didn’t have time to do it. So I’m like, let me bring these people in. They’re experts in it. They should know what they’re doing, blah, blah, blah. So they come in, we go through all the requirements, and one of the automations I wanted was that if somebody passed an exam, like their ITIL 4 Foundation, I get an email notification from PeopleCert. And I wanted to be able to say, okay, let me send an email to that person saying, “Congratulations, you passed,” or, “I’m sorry you failed. How can I help you?” And we had that for each of our different PeopleCert courses, which is about 12 different courses.

So if I was building that, I would’ve built out 12 different automations and it would’ve just started with, if cert equals this, then continue. If cert is this, then continue. And if it’s ITIL 4 Foundation, then was it a pass? Was it a fail? Do this action or do that action. Very simple, four or five steps.

Well, the team went off, and about two months later they came back with what they were going to do. And had they done it the simple way, it would’ve been done in two days. Instead, it took them two months. And what they gave me back was this big spaghetti diagram. Where it came in, it was like any email comes in, gets processed. Now is it here? Yes or no. Is it here? Yes or no. And it was bundles and bundles and bundles of if, then statements to make this whole thing happen. There had to be 50 decision points in this thing.

And they’re like, “I don’t know why the student who passed the exam is getting an email saying they failed the exam.” Because you made it too complicated. Stop. Make it simple. Because they wanted this one automation to rule them all instead of going, you know what? Let’s just make 12 automations. And the reason that we say in ITIL, make 12 automations is it’s actually simpler. If you have 12 automations with three decision points each, it’s much easier to troubleshoot and keep that logic going than when you start doing this convoluted system. So to me, I think about that when I talk about economy of mechanism and simplicity is keep it simple, keep it to the point and keep it low cost for the thing you’re trying to protect.

Kip Boyle:
Yeah. Yeah, absolutely. Okay. Well, I hope that we’ve completely unpacked this idea of economy of mechanism and what does it really mean? Because it is kind of a strange 1975 way of saying what we’ve been talking about.

Jason Dion:
Build it easy, build it to the right level.

Kip Boyle:
And by the way, Saltzer and Schroeder, they were academics. This was a paper that was released in the Association of Computing Machinery, some conference that they went to. So it can be a little weird to understand this stuff, but that’s why we’re unpacking it here in the Your Cyber Path podcast for you. Because listen, if you use these security design principles in your work and you talk about them to your boss, to your peers, you’re going to sound super intelligent and you’re going to be doing really good work, and guess what? That’s going to accelerate your career.

Your boss is going to know and trust you even more because you are bringing this kind of discipline thinking into your work. And that’s what we want for you. We want you to take these lessons that we’re sharing with you, and we want you to kill it on the job. So if there’s anything we can do, anything else that we can do to help make you understand economy of mechanism or any of these other security design principles that we’re covering in this series of episodes, just reach out to us. Right, Jason? How do they do that?

Jason Dion:
Yeah. The easiest way to reach out to us is to go to yourcyberpath.com/ask A-S-K and we have a little tool there that you can actually record a voice message to us. So you don’t have to sit there and type out a thousand word email. You can simply just leave us a 30 to 60 second voice message, essentially, telling us about your situation, telling us about your question, and then we can respond back to you through voice or through email and give you that back, or even play those here on the podcast. One of the things we’ve been talking about is taking a couple of those that we get and doing an ask us anything podcast where we go and take your questions and answer them on the podcast. So it’s a great way for you to be able to do that really quick and easily, and you do that over at yourcyberpath.com/ask.

Kip Boyle:
That’s great. So I don’t have anything else to share in this episode. Do you, Jason?

Jason Dion:
Yeah. Last thing I want to say is don’t forget to go over to yourcyberpath.com on the homepage. You can sign up for Kip’s mentor notes. His mentor notes come out every two weeks along with the podcast, and they cover interesting facts and tidbits about cybersecurity as well as things that you want to know to be better at your job and to get your next job. In fact, this discussion we had about LastPass today, that was actually started in one of our mentor notes from last year. Kip actually talked about that when that actually happened back in 2021 and early 2022. So things like that, we’ll bring it to your attention and make sure you understand it. Even if we don’t talk about it on the podcast, you’ll get it through the mentor notes. So it’s a great resource, completely free, and you can join or unsubscribe at any time you want. So just head over to yourcyberpath.com on the front page and do that. Until next time, we’ll see you on the next episode of Your Cyber Path.

Kip Boyle:
Bye everybody.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
