SDP 8 OPEN DESIGN

Kip Boyle:
Hi, everybody. Welcome. This is your Cyber Path. We are the podcast that helps you get into cybersecurity. Or, if you’re already working in a cybersecurity career, then we’re going to help you level up. We’re going to get you that promotion that you’re looking for, or maybe you want to change jobs and work for a different employer. Either way, there’s probably some tasty increased compensation waiting for you, and we want you to get that as soon as possible. So that’s what we’re all about.

I’m Kip Boyle. This is Jason Dion right with me here.

Hey, Jason.

Jason Dion:
Hey, Kip. Nice to see you again.

Kip Boyle:
It’s great to see you.

What we’re going to talk about today is we’re going to continue a series that we’ve been doing on security architecture and design principles. I’m not going to repeat all the ones we’ve gone through already, because we’re getting close to the end of the 10 that we said that we would review. But what I will say is that these security architecture and design principles were originally published in a paper way back in 1975, if you can believe that. So think about it, in this career field where everything’s changing all the time, every day I get up in the morning and I’m like, “Okay, what do I don’t know today?”

Jason Dion:
Let me ask it.

Kip Boyle:
Here’s something from the dark ages of computing that we are still saying, “This is relevant.” Look, this is really super cool because with all the change that we have to deal with, having principles that don’t change, or don’t change very often, is super, super helpful.

Jason Dion:
And you know-

Kip Boyle:
So having said that, you can use these principles in your work. And if you do, hiring managers will really like it.

What were you going to say, Jason?

Jason Dion:
Yeah. I was just going to say, to me, you glossed over that 1975, right? I mean, that is so long ago. That’s before I was born, and I’m not a young guy. I’m 43 at this point, so that was before I was born. And I even think back to the internet, and if you think specifically about the worldwide web that we all use today, that is coined as a term in like 1994, 1995, so 20 years after this paper. And yet, this stuff is still relevant today. So it’s good stuff.

Kip Boyle:
Exactly. Yeah. I mean, the context for the computing is… 1975, it was big iron. It was computers that were so big, they filled an entire room. And nowadays, we don’t even know those kinds of computers even exist anymore. There’s very few of them. So even though the entire computing environment has changed, these principles are still relevant. And I would argue they’re even more relevant because the number of threats coming at us is even greater than it used to be when you had standalone computers in rooms that didn’t talk to any other computer, right?

Jason Dion:
Yeah.

Kip Boyle:
So things have only gotten weirder.

But the next principle we want to talk about, and the one that’s the subject of this episode is something called open design. Now, I know from working in this career field for a long time that whenever I talk about open design, people start to get twitchy. They don’t like open design. If you go to a software developer, you talk to an intellectual property attorney or something like that, they don’t want to put all their secrets on the internet. They don’t want their source code out there. And people who don’t work in this career field sort of have this idea that you should never share the design of your security controls. But that’s not true. And so that’s what open design is about.

Now, I want to read the definition of open design. And then you and I can unpack it so that everybody can benefit. All right, here it is. From the paper it says, “The protection mechanism should not depend on attackers being ignorant of its design to succeed. It may however be based on the attackers’ ignorance of specific information such as passwords or cipher keys.” So that’s the definition.

Jason, how should we start to unpack this?

Jason Dion:
Yeah. I think one of the first things we need to talk about is the fact when we talk about open design, we are not talking about open source. And there is a difference. And a lot of people hear open design, they go, “Oh, no. My code’s proprietary. I can’t share it because then people will know what I’m doing.” And that’s not what we’re talking about when we talk about open design. We’re talking about the mechanisms and the way that your security is built and the way your code operates, even at a big level to understand what the pieces are because that’s where you’ll be able to identify where those bugs are, and where those holes are, and where those vulnerabilities are so you can make it a more secure system.

There is this tug, as you said, this twitchiness that happened where it’s like, “Hey, I just built this really expensive brand new learning management system and we spent hundreds of thousands of dollars developing it. I don’t want to show people my code because I don’t want them stealing it and my competitors having that.” But not what we’re talking about. When we talk about open design, we’re really focusing on this idea that you want outsiders to come in and be able to see what you’re doing, because they’ll find the holes and they’ll be able make it more secure over time.

So this isn’t an open source proprietary discussion. You can have open design even if you are using proprietary code. And that may look like, if you’re a Facebook, or an IBM, or a Google, or one of these big companies, you’re sharing the source code across lots of layers of your organization so they can help you find those bugs even if you’re not sharing it outside of the organization. So we’ll bring that up first because that’s one of the things I think people get most worried about, and that’s not what we’re talking about.

Kip Boyle:
Can I tag on that for a moment, because some people might say, “Oh, well, you’re talking about a bug bounty program then.”

Jason Dion:
Nope.

Kip Boyle:
No, we’re not talking about that either, even though it’s related. It’s a cousin, perhaps, of a bug bounty program, but that’s not what we’re talking about either.

Jason Dion:
Yeah, exactly. And with a bug bounty program, a lot of times they don’t have access to the source code. In this case, with open design, you may or may not have access to the source code depending on how open your design is. One of the biggest places I see this is, when we start talking about encryption, but we’ll get there later in the episode [inaudible 00:06:01] we want to talk about where we see this go wrong, right?

Kip Boyle:
Yes, exactly.

Now, one thing that people say to me is, “Security design principles from 1975, how can that possibly be relevant to the work that we do today?” Well, let’s bring a current example that is high profile and has everybody in a tizzy, and let’s talk about how open design would have helped. So LastPass is a dedicated password manager. It’s been around for quite some time, and I used to recommend to my customers that they should use it. It had some really good features for team environments. And we felt, based on what we knew, that it was very attack-resistant. Turns out, that’s not true. And recently, and when I say recently, I mean in the past year, there was a data breach disclosure from LastPass where they admitted that all of their source code had been stolen as well as a giant cache of encrypted customer password databases that had been sitting on their service. This was all stolen. Now, password managers are always under attack. So the fact that they were attacked is not important. Everybody’s under attack all the time. That’s not the problem.

But the issue here is that, remember I said a moment ago, as far as we knew, they were attack-resistant. Well, the thing is, they never fully disclosed their design. And if you go over to another password manager, like 1Password, they have fully disclosed their design. So if you want to know, “Well, if I steal a 1Password user’s encrypted password database, how is it protected?” And 1Password has completely disclosed the architecture for how it’s protected. Now, they haven’t disclosed the source code necessarily, but they have described the number of times that they encrypt things and the different transformations that they go through. So on that basis, I said, “We’re switching to 1Password because they’ve actually disclosed enough for me to have a higher degree of trust that they actually know what they’re doing, and that they’ve done a really good job of making their product attack-resistant.”

So having opened up this real world scenario, Jason, I know you have some thoughts on this, what’s going on in your mind right now?

Jason Dion:
Yeah. So one of the things that I was thinking about is, I was going back to my old school days in late-’90s, early 2000s when I was actively working as a pen tester, so 20 plus years ago. And one of the things I saw a lot was, people tried to do this whole idea of security by obscurity. In fact, if you took the old security plus version three, version four, around 2005, 2007 timeframe, they talked about that as, “This is one of the ways you can have security is, you just become this weird thing that other people don’t expect. And therefore, they don’t think to look at it.”

Now, what I mean by security by obscurity, let’s say you’re running a web server kit and you want Jason not be able to find it. Well, if you go to yourcyberpath.com right now and you go on port 80 or port 443, it’s just going to open up the website because everybody knows that’s where it is, and that’s where the domain name is. If I wanted to hide my site, I can make it so there’s a special Your Cyber Path site at port 8888. So to get there, you’re going to have to type in, youcyberpath.com:88888. Now, it’s not really secure. It’s still sitting there. It’s open. Anybody can see it, but they have to know it’s there. And most people don’t go looking for a website over port 8888. They’re looking for it over port 80 or 443.

Kip Boyle:
Right.

Jason Dion:
So by having that kind of obscurity, you feel like you’re protected, but you’re really not because anybody can find it.

Kip Boyle:
No.

Jason Dion:
And so with these days, with things like Nmap, I can scan a 1,000 ports in a couple of seconds, and I’ll find out if you have a web server sitting there, or something else.

Kip Boyle:
Yes, absolutely.

Jason Dion:
The other thing is, people running things on weird servers like a web server on port 25, or an email server on port 80, or things like that. And that’s all part of the security by obscurity, and it doesn’t really give you any security. It’s just hiding you a little bit, right?

Kip Boyle:
Yeah. I mean, it’s an extremely low bar that makes you feel good, but you’ve got all this false security because, as Jason said, there’s so many ways that attackers can easily get over that extremely low bar that you’ve set up. Now, we’re not saying obscurity is a completely bankrupt idea. Obviously, when you talk about encryption keys, the fact that we keep them secret or private is an obscurity play, and same with passwords. So it’s not that obscurity isn’t helpful, but I wouldn’t use it alone on anything that I really value.

Jason Dion:
Exactly. And so that’s the whole idea here. And with LastPass, their whole thing was, “Hey, if we don’t tell people what our code is, maybe we’ll be a little more secure.” I don’t know if that’s really what they said. I wasn’t in their boardroom. I wasn’t in their design meetings.

Kip Boyle:
Right.

Jason Dion:
But you think that’s something like that. If I remember correctly, with the LastPass breach, what they ended up getting hit on was actually one of the third party features under their freemium model, like the ad supported tier or something like that, which never should have been in a security product to begin with, right?

Kip Boyle:
That’s right. That’s right.

Jason Dion:
We’ve got the whole different disruption. We talked about that in one of the previous principles of, minimize the functionality to just [inaudible 00:11:03] and secure the heck out of it.

Kip Boyle:
That’s right. That’s right. We did. And sometimes… And I don’t know if you’ve ever seen those demotivational posters. I don’t see them around too much. But I remember seeing one and it said, “Sometimes the purpose of your life is to serve as a warning to others.”

Jason Dion:
Yes.

Kip Boyle:
And it-

Jason Dion:
And I just don’t want to be that company. I don’t want to be the warning for anybody else.

Kip Boyle:
No. And I don’t want to pick on LastPass per se, because I don’t know anybody who works there. But their high public failures cannot be ignored. And I think anybody who has a failure, you can learn from it. Now, you’re making lemonades out of lemons, and really let’s try to learn from some of this stuff. So we’re not trying to bash them, we’re just trying to learn from what they’ve done. So that’s the thing with LastPass is, they got attacked. Nobody should be blamed for getting attacked. However, they didn’t publish their design in an open way, so they couldn’t benefit from other people giving feedback and saying, “Hey, you might want to reconsider this.” Or, “Oh, here, where you did that, all these other companies got nailed because they did that. It’s not a good practice. You should fix that.” And so in that way, publishing an open design can really, really help. And that’s just not a good idea, that’s actually how things work in practice.

So Jason, do you want to tell us about the Advanced Encryption Standard, AES?

Jason Dion:
Yeah.

Kip Boyle:
We all know about AES these days, but do you know how open design was used to select the Advanced Encryption Standard? Jason, you know this, right?

Jason Dion:
Yeah. I definitely know this, but only because I worked in the agency that helped with picking some of that stuff. Right?

Kip Boyle:
There you go.

Jason Dion:
And so in the old days when we used to make encryption things, the really big brains over at places like the NSA, the National Security Agency, would come up with their own proprietary encryption mechanisms, and they came up with things over time. I don’t know if they were the ones to develop it, but I think they were, DES, the Data Encryption Standard back in the ’70s.

Kip Boyle:
Yep. That’s-

Jason Dion:
And then that wasn’t strong enough, so we went to Triple DES, which extended our life cycle. And over time they realized, man, as computers get faster, this older style DES, which only had a 56-bit encryption key, can be brute force attacked and we can crack it. These days, with your computer at home, you can crack DES in a few minutes mostly. It’s not that hard, right?

Kip Boyle:
Right.

Jason Dion:
And so they did make a bandaid by doing Triple DES, where they encrypted, decrypted, and encrypted three cycles using different keys and all that kind of fun stuff. And they said, “Hey, we need to get a better standard.” And so they came up with a contest essentially, and it was sponsored by NIST, and there was a lot of participants across the federal government, including the NSA. And they came up with an open competition, said, “Hey, everybody put out what you think would be a great standard.” And it wasn’t, “Hey, there’s this black box and you don’t know what’s in it.” They literally showed you all of the code that makes up these standards. You can download the AES algorithm out there and look at the source code. It exists online.

And that’s not what makes it secure. What makes it secure is the length of the key. And as long as you don’t know that key, that algorithm is going to be secure. But the benefit of doing this is, by going through this process, not just can the developer say, “Yeah, this is good.” But everyone in the industry can look at it, they can attack it, they can figure out where the weaknesses are. As they went through this process to select AES, the Advanced Encryption Standard, there was a lot of different competitors in there including the Rivest Cipher collection, and we use RC4, for example, back in web encryption. And that had some weaknesses in it. And there was one called RC5 that was a competitor to AES. And there was a couple others. And ultimately, I think AES was chosen. And that became more [inaudible 00:14:35].

Kip Boyle:
Yeah. Okay. So AES… I think the actual algorithm was Rijndael, wasn’t it?

Jason Dion:
Yes. It’s a Rijndael cipher. Yep.

Kip Boyle:
Right. Right, right. Right. And so AES is like a generic term for the actual cipher that was chosen. So there were many different competitors. Well, the thing about this is that, it was all done based on open design. If you want to know how does the AES algorithm actually work? No problem. You can find out in all kinds of grizzly detail, right, Jason?

Jason Dion:
Oh, yeah. I mean, you can find white papers that are really in depth and tell you exactly how this thing works because everybody needs to know how to build the algorithm so everybody can use it, because it’s an open standard at this point that’s used pretty much across the world, except for a couple of countries that are on the prohibited list of getting high level of encryption. But in general, almost everybody in the world can get access to AES. And you use it on a daily basis, whether you know it or not. If you have a Windows computer using BitLocker, guess what? You’re using AES. If you’ve got an iPhone using FileVault, guess what? You’re using AES to do your data at rest encryption behind the scenes without you even doing anything. And what protects it is not the algorithm, it’s the key to that algorithm. And because every key is different, without the key, it would take years of brute force to try to get that data out until quantum computing is out. And then that’ll just throw a hole in everything, but that’s a story for another batch.

Kip Boyle:
I was about to say, are you trying to start a different episode in an episode? Don’t do that.

Jason Dion:
We’ll put that on the list for quantum computing for the future. We’ll talk about that in a future episode.

Kip Boyle:
It is important.

Jason Dion:
That is a big threat to encryption and modern techniques [inaudible 00:16:03].

Kip Boyle:
Yeah. It is important, but the NSA is on top of it. In fact, NIST just recently published some algorithms that they think are going to be quantum computing resistance. So there’s already some good work going on there. We’ll talk about that another time. But as we wrap up this episode, I just want to say that if you just stop for a moment and think, okay, here’s this advanced encryption standard published by NIST and supported by NSA, and they went with an open design. Now, if that doesn’t tell you the value of open design in the modern world, I don’t know what will, because I can’t think of a better, more compelling example.

So if you are facing a situation where you’re going to build something and you are on the project team or whatever, and you’re working as a cybersecurity analyst, you absolutely should be asking, “Are we going to do an open design? And if not, why not?” And you should encourage them to do an open design because, ultimately, you are going to get a higher quality result. It’s going to be more attack-resistant. So this is my encouragement to you. Now, if nobody listens to you and you don’t end up doing an open design, that’s not your fault. But I think we’re obligated to bring it up. We’re obligated to explain why it would be a good thing, although it’s not necessarily our risk. So we may not get the final answer.

Anyway-

Jason Dion:
One thing I’d say for open design is, for those of you trying to break into cybersecurity, this is an area that can actually help you break in and make a name for yourself. Every time a new protocol comes out, every time a new design comes out, every time a new advanced encryption algorithm is being developed, something like that, they put these things out for public comment and public review. And so you can go find what’s called an RFC, a Request for Comment, and when there’s a new standard, like Wi-Fi 6, they put out a Request for Comment on it, and you can go through that standard and read the 80 pages of documentation on what is Wi-Fi 6, and what’s included, and blah, blah, blah. And you can make recommendations. And now your name gets part of that.

And so when people start searching for your name, they’re going to see, “Oh, Jason worked on the Wi-Fi 6 standard. Oh, he must really know what he’s talking about.” Even though you may have had a very small part of it, but by being part of that Request for Comment process… Or, even like the NIST Cybersecurity Framework, early next year, they’re coming out with NIST Cybersecurity Framework version two, and there’s a lot of people who are helping build that. And if you’re part of that, your name’s going to get on there. And there’s projects like this that you can be a part of that will help get you notoriety, which will then help translate into more salary and more job offers later on.

In fact, Kip, you and I are working with Accolade as we’re building out new certifications, and we had a whole group of people who were helping us as we’re building out the Certified Cyber Resilience Fundamentals and Certified Cyber [inaudible 00:18:48] Practitioner certifications. We’re going to be doing some risk management certifications in the future and some other ones. So listeners, if you’re interested in that, definitely shoot us a message and you can get involved as one of our volunteers that’s helping build these things. And that also gets your name into those textbooks and other places, and that is going to pass additional things you could put on your LinkedIn that gives you credibility out there in the marketplace.

Kip Boyle:
So I guess, you could say in a way that Accolade is doing open design on its certifications.

Jason Dion:
Oh, we are. Oh, very much so. One of the things that we are doing as part of our certification process is, we are mapping out what does it take to take a certification from idea to final delivery in production? And you and I know what those processes are, because we just spent the last year doing it for the first certification, but we want to be able to share that with other people so they know these certifications aren’t just Kip and Jason wrote down 50 questions, and put it out there, and said, “This is a certification.” That is not what we did. We went through the whole long-drawn-out process to make it a worldwide recognized industry standard certification. And there’s a lot that goes into that, and we want to tell you about that on our Accolade website. So when you go there, you could see it and go, “Oh, that makes sense. That’s why this is important. It’s not just two guys with a good idea in the basement.”

Kip Boyle:
Not just.

Jason Dion:
Yeah, not [inaudible 00:19:56]. That’s [inaudible 00:19:56] to start, but then it goes further, right?

Kip Boyle:
That’s correct.

Jason Dion:
[inaudible 00:19:59] the way all great startups are. We all start with an idea, and then it’s how do you execute that idea that really makes the difference.

Kip Boyle:
Exactly.

Okay. Well, I don’t have anything else to say about open design. I think this one is pretty cut and dried. Anything else from you, Jason, on it?

Jason Dion:
Yeah, that’s it on open design. Other than that, I just want to say, thank you again, Kip, for spending another 45 minutes or so with me as we go through and do this podcast every week. And for…

Rephrase.

No, that’s it. I just wanted to basically say thank you to you for joining us again for another great episode of Your Cyber Path, both the audience and you, Kip, for joining us. I think it’s great the stuff that we are able to put out here and help people in their careers and help them figure out what they don’t know, and what they need to know, and where they want to go from here, and how to get better jobs, and better careers, and more money. Because at the end of the day, we want to be able to take care of ourselves and our families, and we know all of our listeners do as well. So that’s what we’re here to do, is to help you advancing your career.

Kip Boyle:
Definitely.

Jason Dion:
If you have any questions for us, you can always reach us at yourcyberpath.com/ask. That’s A-S-K. We have a little widget there that you can put in your questions. And in a future episode, we’re going to be playing some of those questions and responding to them live here on the podcast. So keep your ears out for those future episodes as they come out, and we hope you enjoy it.

All right. Thank you for listening to another episode. We’ll see you next time.

Kip Boyle:
Thanks, everybody.