Three decades ago, we had an ingenious solution to protect computer systems. Passwords were no longer needed, and that wasn’t even the most brilliant part of our solution. This ingenious solution would even eliminate the need to enter an user ID! Yes, we were brilliant and our solution was going to revolutionize the world forever! We found the golden egg, that huge pot of gold at the end of the rainbow. Parents were going to name their children after us. Nobel prize acceptance speeches had to be prepared. Fame and glory was coming our way!
The solution worked as simple as it was brilliant! No more passwords, no more user ID’s. Just 3 smart standard sentences that each user needed to type once, and from that our solution could identify unique patterns of typing certain combinations of letters. Our tests had shown that with 5 combinations of letters on a keyboard, we could identify every person due to the unique typing patterns. The 3 sentences to register a person had 50 combinations of such patterns so there were plenty unique combinations to pick from. From now on, every person could login to a system by simple typing off a randomly generated sentence which would have at least 5 identifiable sequences of letters and their patterns of typing.
We tested this over and over again. Fellow students, friends, family members. It worked flawlessly with every test. Have the test person type the 3 sentences to create a unique ID, store the unique patterns, and let the person login by typing a random sentence to identify the person. It worked! Not a single false positive or false negative. Not one! In total we had tested this over 5.000 times and it always worked. Party hats on, this was a major breakthrough!
We decided to demonstrate our brilliant and ingenious solution at a information technology conference. A befriended computer shop owner borrowed us a PC for the occasion. A fancy amber monochrome display, stunning 640 kilobytes of memory, a full flexed 8086 CPU, an enormous, very loud and sometimes bitchy 5 megabyte hard disk drive and a 5.25″ floppy drive. A monster back then, running the MS-DOS 2.1 operating system. Although we had originally developed our solution at the university’s mainframe, compiling our C program on this PC was (almost) as simple as breathing. We were all set and our prototype was more popular than we had expected. It felt like everyone at the conference wanted to test our solution, and everyone was surprised and impressed to see that it worked every time.
We kinda lost ourselves when one of the most popular magazines showed up at our small booth to do an interview. After the first shock and misplaced jokes to open up the champagne bottles, we challenged the reporter to test our system and he did. It worked! Of course it did, it always worked. Then he asked us if we were confident enough to have one of his buddies test our system. He was apparently some kind of expert for computer security. We weren’t impressed. By now we were approaching 6.000 positive tests. Bring it on!
A nerdy looking guy showed up, he could have been one of us, or a student like us from another university. We explained how our solution works but he didn’t seem to be paying much attention. This was the first time that someone just responded with “ok” without either showing disbelieve or surprise. We asked him a few times to try it but he seemed to be more interested in our PC. Instead of typing the identification sentences, he tried to stop the program by pressing escape, control-c, control-alt-delete and a lot of other things. He even tried to crash our ingenious and undefeated solution by overloading the keyboard buffer with fast random keystrokes.
HA! We thought of that, of course. C’mon man, we were smart enough to develop this ingenious solution, you really didn’t expect us to miss those simple tricks? No, he had to come up with something better than that. Something much better! We thought of everything! Almost everything, that is…
Rob, that’s the name of the guy who destroyed our path to fame and glory, smiled at us and reached to the back of the PC, pushed the reset button and kept smiling at us while the PC was rebooting… He knew it and we knew it. Game, set and match. Golden Goal. Check mate. Sudden death. Strike. K.O.
It was over and done. No Nobel Prize speeches, no negotiations with the tech giants, no bidding and overbidding to license our brilliant breakthrough and unbreakable solution. It was all over. Rob robbed us (no pun intended!)…!
In our enthusiasm over our solution, we had missed a couple of weaknesses and vulnerabilities, and after this sobering exposure by Rob we found weakness after weakness in what we had believed to be the unbeatable breakthrough solution in user identification and computer security. Identifying a person by recognizing unique patterns in typing wasn’t as reliable as we thought it would be. In our tests, we always had a very short cycle between the first identification and the confirmation of the identity of the person. We learned that the patterns of typing can change during the day, for example when a person gets tired after long hours of typing. We also discovered that a person with cold hands types entirely different than a person who feels comfortable. And many other influences we should have seen with our eyes closed, like injuries to name just an example. With these influences changing the patterns of typing, the risk of false positive and false negative increased significantly.
The biggest weakness was however our own attitude and the way we had tested so far. Always searching for positives to confirm our solution, we had completely failed to do negative testing. All tests on ourselves had always been done under exactly the same circumstances, in the same air conditioned computer room, always at night after a full day at the university. Because we had limited storage space available, we kept cleaning our database after every test. We would figure out compression of the data later, that wasn’t a priority at the moment. We had basically set ourselves up for failure and Rob just pushed us over the edge by exposing yet another weakness.
It got worse when we found out that others had already tried similar concepts, including a project sponsored by IBM, one of the tech giants we hoped would buy a license for our solution once we had launched it on the market. “Promising but not reliable” was the sobering judgement of that project by Big Blue. Nowadays we could have searched the internet before embarrassing ourselves but in all honesty, I doubt that we would have done so in our enthusiasm.
Rob was kind enough to contact us a few weeks later. We met him at a bar, had a few beers and paid close attention to what he had to say. “Learn to think like your enemy, learn to test like your enemy. Stop testing to confirm, start testing to break it”. My fellow students looked confused, I grasped the concept immediately and started to build the link to military thinking in a split second. The simulated enemy we called RED TEAM would attack the own forces, BLUE TEAM. The Red Team didn’t follow the playbook because everyone is prepared for that. The Red Team does the unexpected, hits you where it hurts, hits you where you least expect it. Military thinking. Every self respecting armed force has well trained Red Teams to simulate attacks and responses to unveil weaknesses. And every self respecting armed force trains their staff to embrace Red Team exercises, no matter how hard the beating might be. Because that is how you learn, that is how you improve, that is how you uncover weaknesses and solve them. Over and over again.
Recommended reading on Red Team benefits, and the costly consequences of not having proper Red Team testing in place, is the book Red Team: How to Succeed By Thinking Like the Enemy by Micah Zenko. In his thorough analyzes of Read Team from its early days in the Catholic Church, through military concepts all the way up the current implementations in companies and intelligence agencies, Micah shows the importance of this very special kind of critical thinking, and the challenges companies and organizations have faced during implementation and execution of Red Team testing. It takes courage to install a Red Team, it can take even more courage to accept the outcome. The toughest job of them all, however, can be being a member of the Red Team. You will not always make new friends as the Devil’s Advocate.
Red Team concepts have made their way into the business world. Penetration Testing of IT infrastructure for example. Executive teams embracing Red Team critical thinking to “battle test” their strategies. Red Team is all about breaking through your own enthusiasm and confidence, and getting the best in the business to find the vulnerabilities to be able to solve them. Sometimes the outcome of a Red Team test could even be that a promising project is dropped completely. Red Team is about prevention and improvement. Fix before you fail. Test before you pay!
I’ve come a long way since that very important lesson by Rob. Nowadays I do Red Team training myself and coach companies in the acceptance of the concepts and methods. I wasn’t happy when Rob showed how simple it was to disable what we thought to be unbreakable, and I didn’t have any pleasant thoughts about him at that moment and the days after that. It was Rob who contacted us later and taught us a very important lesson. A tough lesson I am now proudly passing on.
Thanks, Rob! You’re still the best Red Team player I ever worked with.