Mythic Monday – The Sphinx
- At April 06, 2009
- By Josh More
- In Mythology
- 0
“Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”
That was the riddle asked by the Sphinx, a creature sent to Thebes by Hera (or Ares, depending on the telling). When the riddle was answered incorrectly, the Sphinx would strangle and devour the challenger. This went on for a while until Oedipus came along, answered “man”, and explained that the “time of day” was a metaphor for “time of life”: the question refers to the stages of life, a baby crawling, a man walking, an old man with a cane. After this, the Sphinx (being unable to come up with another clever riddle) promptly killed herself.
Today’s myth is fairly transparently about password security. The Sphinx made three basic errors that we can learn from:
Question/Answer Pairs
We’ve all seen the “security question” prompts. They often ask about pets or parental surnames. Sometimes they ask about special anniversaries. In any event, if you are moderately findable online, a quick search of genealogy databases or photo-sharing sites can turn up the answers to such questions. To combat this, you can either hide all information relating to you, search it out online and remove it, visit public libraries and burn all the public records and brain-wipe all your friends… or you can answer the question nonsensically. Just because the field says “mother’s maiden name” doesn’t mean that you have to put that in there. Maybe put in your favorite fruit instead. Treat the answer as a second password: make it up, keep it wherever you keep your other passwords, and don’t reuse it from site to site.
Suppose the answer to the Sphinx’s riddle wasn’t “Man”, but “Kiwi”? Sure, the myth wouldn’t make much sense, and Oedipus would have become dinner rather than king, but the riddle would have been much less guessable.
Short Answer
You know how irritating it is to have to use a password that is “at least 8 characters”? Well, the reason is that there are people who will try all sorts of different words until one gets them in. It’s as if someone in power (like, say, Oedipus) were sending numerous peasants to the Sphinx with random answers. It would have gone something like this:
- Sphinx: “Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”
- Peasant 1: Umm, (checks list) an apple!
- Sphinx: Nope. (strangle) (eat)
- Peasant 2: How about an eagle?
- Sphinx: Nope. (strangle) (eat)
- Peasant 3: (looks about warily) man?
- Sphinx: Close, but we just changed the answer in the previous section. (strangle) (OM NOM NOM NOM)
- Peasant 4: (reads the previous section). Kiwi!
- Sphinx: Drat! (strangles self and throws body over cliff)
- Peasant 4: Yay! I win.
- Oedipus: (strangles peasant 4) (looks around warily) Yay! I win.
So, the Sphinx manages to survive a bit longer, but is still undone because the answer is short and guessable. Let’s protect against that by changing the answer from “Kiwi” to “My favorite of all the fruits is the kiwi… the fruit that needs a shave!” That’d be a lot harder to guess. Hard enough that Oedipus might even run out of peasants before he gets to it.
Only One Question
Ah, but what if you have an exceptionally smart guesser? Suppose they know something about the person choosing the password. Even incredibly long passphrases have to be remembered, so odds are that a little bit of social engineering can be of use. If we fully embrace anachronisms and have a Sphinx that is a Star Wars fan, odds are that the passphrase would appear on the list of 30 Most Memorable ‘Star Wars’ Quotes. Similarly, if the Sphinx were known to enjoy Shakespeare, 200+ Famous Bardisms might be a good place to start. The point here is to pre-load the disposable peasants with likely answers, so that Oedipus can hit upon it while there is still a peasant to kill and claim the credit. Length only helps when the phrase isn’t already sitting in somebody’s list.
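To make the three errors concrete, here is an added example (mine, not part of the original post) of how a guesser like Oedipus actually orders his peasants: likely answers from a wordlist first, then every short string exhaustively. The wordlist, the salt and the answers are constructed for the demonstration, and the hash is deliberately a fast one so the run takes seconds.

```python
import hashlib
import itertools
import string
from typing import Iterator, Optional

# Constructed wordlist: the answers a well-prepared Oedipus hands his peasants first.
# Real guessers use far larger lists (leaked passwords, quote collections, names).
WORDLIST = [
    "apple", "banana", "cherry", "kiwi", "mango",          # favourite fruits
    "eagle", "lion", "man", "sphinx",                      # the obvious riddle answers
    "may the force be with you", "to be or not to be",     # famous quotes
    "i am your father", "all the world is a stage",
]

SALT = b"thebes"  # constructed; a real verifier uses a random per-secret salt


def stored_hash(secret: str, salt: bytes = SALT) -> bytes:
    """What the Sphinx keeps instead of the answer itself.

    Salted SHA-256 is used so the demo runs in seconds; a real verifier should use
    a deliberately slow function (bcrypt, scrypt, Argon2) so every guess costs more.
    """
    return hashlib.sha256(salt + secret.encode("utf-8")).digest()


def candidate_answers(wordlist, alphabet=string.ascii_lowercase, max_len=4) -> Iterator[str]:
    """Guess order: likely answers first, then every short string exhaustively."""
    yield from wordlist
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


def brute_force_space(alphabet_size: int, max_len: int) -> int:
    """Strings of 1..max_len characters over an alphabet: the peasants pure brute force needs."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def guesses_until(target: bytes, salt: bytes = SALT, budget: int = 500_000) -> Optional[int]:
    """Guesses spent before `target` is hit, or None when the budget (the supply of
    peasants) runs out first."""
    for n, guess in enumerate(candidate_answers(WORDLIST), start=1):
        if n > budget:
            return None
        if stored_hash(guess, salt) == target:
            return n
    return None


if __name__ == "__main__":
    for answer in ("kiwi", "man", "may the force be with you", "qzxv",
                   "My favorite of all the fruits is the kiwi... the fruit that needs a shave!"):
        print(f"{answer[:40]:<40} {guesses_until(stored_hash(answer))}")
```

“Kiwi” falls on the fourth guess and the Star Wars quote on the tenth, despite being 25 characters long; any four lowercase letters fall inside the brute-force budget of roughly 475,000 tries. The nonsensical passphrase uses upper case, spaces and punctuation (an alphabet of about 95 symbols) at 70-odd characters and is in nobody’s list, so the peasants run out first.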
A clever Sphinx can protect herself by demanding more than one kind of proof. In the security field, we’d call this multi-factor authentication, which we summarize as “something you know, something you have, something you are”, or know/have/are for short. Note that a second riddle would not count: two things you know are still one factor, and a guesser who can research one can research both. To extend our horribly-mistreated metaphor, the Sphinx would be highly secure if she checked all three:
- Something you know:
- Q: “Which creature in the morning goes on four legs, at mid-day on two, and in the evening upon three, and the more legs it has, the weaker it be?”
- A: “My favorite of all the fruits is the kiwi… the fruit that needs a shave!”
- Something you have:
- Q: “Do you have the key that unlocks this super special box that I borrowed from Pandora?”
- A: (peasant offers a herring that has been painted plaid)
- Remember, the answer should be nonsensical and nontrivial. A plaid herring covers both requirements in most instances. Besides, it’s generally best to leave Pandora’s box closed.
- Something you are:
- Q: “How do I know that you are truly you?”
- A: (peasant shows the Sphinx that birthmark that Oedipus painted on his arm)
- It’s very difficult to forge the “something you are” check, but it can be done if the verification technology is flawed, be it a fingerprint scanner with no liveness check (one that can’t tell a living finger from a mold of one) or a stupid Sphinx.
Thus, the only person who could get past the Sphinx would be someone who managed to prove their identity three different ways, which makes it extremely likely that the person allowed in is the one authorized… or someone who has privileged information as to which questions will be asked and which answers are expected. So, make sure that your questions and answers are reasonably secure, but also make sure that you don’t let anyone else know what they are. Secrets are only good so long as they are kept secret.
That’s why the Sphinx had to kill herself, you know.
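As an added example (not from the original post), here is how the “know” and “have” factors are checked in practice: the passphrase against a salted, slow hash, and the plaid herring replaced by a time-based one-time password token (TOTP, RFC 6238, the scheme most phone authenticator apps use). The key `12345678901234567890` is the RFC’s published test key and the salt is constructed; the “are” factor is left out, since a biometric check has no clean software stand-in.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current code or its neighbours (clock drift), comparing in constant time.

    The loop deliberately does not return early, so the time taken does not reveal
    which slot matched. A malformed submission is rejected before any comparison.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(at_time) // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        matched |= hmac.compare_digest(hotp(secret, c, digits), submitted)
    return matched


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Slow, salted hash of the 'something you know', so a leaked store is still hard to guess."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000)


class SphinxGate:
    """Two factors the Sphinx can actually check: a passphrase and a TOTP token."""

    def __init__(self, passphrase: str, otp_secret: bytes, salt: bytes = b"constructed-salt"):
        self.salt = salt                      # constructed; use os.urandom() in practice
        self.pass_hash = hash_passphrase(passphrase, salt)
        self.otp_secret = otp_secret          # shared with the token when it was issued

    def admit(self, passphrase: str, otp: str, at_time: Optional[float] = None) -> bool:
        if at_time is None:
            at_time = time.time()
        # Evaluate both factors every time, so a failure does not reveal which one failed.
        know = hmac.compare_digest(hash_passphrase(passphrase, self.salt), self.pass_hash)
        have = verify_totp(self.otp_secret, otp, at_time)
        return know and have


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test key, not a real secret
    phrase = "My favorite of all the fruits is the kiwi... the fruit that needs a shave!"
    gate = SphinxGate(phrase, secret)
    now = time.time()
    print("passphrase + current token:", gate.admit(phrase, totp(secret, now)))
    print("passphrase + stale token:  ", gate.admit(phrase, totp(secret, now - 300)))
```

The window of one step either side is the usual compromise between tolerating a slightly wrong clock on the token and keeping the number of acceptable codes small; a peasant who overhears one code has thirty to ninety seconds to use it, after which it is worthless, which is what makes the “have” factor different from a second riddle.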
The Red River Zoo Needs Your Help
- At March 28, 2009
- By Josh More
- In Natural History
- 0
I know that many of you only read this blog for the security and business information. However, I have hopes that you enjoy the Tuesday natural history musings, and in that vein, I want to make you aware of the situation going on in Fargo, ND. This is a bit more personal than most of my other postings, but I hope that you’ll understand the reasons why this post has little to nothing to do with I.T. or security.
Some of you may have heard about the massive flooding in Fargo, ND. Well, for the moment, the Red River Zoo is safe, but many of the homes and businesses in Fargo are not. To help out, the zoo is accepting people’s exotic pets so that they can be cared for while the rest of Fargo flees. It’s a small zoo, but a good one. Some of you may recall the photos I’ve taken there.
This zoo is special. It’s fairly young and has a very small staff. Yet, they have managed to:
Breed Russian Red Tree Squirrels (See the blog)
Breed Sichuan Takins (See the blog)
Along with many many others. (See the blogs for the porcupines and wolves.)
But here’s the thing. Unlike some of the larger zoos out there, this zoo is funded entirely with donations, and has managed to do one heck of a job without using public funds. During and immediately after a disaster like the one impacting Fargo, the monies that are available tend to dry up. At the same time, we have a zoo that operates on a skeleton staff bending over backwards to save people’s pets. They need money to pay for the new animals and to keep things going until things start to get better.
I’ve made a quick PayPal account for them. I know that many of you are focusing efforts on things like:
- Helping save Peter and Erika’s house
- Fighting against racism, direct and subtle
- Helping Tzaddia Morningstar pay for cancer treatment
These are all worthy causes, and I’m not asking you to take anything away from them. All I ask is that if you have a spare $5, $10 or $20, can you toss it towards the Red River Zoo to help feed some animals.
I’m going to let this run for a few weeks, sweeping the account every Friday. I’ll send them a check for whatever is there to help them operate during the crisis. When it’s all done, I’ll close the PayPal account. There will be no auction and not a lot of bugging. All I’m asking is:
- If you can afford to drop a few dollars, please do so.
- If you can direct people to this post, so that others can drop a few dollars in the account, please do so.
The donation button is here:
If you prefer to send a check, you may do so to:
Flood Contributions
The Red River Zoo
4220 21st Ave SW
Fargo, ND 58104
If you have any questions, please leave a comment.
Thank you.
Small Business Defense – Detect, Avoid, Leverage Business Relationships
- At March 26, 2009
- By Josh More
- In Business Security
- 0
If you’re dealing with a DDoS attack, I’m afraid that I haven’t much good news for you. Once it’s started, it may be a bit late to try to deal with it. Odds are, you’re best off just waiting it out. Failing that, you can try to change the IP addresses on your external systems; however, that technique is less effective than it was and requires the assistance of your ISP.
No, the right way to handle this sort of attack is long before it starts.
These sorts of attacks tend to start a bit slowly, and can be recognized by a ramping up of traffic. However, in order to detect that, you first have to know what legitimate traffic looks like. Thus, for months before the attack, you have to be watching what’s coming in: how many requests arrive per minute, how many distinct sources they come from, and what they ask for. You should know what “normal” looks like, so you can detect “abnormal”. Not only will this help you differentiate an attack from simply outgrowing your resources, but it will also help you identify how you are using your resources so you don’t waste your money.
Bear in mind that most Internet connections can only carry so much, and if your employees are using it watching YouTube videos, that leaves less for legitimate customers. The first rule is to know what you have and how it’s being used. To reference Tuesday’s post, you need to know how many rats are normal, so you know when you’re about to have too many of them.
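An added example (not from the original post) of what “watching what’s coming in” amounts to in code: parse combined-format access log lines into per-minute counts, take the first few minutes as the known-normal baseline, and flag minutes that exceed it, using requests per source to separate a busy day from a few hosts hammering you. The log lines and addresses are constructed. The per-source rule is a heuristic: a large botnet can spread its requests thinly enough that each source looks ordinary, which is exactly why the baseline has to be collected over a long, quiet period.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed traffic, {minute: {source_ip: requests}}. The first five minutes are the
# "known normal" period you must have recorded long before an attack; the last three
# are what a ramp-up looks like.
NORMAL_SOURCES = [f"203.0.113.{i}" for i in range(1, 6)]
TRAFFIC = {
    "10:00": dict(zip(NORMAL_SOURCES, [2, 2, 2, 2, 2])),    # 10 requests
    "10:01": dict(zip(NORMAL_SOURCES, [3, 2, 3, 2, 2])),    # 12
    "10:02": dict(zip(NORMAL_SOURCES, [2, 1, 2, 2, 2])),    #  9
    "10:03": dict(zip(NORMAL_SOURCES, [3, 2, 2, 2, 2])),    # 11
    "10:04": dict(zip(NORMAL_SOURCES, [2, 2, 2, 2, 2])),    # 10
    "10:05": {f"203.0.113.{i}": 2 for i in range(1, 16)},   # 30 from 15 sources: a busy day
    "10:06": {f"198.51.100.{i}": 20 for i in range(1, 7)},  # 120 from 6 sources: hammering
    "10:07": {f"198.51.100.{i}": 10 for i in range(1, 41)}, # 400 from 40 sources
}


def make_log_lines(traffic):
    """Render the constructed traffic as Apache/nginx combined-format access log lines."""
    lines = []
    for minute, sources in traffic.items():
        n = 0
        for src, count in sources.items():
            for _ in range(count):
                lines.append(f'{src} - - [25/Mar/2009:{minute}:{n % 60:02d} +0000] '
                             f'"GET / HTTP/1.1" 200 512')
                n += 1
    return lines


LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^:\]]+:(?P<minute>\d\d:\d\d):\d\d [^\]]*\]')


def per_minute(lines):
    """Requests and distinct sources for each minute, in time order."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # a malformed line should not crash the monitor
        buckets[m["minute"]][m["src"]] += 1
    return {minute: {"requests": sum(srcs.values()), "sources": len(srcs)}
            for minute, srcs in sorted(buckets.items())}


def detect(lines, baseline_minutes=5, k=3.0, per_source_factor=2.0):
    """Flag minutes whose request count exceeds the baseline mean by k standard deviations,
    then separate 'more visitors' from 'the same few hosts sending far more' by comparing
    requests per source against the baseline."""
    stats = per_minute(lines)
    minutes = list(stats)
    base = [stats[m] for m in minutes[:baseline_minutes]]
    counts = [b["requests"] for b in base]
    threshold = mean(counts) + k * max(pstdev(counts), 1.0)   # floor so a flat baseline still works
    normal_per_source = mean(b["requests"] / b["sources"] for b in base)
    verdicts = []
    for m in minutes[baseline_minutes:]:
        s = stats[m]
        per_source = s["requests"] / s["sources"]
        if s["requests"] <= threshold:
            verdict = "normal"
        elif per_source > per_source_factor * normal_per_source:
            verdict = "likely flood"
        else:
            verdict = "organic growth"
        verdicts.append({"minute": m, "requests": s["requests"],
                         "sources": s["sources"], "verdict": verdict})
    return verdicts


if __name__ == "__main__":
    for v in detect(make_log_lines(TRAFFIC)):
        print(f'{v["minute"]}  {v["requests"]:4d} req  {v["sources"]:3d} src  {v["verdict"]}')
```

On the constructed data, 10:05 triples the request count but every source is behaving as the baseline sources did, so it reads as growth; 10:06 and 10:07 exceed the threshold with each source sending five to ten times the normal amount, which is the signature of a handful of machines being pointed at you. Knowing the normal requests-per-source figure is what makes that distinction possible.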
Then, you can move on to attack avoidance. There are systems out there that are specifically designed to handle DDoS attacks, but let’s assume that you don’t want to pay for that. One quick solution is to put a set of proxies in front of your servers. These can be servers or network devices in a reverse-proxy (load-balancer) configuration. The way these work is to simply receive connections and then balance them to the back-end server. Here, you can set up rules to drop illegitimate traffic (per-source rate limits, blocks on sources or regions you never do business with, rejection of malformed requests) to reduce what goes through to your server to a manageable amount. There are many technical ways to do this, and none of them are perfect… however, you don’t need perfect. You just need to drop enough traffic to get things working again. (In other words, you don’t need to stop all the rats, you just need to make sure that there’s enough grain for you and your family to eat.)
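An added example (not from the original post) of the kind of rule a proxy can enforce: a per-source sliding-window rate limit that lets normal clients through and drops the excess from any single source. The traffic is constructed; in production you would express this in the proxy’s own configuration (nginx’s limit_req, for instance) rather than in Python, but the logic is the same.

```python
from collections import Counter, defaultdict, deque

# Timestamps are integer milliseconds, so window arithmetic is exact.
WINDOW_MS = 1_000


class SourceRateLimiter:
    """Sliding-window limit: at most `limit` requests per `window_ms` from any one source.

    State is one deque per source, so a flood from a huge number of distinct or spoofed
    sources will also grow this table; a production limiter bounds it (nginx's
    limit_req_zone, for example, works in a fixed-size shared memory zone).
    """

    def __init__(self, limit: int, window_ms: int = WINDOW_MS):
        self.limit = limit
        self.window_ms = window_ms
        self.recent = defaultdict(deque)   # source -> timestamps of requests let through

    def allow(self, src: str, now_ms: int) -> bool:
        q = self.recent[src]
        while q and now_ms - q[0] >= self.window_ms:   # forget requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                                # over budget: drop at the proxy
        q.append(now_ms)
        return True


def filter_stream(events, limit: int = 10, window_ms: int = WINDOW_MS):
    """Run (timestamp_ms, source) events through the limiter; return per-source pass/drop counts."""
    limiter = SourceRateLimiter(limit, window_ms)
    passed, dropped = Counter(), Counter()
    for t, src in sorted(events):
        (passed if limiter.allow(src, t) else dropped)[src] += 1
    return passed, dropped


def constructed_stream():
    """Constructed traffic: three ordinary clients at 1 req/s and one source at 50 req/s, for 5 s."""
    events = [(sec * 1_000, f"203.0.113.{i}") for i in range(1, 4) for sec in range(5)]
    events += [(sec * 1_000 + n * 20, "198.51.100.9") for sec in range(5) for n in range(50)]
    return events


if __name__ == "__main__":
    passed, dropped = filter_stream(constructed_stream())
    for src in sorted(set(passed) | set(dropped)):
        print(f"{src:<14} passed {passed[src]:3d}  dropped {dropped[src]:3d}")
```

With a limit of ten requests per second, the three ordinary clients lose nothing and the flooding source gets ten requests through per second and loses the other forty. That is the “enough grain” outcome: the back-end sees a load it can handle, even though the proxy is still absorbing every packet the attacker sends.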
However, this solution only works assuming that the attack is somewhat small in scope. If the amount of traffic is overwhelming and your connection itself can’t handle it, having a set of proxies won’t help you much: the filtering happens on your side of the link, after the traffic has already filled it. You’ll need to call your ISP and have the traffic dropped upstream. This is why it’s good to have a good business relationship with your ISP. You should know the names and numbers of who you need to call, and you’ll need them to be technically competent. Ideally, you should be able to call them up, and say “I think I’m having a DDoS attack, can you block all traffic from Asia” (assuming that you don’t do business in Asia, of course :). This is like asking for international help in the face of a massive influx of rats.
The huge ISPs tend to have the technical skill, but lack the personal relationship. The really small ISPs will bend over backwards to help you, but may not know how. I suggest going for the middle of the road approach. Interview prospective ISPs and ask how they would handle this sort of situation. Ask if they can give you an emergency number that would always have a live person answering, 24×7. The good ones will, though they might charge you when you call after hours. This is well worth it.
In the end, you will have built an infrastructure that is resistant enough and built a business relationship that is flexible enough. The only way to be 100% protected against this sort of attack is to have more resources than the rest of the Internet combined, and that’s just not going to happen. This sort of preparation is fairly cheap, and worth a lot if you need to leverage it.
In the end, it’s cheap insurance.
Small Business Attack – Denial of Service
- At March 25, 2009
- By Josh More
- In Business Security
- 2
You get the call from your front-line people. Your web site is down and customers are complaining. You call your web folks and they can’t even get to the server. Then, your front-line people call you again and report that the entire Internet connection is down. You call your ISP, and they tell you that your line is up, but you’re getting a lot of traffic.
Their solution? Buy more bandwidth.
In fact, if you buy right now, you might even have it in a few weeks.
What has happened is a distributed denial of service attack. In this attack, the attackers leverage hundreds of thousands of machines (typically a botnet of compromised computers whose owners have no idea they are taking part) and send traffic at a target. In this case, your server. As it starts, people begin to have problems with the web server. Pages will load erratically, customers will experience slowness and the server may start to reboot itself or lock up entirely. However, it doesn’t stop there. The attackers often don’t know when they’re successful, and the traffic just keeps coming. Soon, your Internet connection will fill up and stop responding. If you’re hosting offsite, the line usage may spike and drive you into over-utilization charges. Thus, in addition to losing potential sales for every minute you’re down, you may also be charged for the experience.
So, it sucks to be you, but what does the attacker gain? In the old days (you know, when the hills only went up), this was done out of spite. Someone had taken offense at something you or your company had done, and their solution was to make your life miserable. These days, it’s different.
These days, the attacker may be a competitor or someone hired by a competitor. They may be starting a campaign and want you out of the picture during the process. They may be trying to take one of your biggest clients and want to show that you’re unreliable. It may be a criminal organization using such an attack to hide a second, more subtle attack. It may be an employee that simply wants a day off.
In any of these cases, what are you going to do about it?
Security Lessons from Nature – Rats, Bamboo and Surprises
- At March 24, 2009
- By Josh More
- In Natural History
- 0
There are some plants that bloom several times a year, some that bloom every year and some that bloom every few years. However, there are also a few types of plants that bloom every few decades. This is generally viewed as a fairly big deal, and botanists get all excited and talk to bored people at parties* for hours on end about how special and wonderful it was, and how happy they are to have finally seen such a thing. Unless you’re a botanist, you probably wouldn’t care much.
* At least, at the sorts of parties that over-excitable botanists get invited to.
That is, unless you happened to live in Asia and the plant happened to be bamboo. Unlike the American century plant, of which individual members bloom every few decades and then die, bamboo has learned to do synchronized blooming. Now, as scary as it is when a bunch of people start synchronizing their swimming, it’s far worse when bamboo does it.
Granted, it’s not the bamboo so much as the rats.
When the bamboo blooms, it pollinates and then produces fruits and seeds. Suddenly, there’s a lot of food around and rats appear to devour all the bamboo fruits. In the process they, of course, tend to make more rats. So, for the course of a year or two, there are more and more bamboo fruits which result in more and more rats. This is all well and good until the bamboo suddenly all wise up and think “Wait a minute, what are we doing here? Rats are eating us!” and promptly go back to being placid grasses.
This leaves hundreds of rats, thousands of rats, millions and billions and trillions of rats… and no lovely little bamboo fruits to eat. Being more intelligent than the bamboo (and lacking the “hey, let’s all be grass again” gene), the rats promptly turn around and start eating everything else that they can.
In Mizoram, a state of India, this means eating the people’s crops. It means that the farmers who, for a generation or more have been easily able to feed their families and export enough to make a reasonable living are suddenly transformed into fighters that must defend their livelihood against a rampaging horde of rats. And really, there’s not a lot they can do about it. A farmer may take on a rat and win, but one farmer versus one thousand rats is much less of a sure thing.
Similarly, you may be able to defend your business against an attacker or two, but when those few attackers suddenly become a coordinated attack from thousands to millions of computers, you’re pretty much not going to win.
Distributed Denial of Service (DDoS) attacks mostly target larger companies, but as botnets become cheaper to rent, the likelihood of an attack targeting you goes up. We’ll look at this in more detail tomorrow.
For now, just consider the problem facing the farmers of Mizoram, and remember that we don’t even know what diseases these rats might be carrying.