In 492 BC the Persian empire marched against the Greek world. Weeks before the first drop of blood would stain the Greek land, Athenians took the road to Delphi, to consult Pythia about the upcoming battles.
Athena cannot appease Olympian Zeus With her pleading words and shrewd mêtis,
Yet I speak this word, firm as adamant. Though all else within Attica’s border shall be taken
Even the secret places on divine Mount Kithairon, Far-sighted Zeus will grant to Athena a wooden wall.
It alone shall come through uncaptured: good fortune for you and your children.
But do not wait for the host of foot and horse coming overland!
Do not remain still! Turn your back and retreat. Someday you will yet oppose them.
O divine Salamis, you will destroy many women’s children When Demeter is scattered or gathered in.
Back in Athens, the words of the oracle were made public and an Assembly was convened to debate them.
If the Athenians obeyed the oracle to the letter, they would flee their land, avoid all contact with Xerxes’ forces, and found a new city far away, at “the ends of the earth.” Some professional diviners and older citizens indeed urged the people to abandon hope and emigrate. According to their interpretation, the gods had promised to protect their own temples behind the thorny hedge that encircled the Acropolis. This, they claimed, was the Wooden Wall of the prophecy.
Nothing could have been more disastrous for Themistocles and his aggressive naval policy than a sudden Athenian resolution to “turn their backs” on the Persians. It would be up to Themistocles himself to bend the prophecy to his purpose.
And when the Assembly met to debate the oracle’s meaning, he did just that. The Wooden Wall was not the palisade around the Acropolis, Themistocles said, but the navy. Its triremes, by now numbering two hundred, would be a wooden bulwark for the people’s defense. Apollo had revealed that this floating Wooden Wall would endure and bring benefits for generations to come. The Athenian citizens should man their ships, not to flee, but to face the Persians at sea.
Themistocles marched and sailed. In Salamis, the Persian fleet was destroyed. Salamis is considered one of the battles that have shaped the modern world.
Had the Persians successfully invaded Greece in 490 BC, EMEA history would be different.
Now, I hear the people that clicked this post wanted to learn about security.
Allegories were particularly favourable in Ancient Greece and I find myself charmed by the level of intricacy and witting that they require. I practice their art from time to time and this post seemed like a good excuse for me to do so.
Security engineers in virtually every organisation train their colleagues on the importance of securing their secrets. Sec engineers are like the oracles of Delphi.
Trying to predict the attack vectors of a system, constantly evaluating the situation that the system will be operating at, trying to assess the security of the system while always trying to please the manager and not cause a lot of discomfort.
Exactly like an oracle wants to please the priests while not causing a lot of discomfort to the king that came asking for a prophecy.
I have preached countless times on the importance of keeping one's secrets, well, secret.
Engineers listened. They implemented key stores. Or at least, they thought they did. Just like Athenians thought they understood Pythia, and they almost caused the Western civilisation to collapse under the pressure of Eastern forces.
Hadn't it been for Themistocles.
I want security engineers to stop acting like oracles and start working like Themistocles.
Do not preach of security, rather start working towards it. Make engineers understand how to implement security mechanisms and get to the extent of teaching them. Do not be a contributor to the "perceived security" effect.
In addition to allegories I also enjoy parables.
Parables are literary creations that allow one to transfer a message to her audience with an expressive and figurative way.
Let's examine the parable of "the insecure key store."
Software applications that implement cryptography need to create and store cryptographic keys and possibly certificates to properly operate and service their clients.
These keys and certificates might be stored in memory while the application uses them or stored in a permanent store for later use.
In either case, developers must take the appropriate security measures to limit the access to this store also known as keystore.
An insecure keystore bug allows an attacker to read cryptographic material such as keys and certificates from the keystore to use them during a cryptographic attack.
Once, in the city of Sparta, there was an engineer who was responsible for crafting a saferoom, so king Vrasidas can store all of his valuable pieces of information that his spies were collecting from all over Greece and Persia.
The engineer worked day and night and in a week, he had made the most fancy saferoom that any king has ever seen. A door so big and tough that it would take one thousand Persian horses ramming with their heads against it to even crack it. And walls so thick and tight that you couldn't even hear a thunder when you were inside the room.
On the door of this masterpiece, a large golden lock was installed. Crafted with the shinier gold which the engineer was able to find in all of Sparta.
The lock was created by the finest locksmith in the entire province of Lakonia. The key was so heavy that only a true king would be able to lift it and unlock the huge door of the saferoom.
When king Vrasidas saw the saferoom he was amazed. He gave to the engineer so much gold that he could build a house out of it.
The king went to his room for the night and he slept peacefully after all this time. He finally knew that his secrets were safe.
The next morning, a farmer walking by the side of the road passed by the saferoom, early in the morning.
The huge door was open! He walked with cautiousness towards the building thinking that the king has woken up with the first light of the day to study his documents.
The saferoom was empty. Completely empty. Not even a single piece of parchment was on the floor or hanging in the walls.
He started shouting until the city guards heard him and urged him to the king.
- "My king! The door! It was open. The saferoom. There was nothing inside, my king. My king, I know nothing more, please spare me!"
Vrasidas was pale. He was ready to collapse at his throne. He whispered to the ear of the guard that was standing next to him to fetch the engineer.
The engineer was sleeping in his house. Around him there were many hetaire. The guards dragged him, naked as he was, in front of the king.
- "What's the meaning of all this ?", the engineer managed to spell, naked and disorianted as he were.
- "I have lost all my parchments. Everything is GONE!", yelled the Spartan king.
- "That's impossible.", said the engineer. "The walls, the door, the lock would be admired even by the gods, my king.", shouted the engineer trying to excuse himself.
- "Do you have the key, my king ?", continued.
- "I have bedded with the key, like it was my wife, you fool. I have kept it under my pillow, along with my knife so that anyone that came for it would meet my blade!" the king raged.
- "May I see it, my King?" said the engineer.
King Vrasidas reached for the key in the chest that one of the guards were carrying up to this moment. he opened it with care, and gave the key to the engineer to inspect.
- "That's impossible. This can't have happened. Your saferoom can't be breached. This key is exactly like the one Aristarchos, the Lakonian locksmith gave to the Athenian lords, and their saferoom has NEVER been breached".
Now, modern engineers are no different species than the engineers of the past. They make mistakes and they can cause a lot of trouble.
The ancient Spartan engineer thought that by acquiring the same key as his Athenian counterpart, the saferoom for King Vrasidas would be unbreakable.
As this Java engineer thought that by creating a key store his secrets would be safe.
KeyStore keyStore = KeyStore.getInstance("JKS");
String fileName = System.getProperty("java.home") +
"/lib/security/myKeyStore.jks";
FileInputStream stream = new FileInputStream(new File(fileName));
keyStore.load( stream, "storeit".toCharArray());
He also forgot that java.home/lib/security may be readable by everyone.
Mistakes are commonplace. If you want to have a secure system, be like Themistocles. Act, before someone puts your city's defence under test.