Let’s get down to the business of dissecting what you can learn about information security from TFA. However—spoiler warning—I can’t discuss the movie’s infosec learnings without pointing out some of its scenes or plot points. If you haven’t seen it yet, you probably need to turn in your “geek” card, but more importantly, you should save this article for later.
TFA honors the original movies in many ways, including the presence of similar plot elements. In fact, the movie opens with a secret message (a star-chart) being hidden on a cute droid called ‘BB-8’ that gets lost on a sandy planet…sound familiar? In any case, this means that the newest installment shares some of the same security tips as the others, including the “security by obscurity” tip associated with hiding data on a cute droid, or the social engineering aspects of the Jedi mind trick. Today, we’ll concentrate on three tips we get to see in TFA.
Unlock Your Lightsabers with Biometrics
After the main characters, Rey and Finn, meet Han Solo, he takes them to the planet of Takodana to meet Maz Kanata. There, Rey begins hearing screams and having visions, which draw her to the basement where she eventually finds Luke Skywalker’s lightsaber. Upon touching the lightsaber, she has even more visions, as though she unlocked the device at her touch. Kanata says that Skywalker’s saber is calling to her.
While it probably works differently in fantasy worlds that have The Force, in the real world, unlocking a device with something physical about you, rather than something you know, is called biometric authentication. As the infosec community keeps getting reminded how bad most users’ password practices are, biometrics have become a popular authentication mechanism.
Biometric authentication is convenient and, used properly, reasonably secure. Biometric traits such as fingerprints or iris and retina patterns are unique to you and rich in detail, which makes them hard for an attacker to forge well enough to fool a decent sensor. And it is a lot easier than remembering one long complex password, let alone 50 of them for all of your accounts.
Having said that, I want to warn you that real biometrics are not as infallible as The Force is at identifying people. A fingerprint is not a secret; you leave copies of it on everything you touch, and there have been plenty of documented demonstrations of researchers lifting a print and casting a gel or latex copy that a fingerprint reader accepts. A sensor also has to match within a tolerance, so a good-enough copy will do, not an exact one. Worse yet, we can’t get new fingerprints or retinas, so once a biometric is compromised there is no resetting it the way you would reset a password.
So what’s the Jedi advice here? Biometrics are a good authentication factor (something you are), but they should be paired with something you know or something you have, not used as a standalone replacement for passwords. If you pair your normal password with a biometric credential, your login will remain Sith resilient.
Separate Keys for Public/Private Key Cryptography
During most of the movie, the characters are trying to save BB-8 and figure out how to decipher the star-chart hidden within him. Yet the chart seems incomplete, and the heroes can’t read it without a missing piece. Later in the movie, the second missing piece of the chart is unearthed, allowing the good guys access to the now-complete chart.
This brings to mind a very important concept supporting many aspects of infosec: public-key cryptography, sometimes also called public/private key crypto. In short, it relies on a mathematically linked pair of keys. One you keep private and share with no one; the other, the public key, you can hand to anyone you’d like to communicate with securely. You lose nothing by sharing the public key, because a message encrypted to it can only be deciphered by whoever holds the matching private key, and the public key itself is no help in working that private key out. (The same pair works in reverse for digital signatures: sign with the private key, and anyone holding the public key can verify who sent the message.)
Many of the secure communications you rely on today are built on this concept. Secure web connections (SSL/TLS), VPNs, and secure email all rely on key pairs on the backend. In practice they use the public-key operations only for the small, expensive jobs, authenticating the other side and agreeing on a fresh session key, and then encrypt the bulk of the traffic with a fast symmetric cipher under that session key.
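To make the two-keys idea concrete, here is an added example I wrote for this post (it is not code from the films, a vendor, or the original article). It is a small Go program, standard library only, that generates a key pair for the “Resistance”, seals a constructed star-chart message to the public half, and shows that the holder of the private half gets the chart back while a second party (the “First Order”) with its own key pair is refused. It uses the hybrid pattern real protocols use: the data is encrypted with AES-256-GCM under a one-off key, and only that small data key is encrypted with RSA-OAEP to the recipient’s public key. The party names and the chart text are made up for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what would ride inside BB-8: data under a one-off symmetric key, plus that key sealed to a public key.
type Envelope struct {
	WrappedKey []byte // AES-256 data key, RSA-OAEP encrypted to the recipient's public key
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM ciphertext with its authentication tag
}

// Seal encrypts plaintext for whoever holds the private half of pub. Hybrid scheme:
// AES-GCM for the data, RSA-OAEP (SHA-256) only for the 32-byte data key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the plaintext; it fails unless priv matches the public key used in Seal.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("wrong private key, cannot unwrap the data key: %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Demo plays out the scenario: the Resistance publishes a key, the chart is sealed to it,
// the private-key holder opens it, and an interceptor with a different key pair is refused.
func Demo() (recovered bool, interceptorRefused bool, err error) {
	chart := []byte("constructed sample: partial star chart to Luke's location") // constructed sample data
	resistance, err := rsa.GenerateKey(rand.Reader, 2048) // private half never leaves home
	if err != nil {
		return false, false, err
	}
	firstOrder, err := rsa.GenerateKey(rand.Reader, 2048) // the interceptor's own, unrelated pair
	if err != nil {
		return false, false, err
	}
	env, err := Seal(&resistance.PublicKey, chart) // only the public half is needed to seal
	if err != nil {
		return false, false, err
	}
	got, err := Open(resistance, env)
	if err != nil {
		return false, false, err
	}
	_, interceptErr := Open(firstOrder, env) // wrong private key: OAEP check fails, no plaintext leaks
	return bytes.Equal(got, chart), interceptErr != nil, nil
}

func main() {
	ok, refused, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recipient recovered chart: %v, interceptor refused: %v\n", ok, refused)
}
```

Run it with `go run .` and both values print as true. Note that the wrong key does not produce garbage: RSA-OAEP and AES-GCM both carry integrity checks, so decryption with a mismatched key fails cleanly instead of handing the attacker something to guess at.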
While the good guys still wouldn’t have wanted the information within BB-8 to fall into the wrong hands, it would have done Kylo Ren little good without access to the “private key” that was hidden inside R2-D2. If you want to up your infosec Jedi skills, leverage public-key cryptography wherever you can.
Security Padawans Can Learn From and Exceed the Jedi Grey Beards
As an old guy watching the new version of my favorite space opera, I can’t help but notice the theme of the older generation passing on the torch (or The Force) to the younger generation. All our old favorite characters have their own parts to play in guiding the new heroes. Meanwhile, Rey, Finn, Poe, and hopefully even Kylo, will have to grow and improve based on what they learn from their elders in order to face their new challenges and prevail.
I often see this same generation gap in infosec. The grey beards have been through it all. They have accumulated a ton of security knowledge and experience over the years, and really do have a lot to teach. However, they also fall into old habits and can get curmudgeonly, assuming they’ve seen it all before. Meanwhile, the new infosec kids are excited and bring fresh ideas. Sometimes those ideas are fruitful; other times they lead to dead ends the grey beards have already explored. If only these two groups would come together.
In short, one of the best infosec tips I can give is to listen to each other, especially to experienced security professionals. Their experience can save time and heartache. Infosec padawans: keep an open mind. Don’t discount the advice of a grey beard, even if it seems cynical and antiquated. These grey beards have battle scars to prove their mettle, and their advice could spare you a few of your own. Grey beards: you must also listen to your padawans. Just as Rey gained Han’s respect with her bravery and skill as a pilot, you can pick up new twists on lessons you thought you had already learned, and your padawans can help you avoid becoming set in your ways. Hopefully, in future movies, we’ll see Rey conquer new threats to the galaxy using what she learned from Han and Luke, and even teach the old guard a few tricks of her own.
Well, that’s it for now. On my fourth or fifth viewing of TFA, I’m sure I’ll glean a few more infosec tips, but for now, I’ll wait until the next movie. In the meantime, be sure to share a few of your own Star Wars security insights in the comments.