Tomatoes & Telegraphs | Episode 273
I recently recorded a podcast with Carey Parker of Firewalls Don’t Stop Dragons.
We wrote this blog post about the podcast episode, then ran ads on various social media for 90 days.
So far, this blog post has been visited over 11,577 times by more than 9,786 people!
This podcast episode was also featured in the “Best of 2022” year-end review.
Carey has interviewed many interesting information security folks, including Jeff Moss (Founder of DEF CON / Black Hat), Bruce Schneier (cybersecurity guru and author), Cory Doctorow (author and activist), Troy Hunt (HaveIBeenPwned), Phil Zimmermann (creator of Pretty Good Privacy — PGP), and Dr. Andy Yen (Founder, CEO of ProtonMail).
This is information security as you’ve never heard it!
We talked about passwords, DiceWare, One-Time Pads, and how we can make information security products that are beautiful — like CASTALOT™ Dice.
Some questions that came up:
- How can the history of tomatoes 🍅 in America encourage information security professionals?
- What are One-Time Pads?
- What can car mileage efficiency tell us about One-Time Pads?
- How could the use of One-Time Pads (as originally invented) be extremely efficient? (you may have never heard this shiny new nugget of understanding before)
- How did the California Gold Rush influence the creation of the One-Time Pad?
- Who was 60 years late to the party?
- Why should information security products be beautiful?
- If Aunt Linda doesn’t want a black Faraday Bag on her entryway table, what kind of product would she gladly accept? (hint: we’ve got some striking visuals)
The time spent speaking with Carey was a lot of fun.
Feel free to grab a few tomatoes 🍅🍅🍅🍅 and join the conversation!
P.S. — If you’d prefer to read rather than listen, below is a transcript of the episode.
Firewalls Don’t Stop Dragons Podcast
with Anthony Collette | Posted on May 23, 2022
Anthony Collette: Hey, everyone, this is Anthony Collette from Loistava Information Security. And you’re listening to Firewalls Don’t Stop Dragons.
Carey Parker: Hello, everybody. Welcome back to Firewalls Don’t Stop Dragons. I’m your host, Carey Parker. Today is Episode 273 for May 23rd, 2022. And I’ve got a great interview for you today. Very, very interesting. I know, I know. I say that a lot, but this really is a very different kind of interview. And if you’ve looked at the title for this show, we’re going to explain to you what information security and passwords have to do with tomatoes and telegraphs. That will give you some indication of how this will not be your normal interview. But I’ll come back to that in just a second.
A couple of things before we start. First of all, update everything. Update your Windows, update your Chrome browser, update your Firefox browser, update your Apple stuff. There’s been a lot of really big vulnerabilities fixed recently, some of them pretty nasty. So just make sure that all your software is up to date. I mean, that’s just kind of a standing thing. But there has been a lot of stuff recently that you’re going to want to get fixed. Again if you kind of want to hear about those things, as I find out about them, I post most of the kind of urgent stuff like that on Twitter and Facebook. So, if you’re not already, you might want to follow me on one of those two platforms and also Mastodon as well. I know that’s not something a lot of people know about, but, you know, hey, if you’re into basically a more private version of Twitter, check out Mastodon and find me there as well. And if you just go to my contact page on Firewalls Don’t Stop Dragons, you’ll find all the different ways you can locate me there.
Now I am in the middle of a brand new Patron promotion. The Super Cool Dragon Challenge Coins are back. I haven’t had a promotion with these things since late last year, so if you missed it then, now is your chance. But it’s so much more than that, I’m not going to get to a lot of it here. Again, if you go to firewallsdontstopdragons.com and just search on dragon coins, you’ll find the article. There’s information there, but I’ve really added some really fun new things for Patrons, so I’m really hoping that the value proposition has become even better. So you definitely want to check that out.
Now I’ve also got this super cool skunkworks project that I’ve been working on for many months now and I have been sworn to secrecy. It’s killing me. But you can get a little taste of what’s coming up by looking in the show notes. There’s a link to a Twitter post from one of my collaborators about The Amulet of Entropy. That is going to be really cool. I will be teasing more of that and officially releasing it in the coming, let’s just say this summer. But if you want to get a little teaser, look in the show notes for a link to that.
All right. So this interview I’ll be talking today with Anthony Collette from a company called Loistava, and they are putting together some cybersecurity products that are trying to bridge the gap between the dry, technical, boring, “nothing I want to think about” cybersecurity realm stuff and bring that to the masses. Honestly, same thing I’m doing. I’m trying to relate these things in a way that everybody can understand and appreciate, and they’ve got a unique kind of approach to that. And we’re going to talk a little bit about that today. But what we’re really going to talk about today is how they came upon this idea for this product they’re going to be creating and perhaps other products as well to kind of bridge the gap between the highly technical, dry world of cybersecurity and the reality that we as a society and as a people, need to understand the very basics of these things. And so how do we do that? How do we bring that to the masses? So anyway, we’re going to talk about that.
But along the way, he’s going to explain some really interesting histories about tomatoes and telegraphs that I will bet you have never heard of before. Along the way, we’re going to talk about things like, how do people choose their passwords? It’s not as random as you might think. And there’s actually a lot of psychology behind the way people choose their passwords when they’re not using a password manager and they have to come up with something that they’re going to remember. It’s not just simple. It turns out that there are some kind of emotional reasons behind what people choose as their passwords.
We’re going to talk about whether or not you should be changing your passwords. Of course, we’re going to talk about why you should be using a password manager. And we’re even going to learn about something called a One-Time Pad, which again, is kind of a dry cybersecurity subject. But we’re going to explain it in just a fascinating way with some interesting history going all the way back to the 1800s.
So with that as your teaser, let’s get into our interview today with Anthony Collette. Anthony Collette is a senior consent form editor at the largest institutional review board, IRB, in the United States. Mr. Collette analyzes complex medical documents, synthesizes the central concepts and translates technical jargon into relatable language. And it turns out these skills transfer perfectly to the task of analyzing and understanding the conflicting and often outdated advice given about passwords. So welcome to the show, Anthony.
Anthony Collette: Hey, thanks, Carey. It’s great to be here.
Carey Parker: We’ve had some really interesting discussions already by email, and I can’t wait to get into some of that stuff here. But I really like the fact that you take things from a very different perspective. At one point when we were talking about some of these things by email, I couldn’t help but think of the book Freakonomics. Have you ever read that book?
Anthony Collette: It’s been a long time ago, but yeah, I’ve read it.
Carey Parker: Yeah, but what I loved about the book was that it always had some very different perspectives on some, maybe some everyday things. And so I think the audience is really going to like this. Let’s start off by having you explain what you do for medical studies and then help us understand how that translates into what you’re doing with Loistava.
Anthony Collette: Great. Sure. People often ask me, what’s an institutional review board? It’s kind of an unusual, unusual thing. And basically, if you want to do medical research on a human being, you have to outsource some of the decision-making to an institutional review board. So an IRB is going to review, they’re going to approve, maybe they’re going to modify the research project. They could even reject it and not give permission to do it. And then they continue to monitor and review the research project as it progresses. So there’s going to be some sort of risk/benefit analysis they’re going to do and decide if the research should be conducted. And basically, the federal government has decided that some disinterested third party should make some of those decisions. So that’s what IRBs do. And then one of the big issues about research with humans is if you’re going to involve a human, you need to get their consent and they need to be fully informed about what they’re signing up for.
Carey Parker: Sure, makes sense.
Anthony Collette: One of the ways that happens is through this consent form, which is supposed to be like a surprise-free zone. You should give this potential participant everything they need to know in advance about what’s going to happen so that there won’t be any surprises. And IRBs came into being because there were a number of research projects over the years, starting in the 1940s that went really bad and people were hurt, people were injured, and some people even died. And so society just said, hey, we need to monitor this. We need to make the decision-making less conflicted. And we need to do this in a way that protects people.
And of course, the past two years, we’ve had quite the adventure with COVID and tons of medical research around COVID. In fact, just the IRB that I work with, we’ve reviewed over a thousand COVID research studies. So it’s been an adventure. But that’s what an IRB is. So that’s what I do.
My partner in this adventure, Trevor, he’s a consumer product developer. So for 20 plus years, he’s been developing various consumer products for large national retailers. So that’s us. And, some of the projects or I should say our programs that Trevor has been involved in, in developing these consumer products, some of them have sold, these are large national retailers. So this is going to be like $100 million a year in one product category, in another product category, a program that he was directly involved in real heavily, was $400 million a year in private label products, consumer products that are private label. So these are store brand products. So that’s my partner’s specialty, is creating consumer products for wide distribution. So that’s the two of us.
Carey Parker: Yeah. So how did you guys get together? And what are you guys working on together?
Anthony Collette: So our thinking is . . . so as I was sitting in that IRB, surrounded by all that research, I wondered, I wonder if anybody does password research? Is that even a thing? Do people even do that? As it turns out, there’s lots of research about passwords and other security issues.
And one of the things I noticed was that as people in the industry, in the information security industry, go out into the community and measure, they take the temperature of people out in the community and measure the effectiveness of these outreach efforts. They don’t like what they find. They find that ordinary people are just not getting it yet. That these outreach efforts and these educational efforts just aren’t moving the needle far enough. People don’t understand yet even the fundamentals of information security. They don’t even know what a special character is. Something that might be totally obvious to you and to many of us, but to some people who don’t deal with these things day-to-day and don’t think about them, who don’t need to think about them much, or at least they haven’t yet. They’re not even getting the fundamentals.
Our thinking there is that there’s something missing in this dynamic. There’s all of this awesome advice that’s being given, but giving advice by itself doesn’t seem to be moving the needle well enough. And so we think what’s missing is a physical product that people can hold in their hand and that can focus their attention long enough for an idea to click. And so we think of these physical products that we’re creating, each one of them, we think of them as a catalyst to speed up the adoption of information security best practices.
Carey Parker: Well, we are definitely getting into that today with you, but you use some interesting stories to kind of bring these ideas home. And one of the ones that you mentioned there was just mind blowing was how you kind of compared what you just talked about to something that seems completely and wholly unrelated. And that is the story of how tomatoes became so popular in the United States. So what can cybersecurity evangelists learn from the history of the tomato?
Anthony Collette: Well, it’s really quite a story, really. So we start with this idea that information security folks are a bit frustrated by consumer perception and the lack of change in consumer behavior around cybersecurity best practices. And they’ve got good reasons to be stressed about that. So from our standpoint, as people who are interested in consumer behavior and consumer products and how consumer perception drives consumer behavior and how that can change, we looked into the history of tomatoes in America, which does seem pretty out there, doesn’t it? But when you think today and you look around, tomatoes are one of the most popular foods in the U.S. Just think about all the pasta sauce and the ketchup and the tomato sauce on pizza and tomato soup you’ve eaten in your lifetime. Right? All those tomatoes in salads and sandwiches. I mean, we as Americans, we consume this vast quantity of tomatoes. And there’s even something like 40 million Americans today, growing tomatoes in their own home gardens.
Carey Parker: I’m one of them. Yeah.
Anthony Collette: Yeah. There you go. See? But tomatoes were not always that popular. So we’ll rewind time a bit, and we’ll start the story on New Year’s Day in 1830. So it’s the start of a new year, a new decade. And most Americans don’t eat tomatoes. There’s a few people scattered here and there that eat them. But around the country, people don’t eat them. Some people grow them as a garden decoration, but they would never think of eating them. And they call them “Love Apples,” which is pretty funny. I don’t know why, but that was the nickname for them. So at this point in time, most Americans think tomatoes are unhealthy and possibly even poisonous. So there are some really funny stories from that period of people who wrote about their, how they hated the smell of tomatoes, the [sight of a] red tomato was just gross and how the smell of the plants was really nauseating. One writer from way back in that era wrote “Hardly two persons in a hundred on first tasting it thought that they would ever be induced to taste that sour trash a second time.” There was this really visceral negative reaction to tomatoes. Even Ralph Waldo Emerson said during that period that tomatoes were definitely an acquired taste.
Carey Parker: Huh.
Anthony Collette: So here we are leading up to the 1830s and ketchup, they had ketchup back then and they called it ketchup, but it was brown because it was made out of mushrooms. Kinda wacky, huh? So this is the setting. This is where consumers’ minds are. So that’s their perception and that’s their behavior.
But everything changes during the 1830s, during this one decade without radio and before TV and no Internet, American consumers’ perception of tomatoes changed completely. And that change in perception drove these massive changes in consumer behavior. So fast forward just a few years, it’s 1834 and there’s a doctor in Ohio named John Cook Bennett and he’s convinced that tomatoes are good for you. So he starts writing all these articles about the health benefits of tomatoes and his articles go viral. This is just like wild. Something like 200 articles are all over American newspapers, and some of these articles even cross the Pacific Ocean and they’re reprinted in Australia. And some of the articles cross the Atlantic Ocean and they’re reprinted in England. And he’s making all of these health claims about tomatoes, and this is newsworthy because up to this point no one ever, of any authority, was saying that tomatoes are good for you. And so here’s a medical doctor saying, “y’all need to eat these tomatoes because they’re good stuff!”
Carey Parker: And they’re not poisonous, apparently.
Anthony Collette: And they’re not poisonous. Right. That was shocking and newsworthy. And so he’s got hundreds of articles appearing all over the country. So all this news about the health benefits of tomatoes makes really good press.
So then the good doctor, from what I understand, it was just sort of a casual acquaintance. He bumps into a guy who’s a supplement manufacturer and just casually says to this guy, you know, maybe you should make a tomato supplement, a pill with some tomato extract in it, maybe people would like that. But as far as we can tell, this doctor, Dr. Bennett never sold tomato pills or anything. He just makes this casual suggestion.
Well, the supplement manufacturer says, hey, that sounds like a good idea. And he goes off and makes an extract of tomato pill. And those tomato supplements take off like crazy. It’s like this national craze for tomato pills, and then all of a sudden, you’ve got these various tomato supplement manufacturers all over the country, and they’re all advertising tomato supplements in the newspapers. And this is such a crazy frenzy that a war breaks out between these various tomato manufacturers and they’re suing each other and writing negative letters to the editor about how the other manufacturer’s stuff doesn’t have the right thing in it. And there’s this big war.
Carey Parker: Oh, man.
Anthony Collette: And then they decide, well, this war isn’t good for us. And so by 1839, the war is over. But by this point, basically, every local newspaper is carrying multiple ads for different brands of tomato pills. Weirdly enough, tomato supplements became the ‘it’ product of that decade.
And so because consumers were exposed to all these stories about the health benefits of tomatoes, their perception of tomatoes starts to change. And they think, wow, tomatoes must be good for you if people are buying all these tomato supplements. Maybe we should try these tomatoes. And so sales of tomato seeds skyrocketed and people are starting growing their own tomatoes and eating them for breakfast, lunch and dinner.
And what’s interesting is that during this period, people’s perception of tomatoes was, it starts out as “it’s disgusting and poisonous and stinky.” And then their perception changes to that they’re “wholesome and healthy.”
In addition to that, the seeds being planted and people growing their own, all of a sudden, people had a lot of tomatoes. And if you’ve never cooked with tomatoes, what do you do with them? I mean, really, if your mom never cooked tomato sauce and you’ve never cooked tomato sauce and your neighbors don’t have a clue, what are you going to do with all those tomatoes? So there was this huge boom in cookbooks that had recipes about tomatoes.
So tomatoes became very, very popular and people even started making tomato jelly and tomato pie and tomato whiskey. And there was even tomato champagne for a while. So that’s just way crazy.
So the dynamic that’s interesting is in that period, as a consumer’s thinking around tomatoes was starting to change, they might have thought, “oh, you know, we should try those tomatoes sometime.” It was just kind of a fuzzy idea. But then someone placed a physical packet of tomato seeds in their hand, and then that physical product starts a conversation like, what do we do with these seeds? How deep do we plant them? How far apart? What kind of dirt do they like? Do they want a lot of sun or a little bit of sun? And then the thought turns into a conversation, and the conversation turns into a plan. And then they have a plan. So when the tomatoes show up, they’ve got to figure out what to do with them.
And then another physical product comes into their hand, which is the cookbook, which is going to solve their next problem, which is what to do with all the tomatoes.
So their experience with tomatoes goes from a fuzzy idea to a conversation to a plan, and that led to engagement. Not like engagement of mouse clicks, but real engagement, physical engagement in the real physical world.
And we think these dynamics map really well onto the present day landscape of information security issues among the general public, because from what we can tell, most people are either ambivalent or they’re sometimes irritated with it or they’re just not persuaded by the advice that they’ve received. But what this story tells us is that a massive change in consumer perception and behavior is possible. So this brings us to the idea that it’s those physical things that led to engagement and led to a change in behavior. And we think that’s one of the things we should try to help move the needle. Those physical products focus people’s attention. And that’s what we would like to do with these physical products we’re making for information security, to make things that are physical, that are colorful, that are attractive, that act as a catalyst to speed up the adoption of cybersecurity best practices. So that dynamic is possible today, and we think that’s the point of using physical information security products.
Carey Parker: Okay. So I mean, passwords today. I mean, it’s got to be the bane of our modern digital existence.
Anthony Collette: Oh, yeah.
Carey Parker: We all hate them. And it turns out we’re also pretty bad at creating good ones. Why do people insist on choosing such horrible passwords?
Anthony Collette: Wow. It’s something, isn’t it? You know, I think that dynamic for a lot of people is: they’re using the Internet. They’re on a website doing what they want to do, when they want to do it, and then they’re interrupted. So, number one, I think people don’t like to be interrupted. So they’re being interrupted and then they’re being asked to do something they don’t want to do. Which is: create another password.
Long before passwords started, we already knew about human behavior — two things. At least we knew humans don’t like to be interrupted, and we knew most humans don’t enjoy memorization tasks. And so we’re already — two strikes — because we interrupted someone, and then we’ve asked them to do something they don’t want to do, and then we’re asking them to memorize this thing they’ve made. And all of that just doesn’t work well with human behavior. You know, we understand humans enough to know that people don’t like that.
So to make it easier, people just default to using the same passwords over and over again on different sites, which is now a really bad idea. It was never a good idea, but now it’s even more troubling. How is it possible, if you have 100 online accounts, how can you make 100 strong passwords and memorize them all? You just can’t. It’s just not possible.
So it’s not a surprise that people have thrown their hands up and given up on this. I mean, we’ve asked people to do an impossible thing. And one way of looking at it is to say, we’ve asked people to do something that’s impossible. They’ve recognized it’s impossible. So in a way, they sort of passed the sanity test and they’ve said, heck no, this is not possible. I can’t do it. I throw my hands up and I give up. I think that’s one reason that people use bad passwords.
Carey Parker: Well, you also pointed me to an interesting article from The New York Times about something I never really considered honestly. That is the emotional or maybe psychological aspects to how people choose their passwords. Tell us a little bit more about what they found there.
Anthony Collette: Yeah, that was from the New York Times Magazine, they did a really excellent story and a video to go with it called The Secret Life of Passwords. And maybe we can provide links to your listeners in the show notes. I’m pretty sure that the article itself is behind a paywall, but the video that goes with it, there’s a short, cool video. I think it’s available to everybody. But this was something about passwords, I had no clue that people were imbuing their passwords with such emotion. Because people were using their passwords as a motivational mantra or a swipe at the boss or, like a hidden shrine to a lost love or an inside joke. It really, really surprised me that people were using passwords, sort of like a tattoo. That it was like a private thing that was sort of intimate and compact and expressive. And the article talked about a former prisoner who used their [prison] ID number as a password as a daily reminder not to go back and someone who lost a baby before it was born, and they included that as a password, as a way to keep the lost baby part of their life.
Carey Parker: Yeah, it’s fascinating.
Anthony Collette: Yeah, it’s ways to use passwords that never, never occurred to me that people would do that.
Carey Parker: And yet, after I read the article, I totally understood. It’s like, yeah, I’ve seen that before. When I’ve talked to people about their passwords and what they should be doing with passwords and they tell me their passwords. That’s why they picked their anniversary or their kids’ birthdays or their grandkids’ birthdays or. It’s not just, it’s easy to remember, but it actually has an emotional bond for them.
Anthony Collette: Right. An emotional bond. When I was reading some of that password research, there’s something called associative passwords that were quite a thing once upon a time. And that’s where you intentionally associate, you include something in your password to intentionally associate it to yourself or maybe to the website you’re using it on or to the industry that the website is a part of. And you’re adding this association to the password to make it easier for you to remember. Which made sense back when we were trying to memorize all of our passwords. I mean, we kind of avoid that now to the best we can. But yeah, it is interesting that people do add these things into their passwords either as a reminder to themselves or as a way to memorialize someone that they care about or someone they lost.
Carey Parker: So obviously at this point, we know or certainly I would hope my audience knows because I’ve been beating the drum for a long time, is that your passwords aren’t supposed to be guessable. Which means that everything we just talked about is anathema in terms of how you choose your passwords. So given all that, how should we be choosing our passwords? And then you talked about how we manage them all. How are we supposed to manage all these passwords?
Anthony Collette: Well, the way we look at it, the best thing for most people, the best thing for most consumers would be to use a DiceWare passphrase to lock their phones, their tablets, their desktop computers, and then the password you use for every site, those are best to be in a password manager of some type.
So some people use the password managers that are built into their browsers, that’s very popular. Some people use password managers that are standalone and separate applications and certainly the standalone password manager applications that are built just for that, the consumer is certainly going to get more flexibility, more features. They’re going to be able to use them across different operating systems, in different endpoints. So a password manager that’s built to be a password manager is going to give the consumer more options. But it may be that the password manager that’s built into their browser may be easier to use.
So the point is, if someone’s willing to lock their phone or their computer when they walk away from it and use a password manager, all of a sudden that means 95% of the pain of passwords disappears. Because if you’re using a password manager, you’re free from the chore of thinking up passwords, you don’t have to think them up anymore. You’re free from the burden of memorizing them. You don’t have to worry about forgetting them. You don’t have the bother of typing them, and you’re free from the hassle of frequently resetting passwords that you’ve forgotten. So all of a sudden that combination of two things, using a password manager and locking your devices, that makes 95% of the pain of passwords go away. And that’s available right now, today. We don’t have to wait for some distant passwordless future to get here.
Carey Parker: Right.
Anthony Collette: This is available now.
Carey Parker: Right.
Anthony Collette: I wasn’t that familiar with using a password manager because, like a lot of people, when people kept telling me to use one, it sort of felt like an imposition. It’s like you’re giving me one more thing I have to do. I’m already busy. Why are you asking me to do something else? So it took a while for me to get around to trying one. And then when I tried it, it was just so good. It was startling. It was like, wow, this is awesome.
Carey Parker: Yeah. Oh, yeah. Makes a huge difference.
Anthony Collette: Huge, huge difference. And so that’s what we think, looking at the present landscape, that’s what we think most people should do is just don’t worry about memorizing. You don’t even have to memorize your passwords anymore. Really, you don’t even have to know what they are if you don’t want to. There’s options all along the spectrum. There’s all these different approaches you can take. It’s totally cool to write down and securely store some passwords if that’s what you want to do. But using a password manager is just awesome. It’s this super-effective, elegant solution to a big, gnarly problem.
Carey Parker: So you mentioned at the beginning, though, even with the password manager, you need to at least know and memorize one password. And that is the password manager vault password. So what’s your recommendation for coming up with a secure way of generating the vault password?
Anthony Collette: Sure. So that would be depending on how you’re doing things. You have, however you unlock your computer, and then for the passphrase to unlock your vault manager or your password manager should be something [a passphrase] between four and six words. And those words should be chosen randomly. And we think DiceWare is a great way to do this.
DiceWare is an awesome technology. It’s been around for 20 something years, 25 plus years. It’s evolved a little bit over the years. But basically you just roll these standard dice, five of them, and you come up with these five-digit numbers and you look them up in the DiceWare book and you use this really super-simple method to choose these 4 to 6 random words. And the point is the words should be chosen at random. And then you get this interesting phrase of words and you use that to unlock your password manager. For the folks who are using, let’s say a Chromebook, this DiceWare passphrase would be their password for their Google account. So you unlock your Chromebook with one passphrase and that is how you manage the built-in password manager there. If that’s your approach, if you’re using a Chromebook, which is really quite popular now. So that’s what we think is the best way to come up with a passphrase that you can then [use to] unlock your devices.
Carey Parker: All right. Well, you mentioned a little bit ago about changing your passwords periodically. And this has been something subject to debate for some years. And there was a famous story of a guy, I think it was at NIST, of the U.S. government, who I think kind of without thinking about it much threw this into the NIST guidelines for passwords, that became something of a legend for many years because now everybody says, Oh, it’s right there, we must do it. And then I think even he years later, he basically recanted and said, you know, I was dumb, I didn’t need to do that. But there are, and we talked about this a little bit. There are cases where you might want to consider that. So talk to us a little bit about what is the real strategy around whether or not I should be changing passwords and if so, how often?
Anthony Collette: Well, yeah, most people, we change our underwear every day. But you wouldn’t want to change your passwords every day. Right? So when do you change your passwords? I think the advice is mostly coalescing around the idea that you really don’t want to change your passwords unless there’s a good reason to change them. In the past, especially in corporate settings, we were forcing people to change passwords. Well, that was also very irritating because you’re doing something, you’re doing your job, and then you’re being interrupted and forced to make a new password. And so it was really common for people to make a tiny little change that really didn’t improve security at all. They might increment, they might put a 1 at the end of their password. And then when they’re asked to change it, they might change it to 2.
Carey Parker: Right.
Anthony Collette: They might increment up something like that. And these things just didn’t increase security, forcing these password changes on people. And so now I think the best advice we’re getting is that you should change your passwords when there’s a real reason to change them. I mean, if you decide you simply want to change your password, that’s fine. As long as you end up with a really strong password at the end, that’s fine. But when should you change them? Really, if you notice that a website is publicly letting the world know that there’s been a problem there, there’s been a breach of some kind. When that website gives an all clear one way or another, then you could go in and change your password. If you think someone has simply become aware of a password or you’ve left a password around or something, you notice something in particular that you think, Ah, one certain password has been compromised. Of course, change it. But yeah, I think the best advice we’re getting now is that forcing people to change their passwords didn’t do us much good and it’s really not very helpful. I can think of at least one information security expert who recently recommended, even though it’s kind of a pain, maybe we should change our passwords once a year just in case there’s been a breach that hasn’t been reported and we don’t know about yet.
Carey Parker: Right.
Anthony Collette: So that could provide some usefulness. But yeah, I think changing passwords is not something we should do very often.
Carey Parker: All right. Well, another common security topic and one that you and I have discussed a little bit in email in preparation for this was the notion of end to end encryption. And it’s still the gold standard today for private and secure communications. Computers do a lot of fancy stuff under the covers today using public key crypto and, you know, lots of fancy algorithms to keep our messages secret, which is great. But in talking about this, it turns out that there’s a really, really old technique, like pre-computer technique, that in many ways is superior to what we’re using now. And its history is absolutely fascinating. So if you would, please regale us with yet another story. What are we talking about here? And what’s the history?
Anthony Collette: Okay, so we’re talking about One-Time Pads. When you suggested talking about this, I was pretty excited about it because I think this is like this huge pile of information. And it’s so odd and it has such strange twists and turns. It’s such an interesting pile of stuff that’s great for storytelling. I’m not a great storyteller, but in any event, it’s a great pile of material. And I think maybe we’ve missed some opportunities to flesh it out a little bit and get a little more context to it.
But I’ll start this out by saying maybe we can just briefly touch on a couple of concepts and then just dive into the historical part of it.
But what if there was some friendly space alien that shows up and, you know, he’s friendly and, we’re talking to him about what life is like here on Earth and he’s telling us what life is like on his planet. And that’s great. And we mentioned music and he says, “What’s music? We don’t have that.” So, I mean, how would you explain what music is to someone? I mean, what is it? Is it just a bunch of notes that go up and down or last longer and shorter? I mean, what is music and how does it show up in the world? So, music shows up in a lot of different ways. You could be singing in the shower. It can be a jazz quartet, symphony performance, it can be fleeting. It could come into existence quickly and blink out of existence, or it could be more permanent, like sheet music or a CD. So a single concept can show up in the world in many different forms. And that was the first thing I wanted to mention.
And the second thing is what’s going on in the world of computer science? What’s the latest cutting edge work? And a lot of computer scientists are working on quantum computing. I’m no expert on quantum computing, but it’s an entirely different way to make computers work. And these new quantum computers can do all of these computations that we couldn’t do previously with the kind of computers we have now. And one concern about that is that these new quantum computers may obsolete some of our security technology that’s in place today.
And that’s a real concern to people and so I saw this article recently by two computer scientists who are working on quantum research, and they start their article off by saying, we’re working on the cutting edge of the new thing. But we want to mention that 140 years ago, someone invented a piece of technology that is still the best at what it does today. And I thought, wow, that’s really trippy. And also the concern is that as we move into this quantum computing future, One-Time Pads may have some new relevance because what the One-Time Pad does is not obsoleted by quantum computing. So One-Time Pads might have some new relevance in this new world that’s coming.
Carey Parker: We’ve said it multiple times now. What, just at least at a high level, what’s a One-Time Pad?
Anthony Collette: A One-Time Pad is something you add to and subtract from a message. If you look online, you’ll see a lot of information about One-Time Pads and it seems kind of convoluted and complicated and it is really sort of like you might think, well, that’s just too strange. I don’t want to do that.
But as the One-Time Pad was originally invented the first time, 140 years ago, it was much, much simpler and far more efficient than what you see online. The information you’ll see online now will tell you what’s been updated in the past couple of decades, that there was a guy named Frank Miller, who was a California banker and he invented the One-Time Pad. Well, that’s nice, but it doesn’t really give you much context about who he was or what he did. So I can tell you a little story about him and the context of where he was and who he was and what he was doing. And then we can dive into what One-Time Pads did for people in his professional life, especially because he was a banker.
Carey Parker: Yeah. All right, let’s do it.
Anthony Collette: If you wind back the clock to 1848. So it’s January in 1848. And we’re in California and there’s a guy and he’s building a sawmill, a lumber mill for someone on a piece of land in California and the lumber mill is using a river to power it.
And while he’s walking around, one day he notices some shiny stuff on the ground and he picks it up and he says, Huh, well, this is shiny. This might be gold. Well, it could also not be gold. So he and the owner of the land test it and oh, my gosh, this is gold. What’s the deal? Well, that’s the start of the California Gold Rush. And eventually they’re going to extract billions of dollars of gold from the land and from off the surface of the land and also from mining. So hundreds of thousands of people descend on California.
And there’s one guy in New York who’s a banker, a young guy, and he says, I don’t think I want to be a miner, but I want to sell stuff to miners. So he opens a mercantile or a general store. He leaves New York, travels to California, starts selling all this stuff to any scruffy, would-be miner that shows up. And then the successful miners are saying, hey, I’ve got a problem. I’m finding gold. What do I do with it? You can only put so much gold in your pockets. So this mercantile fellow starts providing gold storage services to these miners and other financial services. And all of a sudden, this becomes so successful, he turns his mercantile into a bank. And the bank becomes one of the largest in Sacramento. And Frank Miller, the guy who invents the One-Time Pad, Frank Miller’s father is a senior officer of this bank.
So young Frank Miller, the guy who invents the One-Time Pad, he goes off to Yale for a year. He enters the military. He’s involved in military intelligence. He’s involved in the investigation of the assassination of Abraham Lincoln. And then eventually he finishes up his military obligation and he comes home to his family in Sacramento. And he joins his dad there at the D. O. Mills Bank as a junior bank officer. So now we’re up to 1866.
So there he is, our newly minted junior bank officer. And what is he using to conduct business on a day-to-day basis? He’s using something called telegraphic codes. So it’s really not possible to understand the One-Time Pad and how it was first invented unless you have a little bit of a familiarity with these telegraph codes. Because when Frank Miller invented the One-Time Pad, he invented it to be used only with a telegraphic code. Everything else you see on the Internet is not what Frank Miller ever intended.
So there’s a really great fellow named Steven Bellovin from Columbia University. He’s written pretty much the definitive article about telegraph codes, and we can probably give a link to that. So this is a huge part of our information security history that we’ve forgotten. For over 100 years these codes were in use for like 180 years. But their heyday was about 100 years between the 1840s and the 1940s. So these telegraphic code books were everywhere. They were ubiquitous. Every business used them. If you were in live theater, you had a version of a telegraphic code for that. If you were a plumbing manufacturer, you had codes for that. If you were a law firm, you had a law firm telegraphic code. Newspaper reporters had their own telegraphic codes. Every industry had its own telegraphic code and everybody used it. And that’s how people communicated over the Internet of their day, which was the Telegraph.
So they used these telegraphic codes which were everywhere to lower the cost and then to secure the contents of their messages, because people were really concerned that they were sending these messages over the telegraph, but you couldn’t secure them. And the knowledge of how to use these telegraph codes was everywhere. This was just part of normal life, and new telegraph codes were reviewed in the regular newspapers, and telegraph codes were so familiar to people, ordinary people used them as after-dinner entertainment with their guests. So, I mean, how familiar do you have to be with a technology before you start using it to get some laughs and to have fun with it?
So this was a normal part of everyday life, but it’s sort of forgotten. It’s like we had this collective amnesia about them, right?
So if we go back to our newly minted junior bank officer, Frank Miller, at his bank, which is storing gold and conducting business as a regular bank and is a very big successful bank. So he would have used these telegraph codes every day in his business because you’re a bank, right? You’re sending payment instructions over the telegraph, you’re conducting business over the telegraph, and you want to do that in a secure way. Frank Miller, he invented this customized telegraph code for the banking industry. And then he said, I’m going to add an extra layer of security on top, which was the One-Time Pad. So this idea of adding something to the telegraph code wasn’t new, but that idea had some weaknesses. But Frank Miller looked at those weaknesses and he found a way to overcome them. It was just a flash of inspiration.
So what he said was, all right, when we send a telegraph message, we’re going to add something to the codes that we transmit over the telegraph. If what we add is completely random and we only use it once and never use it again, that’s going to give us some extremely strong security.
I don’t think he ever said I’ve just invented the world’s one and only completely secure means of communication. I don’t think he ever said that. He knew what he had created was extremely strong. And when the New York Tribune reviewed it, they said, this is the strongest telegraph code we’ve ever seen. So people recognized that it was something unique and something special.
But what he was after was a telegraph code and security system that any bank could use to conduct business with any other bank. And that’s what he created. Because the Wells Fargo banks had their own system that they used and the Chase Banks had their own internal systems. But he created a system that any independent bank could use to communicate with any other bank. And then he added this One-Time Pad on top of it. And he got more than he bargained for because he invented what is proven to be the only completely secure means of communication.
Carey Parker: All right. So let me stop you there, just back up a little bit. So picture a series of characters like, characters in a word or whatever that you might be typing onto the telegraph or codes, as you call them. And what this guy did is, if I wanted to transmit, let’s say, 100 codes, 100 characters, he creates this random other set of 100 characters and kind of adds them together so that it disguises the outgoing characters. And then if the other end of that conversation has the pad, they get the characters that it is using to transform them. It can reverse the process at the other side to get the original characters back. Is that about right?
Anthony Collette: Right. So in his day, what he would have done is he would have used a bunch of five digit numbers. And each five digit number, which is a telegraph code, relates to some content in a code book. And so he would have made a message with a bunch of five digit numbers, which is going to look like a bunch of zip codes. That’s exactly what it’s going to look like, just a bunch of zip codes. And then he’s going to take a page from a book, a page from a One-Time Pad book that’s also going to be five digit numbers. And he’s going to add those numbers to the original numbers, like the top row is this row of first row, those zip code numbers. They’re not zip codes, but they look like zip codes. And then he’s going to add those numbers to those numbers, but it’s going to be addition without carrying. And on the receiving end, it’s going to be subtraction without borrowing, which sounds odd, but it works out to be simpler math than what you learned in the fourth grade.
Carey Parker: Right.
Anthony Collette: It is profoundly simple, which is kind of funny when you think that modern encryption uses this outrageously complex math to do what it does, which is pretty awesome. But the kind of math you need for a One-Time Pad is profoundly simple. [Note: In his day, Frank Miller used modulo 14,000 arithmetic, because his codebook contained 14,000 entries. But over the past 100 years, users of One-Time Pads have employed modulo 10 math, which is extremely simple.]
Carey Parker: So another way to look at that would be, so if you had these numbers, let’s say you’ve got like a padlock and a padlock has a rotating padlock where you dial in the numbers by turning the dials and they go 0-9. And so you put the five numbers that you want to transmit, and then you rotate each of those dials by the other number, the number from the One-Time Pad. So what you’re saying for the not borrowing and not carrying means it rolls over. So if you take a nine and you add two to it, it goes to zero, and then to one it rolls over, right? And that technique, when you undo it, gets you back the original number. So if you subtract two from one, in that case, it gets you back to nine. Right?
Anthony Collette: Right. So you’re going to be using the same numbers or just going to add without carrying and subtract without borrowing. And at first, it seems odd, but it’s really simple to do. So yeah. That’s how that works. You know, there’s been over time, maybe in the past ten years that I’ve been looking into these things, there’s been a lot of stuff on the Internet that will talk about One-Time Pads, but it really gives you this wrong impression. There’s all this stuff about all these convoluted things you have to do. And that’s really not how it was when the One-Time Pad was originally invented.
And one of the things that comes up if you read much stuff online is that they talk about, well, the One-Time Pad is really great, but it’s terribly inefficient. And that’s why you won’t want to use it today and that’s why people might not want to use it today. But the truth is that as it was originally invented the first time and the third time, because there were different inventions of the One-Time Pad — as it was originally invented the first time, the use of the One-Time Pad could be outrageously efficient. And that’s not well known because people aren’t familiar enough with telegraph codes to know how the One-Time Pad was used with them.
So efficiency is a really important topic because, if you go shopping for a car and you’re in a dealership and a salesperson says, Well, this model gets 25 miles per gallon, and this one over here gets 32 miles per gallon. And there’s this other model over here. It’s really pretty, but it only gets three miles per gallon. Well, gas in some places costs five bucks a gallon now. Right? So you dismiss that car, right? Right out of the gate because it’s just too inefficient.
Carey Parker: So why aren’t One-Time Pads used more today?
Anthony Collette: I think this is one of the reasons, because we’ve been told over and over again that the One-Time Pad is always inefficient. So why would you want it? You wouldn’t want to use that any more than you want to buy a car that only got three miles to the gallon. But as Frank Miller originally invented the One-Time Pad, you could take five characters from a One-Time Pad, and that would encrypt 233 words or 1,363 characters from the codebook. And that’s an example of how efficient the use of a One-Time Pad could be when it was used with a codebook as it was originally intended. And that efficiency was possible based on how the code book was constructed, the information architecture of the codebook. So the point is we’ve misunderstood how efficient the One-Time Pad could be if it was used the way it was originally meant to be used. [Note: As far as I’m aware, this is the first time this has been discussed publicly.]
Carey Parker: All right. So. All right. Looking back, what do all these stories and they’re fascinating stories, but what do they tell us about our modern approaches to security, privacy and, you know, maybe technology in general? How do we take what we’ve learned here and use it to improve our lives going forward?
Anthony Collette: Well, there’s a lot to be learned from the history of what happened and what went down. And that can be useful for us. It can also be encouraging, like the story about consumer behavior around tomatoes and how consumers can change their thinking and then change their behavior. That should be really encouraging to us. That if we craft the right message and explain these issues the right way, people’s perceptions can change and so can their behavior. And that’s encouraging, I think.
Also, from our perspective, Trever and I are working on our business, Loistava, we believe that physical information security products can really move the needle. That we can create fun, colorful, interesting products, one of them is CASTALOT™ Dice, that’s a product we’ve created. These products, when they are placed in people’s hands and people use them, it focuses their attention and helps them adopt cybersecurity best practices quicker. We believe there are many opportunities to do that, and we’re just beginning to create products that help ordinary folks understand cybersecurity issues. And these products also act as a bridge between technical people and the general public to help them connect better.
We also want to create some physical products that help people become aware of the possibility that information security might be a career path they might want to consider. And we’re also looking into products that might help people secure the content of their messaging. So this is what we think we can learn from history and from what these other industries and the history of other industries have to offer.
Carey Parker: So I should have asked in the beginning, but where did you get the name Loistava? I know it’s got a background, but why don’t you explain where you got that from. And then tell us a little bit more about this CASTALOT™ Dice. What do people do with this product? What does it help them do?
Anthony Collette: Loistava is a Finnish word. I used to live in Finland and Loistava means brilliant or shiny, and those are the kind of products we want to make. Products that are shiny or attractive, I guess is another way to say it. Products that attract people’s attention, that they’re fun to use. And that’s what Loistava means.
Carey Parker: And so tell us how CASTALOT™ Dice works. Like, what is it? What does this product look like? How do I use it? What is it? What is it good for?
Anthony Collette: So CASTALOT™ Dice is a set of 14 large, specially designed dice. There are four uppercase letters [dice], four lowercase letters [dice], four numbers [dice] and two special characters, two special character dice. So when you roll these 14 large dice together, you get a 14-character, extremely strong password. And we wanted to do this to show people physically what it means to create a strong password. We think these kinds of passwords are some of the strongest you can make. That’s what CASTALOT™ Dice does. There are people who learn by hearing. And there are people who learn better by doing. And this is one way to encourage people to try something new and to think about it in a different way.
Carey Parker: So how can we get a hold of some of these dice? When will it be available and how do we get one?
Anthony Collette: Right! We’re in the early stage of a crowdfunding [pre-]campaign. Probably by late summer, our crowdfunding campaign will start and people will be able to back the campaign and get their own set of CASTALOT™ Dice.
Carey Parker: Very, very cool when that comes around, make sure you let me know when that is. And I’ll be sure to tell the audience about it.
Anthony Collette: Cool. I’ll do it.
Carey Parker: Well, Anthony, thank you so much for coming on the show and telling us those really, really interesting stories. It’s great to get that kind of historical perspective. It’s not something that we often do, and I really enjoyed that.
Anthony Collette: Well, thanks so much for having me. I really appreciate it.
Carey Parker: Wasn’t that fun? That was just really fascinating. I love those stories and all the history behind some of these things, and it’s just amazing to think, some of the stuff goes back to the mid 1800s and who remembered or knew that things like telegraph codes were so common that people would talk about them as a conversation piece over dinner?
So the CASTALOT™ Dice that he referred to is this product that they’re coming out with that will help people create really strong passwords. It’s not ready yet, so you’ve got to kind of pay attention to that. There is a link in the show notes. I recommend that you check that out if you want to see what the latest is on that and keep an eye on that project. It will be going into some sort of a Kickstarter campaign or something like that this summer where you can kind of put your order in to get yourself a set of these dice.
But in the meantime, if you want to kind of get a feel for what he means about generating passphrases, I created a site called d20key.com where you can use d20 dice, hence the name. That’s a 20-sided dice used in Dungeons and Dragons to generate passphrases. So it’s a similar concept, that’s just a different angle. So if you want to kind of get a flavor for what these things are, what a DiceWare passphrase looks like, check that page out. And there’s also some historical stuff there too. So while you’re waiting for your CASTALOT™ Dice, you might want to give that a look just to familiarize yourself with what it means to generate a passphrase randomly.
Anthony was kind enough to stay on for a little bit of bonus content, so my Patrons will be getting that in their special private podcast on Thursday. We talked a little bit about some really cool internal NSA training documents on secure communications that were brought to light, not really through a Freedom of Information Act, but something kind of similar to that.
And another product that he likes is called DFLEKT [Keyless Entry Protection, a beautiful information security product used to store key fobs and cellphones] and it’s spelled D-F-L-E-K-T, which is a Faraday cage. We’ll talk a little bit about that. But if you want to check that out, there’s a link in the show notes to that as well.
All right. So the Patron promotion with the super-cool Dragon Challenge Coins will be going on for another three weeks or so. Go to firewallsdontstopdragons.com or look in the show notes for a link to all the information about that. And we will be back to a new show next week.
And until then, everybody stay safe out there and don’t get caught with your drawbridge down.
- Anthony Collette: https://www.linkedin.com/in/tonycollette/
- Loistava Information Security website: www.LositavaInfoSecurity.com
- CASTALOT™ Dice Landing Page: https://www.castalotdice.com?utm_source=dragons1
- The History of Tomatoes in America: https://www.amazon.com/Tomato-America-History-Culture-Cookery/dp/1570030006/
- NY Times, Secret Life of Passwords: https://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html
- A Look at Telegraph Codes (Steven Bellovin): https://www.cs.columbia.edu/~smb/papers/codebooks.pdf
- DFLEKT Keyless Entry Protection: https://www.duku.co.uk/dflekt
- Get your Dragon Challenge Coin!! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/
- Generate secure passphrases! https://d20key.com/#/
- Amulet of Entropy teaser: https://twitter.com/HackerBoxes/status/1523318662807298051?s=20&t=dwQFy7ieRMGjRCqgAR7btQ
- A History of U.S. Communications Security (Volumes I and II); the David G. Boak Lectures, National Security Agency (NSA), 1973: https://www.governmentattic.org/18docs/Hist_US_COMSEC_Boak_NSA_1973u.pdf
- An Excellent Overview of the History of One-Time Pads, by Dirk Rijmenants: https://www.ciphermachinesandcryptology.com/en/onetimepad.htm
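The “addition without carrying, subtraction without borrowing” that Anthony and Carey walk through in the episode, together with the modulo-14,000 arithmetic the bracketed note attributes to Frank Miller’s 14,000-entry codebook, worked through as an added Python example. This is not code from the episode, from Loistava, or from any of the linked sources. The five-digit code groups and pad values are constructed here, no real codebook is reproduced, and `secrets.randbelow` stands in for whatever physical randomness a pad maker would actually use. The last function goes one step past the conversation and shows why the pad must be used only once.

```python
"""One-Time Pad arithmetic on five-digit, telegraph-style code groups.

Two variants:
  * digit-wise modulo 10 ("add without carrying, subtract without borrowing"),
    the form most twentieth-century pad users worked with;
  * group-wise modulo 14,000, the arithmetic the episode attributes to
    Frank Miller's 14,000-entry banking codebook.

Everything here is a constructed illustration. No real codebook is
reproduced; secrets.randbelow stands in for the physical randomness a
pad maker would use.
"""
import secrets

GROUP_DIGITS = 5
MILLER_MODULUS = 14_000  # number of codebook entries, per the episode


def _check_digits(a: str, b: str) -> None:
    if len(a) != len(b) or not (a.isdigit() and b.isdigit()):
        raise ValueError("operands must be equal-length strings of digits")


def add_no_carry(code: str, key: str) -> str:
    """Digit-wise addition mod 10: 9 + 2 -> 1, nothing carries to the left."""
    _check_digits(code, key)
    return "".join(str((int(c) + int(k)) % 10) for c, k in zip(code, key))


def sub_no_borrow(cipher: str, key: str) -> str:
    """Digit-wise subtraction mod 10: 1 - 2 -> 9, nothing borrows from the left."""
    _check_digits(cipher, key)
    return "".join(str((int(c) - int(k)) % 10) for c, k in zip(cipher, key))


def generate_digit_pad(groups: int) -> list[str]:
    """Fresh five-digit pad groups, each uniform over 00000..99999."""
    return [f"{secrets.randbelow(10 ** GROUP_DIGITS):0{GROUP_DIGITS}d}" for _ in range(groups)]


def encrypt_digit_groups(code_groups: list[str], pad: list[str]) -> list[str]:
    """Combine each code group with its own pad group. The pad must not be
    shorter than the message: stretching it means reuse, and pad_reuse_leak()
    below shows what reuse gives away."""
    if len(pad) < len(code_groups):
        raise ValueError("pad too short; never stretch or reuse pad material")
    return [add_no_carry(c, k) for c, k in zip(code_groups, pad)]


def decrypt_digit_groups(cipher_groups: list[str], pad: list[str]) -> list[str]:
    if len(pad) < len(cipher_groups):
        raise ValueError("pad too short")
    return [sub_no_borrow(c, k) for c, k in zip(cipher_groups, pad)]


def encrypt_groups(code_groups: list[int], pad: list[int], modulus: int = MILLER_MODULUS) -> list[int]:
    """Group-wise variant: each codebook index is shifted by its pad value mod `modulus`.
    With modulus=14_000 this is the arithmetic the episode describes for Miller's code."""
    if len(pad) < len(code_groups):
        raise ValueError("pad too short; never stretch or reuse pad material")
    if not all(0 <= g < modulus for g in code_groups + pad):
        raise ValueError("every code and pad value must lie in [0, modulus)")
    return [(c + k) % modulus for c, k in zip(code_groups, pad)]


def decrypt_groups(cipher_groups: list[int], pad: list[int], modulus: int = MILLER_MODULUS) -> list[int]:
    if len(pad) < len(cipher_groups):
        raise ValueError("pad too short")
    return [(c - k) % modulus for c, k in zip(cipher_groups, pad)]


def pad_reuse_leak(code1: str, code2: str, shared_key: str) -> tuple[str, str]:
    """Why it is ONE-time: if two groups are sent under the same key, an
    eavesdropper who subtracts the two ciphertexts gets exactly the
    difference of the two plaintexts. Returns (cipher difference, plaintext
    difference); they are always equal, and the key has dropped out."""
    c1 = add_no_carry(code1, shared_key)
    c2 = add_no_carry(code2, shared_key)
    return sub_no_borrow(c1, c2), sub_no_borrow(code1, code2)


if __name__ == "__main__":
    # Constructed codebook groups standing in for phrases like "REMIT BY WIRE";
    # they look like ZIP codes, as Anthony says, but are codebook indices.
    message = ["04102", "19999", "00007"]
    pad = generate_digit_pad(len(message))
    cipher = encrypt_digit_groups(message, pad)
    assert decrypt_digit_groups(cipher, pad) == message
    print("plain ", message)
    print("pad   ", pad)
    print("cipher", cipher)
    print("reuse leak (cipher diff, plain diff):", pad_reuse_leak("12345", "54321", "77777"))
```

The two arithmetic variants are the same idea at different granularity: mod 10 per digit treats each of the five positions as Carey’s independent rotating dial, while mod 14,000 per group treats the whole codebook index as one dial with 14,000 positions. Both inherit the one-time requirement; `pad_reuse_leak` is the simplest way to see that a reused key cancels out of the difference of two ciphertexts.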