ShmooCon 2011: A paranoid schizophrenia-based model of data security

News
Jan 28, 2011 | 4 mins
Data and Information Security

Some of you know that when I’m not writing about security in my day job, I write a personal blog during my free time called THE OCD DIARIES, where the focus is on my struggle with Obsessive-compulsive Disorder.

While I’ve mentioned my work in that blog from time to time, I never mention it here. That’s with good reason. It is a personal pursuit, after all. Discussing one’s personal blog from his company’s pulpit would rightfully be seen as shameless promotion of something that doesn’t serve our customers.

Something’s different this time.

This is one of those rarest of occasions where bringing it up here serves a larger point for the security industry. Many of the security professionals I deal with read that other blog, and we often talk about the things they relate to.

So here we are at ShmooCon, a security conference in the nation’s capital, and the first speaker of the afternoon, Marsh Ray, uses the fragile mental condition as the basis of a talk called “A paranoid schizophrenia-based model of data security.”

I’ll be honest. I wasn’t planning to write about this one. I had my eye on other items further down the agenda that I thought would make for more interesting stories later.

But he got my attention as he described working in a psychiatric hospital some 20 years ago.

He told the story of Keith, a fellow who usually sat on the park bench strumming his guitar for spare change.

“Sometimes I would take a break from reading microprocessor manuals and listen,” Ray recalls in his talk description. “Keith had paranoid schizophrenia. He could explain how the world worked: ‘There is a great international conspiracy…’ he would say. Electromagnetic fields, government satellites, resonant dinner plates, you name it: he had it all figured out. This was back in the days of the 80386, when the CPU had only four levels of indirection in its addressing architecture. But something about the way he explained his world caused it to stick with me all this time.”

Ray noted how Keith couldn’t trust the conflicting information coming from different parts of the brain. He knew he was vulnerable and spent much time and energy thinking about it.

“Does this not also describe our current relationship with data security?” Ray asked. “Our architectures have become so complex that they are inherently susceptible to internal schism, leaving us vulnerable to sudden manipulation by shadowy external forces.”

This statement really blows me away. Here he is, talking about how the internal schism of modern technology leads to vulnerabilities that, if exploited, can make the technology malfunction in destructive ways.

Just like a human brain that’s weighed down by internal schism. The vulnerabilities become so overwhelming that it doesn’t take much for the challenges of life to exploit them, pounding the sufferer into a state of illness.

Ray noted that many of the things Keith predicted have come to pass. For example:

–Radio transmissions being monitored by satellite

–Underground markets emerging for the purpose of trading information

Look at your Android or iPhone. Look at the Internet in general. Someone many would call crazy was able to piece it together.

Fast-forward to the present, where security is often seen as a craft of paranoia. It makes sense. We spend all our time thinking about how technological disruption can lead to the ultimate calamities.

Somewhere in that paranoia, there’s a good possibility that people will come up with vital countermeasures to the problems that haunt us.

We have our firewalls, our intrusion detection systems, our penetration-testing tools. What kinds of tools can a paranoid schizophrenia-based data security model bring us?

It’s fascinating to think about.

You know it’s a good talk when the presenter can make security practitioners think deep and wide about their craft while busting down the stigma of mental illness at the same time.

You have my thanks, Marsh.

–Bill Brenner