Cybersecurity Magic: Parallel Structures of Design by Hackers and Magicians
Total Page:16
File Type:pdf, Size:1020Kb
Cybersecurity Magic: Parallel Structures of Design by Hackers and Magicians Samuel Sagan Honors Thesis Science, Technology, and Society Program Stanford University May 12, 2018 Advisor: John Willinsky, May 2018 STS Honors Program Director: Kyoko Sato Kyoko Sato, May 2018 1 Abstract Almost half of the American public has been a victim of a major cyber-hacking incident and cyber-crime now tops the Gallup Poll’s list as the crime Americans worry about the most. (Pagliery 2014; Riffkin 2017) Yet for many Americans, their vulnerability to hacking seems mysterious. How can so much cyber-crime occur when so many technical efforts are devoted to preventing it? One possible answer to this question might be that cyber-hackers take advantage of common human psychological traits that make us all vulnerable to deception and misdirection. The ability to take advantage of such human vulnerabilities is part of the art of deception in many realms, such as espionage, warfare, politics, theatre, and especially in performance magic. What are the similarities and differences between the process used by cyber-criminals to design their hacking attacks and the process used by magicians to design their magic tricks? I investigated these connections by collecting primary sources and interviewing a small number of magicians, “white hat hackers,” and individuals from the national security intelligence community to discover how they design their activities to take advantage of individuals’ common human vulnerabilities and new technology vulnerabilities. I present multiple case studies and then compare specific magic tricks with specific cybersecurity exploits, demonstrating how the design processes used by hackers have inherent structural similarities to those used by magicians. Furthermore, this research demonstrates the value in demystifying the design processes of hackers and magicians to produce better cybersecurity. 2 Table of Contents Introduction............................................................................................................4 Chapter 1: Literature Review................................................................................15 Chapter 2: Research Methodology........................................................................31 Chapter 3: Magicians and Hackers: Applying the Frameworks...........................38 Chapter 4: Conclusion...........................................................................................53 3 Introduction Three years ago, I noticed that my professor, Herb Lin, had “poor magician” listed as an avocational skill in his biography on CISAC’s (Center for International Security and Cooperation) website. Having performed as a magician for close to a decade, I decided to attend Professor Lin’s office hours to discuss this hobby of his. After we met to discuss our mutual interests in Magic and Technology, Professor Lin proposed that we conduct a research project comparing methods between hackers and magicians. Together, we designed a performance/lecture in which I would perform a magic trick and then Professor Lin and I would discuss relevant cybersecurity issues regarding the methodology or principles behind the trick that I had just performed. This lecture was conducted multiple times for professors, students, Congressional staffers, and reporters. Below is a link to the first performance: https://www.youtube.com/watch?v=zqgpaiK1xh8 Once I decided that I was conducting a Science, Technology, and Society Honors thesis, I looked into the underlying motivations and discoveries of this initial project to see whether there was further analysis to make. The project with Herb Lin simply compared similar methods used between cybersecurity individuals and magicians. After closer analysis, I realized that these similarities were not just coincidental, and that it’s possible that cybersecurity individuals and magicians actually use strikingly parallel structures when designing their exploits. Questions and Roadmap Through the previous project with Herb Lin, we know that magicians and hackers use similar methods of distraction and misdirection to conduct their exploits. However, how far does this correlation go? To what extent can inherent structural parallels be demonstrated between the 4 development and execution of cybersecurity and magic exploits? Is the relationship simply analogous or do the parallels with magic help uncover the thinking behind the methods of cyber- crime? Through the past iteration of this project and the conclusions drawn from this thesis, I have discovered that the design and ideation process behind magic tricks and cybersecurity exploits share intrinsic parallel structures. This initial conception of this thesis was informed by Barton Whaley’s 1982 article in the Journal of Strategic Studies, titled “Towards a General Theory of Deception.” In this journal article, Whaley compares magicians to military planners, but claims that the theory developed through this comparison could be applied to “diplomats, counter-espionage officers, politicians, businessmen, con artists, charlatans, hoaxers, practical jokers, poker players, gambling cheats, football quarterbacks, fencers, actors, artists, mystery story writers, or you or I in our everyday lives” (Whaley, 1982). Whaley does not include hackers or cybersecurity professionals, because these fields were in their infancy in 1982. In this thesis, I will both extend and test some of his theoretical ideas by applying his theories to the modern worlds of hacking and cybersecurity. Whaley writes that “all modern magicians recognize that magic is applied psychology” (Whaley, 1982). Cyber-hackers and scholars analyzing any field of deception should recognize that cybersecurity is often applied psychology as well. Whaley provides a quote from a magician: “David Devant’s motto: Give me a good "effect" and I'll find a way to do it” (Whaley, 1982, 190). This thesis is informed by this motto, as aim to discover whether the “way to do it” is a consistent between magicians and hackers. Magicians and hackers use similar methodology to design their exploits. However, are these similarities surface level, or are there inherent structural similarities between the design of a magic trick and a hack? This thesis aims to answer that question through analysis of existing 5 literature on magic, cybersecurity, and deceptive warfare and analysis of primary sources regarding the design process of particular magic tricks or cybersecurity exploits. Through my research, I have discovered similarities and parallels between magic and hacking, due to the fact that both are deceptive practices and exploit the same vulnerabilities. This thesis is divided into five chapters. In the introduction, I discuss the inception of this project and the realization that it could be taken further than in the initial project conducted during my sophomore year and discuss my personal design process for a magic trick. Chapter 1 provides a literature review of various academic and popular sources connecting deception in the fields of magic, cybersecurity and in some cases, military security. In Chapter 2, I use the context provided by the literature review to present two case studies, aimed at showing the reader specific examples of magic tricks directly paralleling cybersecurity exploits. Then, I develop my “Characterizing the Primary Exploit of a Trick and Hack” and my “Framework to the Conception and Execution of Magic Tricks and Cybersecurity Exploits,” and provide example narratives to put these frameworks into a real-world context. In Chapter 3, I use this established framework to breakdown and analyze both primary published sources and new interview sources and see how they fit within the framework that I have constructed. Finally, in Chapter 4, I discuss the takeaways and discoveries of this project within a wider context. Before diving into my literature review, I will provide three narrative examples of the design processes of magic tricks and one brief case study of a cybersecurity hack. I provide these examples to enable reader to see some elements of design in magic and cyber-hacking. Designing Magic Tricks Below are three examples of the design process behind magic tricks. The first two discuss personal examples of magic tricks that I have designed with a Human Vulnerability in mind, 6 while the third follows a magician designing a trick with a technological vulnerability in mind. In the first two narratives, I am occupying the role of a Human Vulnerability magician, while in the third narrative Alan Rorrison is occupying the role of a Technological Vulnerability Magician. The first example narrative will follow my personal process for designing a trick, specifically how I designed my own “Ambitious Card Routine.” The premise of an ambitious card routine at the base level is as follows: a card is selected, the card is memorized and placed into the center of the deck, the magician reveals that the card has risen to the top of the pack. Every magician is supposed to come up with his or her own method for performing this trick or some variation of it. When I sought out to design my own ambitious card routine, I wanted to make it new and exciting, but had no idea of how to revamp a trick and almost every magician knows, many of whom have their own variations. I realized that while the other magicians’ tricks were drastically different in style, execution and sleight of hand, the “punchline” of the trick remained constant, the card appears on the top of the