Showing posts with label history. Show all posts

Thursday, September 27, 2012

Vauban Star Fortifications

Bourtange Star Shaped Fort
Taking a blast from the past that still has some application in today's physical security landscape ...  Star Shaped Forts using the Vauban (military engineering) Principle.

Acute angles on the corners of a building are added to the architectural design to eliminate "dead zones" in which an adversary could hide or take refuge.  At the time of star shaped fortifications, all of the competing designs employed rounded towers or turrets at each corner, typically to house archers.  As a breaching force approached the rounded corner, they were able to hide from the archers using the fortifications intended to be an asset in favor of the defenders.

Acute angles, however, prevented the breaching force from seeking shelter along the very walls intended to shelter the defenders.  [See the illustration, below right.]

Modern applications against a well equipped modern adversary are very limited, since "air support" ruined traditional fort designs (adversaries can simply rain fire from above).  However, against a low tech insurgency, the classic star design still prevails.

There are also applications for the acute corners in modern civil architecture.

For example, for an HVT (High Value Target) person, such as a celebrity, bank CEO, or anyone else who might typically employ a Private Security Detail, these corners help to deter snatch-and-grab and similar attacks by simply limiting the avenues of approach.  Col Jeff Cooper, famous for dealing with small arms fire, had a fascination with these acute angles to the extent that the term "Cooper Corners" was coined referring to this much older design.

In public civil architecture, there are obvious applications in places such as bank vaults, manufacturing facilities where the likelihood of espionage is high, and even public restrooms in semi-remote and semi-private, yet public places like city parks, where the likelihood of an after dark robbery or rape assault is high.  In the case of the park (along with a well designed layout of lighting, landscaping, and shrubbery) the acute angles may be just the trick to eliminate lie-in-wait hiding places.

The next time you are tasked with securing a high value asset at a physical location, being familiar with the acute angles of the Medieval star fort might be the exact tool you need to pull out of your security toolbox.

Thursday, August 16, 2012

Classic Trust

Ken Thompson is on the left. That's not Adam Savage on the right.
If you work in computer security or software development, and you have never read Unix co-creator Ken Thompson's original 1984 speech "Reflections on Trusting Trust" then you are hereby obliged to at least read the following snippet for today's history lesson, which is just as relevant-- actually more so-- today:
The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.
Ken was referring to the trojan modifications he embedded into the C compiler, illustrating that you rely on more than source code: you also rely on the compiler, the assembler, the loader, all the way down to the instruction sets of the CPUs.  Or as Schneier famously pitched: "security is a chain; only as strong as its weakest link".
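A toy model of why source-level review misses this, added here as an illustration (it is not code from this post or from Thompson's paper): the compiler and login sources are clean, yet a trojaned compiler binary re-creates itself and backdoors login, and only a comparison against a trusted build shows the difference. The names `compile_`, `ME`, `load` and the backdoor value are constructed for the example, and "binaries" are simply Python text.

```python
# Toy model of the attack in "Reflections on Trusting Trust" (constructed example).
# A "compiler" maps source text to a "binary"; here both are Python text run with exec.
LOGIN_SRC = """
def check(user, password):
    return password == SECRETS.get(user)
"""
COMPILER_SRC = """
def compile_(src):
    return src  # honest compiler: the binary matches the source
"""
BACKDOOR = "CONSTRUCTED-BACKDOOR"  # made-up value, appears in no source file

# The trojaned compiler *binary*. ME is the binary's own text, supplied by load();
# it stands in for the self-reproducing (quine) step of the real attack.
TROJAN_BIN = """
def compile_(src):
    if "def compile_(src)" in src:          # compiling the compiler: re-emit the trojan
        return ME
    if "def check(user, password)" in src:  # compiling login: accept a second password
        src = src.replace("return ", "return password == %r or ")
    return src
""" % BACKDOOR

def load(binary, name, **env):
    ns = {"ME": binary, **env}  # assumption: a binary can read its own image
    exec(binary, ns)
    return ns[name]

def build_login(compiler_bin):
    """Rebuild the compiler from its clean source, then build login with the result."""
    stage1 = load(compiler_bin, "compile_")
    new_compiler_bin = stage1(COMPILER_SRC)
    login_bin = load(new_compiler_bin, "compile_")(LOGIN_SRC)
    return new_compiler_bin, login_bin

def source_audit():
    """Source-level review: is the backdoor visible in any source file?"""
    return BACKDOOR in LOGIN_SRC or BACKDOOR in COMPILER_SRC

def accepts(login_bin, user, password):
    check = load(login_bin, "check", SECRETS={"alice": "s3cret"})
    return check(user, password)

def binaries_differ(suspect_compiler_bin):
    """Binary-level check: compare login against a build from a trusted compiler."""
    _, trusted_login = build_login(COMPILER_SRC)  # honest binary equals its source here
    _, suspect_login = build_login(suspect_compiler_bin)
    return trusted_login != suspect_login
```

Rebuilding the compiler from audited source does not help when the only compiler available to do the rebuild is the trojaned one; the check that catches it operates on the outputs, not the sources.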

Who operates on a completely self-built system from software to hardware?  We would venture to say: nary a soul.

Just a good reminder for a random Thursday, in case you forgot.

Thursday, February 23, 2012

John Nash Crypto Letters

John Nash (inspiration for A Beautiful Mind) wrote letters to the US Government in the 1950s which have recently been declassified and released to the public. Now you can read for yourself how John Nash was essentially 20 years ahead of the world around him in his plans for a cryptographic system.

The questions to ask yourself are: Did the US Government sit on this devised plan? If so, why? If not, how long were they keeping it to themselves before moving on to something better?

One thing can certainly be learned from history: powerful governments and organizations have kept tight lips on the cryptography they use, and stay far ahead of the power curve. Simon Singh covers the topic well in his book: The Code Book. (If this topic is even partially interesting to you, then you should at least read that book, if not buy a copy.) At each step along the way in recorded history, there have been parties wishing to keep their communications confidential, and significant disparities in the technology to do so. Charles Babbage's scheme for breaking the Vigenère Cipher comes to mind.

Monday, October 5, 2009

RSA doesn't know Kerckhoffs

I found this in RSA Security's guide for their Authentication Manager (a.k.a. RSA SecurID) application suite:
"This reference guide is meant only for security administrators and trusted personnel.
Do not make it available to the general user population."
So much for Kerckhoffs's Principle from the world's leading cryptography vendor:
"[S]tated by Auguste Kerckhoffs in the 19th century: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge."