ThreatNG Security

View Original

I AM NOT A BOT Episode. 3: “The Birthday Paradox”

I smirk at the Brute Farce Attack online headline while waiting for my teacher to let me into today’s Zoom class,

DIVERSE CYBERSECURITY PANEL HOSTS FIVE DIFFERENT KINDS OF WHITE MEN, AND ONE PAIR OF RAINBOW SOCKS.

Seconds later, popups of true diversity appear on my screen, including various shades of African, Asian, and Latin American.

This Cybersecurity program I’m in is designed to give minorities access to advanced tech training – education being the ultimate hack into the good ol’ boy network.

The face of my father pops up in the Zoom box of my mind. Today’s version is a lot younger than usual.

When he came to America in the late 1960s, my father struggled as a medical resident, mainly because he was earning just $150 a month. To support my mom and my older sister and my older brother, he had to take a second job.

His American counterparts, on the other hand, made $1500 a month. No second jobs needed. Probably got their rainbow socks for free.

“The Birthday Paradox,” my teacher opens with, “is a study of probabilities. Sometimes an event is more likely to occur than we believe it to be.”

Our cohort started with 22 students. Four abandoned ship after the first two weeks. What is the occurrence probability of such a drop off? High, I think to myself.

“In this case, if you survey a random group of just 23 people, there is a 50–50 chance that two of them will have the same birthday.”

We try it. No luck. None of our birthdays match. Maybe because we are down to 19 Zoom boxes.

“Ok. Now everyone think of a family member. A brother. A sister. One of your parents. One of their birthdays will likely match one from --”

-- Edamame chimes in. ZaeZae’s birthday matches his wife’s.

I type into the Zoom chat that NotSoShi’s birthday is July 1st. My father’s birthday.

“The occurrence probability of a birthday match moves close to 100% if you expand the room to 100 people,” my teacher says. “From 50/50 to almost 100 with a simple expansion.”

Various heads nod in their Zoom boxes.

“There is a high probability of a match because there are a finite number of options. There are only 366 possible birthday dates, which makes it easier to find someone just like you.”

“There is no one in the world like me,” ZaeZae touts on Discord.

“And this all relates to Password Cracking how?” my teacher asks.

An awkward silence follows.

“Think of what we learned yesterday about hashing. Remember why we hash, the importance of encryption.”

Try as I might, I can’t help but mentally detach from class, as I tend to do.

I do hear something about hashing algorithms.

I do hear something about taking an input of any length and producing an output of a fixed length.

I do hear something about the birthday attack and the creation of hash collisions.

I do smile as I see that ZaeZae has typed, “Uh … huh?” into the Zoom chat.

I focus on the “huh?”, which transports me to my parents and their “huh?”

I am transported back to me. Baby me that is, wrapped in swaddling clothes. That's because I was a “huh?” A mistake. An oops. My sister is 12 years older than me. My brother 10.

I look at a baby me and cry to myself, I been done trying to find that someone in the world like me.

I smile again when I look at my head. I smile at the fact that all babies are given the same rainbow colored beenie to warm their heads at birth. A lazy attempt to connect us all.

My mind’s eye clicks on to the rainbow socks crew from this morning’s Brute Farce Attack meme. I start to think that the biggest problem in the Cybersecurity industry is related to the Birthday Paradox we are studying. The biggest problem is that you have the same finite set of good ol’ boys’ minds trying to solve an infinite number of problems in the Infosec universe. And to no one’s surprise, these limited minds are failing.

Alpha. Omega.

Cybersecurity breaches have cost American companies billions of dollars over the last few years. According to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), nearly $600 million was paid out by US victims of Ransomware in the first half of 2021 alone.

Black Hats, as of course they are labeled, have tapped into Uber databases and have snuck into Los Angeles’s public school district. Just the other day, there was the Southwest holiday travel debacle caused by malware. Today, that was elevated into a nation-wide shutdown of air traffic control across all airlines.

A new McKinsey research study alarms that Cyberattacks have caused $2 trillion dollars of damage in 2022.

The same finite, exclusive set of “white hats” are losing to a rainbow of adversaries who are constantly trying to think up new ways to digitally attack us with each sun is shining and each birds are chirping.

Or … are these white hats covertly trying to cash in on the $2 trillion market opportunity that is cybersecurity technology and cybersecurity service?

“I don’t know, “ ZaeZae answers out loud to another of our teacher’s questions.

There are an infinite number of questions in this ever morphing industry. The good news, however, is that there really is just one answer to them all. One solution. One way to combat all the hacks and all the bad actors we have discussed over the past few weeks.

And if you think about it, there is just one way to address all of the ‘huhs?” and all the accidental collisions and all of the purposeful paradoxes this country has hashed out on the regular.

One answer. One understanding. And that answer, that understanding is that DIVERSITY MATTERS.