web application security lab

What Star Trek Predicts About The Future of Information Security

I had a funny thought while talking with some folks from Intel about what the future state of information security would look like and how that relates to what our favorite nerdy show, Star Trek, has to say on the topic. This is meant to be a funny post, but there may be some truth buried in here somewhere too. Without further ado:

Physical security will always be a problem: How many times have we seen people open up random access panels on the Enterprise and start pulling out chips when something goes awry, or just start swapping them out right and left? Crawling through tubes to get past obstacles and the like… it all points to the fact that even the most sophisticated military war machine of the future won’t stop some teenaged acting ensign in engineering from taking over control of the whole ship in about 35 seconds.

Organizations will focus on secure transport and network security and will still ignore drive encryption and the insider threat: I don’t really recall any times where enemies were able to intercept any meaningful communications between the Enterprise and other federation ships. That must mean they are using TLS16/SSL34.0 in the future, which is good, but for some reason any schmuck diplomat from some third world (pun intended) alien race can get any information out of the computer he wants without ever even supplying a password!

PCI doesn’t stop hackers, now or ever: They don’t use money in the future. Probably because consumers are so sick of having their credit cards stolen, is my guess. I’m also guessing, based on how many holes still exist, that SQL injection is still around even hundreds of years in the future. So currency, and therefore the payment industry, had to go. Even Quark trades in gold-pressed latinum - you don’t see the Ferengi taking plastic.

Biba and Bell-LaPadula security models will always be a good idea, but will still never be properly implemented: Seriously, the Federation is pretty lax in their whole openness. I mean, should you really let people on your ship, carrying weapons, with no or minimal escort, and allow them to use your computers, write to them, copy information off of them and so on? Balancing the Prime Directive and giving some industrial-revolution-era alien species access to a computer with the engine schematics to the warp core of the most advanced warship in the fleet sorta seems a little out of whack. Maybe that’s what they get for not having money in the future - no one’s worried about losing their job.

The singularity is a non-event and will end up being a wash for security: I mean, Data is pretty cool, but he is really not much more than an oddity in the show. Sure, he’s saved the Enterprise a number of times, but he’s also pretty darned hackable in the future too. He’s been compromised more than most of the other people on the show combined. This is not a good outlook. Why they didn’t bother to root-kit him, I’ll never know. But if Data is the tipping point of a potential Skynet, I’m not too worried - he plays violin and he owns a cat.

Individuals will almost completely give up on the idea of protecting their privacy: Everyone on the Enterprise is pretty happy with the idea of carrying around RFID chips on their badges all the time, even when they’re off duty and getting some R&R and T&A on Risa.

Organizations will always ignore single points of failure, even after it bites them in the ass: I can’t even tell you how many times the Enterprise has managed to damage the one and only dilithium crystal that they have on the whole ship. They know they can’t whip up a new one with the replicators, but they still don’t carry even one spare. Then they end up being stranded or having to use the sensor array to catch radiation from some exploding sun, or some other harebrained plan that always manages to work out exactly perfectly but always necessitates near-death experiences in the process. Why, for all that’s holy, wouldn’t you just bite the bullet and pay to have two on board? Yes, I’m talking to you, Jean-Luc, and you too, Mr. CISO.

The iterative development model will be proven bad for security and quality exactly 1,000,000 times but will still be used in production anyway: How many times have we seen engineering making changes to the warp core while they are 200 light years from any star base or any other craft for that matter? And how many times has that gone smoothly again? No, it’s a bad idea now, and it will always be a bad idea. But then again, maybe you shouldn’t worry so much about keeping your data and integrity intact… it always manages to get fixed in an hour or so anyway, right?

Biometrics will always be used as a backup to password authentication - but both still suck: Sure, voice print recognition has been used a few times, as have hand scanners and even an iris check. But the vast majority of times someone has entered a password on the show (which incidentally is almost never - giving you an idea of how lax security will be in the future) it has been by saying it out loud. Hackers must be pretty uninventive in the future, because I’m guessing digital voice recorders are pretty easy to get your hands on.

Virtualization security is an oxymoron - even in the distant future: I mean, really, how many times has the whole damned ship been taken over by some overzealous holodeck character? Whoever wrote the holodeck hypervisor really needs to be put in a room with Worf for a few hours so he can explain, with his bat’leth, what the need for true physical and logical isolation is. Why some Sherlock Holmes character should have access to main memory, I’ll never know. Too bad we aren’t smart enough in the distant future to think about hardware isolation instead of relying exclusively on dangerously faulty software.

And with that, I’ll let you go back to your regular scheduled programming.

29 Responses to “What Star Trek Predicts About The Future of Information Security”

  1. Stephen Northcutt Says:

    I popped over for a laugh at the end of the night, but this is the most insightful analysis I have read in weeks. If I can encourage you to add one more bullet, love to see your take on the Kobayashi Maru.

  2. MikeA Says:

    Absolutely brilliant :) I see a quick browse through my Star Trek (and maybe even Stargate) collection (yeah, I’m a nerd, so what) looking for examples.

    This would make a fantastic presentation somewhere (à la Johnny’s “hacking in the movies”).

  3. Jean Christophe André Says:

    You totally missed the point… This is all about being heroes! ;-)
    And that also explains why “Real Life”™ people don’t buy spare or make backup either: they all want to be heroes too! :-D

  4. crazy_lil_white_guy Says:

    I was expecting at least 1 Borg/Google reference.

  5. RSnake Says:

    @crazy_lil_white_guy - haha… Yes, I guess Google has a re-branding effort somewhere in the future. Good point.

  6. Wladimir Palant Says:

    Actually, the Borg are really not about Google - they are the evolution of peer-to-peer networking. They are the living proof that peer-to-peer is the most resilient of all communication models, Napster forever!

  7. Eric Case Says:

    At the 2007 InfoSec World and Conference, Ira Winkler did a presentation entitled “Everything I Need to Know About Security, I Learned From Watching Star Trek.” It was a very fun presentation.

    Concerning the Kobayashi Maru, in Winkler’s presentation he says “Generally [Star Trek I] was a mess” and “Sometimes hacking can be the right answer.”

    Regarding the Borg ship Winkler says, “Small intrusions can start a major effect, you cannot ignore the little things.”

  8. Mrs. Micah Says:

    *raises nerdy hand* Um, it’s Worf.

    Sometimes I’ve considered building a password from the security codes so often uttered aloud in Star Trek. It’d be safer for me than for them. ;) (then I worry that people will figure it out because I’m just the sort of person to do that.)

  9. Jabra Says:

    Quality posting! I’m guessing you spent the weekend doing a Star Trek Next Gen marathon. Nice connections between Security and one of the best shows of all time.

  10. anonymous Says:

    As long as security professionals don’t have to wear red shirts, I’ll be okay.

    And Kobayashi Maru = insider threat. :>

  11. Ron Gula Says:

    Great post!

    In the Star Trek world it seems there were huge advancements in hardware (enough memory to store your atoms in a pattern buffer) but AI still sucks. Even after merging with an alien race on two occasions (V’Ger and NOMAD) our code still sucks and can be outwitted or defeated by a human!

    –Ron

  12. Jon Tollerton Says:

    Also, no one will actually bother with backups, and the amount of data generated will continue to exceed any practical storage mechanisms.

  13. Alec Waters Says:

    The Kobayashi Maru was a straightforward con, wasn’t it? After visiting social-engineer.org, the Klingons:

    - Did enough background research on their prey to know a few details of the KM.
    - Then they made a pretext call to the Enterprise to establish credibility.
    - After gaining the trust of the crew, the Klingons obliged the Enterprise to help by spinning a cock-and-bull story about needing help with four flat tyres or something.

    “Step into my neutral zone”, said the Klingon to the Cadet.

  14. Alec Waters Says:

    You could probably get “identity theft” into the mix, too - the identity of the Kobayashi Maru was stolen by the Klingons in order to facilitate their little scheme.

  15. Christopher Vera Says:

    And let’s not forget in addition to the Engineering section, they let any unvetted alien on the bridge. Background checks, please!

    And dont get me started on all this voice-activated technology. Have you noticed every time an officer has to validate their passcode with the computer its in front of like, 50 people that are listening?

  16. D. L. Yonge-Mallo Says:

    *raises another nerdy hand* And it’s “Jean-Luc” and “Sisko”.

    – davinci

  17. dcj Says:

    As far as RFID, they are all Federation quasi-military, serving on a ship. Privacy? What’s privacy?

  18. Hannibal Says:

    this is absolutely brilliant :D I have to agree with every point. The times the enterprise - or any other space ship in the federation for that matter - was taken over by some scriptkiddy is not even countable by Int32. Really man.. I wouldn’t even store my personal data on the fucking mainframe where the “security” is teh tightest…

  19. David Clark Says:

    some funny stuff, but - have been a sci-fi head for long, but mainly Asimov and Clarke and Bester - (Tiger, Tiger). So, Star Trek never made it big in my life, because of all these story-line bloopers. Perhaps it’s a function of pragmatism.

    Think - in the time of 2001: A Space Odyssey, released in the early 70’s, with no digital equipment revolution yet in sight, the ‘war correspondent’ in the early boardroom scene records the proceedings and delegates with a palm camera that is compact even by today’s standards …

    I guess the sight of all those Star Trek and Star Wars spacecraft doing manoeuvres that can only happen with lifting wings in an atmosphere, and shooting a space cowboy variant of the Uzi and bazooka, just didn’t whizz across my synapses too well.

  20. Jadawin Says:

    > Have you noticed every time an officer has to validate their
    > passcode with the computer its in front of like, 50 people that
    > are listening?

    Only because you make the assumption that because you, the mostly-omniscient ‘viewer’, can hear it, everyone in that room can hear it. If you wish to assume that it’s more secure, you can envision some sort of sub-vocalization, or even the idea that, without bothering to show it happening to the ‘viewer’, the Computer puts a form of ‘shields’ around the head of the speaker after identification, blocking all sound and even obscuring the visual.

    Just depends on whether you want to point and laugh, or point and explain.

  21. Mr Spock Says:

    The capability for time travel has eliminated the need for forward planning. All security is now retrospectively applied, blocking and preventing security incidents after they would have happened. Luckily for us, the Klingons are unable to exploit time travel to the same extent, being preoccupied with the grammatical difficulties it creates.

    By the way, I believe you should note that my tricorder was modelled on your rather quaint “network analyzers”.

    Spock out.

  22. Andy Says:

    One more.

    They forget basic recovery procedures and have to figure them out again each time.

    When the Enterprise was infected with a computer virus, they didn’t know what to do. Everything was falling apart. They were spreading the malware to every ship they ran into.

    Finally they had a great idea. Reboot the computer and restore from backup. Nobody ever thought of that before.

  23. ZenBlue Says:

    Who needs to study for the CISSP when this article sums it up!

    > any schmuck diplomat from some third world (pun intended) alien race
    == IT Consultant (the most insidious of insider threats)

    Prime Directive == Common Criteria?

  24. Amy Coulter Says:

    It seems a bit odd that only Jadawin brought the concept of Narrative - the fly-bat-worm model of individual consciousness - into the discussion. Which is not to say that the other responses did not further amuse, in the spirit of the exquisite post, in more or less fine style. But, except for Jadawin and Mr. Spock (and, I suppose, this one) the responses are, au fond, extrapolations from or reiterations of the original post. As for you, Spock, thank heavens someone sat up and paid attention in physics class, or mucked about in Godel, *and* can turn a sentence on a dime.
    For the post, thank you very much!

  25. strace Says:

    Awesomeness…

  26. Ed Says:

    Re: Andy - One more reason why the new BSG was so much smarter. They still had frakking backups and could use them :)

  27. ern3sto Says:

    My company is not a very big company, but still, my bosses thought it absolutely necessary to have video surveillance in almost every room in the building, so they do not have to ask by communicating device (today, the mobile phone): Neelix, is everything alright with you? Is Kes still having her pointed ears?
    So in the 24th century, Capt. Janeway will still have to use an enhanced mobile phone (”communicator”) to find out what’s going on? Is the meal finally cooked, Neelix? What’s the point of a video surveillance system on the Enterprise - was it too expensive for the reduced budget of Star Fleet, so they gave up?

  28. Russ Says:

    You forgot that a 5 digit numerical code is apparently all that is necessary to gain complete remote access to a ship’s main computer, which can be used to lower their shields.

  29. RSnake Says:

    As a side note, to back up my claims about PCI in the future, it must be true, because star trek’s own Website has XSS flaws in it (dating back to 2006 - a la sla.ckers.org): http://www.startrek.com/startrek/view/search/result.html?type=article&search=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&category=