The Day My TV Reached Out and Masked Me

Photo of audience member in Society Mask

The Mr Robot Reach. The Horror, masked.

On Monday, there was a tweet I couldn’t ignore.

The result, shown above, is both an act of protest (fsociety) and of acquiescence (read on).

My Twitter modality is largely unidirectional. I don’t expect responses to my actions. I don’t expect, and very rarely stumble into, sustained dialog as a result of an RT or dashed-off reply.

Despite a more than passing resemblance between E Corp and NBCUniversal Cable Entertainment, when @whatismrrobot reached out, I did the unthinkable and provided a street address. Yes — PII and all that. And over a weakly authenticated channel. No NDA. No opt-in. No privacy disclosure.

A Mr. Robot surrogate of some sort had somehow reached out through that noisy social network chatter. I lowered my guard, recalled recent hand-wringing over Season 3 ratings, and responded with a guarded assent.

A day later FedEx announced a shipment from Los Angeles (yes, not a suburb), from Department “Mr Robot.” The rest is . . . well, very, very minor history. But memorable, in a Don Draper sort of way. A show known for its digital dystopia and destruction, decoy and dissolution did the unthinkable. It reached out and touched me.

Answer? Encrypted

TV is ordinarily a cold medium. If only Marshall McLuhan were around to offer a better explanation. But no. The API is undiscoverable. The answer, if there is one, is probably encrypted.

But please don’t delete me while I check anyway.

Analyzing the Beast that is Cybersecurity

Hyatt Regency walkway collapse (credit: Wikipedia Commons)

What sort of beast is “cybersecurity” anyway?

Failure Analysis

Is it simply a variation of software failure? According to this analysis, a security lapse is a software engineering failure, not technically different from an unintended “404” error or an “uncaught” exception.

Protection Analysis

Is it simply a failure to implement corrective measures? This analysis likens cybersecurity to physical security. Facilities such as military bases or electric power plants are vulnerable targets. Rather than try to remove all the points of vulnerability, a virtual “layer” of physical security is drawn around the facility. The Department of Defense Physical Security Program provides a useful glimpse into this approach. Consider DoD 5200.08-R. A version last updated in 2009 is hosted by DTIC. To some extent, there is a reasonable analogy to protecting software.

Architecture Analysis

Is it a design failure? In architecture, it is not uncommon for architects to receive the blame for collapsed or otherwise unsuccessful buildings. For instance, consider the failure of a walkway in the Kansas City Hyatt Regency hotel in 1981. In this failure, 114 persons were killed, and initial blame settled on architects. A more nuanced view recognizes multiple sources of responsibility, including project sponsors, customers, auditors, and sometimes public officials and even politicians. This was the argument made by one K. Bristol in a 1991 analysis of the Pruitt-Igoe towers project in St. Louis.

Regardless of which of these approaches is chosen, the relative contributions of alternative models for failure should be taken into account. There is a tendency to focus excessively on the specific lapse (e.g., buffer underflow). Issues such as engineer training, IDEs, development frameworks, test environments and constraints imposed by sponsors and other stakeholders also deserve investigation, if not blame.