# Week 4 - Tutorial Notes - Houdini
***
## Objectives 📃
- Administrative Stuff
- Case Study: Houdini
- Final Notes
- FAQ
***
## Administrative Stuff 📚
- Marking issues
- Did everybody get their marks and email?
- Roll page:
- Regarding SGS and Something Awesome Submissions
- All of this is kept in the roll page
- All of this information is kept on this page.
- Link to Something Awesome
- Link to logbooks
- Whether you elect yourself for SGS
- Link your quizzes as well
- Simplified Grading System
- https://www.openlearning.com/unswcyber/courses/security-engineering-23t3/coursecovfefe/simplifiedgradingscheme/?cl=1
- **Deadline**: Start of Week 7 (Monday Week 7, 23 Oct 2023)
- Law students aren't granted this. Only COMP6441 and COMP6841 students. (Soz Law Students ;-;)
- Week 5 logbook, recording (1 min)
- Week 5, 60 seconds recording maximum (not a hard cap, but keep it below 60 seconds)
- Due the same time as your Week 4 logbooks (the Wednesday of Week 5)
- Summary of your progress so far, preferably more than an "I will start my project soon"
- Method of submission:
- Record yourself doing the presentation
- Upload to YouTube as an unlisted video
- Link it into the roll page
- The Week 4 slog secret extension:
- Everybody gets an extension until Thursday Midnight tomorrow
- Technically, I can't give this out so don't tell anybody 🤫
***
## Case Study: Houdini, the magician who died 🧙‍♂️
<!--
Renowned stage magician Harry Houdini (1874-1926) was outraged by mediums after some of them attempted to con him during his despair at his mother’s death. He became a passionate debunker of mediums, delighting in publicly exposing fakes and frauds.
Mediums are people who claim to be able to speak with the spirits of dead people, and at this time in history they were quite popular and many people, called spiritualists, believed their powers were genuine. For example, bizarrely, Arthur Conan Doyle, the author who created the super rational Sherlock Holmes, was himself a spiritualist.
People consulted mediums to communicate (or so they thought) with their deceased loved ones. Houdini hated these mediums - thinking they were unscrupulously taking advantage of people who were in grief.
One of his most famous attempts at debunking was with the remarkable medium "Margery" aka Mina Crandon
***
At the end of the first world war and the Spanish Flu many people had lost loved ones and had gone through terrible hardship. The world must have seemed a bleak place. I expect people looked for meaning or hope wherever they could find it, I suspect I would have.
One of the first urban myths I know of started when author Arthur Machen invented and wrote a short story called "The Bowmen" about angels helping British soldiers at the Battle of Mons in 1814. You can read a copy of the story [here](https://www.openlearning.com/unswcyber/courses/security-engineering-23t3/casestudies/houdini/The_Bowmen_Arthur_Machen). The story was published in a newspaper but it wasn't made clear that it was just fiction and soon many people were repeating it as a true story. Arthur tried to correct the record but was never able - the story had a life of its own. People wanted to believe it. It was comforting to them.
***
The (often terrific) magazine Scientific American offered a prize in the 1920s to any medium who could withstand scientific scrutiny. They unmasked many fakes, but were there perhaps real ones as well as fakes? The medium who came closest to winning the prize was "Margery" (Mina Crandon) - you should read about her, and about Houdini (what a remarkable person!), and about mediums in general in preparation for this case study. Some initial readings are given below but you will probably want to read a bit further to find out what people believed and how they were tricked.
***
-->
ABSTRACT
It is the 1920s and you are the great Houdini!
Houdini hated so-called "mediums" taking advantage of grief-stricken people trying to contact loved ones who had died, and successfully undertook a personal mission to expose mediums as being fakes.
However Houdini (correctly) anticipated that after his own death it was quite likely that unscrupulous fake mediums would try to pretend his spirit was in touch with them, and they would claim that the dead Houdini was saying they were not fakes after all (!)
So, to forestall them, he publicly announced that he would try to contact his wife Bess via mediums after his own death, and then he privately worked out a protocol with her to prevent the mediums from claiming his "spirit" was telling them messages to pass onto Bess, when in fact they were just inventing the messages.
The purpose of the protocol was to prevent mediums from cheating and successfully passing off false messages to Bess, claiming they were from Houdini (after he had died), thus tricking the general public and/or Bess.
Sadly Houdini's actual protocol was flawed.
QUESTION
Can you do better? In this activity suppose you are Houdini while he is still alive, and you and your trusted partner Bess are trying to devise an effective protocol.
Q1. State and briefly justify the most important properties your protocol should have:
Q2. Give your protocol
<!--
***
========== TUTOR NOTES ==========
They are in 1920 - there are no computers or even non trivial calculators. No advanced cryptography (RSA etc) has been invented yet.
Houdini wants to expose fakes, and have the public realise that the fakes are fakes. Exposing fake mediums by some protocol that would only convince him, Bess, or a mathematician, is not really any use.
It may be tempting for them to talk about elaborate cryptographic solutions but keep nudging them back to thinking about what is really needed to achieve Houdini's purpose.
Ideally ask questions that let them realise for themselves what they are overlooking rather than just telling them.
Probably no one will have a perfect solution - that's fine. Main thing is they realise what the weaknesses in each proposed solution are. Likely they will come up with different protocols to deal well with different aspects but none that deal with them all - while that would be of no use in practice (weakest link) but great learning experience in this case study discussion. Means they can leave the class still thinking about the best way of doing it (I'm still thinking about it after 20 years:)
Gotchas
This case study is unusual as people often quickly jump to a weak protocol which doesn't really achieve the desired outcome very well, and yet are very confident that they are correct and need look no further.
Students need to:
- read the question to see what is really being asked, then
- think carefully about what an effective answer would look like, and
- have a healthy dose of doubt about everything their classmates and they themselves come up with.
Some of the challenges the protocol needs to address (there will be many more too, please add in the comments below any interesting additional requirements brought up by your class.)
- C: the goal is not: to establish secure communications with Bess. So obsessing about encryption methods is likely to be a red herring.
- I: the goal is not: to make sure messages from Houdini are not tampered with. Just establishing contact with Houdini would be enough to settle the fake question once and for all. There is no need to ensure any messages are not altered.
- A: one goal is: making sure that the messages are coming from Houdini. So there is an authentication requirement.
- Time: Look out for replay attacks - there needs to be some proof of "liveness" (ha!) or "timeliness", that the messages are being sent now (i.e. messages were created by him after he is dead rather than somehow having been generated by him while he was still alive and just being "delivered" after he was dead.)
- Bess is flawed: she is just a person - she could forget things, be tricked by unscrupulous fakers, she is on our side now but who knows? She may well miss him terribly and eventually want to believe he is sending her messages.
- Threat model: what powers, resources and motivation will the attackers have? - The fakers will be highly motivated to defeat this protocol. Assume they will burgle, bribe, lie, use technology, research, do recon, attempt brute force, use social engineering on any human elements in the protocol etc. There will be a lot of money in tricking this protocol - you'd be world famous and able to generate lots of money from credulous people so you'd be well funded (and already an expert in tricking...)
- Repeatable: just showing that one medium is fake is not sufficient. Just because they are fake doesn't mean the other contenders are (recall from the reading that many had already been shown to be fake, but the others were able to say oh yes they were fake but I am the real thing...). You need to show everyone who tries to contact Houdini is fake. So if you use shared secrets in the protocol make sure you have a huge supply of them (which is a hard thing to keep secret) or that you don't have to discard them after you make use of them (which means it might be hard to convince others that the faker being tested really did fail the test)
- convince others: that's the main point of this - that when someone falsely claims to be communicating with Houdini you can convince EVERYONE that they are fake. No point if the protocol just convinces Bess for example and people have to believe her when she says it was a lie. People may not believe her for a whole range of reasons not least of which is that she and Houdini are known to want to sully the reputation of mediums and are the enemy of mediums so perhaps she is not being honest in what she says.
- The last point means the protocol has to be simple and convincing to observers
- One additional point (from Lyria): Governments sometimes think they can prevent people lying or faking by passing laws against it. See all of the debates about how we can "stop" fake news (and Putin's latest attempt to stop news that disagrees with his propaganda). However, a protocol for governments (or digital platforms) to do this is as hard as this week's problem, even if they are well-intentioned. Not sure anyone wants to go there, but a potentially fun side track.
-->
***
## Final Notes
- Adam Smallhorn (RSA, Bits of work): https://www.youtube.com/channel/UCKdx-0jeuNbTYs-wx2PhrPA
***
(These may get updated weekly so please go see the most recent document)
## FAQs
- Can't make the tutorial? - Go to another tutorial in the same week (and just send me an email)
- Who do I contact for (insert special thing here)? - Contact me first, I'll tell you what to do
## Deadlines
- **Logbook Release**: Wednesday of every week
- **Logbook Submission**: Wednesday of the following week
- **Something Awesome Idea Approval**: Friday Week 2
- **Something Awesome Half Way Presentation**: Wednesday Tutorial of Week 5
- **Class Notes Responsibility**: Week 7 Tuesday
## Contact Me
- My Email: z5238611@student.unsw.edu.au
- Because of the volume of emails: place the code in the subject line (COMP6441/COMP6841/LAW3040 respectively) and chances are higher that I see it
- I will respond within 24 hours, so don't expect any 3am immediate response
- For LAW, any question about Something Awesomes, please contact Lyria, she will be the one marking and assessing you all
## Good Faith Policy
- The "Don't be a dick" policy
- If you are testing something on someone, always make sure it does not do genuine harm (physically, technologically, mentally). Always debrief your targets
- Do not do anything illegal. Nuff said. (Had a previous guy try to break into airport security)
- If you are unsure, feel free to email me
## Final Notes:
- This is a very fun course and it truly is a course where you get out as much as you put in
- I will post this on the tutorial group for your reference as a PDF
- Good Faith Policy, don't forget it