In Rick n Morty Season 3 Episode 1, the writers guide us through a dizzying array brilliantly constructed Information Security allegory. I tried to encapsulate all this in a previous post but I missed one! Here I dig into and explain what I think is the information security joke behind Rick's Garage Flies.
|Summer trying to authenticate to Rick's Garage
Fly on the Wall
Later in the episode we see Rick actually use these files as an access key to his stuff. The joke here is that the flies were actually a form of steganographic and integrity-checked, non-identity based authentication i.e. it allows authentication in secret but doesn't produce evidence on who authenticates. Let's break down that loaded description:
- Steganography is used in security to hide the fact that people are communicating or that something hides a message. Here the steganography hides the "lock" to Rick's garage.
- Authentication is used to make sure access is granted to people with the right to access something. Only Rick who knows the order/orientation of the flies (the password) will successfully get access.
- Integrity-checked meaning it provides indication that someone who is not allowed to access something has accessed something i.e. here it produces indication that someone searched through Rick's garage!
- non-identity based; meaning should someone authenticate or not authenticate you will only be able to identify their action but not who they are. We see that Rick mistakenly blames Jerry for rifling through his garage; he is correct about the action not the who performed it!
The scene of Summer trying to "guess" the order of the flies no takes on a different tune. It was actually a demonstration of the systems effectiveness. Summer though guessing had to both guess what was being used as authentication and what is needed in order to authenticate. This state is what is most desired by information security engineers producing a system or attack surface that is as hard to access by attacks and hard to defeat given access is granted.
If security engineers don't achieve both they often suffer from the lack of either: being attacked because the are too easy to find; not being attacked enough and then being devastated once access is achieved.
That's it for now! Stay tuned for more!