the cups blog


Think Evil Tutorial Part 1

The Think Evil tutorial (slides) talks about how attackers and defenders react to each other.


As a first example we looked at casino cheating. Casinos have an interesting problem because 1) money is involved, 2) there is no hope of negotiating with the attackers, and 3) determining the difference between a good and a bad player is hard.

Card counting works and puts the odds in the player's favor, but it also makes the pattern of play more regular. This can be detected by watching a player's pattern over time. Antivirus does something similar: it recognizes the patterns of known viruses, which allows it to block bad things. Similarly, host-based IDS recognizes good things and allows them. However, to do this you need to be able to differentiate "bad" from "good".

Casinos have several defenses to even the odds back out. Two examples are reshuffling more often and using more decks, both of which make it harder for card counters to get good enough odds. Windows XP used to be very open until someone wrote the Blaster worm. Then Microsoft released Service Pack 2, which turned all services off by default.

Casinos also sometimes just do nothing; many card counters are not good enough to bother about. In fact, card counters who are bad at card counting are a good thing, since they think they can win, which is exactly what casinos love. Security sometimes takes a similar opinion. If the cost of defending against something is more expensive than the thing being defended, then it is not worth it.

The MIT Card-Counting ring made the observation that casinos look for individual players, not groups. So they did card counting in groups. This works well because they are attacking the pattern matching strategy. Mimicry attacks are where the attacker makes their behavior look like known good behavior. The attacker can also use evasion: where the defender is looking for known bad behavior, the attacker makes their behavior look different from the known bad. The goal of defense is to have complete coverage of all bad behavior. This is why antivirus companies are shifting towards exploit identification rather than signature identification: it is more general. MIT also made use of the fact that their attack was novel. It takes time for a security program to adapt to a new type of attack.
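The coverage gap described above, between per-player pattern matching and group play, as an added example that is not from the tutorial or its slides. It goes one step beyond the text by also scoring each table as a whole; the player names, bets, count values and the 0.7 threshold are all constructed assumptions.

```python
from math import sqrt

# Constructed data: running count seen on hands 0..7 (same at every table).
COUNTS = [-3, -1, 0, 2, 4, 5, 6, 1]
# table -> player -> bet per hand (0 = sat out). All values are constructed.
BETS = {
    "A": {"solo": [10, 10, 10, 25, 50, 75, 100, 10],
          "casual_a": [25, 10, 50, 10, 25, 10, 10, 25]},
    "B": {"spotter": [10] * 8,
          "big_player": [0, 0, 0, 0, 200, 200, 200, 0],
          "casual_b": [25, 10, 50, 10, 25, 10, 10, 25]},
    "C": {"casual_c": [10, 25, 10, 50, 10, 25, 25, 10]},
}

def pearson(xs, ys):
    """Correlation of xs and ys; 0.0 when either side has no variance."""
    n = len(xs)
    if n < 2:
        return 0.0
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sqrt(sxx * syy)

def player_score(bets):
    """Per-player view: does this player's bet track the count on hands played?"""
    played = [(c, b) for c, b in zip(COUNTS, bets) if b > 0]
    return pearson([c for c, _ in played], [b for _, b in played])

def table_score(players):
    """Group view: does the total money on the table track the count?"""
    totals = [sum(hand) for hand in zip(*players.values())]
    return pearson(COUNTS, totals)

def review(threshold=0.7):
    """Return (players flagged individually, tables flagged only as a group)."""
    flagged = sorted(p for t in BETS.values() for p, b in t.items()
                     if player_score(b) >= threshold)
    group_only = sorted(name for name, t in BETS.items()
                        if table_score(t) >= threshold
                        and not any(p in flagged for p in t))
    return flagged, group_only

if __name__ == "__main__":
    print(review())
```

Each member of the group at table B bets a constant amount, so the per-player score is zero for both, while the table total still tracks the count.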

Roulette has an attack called "pastposting" where you change your bet after the ball has already landed. An anti-pastposting roulette wheel was invented to prevent pastposting by raising an alarm if the bets are changed. To beat the system the players can mimic drunken players and continuously trigger the alarm until the dealer turns it off. Attackers can use malicious false positives to cause defenders to turn off alarms or start ignoring them. Reactions have a cost; the attacker may simply want to cost the defenders time, money or annoyance.

Even worse, the dealer could be corrupt. If the attackers are friends with the dealer, the dealer can do many things to make the players more "lucky." Insider attacks are a security nightmare because the insider must be trusted and must have insider knowledge of the system. Insiders are also people, who have all sorts of human weaknesses. There was a study where researchers traded candy for passwords (Note: those passwords were never verified). Casinos have cameras not just to watch customers but also to watch the dealers.

Some casinos are experimenting with RFID tags in the chips. This lets them track the chips around the casino and identify players that are winning or losing.

You can win at Roulette because it is not a random process. Thorp also commented on this. If bets are allowed after the time the ball is thrown, then you can use the phase and velocity of the ball and the wheel to predict where the ball will land. This works 40% of the time. Someone else also created a cell phone app that did this. In response the casinos made this illegal. Changing the attacker's cost-benefit analysis can also be used as a defense.


People are self-interested and typically act in their own self-interest, if they understand their self-interest. Each attacker has their own self-interest, and those interests can be very different.

You should always model an adversary as someone who is creative and innovative. Don't underestimate your opponent. Security researchers get into a rat hole on tactics too early. Security experts spend too much time securing the door and don't consider that the attacker wants something in the room, is uninterested in attacking the door, and may just break a window.