Nobel Prize Winner, Safe Cracker, and Curious Character.

Richard Feynman — Nobel Prize Winning Physicist, supervisor of "human computers" on the Manhattan Project, and Bongo player — has long been a much loved role model to Physicists everywhere.

It wasn't just his brilliance, his ability to clearly explain complex subjects, or his iconoclastic behavior that garnered such a "fan base." He truly was a "curious character" (in more ways than one) to borrow the phrase from his biography "Surely you're joking Mr Feynman! Adventures of a curious character."

Dabbling in Security at the Manhattan Project

There were a number of experiences in his biography that are still just as relevant to security today as they were back then. Let's consider three incidents.

Writing down predictable passwords...and using them over and over.

Physicist Frederic De Hoffman had a set of nine locked filing cabinets containing the secrets of the Atomic Bomb. Feynman needed to obtain a particular document. As described in detail here, he checked around the office first and discovered that the secretary had pi written down on a piece of paper.

Why would a secretary need pi out to 5 decimal places?

That gave him the hint he needed, that perhaps Hoffman was using significant mathematical constants for combinations. It turned out that he was currently using Euler's number (2.718281828...) as the combination for all of the cabinets. Feynman left a note in one cabinet that said "When the combinations are all the same, one is no harder to open than another."

Exploiting Vulnerabilities and Common Passwords

As noted in this article and accompanying video, Feynman fiddled with the combination safes at Los Alamos and discovered that in order to open the safe you didn't have to try every possible combination. If the lock was set to 20, for example, setting it to 19 or 21 would also work because there was some tolerance in the dial. This reduced the number of possible combinations from a million down to just 8,000!

Of course, he would start with some commonly used numbers (birth dates, independence day, pi, etc) first, but if he did have to brute force the combination, it would take him about 10 hours or so. Because he realized that most people would choose a significant date, though, he often could brute force the combination in just 12 minutes or less!

Safe Image By Binarysequence (Own work) [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons

Not changing the default password.

Feynman recalled that the General in charge of the entire project had this massive safe in his office. He was truly impressed by how solid and secure it appeared. However, at the end of the project as they were dismantling the base, there was a need to open the massively impressive safe to make sure there were no secrets still stored there.

The general was gone, and so they called in a locksmith to open the safe. Feynman had been thinking the man would spend hours trying to crack the combination, or would perhaps be forced to use a blowtorch to open it. However, just a few moments after going into the office, the locksmith came out and said that the safe was open.

Flabbergasted, Feynman asked how he had opened it so quickly. Well...wouldn't you know it, the General had never changed the combination from the default, which was 0 - 0 - 0.

Modern Day Security Best Practices.

That leads us to today. Here are some commonly accepted best practices today which dovetail nicely with Feynman's adventures:

1. Don't use the same password for every site

2. Don't use a short or easily guessed password - this includes passwords that may be significant to you, such as your date of birth or wedding anniversary.

3. Don't write down passwords for all to see!

4. Always change the default passwords when you obtain a new device - this applies to laptops which may come with no password set, routers and IoT devices with a default password, and so forth.

Better Still — Get a Password Manager

Having a password manager (don't use the browser password manager!) is a great way to resolve these problems, though you will want to pick one tough password that you can remember and further protect your password manager by using multi-factor authentication.

Bonus Security Lesson

As noted in the "Now I Know" article, a roommate of Feynman's actually did steal Atomic Bomb secrets and gave them to the Soviets, right under his nose! Ironic.

It's quite common that we forget about the insider threat.

We don't want to suspect our coworkers. It doesn't feel polite somehow. But it is a serious problem in many organizations, particularly in Healthcare.

If you'd like to learn more about the insider threat, check out this great brochure from the FBI. (This brochure on elicitation is quite fascinating as well!) Stay secure my friends!

If you would like assistance building out your Security program, please contact me!

References

1. https://nowiknow.com/why-stealing-americas-nuclear-secrets-was-easy-as-pi/

2. https://www.openculture.com/2013/04/learn_how_richard_feynman_cracked_the_safes_with_atomic_secrets_at_los_alamos.html

3. https://www.wired.com/story/best-password-managers/

4. https://www.techtarget.com/searchsecurity/definition/two-factor-authentication

5. https://www.fbi.gov/file-repository/insider_threat_brochure.pdf/view

6. https://www.fbi.gov/file-repository/elicitation-brochure.pdf/view