Fairy tales and firewalls: bridging myths with modern security with Luca Vigano

November 19, 2024
Cybersecurity is complicated; weird acronyms, massive risks and arcane skills. How do we teach or learn about cybersecurity in human ways?

In this episode of SecureTalk, host Justin Beals is joined by cybersecurity researcher Luca Viganò to discuss his innovative approach to demystifying cybersecurity concepts using fairy tales. Luca shares his passion for making cybersecurity accessible to both experts and the general public by employing storytelling techniques. Key topics include multifactor authentication explained through 'Cinderella' and password security inspired by 'Alibaba and the 40 Thieves.' Luca's insights are based on his acclaimed article 'Cyber Security of Fairy Tales.' This episode provides a fresh perspective on engaging non-expert stakeholders and underlines the importance of a socio-technical approach to cybersecurity.

00:00 Introduction to SecureTalk

00:34 Host's Background and Passion for Storytelling

03:07 Introducing Luca Vigano

04:49 Luca's Journey in Cybersecurity

06:47 The Power of Storytelling in Teaching Security

08:10 Fairy Tales and Cybersecurity

18:43 Cinderella and Multi-Factor Authentication

34:06 Alibaba and the 40 Thieves: Lessons in Security

40:30 Show vs. Tell in Security Education

44:39 Future Work and Conclusion

Article: Luca Viganò, The cybersecurity of fairy tales, Journal of Cybersecurity, Volume 10, Issue 1, 2024, tyae005, https://doi.org/10.1093/cybsec/tyae005


Secure Talk - Luca Vigano

Justin Beals: Hello, everyone, and welcome back to Secure Talk. This is your host, Justin Beals. If you've been joining me for these episodes that we record, you'll know that I have been working in computer science professionally for well over 25 years at this point, and certainly, I have enjoyed every part of that professional work, especially inventing new products and delivering something from concept to value for a user.

But before embarking along my professional career of computer science, I really believed that I wanted to work professionally in the theater, and I spent a lot of high school time acting, and in college acting as well, while learning scenic design and lighting design, directing and a lot of the aspects around what is broadly storytelling.

I've always been fascinated by storytelling. I think that we communicate it as humans in these constructive cycles of knowledge and information, and we replay the tropes and memes, if you will, the concepts and plots over and over and over again for completely different subject matter at times. 

But as a way of talking with each other and discussing our concerns, of elaborating on what we are hopeful for and of identifying our commonalities, stories drive that communication, and great teachers invent ways of storytelling around concepts that don't lend themselves to a liberal arts interpretation, just like computer science. As I progressed in my career from being an engineer to being a CEO, to being a chief technology officer, and many of the roles in between, one of the most critical skills that I had was the ability to both construct and deliver effective storytelling around technology and the products that we offer.

Recently, I was browsing the journals that I read on the computer science side, especially in cyber security, and I came across an article called “The Cyber Security of Fairy Tales” and was instantly attracted to the concept. We have today a guest with us that's both impressive in their technical expertise around cybersecurity, but also an amazing teacher.

So I'm really excited today to introduce Luca Vigano. Luca is a professor at the Department of Informatics at King's College London. He holds multiple roles at the university, such as International Engagement and Service Ambassador, Vice Dean, Enterprise and Engagement in the M.E.S. faculty and head of the cyber security group within the Department of Informatics.

In his research, Professor Vigano focuses on developing formal and automated approaches based on mathematical logic to model and analyze security protocols, web services, web applications, socio-technical systems and cyber-physical systems. He works on explainable security, and he also integrates elements from plays, movies, novels, and popular culture artworks into his cryptography and security modules, which students find engaging and innovative.

I had an exceptional time talking with Luca. I'm sure you'll enjoy as we crack open why fairy tales are so closely aligned with the concepts of cybersecurity. 

---

Hello everyone, and welcome to SecureTalk. This is your host, Justin Beals. We have an exceptional guest with us today, Luca Vigano.

Luca, thanks for joining us today on SecureTalk. We really appreciate it. 

Luca Vigano: Oh, it's my pleasure, Justin. It's very nice to be here. 

Justin Beals: Excellent. Luca, you have a broad set of work, research work especially. And one of my initial questions for you was really, what inspires you about the security work that you're doing?

Luca Vigano: So I've been working in security for more than 25 years now, and I have been passionate about it ever since. You know, I find security an exciting topic and a very, very interesting topic, especially because of its diversity and the fact that you have to interact with a large number of different people. You know, I interact with fellow academics, with developers, with technocrats, but I also interact with the general public, and in particular, I've been interacting more and more with the general public lately.

So my, my main inspiration, my main passion project these days is how to explain security and cyber security and everything, you know, I mean, the Cybersecurity notions, the cybersecurity properties, the solutions, the attacks, the vulnerabilities, the fixes, and how to explain them to such a large variety of stakeholders and how to find the appropriate language to actually communicate that.

Justin Beals: Yeah. It's interesting that you mentioned the broadness of the security topic. One of the things that I've learned in the past five or six years in working in security is it's almost like finance. When I think about a business, it touches every aspect of what a company does or an organization, you know, to your point.

Luca Vigano: Absolutely. Yeah. 

Justin Beals: And in that framing, you know, we have these situations in my work as a CTO, and now as a CEO, I find myself having to describe to people very technical concepts or complicated concepts in ways that aren't their expertise. And I think it must be as a teacher as well. You know, this is part of that joy in providing that storytelling expertise for folks.

Luca Vigano: Exactly. And, you know, this is what I noticed when I started teaching security. And in particular, I've been teaching a variety of different courses. I taught network security. I taught system security. I taught to some extent security engineering, but in the last few years I've been teaching cryptography.

And these are obviously very technical courses and rightfully so, you know, students need to have a solid background. So they need to know the mathematical concepts, they need to know the implementations, they need to know how to use different tools and everything, but they're also very dry. And sometimes it is not just a little bit boring. I mean, I think we can be honest, you know, sometimes it is a bit boring to explain these things and I can imagine how boring it can be for the students. But it is also, and I'm going to use that word again, dry. You know, students are often overwhelmed with a lot of mathematics, a lot of computer science, but it's not just that, there are also the technicalities and everything.

So I've been trying to use storytelling to make it a bit more interesting, but also challenge the students a bit more because, you know, sometimes I noticed students and even more so the general public, you know, when I give my talks to the general public, you know, public science talks, I noticed that people are a little bit scared by all that technical language.

And so I've been using storytelling, I've been using, you know, films, in particular the huge amount of films about cyber security, about hackers and the like, but I've also been using other forms of storytelling and in particular fairy tales to try and make people understand that in many cases, things are indeed technical and they should be.

But the main ideas, you know, the foundational ideas, they are already present in our cultures, in our societies. Obviously they've been implemented, they have been made digital, let me put it this way, but the core ideas are there. And if people understand that, then, the fact that there is a technical language becomes a little bit less scary, and they can understand a bit better how it relates to them, to their lives, in particular, the general public, but also my students, you know, how they can actually relate what they know from their lives, maybe the movies that they've seen, or the fairy tales that they remember, to the actual digital reality.

Justin Beals: Yeah, certainly. I think that people need, like, a story, a plot, basically something to hang a concept on when we're learning, right? Like we need a metaphorical approach, the bones to put the meat against when we're learning new things. Yeah.

And you, the thing that, I, you know, I was doing research for a guest of the podcast, and I love looking at academic papers that have recently been written in the security space. And I came across yours, “The Cyber Security of Fairy Tales”, and was just shocked. I was like, Oh my goodness, what an incredible topic. So maybe you can tell us a little bit about just how you came across this idea of utilizing fairy tales. Were there fairy tales that, you know, you were utilizing in class, or did someone relate this to you?

Luca Vigano: So it really all started in my lectures. So I should start by saying that I'm the son of a computer scientist, my mother, and of a movie and theater critic, my father, and I'm kind of the perfect product of my parents. So I have an interest in computer science. Obviously, that's my job, but I've always been interested in computer science, in theater, in movies, in storytelling. I'm also a playwright. So, you know, I've always been interested in that.

So when I started teaching at university, and I've taught at a number of different universities by now, I always try to bring in some references, as I said, to the artworks, to movies in particular, because that is often, you know, an easier point of connection with the students.

However, I noticed that I'm getting older, and the movie references that I make might sometimes be a bit obscure for the younger generation. You know, I've been using in my cyber security lectures movies like Casablanca or Spartacus or the Life of Brian and so on.

And to be honest, not every student has even heard of these movies. Obviously, if I talk about the Avengers or the DC comics, then yes, of course, they know what I'm talking about, but the older movies, they struggle at it. So I actually started doing research on this because I found it very interesting, and I found out that there are a huge number of colleagues, of academic colleagues, who have been researching how to use movies in particular, but also other forms of storytelling, to convey technical concepts.

So for instance, movies are used to teach business, to teach philosophy, to teach psychology, not so much for mathematics and mathematical subjects, but a little bit of that as well.

So I started learning, and I started actually writing a number of papers myself on how to use movies to teach cybersecurity. I did some experiments, you know, whether it works or it doesn't, and it often works, but not always. Sometimes you need a mediator, and so on. So I obtained some very, very interesting results.

But I did notice that, indeed, some students, in particular the younger generation, really struggled to understand some of the movie references, because it works better if it is a movie you're already familiar with. You know, Star Wars, yes, because even though they were not born when the first Star Wars movies appeared, they have seen them probably, but the other ones not.

So I thought, okay, how can I fill that gap? How can I find something that is closer to them? And then somehow I immediately stumbled upon fairy tales because fairy tales are something that obviously, you know, a 20-year-old or something, they will have an ambivalent relation to fairy tales because they will love them because it reminds them of their childhood, you know, maybe their parents or the grandparents read out the story to them to allow them to sleep. So it works fine. But obviously now they also have the desire to be adults and, and, and, and, you know, a fairy tale is something for kids, but still it works. 

So I tried it with my students first, you know, I started sneaking in some fairytale references, and I noticed one additional thing which is very important.

So I've been working now for the last 11 years at King's College in London, and our student population is very diverse, is very international. And sometimes movies are not as international as we think them to be. Fairy tales, on the other hand, especially the classic fairy tales, they are incredibly international.

Because not only people will have probably seen the Disney version, or the Disney-related version, you know, not necessarily shot by Disney, but some, some other company, but, so the animated version, but they will have heard a variant of that story when they grew up, no matter in which part of the world they grew up.

You know, I found out one of my favorite examples, and I'm sure we'll discuss it later in more detail, is Cinderella. There are hundreds and hundreds and hundreds, I think almost close to a thousand, variants of Cinderella throughout the world, and basically every single culture has developed a fairy tale that is extremely similar to the main ideas in Cinderella.

Now, obviously, there are variants, there are differences, whether it's a prince or a sultan or somebody like that, or, you know, it doesn't matter, but the core idea is there. So I found that fairy tales are a perfect way to actually do that. And, by the way, I'm not the first one to have noticed that. I mean, there is a plethora of books on how to use fairy tales for psychology in particular, for, you know, for philosophy and all these other things.

But I did find out that using fairy tales in technical subjects, and in particular in cyber security, is not such a common idea. I mean, there are a handful of people in the world who have been doing research in that. And I cite them in my paper, and I'm in contact with some of them, but for technical subjects, it's not that developed.

So I thought, okay, let me try and contribute to that. And so I started collecting, I have a huge database by now, I started collecting examples, and after many years of teaching, I decided to write up a paper. I'm currently trying to write a book also on it because I think that it works.

Justin Beals: It is stunning to me in a way, and this is outside of the realm of security, that culturally, humanity is more congruent than we think a lot of times. You know, the idea that the concept of the Cinderella story is told in a lot of different cultures, to me, is amazing in a way, because we think of these stories as more culturally appropriate to our time, space and population that we exist in, but the archetypes draw well beyond it.

It gives me a sense of shared humanity. What's really amazing to me, Luca, and this is outside of the realm of security, is that these stories cross cultural boundaries, cross time and across humanity. And, that, to me, gives me just a sense of shared culture for us as human beings. It's a sense of hope, I think when we see that.

Luca Vigano: Absolutely. You know, it, for me, it's a perfect metaphor of the fact that, you know, we are all on the cyber security boat. Right. So we, you know, to make our systems secure and prevent attacks from happening and the like, we all need to cooperate in one way or the other, you know, and it's not just different stakeholders, you know, the developers of a system or of an app, the people in marketing, the users, obviously they need to cooperate to make it secure, but I'm also thinking, you know, internationally, you know, we, we are an international community of users and we all contribute to making a system secure, or insecure.

And that kind of sharing and that kind of community is exactly well reflected in the fact that we all share some basic stories that have become either part of our mythology or part of our fairy tales. And obviously fairy tales are a form of mythology, in many cases actually derived from the myths and popularized to make them less about the gods and more about the humans.

But that shared sentiment is something very, very important. And, you know, many psychologists have written actually on the power of fairy tales to really represent culture and myths and everything. So I think I'm standing on the shoulders of many, many giants here in using fairy tales for that purpose.

Justin Beals: Okay. So let's crack into it. I was talking with my team yesterday and I was telling them, Oh, I'm going to do this really amazing recording with Luca. And I said, what I'm reading is his paper, and it's talking about multi-factor authentication and fairy tales in the beginning of the paper, and they were like, no way.

How do you cross-connect fairy tales and multi-factor authentication? So, Luca, maybe you can help them here and share this correlation. You have two fairy tales in the beginning of the book that help exhibit, yeah, these relationships.

Luca Vigano: So let me start with my favorite, also the most powerful one, Cinderella.

So in case people are not familiar, I'll give a very, very quick synopsis and explain why it is actually a story about multi-factor authentication. So Cinderella's mother dies, and her father marries again. He marries a woman who already has two daughters from a previous marriage, and Cinderella goes to live with the stepmother and the stepdaughters.

Now, there are many different variants of the story, but more or less all of them agree that the father of Cinderella disappears from the picture at this stage. So basically Cinderella is living with her stepmother and the two stepsisters. But the stepmother and the stepsisters treat her poorly and basically use her as their maid. That's it.

And so Cinderella lives in the ashes, literally, like her name says. The prince gives a ball to marry, and every maiden is invited, and Cinderella, by some magic, depending on which version of the story, the mother or a fairy godmother, it doesn't really matter, Cinderella goes to the ball. She dances all night with the prince, who falls madly in love, but at midnight, when the magic is about to expire, Cinderella runs away, and in running away, she loses one of her glass slippers, and that is the only thing that the prince now has to find who that mysterious girl is.

So he orders the Grand Duke or one of the soldiers, it doesn't matter, to go and visit every single maiden in the realm and the kingdom and find the one girl whose foot fits the shoe. Now, when I was a kid, I was a bit puzzled by this. I remember it very distinctly. I was very inquisitive, I was a little bit of a nerd. And I said, how is it possible that there is only one girl in the kingdom whose foot fits the shoe? I mean, it can only be if the foot is immensely huge or really tiny, but obviously, it's a fairy tale. It doesn't matter that much. And actually, in some variants of the story, the shoe is magical and adapts itself to the owner.

But what is important is that the shoe is an authentication factor. So, the mysterious girl is going to be identified, or in other words, she will prove to be the mysterious girl, by putting on the shoe, and if it fits, it's the girl that the prince has fallen in love with. If it doesn't fit, then we go on searching. This single authentication is not much different from me looking at my phone to unlock it because it sees the biometrics of my face, or using my fingerprint, or, you know, even typing in a password. And we all know that single authentication is weak, because it's actually not that difficult to attack one single authentication factor. You know, people might guess my password, they might steal my fingerprint or my face, or they might mimic it.

And indeed, this is what the evil stepmother decides to do. Because she wants one of her daughters, she doesn't know that Cinderella is the mysterious girl, but she wants one of her daughters to marry the prince. But the problem is that the daughters' feet are too big. So what she does is she mounts an attack by cutting off the toe of the first daughter so that the shoe fits.

And later she will cut the heel of the second one. But there is a problem in doing so. The Grand Duke is fooled into accepting this girl as the mysterious girl. But when the shoe is on, and the prince thinks that he has found the mysterious girl, actually blood is dripping from the shoe. And if you have a good monitor, depending on the version of the story, it's either some birds or one of the soldiers who notices the blood, then the attack is thwarted because your monitor identifies, oh, there is an attack going on, there is blood dripping from the shoe, and they see that the foot has been mutilated.

So, the attack is thwarted. They keep on searching when they finally, finally arrive at the place where Cinderella is working. So in the, in the ashes, in, you know, in the, in the kitchen, they let her try on the shoe and the shoe fits, but then they worry, Oh, could it be another attack?

You know, it could be somebody else pretending to be Cinderella, but Cinderella has the second shoe, and that is the second authentication factor. So not only can she prove her identity by something that she is, so the size of her foot, which is one authentication factor, but she also proves it by another factor, namely she possesses the second shoe. So that is the second authentication factor.

And multi-factor authentication also comes in handy when there is an attack, because in the Disney version of the story, some people would remember that actually the evil stepmother shatters the glass shoe. So one authentication factor is failing, but the second authentication factor, so the shoe that Cinderella possesses, comes as the recovery factor.

So Cinderella is really a story about how you can authenticate using multiple factors and be sure that this is indeed the mysterious girl. 

Justin Beals: It is brilliant. I have to say, Luca, this corollary between the Cinderella story and multi-factor authentication. I personally have struggled, and I've used multi-factor authentication for 25 years now in different realms, to explain to people why it was more valuable.

They're like, well, why do I have to do all this extra work? What is the point? And reading your paper and the story of Cinderella and starting to line up where multi-factor authentication was, I was like, Oh, I can so easily now explain this to any layperson. Like they will get why this thwarts an attack. Yeah.

Luca Vigano: Yeah, and they will affect me. They will also be entertained. So it will be, and I've done experiments on this. You know, there is an entertainment factor and there is a sense of belonging in a sense. You know, they feel that they're part of the explanation because the story is so close to them.

I mean, almost everybody knows Cinderella. Most people will have seen the Disney version or one of the many non-animated versions. You know, there've been a number of them over the years with real-life actors, and they all more or less respect this. Now, you know, there are variants and everything, but it feels close.

Justin Beals: Well, and the variants to me that are so interesting is, of course, I think about the Disney movie the most. I think that's how I was generally introduced to the story. Some of the variants are more grim, you know, with the hacking away of toes and things like that. Yeah.

Luca Vigano: You have passing the,

Justin Beals: Those parts of the story really help illuminate the security risk in a way, and we see people that will go to extraordinary measures, of course, in the cyber security space to perpetrate the outcome that they want. So, you know, I want to quote you from your article. You state “repulsion and lack of trust might lead users interacting with systems in ways unbeknownst to the users and possibly even to the developers and administrators of the system, to be vulnerable to attacks”.

And the more I work in security, the more impressed I am that the people problem is more important to solve sometimes than the technical problem. And even when we're developing a technical solution or finding a technical problem, people are a part of the solution. Do you see this, you know, challenge of us acting as security professionals in engaging our constituents? Is that part of the inspiration here?

Luca Vigano: It is exactly the starting point of the inspiration. So I think we absolutely need to see security as a socio-technical problem. So it is obviously a technical problem. You know, we need to come up with solid cryptographic algorithms. We need to use them in the appropriate way.

We need to have proper technical solutions. Absolutely. But it's also a social problem. You know, we cannot forget the human component, you know, and part of the reason is obviously, there is a saying, you know, humans are the weakest link, and they are, and we need to recognize that, but I'm also a bit tired of many security experts who end up blaming the users.

Obviously, the users are to blame, you know, they are part of the problem. But I think that in many cases, if we are honest, we security experts, and I put myself in the mix, we do share the responsibility and the blame. Because, you know, if we don't explain things properly, if we don't involve the users in not necessarily the development of the solutions, but at least in the society that we're trying to build when we actually want to protect the system or protect an application, we all need to cooperate.

And obviously, we can't. You know, I come from a very formal background. I've been using formal methods and mathematics. That is what I mostly do in my security activities. You know, I come up with formal models of systems, and then I use automated reasoning to try and find attacks or to prove the absence of attacks, which is not always possible, but in some cases, it is.

I come from a really mathematical background, you know, and I could give you a proof that there is an attack, or I could give you a proof that there is not an attack, but that proof will be written in a language that is very inaccessible to non-experts.

Justin Beals: Yeah. 

Luca Vigano: And obviously, we can't use that language.

On the other hand, we can't even expect users to read manuals, especially now that we don't even give them a manual. You know, when you buy a smartphone these days, you don't get a manual because the idea is that it is so intuitive to use that you don't need a manual.

And in many cases it is. But for things that pertain to security, I think that the absence of a manual is a problem. Obviously, a full manual would always also be a problem. So we need to find a different way to communicate. And what I've been advocating is that we need to tailor the explanation to the recipient. And for some people, in particular for laypersons, we need to change the narrative that we use, and we need to change the language.

It's not good to scare them. You know, we can't keep scaring them. You know, oh, you need to be careful, because what I've noticed is that especially senior citizens will then simply say, you know what, then I'm not going to do it at all. On one hand, we tell them you need to do Internet banking, which is great, e-banking, you know, it's an advantage for everybody, but then we tell them about all the dangers. And then what I've noticed is that many, many citizens will simply say, Oh, you know what? I'm not doing that because I'm so afraid that I'm going to make a mistake. And then I lose all my money and, you know, my little pension and everything. So people are scared.

Justin Beals: Yeah. 

Luca Vigano: And so we can't just scare them, you know, we can't just repulse them away from the systems. At the same time, we can also not tell them, Oh, but you absolutely need to learn because it is your responsibility. At some point, they'll say, I'm not going to do it, or they'll be so overwhelmed that they'll make mistakes simply because they're nervous and stuff like that.

So changing the narrative and changing the language is a good way to break the ice, then to make them feel a bit more that they are part of the system, part of the problem. And then, of course, in some cases, you will also need to give a technical explanation. So I'm not saying forget technical explanations, I'm just saying, find a good entry point, start a conversation, and then depending on what you need to achieve and who you're talking to, you can continue, you can become more technical or less technical, or you can just stop there.

In some cases, it's enough to stop there. 

Justin Beals: Yeah. I have this complaint as well, that so much of the major breach alert is about the fear, uncertainty, doubt issue, you know, and we terrify people in a way, whether they're users or even highly technical folks, software engineers, cybersecurity ourselves. You know, telling a horror story can be exhilarating in the moment, but I don't think it carries the same cultural kind of full circle of a story that has a beginning, middle and an end, an outcome in a way, or a way of thinking that you're a part of the story. You have this phrase in your paper, you know, it's a wily and wicked world. And it was a wily and wicked world. I mean, maybe Red Riding Hood was a little more afraid of the wolf than we are of identity theft, you know. Do you think that our immense use of technology, especially digital technologies, has really changed that? I feel like we're living in the same, you know, humanity that we always have in a way.

Luca Vigano: No, no, of course, of course we do. And that is part of the observation, right?

So things have not really changed that much. I mean, the medium has changed, you know, the fact that much of our infrastructures and much of our communications are now in cyberspace, that is a huge difference, you know, compared to a few years ago where everything was on paper, but ultimately the main issues, the main problems, they're very, very similar.

And that is exactly the similarity in fairy tales. You know, many of the fairy tales are about identity, proving that you are indeed who you claim to be. And they are about authorization. You know, what are you allowed to do? They're about confidentiality, about secrets being kept or not kept. They're about integrity, you know, letters.

In many fairy tales there are letters where either the devil or some evil man or woman changes the content of the letter to make something bad happen, so that the recipient thinks that the sender is not in love with them anymore, or something like that. These are exactly the problems that we encounter online, at least the main idea.

Then of course, technology has changed it because it has changed the way we communicate. Great. But the main idea is still there. Technology has provided also a huge number of solutions, but actually, many of the solutions are inspired by things that we have been doing all along. You know, the fact that a good way to authenticate yourself is to have a secret that you only reveal in certain moments and only to certain people, which is the basic idea behind the password, that is something that exists already in our mythology, you know, it exists in the Odyssey, it exists in the Epic of Gilgamesh, and many books that were written thousands of years ago. 

So, yeah, there is this fantastic dichotomy between, you know, the, let's say the real world and the cyber world, but they're actually much closer than we think that they are.

Justin Beals: Yeah, actually, and on that point, especially around passwords, I wanted to dive into another fairy tale that you write about. I thought it was brilliant. Can you tell us a little bit about Alibaba and the 40 thieves? 

Luca Vigano: Of course. I mean, Alibaba and the 40 thieves is a gold mine for cybersecurity. I mean, it's so full of references and everything.

I mean, to be fair, it's also one of the longest fairy tales that we know, you know, it's about 40 pages, whereas Cinderella is eight or 10 pages or something like that. 

Justin Beals: Yeah, 

Luca Vigano: So basically what I mean, let's, let's talk about passwords. So what happens is, you know, Alibaba is a poor woodcutter, and he goes into the woods like in every good fairy tale.

Somebody at some point goes into the woods and, uh, and he is cutting wood when he hears the noise of some horses. And so he hides on top of a tree and he sees 40 thieves on 40 horses coming and stopping in front of a rock. And the, the head of the, you know, the first thief, let me put it this way, you know, the master of the thieves, he opens the rock by uttering the magic words "open sesame", which is the password.

So the rock opens and it reveals that there is a cave inside. So the thieves disappear inside the cave. They, we don't see them, or in some stories we see it. They deposit the loot of the latest robbery, and then they exit. And when they exit, the chief of the thieves says the password to close it, namely "close sesame".

So these are the two passwords. Now, what happens is that Alibaba is hiding on top of a tree. He has essentially eavesdropped on the password. So now he knows the password because he has listened to that. So what he does is he climbs down and he's curious. He says, open sesame, close sesame. The cave opens, he enters, he finds this huge amount of, you know, gold pieces and treasures and everything, but he is an honest man.

I mean, he is very, very poor. He needs to feed his family, but he is fundamentally honest. So the only thing that he takes is a small bag of gold coins. And just so, he leaves the cave, "close sesame", he returns home. Alibaba has a brother called Kasim, and Kasim is not only rich but also extremely greedy, so much so that he gives none of his money to Alibaba.

And he finds out, I mean, I'm making a very long story short, Kasim finds out that Alibaba has actually found some gold pieces. So what he does is he coerces, which is, again, a kind of attack. So he forces Alibaba into revealing what happened and into revealing the password to the cave. And so he decides, Kasim decides, okay, I'm going to become even richer.

So he takes two donkeys in order to, you know, to bring home as much treasure as possible, goes to the cave, says the magic words, open sesame. The cave opens, he enters, and he is blinded. I mean, it's, it's a wonderful passage in the fairy tale. He is blinded by all the gold, by all the jewels and everything.

So much so that when the cave door closes behind him, he forgets the password. And again, who of us has not forgotten a password? Right?

Justin Beals: Yeah. 

Luca Vigano: He starts inventing, you know, different variants because he remembers it's open something, but he doesn't say Sesame. He says a number of different things. And while he does so, the thieves come back, they open the door to the cave, they find him inside the cave, and they kill him. Yeah. And then the story goes on in a number of different ways, and you know, I think we can't use all the time to talk about it, but you know, it is about eavesdropping, it is about passwords, it's about coercion, and then later there is a whole part of the story that is about anonymity, and attacks over multiple steps, so basically advanced persistent threats, about masquerading and the like, but I found this example of the password and of somebody who forgets the password.

I mean, how much more human can you be? I mean, he's greedy. Yes. And then, I mean, he dies, unfortunately, killed by the thieves, but you know, it's, it's what happens to greedy people in fairy tales, but I found it so brilliant that he forgets the password. I mean, we have all done it. Right. If we're honest.

Every single one of us has forgotten a password at least once in our lives. Maybe not because of greed, but you know, it happens. 

Justin Beals: I found this story so brilliant, both for the password side, the coercion aspect, which was absolutely intriguing. The, way the hack was perpetrated by two different actors.

You know, we have Ali here taking a little bit of gold. Not making a big impact, being very small and another style of hacker that is like wallowing in a big way. It was really brilliant, and in reading it, I could see, and I can sit here in this conversation, Luca, and take in this story and also learn a lesson.

Maybe that's the point of the fairy tale at the end of the day, right? 

Luca Vigano: That's exactly the point, you know, what, what does it teach us about the world we live in? And surprisingly, you know, fairytales teach us a lot about the digital world we live in. That is, you know, that is what astonished me. But what I also find so fascinating, you know, that they talk not just about morality.

I mean, many fairytales, you know, are really about you should not be greedy because if you're greedy, bad things will happen to you. Or, you know, you should be, you should love your neighbor in a sense, which is the message of many religions, but also of many fairytales and the like. So it works perfectly in that way, but it also works, I mean, not every single fairytale, but many fairytales tell a story about the digital world we live in as well. And that is fascinating.

Justin Beals: Yeah. I wanted to empower, especially our listeners that are security leaders and trying to educate their constituents around security issues and challenges. A couple things, you know, I studied a lot of theater in school, I was really interested in it and I was surprised to find an Anton Chekhov quote in your paper. And you say, and this is a loose quote, so I'm a little careful, but what I read is, "Don't tell me the moon is shining, show me the glint of light on broken glass". Can you talk to us a little bit about, for security experts, show versus tell in their work?

Luca Vigano: So, absolutely. I mean, I should say, you know, I'm a playwright myself. I love, I mean, I love Anton Chekhov both as a playwright. I mean, I think he has written some of the best plays ever written, but also, I love his literary works, you know, his short stories and the like. And this quote, which, as you say, is not exactly what he wrote. It comes actually from a letter that Chekhov wrote to his brother because his younger brother also had literary ambitions. And, and so Chekhov gave him the following advice. He told him, listen, you know, you could tell me that something is happening. You know, you could describe it, you could say, Oh, the moon was shining, but that is boring.

That is not going to, especially in theater, but also in, you know, in prose, that is not going to intrigue me as a reader or as an audience member because, because you're telling me a fact. And that's it. It's much more intriguing if you don't tell me the moon is shining, but you tell me, and you show me things like, you know, there is some broken glass, and there is a glint of light coming through the window on the broken glass, and it's nighttime.

So that I, the audience member, I'm forced to let that seep into me, and I'm forced to make the inference, aha, it is because the moon is shining. And this is one of the examples of a literary technique called show, and it's a literary technique that many writers use. I mean, Hemingway was a master of that.

Stephen King is a master of it as well because the point is you can write in a very, let's say 19th-century style. You know, I'm thinking about authors whom I really like, you know, like Victor Hugo or even Charles Dickens, who go page after page after page of description of, you know, the, the street where the main character is walking.

And that is brilliant prose. But often very, very detached from the emotions of the audience, whereas, and that is what, what is called telling, you know, you tell me that something is like that. And I nod my head, and I say, okay, yeah, I believe it. But if you show it to me rather than telling or, even better, if you tell and show me at the same time, then I, I'm much, I, the audience member, the reader, am much more intrigued, much more involved.

I am part of the problem. I'm not the problem. I'm part of the story, you know, because I need to fill in the gaps. I need to do a mental effort. And that mental effort is a rewarding mental effort. It's not one that, unless you're really way too abstract, it's not one that is too onerous for me as a reader.

And, so there are dozens of books written about show and tell and everything. And I thought that we should try to do something similar also for technical works. And indeed, there are a few people who have, who have, you know, investigated how it can be used for technical works. And I started thinking, okay, we should do it for cyber security.

You know, I'm all for technical explanations, telling, but I think that in many cases, we first need to start with showing fairy tales, movies, even music. You know, there are some songs about cyber security, which are a perfect entry point. And once you have captured the audience, then you can tell them. 

Justin Beals: Yeah, I think I don't want to sit through another boring security training again in my life. I'm going to work with R. C. So to bring in some fairy tales to the next one, um, Luca, this is an incredible topic. I want to highlight, though, for our audience that you're a deeply technical researcher. I'm still poring through some of your papers that are very mathematical and doing my best to translate it.

And we have to circle back, but what are, what are some of the next things that you're working on? What can we look forward to for me? 

Luca Vigano: So, well, first of all, I'm continuing the work on fairy tales. As I said, you know, I'm trying to, to, to expand my paper into a book, but I'm also, you know, giving a lot of talks.

So, uh, yesterday I gave a talk at a science festival here in the UK at Canterbury Festival. I've been talking in schools. I'm talking to senior people, because that is a, not only a very good way to, to disseminate the work, but also I get a lot in return. So many people come to me after the talk and say, Oh, do you know this fairy tale that my grandmother used to tell me?

And then my database grows and grows and grows. So it's perfect. So that's for sure. But I'm also working exactly on what I mentioned earlier on, namely social technical cybersecurity. So what I've been doing, and I have a couple of PhD students and a couple of postdocs who are helping me do that in addition to my colleagues in the UK and in other parts of the world is I have been working on how can we come up with mathematical models of the way in which users interact with the system. 

And this is in addition to usable security, you know, which is a fantastic discipline, a fantastic area of work that many of my colleagues are working on, which I find very, very interesting. But the idea for me is really to say, you know, I can come up with a mathematical model of the way, for instance, agents exchange messages in a security protocol, you know, when you do single sign-on or you authenticate yourself, you exchange messages using cryptography and great.

So I can do that, especially if these agents are programs because I know their structure. I know the code or I know their specification and I can do that. Now humans are a bit weird.

Especially lay people are a bit weird because, you know, if the, if the, the program, the protocol expects, let's say, a button to be pushed at a certain point, and this program is executed by a machine, by a program, you know, another program, the program will, the machine will push the button unless it is an attacker, but that is different.

But if it is an honest agent, it will do as told. Humans maybe will maybe push the button twice or not push it at all, or maybe push the button to the left or the one to the right. And they might do so for a number of reasons, you know, because they're curious, because they don't really understand the instructions, because they misunderstand them, or maybe because in some cases, you know, they're stubborn and they think, Oh, I know best.

I need to push this button, not the other one. So I've been trying to come up, also working with psychologists, come up with models of these kinds of behaviors and how to feed these mathematical models into the tools that I use for the analysis so that we can cover also the cases of the attacks that result from the mistakes of the humans.

So there are a number of us working on similar topics. And I think that this is becoming more and more prevalent because it's not just for protocols, it's for cyber physical systems, it's for all the systems where you have human interaction.

So I think that that is really one of the areas in security that will become more and more important as we move towards an autonomous world, but also a world that is semi-autonomous. So you have the presence of human beings who interact with programs. You know, I'm thinking about self-driving cars, where you also have a human at the wheel, and the human can override and stuff like that.

So there, you really need to understand what are the possible problems that can arise from the interaction. 

Justin Beals: Yeah, as so much of our data science work and machine learning also moves into replication from a database of human activity, we're going to just see those typical human behaviors and semi-autonomous ways be replicated.

We're going to see it out in the real world. Yeah. Luca, brilliant work. I, uh, love this conversation and really appreciate it and look forward to chatting again as, as your work progresses in the future. Thank you for joining us today.

Luca Vigano: Oh, thank you. It's been a pleasure.


About our guest

Luca Viganò, International Engagement & Service Ambassador for KCL; Vice Dean (Enterprise & Engagement) NMES faculty; Prof & Head of Cybersecurity Group, Dep. of Informatics, King's College London

Luca Viganò is a professor at the Department of Informatics at King's College London. He holds multiple roles at the university, such as International Engagement & Service Ambassador, Vice Dean (Enterprise & Engagement) NMES faculty, and Head of the Cybersecurity Group within the Department of Informatics. 

In his research, Professor Viganò focuses on developing formal and automated approaches based on mathematical logic to model and analyze security protocols, web services, web applications, socio-technical systems, and cyber-physical systems. He works on explainable security and he also integrates elements from plays, movies, novels, and popular culture artworks into his cryptography and security modules, which students find engaging and innovative.

Justin Beals, Founder & CEO, Strike Graph

Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.

Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.

Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.
