Cybersecurity and Shakespeare - a brief look at how technology can prevent tragedy

Shakespeare, famously, shunned computers. Like some sort of retro hipster, he didn't write his plays on a laptop, refused to use spellcheck, and didn't register his copyright on the blockchain. Lord, what fools these mortals be!

What would Shakespeare's plays have been like if their characters understood basic cybersecurity? Now, it is true that very few of his plays feature computers, but modern cybersecurity is more about human behaviours than it is any specific technology.

Verifying messages

Who sent this letter? Has it been tampered with in transit? Are its contents genuine? These are all questions we should ask whenever we receive a message. Understanding the provenance, integrity, and authenticity are all important strategies which help us stay safe.

Alas! Poor Malvolio does no due-diligence on the letter he supposedly receives from Olivia. The contents, forged by Olivia's maid Maria, convince him that Olivia is in love with him.

Now, in fairness, Maria says:

I can write very like my lady your niece: on a forgotten matter we can hardly make distinction of our hands.

Malvolio does his best to verify that the message is written by Olivia:

By my life, this is my lady's hand these be her very C's, her U's and her T's and thus makes she her great P's.⁰

But this is a message he has literally found on the ground. It isn't delivered directly to him. There's no wax seal (although Maria might have stolen that).

The nearest Malvolio comes to authenticating the message is noticing that it says:

Remember who commended thy yellow stockings, and wished to see thee ever cross-gartered: I say, remember.

He thinks back and comments:

She did commend my yellow stockings of late, she did praise my leg being cross-gartered;

This is a trick that every scammer uses. Find a piece of common knowledge and weaponise it. Whether it's knowing the first few digits of your credit card (common across banks) or knowing that you had a recent transaction at Amazon (statistically likely) - scammers will make you think they know some secret information about you. How many people were around when Malvolio heard Olivia commenting on his stockings? Did he even notice Maria hanging around the background?

Similarly, in King Lear, Edmund forges a letter from his brother and presents it to Gloucester, his father. Gloucester cannot believe the letter's treasonous contents and attempts to verify the message:

GLOUCESTER: My son Edgar! Had he a hand to write this? a heart and brain to breed it in? When came this to you? Who brought it?

These are excellent questions!

EDMUND: It was not brought me, my lord; there's the cunning of it; I found it thrown in at the casement of my closet.

Imagine that you have received a forwarded email. The contents at the top you can verify, but the quoted content may be a forgery. So Gloucester tries another method:

GLOUCESTER: You know the character to be your brother's? EDMUND: If the matter were good, my lord, I durst swear it were his; but, in respect of that, I would fain think it were not. GLOUCESTER: It is his. EDMUND: It is his hand, my lord;

Does Gloucester not know his own son's handwriting? He has outsourced verification to the person presenting the message and makes no attempt to further authenticate this letter of dubious provenance. He is, as Edmund comments, "A credulous father!"

Now, Shakespeare didn't have access to DMARC¹, but the basics of message verification are universal. Sender verification needs to be completed and extraordinary claims require extraordinary evidence.

Identifying People

It seems that every play by Shakespeare involves mistaken identity. For some reason that I don't understand, Queen Elizabeth refused to issue her subjects with biometric identity cards conforming to ISO/IEC 19794-2. She was a cream-faced loon.

In Comedy of Errors, the various Dromios would not have received such abuse if only their masters and mistresses had bothered to engage in positive identification. In a zero-trust architecture, the servants' credentials should have been repeatedly checked before every interaction.

ANTIPHOLUS OF SYRACUSE: This purse of ducats I received from you, And Dromio, my man, did bring them me. I see we still did meet each other's man, And I was ta'en for him, and he for me, And thereupon these errors are arose.

It's really easy to take something on trust. Just because a user in your system looks legitimate, it doesn't mean that they are who you think they are:

DUKE SOLINUS: Stay, stand apart; I know not which is which. ADRIANA: Which of you two did dine with me to-day? ANTIPHOLUS OF SYRACUSE: I, gentle mistress. ADRIANA: And are not you my husband? ANTIPHOLUS OF EPHESUS: No; I say nay to that.

Back to Twelfth Night. Viola would never have been able to assume a new identity and found work if Duke Orsino had checked her ID. Indeed, any of the hundreds of mixed-up characters could have been unmasked, if only people were prepared to challenge them.

What have we learned today?

This is a blog post written by an idiot, full of sound and fury, signifying nothing.