{"id":18490,"date":"2021-06-24T21:30:28","date_gmt":"2021-06-24T17:30:28","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/middle-earth-cybersecurity-dwarves\/18490\/"},"modified":"2021-06-24T21:30:28","modified_gmt":"2021-06-24T17:30:28","slug":"middle-earth-cybersecurity-dwarves","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/middle-earth-cybersecurity-dwarves\/18490\/","title":{"rendered":"Tolkien&#8217;s dwarves and their cybersecurity technologies"},"content":{"rendered":"<p>A couple of years ago, we <a href=\"https:\/\/www.kaspersky.com\/blog\/middle-earth-cybersecurity\/25846\/\" target=\"_blank\" rel=\"noopener nofollow\">reviewed the \u201cRing of Power\u201d botnet<\/a> created by famous cybercriminal Sauron (aka Annatar, aka Mairon, aka Necromancer). However, reports by famous cybersecurity expert J. R. R. Tolkien contain much more than just descriptions of the botnet\u2019s modules. For example, Tolkien frequently returns to information technology and security systems in discussions of the various races of Middle-earth. In particular, he describes several dwarven systems in detail.<\/p>\n<h2>The \u201cDoors of Durin\u201d backdoor<\/h2>\n<p>In the time of <em>The Lord of the Rings,<\/em> the ancient dwarven stronghold of Moria is deeply under the control of Evil. At some point, the dwarves became obsessed with mining Mithril (obviously a local cryptocurrency), let their guard down, and accidentally unzipped and launched an ancient rootkit named Balrog.<\/p>\n<p>The rootkit, a part of an APT campaign, had remained in the depths under the mountains since the time of Melkor, a famous hacker and former leader of the group in which the abovementioned Sauron started his criminal career. 
The group may also have had some interest in Mithril (the Balrog rootkit and the dwarven mining operation didn\u2019t end up in the same place by coincidence), but that\u2019s not explicitly mentioned.<\/p>\n<p>Anyway, dwarves built every bit of Moria\u2019s infrastructure, including the western backdoor called Durin\u2019s Door, also known as the Elven Gate. But after years of abandonment, no one remembered the password that granted access through the gate.<\/p>\n<p>Tolkien presented the process of Durin\u2019s Door opening humorously: Gandalf, having arrived at the gates with the Fellowship of the Ring, reads the inscription, \u201cSpeak, friend, and enter.\u201d Naturally, the password is <em>friend<\/em>. In other words, the dwarves made the same mistake as many modern office workers do, and left a sticky note with the password right on the computer. The password strength is barely worth a sneer; imagine how well that would stand up to a simple brute-force attack.<\/p>\n<p>It is especially funny that the inscription tells us exactly who screwed up: \u201cI, Narvi, made them. Celebrimbor of Hollin drew these signs.\u201d In other words, the inscription contains not only the password but also a couple of logins that clearly belong to privileged users. Many people use the same passwords for accounts in different systems, and one can assume the practice is not alien to other races. It\u2019s likely someone could use these logins and password for deeper penetration into Moria\u2019s systems.<\/p>\n<p>It is not clear who made the mistake \u2014 dwarf developers or Celebrimbor, a user \u2014 after all, the \u201cdoors\u201d were made for trade and cooperation between dwarves and elves. 
I lean toward the second version; dwarves tend to have much better security practices.<\/p>\n<h2>Steganography in Thr\u00f3r\u2019s Map<\/h2>\n<p>Tolkien describes one interesting example of dwarven defense technology implementation in <em>The Hobbit<\/em>: When advanced persistent threat Smaug infected and overtook Erebor (Lonely Mountain), he forced the dwarves to flee their homes (again). Thror, king of the Durin Folk, left his descendants a map with instructions for accessing Erebor\u2019s systems through the backdoor (literally called the Back Door). He hoped that one day a team of security experts could eradicate the dragon infestation. The map\u2019s implementation is very interesting from a cybersecurity point of view.<\/p>\n<p>Thror wrote the instructions to gain access to the backdoor on the map, but to keep it secret he not only used Angerthas Erebor (and the dwarves were very reluctant to share their language even with allies), but also used the extremely complex moon-letters method for the inscription. This dwarven technology allows writers to inscribe secret text visible only in the light of the moon \u2014 and not only the moon in general, but the moon either in the same phase as on the day of writing, or at the same time of the year.<\/p>\n<p>In other words, Thror used some form of <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/steganofraphy\/\" target=\"_blank\" rel=\"noopener\">steganography<\/a>, placing secret information on a picture so as to make it not only unreadable but also undetectable to outsiders.<\/p>\n<h2>The Lonely Mountain backdoor<\/h2>\n<p>The Back Door\u2019s protection mechanism is no less interesting. 
To open it, you need a \u201ccurious silver key with a long barrel and intricate wards.\u201d However, according to instructions from Thror\u2019s map, the timing is also key: \u201cStand by the grey stone when the thrush knocks, and the setting sun with the last light of Durin\u2019s Day will shine upon the key-hole.\u201d<\/p>\n<p>How the dwarves implemented the thrush part of the technology is unknown \u2014 Tolkien didn\u2019t go into the details of the biotech \u2014 but what we have here is multifactor authentication, and cleverly implemented at that. Indeed, on Durin\u2019s Day, in the evening, the thrush knocked, the last ray of sunset touched the door, and a fragment of stone broke off, revealing the keyhole. In this case, the calendar was an additional security factor; on the wrong day, even having the key wouldn\u2019t have helped.<\/p>\n<p>Alas, Tolkien did not describe the mechanism for returning the breakaway piece to the door. Maybe the thrush took care of that part.<\/p>\n<p>Of course, Tolkien allegorically depicted many more cybersecurity and information technologies in his books. As readers rightly pointed out after the first part, analyzing the telecommunication protocol of the infamous palantirs would also be interesting. Unfortunately, the professor did not leave detailed instructions, and scraps of information from his published drafts leave us with more questions than answers. 
Nevertheless, we will try to talk about them in an upcoming post on elvish IT.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Examples of the cybersecurity technologies and practices of Durin\u2019s folk abound in Tolkien\u2019s Middle-earth.<\/p>\n","protected":false},"author":700,"featured_media":18491,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1485],"tags":[1047,2462,2124,2463,2047],"class_list":{"0":"post-18490","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-special-projects","8":"tag-2fa","9":"tag-mfa","10":"tag-steganography","11":"tag-tolkien","12":"tag-truth"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/middle-earth-cybersecurity-dwarves\/18490\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/middle-earth-cybersecurity-dwarves\/23007\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/middle-earth-cybersecurity-dwarves\/9227\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/middle-earth-cybersecurity-dwarves\/24954\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/middle-earth-cybersecurity-dwarves\/22966\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/middle-earth-cybersecurity-dwarves\/22187\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/middle-earth-cybersecurity-dwarves\/25552\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/middle-earth-cybersecurity-dwarves\/25013\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/middle-earth-cybersecurity-dwarves\/30961\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/middle-earth-cybersecurity-dwarves\/9779\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/middle-earth-cybersecurity-dwarves\/40382\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.f
r\/blog\/middle-earth-cybersecurity-dwarves\/17241\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/middle-earth-cybersecurity-dwarves\/17707\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/middle-earth-cybersecurity-dwarves\/26988\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/middle-earth-cybersecurity-dwarves\/31135\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/middle-earth-cybersecurity-dwarves\/27228\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/middle-earth-cybersecurity-dwarves\/24038\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/middle-earth-cybersecurity-dwarves\/29383\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/middle-earth-cybersecurity-dwarves\/29176\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/truth\/","name":"truth"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18490","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18490"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18490\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18491"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18490"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18490"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/
wp\/v2\/tags?post=18490"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}