Part 2 – The Security Failures Of Star Wars: Attack of the Clones
Attack of the Clones begins ten years after The Phantom Menace. During that time the foundation of the Empire was being created in secret. The Republic is crumbling as thousands of worlds break away in favor of the separatist movement. War is imminent and Senator Palpatine, now Supreme Chancellor, has been using the Senate to maneuver the system, distract the Jedi and keep his ultimate plan hidden.
Palpatine’s plan, once set in motion, put the Empire corporation on a path of accelerated equity growth, adding personnel by the thousands and acquiring ships and equipment as quickly as he could. However, in order to grow that quickly, several sacrifices had to be made in the internal operations of the corporation.
After realizing that a planetary system had been deleted from the Jedi database, Obi-Wan investigated and discovered that a Jedi Master called Sifo-Dyas had outsourced resource acquisition for an army to an offshore cloning facility on Kamino ten years prior. That timeframe lines up with The Phantom Menace. The problem was that Sifo-Dyas died prior to the events in The Phantom Menace and the Jedi Council did not authorize an order for an army of clones. The conflict on Naboo hadn’t started yet, so why would anyone order an army if they didn’t need one at the time? Because whoever ordered it knew they would need one later.
The assumption is that Palpatine falsified documents, committed identity theft and placed the order with the Kamino facility under false pretenses. The supply chain vendor proceeded with the order as everything appeared legitimate. Even when Obi-Wan arrived, the Kaminoans assumed the Jedi were there to inspect their order.
You also have to assume that Palpatine, under his Sith persona, approached Jango Fett to hire him as the clone army’s template. Jango told Obi-Wan he didn’t know the name Sifo-Dyas but was approached by a man who called himself Tyranus. You can rule out Count Dooku, another employee of Palpatine on the Sith side, as Jango met up with Dooku later.
This was Palpatine’s plan all along. The only way to get tens of thousands of people to form an army in complete secret is to create them yourself. Given the design flaws of the Trade Federation’s droid army, he knew real soldiers were the correct solution. Growing them in an isolated part of the galaxy removes all risk of leaks and abandonment, and an air-tight NDA with the Kaminoans would keep their creation secret.
*** Side note about the Jedi database security controls ***
You have to assume Dooku deleted the records. He was a Jedi at one point, which gave him unrestricted access to the database at the facility. He must have had privileged access, escalated his access or used a compromised account. This exposes that the Jedi database doesn’t have multi-factor authentication, alerts on logins, forced authorizations to modify/delete data, or any logs. You can also deduce that there are no backups to verify against. The Jedi’s arrogance about the security of their database made them miss simple operational procedures that would have protected the integrity of their data.
*** End of Side Note ***
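The controls the side note finds missing, shown as an added Python example (not part of the original post): a second approver is forced for every delete, each action lands in a hash-chained log, and a backup manifest is compared against the live data. The `Archive` class, the function names and the sample records are hypothetical and constructed for this illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first log entry
SAMPLE = {"Kamino": "star chart A", "Naboo": "star chart B"}  # constructed data

def _link(prev_hash, entry):
    """Hash an entry together with the previous link so edits break the chain."""
    body = json.dumps(entry, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def manifest(records):
    """Backup manifest: record key -> SHA-256 of its content, kept offline."""
    return {k: hashlib.sha256(v.encode()).hexdigest() for k, v in records.items()}

class Archive:
    """Hypothetical record store: two-person delete plus hash-chained audit log."""

    def __init__(self, records):
        self.records = dict(records)
        self.log = []  # list of (entry, chain_hash)

    def _audit(self, actor, action, key, approver):
        prev = self.log[-1][1] if self.log else GENESIS
        entry = {"actor": actor, "action": action, "key": key, "approver": approver}
        self.log.append((entry, _link(prev, entry)))

    def delete(self, actor, key, approver=None):
        # Forced authorization: a second, different principal must approve.
        if approver is None or approver == actor:
            self._audit(actor, "delete-denied", key, approver)
            raise PermissionError("delete requires a second approver")
        del self.records[key]
        self._audit(actor, "delete", key, approver)

    def log_intact(self):
        """Recompute the chain; any edited or removed entry makes this False."""
        prev = GENESIS
        for entry, chain_hash in self.log:
            if _link(prev, entry) != chain_hash:
                return False
            prev = chain_hash
        return True

def unexplained_changes(backup, archive):
    """Keys that differ from the backup without an approved delete in the log."""
    approved = {e["key"] for e, _ in archive.log if e["action"] == "delete"}
    live = manifest(archive.records)
    return sorted(k for k, h in backup.items()
                  if live.get(k) != h and k not in approved)
```

A record removed outside `delete()` shows up in `unexplained_changes()` because the backup still lists it and the log has no approved deletion to account for it.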
Using clones in this way does achieve Palpatine’s plan of quick and secret growth of personnel. On the downside, using clones has a serious impact on future security design decisions.
- A single point of failure – Clones are based on one template, a real organic entity. That means all of its attributes, characteristics, inherited traits and predispositions are copied over. Depending on the quality of the cloning, those traits could be amplified or twisted in unpredictable ways. The fact that the original source of the clone army was a bounty hunter raises significant long-term risks. Imagine if the source template had a genetic chance for cancer that was missed in the screening process: your whole army would be wiped out.
- No biometric security controls, ever – Clones are 100% physically identical to the original template. That means the Empire cannot deploy any security controls that rely on facial recognition, voice prints, retina scans, fingerprints, physical body scans, dental records, employee photo badges and so on.
- Investment in physical trackers – Increased costs to implant chips and deploy scanners to uniquely identify each employee. They do use different colored uniforms to identify rank, but how do you ensure that two soldiers don’t switch places? By following an expedited schedule focused on expansion and use of the resources in the field, the pre-Empire lost focus on how to run the business once it was in place.
Attack of the Clones shows that focusing on growth and expansion is possible but comes with a price: a less than optimal focus on building a well-rounded, holistic business model. You can compare this to real-world companies that went down the same path. Krispy Kreme, once everywhere but crumbled under its own growth. Uber, spreading across the globe but with lackluster employee policies, marketing and internal operations. Twitter, the micro-blog kings but with no idea how to make a profit. MySpace, self-explanatory. Blockbuster Video, a store on every corner but they ignored the changing times.
Some can do it, most cannot.
Next we’ll see how the plan comes together and the Empire goes public and fully operational.
End of line.