Musings of an infosec nerd

The Method of Loci

In my earlier post I mentioned that I was studying for my PA-DSS exam and that I was using a memory palace technique to commit the standard to memory prior to the exam. I'll find out in a couple of weeks whether it actually helped, as the exam didn't actually ask a lot of questions that required rote memorisation of the standard.

UPDATE: I've just had the confirmation and I am now a PA-QSA. God have mercy etc.

I was asked by a friend about the kind of technique I actually used to build this, and I figured that it might be useful for other people as well so I felt a blog post was in order.

Wikipedia has a good write-up of the Method of Loci if you want to read all about the history and evolution of this type of memory mnemonic so I won't waste your time copy/pasting it here. I am going to detail how I came across this technique and where I have used it to help memorise large quantities of usually dull and boring information.

You may have noticed I used "dull and boring" above, and this is where a technique like the memory palace really comes into its own. I'm sure that if you are anything like me then remembering things that you find interesting isn't usually a task at all. However, if you have to keep 200+ security controls in mind when assessing a client, committing that kind of information to memory would seem like an impossible task.

In essence what the memory palace gives you is the ability to use the areas of your brain that handle things like visual, auditory and olfactory stimulation and tie them together in order to apply them to abstract concepts like security controls, giving your brain more cues to index on. The method that I like to use I first came across reading Derren Brown's Tricks of the Mind. This method uses a building that you are familiar with and takes you on a journey through it room by room. In each room you place items and people whom you can connect with the item being memorised. This may be a number, playing card, security control or pretty much anything you like as long as the visual image is distinctive.

I find that the way my mind works means that if I have a lot to remember I cannot fit it all in one building and have it stay "real" enough to my brain to be able to recall all the items at a later date. Because of this I have adapted the memory palace technique to use what has been called by others the journey method. This still has you placing people and items in locations but has the advantage of not being tied to a single building, but rather a series of connected locations that exist, at least for the most part, in reality. This is all very abstract so I feel an example is in order. If you are a masochist and you happen to be trying to memorise the PA-DSS V2.0 standard then please don't use my example as a start, it won't stick. Make sure you construct your own journey and it will pay off in the future.

PA-DSS V2.0 1.1.1

I'm standing on the corner of Powell and Market Street in downtown San Francisco. I look up at the road sign above the intersection and notice that the roads are named "1st Street" and "Track Avenue". In this area are a number of street vendors selling souvenirs and I walk over to the nearest one. He doesn't seem particularly reputable. He is taking payment from a customer and I notice that he has taken the customer's card and is swiping it through a mag stripe reader. "Do not store the full contents of any track from a card after authorisation"

PA-DSS V2.0 1.1.2

He turns the card over in his hand and I see that he is reading the CVV number from the signature strip and is writing that down in a notebook. "Do not store card CVV values after authorisation"

PA-DSS V2.0 1.1.3

He tells the customer that the mag stripe didn't work and he needs to know their PIN. He also writes this down in the notebook. "Do not store PIN or PIN Block after authorisation"

PA-DSS V2.0 1.1.4

While this is going on 4 police officers approach the vendor from behind and walk over to a number of buckets sitting behind the vendor that I can see are full of the same types of notebook the vendor is using. They talk for a moment and then set fire to the notebooks. "Securely delete any mag stripe, CVV or PAN data stored by previous versions of the software"

PA-DSS V2.0 1.1.5

The vendor is upset at the arson going on behind him. The police officers go to arrest him for his flagrant disregard for the law; however, before they can, a representative from the vendor's payment handler approaches them and informs the police officers that he actually asked the vendor to store this data to help solve a problem the vendor was having processing payments, and that he was going to make sure it was all disposed of once the problem had been solved. "Securely delete any sensitive authentication data used for debugging or troubleshooting"

Here you have my loci for PA-DSS V2.0 control 1. It works great for me as I can easily close my eyes and place myself in that exact location. The further I go into my journey the more personal to me it becomes so please don't ask me about specific controls as even if I explained my loci it would make no sense to you at all. San Francisco was where I was doing the training for PA-QSA so it makes an obvious place to base my journey. I can remember the sounds and the smells (oh God, some of the smells) without any effort at all. I shall now forever associate the smell of Cannabis and despair with control 3. My hotel was in a very interesting neighborhood.

I hope this example of mine will help anyone else who is interested in trying something like this. If you have any questions then please leave a comment or hit me up on Twitter or G+ and I'll do my best to answer them.

The personal blog of a UK based penetration tester