\documentclass{article}
\usepackage{../style}


\begin{document}

\section*{Handout 1 (Security Engineering)}
Much of the material and inspiration in this module is taken
from the works of Bruce Schneier, Ross Anderson and Alex
Halderman. According to them, a security engineer requires
a certain mindset. Bruce Schneier for example writes:

\begin{quote}
\it ``Security engineers --- at least the good ones --- see
the world differently. They can't walk into a store without
noticing how they might shoplift. They can't use a computer
without wondering about the security vulnerabilities. They
can't vote without trying to figure out how to vote twice.
They just can't help it.''
\end{quote}

\begin{quote}
\it ``Security engineering\ldots requires you to think
differently. You need to figure out not how something works,
but how something can be made to not work. You have to imagine
an intelligent and malicious adversary inside your system
\ldots, constantly trying new ways to
subvert it. You have to consider all the ways your system can
fail, most of them having nothing to do with the design
itself. You have to look at everything backwards, upside down,
and sideways. You have to think like an alien.''
\end{quote}
\noindent In this module I would like to teach you this mindset. To
defend a system, you need to have this mindset and think like
an attacker. This will include understanding techniques that
can be used to compromise the security and privacy of others.

{\bf Warning!} However, don’t be evil! Using those techniques in the real
world may violate the law or the university’s rules, and it
may be unethical. Under some circumstances, even probing for
weaknesses may result in severe penalties, up to and including
expulsion, civil fines, and jail time. Acting lawfully and
ethically is your responsibility.

Don’t be evil!
\begin{itemize}
\item Ethics requires you to refrain from doing harm
\item Always respect privacy and property rights
\item Otherwise you will fail the course
\item Federal and state laws criminalise computer intrusion and wiretapping
\item e.g. Computer Fraud and Abuse Act (CFAA)
\item You can be sued or go to jail
\item University policies prohibit tampering with campus systems
\item You can be disciplined, even expelled
\end{itemize}
To defend a system, you need to be able to think like an
attacker, and that includes understanding techniques that can
be used to compromise security. However, using those
techniques in the real world may violate the law or the
university’s rules, and it may be unethical. Under some
circumstances, even probing for weaknesses may result in
severe penalties, up to and including expulsion, civil fines,
and jail time. Our policy in EECS 588 is that you must respect
the privacy and property rights of others at all times, or
else you will fail the course.

Acting lawfully and ethically is your responsibility.
Carefully read the Computer Fraud and Abuse Act (CFAA), a
federal statute that broadly criminalizes computer intrusion.
This is one of several laws that govern “hacking.” Understand
what the law prohibits — you don’t want to end up like this
guy. The EFF provides helpful advice on vulnerability
reporting and other legal matters. If in doubt, we can refer
you to an attorney.
\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: