6 |
6 |
7 \section*{Handout 1 (Security Engeneering)} |
7 \section*{Handout 1 (Security Engeneering)} |
8 |
8 |
9 Much of the material and inspiration in this module is taken |
9 Much of the material and inspiration in this module is taken |
10 from the works of Bruce Schneier, Ross Anderson and Alex |
10 from the works of Bruce Schneier, Ross Anderson and Alex |
11 Halderman. According to them, a security engineer requires |
11 Halderman. I think they are the world experts in the area of |
12 a certain mindset. Bruce Schneier for example writes: |
12 security engineering. I especially like that they argue that a |
|
13 security engineer requires a certain \emph{security mindset}. |
|
14 Bruce Schneier for example writes: |
13 |
15 |
14 \begin{quote} |
16 \begin{quote} |
15 \it ``Security engineers --- at least the good ones --- see |
17 \it ``Security engineers --- at least the good ones --- see |
16 the world differently. They can't walk into a store without |
18 the world differently. They can't walk into a store without |
17 noticing how they might shoplift. They can't use a computer |
19 noticing how they might shoplift. They can't use a computer |
30 fail, most of them having nothing to do with the design |
32 fail, most of them having nothing to do with the design |
31 itself. You have to look at everything backwards, upside down, |
33 itself. You have to look at everything backwards, upside down, |
32 and sideways. You have to think like an alien.'' |
34 and sideways. You have to think like an alien.'' |
33 \end{quote} |
35 \end{quote} |
34 |
36 |
35 \noindent In this module I like to teach you this mindset. To |
37 \noindent In this module I like to teach you this security |
36 defend a system, you need to have this mindset and think like |
38 mindset. This might be a mindset that you think is very |
37 an attacker. This will include understanding techniques that |
39 foreign to you (after all we are all good citizens). I beg to |
38 can be used to compromise security and privacy of others. |
40 differ: You have this mindset already when in school you were |
|
41 thinking, at least hypothetically, in which ways you can cheat |
|
42 in an exam (whether it is about hiding notes or looking over |
|
43 the shoulders of your fellow pupils). Right? To defend a |
|
44 system, you need to have this kind mindset and be able to |
|
45 think like an attacker. This will include understanding |
|
46 techniques that can be used to compromise security and privacy |
|
47 in systems. This will many times result in insights where |
|
48 well-intended security mechanism made a system actually less |
|
49 secure.\smallskip |
39 |
50 |
40 {\bf Warning!} However, don’t be evil! Using those techniques in the real |
51 {\Large\bf Warning!} However, don’t be evil! Using those |
41 world may violate the law or the university’s rules, and it |
52 techniques in the real world may violate the law or King’s |
42 may be unethical. Under some circumstances, even probing for |
53 rules, and it may be unethical. Under some circumstances, even |
43 weaknesses may result in severe penalties, up to and including |
54 probing for weaknesses of a system may result in severe |
44 expulsion, civil fines, and jail time. Acting lawfully and |
55 penalties, up to and including expulsion, civil fines, and |
45 ethically is your responsibility. |
56 jail time. Acting lawfully and ethically is your |
|
57 responsibility. Ethics requires you to refrain from doing |
|
58 harm. Always respect privacy and rights of others. Do not |
|
59 tamper with any of King's systems. If you try out a technique, |
|
60 always make doubly sure you are working in a safe environment |
|
61 so that you cannot cause any harm, not even accidentically. |
|
62 Don't be evil. Be an ethical hacker. |
46 |
63 |
47 |
64 |
48 |
65 In this lecture I want to make you familiar with the security |
49 Don’t be evil! |
66 mindset and dispel the myth that encryption is the answer to |
50 - Ethics requires you to refrain from doing harm |
67 security (it certainly is one answer, but by no means a |
51 - Always respect privacy and property rights |
68 sufficient one). This is actually an important thread going |
52 - Otherwise you will fail the course |
69 through the whole course: We will assume that encryption works |
53 - Federal and state laws criminalise computer intrusion and wiretapping |
70 perfectly, but still attack ``things''. By ``works perfectly'' |
54 - e.g. Computer Fraud and Abuse Act (CFAA) |
71 we mean that we will assume encryption is a black box and, for |
55 - You can be sued or go to jail |
72 example, will not look at the underlying |
56 - University policies prohibit tampering with campus systems |
73 mathematics.\footnote{Though fascinating it might be.} |
57 - You can be disciplined, even expelled |
|
58 |
|
59 To defend a system, you need to be able to think like an |
|
60 attacker, and that includes understanding techniques that can |
|
61 be used to compromise security. However, using those |
|
62 techniques in the real world may violate the law or the |
|
63 university’s rules, and it may be unethical. Under some |
|
64 circumstances, even probing for weaknesses may result in |
|
65 severe penalties, up to and including expulsion, civil fines, |
|
66 and jail time. Our policy in EECS 588 is that you must respect |
|
67 the privacy and property rights of others at all times, or |
|
68 else you will fail the course. |
|
69 |
|
70 Acting lawfully and ethically is your responsibility. |
|
71 Carefully read the Computer Fraud and Abuse Act (CFAA), a |
|
72 federal statute that broadly criminalizes computer intrusion. |
|
73 This is one of several laws that govern “hacking.” Understand |
|
74 what the law prohibits — you don’t want to end up like this |
|
75 guy. The EFF provides helpful advice on vulnerability |
|
76 reporting and other legal matters. If in doubt, we can refer |
|
77 you to an attorney. |
|
78 |
|
79 |
|
80 |
74 |
81 \end{document} |
75 \end{document} |
82 |
76 |
83 %%% Local Variables: |
77 %%% Local Variables: |
84 %%% mode: latex |
78 %%% mode: latex |