handouts/ho01.tex
changeset 169 2866fae8c1cf
parent 168 793ae8926a97
child 173 9126c13a7d93
--- a/handouts/ho01.tex	Tue Sep 23 10:31:03 2014 +0100
+++ b/handouts/ho01.tex	Tue Sep 23 11:23:29 2014 +0100
@@ -38,13 +38,13 @@
 mindset. This might be a mindset that you think is very foreign to you
 (after all we are all good citizens and not ahck into things). I beg
 to differ: You have this mindset already when in school you were
-thinking, at least hypothetically, in which ways you can cheat in an
+thinking, at least hypothetically, about in which ways you can cheat in an
 exam (whether it is about hiding notes or looking over the shoulders
 of your fellow pupils). Right? To defend a system, you need to have
 this kind mindset and be able to think like an attacker. This will
 include understanding techniques that can be used to compromise
 security and privacy in systems. This will many times result in
-insights where well-intended security mechanism made a system actually
+insights where well-intended security mechanisms made a system actually
 less secure.\smallskip
 
 {\Large\bf Warning!} However, don’t be evil! Using those
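Review bot: the reworded line "thinking, at least hypothetically, about in which ways you can cheat in an" stacks two prepositions; "about ways in which you can cheat in an exam" reads cleanly. The unchanged context in this hunk still has "and not ahck into things" (presumably "and do not hack into things") and "this kind mindset" (missing "of"). Both are worth fixing in the same commit, since the paragraph is already being edited for grammar.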
@@ -58,19 +58,33 @@
 tamper with any of King's systems. If you try out a technique,
 always make doubly sure you are working in a safe environment
 so that you cannot cause any harm, not even accidentally.
-Don't be evil. Be an ethical hacker.
+Don't be evil. Be an ethical hacker.\smallskip
 
 
-In this lecture I want to make you familiar with the security
-mindset and dispel the myth that encryption is the answer to
-security (it certainly is one answer, but by no means a
-sufficient one). This is actually an important thread going
+In this lecture I want to make you familiar with the security mindset
+and dispel the myth that encryption is the answer to all security
+problems (it is certainly often part of an answer, but almost always
+never a sufficient one). This is actually an important thread going
 through the whole course: We will assume that encryption works
-perfectly, but still attack ``things''. By ``works perfectly''
-we mean that we will assume encryption is a black box and, for
-example, will not look at the underlying
-mathematics.\footnote{Though fascinating it might be.}
+perfectly, but still attack ``things''. By ``works perfectly'' we mean
+that we will assume encryption is a black box and, for example, will
+not look at the underlying mathematics and break the 
+algorithms.\footnote{Though fascinating it might be.}
  
+For a secure system it seems four requirements need to come together:
+First a security policy (what is supposed to be achieved?); second a
+mechanism (cipher, access controls, tamper resistance etc); third the
+assurance we obtain from the mechanism (the amount of reliance we can
+put on the mechanism) and finally the incentives (the motive that the
+people guarding and maintaining the system have to do their job
+properly, and also the motive that the attackers have to try to defeat
+your policy). The last point is often overlooked, but plays an
+important role. Lets look at an example. The questions is whether
+the Chip-and-PIN system with credit cards is more secure than the older
+method of signing receipts at the till.
+
+
+
 \end{document}
 
 %%% Local Variables: