handouts/ho01.tex
changeset 159 77cf0362b87a
parent 158 702fea7754eb
child 160 4cbd6ca025e6
--- a/handouts/ho01.tex	Sat Sep 06 15:30:45 2014 +0100
+++ b/handouts/ho01.tex	Mon Sep 15 00:19:10 2014 +0100
@@ -8,8 +8,10 @@
 
 Much of the material and inspiration in this module is taken
 from the works of Bruce Schneier, Ross Anderson and Alex
-Halderman. According to them, a security engineer requires
-a certain mindset. Bruce Schneier for example writes:
+Halderman. I think they are the world experts in the area of
+security engineering. I especially like that they argue that a
+security engineer requires a certain \emph{security mindset}.
+Bruce Schneier for example writes:
 
 \begin{quote} 
 \it ``Security engineers --- at least the good ones --- see
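Review bot: In the added sentence "I think they are the world experts in the area of security engineering", the phrasing is awkward for a handout; something like "I consider them among the leading experts in security engineering" reads better and does not claim exclusivity. The new text also marks emphasis with \emph{security mindset}, while the unchanged quote just below still uses the old-style \it switch. Consider moving the quote to \itshape or \emph in the same change so the file uses one convention.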
@@ -32,44 +34,43 @@
 and sideways. You have to think like an alien.''
 \end{quote}
 
-\noindent In this module I like to teach you this mindset. To
-defend a system, you need to have this mindset and think like
-an attacker. This will include understanding techniques that
-can be used to compromise security and privacy of others.
+\noindent In this module I like to teach you this security
+mindset. This might be a mindset that you think is very
+foreign to you (after all we are all good citizens). I beg to
+differ: You have this mindset already when in school you were
+thinking, at least hypothetically, in which ways you can cheat
+in an exam (whether it is about hiding notes or looking over
+the shoulders of your fellow pupils). Right? To defend a
+system, you need to have this kind mindset and be able to
+think like an attacker. This will include understanding
+techniques that can be used to compromise security and privacy
+in systems. This will many times result in insights where
+well-intended security mechanism made a system actually less
+secure.\smallskip 
 
-{\bf Warning!} However, don’t be evil! Using those techniques in the real
-world may violate the law or the university’s rules, and it
-may be unethical. Under some circumstances, even probing for
-weaknesses may result in severe penalties, up to and including
-expulsion, civil fines, and jail time. Acting lawfully and
-ethically is your responsibility.
-
+{\Large\bf Warning!} However, don’t be evil! Using those
+techniques in the real world may violate the law or King’s
+rules, and it may be unethical. Under some circumstances, even
+probing for weaknesses of a system may result in severe
+penalties, up to and including expulsion, civil fines, and
+jail time. Acting lawfully and ethically is your
+responsibility. Ethics requires you to refrain from doing
+harm. Always respect privacy and rights of others. Do not
+tamper with any of King's systems. If you try out a technique,
+always make doubly sure you are working in a safe environment
+so that you cannot cause any harm, not even accidentically.
+Don't be evil. Be an ethical hacker.
 
 
-Don’t be evil!
- Ethics requires you to refrain from doing harm
- Always respect privacy and property rights
- Otherwise you will fail the course
- Federal and state laws criminalise computer intrusion and wiretapping
- e.g. Computer Fraud and Abuse Act (CFAA) 
-- You can be sued or go to jail
- University policies prohibit tampering with campus systems
- You can be disciplined, even expelled
- 
-To defend a system, you need to be able to think like an
-attacker, and that includes understanding techniques that can
-be used to compromise security. However, using those
-techniques in the real world may violate the law or the
-university’s rules, and it may be unethical. Under some
-circumstances, even probing for weaknesses may result in
-severe penalties, up to and including expulsion, civil fines,
-and jail time. Our policy in EECS 588 is that you must respect
-the privacy and property rights of others at all times, or
-else you will fail the course.
-
-Acting lawfully and ethically is your responsibility.
-Carefully read the Computer Fraud and Abuse Act (CFAA), a
-federal statute that broadly criminalizes computer intrusion.
-This is one of several laws that govern “hacking.” Understand
-what the law prohibits — you don’t want to end up like this
-guy. The EFF provides helpful advice on vulnerability
-reporting and other legal matters. If in doubt, we can refer
-you to an attorney.
-
- 
+In this lecture I want to make you familiar with the security
+mindset and dispel the myth that encryption is the answer to
+security (it certainly is one answer, but by no means a
+sufficient one). This is actually an important thread going
+through the whole course: We will assume that encryption works
+perfectly, but still attack ``things''. By ``works perfectly''
+we mean that we will assume encryption is a black box and, for
+example, will not look at the underlying
+mathematics.\footnote{Though fascinating it might be.}
  
 \end{document}
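Review bot: The added paragraphs contain several typos that will end up in the printed handout: "this kind mindset" should be "this kind of mindset", "well-intended security mechanism made" needs the plural "mechanisms", "accidentically" should be "accidentally", and "I like to teach you" should be "I would like to teach you". The warning paragraph mixes typographic apostrophes ("don’t", "King’s") with ASCII ones ("King's", "Don't"); pick the ASCII form unless the preamble, which is not visible here, declares a UTF-8 input encoding. {\Large\bf Warning!} uses the old-style \bf switch, where \bfseries or \textbf is preferred. "Don't be evil" now appears both at the start and the end of the same paragraph, so one of the two can go. The footnote "Though fascinating it might be." reads more naturally as "Fascinating though it might be."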