handouts/ho01.tex
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Tue, 23 Sep 2014 10:24:38 +0100
changeset 167 d8657ff8cca1
parent 160 4cbd6ca025e6
child 168 793ae8926a97
permissions -rw-r--r--
typos

\documentclass{article}
\usepackage{../style}


\begin{document}

\section*{Handout 1 (Security Engineering)}

Much of the material and inspiration in this module is taken
from the works of Bruce Schneier, Ross Anderson and Alex
Halderman. I think they are the world experts in the area of
security engineering. I especially like that they argue that a
security engineer requires a certain \emph{security mindset}.
Bruce Schneier for example writes:

\begin{quote} 
\it ``Security engineers --- at least the good ones --- see
the world differently. They can't walk into a store without
noticing how they might shoplift. They can't use a computer
without wondering about the security vulnerabilities. They
can't vote without trying to figure out how to vote twice.
They just can't help it.''
\end{quote}

\begin{quote}
\it ``Security engineering\ldots requires you to think
differently. You need to figure out not how something works,
but how something can be made to not work. You have to imagine
an intelligent and malicious adversary inside your system
\ldots, constantly trying new ways to
subvert it. You have to consider all the ways your system can
fail, most of them having nothing to do with the design
itself. You have to look at everything backwards, upside down,
and sideways. You have to think like an alien.''
\end{quote}

\noindent In this module I would like to teach you this
security mindset. This might be a mindset that you think is
very foreign to you (after all we are all good citizens). I beg
to differ: You already had this mindset when, in school, you
were thinking, at least hypothetically, about the ways in which
you could cheat in an exam (whether by hiding notes or looking
over the shoulders of your fellow pupils). Right? To defend a
system, you need to have this kind of mindset and be able to
think like an attacker. This will include understanding
techniques that can be used to compromise security and privacy
in systems. This will often yield insights into cases where a
well-intended security mechanism actually made a system less
secure.\smallskip 

{\Large\bf Warning!} However, don't be evil! Using those
techniques in the real world may violate the law or King's
rules, and it may be unethical. Under some circumstances, even
probing for weaknesses of a system may result in severe
penalties, up to and including expulsion, fines and
jail time. Acting lawfully and ethically is your
responsibility. Ethics requires you to refrain from doing
harm. Always respect the privacy and rights of others. Do not
tamper with any of King's systems. If you try out a technique,
always make doubly sure you are working in a safe environment
so that you cannot cause any harm, not even accidentally.
Don't be evil. Be an ethical hacker.


In this lecture I want to make you familiar with the security
mindset and dispel the myth that encryption is the answer to
security (it certainly is one answer, but by no means a
sufficient one). This is actually an important thread going
through the whole course: We will assume that encryption works
perfectly, but still attack ``things''. By ``works perfectly''
we mean that we will assume encryption is a black box and, for
example, will not look at the underlying
mathematics.\footnote{Fascinating though it might be.}
 
\end{document}

%%% Local Variables: 
%%% mode: latex
%%% TeX-master: t
%%% End: