csci 331 introduction to computer security...2019/09/04  · computer security is… attacks are...


Post on 11-Aug-2020


Instructor: Prof. Daniel Barowy

CSCI 331 Introduction to Computer Security

First thing this course is about:

Thinking… not feeling.

Second thing this course is about:

How security is designed and implemented.

Security is a broad topic!

We do not have enough time to cover everything!


“security” = four essential ingredients

• confidentiality (privacy)

• integrity

• authenticity

• availability

We analyze the security of assets

Some assets:

• Data (email, photos, documents, …)

• Software (operating system, mail daemon, …)

• Things (computer, power grid, e911, …)

We analyze the security of assets with respect to adversaries

Some adversaries:

• National governments

• Organized crime

• Thrill-seekers

• Graduate students

• Journalists

• “Friends”

• Business competitors

• [H]activists

• Potential employers

• Professors!!

• Students!!!

Class activity:

1. Pair up with the person next to you.

2. Take 5 minutes to Google me.

3. What do you learn?

4. What don’t you learn?


We analyze the security of assets with respect to adversaries

who aim to achieve certain goals.

We call these scenarios threats.

There are a few ways to analyze threats without emotions getting in the way.

• Damage to assets (e.g., email deleted).

• Source of the attack (e.g., the Internet).

• By effect on 4 security essentials:

  • Confidentiality (e.g., info leaked!)

  • Integrity (e.g., info changed!)

  • Authenticity (e.g., info forged!)

  • Availability (e.g., info unreachable!)

Weaknesses in security are called vulnerabilities.

For example:

• Bad policy: user has the password “password”.

• Bad implementation: program leaks passwords.

• Weak crypto: eavesdropping on conversations.

• Bad physical security: someone steals laptop.

• Numerous others…

Risk analysis is the systematic analysis of threats to assets.

| | Confidentiality | Integrity | Authenticity | Availability |
|---|---|---|---|---|
| E-Mail | | | | |
| Docs | | | | |
| Photos | | | | |
| Music | | | | |

“Should I connect to airport wifi?”

Sadly, the state of the art in computer security is…

Attacks are easy.

Defenses are hard.

It’s hard to know your vulnerabilities.

It helps to think holistically.

Sadly: there is no good “theory of security”

You will never feel like you’ve mastered security.

Anyone who says they have is mistaken (or lying).

But thinking systematically and carefully effectively reduces the risks!

About the course

Three kinds of homework:

1. Programming assignments (“labs”)
   • Due roughly every two weeks

2. Reading & written responses
   • Due every week

3. Final project
   • Checkpoint due roughly every two weeks

Two kinds of readings

1. Reading for the written responses (as mentioned before)

2. Background reading to be prepared for class / assignments

Note: The Cuckoo’s Egg is reading type 1. An easy read, but can’t be done in a weekend.


How to turn in assignments

Short demo in a moment.

Have you filled in the Google Form yet?


All handed-in work must be code

1. Programming assignments
   • C code or
   • Java code

2. Writing responses
   • LaTeX code (+ PDF file)

3. Project checkpoints
   • LaTeX code
   • C or Java code
   • Other files

You will commit to the GitHub repository assigned to you.

Sometimes, this repository will include starter code or a LaTeX template.

Let’s look at a sample writing assignment.


Office Hours in TCL 307

Thursday: 3-5pm

Friday: 4-6pm

and by appointment

This is hopefully athlete-friendly.

Electives do not get TAs!


The right attitude for success

You are the intrepid explorer.

I am your elder guide.

You want the adventure.

I want to stay home and putter around my office.


I am always eager to help as long as you’re the one doing the driving.


Something to know about security

There are “good guys” and “bad guys.”

Please do not be a bad guy.

Good guys don’t pull their punches with bad guys.


I won’t either.

Computer security is intellectually stimulating…

and can be incredibly exciting.

I hope you learn a lot and have a great semester!

Questions?