Class 30: Security and Privacy
CSCI 101, Fall 2010
Daniel Scharstein

Today
• Security
• Social Issues
• Reliance on computers
• DRM
• Privacy

Computer Security
• Physical security: protect from theft, keep data backups, control access with passwords
• What makes a good password? Why?
• Alternative: biometrics
• Stolen laptops & identity theft
• Remedy: chip to encrypt/decrypt hard drive “on the fly”
• Access Privileges
• Normal user vs. administrator / superuser
• File protection
• Memory access, memory protection

Modern Day Needs
• Privacy/Confidentiality
• Authentication (digital signatures)
• Non-repudiation (should not be able to later deny having sent a message)
• Data Integrity (accidental changes versus malicious ones - how to know if a packet or message is the same as the one sent)
• Intrusion detection

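
The data-integrity point above (accidental versus malicious changes), as an added example that is not part of the original slides: a plain checksum catches a bit flipped by noise, but only a keyed tag catches a message that was rewritten and re-tagged. The message, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample values, for illustration only.
SHARED_KEY = b"constructed-demo-key"  # known only to sender and receiver
MESSAGE = b"Transfer $100 to account 12345"

def crc_tag(message: bytes) -> int:
    # Unkeyed checksum: anyone who can see the message can compute it.
    return zlib.crc32(message)

def mac_tag(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    # Keyed tag (HMAC-SHA256): computing it requires the shared secret.
    return hmac.new(key, message, hashlib.sha256).digest()

def crc_ok(message: bytes, tag: int) -> bool:
    return zlib.crc32(message) == tag

def mac_ok(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    # compare_digest compares the two tags in constant time.
    return hmac.compare_digest(mac_tag(message, key), tag)

def flip_bit(message: bytes, index: int) -> bytes:
    # Simulate an accidental change: one bit flipped in transit.
    damaged = bytearray(message)
    damaged[index // 8] ^= 1 << (index % 8)
    return bytes(damaged)

def check_all() -> dict:
    sent_crc, sent_mac = crc_tag(MESSAGE), mac_tag(MESSAGE)
    noisy = flip_bit(MESSAGE, 10)
    # Deliberate change: the message is rewritten and its tags replaced.
    # The CRC can be recomputed by anyone; without SHARED_KEY the best
    # available MAC is one made under some other key.
    altered = b"Transfer $900 to account 12345"
    altered_crc = crc_tag(altered)
    altered_mac = mac_tag(altered, key=b"not-the-shared-key")
    return {
        "crc_detects_noise": not crc_ok(noisy, sent_crc),
        "mac_detects_noise": not mac_ok(noisy, sent_mac),
        "crc_detects_rewrite": not crc_ok(altered, altered_crc),
        "mac_detects_rewrite": not mac_ok(altered, altered_mac),
    }

if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name}: {result}")
```
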
Some issues:
• How does the CS Server bj know you are as claimed?
• How do you know you are logging on to the “real” server rather than an impostor?
• How hard is it to be an impostor?
• Wireless networks (which everyone wants) are a security nightmare
• Access to tape backups can be both a blessing and a liability (every email you have ever written on a tape somewhere?)
• Even when you think you have erased something from a hard drive, the data can still be recovered (in some cases)
• There can be a “person-in-the-middle”
• Who can you trust over the Internet?

Computer Security
• Secure connections
• Protect from malicious software (Malware)
• Types of attack:
    • Virus
    • Worm
    • Trojan horse
    • Spyware
    • Phishing
    • Denial of service
    • Spam

Computer Security
• Protecting security
• Firewalls
• Antivirus software
• CERT
• Encryption
• HTTPS for secure web communication uses Secure Sockets Layer (SSL) protocol
• Public-Key Cryptology (PKC)
• Digital signatures

Societal Impact of Computing
• Technological advances ripple through society and raise new ethical and legal issues
• Dealing with these issues requires understanding of new technologies and their impact
• Examples:
    1. Relying on computers for life-critical systems
    2. Ownership and usage of intellectual property
    3. Personal privacy

Reliance on Computers
• Therac-25 radiation machine (1985–1987)
    • At least 5 patients died from receiving radiation overdoses
• Patriot Missile System (1991)
    • Roundoff error that accumulated over time rendered system unable to target incoming Scuds
• Windows 2000 operating system
    • 63,000 bugs in 35,000,000 lines of code
    • Bugs not considered “critical”

Some Questions
• What tasks should we entrust to a computer?
• Should a computer…
    • Control a nuclear reactor?
    • Fly an airplane? (e.g., Boeing vs. Airbus)
    • Perform surgery?
    • Be a psychologist?
• Who should be responsible for software mishaps?
• Should there be a licensing procedure for software engineers?

Digital Rights Management
• Technologies used by publishers or copyright owners to control access to and usage of digital data or hardware

DRM continued
• How can we protect the rights of both the producers and consumers of intellectual property?

Mining User Info
• Data mining is the automated extraction of hidden, predictive information from large databases
• Data mining uses artificial intelligence and other methods, such as decision trees, neural networks, k-means clustering, and rule induction

Common Applications
• Web site personalization
• Credit card fraud detection
• Market basket analysis
    • Beer and diapers story

Privacy Issues
• How much info about you is stored on computers?
• Who has access to it? Who should?
• Should companies be allowed to sell the data they collect about you to other companies?
• Should companies be allowed to profile you?
    • e.g., deciding whether to approve a mortgage application
• What if they get inaccurate information about you?
• Are you worried about identity theft?

Privacy Threats
• Individual data online
• Spyware
• Profiling, cookies
• Presence technology: where you are, what you are doing
• Employer monitoring
• Health care information
• Do you have privacy online? Do you / should you care?

Security vs. Privacy
• Should encryption methods be published?
• Rivest, Shamir, and Adleman (RSA, 1977)
• Philip Zimmermann: Pretty Good Privacy (PGP, 1991)
• USA PATRIOT Act
• Carnivore tool was used by FBI at ISPs until early 2000s
• Magic Lantern: keystroke logging software developed by FBI
• Should ISPs provide access to government monitoring? Should anti-virus software detect FBI tools?

Discussion questions
• Should government be allowed to use technology to monitor online activities?
• Does the use of these technologies conflict with the right to privacy guaranteed by the Fourth Amendment to the US Constitution?
• Are these technologies a necessary evil in today’s world?
• Should children have a right to privacy while surfing the Internet?
• Should parents check the browser history on the family computer? Install a keystroke monitoring program?