1 Inspiration


1.1 Screencasts

1.2 Why is security important?

The contents of a man’s letters are more valuable than the contents of his purse.
- Lord Varys
Inspiration/varys.jpg
Not only that, now the contents of one’s bit-streams are also the contents of one’s purse…
Mention:
In 2023, the latter (money) is perhaps the most common goal of attack,
though it was not always.

1.3 Information is power.

Inspiration/infoIsPower.png
Inspiration/power_failures_avg.jpg
Inspiration/power_failures_long.jpg

1.4 Security/Privacy trade-off is an unnecessary illusion (usually).

Inspiration/security-fence.jpg
They’re usually not at odds.
Just do both instead!
The assertion that they are at odds is usually a concrete power-grab.

1.5 Privacy is security, but of different information.

e.g., security of meta-data, instead of security of message content
Inspiration/iphone.jpeg
This is a common mistake: “privacy is not security”
Privacy and security are not different concepts, just different data.
Privacy is indeed security, it just refers to the protection a broader set of data.
Mention: Apple’s recent example of “pseudo-security theater”

1.6 All security is ultimately either physical or cryptographic.

Inspiration/t3_5q59nd.jpeg
Data stored or transmitted on a physical medium can be protected behind a physical barrier.
Data stored or transmitted on a physical medium can be protected by encryption.
Data stored or transmitted on a physical medium can be accessed, or denied access, through an access control interface, present at a computer terminal endpoint.
What stops someone attempting to bypass the access control interface?

1.7 Much of cryptography is actually strong, though the whole system needs to be secure.

Inspiration/security.png

Inspiration/AI_security.png
What can a algorithm designer, programmer, or IT professional do to help?

1.9 Security is easy.

1.10 Security while still allowing the key people access is hard.

Inspiration/cg5954770f12b1b.jpg
Inspiration/security23.gif

The most clever tricks in modern security make access possible, in unexpectedly secure ways.
This is especially true of remote access.

1.11 Most thefts are employees.

1.12 Most “hacks” are actually internal compromises.

Inspiration/Employee-Theft-Statistics.jpg
For example, the DNC “hacks” were likely just leaks
(at least as far as a public executive letter written by the technical director of the NSA,
and other high-ranking security officials said…).

1.13 Security is often driven by cyclical arms-race phenomena.

Inspiration/arms.png
Much in security is arbitrary,
especially offensive security,
but there are general principles to emerge.
I hope to provide you that context,
which may not be obvious.
Often, students think they will be excited about offensive security,
only to realize that defensive security is more theoretically rich.

1.14 Security has progressed from tinkerers’ exploits to an affair of nation states and organized crime

Inspiration/arms_race.jpg
Security is now the domain of elite professionals,
who are required in virtually every industry,
including government.

1.15 Full stack understanding required

Inspiration/full_stack.png

The student experience:

1.16 The most domain-general principles within security are compartmentalization and layering

Inspiration/Thrive-D-compartmentalization.png
These principles of compartmentalization and layering for the purpose of security exist in:

Inspiration/qubes-components.png
Modern systems are often too complex to evaluate fully.
Further, modern systems often lack explicit trust (closed design).
Assuming that excess complexity and deficit of trust,
security by isolation or compartmentalization,
rather than security by correctness,
is likely a good strategy,
a crutch to minimize damages and losses.

1.17 This semester:

Though humans are the largest problem in security,
we will cover the technical components in this class
(this is CS; IST/BIT often covers the human component more).

By analogy, consider the difference between:
the medical professional who makes a business out of how to patch the unhealthy habits of a self-destructive patient who vapes, eats junk food, and sits around playing video games,
or a trainer/dietitian who optimizes the health and performance of an elite athlete who already eats well, sleeps well, and exercises.
Both have a place in medicine and industry,
and the helping former may actually be more impactful in the short-term.
However, we will generally avoid the former
(making your MS-Windows machine less insecure),
in favor of the latter,
(how to actually do security correctly).

We will also favor defensive over offensive security,
though will attempt to do justice to both.
Defensive security comes first.
i.e., learning defensive tactics to survive the nasty, arbitrary,
short-sighted attacks that arise in this computing environment,
that resembles Lord of the Flies / Prison Yard / Public School…

We will have several major sections of the course: ../Content.html