Okay, folks, we have batteries now, but the speakers don't work anyway. I can turn up the volume as much as I want, but nothing's happening. So you will all have to listen and I will have to yell.

Okay, quick announcements. I just updated the autograder to show you the output of your commands, to help you debug. It should also show you any error messages that occur as well. Maybe not; I may have to fix that, but I did this right before I came over here. As you can see, this is my little test case, so it's showing you all the output of your program so that you can compare it with what should be output. I also installed Rust, I think, but does somebody want to check that? I just installed the Rust package rather than doing all that other shenanigans, so we'll see if that works.

Any questions? Very hard to hear me. Okay, maybe it was muted. Okay, any other questions on the homework?

It is probably your username: the environment variable with your username is not getting transferred over. You can actually specify your environment variables on the command line. Let me show a brief demo; I can make it bigger so you can actually see it. So you're running a command like this, right, and then it's saying your username doesn't exist. The other trick is that you can specify environment variables on the command line before the command that you want to execute. So you type your variable name here, then a space, and then your value, I think it's the token, and then run the command, and that should work without having to transfer anything over. It's nicer if you transfer it over, but this little trick should just work without needing to do that. Yeah, that's a good one: you have to make sure it matches exactly, right?
Another nice thing: I would rather you focus on solving the Bandit levels, because even once you get to level five or six, when you run it, it gives you credit for all of the previous levels. So don't let not being able to save those up stop you from continuing to move forward. It gives you progress up to wherever you got to: if you run it when you're on level six, it gives you credit for levels one through six. Exactly.

Do you know, would it matter if you use bash instead of zsh? Would those variables still transfer over? Possibly. Yes.

Assurance. How do we trust that a system is secure? Can we ever trust that a system is 100% secure? So we need assurance, and we need to convince ourselves, and we need to think that in some sense it's not binary, you trust it or you don't, but how do you trust the system? We ended on whether assurance can be quantified. So what do we all think? Can you put a number on it? Would you want to put a number on assurance? Why would that be important or interesting?

Yeah, that's great. You can compare different strategies: you can say, well, if we go with option A, it costs a million dollars and gives us X level of assurance, but if we go with option B, it costs 10 million dollars but gives us 2X assurance, or whatever. So you can actually see what the return on your investment would be. It enables competition between different security systems and providers. You can actually measure how effective a security mechanism is and say, okay, if you implement this security mechanism, you'll increase assurance by Y percent. It would be easy to compare these things instead of just having to make promises about what they should do and what they do. Yeah, what else? You can charge more.
Yeah, you could, or to say it another way, you can make a business justification for why you make investments in cybersecurity infrastructure, right? Without a quantification, what are you going to say to the CEO when you say we need to increase our budget by $20 million and they say, great, what am I going to get for that money? What do you tell them? More secure than we were before? So it's all about that idea.

It means you can set requirements, like a bank has to be some percentage secure. Yeah, so then you could maybe have a standardized mechanism depending upon the different requirements: a bank would need a higher level of assurance than just a standard website, and a military installation would need higher marks in assurance than other things.

Yeah, so the problem is it is very difficult to quantify this. This is why I like to pose this to the class: if you're able to solve this problem and come up with a way to quantify this, you will be a very wealthy person who has made a good contribution to society. Go ahead and think about that; it is a very, very difficult problem.

Okay, so then if we can't quantify it, how do we increase our assurance? What kinds of things can help us increase our assurance in the security of a system? There are standard things you can think about, engineering ideas. How do you know that your software does what it's supposed to do? Okay, so that's what you're testing with software testing. And what are you testing in terms of security? Can you break it, or does the system not do what it's not supposed to do? Right, and are there any vulnerabilities or other places that might be buggy that lead to compromising the security of the system? Yeah, what other ways can we increase our assurance?
Yeah, so setting specifications, being explicit about our policies, maybe starting at the top: analyzing our policies. Are our policies achieving the security goals that our organization wants? Do the mechanisms that we have in place actually appropriately implement those policies? Think about it in software: you think about it at the design level. Is the system designed securely? Is it implemented securely?

Yeah, so it's a lot easier for us to draw the analogy, because you're writing a lot of software in those kinds of projects. So what is a specification for a software system? Yeah, requirements. What the customer wants, yeah. What is the system supposed to do, right? It could be what the customer wants, it could be various other avenues. So how do you define specifications? Anybody have first-hand experience working at a company who can share how you did specifications?

Okay, so talk to the users. Tickets in a ticketing system, based on what features they're asking about, and use those as specifications or a roadmap. Meeting national standards: it depends on what the system is. If it's an aircraft system, there are certain standards and levels that you need to achieve, so maybe that directs our specifications. Right, and then we can also be thinking, and we should be thinking, about security even here at the specification level. So why is that important?
Yeah, so you have a clear idea of the problem that you're going to solve; you understand the context of the system in the broader organization. And also, it's a Word document, right? It's a lot easier to change before anything's actually built. So this is why it's really important to be thinking about security at the early stages of the software development life cycle. It's way easier to catch errors here, or even to know certain things that must be part of the specification. You can add security requirements to the specifications.

Cool, so then after that point we need to design the system. So how does design work generally? A prototype, maybe making a one-off prototype just to get a feel for what you're designing. What kinds of security problems can come up in the design stage?

Yeah, so how to protect it from all those threats that we talked about, right? You can think through all those threats, or threats that are specific to your system. You can say, okay, what is this design doing to prevent unauthorized access? What is your system going to do to prevent somebody who's not an authorized user from accessing your data? If you just say, well, we have a database and the password is admin/admin, think about whether that's really preventing some unauthorized user from guessing that password and getting access to your system, right? So this is something you change in the design phase of how the system should work.

Allowing it to be adaptable. Yeah, so maybe building in some notion that you will need to change things, and so how are the changes going to impact security? Yeah, that's great. The other thing you're trying to verify here is: does the design satisfy the specifications? So why is this important? You're giving guarantees, say for a contract; it's got to live up to them.
Yeah, so if you change it later, then you've got to know what to change. Yeah, so you think about it in a contractual manner: the specifications are literally coming from the customer, and they are a contract of what you're going to build. Then you need to make sure the design satisfies those specifications, also in security aspects, right? There are security requirements in the specifications; you need to be able to understand how the design satisfies them. So how are we going to prove that a design satisfies the specification?

You can test it. What can testing do? It can demonstrate some functionality, but we're only at the design stage; we don't have any functionality yet. How many test case passes does it take to prove that the design follows the specification? There you go.

So, okay, the credit card companies have requirements called PCI compliance, and there are a number of things you have to do to be PCI compliant if they're going to trust you to store credit cards. So maybe those are part of your requirements, and you can validate the design against those requirements. Yeah, that's good. Yeah, your specifications might be written as acceptance tests, so if you're passing those acceptance tests, you're meeting your specifications. Yeah, so since we don't have a system yet, we maybe can't test it, but we can certainly test the design, right? We can create test cases for whether the design satisfies part X of the specification, or how it does that. Yeah, third-party audit, third-party review. Yeah, so we can hire a third party to audit our design, right?
And they can say whether this design matches the specifications. Yeah, the point I wanted to get to with testing: testing is a great tool. Testing can't prove that something is secure, but it can definitely disprove that it's secure, right? If you find a test case that allows you to violate the specification, then you've definitely found a massive vulnerability in the system. And again, the important thing is catching it before you even start coding, because fixing it early in the design phase will save you a lot of time in the future. Awesome.

Cool, then we have to actually implement it, right? We have to write code, build something that does what the design says it can do and what the specification says it can do. So how do we know that the implementation satisfies the design? We can do some of the things we already talked about: testing, right? What else? We can ask the customers. Yeah, we can ask the customers, right? We can put a prototype in the customers' hands and see what they think about the system. Are they going to be able to tell us about any of those security requirements? Probably not; it depends on who the customer is, right? But we definitely want to do that in terms of functionality. And then we can use the other things that we talked about: the same things that we talked about in design apply here. Hire third-party companies, or we could ourselves try to analyze our system for vulnerabilities in the actual implementation, and then hopefully fix them before we've actually deployed.

And now is this it? Let's say we've done a really good job: we've done a really good design from our specification, we've looked at it from security angles, we've looked at the design of our system, we analyzed it and had experts look at the design before we wrote any code, we coded the thing up, wrote a lot of test cases, we wrote acceptance cases.
We put it in the hands of users. Do we then have high assurance that the system is secure? Do we want to vote? We may be able to say we have a high degree of assurance, but this is one of the key things to think about, especially in terms of software development: even if you implemented something, it's not necessarily done. It needs to actually be deployed and run on a real system.

I'll tell you a personal story. In undergrad I ran a website, and I was having issues installing something or whatever, and I changed the permissions on all the files on that system to be world readable, writable and executable, like chmod -R 777 /. And it fixed the problem: all the permission problems went away. Except I logged out of that system and I couldn't log back in, because my SSH key was world readable and writable, which SSH will not allow, and it locked me out. So I had to file a ticket to get access to the system, and they were like, uh, yeah, you shouldn't do that.

So even if, let's say, I had an app that was 100% secure, if you throw it in an environment where people misconfigure it, you can introduce security vulnerabilities that were not anywhere in your specification or design or implementation. So this is why it's important not to stop at the implementation but to think through to deployment, configuration and operation. Like in my example: confidentiality is really important to your application, you are very careful about hiding user information, but an administrator was having errors when they installed it, so they just gave everyone all the permissions, and half an hour later it works, but you have this huge security hole that you didn't have in the design of the system. So again we have the same question of how the implementation is deployed, configured or operated.
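The chmod -R 777 story above is a deployment-time misconfiguration that no design review would have caught, and it is exactly the kind of check that belongs in a post-deployment validation step. The following is an added example, not from the lecture or from OpenSSH: a small Python audit that reports files in an .ssh directory whose mode bits are looser than ssh tolerates (owner-only for private keys and authorized_keys, world-readable allowed for *.pub), and a demo that builds a throwaway .ssh directory with constructed placeholder files, applies the lecture's chmod 777, and shows the audit catching it. The 0o600/0o700 limits are assumptions modelled on sshd's StrictModes behaviour, not taken from the lecture.

```python
import stat
import tempfile
from pathlib import Path

# Assumed limits modelled on what sshd's StrictModes and the ssh client
# refuse: private material must be owner-only, the directory likewise.
PRIVATE_KEY_MAX = 0o600
DIR_MAX = 0o700
PUBLIC_KEY_MAX = 0o644


def unsafe_bits(path: Path, allowed: int) -> int:
    """Permission bits set on `path` beyond `allowed` (0 means it is fine)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & ~allowed


def audit_ssh_dir(ssh_dir: Path) -> list[str]:
    """Return one finding per file (or the directory) whose mode is too loose."""
    findings = []
    extra = unsafe_bits(ssh_dir, DIR_MAX)
    if extra:
        findings.append(f"{ssh_dir}: extra bits {extra:04o} (want {DIR_MAX:04o})")
    for p in sorted(ssh_dir.iterdir()):
        if not p.is_file():
            continue
        # *.pub files are meant to be shared; everything else
        # (private keys, authorized_keys, config) is owner-only.
        allowed = PUBLIC_KEY_MAX if p.suffix == ".pub" else PRIVATE_KEY_MAX
        extra = unsafe_bits(p, allowed)
        if extra:
            findings.append(f"{p.name}: extra bits {extra:04o} (want {allowed:04o})")
    return findings


def demo_chmod_777() -> tuple[list[str], list[str]]:
    """Build a correctly-permissioned throwaway .ssh directory (constructed
    placeholder contents, not real keys), audit it, then apply the lecture's
    chmod -R 777 and audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh = Path(tmp) / ".ssh"
        ssh.mkdir(mode=0o700)
        key = ssh / "id_ed25519"
        key.write_text("-- constructed placeholder, not a real private key --\n")
        key.chmod(0o600)
        pub = ssh / "id_ed25519.pub"
        pub.write_text("-- constructed placeholder public key --\n")
        pub.chmod(0o644)

        before = audit_ssh_dir(ssh)   # expected: no findings

        # The "fix" from the story: everything world readable/writable/executable.
        for p in (ssh, key, pub):
            p.chmod(0o777)

        after = audit_ssh_dir(ssh)    # expected: directory, key and pub all flagged
    return before, after


if __name__ == "__main__":
    before, after = demo_chmod_777()
    print("before chmod 777:", before or "clean")
    print("after chmod 777:")
    for line in after:
        print("  ", line)
```

Run it against a real account by calling `audit_ssh_dir(Path.home() / ".ssh")`; an empty list means ssh will accept the keys, and each finding names the bits to strip.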
All right, and so the thing is, the real system, these are really important, critical parts. This is why, when we talk about hiring a third party to do a penetration test, you bring in a group of hackers and hire them, and they try to break into your system as it's deployed. They're trying to break into the real system as it's deployed and configured and everything, because you don't want to rely on assumptions of how it's going to be deployed; you want to test the real system.

So what are the other ways we could prove or increase our assurance that, at this stage, it actually is secure? This is one of the massive things, and it's even worth thinking about in terms of the specification: think through what happens if somebody finds a security problem. Let's say you do this internally: what if somebody finds a security problem in your application internally? What's the process for fixing that?

I already told the story about this, so you get it twice. This is actually a major problem that I hear from companies that work in the industry. They have really great security teams that run all kinds of fuzzers and find vulnerabilities in the software that their company writes. Then they get, you know, 50 to 100 really important, critical bugs that need to be addressed. They send those over to the product teams by filing tickets or other reports or GitHub issues or whatever, and then the product teams do nothing, because they have features that they actually have to deliver, and they just keep delaying the fixes on these vulnerabilities. So a vulnerability can get stuck for months and months without getting fixed, even internally. The problem is this disconnect between what the security engineer sees as really important and the developer, who maybe doesn't, because maybe they don't have the context to
understand why this is such an important problem. So it gets deprioritized, features go higher on the tree, and it just doesn't get fixed. This is actually one of the key things: how you communicate a real problem to developers. If you just say, well, there's a crash on this line and it could lead to somebody taking over our system, versus: there's a crash here, and by the way, here's an exploit Python script that you can run against our app and it gives you access to the whole database. Right, so being able to communicate these things is really important. Convincing people to fix things is really important. Okay, that was a long tangent.

So what other ways? We need to think about that fix cycle, because we know that vulnerabilities will come up. How do we address them? What are some other techniques we can use? Right, so we're thinking about extending the testing that we did at all of those stages of the life cycle down to now. What is actually good for us? Maybe we're validating on our own developer machines that the system does what it's supposed to do and is secure and all these other things. But this is already happening in this class; we have some cases of "it works on my machine but it doesn't work on yours," because the environments are slightly different. So, yeah, we want to revalidate those assumptions and make sure we're not just assuming that it's secure when it's deployed. We want to actually test: is it really secure now that it's deployed?
Yeah, maybe a way to fix this, during deployment and configuration especially, is a pipeline system, such that if a change is made by a developer it gets run through that pipeline, and gets sent back to the developer if it fails, and that way something isn't deployed that would break the system. So in our development and deployment pipeline, if we include security tests or security assurance in there, we can at least hopefully not reintroduce vulnerabilities.

There was actually a great bug, I think it was 2011, in the Dropbox app. Anybody use Dropbox? Store anything important on there? I store everything on there; literally my whole computer is on Dropbox. I just work in my Dropbox so it automatically backs up everything. Anyway, you would probably think that one of the core security mechanisms or security policies of Dropbox is: you can't log in as another user. Right? Probably a core thing: only the user who logs in should be able to access their stuff. It turns out they accidentally pushed a fix, or a bug (they thought it was a fix, but it was actually a bug) to their website where they stopped checking passwords accidentally. So you could log into the website with any username, it just had to be an email address, and it would just log you in. To their credit, it was only around for, I think, about five hours, and they had logs of everyone this happened to, so they were able to alert them.

So why do you think a bug like that got through? One thing you might think is that Dropbox doesn't have any tests. I think biases are really important here, right? They probably have test cases that test login: they say, hey, create a user in the database with this username and this password, and then try logging in with that username. So would this behavior pass that test case?
Yeah, because you can log in with that username and password. You can also log in with the same username and a different password, right? So the problem is not having those negative test cases, the security test cases, in there. That can really let these types of vulnerabilities through, and that requires a different kind of mindset when you're thinking about writing test cases. Anyway, I think that's relevant to the discussion about adding security tests as part of the pipeline. The other way of thinking about it is maybe don't do a lot of the assurance testing at every stage going into production, but wait until you have a deployment, or a staging environment that is very, very similar to your deployment, that you can test on, so you can catch those kinds of issues there.

Towards the end of the semester we'll get into actual implementation bugs that turn into vulnerabilities, like buffer overflows. Would you ever specify in the design that attackers shouldn't be able to overwrite memory? Probably not. You'd probably say something in the specification that you don't want any security vulnerabilities. It's very easy for a developer to introduce behavior that actually is a security vulnerability, and so you want to make sure you're checking for those things. At the design stage you're going to think about even high-level access control ideas about who can access what. Right, you can think about that for some of my problems, right? I think Dropbox is a good example: they literally have access to all of my files. So what can the admins do? What access do the admins have? What about Google, Gmail? The question there is, what are the access control policies around people at Google for accessing email? Google's a huge company; can anybody in that company access your emails? You would hope not. And I know people at Google take this very, very seriously.
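The Dropbox discussion above makes a concrete testing point: a positive login test (create a user, log in with the right password) passes equally for a correct implementation and for one that has stopped checking passwords, so only negative tests catch the regression. The following is an added example, not code from the lecture or from Dropbox: a toy user store with a correct `login_correct` and a `login_buggy` that accepts any password for a known user, plus the positive test and the negative tests that distinguish them. The salted SHA-256 hashing is a constructed stand-in for demonstration; a real system would use a password KDF.

```python
import hashlib
import hmac
import os


def _hash(salt: bytes, password: str) -> bytes:
    # Toy salted hash for the demo (constructed; not a password KDF).
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed user store: username -> (salt, hash). One test user.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash(_SALT, "correct horse"))}


def login_correct(username: str, password: str) -> bool:
    """Username must exist and the password must match its stored hash."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _hash(salt, password))


def login_buggy(username: str, password: str) -> bool:
    """The class of bug the lecture describes: a change that silently stops
    checking the password, so any password works for a known username."""
    return username in USERS


def positive_test(login) -> bool:
    """The only test the speaker imagines existed: known user, right password.
    Both implementations pass this, which is why it proves nothing on its own."""
    return login("alice@example.com", "correct horse") is True


def negative_tests(login) -> dict:
    """Security tests: each names something that MUST be rejected."""
    return {
        "wrong_password": login("alice@example.com", "wrong") is False,
        "empty_password": login("alice@example.com", "") is False,
        "unknown_user": login("bob@example.com", "correct horse") is False,
    }


def all_negative_pass(login) -> bool:
    return all(negative_tests(login).values())


if __name__ == "__main__":
    for name, impl in (("correct", login_correct), ("buggy", login_buggy)):
        print(name, "positive:", positive_test(impl),
              "negative:", negative_tests(impl))
```

In a pipeline, `negative_tests` is the gate that would have stopped the "fix" from shipping: the buggy version still passes `positive_test` but fails `wrong_password` and `empty_password`.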
We do research with them on this, and to run any type of analysis on people's emails, it has to go through several layers of review, and you can only get access in a limited window. So there's a lot of procedures and policies they put in place to reduce the risk of an employee getting access to their friends' email or whatever, which is probably more likely.

Cool. The key thing that underlies all of this: if you come away from this class and you just say, well, security is incredibly important and therefore it is the absolute most important thing ever, I think you'll be at a disadvantage, because the key thing is always thinking about this in terms of cost-benefit analysis. This is what organizations, real companies, have to do, even governments. It used to be that the government would make their own CPUs, silicon and hardware. So why did they do that? Yeah, so that way no one else gets at the hardware. It has literally been shown that you can create a CPU that, if you execute a certain sequence of instructions, will give a user-space application full access to the computer: you execute these 10 secret commands and all of a sudden you have total control over the computer at the hardware level. Other papers have shown that you can create a Wi-Fi chip that hides the Wi-Fi password in the physical noise tolerance of the Wi-Fi signal, so that somebody who knows what to look for can just steal the Wi-Fi password from there. So these are all the types of backdoors that people can put in the hardware, which the government wanted to avoid by making their own hardware. But they don't do that anymore. Why? It costs a lot of money, and not just a lot of money, a lot of money. We have Intel in town here, right?
If you think about having to fabricate chips and keep up with Intel and AMD, the literal cost-benefit analysis for that says we can't really justify building our own hardware, except maybe in very, very specific circumstances. So then what do they do? Yeah, so then they have to buy off-the-shelf equipment, but then they want more assurances from those companies, right? So then they need to figure out techniques for how to increase our assurance that this hardware doesn't have backdoors, and there's a whole bunch of issues there.

So what other factors can we consider, top-down? Didn't Intel end up with that issue with the... Yes, so that is Spectre and Meltdown. Basically, do we all know programming and if conditions? Right, so if you think about the CPU, that piece of silicon, it's executing instruction, instruction, instruction, and then it hits an if condition; it doesn't know where to execute next. So what it could do is a very smart mechanism called waiting until that instruction is done and then going on, but that costs you a lot in terms of performance. So essentially what the CPU does is guess: it says, I'm going to guess that this branch is true and start executing those instructions in the true branch, and only if the original guess was correct will I actually commit all of these; otherwise I'll start over from the false branch, for instance. It turns out that, with the way this works with caches on CPUs, you can leak information as one process about either the operating system or another process that you should never be able to touch. So basically a performance feature that exists on almost all CPUs turns out to have massive security implications. So yeah, these are the kinds of bugs that happen in hardware.

So what other things do we need to think about, and what factors should we be thinking about in terms of cost-benefit analysis? Yeah: accepting, mitigating or transferring risk.
Yeah, so accepting. Can you explain a little bit more? If a risk costs less than the fix, then you accept the risk, because that's better than spending more than you need. Right, and we can maybe say that because we believe that the chance of this occurring is very low. So we can say we'll accept this risk, and maybe there is a big impact if it occurs, but we believe the probability is so low that it's not worth defending against. Or it could be the opposite: we may well think this is likely to happen, but it's only a cost of $10,000. So why would we buy a million-dollar system to protect against a $10,000 problem?

All right, what do we have on your side? Mitigating or transferring risk, right? So what would be, let's say, transferring risk? Hiring an MSSP, like hiring a managed security service provider. Ah, okay, there we go. Yeah, so we could basically hire another company to do our security for us, but only if they would actually accept the risk of a high probability of something happening, which would be tricky. We can also buy insurance. Right, what does insurance do? Yeah, in this case I think they call it cybersecurity insurance, right? You could buy that and pay a monthly fee or whatever, and then if there is an incident they will cover mitigation and those kinds of things. But they also would want assurances that your system is up to some level of confidence, right? So they're not going to insure you if you're just not doing anything correctly. So it's interesting for them: they're not willing to accept the risk unless they can minimize it as much as possible.

Yeah, what other factors? Get rid of the risky parts of your business, basically. You could say, hey, our business is not accepting credit cards; our business is selling stocks online, right?
We don't want to worry about credit cards, so we'll outsource that to another company like Stripe, because we can include it in our web page, so we never touch the credit cards at all, and that's all we want to deal with. Yeah, so those are great things.

The other interesting thing here, and it's actually relevant today: anybody use mobile ordering on the Starbucks app sometimes? So when they were first developing this feature, they had this problem of how do we take credit cards in our app, because now we have to worry about PCI compliance, and this is the Starbucks head corporation, whereas before all of that credit card information was at each of the branches. All right, so anybody use one of the first mobile ordering systems? Do you know how they solved this problem? Starbucks cards. Yeah, exactly. They said, forget credit cards. They said, we want to launch this feature; why complicate it by adding the ability to pay with credit cards? So you could put in your Starbucks gift card. They used what they already had and didn't take on any additional risk. They tried this feature, and then when they saw that people really enjoyed it, then they added the ability to load up a Starbucks card from a credit card. I have this information from one of the people at Starbucks, who runs part of the security for Starbucks; I'm going to try to get him in this semester to talk to you, and he told me about the situation they had.

Cool, so going along with that, we can think about risk analysis. An important part of trying to think through, well, do we accept this risk, do we mitigate it, do we try to have somebody else take it, is that we need to ask: should a specific asset even be protected? Right, that seems kind of a silly way of thinking; the security person's answer, you'd think, is probably yes. But is that actually true? No. Why not?
So, yeah, you're not trying to protect that, because... Let's be more concrete: you're probably not trying to protect Wikimedia from unauthorized people editing pages, right? Because that's a fundamental part of Wikimedia. You want to make sure the functionality of the pages is locked in such a way that people can still edit them. Right, so you need that kind of information.

What else? Let's think about this: are all assets equal? So what do I mean by assets? It's important to define that. What's that? Anything stored? I mean anything that is stored. What else? Object code, that's good. Yeah. Resources your business relies on. Resources the business relies on: you can think of laptops, servers, cell phones, basically anything. Yeah, anything that has value, right, could be an asset. It could be, I don't know, a restaurant's chicken recipe or something, right?

So we want to think, well, what threats does it face, right? When we talk about threats, this is why threat modeling and thinking about threats is so important. We want to think, what threats does this asset face, and specifically, what are the consequences if it's attacked? So we could think... This is actually a difficult organizational question: how much do we secure and try to protect, let's say, the CEO's laptop versus an intern who's here for three months doing marketing? Least privilege, yeah. So we need to think through what they need to do their job, right?
So the CEO probably needs much more access than the marketing intern. Other examples, and other types of things to think about: trying to think of what level to protect an asset at, right? If you're going to commit more resources to securing an asset than it is actually worth, then it's probably not very important.

Any other question? The thing I want you to think about is: does risk remain constant? You analyze the situation and say, okay, there's a lot of risk here, so I need to think of a way to put some policies and mechanisms in place. Do those need to be repeated? Yeah, so you can think of it as the asset itself doesn't change, or it may change, right? So the software that's running on it... Yeah, that's a great point. And the other thing is, even if the asset itself, let's say, remains a hundred percent set and doesn't change at all, think about something like Google's next quarterly earnings. Is that confidential information? Why? Because they influence the stock price, right? So if you're able to get access to that, you could guess how the investors would respond, and so you can buy or sell or short the stock before the quarter. Right, so that information is legally required to be kept secret. I don't remember exactly what the laws are, but I think they're required to keep that information private until the earnings report. And at that point, what is that information?
Public to everyone. Which means, if you think about, let's say, that data being on a server: you really care about the confidentiality of that server right up until the earnings report comes out. And then when the report comes out, you actually don't care about that server much at all, because there's literally no important information on it; everyone on earth has access to the information that's on that system. Or, if you think of the data as an asset, you do it that way. Right, so this is kind of again trying to reinforce the fact that risk doesn't remain constant. It changes based on context and what's going on.

So then how do we quantify risk? Quantify by the business impact, right? You could say, what's the business impact, maybe in terms of dollars, multiplied by the likelihood that we think this event will occur. What are some problems with that? I think the key is that there's a lot of complexity to that question, right, trying to answer what the impact would be. Think of a phishing attack against an employee that gives somebody else access to their email. At that point, now they can start sending out emails to the other employees of the company, maybe tricking them into... so one of these is called BEC, business email compromise. So the idea is you break into, like, the CEO's email account, and then you email accounting and say, hey, I'm at such and such place,
we need to transfer $40,000 to this account so that I can close this deal. And if you don't do this, you know, you need to have this done in the next 10 minutes or else I'm going to lose this deal. And a lot of times that will just happen, right, because the CEO demanded it, and people are used to giving in to the CEO's demands.

I heard a great story where a pen testing team was testing a company, and what they did is they called the CEO in the middle of the night, over and over, until they got recordings of the CEO yelling. And then they used that to call the IT department and start yelling about not being able to access their email and that it says their password is not valid, and so the IT person, with just a call, gave them a new password and just changed the password.

So, yeah, it can be difficult to quantify risk because it's difficult, I think, to always predict what an attacker will do. Another risk here, I would say, is that it can be kind of easy to tweak the numbers to make the risk be whatever you wanted it to be, if you're trying to quantify the risk. Right? Can you honestly say you understand the difference between something that has a point five percent chance of happening, a point one percent, or point zero one percent? Those kinds of frequencies are so small that it's hard to get an intuitive handle on what they mean. And it's easy to say, well, it could be a $10 million breach or it could be a $50 million breach; it's hard to predict those in advance, and you can kind of swing those whichever way you want. Anyways, I think there are ways to quantify this. I mean, it's slightly easier than assurance, maybe, but it can also be done.

Okay, the last thing, well, second to last thing in the overview, is we're going to talk about laws and customs. So why is this important to
security? It is a requirement for credit card companies. Credit card companies are very smart. They created a consortium and came up with these standards that they've essentially self-enforced. So they say, if you're going to hold our credit card data, you must abide by these PCI compliance requirements.

Yeah, what other laws are there surrounding that? Yeah, so there are a lot of rules around... there are a lot of them. In the EU there's the GDPR, which specifies a lot of things around what kind of data can be held where. Anybody do any work at a company that needed to do GDPR work? Yeah? Was it fun? It's exactly the same thing I've heard. Yeah, so it's really difficult. My friend worked at a company, and he was saying that things like, let's say I'm a group chat application, things like the name of the group can be considered personally identifiable information. You have to make sure that either that data never leaves a data center that's in a certain country, or that you have some process for removing that information or replacing it with a unique identifier, and that's the data that you store in all of your analytics and everything. Anyways, it requires a lot of rethinking of how to actually develop these applications that maybe were done this way for 15, you know, 20 years.

HIPAA requirements, yeah. So HIPAA requirements control access to health information and govern... so if you were a company that wants to handle health records, you'd be very familiar with all these requirements and guidelines. Yeah, what's the other one? Yes, I'm not as familiar, but I know there are... I don't know if there are laws or FAA requirements, probably... that's one of their restrictions there on what type of things happen.
Yeah, it's like compliance. So, like finance: terrorist funding prevention and money laundering. Yeah, so there are a lot of laws surrounding financial institutions, and a lot of compliance laws there about things they need to report and things they need to do, and some of those are tied into anti-terrorism laws, right.

Copyright laws, yeah. We need to be familiar with those; make sure not to run our own pirated version of the software, breaking copyright.

What about all of you? Nobody's mentioned the one that I said applies to every one of you. Yeah, FERPA. Do you care about that? Like, if your parents call me or email me, which has happened, and they say, why is my student doing badly in this class or whatever, I say, well, I'm sorry, I can't discuss a student's performance in class with anyone without the explicit approval of that student. Right, so that's part of the FERPA laws: your grades and student information are super confidential, and I won't share that with anyone else without your explicit consent. So as soon as they know that, we need to be concerned about... yeah, any other ones?

Arms control acts. Oh, yeah, wow, that's good. Yeah, so actually there was a big fight in the 90s about cryptography and cryptographic algorithms. The US government tried to claim that those were subject to arms control and export laws, so we couldn't export those things, except there was, I remember, a weird loophole. Because technically these algorithms are really just math and equations, but they were trying to classify software as an export that was subject to these arms requirements. What they would do is they would write programs and then print a book of the program, and a book can be sent to another country as published information. And that's how they would share cryptographic algorithms: print out a book and send it out to other countries. And that's how they would actually export these algorithms.
Yeah? Oh, what they'd do is they'd print them on shirts and classify it as art. There you go. Or print it on a shirt and classify it as art. That's funny.

Yeah, so we need to think... yeah, please. The Huawei thing, I think, also goes to the cost-benefit analysis and the risk thing that we were talking about, specifically with the government relying on commercial off-the-shelf systems. So the government basically decided that Huawei is essentially controlled... the Chinese government has a lot of influence in Huawei, is probably the best way to say that. And so they didn't want to take the risk of taking on any hardware that could potentially be compromised by the Chinese government. I don't know if they explicitly did a law around it, but they definitely have some policies in place; even for us as researchers, we've had to think about accepting a grant from Huawei while also having grants with the government. Yeah, it's an important thing to think about.

So, specifically connecting to what we've talked about, right, laws can kind of restrict your policies and mechanisms. We talked about companies in the past, not companies but countries, that have laws regarding cryptography. And the other thing I think about here is, for instance, maybe even as a good case, Google and Gmail, right? Is it possible for privacy laws to restrict an admin from performing their job? Or you can think about FERPA laws: your data as part of that is also protected under FERPA, and if you say, hey, I have this problem with my email, an administrator may not be able to fix it, or may have to go through several levels of authorization to get access to your email so they can actually look into it and debug the problem, right?
So we have to be aware of these things, because we need to make the proper trade-offs, and they restrict basically what we can do.

What's the difference between laws and customs? Customs are kind of like social policies in some sense; they're things that we've kind of agreed to. One of the cases where I think this gets really weird is: anybody have a work laptop right now? Can your employer see all the websites you visit? You know that for a fact, okay. Yeah, right, why can they do that? They can snoop on your traffic: they put a certificate on your device that trusts anything from the company, and so that way, all of your encrypted communications, they can essentially legally man-in-the-middle, because it's their device and they can do whatever they want with it. Right, whereas that can vary based on different laws; it can vary based on different customs.

And one of the things I really like to think about with this is: there was a news article in 2017 about microchip implants for employees. So a lot of companies have like a badge that you use to get access to the building, those kinds of things. This company wanted to put a microchip in your finger that would act as your badge, so you could put your finger on the door and the door would open, and you could go to the employee cafeteria. What else? Like a bracelet. What happens if that goes off at a metal detector?
Okay, yeah, but then do you tell them before you go through it in case it does go off, or no? That's true. You're like, I forgot, it's part of me now, my body. I was just thinking it would be a lot less of a worry if you knew all the capabilities of it, but microchips are just super complex. Think about it: somebody said they could have a 5G chip in there that's connecting to AT&T that you don't know about, and then the company has access to every place you go.

I like the idea. I had to make so many badges for people and it was so annoying. Yeah, every time people forget a badge or lose a badge, you have to make a new badge. So yeah, it's super interesting. Have you suddenly had the idea that somebody can hack your finger? That's true. What are they going to do with it? I don't know; you said they can hack your card? They've gone through Google Maps and gone to places like Venn or something like that. Yeah, you see how you're literally carrying a device in your pocket that's telling another company exactly where you've been the whole time? I guess you don't want it with you when you're sleeping or popping out. I don't think it's effective. Like, RFID already had problems before; people have been able to scan and take information from people's credit cards, and they had to come out with those aluminum wallets to prevent against it. Yeah, you can assume, well, not assume, but sure, maybe there's even a better version, or maybe they've done it. Maybe it's not using RFID; I don't know if it's exactly RFID, so maybe it's a new thing that's better and more secure or something. Yeah, what does this solve that the usual fingerprint doesn't? That's my only question, because a fingerprint isn't, I mean, 100% reliable for everyone. Yeah, that's interesting. I don't know, but that may be much more expensive to deploy than using the standard things that are already in people's cards.
Yeah, it says they have 80 employees at their headquarters. Yeah. There are like two example things; it doesn't sound like they're actually getting a lot of use out of it. It's like swiping into the building or paying. I think they still have this program in place. I have no real opinion on the matter. I mean, I think it's super weird, but I also think it's very cool. There was a story about somebody who implanted a magnet under their skin so they could feel magnetic fields, like walking past a power generator, because the electricity generates a magnetic field. So they got to develop this sixth sense.

Okay, the final thing we need to think about in terms of security is the humans, right? So we've talked a lot about the mechanisms and policies, but at the end of the day humans are involved in a lot of these processes and procedures, right? So we want to know: who is responsible for the security of an organization? How does that impact what you can accomplish? If the person who is accountable for security doesn't have a lot of influence in their company, their advice may not be heard by the top people, or may just be ignored, right? Yeah, so literally, if you think about the organizational structure of a company, who reports to whom and who has organizational power over what, that has a very high impact on what security can do. Right, if security is a subsection of IT, so you have a security manager reporting to an IT manager who reports to the VP of engineering who reports to the CEO, that's a long chain that information about what security needs has to flow through. Whereas if you have a CISO, a chief information security officer, who reports directly to the CEO, they have a lot more say in what goes on in the security of the organization, right? And specific things like how much budget do they have, right?
How much organizational power do they have? That's what we just talked about; those are super important things to think about. And the kind of closing thought here is that we need to be considering people and systems, right? It's not enough to just think about systems. This is the key thing: a lot of you are computer scientists and very much computer people, which is why you're taking a class like this. It's very easy to think just in terms of systems and programs, and, like we talked about, automated pipelines for security testing and automated deployments and those kinds of things. But at the end of the day you have people, right? So when you're thinking about securing maybe something larger than just a software system, or even a software system, we need to be thinking about the people that are involved in those systems, and what we can do to help them.

And it's also like we talked about with the phishing examples, right? Phishing emails are a great example of something that targets humans. Some people... I was very, very close. I almost sent... oh, no, I didn't almost do that. What happened was I got an email from Kyle Squires, literally right before I was about to board a plane, and it said, I'm going to be without cell access or without access to something, can you get something for me or do something for me, or something like that. And there are some cases where you have to talk to a dean, or over the phone or whatever, so I was like, yeah, sure, whatever you need, let me know, I'm about to board a plane. And they responded, great, for the first step of this. But if you look at it psychologically, I was in a situation where I had a deadline, I was just about to board a plane, and I got an email in Mail, the mail app on the Mac, which by default doesn't show you the email address.
It just shows you the person, and the layout of the email is exactly like Kyle's emails look. And so yeah, I was very, very close, but then when I saw that, I'm like, well, Kyle would never need this. But that's not to say it doesn't happen. I know some people that have actually fallen victim to this scam. I know one person who's a lawyer, and they were driving back from a case right around the holidays, so they got an email from a partner that said, hey, I need 10 $100 iTunes gift certificates. And so they drove to the nearest grocery store, bought them, scratched them off, and sent back all of the codes. And they said, great, I need another 10. And it wasn't until a few days later at the holiday party, when they were talking with other people, that they're like, yeah, it's super weird, like so-and-so asked me to do this; why didn't they ask their admin or something to do that? And they're like, oh... So it gets even smart people at the right time.