 So I hate to spoil the surprise, but perfect security really is not possible. It's more of a matter of how much effort do you want to put into mitigating the types of risks that you have in your system. So on the one hand, we could have the zombie a copalypse at any moment now, but is it really worth preparing for this event, right? I mean, it's possible, but it's such a small percentage that maybe we shouldn't spend billions of dollars building infrastructure from a security point of view for something that won't happen very often. So let's take a look at security in practice and look at the top sort of issues that happen on a regular basis. Like I said, it's a cost-benefit analysis, right? So as you as an individual or working as an organization or a school have to evaluate what are the specific threats that we face in our environment and how should we protect against them? And really it's a trade-off between how functional you want the system to be or how invasive you want the security to be. So if you create a security policy that's too invasive or too irritating to your users, the users will actually rise up and undermine the security of the system. And they do that unconsciously, right? So here's a picture of somebody who has all their passwords written down on a sticky note because the passwords are so hard that they can't remember them. And now instead of having a secure system, somebody can go and take a picture of this sticky note with their phone and they've compromised the security of the system. And this pattern sort of generalizes to lots of things. In Windows, for example, when you have to do something administratively, it gives you a little message, do you want to do this and you have to click yes or no? But that irritates so many people that they just always click yes and it's as if the thing doesn't even matter, right? So they might as well not even have that feature in the operating system if it trains their users to always say yes. So this is a big issue with security and practice. And let's take a look at a couple issues that we actually can solve. And particularly, we solve these types of issues with encryption. So we had this lab last week with Wireshark where I had you take a look at HTTPS traffic or secure HTTP traffic. And you notice it was all just scrambled binary data, this application secure session data or whatever Wireshark referred to it. And what this basically means is if someone's looking at your traffic, this is called sniffing. Now, we talked about sniffing on an operating system, this is now sniffing on a network, right? Sniffing in general just means looking at traffic that's not yours or having access to resources that aren't yours. And so like I said, the way to get around sniffing is by encrypting your session and making all of the transmission scrambled basically. And the way we do that is with mathematics. So there's simple mathematical formulas. We'll take a look at one in the lab this week for scrambling or encoding a transmission. And this is called a secret key or particularly if we're using a symmetric encryption environment, we just have to pick one key that will both encrypt and decrypt the data. And the chances of guessing this key is really hard because it's such a big random number. But the problem here is how do you get a server and a client or two individuals to agree on what the key will be? It's not like they can just say, oh, by the way, I'm going to use this key because then somebody eavesdropping that communication has the key as well, right? So key distribution is a hard problem. And because of that, we have a more sophisticated method of doing encryption in the world today called public key encryption. So public key encryption helps deal with the fact that it's hard to distribute keys. And instead of just having one secret key, in this scheme, we're going to have a pair of keys. And in fact, we're going to make one public. We can just post it on the web or distribute it. We'll talk about key distribution in a minute. But the fact of the matter is it's okay for everyone to know your public key because all that enables them to do is encrypt messages to you. The other key you keep private and that's the key that you use to decrypt those messages. So the public and the private keys are actually more or less inverses of each other. If I encrypt a transmission with my public key, I can decrypt it with my private key and vice versa. If I encrypt with my private key, I can decrypt with my public key. Now, what's nice is there's all sorts of different techniques that we can use with these key pairs, not only encrypting messages but also establishing your identity. Let's look at a scenario where we want to establish identity. This is a technique called spoofing. So typically you're a user on the network and you want to go through and access some site on the internet like let's say Amazon.com. And there's actually techniques where a malicious user can come in. If they sit between you and the internet, they're able to trick routers into sending them to you first. So this user can go off to Amazon and become a man in the middle or a woman in the middle, however you want to look at it. So this person in the middle here is impersonating Amazon. In fact, they can even download their website, change it slightly and then send it on to you. And you think you're communicating with Amazon the whole time but you have this person who has spoofed the hub or switched between you and it is masquerading as this service. So maybe they're monitoring your credit card transactions or they're trying to purchase other items that you didn't choose and have them shipped to them instead and so forth. So digital signatures are what we use to deal with this. And typically when you go to a site like Amazon or you go to look at your grades on campus or you go to your bank, that little green lock lights up in the web browser that shows that there is a certificate for this site. And there's these authorities like Symantec or Komodo or GoDaddy which are basically trusted companies. Of course the trust has to start somewhere. And these people basically go through and verify the identity of other servers. So what happens is they take the public key of that site and they encrypt the public key with their private key. Now you have the public key of all these certificate authorities built into your browser. So you're able to decrypt the public key of say Amazon and then you know because you're able to decrypt that using a trusted authority that that public key actually does belong to Amazon. Now if you're able to establish a communication with Amazon and it's working back and forth with this public key that you believe is theirs then you know that they must have the private key and that's what establishes their identity. So like I said we use encryption keys not only for encrypting the traffic but also knowing that the person or the website on the other end is who they say they are. And both of those are important to deal with spoofing and sniffing. So in short let me just take it back to the textbook where it has a short discussion about legal issues and how can we prosecute people especially internationally who commit these types of crimes. The legal issues here are stealing information, eavesdropping, doing a denial of service or even a distributed denial of service internationally or also cyber squatting. By the way cyber squatting is where you go and you buy a bunch of domain names that are similar to another one like so instead of google.com you might try to get gogle.com. Just something where someone might get a typo for a site that they're trying to go to and then you can masquerade as if you are them. These are the types of laws that have come out over the years so the CFAA and the ECPA and the USA Patriot. By the way all of these are acronyms including patriots so you should go look up and see what they're seeing stand for and what they talk about. But basically typically people are prosecuted if they still quote anything of value or if they're doing any sort of monitoring or privacy breaches and cyber squatting people are usually prosecuted on trademark laws so you can't go take a domain name that's too similar to a registered trademark because you're violating the law in that sense. But you know there's a lot of gray issue in all of these and it's not a perfect system and we're going to continue to deal with these types of problems as a society for the years to come. Finally I just want to point out one useful site from the US government so this is from CERT and they're the computer emergency readiness team that's what CERT stands for. You can go to their website to this tips links here and it will show you a bunch of good computer usage techniques things you should do things you should not do to remain secure online and they also continue to come out with different advisories based on the threats of the day. So that's security in a nutshell we've looked at some of the issues and some of the solutions and common techniques and the things that I would really like you to focus on at least in this video is understanding what the CIA triad is and what those letters stand for how to define security and the different aspects of it and also what the most common threats and solutions to things are and particularly how we deal with sniffing and spoofing. So that's it for the week we'll see you in class tomorrow and in the lab on Friday.