Alright, let's get right to it. So we left off on Tuesday talking about threats. What else are we talking about? We're talking about threats. How does it defend against them? What was that? Somebody over there? Because it's security. Yes, in the back, anyone? Yes, what's one of them? Confidentiality. Integrity. What's the third one? Availability. There you go. You're already security experts. You're well on your way to becoming some. So, what we left off is we wanted to talk about a clicker that doesn't work. Oh, batteries are dead. That's right. Okay, so the system that we wanted to defend is a house. That's important. So, we want to defend the house. We're put in charge of defending this house. So, how do we go about thinking about securing this? Maybe. Identify the threats. Identify the threats? How do you go about identifying the threats? Identify the entry points. Identify entry points. Let's get in closer. So, how do you identify the threats? Maybe we want to identify where people can enter the system or this house. What was that? Doors and windows. Doors and windows. Do you want to identify those? Try to think about how somebody could invade property. Think about how somebody could invade, but invade what? Yes, to find what this house does. Right, so that's an important thing that we're missing here. If I decide to defend a house, is it a tree house? Is it a one-bedroom apartment in a condominium complex? Is it a shared town home? Is it a one-story standalone house? Is it a two-story house? Is it a duplex? Is it the White House? Would you maybe think about threats differently if I asked you to defend your home versus the White House? You might have a different threat model in mind and different adversaries there. So, it's important that we kind of define what type, and do we only care about the house? It's a two-story house with windows and doors. This depends. Do you have a yard? What is the yard like? What's surrounding your house? 
Yes, we need to know the context of this house, right? We can't just think about the house in isolation and think of it, even though we will do that. You need to actually understand the system and the context the system is being used in. So, here we need to understand, is this a two-story house that's on a 10-acre property? Or for those that don't know metrics, it's very large. I don't actually know how to translate acres into other units. But it's a fairly large property where there's nobody else around it. Is it in a desert area like Phoenix, or is it in a wooded area? Is it instead in a subdivision or some kind of suburban housing, where there's going to be a very small lot with other houses all around it? And why are all of those things important to think about? You have different ways of providing security for those houses. Yes, so you may have different security requirements based on the house and where it is. If the house is in Phoenix, you may care about preventing scorpions from getting in. You may not care about that in other environments. And it also helps you think about the different threats. So different environments could have different threats. So if you know there's no houses around for miles, you may have different threats than if you have neighbors that look directly into your apartment or your building. This could give you different types of threats. So what do you want to go with? Does anyone want to describe their house or a house that they know? The information they can find out. So we'll go with a two-story house, built-in three-car garage, so two garage door openers, a yard in the back, kind of classic suburban area. So there's other houses around. Not a cul-de-sac but on a standard kind of street. So what else do you want to know about this house so that you can understand it? All the entry points. What's an entry point? A place that a living thing can get through. What kind of living things? Animals or people. 
So is this just doors and windows that we're talking about? What else are we talking about? What was that? Pipes. Yeah, your water, the clean water, the sewage, those are all entry points into your house. What else? Ventilation. Ventilation. So your AC unit has to have some way of getting air in and out of your house. I'm actually not a construction expert, although it's funny we're in a construction building so we can probably go ask some people about all of these things. So we need to think about all of these types of things. We need to think about where are the doors, where are the windows, but we need to go further, right? We can't just think about those things that we think are standard, right? Doors and windows, that's how normal people get into a house. Because attackers are going to take the path that gets them into the house, right? Attackers are not restricted to use the most common path into the house, right? I mean if the front door is open, yeah, they'll just walk right in, right? But if the front door is locked and the doors and windows are locked and there are bars in the windows and whatever, we get into different mechanisms, right? And maybe they'll think about going in through the water system, which would be gross, or the sewer system, which would be even worse. But there's other ways that they could try to get into the house. What do we want to, yeah? I was going to say the walls, the density of the walls as well as the energy. Yeah, so depending on what type of threats we're facing, right? A wall is not an insurmountable, and we've all watched enough criminal caper movies and bank robbery movies to know that a wall is definitely not a complete barrier, but it's definitely more of a barrier than, let's say, a door or a window. So what type of threats do we want to think about? What types of threats can we think about as a group here for this house? So I guess we should take a step back. What are we trying to defend? 
People and possessions in the house. People and possessions in the house? So how do, that be phrased as like a high level kind of, what's our kind of goal? Data. Data? It's getting a little meta. Assets, so we care about the things in the house, we care about the assets in the house, we care about the people who may be, but do we care about all people in the house? If you enter the house, are you automatically cared about? That was a rude question. Yes, okay, so we care about the people who live in the house. Why is that a distinction then from who owns the house? Yeah, it could be renters living in there. So then, actually, the owner still may need to get into the house at certain points, but there are legal restrictions on when and how they can access the unit, right? And then, so there's the owners, there's the people who live in the house, and then anybody that they say that they want in the house, right? And the important distinction there is we don't really care so much about the people who aren't authorized to be in the house, right? We're not trying to defend them. Is that it? Anything else? Yeah, so actually, I guess you can kind of file that under the functionality of the house, right? Why do we have houses? Part of it is to protect us from the elements, right? Which is something that we kind of forget, although maybe we don't forget it so much from our inside of an air-conditioned room, right? So we want to, you know, yeah, so we could maybe think of securing the house by making it a giant metal box with no windows and only one entry point. That would probably not be pleasant to live in. So then, what kind of threats are we worried about? Or can we think about? Are you worried about aliens coming and abducting you from your house? Maybe. Let's go with why not. Why would you not be so concerned about that? It's a common threat and it's a highly improbable threat. 
I'd say we can consider aliens beaming you out of your house to be outside of the scope of our threat model, right? So we want to limit ourselves to things that we believe are physically possible. So that eliminates a lot of crazy threats that we can just say, I got somebody mad at you out of your house. Okay, well, that's a different type of threat model and that's a different type of threat. So what types of threats should we consider? Burglary. Was that breaking and entering? Burglary? So somebody who... Someone that we don't intend to come in. Yes, so somebody that... Yeah, we'll call an unauthorized person. So somebody that we do not... Or the person living in the house does not intend to be there shows up as burglary. But what about things like the fire department? If we want them there, what if your house is burning down and you're away and they can't reach you to authorize them to go inside your house? My house burns. That's not house burns. That's what I'm saying. It's a friggin' metaphor, dude. Security through burning. I think they have been applied to access those. Lots of houses burning. Yeah, so that's part of it, right? Because we want to think about these scenarios where maybe we don't authorize somebody explicitly to say yes, you're allowed in my house, but we kind of have a blanket policy. The fire department can enter that house, or they will enter it if they have to. What about police? That's a tricky question. Your authorization or a higher authorization that supersedes you, the warrant, et cetera? Yes, so then that would get into legal aspects, right? Where they would need a warrant. They would have to go get a warrant and they have certain procedures and policies they follow, but they do have a legal, and I'm not a lawyer so I probably misuse terms, authority or right to enter your house at that point. Right, so breaking and entering is kind of even that simple one. Yes. Pests? What was that? Pests. Pests. Like a scorpion? Yeah, I see. 
No, I should tell the story. Yeah, like environment or weather. Yeah, so environment or weather, so we want to make, how do we phrase that as a threat? So we're worried about people, unauthorized people breaking and entering, or let's say we're worried about unauthorized people entering into the house. We're also probably worried about them breaking into the house and then leaving. Right, how does that differ from something like a prison? Anybody ever watch Prison Break, the first season? You're only trying to get out and they're just trying to break in. Exactly, their only threat model is people leaving, right? They don't actually care about people breaking in. I mean, I'm sure they would care, but not as much as they care about people getting out. Right, contrast that with the house, you actually care about both, right? You don't want unauthorized people to enter your home. You also don't want unauthorized people to leave your home, right, with the stuff. I don't know how you design it the other way, but you've got to be explicit and you want to think through all these threats to make sure you're covering these aspects. What else? Resources that are used by something in the house, like say energy, we want to make sure that neighbors or someone else wasn't stealing the power that we're paying for. Ooh, that's a good one. Yeah, I thought about that. So yeah, so there's certain, certain services, certain kind of inputs to our house, our water, our power, our cable box, satellite, whatever, right? So we kind of want to ensure that we have exclusive access to those resources and somebody isn't trying to siphon off those resources. That's a good one. So this is fun, this is a fun part, yeah. You don't want things falling into your house that you don't want to, let's say, crash into your house, like a plane or something like that. Like a plane, okay? It's happened in the last two years. Could, yes. That's interesting. I'm not sure how to just protect it. 
Yes, but it goes back to the security component that we talked about, making sure that your house can properly shelter you. So this would kind of violate that. What do you think about a tree falling? I think that's more in the realistic threat aspect, depending on where you look. A cactus falling. Yeah, so maybe it's important to think about the security, not just of the house itself, which we have been focusing on, but also the surrounding property, right? I don't want people to find my buried gold bars in my backyard that's on my property, right? So that's actually a really good one. Let's ignore it a little bit for now and just say that we just want to focus on the house because we can go crazy with this. I don't want to go too crazy. What about exceeding authority? So somebody you allow to come in, but then they remove your credit cards when they leave. Okay, so good point. So is anybody allowed inside your house allowed everywhere in your house? It shouldn't be. Right, so yeah, that's a good point. So there may be other, so there's not only other threats of an authorized party entering your house, but leaving with one of your assets that does not belong to them. But then there's also this component of authorized people entering your house, but entering areas that you don't want them to go into. You need to get better friends. Sounds like you need to get better friends. Yeah, that's a good, true statement. That our service is that which tries to link your stuff. What was that? That our service is that which tries to link your stuff. Get friends that don't steal your stuff. Our services, like you have someone come into your house to clean up or something. Exactly, yeah, so you hire a cleaning service to come in, they're only authorized essentially to clean your house, and they literally clean you up and steal everything. And you throw it through the crispy of water. 
Yeah, so that's actually, so yeah, so that affects your environmental comfort in your house, you could say. So somebody could, at a very coarse level, just take an axe to your power ports, right? I don't know if that would kill you right away, I don't know how. I'm a computer scientist, not an electrical engineer. So yeah, they could do that, or they could, let's say, even something crazy, like hack into the power grid of the local, what do we have here, SRP, and then disable the power to your specific house, and do that when it's 120 degrees outside and you're gonna have a bad time. You might have pets you don't want out of the house. Ooh, good one. Yeah, so we may have pets, or we may have pets that we want free rein in and out of the house, right? So they have doggy doors that people install, but that has other issues. But yeah, so there may be living things, people, well, I don't think people, not maybe kids. I mean, I don't know, you probably don't want a kid to go outside of the house at all times whenever they want. What about people who you allow to come in and then they refuse to leave? That's a good one. So people who you have authorized to enter your house, and now you want them to leave, so now they are not authorized to be there and they continue to be there. Yeah, so actually, there's this whole problem with squatters and squatters' rights and there's a whole legal thing behind there. So yeah, it's interesting that that's actually, that situation comes up and people have to deal with it. Traffic around your house? Like also like major roads and things like that that may be near you, or maybe people or teenagers decide that they might drag race past your house. So maybe that would be, let's say, we didn't really talk about it, but currently, quietness of your house or you're being able to, there's a term, quiet enjoyment or something like that. 
Yeah, so maybe a part of that environmental thing if you want, you know, you want the house to be livable, right? And so it's so noisy. Yeah. Oh, arson, yeah, yeah. So people causing any kind of damage and I was thinking about the cars if somebody drives a car into your, apparently it looks like it only happens in movies, but... Do you know what happened to my house? Did it happen to your house? Yeah, I think I had a wall porch in mind. That's good. Yeah, so arson, so somebody burning down your property your insurance company might be worried about the threat of you yourself burning down your property for the insurance money. I get the threats that we, yeah, so pests, so not only, so we kind of talked about, I don't know, scorpions are pests for you, right, for the people living in the house, but you've got other pests like termites which actually cause active damage to the property and can completely destroy your property. Yeah, so I feel like you're kind of getting at like the privacy aspect a little bit, right? Like people seeing into your house? Yeah. I see, okay, so you could, so, yeah, so people coming into your house basically, or you could even think if the plans of your apartment or house are like public knowledge and listed publicly somewhere that people wouldn't know kind of the layout of your house. That's good. Yes. With like smart homes and stuff, for instance, you probably wouldn't want people taking control of your thermostat or that various stuff, so kind of the network inside your house. Yeah, so even if we, let's say, if we kind of abstract out a little bit up and say, you know, there's a lot of environmental controls and things that control the heat in your house, the water, these are kind of all kind of related, right? Yeah, so electricity, do you want to make sure that your authorized parties are in control of that? Yeah. So air quality, like, yeah, air quality, that's a huge thing here. 
I was actually shocked when I moved to Arizona and you had to replace your air filter every month. I didn't understand what they were talking about until I saw the desktops. Yeah, so that's a good one. So, yeah, we talked about different scenarios with authorized and unauthorized people, but the one we didn't talk about is you invite someone into your home and then they let in somebody else who is not authorized. Yeah, cool. Okay, you do this for a long time. So then what are some policies we should put in place in this home? What could we put into place? And what types of threats would these policies combat? So A and B, do we want to consider all of these threats, are all threats equally valid? And threats, we just put a home security system in. So is that a policy or a mechanism? Mechanism. Mechanism, yeah. So a home security system would be a mechanism that you could put in place. I'm going to force what? So what would the policy be? Like, who's supposed to come in and who's not supposed to come in? So you want to describe the home security system you had in mind so we can... Just like one that basically you have to enter like a code. When you enter the house, within 15 seconds of opening the door, to verify it's who it is and you know it's allowed in the house or you know that person's allowed in the house. Cool. Okay, so this is a good example. So let's think... So the policy would be essentially something like... Who has access codes. Yeah, only people who know the code can enter the house. Right? And the mechanism would be a security system. Does everybody have experience with this system? With these systems? Raise your hand if you have. So yeah, so basically the idea is so what do you have to do? So as a mechanism what do you have to do every time you leave the house? So the apartment. You have to have the apartment. So that has to then be part of your policy. Right? 
So your policy should state only people who know the access code can enter the house, and every time you leave the house you must arm the security system, because if you don't arm it then it's basically useless, right? So depending on how you do this, you can, as soon as you open the door, you have this kind of beeping sound, and if you don't put the code into the system in a certain amount of time they may call the police and the police will come. So does this mechanism and this policy combat the threat of unauthorized people entering your house? To what degree? You had to make sure that all the windows were closed and all the doors were closed. Why? Yes, so they put sensors on the doors and sensors in all the windows so that you have to start in a closed system state where all the windows are closed and all the doors are closed, and then the sensors should be able to detect when doors open or windows open and then they'll go off. So we need to know more technical details about the exact mechanism we're talking about. Because that can influence how we think about how effective this policy and this mechanism, or how effective the mechanism is at implementing this policy. So let's think about the threats, so this is kind of the unauthorized access threats that we talked about. So does this policy and mechanism combat the unauthorized people, so let's say people you don't know, entering your house? The passcode. As long as it, what does that mean? That people don't share it or guess it, or I mean it figured out by the way that if your passcode is all there someone might figure it out pretty easy. Yes, so it can to a degree for people who don't know the codes, let's say, so the problem is there's not 100%, the people who are unauthorized is not the same set as the people who do not know the code. Right, in the terms of sets. What else? Well it seems to me that the security system doesn't really prevent people from getting in, it just catches them once they're there. 
Yeah, so that's a great point. So what type of mechanism would this be? The prevention or the detection? Unauthorized detection. Yeah, it's a detection mechanism. It's fundamentally not going to stop, so if somebody breaks a window and gets in the alarm will go off, but they're still in your house, so they still have that time delta from whatever the police are called to when somebody comes to actually do whatever they want to do. So is this an effective, or should we all go out and buy these things? If the, who was that in the back? Yeah, so the threats in your area warranted, or if the assets that you're protecting warranted, right, a lot of you are students and I remember graduating as a student, all this crappy furniture I could just burn. So, not to say that you guys don't have valuable stuff. So, yeah. I mean, we're also going to want to ensure that the windows, the coins ventures, etc. are secure at both. In the first place, do they have locks? Do they have? Yes, the policy of this mechanism didn't talk about anything about locks, right? So if we just have a security system, that's the only mechanism we have in place on this house, we didn't say anything about locks on doors. I mean, it seems kind of silly because we always think that doors have locks, right? But that's actually an explicit mechanism that needs to be added to a door, because if you don't have that, then they're just doors that anyone can go and open. And you have their security system, so yeah, somebody can get in. So it seems like that mechanism alone is probably not enough, right? Because it's only going to detect and literally anybody can get in. That's the only mechanism, yeah. It also wasn't specified that there was anything that detected if the glass was broken, so you could bust open the window and it wouldn't open the window. Exactly. So this is where security gets really interesting because it depends on the technical details of these systems, right? 
So this security system, I don't know if they use vibration to detect when windows open, but there's always those, I don't actually know if these tools exist. I have to assume they do in movies, but if anybody looks it up, the things that will go and cut the circle of glass from the window, right? There you're not vibrating or moving the glass. I'm pretty sure these sensors would not be able to detect that, but I don't know. I think they have the heat sensors. Cool, yeah, and I know some of the ones have motion detection cameras inside the house so they'll fire on any motion, but those are still also not, potentially not foolproof. So what other policies and mechanisms do we want to add to make this system more secure? Maybe like, if you don't feel secure enough for your door, you maybe have a gated front yard or back yard in a way. Okay, so we're going to put a gate around the property to kind of maybe prevent people from getting in. Let's ignore the property for a second and just talk about the house. You could add a trap to that. Traps to the house? How do you ensure that only those traps go off on those who are unauthorized? Get a way to just arm them from the outside. Maybe if you know where it is you can sort of hook it or put it off again. So you can set up crazy booby traps in your house that people would have to disarm and you would have to tell people about. I think if you get into a weird family with any problems here you would not want to do. So do not do this in your house. I don't think we can have a moat with alligators around here. Yeah, I don't know. Policy, just a policy issue. If you have children, the policy for them is they don't bring anybody in the house that as a parent you don't know about and have authorized. So part of policy, there's technical mechanisms, so the security system would be a technical mechanism. But this would be more of a human procedural mechanism where you say that's part of it. 
Part of policy, if you're living under my house my rules would be if you're under a certain age or just tagging the kids you cannot bring, you're not allowed to authorize parties. Only the adults could authorize parties. Yeah, that's a good addition to the policy. If you have neighbors, they can know your neighbors who's supposed to be in the house. So if they see someone that's not who they know is supposed to be there, they can call. Interesting. So yeah, that would be let's say a community policy in some sense, or a neighborhood policy where you kind of talk to your neighbors and you kind of say hey, you know, it would be great if we looked out after each other's places and if you saw you know, something happening to mine or somebody that was on, I think is unauthorized, at least that's an interesting and good idea. It depends a lot on your neighbors. Right, if they're better than your friends or not, yeah. Okay, so implement a curfew as a form of policy. So you only want certain people in at certain times. Does anyone want to add locks to this house? No, we didn't add locks. I think four locks. Four locks. What do you mean by four locks? I think locks on all the doors. Locks on all the doors, okay. So that would be a mechanism. What would be the policy to support that? Do you lock all the doors at night before you go to bed? Yeah, so at night before you go to bed? Before you leave. And then how do you allow unauthorized people then to access your house if you have locks? Do you allow authorized people to access your house? You have to give them the key and if you have the security system to code, right? You have to give them the key and the code in order to enter. Cool. So does the key system alone, does that implement the policy of only unauthorized people can access your house? Authorized people, yes. There are lock picks, yes. People as well as mechanisms that can pick locks. Yeah. 
If you lose your keys or somebody else that you give a copy to, gives their key to somebody that's unauthorized, then you're done. Yeah, exactly. So now the thing that allows you entering into the house is this key. And this key, anyone who has this key or what, is it actually that specific key? Yeah, what is it about the key? The particular grooves and shape on the front of the key. Wait, which one of these is not important? Right? So it's these little grooves on the key that move pins and certain things so that you can unlock the house. So that's an important distinction. Why? Yes. Right, so the important thing is it's not this physical key that is important. It's anybody who has this physical key. It's anybody who has a key with this specific pattern can get into my office or my house. So it's important to think about what threats are we thinking about. What's our threat model? Is our policy and mechanism actually covering this? Because like everyone said, if you lose your key anybody could get that key and then get into your place. If somebody steals your key and goes to a store to make a copy a duplicate of the key and then brings it back to you. You'll never actually know you lost the key but a copy of your key is out there. They've actually even found I wish I had a picture of this. So I know they used to you could do it with soap. So you can push the key into some soap or clay. You can get an imprint of the key and take a photograph of the key. So this is why I was worried about showing you guys the keys. I don't know that really. You could take a picture of that and there would actually be enough detail in there to have you reproduce the key. This actually happened in one of the New York newspapers. I can't remember which one posted, wrote an article about how does how do they call it the skeleton key. 
So this is a key that I think was in the subway system or something, and it unlocked all the doors because the janitors and the maintenance people had to get in and do things, and they posted a picture of the actual key, the actual size, and so it was literally enough for anyone to create the key that did exactly that, and so they had to change the key and change the locks. Which then brings up a good point. So we talked about unauthent. So the key is pretty good, about as long as you can control the key, then if only authorized people have access to the key then you're actually implementing your policy. But what about unauthorized people? So let's say you give your key to your friend, you find out they ended up stealing money from you, so you want to not allow them in your apartment or house. What do you do? You have to change the locks and redistribute keys to all authorized users. So pain. I remember actually when this happened to me, it was coming home from college, I think my freshman or sophomore year, and I tried my key in the door and it didn't work. It was one of the worst feelings ever. It's like oh, they've changed the locks, they've changed the lock and didn't even give me the key. We're telling you they changed it. So that was fine. You don't have to cry for it. It's okay. Yeah. So if you lose your key then you lose access to your house even though you are an authorized user of that house. So some of the policies that people put in place is we should have a spare key hidden somewhere around the house. Some people have fake rocks. There's fake rocks you can get to put spare keys in. Some people have key boxes outside their house, so there's a combo there that you have to then remember and fill out, and that opens to give you the key. So kind of at a high level, is this key idea a good thing? It's better than not having. 
I mean, you can kind of point to empirical evidence: I have like five or six keys on my key ring, and I'm sure most people have keys on their persons, so these actually are in use, and used by, I'd probably say, billions. It's not an understatement, but there's all these problems. So this is important to think about: the threats. So what are the threats? Is your threat a criminal, or is it like a criminal mastermind who's an expert lock pick who can pick your lock in five seconds? If you're worried about that level of threat, then just having keys is maybe not enough. And we didn't even talk about different types of locks. We've all seen there's different ones: there's deadbolts, there's normal, really crappy ones that you can just use a credit card to do, there's the chain that you can put on the door, which should prevent people, even if they have a key, from going in.

I guess I can tell a little story. So I was stranded in London coming back from Europe. I missed my flight, made a delay to a bunch of flights, and I had to wait in line for like three or four hours to get re-booked, so they put me in a hotel. Go to the hotel, and this was right before school started, so I had to do some work. So I'm at the desk in the hotel room doing some work, and then I hear somebody jiggling the door handle, and I was like, "Oh, no thanks, I don't need any service or anything," thinking it was the maid or the housekeeping. And so then all of a sudden the door swings open, and I'm just like looking at this person, and there's a guy standing there with a suitcase looking at me. And I'm like, "Can I help you?" And he's like, "Yeah, they said this was my room." I'm like, "I'm sorry, I'm already in here, this is my room." He's like, "Okay, I guess I'll go down to the front desk." So he left, and then I locked it, did the chain, and called the front desk and was like, "What the heck did you do?" And they were like, "Oh, our computer systems were down and people waited in a Google point of room." And so now I'm always very good about putting those extra locks. Those are important. That was weird: you're already staying in your room, already staying in your room. Yeah, that's a great job, although at least there wouldn't be people there, so I don't know why; you could at least slowly walk away.

Any other policies and mechanisms we want to talk about here? I think this is important, to kind of think through different scenarios, think through not only things that we do in our day-to-day but how that correlates and how that affects the threats that these policies and mechanisms are supposed to enforce. You're really obnoxious to wallow? Is that a threat? Oh, a mechanism, I see. So what would the policy there be? Like, you don't want the muscle. So that was actually interesting, so a pet. So you could maybe think of a mechanism that you hope would either alert when there's an intruder, so some kind of barking. So if it's annoying to wallow, maybe that's a good alert mechanism, or not; it depends on the fall, because they're always barking. Exactly, yes. Yeah, that's a good point.

Yeah, is insurance a reasonable security mechanism? How does, so what's the, how does insurance protect you? Well, it protects against loss, I think. I just mean, like, the analog with, you know, digital systems: you know, you have like CRCs and stuff to make sure that you don't lose your data, or if you do lose your data there's a way to recover. I think, I mean, in a similar way, if something breaks, there's not so much stuff; you can replace it. No harm, no foul. No harm, no foul, well, don't go and praise it, it's not for you, it's like much, right? Has anybody dealt with an insurance company before in a situation like this? Yes, it definitely can be annoying, and it's understandably wise. So that's actually an interesting point, so that could be part of your holistic threat. So yeah, so one thing, so we talked about catastrophic damage, buildings landing, trees landing on your house. So your mechanism to try to defend against that, your policy would be: I want to be able to recover the value of my home if it's destroyed in these instances. The mechanism would probably be to get insurance. So at that point you're saying, okay, I'm just going to pay a little bit of money, and in case these things happen, in case these things happen, then I'll at least be covered in some sense. Yeah, insurance is tricky, because it's actually protecting you from the monetary loss, and so if that's the only thing you're worried about, then yeah. But at the same time you also are worried about unauthorized people entering your apartment, right? I don't think you can buy insurance if somebody comes in and kills you. Well, kills you, life insurance, it doesn't help you very much, but yeah, it's fun.

So what is the level of the threat, I guess? So the determination of the attacker, how determined are they? I mean, a door lock, if I kick hard enough, I might just kick the door open and be able to get in. Same with the sophistication you talked about earlier; they're a master of the sort of, like, what, I guess, what are we trying to protect against could be my question. What level of the threat? Yeah, no, that's my question. I think it almost kind of ties into common, depending on the level of the threat, I'm willing to throw in defense mechanisms to this point, but after that, if they really want it that bad, I have a backup, your insurance. Okay, you want to change my lead page? Go ahead, I have a backup. You can just paint it, spray paint, I'm just going to dump whatever you do and re-upload my backup. So you might care to only defend for a certain threshold. Yeah, that's a great, a great point, and that actually then ties in. So there is a complex interplay between insurance and your mechanisms, because I know definitely on car insurance, if you say I have an alarm system, your insurance premiums go down, because they have data that says this mechanism is actually effective at preventing car theft, and so you can pay less money for your insurance. That's a great point. There's another hand here. Yeah, we have to have multiple levels of mechanisms for your security. Say you'd have a guard, then you have a door with a lock, then you have a security system, then you have a pitfall. Yeah, so this layering mechanism, right? So you're trying to, they get past the guard, they get past the door, get past the security system, and they've got to deal with it, unless the guard is busy playing with the dog. And then it's trying to cover the case, because when we talk about it in the physical world it's different, but when we talk about computer systems, you can layer mechanisms in a way that's ineffective and could actually harm your system. So yeah, that's what I was trying to go with there, but yeah, that's a great point. Yeah, layer. So that's what we talked about, right? So just thinking about the security alarm system, right, it's not enough; we also want locks, right? So we want locks, we want that.

So similar with your home, you may, you may have a threat that you don't want anyone to just break into your house, but you then may also have a safe there that has an additional combination. It's where you can put things like my gold bars, or, one of the things you put in a safe, passports, and yeah, any kind of information you want. Or your threat model may be different, so there's different types of safes you can buy. There's some that drill down to the foundation that are really kind of crazy, and there's some that are really small that are just for, like, I wanted just for fire, basically. It's a fire safe, so I know somebody comes that can steal it and take it, but that's kind of fine; I don't keep any valuables in there, I keep the documents that I want safe if there was ever a fire. So yeah, you certainly need to think about the different levels of threat. Yes. Yeah, so that's another important thing. So it's actually difficult to just think about these things in a vacuum when these are things that actually cost money, right? So a safe costs money, a laser defense system costs money, a security system costs money, insurance costs money, right? So this is actually going to be kind of one of the themes: it really does depend on you, your situation, and the context. So in the context of a house, it depends on the people who own the house, the people who live in the house, what's their different risk tolerance, and what types of threats are they considering, and what's their budget. So the same thing applies in computer systems as well, where you need to think about it. It's really easy as security people to think, oh, you've got to do A, B, and C and XYZ and go buy the latest laser defense system, it's the best, but, you know, you're talking about like a mom-and-pop shop that maybe, probably, shouldn't be worried about those things, or maybe should; it depends on the threats. Yeah, exactly.

So like maybe for the safe, a good example would be, it's probably not, I wouldn't want to keep my wallet in the safe, right? The wallet, you know, my wallet is something I use every day, I take with me, and so going in and out of this is so annoying that I've probably put in a bad password of all zeroes or something, so that I would completely negate the properties there. So you have to go balance. That's a great point. You have to balance the access and availability and usability of the security mechanisms with the properties that you're trying to enforce. So for physical property, we also do, say, I put deterrents there, like saying that is my reality. So that's great. This is actually a common technique that some people do: they'll put a sign in their window that says "secured by whatever home security system" and not actually have that system. So why do they do that? Deterrent. Deterrent. What is a deterrent? Something that looks threatening. So why would I care about deterrents if somebody's super bent on breaking in? What is a deterrent going to do? It keeps away the people who are trying to look for easy targets. Yes, so that's the key, and this again depends on the context, because if you're a house in the middle of nowhere, deterrents are probably not going to stop somebody, because it takes them a lot of effort to move on to the next victim. But if you talk about a house in a cul-de-sac in some suburb, there's 5, 10 other houses nearby, and so they'll go for the one that looks the easiest from the outside, whether it is or is not. Or if you have a "beware of dog" sign, you have a little chihuahua, but it also bites people. So you're ensuring that the people are aware that the dog is there, but you're going to be like, oh, it's got to be a big dog, and then you get a chihuahua and it bites; the "beware of the dog" sign was there, so you know that. So you're playing multiple levels there; there's multiple games that you're playing there. You can even put up a "beware of dog" sign and not actually have a dog. There's nothing that, of course, you're one of those barking dog doorbells, that would be funny, cool idea of thoughts. Let's do a good conversation. I'm going to determine if you can have the automatic time, what's the lines? Yes, so you can have other types of mechanisms. My favorite example of this is Home Alone, where he pretends, he makes, has cardboard cutouts of people, and he has a whole intricate system to show them moving with the lights on, and so people come and are going to rob the house, but they think that there's a big party and a lot of people in there, so this deters them from leaving. So yeah, one technique would be having lights maybe go on on timers. What's the downside there? Cost, exactly. Yeah, so it's again a cost-reward trade-off situation. I know a big thing is, depending on the system, I mean, I know working, you want data, information super fast; that's what makes, you know, yours, what you're trying to protect, more valuable than the competition's, access manner than the competition, so you have to weigh that balance. Yeah, exactly. So yeah, so that definitely goes to the access, availability, functionality aspects, right? So if you put security measures in place that cause you to have to take 30 seconds to do what used to take a second, right, that can have a huge impact on the job. On the alternative side there, right, you could say, well, it's a lot easier to get into your house, it's a lot faster, if you don't make keys or locks, right? So it's all about trade-off there, right? Yeah, that's an excellent point.

So that's actually something that we often forget when thinking about securing systems: we think about, we have to secure it at all times, when really time may be different. You may have different, for the house example, you may have different mechanisms, different policies in place, let's say, at night when you're not expecting any visitors. So that's why you may set the alarm of the system when you're going to bed. You may have different threat models and policies and mechanisms if you're going away on vacation for a week, right? Then it may be worthwhile to set up timers with lights and do kind of other types of things. So yeah, and this even applies to business as well. So this is something that is actually kind of an active area of research: not all assets are valuable at all times. So you think about a company who's about to release their quarterly earnings. That document is stored somewhere on one of those systems, and if somebody outside the company knew what those results were, they could buy the stock in relation to how the results corresponded with analyst expectations. So that data is incredibly valuable on the days leading up to it. So, you know, if you were in charge of that system, you'd want to make sure that you were focused on the state to do that data, but on the day that those results are released, then you don't care at all, right? People could break in and get that data, because that data is public at that point. Other things happen with exams and exam answers: right before a test, the exam and the exam answers are incredibly important; after you've taken the exam and after it goes to the makeup, it's less important, right? And actually sometimes we give you those things, right? Context and time, the situation, all play into this. It's a good discussion.

Okay, cool. So we kind of, so we touched on this too; maybe we can bring this back a little bit to what we were talking about in our discussion earlier. So the goals of having a security policy: so what do you want to do with your, what are you trying to do, what are some things you're trying to address with your security policy? What was the security alarm system doing? Detecting. So it was detecting threats or attacks. What other types of things? So is there really, what was that? Detect and authorize users. Higher level, what's that trying to do? Ooh, that's a good one we didn't talk about. So we may actually want an audit log, or some kind of log of what's happening, so that we can answer, we can't really detect or prevent, but more try to investigate what happened after the fact. So if we detect that an attack occurred, we can say, okay, how did this happen, so we can fix the system. Yeah, that's good. So what about, so what if our, the house is a hard example; I feel like a lot of the things you can get around, and they're kind of detection. I think the key, I think the key example is pretty good. So the key example is: if you have locks on your doors and use keys, is that a detection mechanism? What was that? Right, so it's not detecting anything, unless you have some crazy sophisticated system that tells you when somebody's breaking into it, but really it's about trying to prevent people who are unauthorized from accessing your system. So the idea behind that policy is more one of prevention. Detection: what about the insurance? So getting catastrophic insurance, does that help prevent anything? Please say no, because that's a silly, fundamental misunderstanding of how things work. Does it detect anything? What does it actually do? Replacement. Replacement, so it helps you do what from an attack? Yeah, recover from an attack. Awesome. So yeah, so we can think about kind of security policies as being in these general categories, right?

So why is it important to be able to recover from an attack? So you can say that system itself could have ramifications in other systems, other things, and so it would be important to get that back online. What else? Well, no system is completely safe or secure, so recovery is needed no matter what. Yeah, yeah, you want to be able to rebuild. Yeah, you can be able to, so by being able to recover from an attack, right, you're then reducing the damage. So damage could be, so it depends on exactly what the attack is, but the longer that attack takes place, right, the worse things are. I think that's probably a good general statement, right? You can think about it, your web, if your home is burnt down, for every day that it's gone, that is a home that you are no longer living in, right? You have no place to live. So if you can recover from that and rebuild the house in a day, that would be pretty cool, and you could get that home back right away. So you actually, and the ability to recover then may help you think differently about your threats. You may not actually be so worried or scared about fire if you can rebuild your home in half a day, but you cannot, as far as I know. Well, this is kind of similar: so the need for whatever asset was lost is still there. That's why, exactly, this makes sense, and it ties into what we were talking about over there: this is a system, you're protecting a system for a reason, because it's necessary for you or for the functioning of the organization, right? So you want to be able to recover quickly from an attack, and so as part of that recovery process you may want to try to add new policies and new mechanisms in order to prevent that attack. So that's where auditing can help, and having logs of what things happen on the system.

So how do we define policies? How do we define the policy of our house? Looking at potential threats. Yes, so we created the policy by looking through and thinking about potential threats, right? So then how did we define our policy? This isn't a deep question; it's very, explain to me, somebody, describe the policy of our house. We describe, we describe actions that were acceptable and actions that were unacceptable. How did you just explain to me the policy? Verbalize it, and imagine you formalize it by writing it down. Exactly, so we use language, right, natural language. So oftentimes our policies are expressed in language. This makes sense; this is how we think about that. So what's the problem with language? Ambiguity. Ambiguity, so open to interpretation. It could be open to interpretation. So how do we actually, and then how does that impact, could that impact the security of our system if our policy is ambiguous? So yeah, so policy, so if your policy is ambiguous, you may come up with some mechanism to try to implement that policy, but how do you know that that mechanism actually enforces your policy, right? You may think it does, but maybe it could be, maybe the person implementing the policy and writing the policy is different from the person implementing and deploying the mechanism. Does this happen? Yes. People who work in companies, probably the majority of people say yes, because you have organizations, you have job functions; it's somebody's job to come up with policies, it's somebody's job, so maybe groups of people too. So even worse, you have groups of people each with their different thoughts about what the policy is and what they think it means and what the policy actually says and how to interpret that. We always have some guy sitting at a desk somewhere away from what's actually happening that doesn't quite understand. Yes, this often happens with policies: people low level down the chain actually are the ones implementing, getting mechanisms, putting mechanisms in place to try to enforce that policy. And so the low-level people, I mean, both people in mind, the mechanism, should say, "I put this thing in place, and look, that does exactly what the thing says." I'm like, "No, we meant this other thing." It's a much more difficult problem.

So what's the other way? How else could we define policies, in horrible English? Jargon. Jargon, technical language. When we want to define a mathematical formula, there's a language of mathematics that helps too. Good, so yes, let's stop there. Yeah, no, it's funny, because jargon, I was laughing a little bit, because technical writing can definitely, it tries to be more precise than natural language, but if you try reading any kind of academic technical paper you could probably see that, yes, there is a lot of ambiguity there. So even that still exists there. So we can formally define our policy, but you could go with, bottom hand, I'm worried about that. So, well, I mean, just think about that: you go to a website, and they say, oh, you can't actually access our website without using this password with these characters, and that's the mechanism that's in place. What can force your policy? The policy there, I would say, would be that users should have difficult-to-guess passwords. And so then, well, I guess the policy would be users should have complex passwords that are hard to guess; the mechanism would be we have a system to try to enforce that they have certain requirements. It's a little tricky, because there's, they would say that this is their password policy. That's even before you're even part of whatever organization you're in, what are you trying to get access to, that you are being, immediately, a mechanism that stops. Yes, but so then the key, I think, is there's always, so even if it's not stated, there is a policy that corresponds to the mechanisms. So there must be, otherwise why are you implementing these things? The policy kind of gets to the intent, and the mechanism gets to how actually does that happen. Cool.

Math, formal mathematics. Well, in this same thing you could do diagrams and pictures; there's another way to express policies. Is there no way you could do these with diagrams and pictures? Well, it depends on what you're trying to do. You could create a diagram of a state machine, for instance, which could kind of precisely define, although a state machine would be kind of a representation of a whole specification. So yeah, you could. Well, you see, like, let's say you work in a business, a lot of times you have to have posters with, like, how to do the Heimlich maneuver, you know; that's done with pictures. Yeah, so there's different ways of expressing. I think that we're kind of talking about very broad categories here. So yeah, natural language definitely has a whole spectrum, of very imprecise to, but I think once you get into incredibly formal definitions then you step into the mathematics area. Yeah, like the diagram. So what's the benefit of doing things, so that's my thing, in math, with math, with formal languages? Universally understood. Universally understood, just here on earth, that's all I know. I like that computers can understand it. Yeah, so I think the key here goes back to the ambiguity. So the idea with math is it's formally expressed: we can formally define a policy, we may be able to manipulate it, computers may be able to manipulate it, they have computer theorem provers, I could maybe try to prove something about the theorem. The idea would be to completely eliminate the ambiguity. The universal part is kind of tricky, because you need to actually be able to speak the formal language to be able to understand it. So that, absolutely, yeah, it definitely makes sense; it's just "universal" kind of implies that everyone is able to understand it, which may not necessarily be the case.

The other one that's kind of in between the two would be some kind of policy language. So there's actually languages; the most famous one is XACML, access control language, and so it's a way to describe, using XML, what your policy is. So what are some of the benefits there? So it actually goes back to, I think, New York: what would be some of the benefits of using XML? What's good about XML? Standardized. Standardized, yeah, so there's a standard, there's a schema, so you know exactly what the file should look like. What else is good? Yeah, it's, you could write XML, right? I'm pretty sure everybody in this room could write XML. So yeah, there's definitely, humans can read it; it's human-readable and writable, ish. But it's also nice that it's computer-readable, so they actually do have access control systems that you can feed an XACML file into, and the mechanism will go and implement that policy and do it. So yeah, they have all kinds of editing tools around them, so this is kind of becoming a standard. So let's stop here, and we'll go into correctness on Tuesday. I think we'll close out and let it, overview. Thanks.
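To make the XACML point concrete, here is an added example (written for this page, not from the lecture or from any XACML implementation): a small Python policy decision point that reads a constructed, house-themed XACML 3.0 policy and returns the decision, so the XML file, not the code, says who may unlock the front door. The policy contents, the attribute ids `role` and `time-of-day`, and the function names are assumptions of this example; the namespace and identifier URNs are the standard XACML ones.

```python
"""Tiny XACML 3.0 policy decision point: the XML policy decides, not the code.

Added example (not from the lecture). Supports only string-equal Matches,
Permit/Deny Rules and deny-overrides combining; anything else raises, so an
unsupported policy never silently turns into a Permit.
"""
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"

# Constructed house policy (assumed attribute ids "role" and "time-of-day"):
# residents and guests may unlock the door, but a Deny rule for guests at
# night wins under deny-overrides.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyId="front-door" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="resident" Effect="Permit"><Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resident</AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/></Match>
  </AllOf></AnyOf></Target></Rule>
  <Rule RuleId="guest" Effect="Permit"><Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">guest</AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/></Match>
  </AllOf></AnyOf></Target></Rule>
  <Rule RuleId="guest-at-night" Effect="Deny"><Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">guest</AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/></Match>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">night</AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="time-of-day" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/></Match>
  </AllOf></AnyOf></Target></Rule>
</Policy>"""


def _match_ok(match, request):
    """One <Match>: true if any value in the request's attribute bag equals the literal."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError(f"unsupported MatchId {match.get('MatchId')}")
    literal = match.find(NS + "AttributeValue").text
    des = match.find(NS + "AttributeDesignator")
    bag = request.get((des.get("Category"), des.get("AttributeId")), [])
    if not bag and des.get("MustBePresent") == "true":
        raise ValueError(f"missing required attribute {des.get('AttributeId')}")  # Indeterminate
    return literal in bag


def _target_ok(target, request):
    """Absent/empty Target matches all; else each AnyOf needs one AllOf whose Matches all hold."""
    if target is None:
        return True
    return all(any(all(_match_ok(m, request) for m in allof.findall(NS + "Match"))
                   for allof in anyof.findall(NS + "AllOf"))
               for anyof in target.findall(NS + "AnyOf"))


def evaluate(policy_xml, request):
    """Return 'Permit', 'Deny' or 'NotApplicable' under deny-overrides combining."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("unsupported rule-combining algorithm")
    if not _target_ok(policy.find(NS + "Target"), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall(NS + "Rule")
               if _target_ok(r.find(NS + "Target"), request)]
    if "Deny" in effects:
        return "Deny"  # any applicable Deny overrides every Permit
    return "Permit" if "Permit" in effects else "NotApplicable"


def pep_unlocks(role, time_of_day):
    """Deny-biased enforcement point: only an explicit Permit opens the door."""
    request = {(SUBJECT, "role"): [role], (ENV, "time-of-day"): [time_of_day]}
    return evaluate(POLICY_XML, request) == "Permit"
```

Note that a request the policy says nothing about (a role it never mentions) comes back NotApplicable, and the enforcement point treats that as a closed door; that choice belongs to the mechanism, not the policy file.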