Alright folks, so for those of you who are listening to this online, I forgot to bring the mic, so the only microphone that's recording right now is the one on the top of my computer, so this is why the audio sucks for the future. Okay, so I lied on, what was that, Thursday? So I wasn't able to release the homework in time. I started on a quest to upgrade everything to, I'm going to say, 18.04 and it's taking me longer than I thought. So part one, very easy, submit, sign up for the course Piazza. I think already 80 of you have done this already, so awesome. Part two, so basically you're going to implement an access control policy and so the idea is to think about all the kind of corner cases that could potentially come up and think about what should happen in those cases. So you will write a program that implements this policy, it will be, and you can actually, you can do this assignment in whatever programming language you want as long as after we run a Makefile, so you'll need to write a Makefile after we run make in your directory that you submit. There will be some executable file called secure_house, and so this is the interface to that so I don't care if you do it in C, Python, Java, whatever you want. We won't go through all of this, this is for your time to do that. It's fairly simple, it's not supposed to be crazy. The program must work on Ubuntu 18.04 64 bit, so this should, this is the test so, no, oh it runs on my machine which is a Windows machine and so you're doing things that aren't compatible. If you're not doing anything crazy it should work, but if you decide to do that it's up to you, like I'm not going to help you debug your crazy Windows system for something if you think it works on your machine. Okay, and then so the other thing is if you want to use a package that's not installed you create a packages file, which is just a text file, and on each line of that file you put what Ubuntu package you want installed. 
Before we test your stuff we will install all of those packages. So this is how you can basically do it in whatever language you want. So if you want Java, install the JDK, if you want Haskell, you can install GHC, whatever you want. So you'll submit your source code with a make file and a readme. I've almost got the submission site working so this is definitely not going to work, but there will be a site here by the end of today where you can go sign up for an account, submit your thing and see your points right away so there should be no surprises. A deadline is next Wednesday before midnight. Is that right? Daywise is the 12th Wednesday? Okay, cool. Any high level questions? Obviously not any questions on the actual assignment itself. Yeah, louder I think here. It is, but there's not a link to it yet. Yeah, it's so that you pay attention in class and I'll post it afterwards. Any other questions? Yeah. Are there multiple submissions? Yes, you'll have multiple submissions. Okay, 20 for now, but don't, you should not be using the submission site as an oracle. It's not something that tells you whether you're correct or not. You don't make a change and submit your new version and find out it doesn't pass because you didn't test locally, right? So you need to, part of this assignment is coming up with your own test cases to test your own assignments. Cool. Any other questions? Three, two, one. Cool. All right, now onto fun stuff. Okay, so we're right at the end of kind of the overview. I know this has been a long overview, but the important thing here is that we're discussing these kinds of security topics. So we talked briefly about kind of risk analysis where we talked about why to analyze things. So why do we care about laws or customs? What's the difference between the two? Yeah, so laws are basically you can think of like a country level or whatever level you want. 
So laws are written down and usually enforced by the state, whereas customs are more unwritten rules, right? So they may or may not be explicit laws, but they're still something that you should follow anyways. Or the, I guess, well, it's very complicated, but if you can say the mainstream society follows. So if you want to violate those customs, you should have a reason for doing so. Why do we care? Yeah. I mean, and why does that matter for us in terms of securing, let's say, an organization? I would say defending right now. So that would be a good question. So are there any laws that would prevent you from using certain methods? Yeah. I know that for a lot of computer systems. Okay. And a bunch of people basically came out and said this is a terrible idea because you have back doors. Right. So the idea there is basically the concept of back doors. So maybe the government wants back doors into systems, whether that's lawful or not, I guess is up for debate kind of a thing. But what about thinking about a defender's context? Would you like to know who's attacking you? Why? Why? To stop them. To stop them? Why else? I mean, how's that going to help you stop them? To prosecute them, maybe to turn that information over to law enforcement? What else? Yeah. So if you know who's attacking you, you may be more interested in their methods, how they're doing it. You may be interested in the why. Why are they doing it? Are there other people out there that are like them that we should be defending against? What their skill capabilities? So why don't you just, when you see somebody exploiting your systems, why don't you just break into that computer? So you see an IP address that has just infiltrated your systems. So why don't you just scan that IP address for vulnerabilities, exploit that system to figure out who it is. Would it be useful? Right. So you're actively hacking back into their systems. Yeah, it may be unlawful. 
How do you know that that's actually that person's system? What if they've broken into somebody else's system and is using that as a jumping off point to break into your system? Right. So now you've just unauthorized access into, let's say it turns out to be your competitor's system. And now you've been doing the exact thing that you were upset about the original attacker doing, right, of getting unlawful access to your systems. So yeah, I mean, these things are important. What are some maybe customs that would restrain our, or change our defender style of defending people? So the laws, we said, well, maybe they restrict us in some sense. We really can't just hack back into attackers. Right. So what are some other customs? Yeah. Maybe it might not be illegal to read customer data on encrypted, but maybe the customers would want you to keep it there. Right. Okay. So customs. That gets a little tricky with encryption, but you can think of, well, what's, you know, most likely to entice a hacker. So we talked about fake data. So you see somebody hacking you, you basically supplied them with fake data to see what they do. But if it's a fake credit card, how are you going to track who's using that credit card or where it's being used if it doesn't actually go through. Right. So maybe for you guys at Sandboy, it would be better to give them just one, to sacrifice one customer's data, give them one customer's data, and then figure out who they are and what they're doing based on how they use that information. Right. But if that was found out, how do you feel the blowback would be against that company? Because they broke, well, maybe broke a law depending on PII, but probably more of this kind of unwritten custom where you wouldn't sacrifice one of your customers just to protect all of them. Ideas, thoughts, customs. Go through your stuff. The cultural norms that we all subscribe to that aren't necessarily codified in law, but that restrict our, what about, let's see. 
And we talked about laws a little bit in terms of placing booby traps in your house. I think that varies based on what, I'm not a lawyer, so I don't know exactly that. Maybe privacy laws. So how could that prevent an admin from doing their job? Let's say there's some law in effect that says that corporations, let's say you think about Gmail or you think about even ASU, like a law that says ASU cannot look at a student's email. It should seem like a viable privacy law. Is that a good thing, bad thing? Do you know that they can look at your emails? Yeah. Wow. Okay. But now we're going back into this hypothetical situation where it's against the law. Okay. So they should be able to look at it, but there's this email. Let's say yes. Sure. The new security training or maybe an ASU 101, they teach you all the great private university, no employee can look at your email. What do you think of the ASU? Option of opting out. Interesting. Wait, but the privacy thing says that the admins can't look at your email. No, I'm going from the perspective of if they can. Okay. Let's look at it as if they can. When would that cause the issues maybe the admins can't look at people's emails? Maybe the university suspects them cheating. Yeah. So if the university suspects them of cheating or otherwise fraudulent use, what about sending out spam? What if people accuse this person of sending out spam to fellow students? Well, sorry, I can't actually verify that. That's true or not because I can't look at the emails or cheating, right? I can't look at the email. The short version would be very spooked it and how careful they were and all that stuff. But it happens where I've heard of cases, I think of that UC Santa Barbara where a student was found changing grades so they were able to guess or steal a professor's huge main password. And so they tracked the logon IP address to the local bank where they worked part-time. 
So they were changing the grade from the bank and so they figured out the employees that worked there and then figured it out very quickly based on whose grade was changed, who the student was. Yeah, you think or even just if you have a problem with your email and now the admins can't, you know, you say, my email is not being updated. They can't send a test message and then look to see whether that message makes it in the inbox or whatever. So anyways, the point is thinking about how these can restrict people from actually doing their job. But it's an interesting trade-off. So think of another problem. What's the problem? How do I know you are who you say you are? Why are you trying to convince me that you are who you say you are? Government paperwork, what's the most common thing that you may have? Driver's license, what do all of you should have as ASU students? ASU ID, right? So I can look at that, see if that's you. But IDs are a pain. Why is anyone lost their ID? Yeah? Or the mag stripe gets de-magnetized and you have to get a new one. Or maybe they're easy to forge. I don't know, I probably don't want to think about that too much. So wouldn't it be great if we could just put a microchip in your finger that has like your student ID information so that you could just come and touch a thing and it would verify that yes, you're who you say you are? Wouldn't that be awesome? No, why not? You don't want to come into this beautiful future with me? Or you can track your every movement and everywhere you go. Anytime you go get food, you can just whoop, and we'll know exactly where you are. You can argue against, this is the big point. Yes? I think with the chip that this has ASU or whoever, if I can date it at that like any time, I don't want to go buy this from the privacy. There's a difference between I don't know, you tell me. I'll say there's no difference. Was that? I didn't say it. 
I didn't say it, I won't refute it, but okay, so somebody's outraged being treated like an animal and getting microchips. It's super useful if you lose the dog though, so you get lost and figure out where you're supposed to be. Like what's on your, think about your state issued ID, what's on there? Nothing's on your state issued ID that's important. Your name, your address, your what? Your driver's license number, what else? Your date of birth, your picture. Yeah, what was it? That's a different document, it won't be on your ID card, but yeah, so I guess part of that, yeah. Yeah, that would be bad. I don't know if they wouldn't do that, but maybe, I don't know. That would be useful, rather than stealing an ID card. So, anyone for this imaginary proposal? Let's be useful. Did you issue the cell phone through your business or something longer about cell phone reasons? They, well, okay. What can be handy for them? If it's their phone? They're required to keep it on. Maybe it's your job, maybe you're on call and you're going to get all of the services out. You could also probably say there's an an already in England. Yeah, that's a good maybe a good counterpoint or side point, I don't know. So, you just say, well, let's just follow those people and I'll be track of her. Yeah, in the middle. Interesting, is there a difference? I mean, does it, do you have a face recognition system right now? That would be kind of cool if I had a face recognition thing and all of you could actually wear your make-up. Yeah, so maybe at least with face recognition I'll probably get the option of wearing a mask. Okay, so with the current, like, you know, government bureaucratic, what we have here at society, like all kinds of masks. There's like a reasonable expectation that someone gets one of your documents and they'll still be able to, like, recover, you know, eventually. 
But with the microchip system, assuming that it's like we catch all, you know, I guess, like all of her attacks or anything, you know, any of the things that you're talking about, then I feel like it would be a lot more difficult. Yeah, recovery after, what happens to some of these heels or what happens if your roommate while you're sleeping goes and, like, scans your finger chip thing, but they could make a copy of it and makes a copy of it in their other fingers when they decide who to be in any of the moments. Like, I don't know. There. In addition to that, I think there is, of course, the scenario is great and... Well, soon they're made properly, but I don't know, but that's a good point. So yeah, lots of things to think about when it's physically on your body versus something. And there's, I guess, something to be said for, and this is what I think some people have tried to get at, is with a card, you can only just leave a card at a certain point, right, and just not have it with you. So with your chip, you don't have that option. Do you want to add something? To what extent do you assume... Say it happens tomorrow, so... I don't know. How educated do you? We're going with the Facebook example that I referenced earlier. A lot of people were very surprised sharing everything that Facebook had all this data that they were using. Right. So, I mean, how much are we actually assuming that people would know what they're doing? I mean, we're just going, like, oh, this is convenient. And they're being very surprised that all these companies are like, we know exactly what we're going to do in 10 days. You think about, well, something is convenient, like, I mean, it would be a big scandal, but you think about the facial recognition on a lot of the phones, right? Well, how do you know that that's not sending a 3D model, a perfect 3D model of your face to Apple? I mean, you don't really, but it is super convenient to use. So... That I don't know. 
I know at least, technically, the way it's done is pretty nice because there's a secure enclave on the chip, or to actually a separate chip, but they do all the facial recognition and they store all the facial recognition data. So, even if your phone gets, like, you saw some malicious app on your phone, that data is pretty well protected. But, yeah, it's all these interesting things. So, the reason why I bring this up is there was a company that, back in 2017, actually decided that, yes, they would want to do this. Microchip implants for employees. One company says, yes. So... The program is not mandatory, but they're a company based in Wisconsin. They can have a... Choose to have a chip the size of a grain of rice injected between their thumb and index finger. Will that be here? Once that's done, any tasks involving RFID technology, swiping into the building, paying for food in the cafeteria, you just wave your hand instead of using your... Would you work for this company? Assuming they do whatever you want them to do? No? Angry privacy advocates. So, you should be more loud and more angry. I mean, not super loud, but... With that information, they could find out where you sleep, where habits are, and collectively they could use that for any company that wants to make a certain type of product or not with a certain area of industry. Yeah, I mean, there's no telling what... You know, I mean, there's no telling what other... You can put a lot of functionality in one of these devices. You can put a GPS tracker in there, you can put 3G capabilities, so if you report home on what you're doing, and then maybe when you leave, you're like, well, if you really want to leave, we know that you've only been spending 30% of your time actually at work and we'll tell that to your next employer, so... See, I'd be interested in some words because it's like... I don't know... I think it's the same data like it's just... Yeah, so it's like convenience versus privacy. 
I think the key thing is getting injected into you to me is like the weird part. But who knows, I mean... Yes, it's optional now, but maybe it becomes mandatory after more of the company starts accepting it. Yeah. Believe me, that home sucks. I've done that many times. When you get there and then you take it in, you need to sign in at the front desk to get you in. In terms of the large scheme of things, the inconvenience is minor. So I'd agree with you. Because you don't get written up in the New York Times if you're just a normal company doing normal stuff. Cool. Alright, good discussion. So... And the other thing that I want to tell and this will be the last thing I can talk about here is thinking about when we're talking about security organization, what are the human issues? So we talked a lot about the humans involved in the system of securing whatever organization. We talked about at a retail location trusting that the humans will lock the doors when they're supposed to lock the doors and unlock the doors when they're both locked. But what other human issues do we need to think about within the organization? Yeah. Blackmail. You want to describe a little bit? Yeah. So maybe blackmail them to leave the door open or blackmail other people. So this is actually a part of... So do you know the process of getting top secret clearance? So you go through this interview process where they do a polygraph and they do an extensive background check. Okay. Remove the polygraph, it doesn't really matter for these purposes, but the idea is not that necessarily they're trying to see what you've done bad in your past. What they want to do is they want to know about anything bad that you've done in your past so you can no longer be blackmailed for it. So rather than saying like, oh, you did this bad thing when you're a kid now you're no longer qualified for this job. I mean, if it's bad enough they'll say, yes, sorry, but no thanks. 
And it uses that over them as leverage to blackmail them. So this was something interesting that I hadn't really thought of until I talked to more people about this. Yeah. Mm-hmm. Yeah. Right, exactly. So thinking about the humans, what humans are involved. Other things to think about is who's responsible for security in an organization? I mean, think about organizationally. How much power does this organization have, this security organization? I mean, just some crazy department that nobody listens to and has a very limited budget. So how much budget do they have? Right? Because this can actually influence a lot. You may have crazy ideas and this goes into that risk-reward analysis that we talked about is fundamentally you always have a fixed budget for defense. So how do you appropriately spend that budget is super interesting. The other thing to think about which I know if you haven't been at a company yet you may not understand this dynamic. But one important thing is how much organizational power does the security organization have? Do they report to the CEO directly to the CEO? Does the Chief Information Security Officer report there? Or are they at like a VP level? So there's like three people between them and the CEO. So that way when the security officer starts screaming that we found this huge vulnerability or huge bug in our system, we cannot ship tomorrow like we thought we were going to. Does that actually happen or not? Or what happens when a breach occurs? So these are all key things to think about that that kind of are outside the norm when we think of just, okay, security like security is this and you have these policies and mechanisms but it is super complex system with the humans and the humans inside your organization about the insider threats and the laws and customs that you operate within. Oh, yeah, we didn't actually bring that back. So is it against the law to put microchips in your employees? I don't think so but let's say no. 
But it's kind of like violating a weird unspoken custom that like you don't put microchips like in animals in humans. I would say. Cool and so I think one of the key things is you're always thinking about when you're thinking about the security of the system it comes down to people and systems, right? So as technology as computer scientists, it's super easy for us to focus on just the tech and finding vulnerabilities in one thing without taking kind of this more holistic people centric focus. Any questions? Bless you. All right, and now we will go right on to access control. Okay, so what do we mean when we say access control? Who can access something? Yeah, so what are the difference between authentication and authorization? Right, so the difference there, right, if you don't know who somebody is, how would you know what access they have? You may say, oh, visitors are only allowed in this one room of the house and you have to actually be the owner of the house to get more access to the room but I need some way of authenticating someone. So they're actually in a contest, we're going to go over authorization later, authentication later, how do you tell somebody it's bless you. And so, okay, so think about so when we think about who can access what we'll talk a little bit, let's say a university's or I'd say most universities' academic integrity policy disallows cheating. Does ASU's academic integrity policy disallow cheating? Yes, of course it does, yes. That would be silly if it didn't. Just feel free to copy each other's work, who cares? Okay, and so it states that it includes copying homework without permission, right? So some class in computer science they have access to a shared server similar to if anybody used general.asu.edu they shared system, some of you. Big shared server, everyone has accounts on there. You can on most of these things, list the users on the system, figure out their home directories. 
So let's say that student A forgets to read-protect their homework file, so what does that mean? What does read-protect mean in this context? So let's say my directory my home directory is let's say world readable, which means anyone can list the contents of my home directory and inside there I have a file called homework1.txt or homework1.c, we'll call it a C file that is world readable, which means anyone can read that file. So student B then copies that file to their home directory and submits it as their own. So who violated the academic integrity policy? Was it in what? Ooh, was it in, I don't know, you tell me. B violated not A, what are you saying? So it would depend on Yeah, I mean it depends on kind of what your policy is, right? Because here you have the university's policies, but then you can have separate class policies that can change things. Okay, so part of the assignment it wants the teacher explicitly says to read so they didn't intentionally put the solution on it, I mean I guess it's potentially thanks to what would make you decide one way or the other who did something wrong. Well, I mean, obviously the one student who, you know, stole the work, it all depends on the like the specification of the teacher if like if it wasn't explicitly read-protect their file, they unknowingly put the, so that's interesting. So let's change it slightly and say that the server is set up and configured such that by default a file is not world-readable. So every file you create on UNIX there's a umask that you can set, that's why newly created files are not world-readable. So let's say in that case then student A changes their homework to read-only. Does that change the situation for sort of world-readable? Yes. Because they took an explicit action to do so. 
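The umask point above, as an added example that is not part of the lecture: a small POSIX shell script that creates a homework file under two different umasks, checks whether the "other" read bit ended up set, read-protects a file the way student A would have to, and finds any world-readable files left in a directory. The file names and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the lecture): umask decides whether a newly created
# homework file is world-readable; an explicit chmod is what "read-protecting" means.
set -eu

# Create an empty file under the given umask and return its mode string
# (the first ls -l field, e.g. -rw-r--r--). The umask is changed in a subshell
# so it does not leak into the caller.
mode_under_umask() {
    umask_value=$1
    path=$2
    ( umask "$umask_value" && : > "$path" )
    ls -ld "$path" | cut -c1-10
}

# Succeed (exit 0) only if the path is world-readable, i.e. the "other" read
# bit (position 8 of the mode string) is set.
is_world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# What student A should have done: strip every permission from group and other.
read_protect() {
    chmod go-rwx "$1"
}

# List regular files under a directory that any user on the system can read,
# one per line (sorted so the output is stable).
find_world_readable() {
    find "$1" -type f -perm -004 -print | sort
}

demo() {
    dir=$(mktemp -d)                              # constructed scratch directory
    mode_under_umask 022 "$dir/homework1.c"       # default on many systems: -rw-r--r--
    mode_under_umask 077 "$dir/homework2.c"       # restrictive umask:        -rw-------
    echo "world-readable before read-protecting:"
    find_world_readable "$dir"                    # only homework1.c
    read_protect "$dir/homework1.c"
    echo "world-readable after read-protecting:"
    find_world_readable "$dir"                    # nothing
    rm -rf "$dir"
}

demo
```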
So what if the then the situation changes further and they say we find out that actually student A copied their homework file into a /tmp directory that they knew was world-readable and then student B found it there. So how do you determine whether they actually intentionally placed it there in order to deliberately share with this other student while having the ability to say like why didn't I do something to say? Well I would say that student B would be the only one who did something wrong with like moving it on a student in their house and walk with somebody running into it. But you also have to look at whether or not the other student B if there was a reason why the student A is probably responsible. And change also if this was a security class or not. If the assignments about read-protecting are right, you know protecting your home directories kind of like, I don't know, cheating and that it becomes an ethics class and you're cheating on ethics status it becomes worse somehow. Yeah. Well I think all the general and the student A should be able to protect the case otherwise there's no way student B could copy it. There is some kind of key insight there that we don't really have in this description that maybe would change it one way or the other. I had a question. At the same time I'm going back to the kind of project that I built with and some of the blocks in my house and takes all my stuff. I don't think the insurance company you're still kind of at fault for that. Legal standpoint or something whether it's right or wrong. Just because somebody's house is open doesn't give you the right to go in and steal their stuff. So clearly that person is wrong. But then when you bring insurance into it where insurance is going to reimburse you for that stuff it's like were you careless to the point of negligence or something. There may be, I don't know I've never written insurance agreement. I'm sure it's insanely long and ridiculous and probably covers this thing. 
It's kind of similar to like just being a student just like a company worker going outside for a snow quick and leaving this car outside. Forgot when you left it out there and by the time somebody else took it it could be an act of simulation. Is that something that we should control for? We just left. Forgot his whereabouts on it. I think the main distinction is one person is actively violating the security policy and that they're the one feeding and violating the security policy by I guess a little bit negligence. And it would definitely change if the university policy says students must ensure that all of their files are read-protected. But then when we say well what if used to be old school editors would leave like temporary files and weird locations of the files and maybe the editor they were using created a temp file that happened to be world-readable that they didn't know about. So yeah. So that's interesting thought experiment I like to think about. But specifically what we're thinking about here is in terms of access control right? So here who controls the access to files? Yeah. I don't know. Is it the server? Who else? Who are the actors here? The server? Student A, student B the admin? Who actually controls it? Isn't it like the student that made the file? And just for this example student A has the ability to control whether the file is read-protected or not. Right. So here in this example I'm looking into all of these cases later. So here student A is the one who actually gets to specify who can look at or view the file or write it or execute it depending on the system. So as we talked about the idea here is we're going to be talking about what can you do on the system and that's kind of this high level thing of authorization. So what are you authorized to do? Whereas authentication which we're going to talk about later again is who are you? Not like in a deep sense but like your identity right? Who are you in terms of the system? 
Who does the system think you are? So do we actually need authorization? Why don't we just give everyone access to everything? You can ask your money in a company a year later. So any key there is trust it all comes down to trust. How do you trust? And so you need to manage when you're thinking about authorization you need to manage trust. And I may trust all of you. I may not trust you enough to give you access to my laptop with that or to give you access to my wallet. And so we talked about risk and so how does kind of risk factor into this? So that would be authenticated. So if we take that around it's like more about what can this person do to the system right? If we think about and so the more that somebody can do to the system would you think is at a higher or lower risk? Higher risk. So you probably want to make sure you trust those people that have high access to the system. You think about the Linux server example like the administrators of that system what kind of access do they have to the system? Complete. They're root. They can do anything on that system. And so there's a lot of trust placed in that role. How do you kind of mitigate the risk though of somebody having complete access to a system? What was it? Logging that access in a file that this super user can control? Preferably somewhere else, right? So the idea is you create some kind of log or some kind of provenance to understand or an audit log so that you can see everything that the super user did and that way if there's ever an incident you can go back and try to figure out what happened. You could have multiple root users right? Why would that be useful? Yeah, so you could that way you could have the root users maybe check each other to make sure that something's not going on. What kind of policies would you put in place to mitigate the risk there? But I'm an admin. I need to do everything. Give me root. And what about temporal compartments too? 
So not just thinking about specific parts or maybe I don't have admin to every single system, right? I just have admin to one system. But then the policy be don't log in as the root user, right? That's actually pretty standard in most distributions now. Log in as your own user which has limited capabilities and only when you need those elevated privileges you escalate up to the root user do whatever you need to do and then drop back down. And that's just standard good practice because you're minimizing risk there. Because we accidentally do rm -rf, I don't know, dash-something, or no really, whatever flag you need to actually do that, on slash and lose your whole directory. If you do that as your user, you're still going to have some problems but it's not that bad. But if you do it as the root user you will have a very bad time. And that still does work so don't do that. And this is part of when we think about, okay who should be able to do what on the system to minimize the risk we can reduce the access to various users of our system. Which makes sense so if I know that a specific user can't write to the database then I don't have to worry about them corrupting records. Can you eliminate risk? No, good that's the theme of this class. You can't trust everyone and you can't eliminate risk but you can try to take steps to actually try to mitigate those things. So we've been talking about a couple things here authorization, access control and so the idea is basically authorization, if we take that back to our policies and mechanisms we are thinking about things. So authorization is the policy of who should be able to access what whereas access control is then the mechanism that actually enforces that in our system. So what let's say the authorization policy on My ASU for a course what types of users are there? Teachers and students? Yeah, so what else? What can they do? What other users are there? TAs? Graders? Anything else? Admins? Yeah, there's definitely admins. 
Any more? Alright, people who aren't in the course versus people who are in the course. So it's actually a distinction among students: depending on if you're in the course, you may have more access to things than if you're not in the course. So then what kind of, what are some of the policies involved there? Like who can do what on this system? Yeah, so we think about just, even if we just think about, let's say, like the sign-up page: what kind of information do you think I can see about a course that I can see about you? What was it? All of it? What's all of it? Do I get your home addresses, or do I get your billing information about how you paid for school and what income they came from? No, I do not. Should I? I guess that's the real question. Should I? And the answer is no. And so therefore I do not, right? In terms of reducing risk. If every professor you are taking a class from had the ACH transfer numbers or credit cards you're using to pay for school, that would be a huge issue. So I see, think about the information. What information do I need? First name, last name, email, what else? Student ID, picture. I do have it. Whether I need it or not, I think it's an interesting debate to have, which we won't crowd, so you can think about that. What else? Not exactly, but I think there's your academic status. So are you a freshman, a senior, an undergrad, a graduate student? Submissions? I definitely will when you start submitting your homework. That's a separate system, so we won't think about that for right now. It's just like the enrollment, enrollment information. Your major? Yeah, that's important, right? So I can see how many of you are not computer science majors. I can also see everyone who's ever dropped the course, so I get a list of all of the add/drops. It's super awesome to watch that go down. Not this class. This class has been fine. Other classes, though, are fun. And then what can you see? Or do you even see anything?
Do you get to see all the students who are enrolled in the course? You can? What? You can? That's crazy. Oh, in Blackboard? Interesting. Oh. Interesting. Okay. Cool. Right, yeah. So in a specific course, actually the other thing that I have that you don't have is, I can't remember what they call it in the file that I get. It's like some kind of access code or something. Do you remember having this in your signed-up courses? The idea is I'm not, so I can't figure out what we talked about earlier. So I can't send out an email to the whole class with all of your grades with your personal last name. Why not? FERPA, yes. FERPA requirements, where I'm required to keep your grades private. So basically to get around that, on My ASU there's a field with an access code that is unique for each of you in this course, so I can post grades based on that access code, and I can post that publicly, and because each of those is unique to you. Apparently you don't know what that is, so I've never used it, yeah. It would depend. Yeah, I think that's the core answer. It would depend on how easy it would be for somebody to go backwards. So like you said, how easy is it to go from a student ID to a name? And then I could say, well, is there a way for me to get all the new computer science students, get their student IDs, and then get the last four digits to try to match it up? That part is tricky. Other things you can do is, we'll see it as like hashing the user ID, or the other thing is I have a submission site where you all have your custom usernames and passwords that are unique to you, so I can show you your grades obviously on that site, because that's just for your eyes only. Cool. So when we think about, so clearly it, I mean hopefully you agree that authorization is important; everybody can do everything is not really, stupid I think was the term. So but the systems are complex. Would you agree with that?
So you think about the example we just talked about, about an online, just even a course enrollment page, which seems like a very minor thing but still has all of these interesting and complex access control requirements of who could see what, depending on their roles. And you can even envision, we didn't get into it, but you can envision maybe the TA needs things like your first name, last name, and your email address but doesn't need the other information, and so you can think of that like people get different views into there. And so one of the things we really want to do is we want to be able to think about access control and what I mean, and to do that we want to model access control. So what do we mean by models here? Yeah, we can think of it like a tiered system, so like you have users, like group users, have been users, and you kind of have privilege going up and number of users going down. Why is that useful? It's easier to implement, or it's easier to maybe validate if your implementation makes sense. And what other things are nice about modeling? I like the word modeling, but in formalism they're related. Yeah, so you can model it, so if you have a model you can say, does this model match what job I need? Or if you have a model you can say, does this model actually implement the policy that I want? And if you have a more formal model you can actually reason about how the system can change. For instance, how would you be able to say something like, I don't know, if you're just thinking through, well, can any student, let's say, well, that's not a good example, can any student become, let's say, the administrator on the system, right? And so you think through, well, how can a random user on that shared server example, how can a random user become administrator? Yeah, so one of the admin users promotes them to admin. What else? Okay, so they exploit the server to give themselves unauthorized access. What was that?
Yeah, they guess the root password to give themselves administrator access. Any other things? Yeah, a bug, so yeah, a bug in one of the system's operators. So you'd want to think, and especially the one that's really interesting in access control is: if your policy says there's absolutely no way that a regular user can become root, but if admin users can turn other users into root, then clearly there's a very easy way that this can happen. So if you have a formal model of thinking about this access control system, you may be able to actually prove something about the system that says, like, it can never get into this state. So when we think about access control, so what are, we talked about there's some users in the system, right? So there's, we talked about with the homework enrollment page the examples of you have a user, the students and teachers and TAs. Not only those are people, but what do you actually want to control access to? So information, yeah, exactly, so the information. What else? Yeah, so you want to make sure that random users can't just create accounts. This is why you're given an ASU username and all that stuff. Actually, I don't remember how that happens, but I believe you don't just go sign up at like ASU.com slash sign up and you just get a username and password, like okay, it automatically generates, right, because it does that when you're a student, because not everyone should have access. Cool. So we think of these in terms of, okay, perfect, we think of these in terms of three different things: subjects, objects, and rights. So when we think of subjects, this is our users in most senses; you can think about it as things in the system that can act and can do things. So what are some things that are not users that can do things? Oh, interesting, okay, so maybe like an automated process, let's say. What else? Something like a Linux machine, was it?
Yeah, so in Unix-based systems basically any process can do things. So there you have users, but you also have a process, and maybe that process is associated with the user, which we'll actually get into how that works. What other things can act on systems in general? I think we've actually covered it. Cool, okay, so that was a test; there's not always an answer. Maybe one of you has some crazy idea that would work. So yeah, so people, users, processes, anything within the system that can act. So subjects are things that can act; objects are things that get acted upon. So what are some examples of objects? A little more fine. Great, if you want to model the access control to the physical server, then yes, the physical server. Users: can you act on them? You can do things with them, right? So you want to model that too, just like we said the example promoting somebody to an administrator, right? So that could be something that you act upon, or deleting a user, and that would be you're acting on a user. What else? Files, yeah, files. Anything else? Programs, yeah. Why do you care if users modify your programs? Yeah, you. External drives, yeah, everything. So I mean it kind of depends on exactly what access control system you're modeling. Do I care about, maybe, I don't know, external drives when I'm thinking about a satellite system?
Probably not. I would not consider those things, but I may consider remote users logging in; I may consider all kinds of things. So the way to think about these: we have subjects, things that actually do things; objects, things that are acted upon; and some idea or some notion of rights, in the terms of what can the subject do to the object. So what are some normal rights, and here with capital R, Rights? So what are some normal rights that we're used to dealing with and thinking about? Yeah, execution, so being able to execute a program or not have the right to do that. What else? Read or write to files. What else? Yeah, so being able to create users or files; those can actually be very different things, so there are different rights on different objects. Yeah, right, so what's the difference between moving and copying? Moving, and what happens to the whole file? It gets deleted, right? So you can maybe, depending on your system, model a right as move, as kind of a basic right to be able to move files, or you can think about it in terms of reading and writing files: so you can read and write a file and then you can move it to another directory. What else? Yeah, yeah, being able to change your password, being able to even access the system, to log into the system. Yeah, this isn't really like on an object, but I'm thinking like on the ASU general server, so like maybe a right to be like how much of the server space you are allowed to use. Yeah, so usually those are in terms of process counts, so we'll definitely get into that at some point. You'll have access to a shared server that I'll set up, and people will, one of the fun things to do on a shared server is to create a fork bomb. Maybe you know what that is; anybody accidentally ever created one? Where you create a script that just keeps calling fork in a loop, so every time fork is called it creates another process, and then each of those creates two processes. If you have so many processes running on your system that nothing can happen and it
locks up. This happened within, I think, 30 minutes of giving students access to one of my systems, and it wasn't even malicious; it was just an accident. So the way around that is you can set like a hard end, like a number-of-processes limit per user on a system, so they can only have 50, and 50 is open. So yeah, no, that's a, so can, I'm not sure exactly how to phrase that, but yeah, you'd say, can you create a new process? And so that right would depend on how many are currently open. Say it louder. What did you call to, like, just kill a lot of people, another process, no such amount of shared server? Yeah, say it again. Ooh, so yeah, so messing with the shell, or messing maybe with what shell is run, or there's all kinds of fun shells, shell game, or messing with the environment variables in another process, and I can really mess up stuff. Should you be able to download things on the network? Or maybe you may want to limit the people. Yeah, being able to turn off the machine or turn on the machine or reboot the machine, right? Maybe being able to run backups of the machine. Anything else? These are good. Yeah, yeah, so being able to change what owns a file: can a user actually change that they own a file? Maybe I can do everything to it except for that. What about appending to a file? What's the difference between appending and write? You're adding to a file, and what does that mean you can't do? You can't delete any previous information in that file, exactly. So yeah, so maybe a right would be you're able to append to this file but you can't actually delete it. What about a directory? What are some of the rights on a directory? Right, so Linux's write, is read able to read all of the, so we think about, not that, we just think about abstract rights: so can you list all the files in the directory, can you create new files in that directory, and can you change directory into a subdirectory, in the case where you want somebody to be able to go into a subdirectory but not be able to read the files in that directory and list
the names of all the other files in there, but you may want them to be able to deposit in there. Yeah, yeah, yeah, so on a shared system, a lot of shared systems, to do like a web page on that system you create a directory called `public_html` in your home directory, and then if you put any HTML content in it, it'll show up when you access that website with like tilde your username. And so it depends on the system and everything, but the idea there is the web server needs to be able to actually go into that `public_html` directory, but you don't want the web server to be able to read all the files in your home directory or other users'. Any other rights? But I'm deleting a file: you have the right to delete a file but not read it. Would that ever be useful? Anything else? I'm trying to think of crazy rights, things that are non-standard. Hardware access, yeah, I think that was mentioned, like, right, like, or you can think of maybe direct memory access; maybe you have access to that or not. You can think of, well, that would be reading or writing. Or anything else? Yeah, executable, yeah, so you can execute a program. So one of the simplest ways of modeling this is actually in a very straightforward way, in a matrix, and a matrix is just a table. So you write out all of the, so on the, let's say here in this example, on the columns here, f, g, u, v, and b, these are all the objects on the system, and the rows here are the, is that right? Yes, and the rows are the subjects. Why is that right? Why do I think that's right? Because I made this line. You can see that the objects in the system, f, g, u, v, and b, these are all, this is a superset of the other column, which is the subjects in the system. So it depends on the system itself; maybe your subjects are objects or maybe they're not; it kind of all depends. And so here basically, so you think of this in this cell. So what does this mean in the cell? What does that mean? Yeah, we have no idea. We don't know what r1 and r2 is, right? It doesn't, it's essentially meaningless;
it's just abstract definitions here, right? So you can see that you have operations r2 on g, you have permissions r4 on u, whatever that means, and so we need to actually know what these mean and what the semantics are here. But is it ever a question of who can do what on this system? It's explicitly stated in this table. We have subject v who wants to do r3 to g; can they do that? It's not on the table. You look it up; it's very simple. So is it a simple model? Yes. Who are the subjects? They are u and v, the subjects, because they're on the rows here. So this is a fairly simple model. Oh, why? Yeah, so how would, if you add two users to this, how does this table change? You have four rows, and then another two columns, and then let's say those two users each create two files; so now how does this table change? You have additional columns, right? So think about a modern, think about your modern system that you have, like just right now: how would you be able to, if I said you'll ace this course, you don't have to do anything else, just write the access matrix model for your current system, none of you would want to do that. Why? Yeah, no, you don't have to do it right here by hand, you know. A lot of files. How does this table change? A lot. You have a ton of number columns right here, you have a ton of columns. And then if you think about like a Linux machine, you think, well, there's only one user, there's you, but how many users are there on the default Ubuntu? Let's look. I installed this Ubuntu 18.04. Oh, I can't make this bigger, sorry. I think I can SSH into it, though. How do I find out how many users there are on this system? I can say `who`. It's all me. Well, what else? Huh? Yeah, the `/etc/passwd` file, which ironically now has no passwords in it, but it does, it will show me all the users installed on my system. And how do I figure out how many users there are? I can do `wc` to tell me the number of lines there are: 30 users. So your table for this is going to be, so you'll have at least 30 rows, and so you'll have to fill that out for
every single file on the system. So that's, so the way to think about this is this is the perfect access control model in the sense that anything you want to express you can express here, right? If you want one person to be able to access a file, or three people but not another 20 people, you could do that all in here. The problem is it just becomes insane actually thinking about this whole model, so that's why we have to develop other ways to actually get around this and do real systems, because you would never want to do this. All right, thanks.
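The access matrix the lecture describes, written out as a small program (an added example, not code from the lecture or the course). It keeps the lecture's abstract names, subjects u and v, objects f, g, u, v, b and rights r1 through r4, but which right sits in which cell is constructed here, apart from the two cells the lecture mentions (r2 on g, r4 on u); the `user0/file0` style names for the added users and files are assumptions as well. It shows the three things the lecture gets at: every decision is a plain table lookup with default deny, subjects are also objects because you can act on a user, and adding a few users and files multiplies the number of cells you would have to fill in.

```python
"""Access control matrix: a subjects x objects table whose cells hold rights.

Added illustrative example. Cell contents below are constructed; only
"r2 on g" and "r4 on u" come from the lecture's table.
"""
from typing import Dict, List, Set, Tuple


class AccessMatrix:
    """Sparse access matrix: only non-empty cells are stored; anything absent is denied."""

    def __init__(self) -> None:
        self.subjects: List[str] = []   # rows, in insertion order
        self.objects: List[str] = []    # columns, in insertion order
        self._cells: Dict[Tuple[str, str], Set[str]] = {}

    def add_subject(self, subject: str) -> None:
        # A subject can be acted upon too (promoted, deleted), so every
        # subject is also an object: the objects are a superset of the subjects.
        if subject not in self.subjects:
            self.subjects.append(subject)
        self.add_object(subject)

    def add_object(self, obj: str) -> None:
        if obj not in self.objects:
            self.objects.append(obj)

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        if subject not in self.subjects or obj not in self.objects:
            raise KeyError(f"unknown subject/object: {subject!r}, {obj!r}")
        self._cells.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        cell = self._cells.get((subject, obj))
        if cell is None:
            return
        cell.difference_update(rights)
        if not cell:
            del self._cells[(subject, obj)]

    def allowed(self, subject: str, obj: str, right: str) -> bool:
        # The whole decision is one lookup: if the right is not in the cell
        # (or the cell is empty), the answer is no. Default deny.
        return right in self._cells.get((subject, obj), set())

    def shape(self) -> Tuple[int, int]:
        """(rows, columns) = (number of subjects, number of objects)."""
        return len(self.subjects), len(self.objects)

    def cell_count(self) -> int:
        """Cells you would have to fill in if the table were written out in full."""
        rows, cols = self.shape()
        return rows * cols

    def dense(self) -> List[List[str]]:
        """The full table, one row per subject; rights in a cell joined by ','."""
        return [[",".join(sorted(self._cells.get((s, o), set())))
                 for o in self.objects] for s in self.subjects]


def lecture_table() -> AccessMatrix:
    """The 2-subject, 5-object table from the lecture (cell contents constructed)."""
    m = AccessMatrix()
    for s in ("u", "v"):
        m.add_subject(s)          # u and v become objects as well
    for o in ("f", "g", "b"):
        m.add_object(o)
    m.grant("u", "g", "r2")       # "operations r2 on g" (from the lecture)
    m.grant("u", "u", "r4")       # "permissions r4 on u" (from the lecture)
    m.grant("v", "f", "r1", "r3")  # constructed
    return m


def add_users_with_files(m: AccessMatrix, n_users: int, files_each: int) -> Tuple[int, int]:
    """Add n_users subjects who each create files_each files; return the new shape.

    The owner rights granted here ('read', 'write') are constructed."""
    for i in range(n_users):
        user = f"user{i}"                 # assumed naming scheme
        m.add_subject(user)
        for j in range(files_each):
            path = f"{user}/file{j}"      # assumed naming scheme
            m.add_object(path)
            m.grant(user, path, "read", "write")
    return m.shape()


if __name__ == "__main__":
    m = lecture_table()
    print("shape:", m.shape())                              # (2, 5)
    print("u may r2 on g:", m.allowed("u", "g", "r2"))      # True
    print("v may r3 on g:", m.allowed("v", "g", "r3"))      # False: not in the table
    print("after 2 users x 2 files:", add_users_with_files(m, 2, 2), m.cell_count())
```

Two users who each create two files take the table from 2 x 5 to 4 x 11 (two new rows, and six new columns because the users themselves are objects too), so the number of cells goes from 10 to 44; the 30 accounts in a fresh `/etc/passwd` times every file on the disk is what makes writing the matrix out by hand hopeless, even though any policy at all fits in it.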