So you're going to put the gender check on your sign. All right. It's Tuesday morning. Let's get started. Okay. I think it's working. Somebody just said in the Zoom chat that they can hear me, so we will keep going. Cool. So we're going to continue where we left off on Tuesday and Thursday. You don't have any assignment yet. You'll get your assignment on Thursday. We'll talk about it briefly at the start of class. So that should be fun. So enjoy this fight. Just start. And yeah, any questions this class? Well, we meet in person on Tuesday. You are responsible for the content on Thursday. We'll be recording the lectures and posting them online. You can either attend on Zoom, like everyone else is doing right now, or watch the recording. Okay. Yeah. So let's get going. All right. So we left off on Tuesday, Thursday. To, uh, we left it with the components of security. So can someone remind us, what are the three aspects of security that we always think about when thinking about securing a system? And what's the third one? So there's confidentiality and integrity. What's the third one? Availability. Thank you. And what do they mean? So what does confidentiality mean? Awesome. Yeah. So the ability to keep information that should be secret, secret, or to prevent people who shouldn't have access from accessing information. Great. What about integrity? What does integrity mean in this context? Well, so making sure that the information is safe in terms of somebody not being able to change it or alter it. Yeah. Great. Or unauthorized altering, right? If all of our data were immutable and it couldn't be changed, it probably would be useless to us. Yeah. Good one in the Zoom chat. That is unalterable or. Unalterable. Or we can also think of it in the access control context to say, somebody who should be able to alter or change that data can, but other people can't. Okay. Cool. And then the third one, availability. What's. 
What, what's kind of exactly. Yeah. Yeah. So availability is people who should be able to access data or systems can actually access that data or that system. So it's kind of, you know, you can think of it similar to integrity, but rather than changing or altering the data, they just don't have access to that data. Cool. Okay. Yeah. So it's everything that we talked about last week. You're all caught up. Look at you. You're doing great. Second week of class. Okay. So when we're thinking about securing a system, we always think about those three security properties, right? And that itself doesn't just drive us. We also want to think about what are the threats, the specific threats to a system. And the idea here is we think about threats in terms of what are all possible kinds of threats or things that could go wrong against the system. And these are some general classes of things that we think about. So we think about disclosure threats. So this would be, let's say, disclosing information that should remain secret. What security property does that violate? Yeah, confidentiality. Thank you. Sorry. I have to look at the Zoom chat too. So I sometimes don't see your hands. Deception. So pretending to be somebody else. So we can trick the system into thinking. So if you think about Canvas, right. If you're able to trick Canvas into thinking that you are me, then you can go in and change grades and set grades and do all kinds of crazy stuff. Right. Yeah. Access. Yeah. So which of the three CIA properties does that fit under? Confidentiality? For example, you want to elaborate? Why confidentiality? Why availability? Possibly. Yeah. Depending on how we do it, right? So if you think about, if you're able to log in as my account, you could go in and change the password to be something else that I don't know. So now I don't have access to the system, but only you have access. Yeah. Yeah. 
So right, both integrity and confidentiality have built within them this notion of who should be able to access or change this data. And so if I'm not able to know who the actual user is, I can't really give them the correct access. Should they have access or should they not have access? Yeah. So it can actually impact all three. That was great. Cool. Disruption. We may want to disrupt something. So this is very clearly related to availability. And then we may be able to get more privileges. We'll get to this later. I don't think it's super useful to think about. Okay. Cool. So let's think for a moment. And there's a number of common threats. So every situation is different. If we said, okay, we want to analyze the security properties of this room, Me Paul 105, from a physical perspective, right? There may be, let's say, different threats we would consider here versus if we were going to say secure my home, versus securing Bill Gates' home. Why would we think that there might be different threats in those areas? Why? I'm not as popular or as rich as Bill Gates. Yeah. Bill Gates has more valuable things. And also access to information, which is not public knowledge, that has a lot more value. That's good. So not only does Bill Gates probably have more expensive items in his house that you could steal and then sell for money, you may actually have access to information that is more valuable and you could use to, let's say, trade Microsoft stock or whatever. That's a good one. What about this room versus those other things? Yeah. Okay. Okay. Which are based off of, which are network. So they're not exactly very useful because unless you get to the network, you can't get access to it. Operate. Which drop the map. Okay, cool. Yeah. Okay. You're just going to be hired in this class because it will I will variable. How you have. So I want to move on, people. I would do it here. Yeah. Yeah. 
So it depends on, so when we think of the threats, right? We also want to think of who's behind them. What's motivating them? What do they want out of things? It's also fundamentally different security properties. Do you think Bill Gates has 200 students that show up at his house every hour and 15 minutes? No, that would be kind of a nightmare to secure, right? But fundamentally this room is here for us to come to class. So we have a lot of different security properties. And so a room like this, if it gets used enough, is seeing roughly what, 500, 600 people. So you notice you didn't have to card on the door, right? You didn't have to use your Isaac to access the door. So the security properties are fundamentally different there. So this is just to get you thinking about, hey, security is not a one-size-fits-all thing, right? The security that I have is definitely not the security that Bill Gates has. And maybe if I have a security alarm, I feel like I'm doing pretty good. Whereas Bill Gates, if he's just doing that, it's probably not enough because there's so much greater reward if somebody's able to break into his house or do whatever they need to do. Yeah, that's a good one. So Jacob on the Zoom chat says a room is a different layout. Like this room, Me Paul, is a different layout than a house, right? So it also has different security properties. So just looking here, right? There's three doors on the right. There's three doors on the left. There's doors back there. I don't know where these air ducts lead, but there are probably air ducts that lead somewhere, right? So there's a lot of ingress and egress points that we may want to consider. Like, do we know all those locks work? Do they not work? These are all kinds of things we want to look at. So nice. 
That was a Zoom chat. I have that sound on. Yeah. Yeah. Cool. Okay. Yeah. So then let's go. Okay. So then other kinds of common threats. We usually think about these in the security context, and these are threats that come up so often in so many different scenarios that we want to make sure we're thinking about these things and going through them as we consider securing a system. So one thing is snooping or wiretapping. So what does this mean? I mean, it could be one party listening to another party. It could be a third party listening to the communication of two people. So the term wiretapping comes from when the law enforcement agents would get warrants to physically tap into the phone line of a suspect. You'd literally install another wire that would come out and allow you to listen to the communication along that telephone line. Yeah. Yeah. It's come a long way since then, but there are still similar types of things that we want to think about. This is actually one of the big things that the Edward Snowden leaks revealed: that the NSA was wiretapping internal Google network communications. So Google was really good about making sure that everything was encrypted and safe when it came from your phone or laptop to their servers, but then internally between their servers, I don't know if it's between the data centers, but definitely inside their network, they weren't encrypting the communication between all those machines. And the NSA knew that and was using that wiretapping to snoop on all the information that was going across Google's network. 
So this actually caused Google to go in and completely change their architecture so that everything was encrypted computer to computer so that it couldn't be snooped or wiretapped. The other super crazy thing is, allegedly, and I of course don't know that for certain, but how does the internet get from us to, like, Europe? Yeah, like big cables that go under the water, fiber optic cables, undersea cables. And allegedly you can get a submarine down there close enough to physically wiretap in there to spy on communications. Yeah. Satellite. Yeah. Satellite's another way. And depending on how it's done, you could maybe get access there. So it's a threat that we always want to consider and think about. So this is where it gets into a very clear violation of integrity: any kind of modification or altering of data. We want to think like, okay, is it possible for somebody who shouldn't have access to be able to do that? One of the terms that will come up a lot that we think about is a man-in-the-middle attack. And this is where basically somebody is in between your communications. So rather than, let's say, talking to Google, your computer is actually talking to me. And I'm not going to talk about that. But then when you go to Google, your computer is actually talking to me and I'm talking to Google on your behalf. And then when Google replies, I send back to you their reply, so I can not only snoop and see all the communication, but I can alter and change the data and say, hey, Google says you don't have any emails. Sorry. And then I just steal all your emails. Yeah. That's one way to think about it. And then I'm going to talk about the real proxy. It can happen, you know, we'll get into how data actually flows on the internet, but it goes from hop to hop to hop. 
So like right now it would go from your laptop in this room to some wireless router to some switch somewhere to some switch somewhere else, all the way to Google. And if any of those machines along the way, like a switch or a router, is compromised, then you're going to have to keep your phone on the ground. And then you're going to have to return to the internet and mess with your communication. Okay. Masquerading or spoofing. This is kind of what we talked about with the sessions. So being able to masquerade. So pretending to be somebody else. Spoofing. So tricking a system into believing that you are somebody else. And it seems like one of these things where, well, you should never be able to spoof or to pretend to be somebody else. Is that actually true? Are there situations where you may want somebody to pretend to be you? Yeah, okay, cool. So cashiers may need to actually masquerade or pretend to be their bosses. Yeah, what else? Anybody in this room? Oh yeah, let's go. Shared email for customer support. Ah, shared email for customer support. Yes, so you may have a team of people managing an email account. Anybody here ever get an email from Michael Crow? Some of you? Do you think he writes all those emails and sends them out himself? I am certain that he was involved in the drafting of those emails. I highly doubt he's sitting behind his computer and going, you know what? I'm gonna send an email to all of ASU, and just opens up Outlook, like all at ASU.edu, and starts typing, right? And then hits enter. But that looks like it's coming from him. Why? And that's because we actually do want people to masquerade and act as us sometimes. So in the email context, this is usually called delegation. So I want to delegate the ability for somebody else to access and use my email. Okay, yeah, repudiation. So this is something that probably you're familiar with and you've been thinking about, or at least experienced, like the other ones. 
Repudiation is essentially the ability to say, hey, I didn't send that. So one case would be if somebody takes a screenshot of a communication, right, between you and them and publishes it claiming you sent them these text messages. Repudiation is for you to be able to say, oh, but those were faked, right? That's not actually me. How do you know that's me? All you see is my name on the top. You could change any phone number to be that display name and then control both the phones and completely control the communication. So I could repudiate that: hey, that's not me. Now, are there any scenarios where it may behoove or benefit somebody to be able to repudiate something like that? Credit card purchases, yeah. The credit card company says, hey, you bought $1,000 worth of Amazon gift cards. You go, no, I didn't, what are you talking about? I never did that. So yeah, from the online side. So repudiation is the ability to say, hey, I didn't do that, right? Just like with the credit card purchase. So with the credit card purchase, if I claim, hey, I never made that credit card purchase, they have to figure out if you did or did not. Let's do another thing. Another one would be, we're gonna stick to the classics, let's say stock trading, right? If your stock broker says, hey, you asked us to buy 1,000 shares of crappystock.com and now it's worth nothing. So sorry, all your money's gone. And you say, but hey, I never made that transaction, right? What's the brokerage to do? Can they actually prove it? So really, well, I wouldn't say it's discrediting a legit transaction and claiming you're the rightful account holder. It's more that it may or may not be a legitimate transaction. So the threat would be repudiation: somebody claiming, hey, I didn't actually do this. And so the security property we want, and we'll get into it, is non-repudiation. 
So this is basically, we can use cryptography to say, hey, this is something that I sent. So if I set up my email correctly, when I send an email to you, you can all know that it actually came from me rather than one of you pretending and spoofing to be me. So if you get an email that says, hey, we have an in-class exam tomorrow, and it's not signed by me and you don't actually know it came from me, then you don't have that. So this is why for different types of things you have these different properties, similar with brokerages, right? So the exact same thing happens there. You can't just call them and be like, hey, I'm Adam, I'd like to sell all my shares of X, Y, and Z. They wanna actually authenticate you, know who you are first, before they're going to do that. Cool. And then the flip side of that is being able to deny receipt. So being like, hey, I never actually got that thing that you sent me. So let's say I wanna buy a really great stock and I send it to my brokerage and they go, oh, sorry, dude, I didn't get that. Like now the stock is three times as much. Like, do you wanna buy it at that price? If they can do that, then if I don't have a way to prove, hey, you actually did receive my order, and then sue you because you're not actually acting on my behalf, this could be a big problem. Cool. Delaying things. So I think the stock example is a good example of where delaying things actually may be useful, right? Because sure, they'll do it, but they'll do it at a later point and maybe trade on that difference between the time when they got it and the time that they actually executed it. What are some other examples of when delaying things could be a security threat? Yeah, that's a good one. 
So emergency systems, you can think of earthquake warnings, you can think of, yeah, any type of situation that is real time and demands attention. If an attacker is able to delay that, that's a massive, maybe integrity, maybe availability problem. Yeah. Yeah, that's a good one. So two-factor authentication, either emails or push notifications. If I was able to delay that beyond the time window that you had to respond, then you're locked out of your accounts. And if you're the administrator of a system that I'm breaking into, then it's kind of nice because now you can't get in and kick me out or try to do anything like that. Yeah, that's a good one. Cool. And the other threat is something we've already talked about with availability. So denial of service. So a common threat we always wanna think about is, A, can an attacker take down this system, deny us access? And B, what would that take? What would it cost? And what's the impact to the overall system? Cool. And again, these are just to get you started thinking about these things. These come up in a lot of different scenarios. But when you're thinking about threats, you need to think about the threats to a specific, very specific system. Okay. So now we can think about threats. So we can think about, okay, what are the attacks to our system? But we wanna defend against them, right? So we're thinking about securing a system. We wanna defend against them. We have basically two main ways of defending against them. They are related because you can't really have one without the other. But important and distinct. So the two key things we have are security policies. The other one is security mechanisms. So the way I like to think about it is a door example. So the house, or this room, right? We have this room. We were talking about securing this room. We have all these doors. Each of those doors has a lock on it. The lock would be the security mechanism, right? So it's a security mechanism. 
What are the security properties of a lock? Like a physical lock. If you have the key, you should be able to do what with it? Unlock it. And what else? Lock it. Yeah. So anybody with the key can unlock it and get access and lock it. So if I just install a, if I install a lock on a door, does that mean I'm safe and secure and I don't need to think about it anymore? Why not? Say it with someone over here? Yeah. Yeah, well, they could just break the lock so they could break the mechanism. What else? Why else might I not be secure? Yeah, it doesn't actually do anything if you don't lock it, right? So even if I had the best lock in the world, you can't break it, you can't pick it, whatever. It's a perfect lock. If everyone leaves it unlocked all the time, it's useless. So that's where security policies come into play. So the mechanism is the lock and the policy is how do we use this mechanism to enforce our security goals? So in this case, the policy would be, hey, if you come into the house, like make sure you lock the door behind you when you're inside the house where when you leave the house and nobody's in there, you have to lock the door, right? These are kind of things we talked about, that organizations need to implement in order to make sure that the mechanisms actually work. So what threat is this combination of policy and mechanisms with this lock trying to prevent? Yeah, unauthorized entry, great. So I'm gonna be breaking into the house. And it's still, so even if we have a perfect policy and a perfect mechanism, does it mean that we are secure from unauthorized access? No, why not? What was that? It could be broken. Yeah, so maybe the mechanism can be broken? What else? Yeah, it may not be the only point of entry, right? That's why we do our threat analysis so we understand what are the different threats, right? 
Like I was mentioning in this room, there's the doors here, but there's also, there must be some kind of duct system that must get air from somewhere, right? So it must be another way to enter this room from the outside without using any door. And so if I have no idea about that and I haven't thought about that threat, I may not have any policies or mitigations in place to prevent that. Cool, yeah, that's another great one. So Lewis in the chat mentions, part of the policy is who gets the key, right? And what do they do with that, right? Because one of the problems with a physical key is anybody who has the key can make a copy of that key and give it to somebody else. And that person can make a copy of the key and give it to somebody else, right? So it actually can be difficult if it's not impossible to know who has the key. What's the defense against that? You can change the lock periodically and that would wipe out anybody without access before. Yeah, what else? So you keep track. You keep track of who's access, tie a key to the individual. That could be slightly difficult if you had multiple, if you had five or 10 people who were supposed to have access. Detect now would be difficult, yeah. Use a non-standard key that's not used to duplicate or you can, I'm gonna cover my time so you can't do this. Oh no, yeah, there we go. So this key, I think it's the key, well, I'm not gonna tell you what the key is for but it's key to something. And it says, restricted, do not duplicate. That's on the top there. I don't know if you can see this on Zoom. You can't see it either, it's fine. So that's actually stamped on the key itself. So if you take it to somebody to copy it, they should refuse to copy that for you. And that's why, so that's like a social convention almost to try to do that and restrict proliferation. Of course, nothing stops me from making my own copy of that key, right? 
Figuring out how to use everything, or I don't know, I think in movies they push it into soap so you get the shape of it and then create a key that matches that shape. Yeah. Yeah, are you sure they don't check? Ooh, have you tried? Yeah, yeah. Ah, nice, okay, cool. Yeah, it makes about me doesn't check anything. Yeah, I was wondering because, you know, has anyone ever tried to copy a $20 bill, print out a $20 bill with a printer? No, sir. I plead the Fifth. Yeah, well, you can plead all you want, but it's not gonna let you. It actually detects it and prints out like a quarter of the bill and then prints out a URL to be like, printing money is illegal for any purpose. Like your printer actually detects it and will not print it. And there's a hand, no, yeah. There's a two-way, two-part network, it's only biometric. Yeah, so we'll get into that. There's a lot of stuff. Yeah, so this would be another way: maybe say, hey, let's not just have the key. So we won't rely on one mechanism. We'll actually have multiple mechanisms in place that will try to identify people at various stages. What if you're printing money so you can use it in a play? You can't. You can buy fake money that looks like real money, but is not up close. Like that's the key. It's either the size or something, like there's a certain restriction. You can go look this up. This is a real thing. I'm not just BSing you. Do I think foreign printers have that feature? Ooh, that's interesting. I have absolutely no idea. Okay, so let's think, we're gonna think as a group and come up with an example. So we're gonna go through threat modeling and thinking about threats to our system. In this case, the system we want to defend is a house. So what threats do we wanna consider against this house? What was that? Intruders. Intruders, so be more specific, like, what's the threat? Okay, so we wanna prevent people from breaking into the house and stealing our stuff. What else? 
Okay, Godzilla, somebody wrote Godzilla in the Zoom chat. Is that absurd? Yeah, so we may think of natural disasters, right? As one thing. Yeah, or maybe we are worried about Godzilla. I don't know, maybe we live in a Godzilla-prone area. Privacy, interested in privacy, what else? Somebody's stealing our Wi-Fi? Somebody put it in the Zoom chat, yeah. That's not quite a threat, it has to be associated. Yeah, so what's the threat? Yeah, so that kind of goes into unauthorized entry, or maybe somebody breaking in with robots, right? We wanna think about all points of entry, yeah. Anything, so from the cyber perspective, so thinking about, and maybe the threat there is unauthorized people accessing my internal network. So that could be through the router, it could be joining my Wi-Fi because I have a bad password or no password. Nosey neighbors is one threat, that's pretty good, I like that, that's pretty good. Somebody connecting an extension cord to your house to steal your electricity and using that electricity to mine Bitcoin or something? Yeah. Yeah, power, water, sewer, those are all important things we want. I think we would not be happy in our house without sewer, yeah. Yeah, so vandalism or property damage. I'm running out of fingers, so we're just gonna keep going. So yeah, we may want to think about the threat of somebody either defacing our property or otherwise destroying our property. Somebody mentioned in the Zoom chat package thieves, that's not a threat. Zoom chat package thieves, right? So people stealing our Amazon packages from our porch? What else? Say it again? Yeah, okay, so that's, and I guess the question is, do we care about that? So you mentioned the castles. Yeah, so this is actually one of the key things about this exercise, is think about this. We've come up with 20 threats, but you know nothing about this house. 
You don't know if it's a castle, you don't know if Bill Gates lives there, you don't know if I live there, right? And so there's actually a good tip for any interviews you're doing. So if you interview with a software company, they'll always ask you some kind of question, and they will deliberately leave the question unspecified, kind of like this, right? Where I'm saying, hey, we're gonna defend a house. Is it a house? Is it an apartment complex? Is it a condo? Like, are we in a building with other people? You know, where are we? Are we in Phoenix? Do we need to worry about earthquakes? Are we somewhere else? These are all things that impact our answers in considering threats. So one of the best things you can do in an interview situation is to always ask clarification questions. So, you know, they say, hey, we wanna defend a house. You'd say, okay, what kind of house? Or we wanna do an algorithm to, I don't know, sort numbers in a list. Great, how big is the list? What's the size that we're thinking about? Are we thinking about 10 elements or are we thinking about a hundred million elements, right? Like these are things that help you define the parameters of the question, which is important in itself. Cool, okay. Any other threats that somebody thought of while we were? I would say your car as well, for the contents of it, not in your house, but it's definitely a big compartment inside your house. Yeah, so I may wanna secure the car as well, which may then extend my security perimeter to the garage if I have a garage. Yeah. Okay. What about, should I worry about aliens? Say that again? If you're in your house, like you have to extend that to people that are in your house, aliens that are in your house, animals that are in your house, what kind of harm would damage your house? So one of the things about defending your house is that it's a good insider threat thought, right? 
So we may have, we may, let's discount aliens for right now, we'll go back to that, but even what about the people inside our house? What if a friend that we invite over steals things? Those are kind of threats. Usually we think of these as the insider threat. So this is the ability of somebody inside the company to either turn bad or be paid off in order to compromise the security of the system. Yeah, great. So we may actually want to think about, so part of this exercise is to get you brainstorming about different kinds of threats and attacks. And I don't think the alien thing is so crazy. It depends on what you actually believe, how likely you are to believe that, because part of what we do here with threats is to think about all possible threats. And then later we can go, okay, from this whole universe of threats, A, what do we think the likelihood of these things is? So we'd assign a very low likelihood probably to aliens. And we would also then look at the likelihood of that threat happening and then the severity if it actually occurred, right? Which is more likely: aliens, like, I don't know, zap you up into space and then steal all your stuff, or somebody breaks into your house while you're gone and steals all your stuff? The second one. And I guess we'd probably also design similar mitigations and policies to stop both of them, except maybe wearing a tinfoil hat for the aliens, which probably won't help against the intruder. And if we're hell-bent on preventing aliens, then good luck. I mean, you can still do all of the same stuff, but you'd have to then start thinking about, okay, what do the aliens want? What methods can they use? How can they get into the house? And then you'd have to think about mitigation. So how can I actually prevent them from doing that? And that's where we get into policies and mechanisms. 
So let's take the, I think let's take the threat of somebody breaking into our house and stealing all of our stuff, right? So somebody start talking about some mechanisms and/or policies that we would want to implement that could mitigate this threat. Locks on the doors, a security system. What kind of security system? What features do you want of it? Where do you want the cameras pointed? Okay, we want them in the main rooms and then at your entryways, what else? And outside the house as well. Ah, so a high fence. What does the high fence do? Make it harder to flee. Ah, makes it harder to flee. That's pretty good. Do you have a gate on this fence? That's where I said a gate is hard to get access to. Ah, okay. So a gate that's hard to get access to. Yeah. Because remember, you need to probably leave your house too. Yeah. Having a safe, qualified. Ah, so maybe making it more difficult by having a safe, right? So even if somebody breaks in, depending on their level of quality, right? Are we talking just a random burglar who chose your house, versus, hey, they're stealing specifically your stuff? Is this like an Ocean's 11 type of situation? Yeah. Make sure it's the aliens that do your alignment with all the policies of the security point. Yeah, so then part of the policy with doors, right? Make sure that people you invite in know the policy. Know to even arm the alarm, right? You can have the best security system in the world with the fanciest detection, but if you don't actually turn it on, then it's of no use. Yeah. Yeah, so that's, and this also helps understanding what type of house we're talking about, right? And how seriously we take this threat, right? One mitigation to that would be, like, no windows. Sorry, this house only has doors. May not be a nice place to live in, but maybe it helps mitigate the threats. And so we'd have to trade off. 
What's the likelihood of this threat and what's the risk to that and what's the downside, right? So these are all the things we think about. Anybody, I think is a related thing I have mentioned that. Has anyone ever been locked out of their house or apartment? Yeah, what do you immediately start doing when that happens? Yeah, so not just use the back door, but you start looking at your house and thinking about how can I break into this house, right? What do you think, is the back door unlocked? Doesn't have a lock. Doesn't have a lock, that would not make me feel very safe, but windows, yeah, start looking at the windows. Can you take off the screen and then do the windows just open? Some of them don't, some of them you have to like jiggle. I also think like, oh, shoot, I know that bathroom window is open, but it's on the second story. Oh, there's a tree right here that kind of goes up there. I wonder if I can kind of get up there that way. And so this is kind of what we're doing here is taking an adversarial mindset and applying it to this situation, right? It's saying, okay, we don't normally think like criminals, hopefully, but we need to for this situation because we want to enumerate what are different ways and threats that an attacker could get into our system. Okay, so yeah, good. So there's a lot of nice things in the Zoom chat about people breaking into their own houses, I assume. Okay, so threats of, so then what are the pros and cons? Let's go through, so we came up, so we had the threat of somebody breaking into our house and stealing our stuff. We have several different policies and mechanisms, right? We talked about locks, we talked about a security system, we talked about a safe. I think some people on the Zoom chat suggested armored guards. What are the pros and cons of that? All of the, like, so take one, okay, I guess of those. So let's do locks, pros and cons, yeah. Yeah, they could be broken or picked. So as a mechanism, they may not be that strong. 
They definitely have downsides, so that'd be a con, yeah. You have to have a key on you at all times. If you don't have that key, you're locked out of the house. We just talked about being locked out, how annoying that is, yeah. Say it again. Yeah, a good lock may cost a lot of money, so depending on how you want to trade off that broken into easy to access, whatever, it may cost you money. People forget to lock doors, that's kind of a con, so we need some kind of policy, and enforcing that policy can be difficult with people you don't directly control, like employees or whatever. What about, let's compare that to a security system? Do you say ladder? Yeah, you have to arm it, so that would be a con, right? Again, you need some policy that says, hey, you need to arm it. Yeah, you have to disarm it, so not only do you have to unlock it, you have to remember the thing and disarm it. Usually it'll beep to tell you, hey, I'm gonna call the cops soon, so, yeah. They're more expensive. More expensive, maybe you're not only paying, you usually don't need a monthly subscription for your door locks. You buy that, that's a one-time key, but a lot of these systems, especially if they're actually connected to somebody that will call the police, require a monthly fee, they'll run, yeah. It does not send responses here. Ah, yeah, it may actually not even solve the problem, right? Because it may not stop people from stealing our stuff, right? If they're able to break in, steal the stuff and leave by the time the cops get there, then what did it really do, right? It just told us that, hey, somebody did steal your stuff, good luck. Yeah. This is going to be sent to the deputy. If you know what you're doing. Hmm, interesting. Which means you can counter the fermenting in the first place by setting up the way it does happen, but you're still struggling to be on the good side with your whole range of gains for getting access, and you can't contact the person for services for you. 
Yeah, okay, so maybe you can make your own, that's an interesting point. There are definitely some times where that will get into, especially regarding cryptography, where I will highly encourage you to never do your own thing. But yeah, in this case, so I would also bring up interesting things like, okay, well then before I break into your house, what if I cut your internet? Now your thing can't dial out. Which is also a threat I would think about with the security systems in general. How do they work? Do they just use your internet and your wifi? Do they have a different connection? Do they have a cellular access that can alert people? If it's all online, I can just cut it. Yeah, the interesting thing people were talking about in the Zoom chat is, depending on what type of lock you get, if you get a smart lock that is set up with your home, there actually have been cases where people have been able to say like "Alexa, unlock the door" from outside the house and the Alexa picks it up inside and then unlocks the door, right? So these are other kinds of threat models that can occur. Cool, and then, okay, yeah, well, let's compare that to the safe. So then what is the safe? What are the pros and cons of the safe in terms of that threat? The actual code or combination to the safe, safe market, relatively difficult to break into. Safes may be difficult to break into. I don't know if that's a factor or not, but I'd have to debate that, yeah, in the back. Yeah, so if, yeah, interesting. So yeah, by the time they get there, they're already to the safe, right? So questions I would have is what's the size of the safe? Right? Are you talking just a little like, you know, kind of like the safe you see in a hotel room, right, that size safe? And maybe it's the other thing you'd ask is, is it attached to anything? 
Because otherwise, well, I don't really care how long it takes me to break it, as long as I know somebody who can break it, I'll just take it, leave, and then have somebody else break it at our leisure where we're not worrying about being in your house. Yeah. No, it's not looking at the ones that are protecting the threats, if you're good at protecting like a piece of paper or whatever, why would you buy a safe? That's good, yeah. So like, what are you protecting, or what are the threats? Like actually the, I mean, what are some other reasons people have safes that don't involve stealing things? Let's go back here. Louder? Ah, firearms, yeah, that's a good one. So literal access control, it's not that you're worried about people necessarily stealing it, it's access to what's in there. Yeah, a fire, right, that may be, I mean, I have a safe like this, like it's a portable safe, like I can hold it and carry it, and it's just got a lock on it that I don't really care what the lock is, because the point is not to put valuables in there, it's in case there's a fire to increase the chances that important documents survive the fire, right? So it's a, it's kind of funny, it's the same mechanism, but for a completely different threat, right? The threat there is fire and damage to my important documents. Yeah, that's great. So which of those three would you recommend in this scenario? Sure, what's the downside of using all three? Yeah, so money, right? So that's, so this is part of it is defining the scenario. Who is this for? Right, again, for Bill Gates, that actually may make a lot of sense to have as many layers of security as possible. I mean, it may even make sense for him to have, I don't know if an armored guard makes sense, but like a secure, a dedicated security team, like people who are watching the things and those kinds of situations, right? 
Yeah, so anyways, so yeah, so maybe all three, so it really depends on the context, it depends on the budget, and it depends on what they're trying to keep safe, right? It's different if somebody is, well, I don't know, I guess I'll use myself, right? When I was like fresh out of undergrad, I literally had like nothing in possessions, like somebody could just walk into my house and I don't know, there's nothing important for them to steal, right? And over time, you maybe get more and more things that actually people could steal and you wouldn't want that. So your risk threshold kind of changes depending on those situations. So now we're gonna look at kind of security policies. So we've talked about that. Remember, security policies are essentially the rules about how we use a system or approach a system even, or how do we use the mechanisms? So usually we wanna think, when we think about security policies, we want to implement security policies in order to prevent things. So what would be some examples of security policies either in the context we talked about or completely different contexts that have to deal with prevention? Ah, maybe laws against them, so more, but yeah, this goes kind of like a society-wide thing to discourage this kind of behavior to decrease the probability of these threats. That's interesting, yeah, about that. Yeah, so locking the door when you leave, that way the security mechanism is in place would be a way to prevent unauthorized access. What about actually nobody mentioned a potential, well, maybe, ah, there we go, warning signs, yeah, that's good, like the ADT signs. So actually a legitimate mechanism that you could implement against the threat of somebody breaking into your house and stealing things is putting a sign in your window that says like this home is protected by ADT or whatever. 
That doesn't mean that you have ADT or have ever set it up, but this is trying to prevent the criminal that's looking for a house to break in sees that sign and goes, ah, I'll just go elsewhere, right? There's nothing about this place that's drawing me in. So I might as well go somewhere else that somebody that doesn't have that sort of system. Whether they know you have it or not is a completely different issue. It doesn't completely prevent this kind of a thing. The other kind of funny joke, I guess, is if you have kind of a crappy car and you're worried about people breaking into it, just always park next to a really nice car. That way if they ever wanna break into something, they'll break into the car next to you rather than yours. Yeah, so that's a good one. Ooh, that's a good one in the chat. Another thing with prevention, actually to do with cars is to not leave a bag or something in the car where it's visible, right? Because somebody may be walking across, think that it's a laptop, break into your car and steal it, whether it is a laptop or not, but they don't know it. But if they can't see it, then at least kind of removes this possibility of a kind of crime of opportunity. I guess, yeah, the flip side is leave a bunch of junk in your car. So if people think that everything in there is just garbage. All right, detection. So this is kind of what we talked about with the security system, right? So a security system has aspects of prevention, right? Because maybe somebody will choose to not break into your house because they see the security system, but it also may impact detection. So what are other security policies that have to deal with detection? Yeah, so turning on cameras. So what does that help with? Somebody else? Yeah, so maybe increases the odds of you getting your stuff back, right? In this situation, maybe we can identify the criminals. Maybe we can get the stuff back. 
Maybe we can at least, maybe from another perspective, it actually helps with insurance. So it may help us prove to our insurance company, hey, we actually did get robbed. We're not just claiming we got robbed in order to get, collect the money on all of our valuables. Yeah. Ah, there you go, yeah. Yeah, so you can know what was taken. So you can replace it. I mean, this is also with the insurance idea. So this also comes up when we're talking about computer systems, right? We want to detect when there's an attack so that we can take appropriate action. So what are maybe some of the actions that would be taken after you detected, let's say somebody inside your wifi network, your home internal network that you didn't want access to? Yes, so let's say you detected somebody. So one of the threats we talked about inside the house was that somebody was in, like somebody who was not supposed to be there had access to your internal local network. So if you detected this, what would you do? Yeah, you may go into the router. Actually, the very first thing I'd do is unplug it. So I'd unplug the whole network, take everything down and then, yeah, maybe reset the router back to factory defaults. So there's a little switch on the back to hold or whatever. You'd have to look up how to do it. Switch it back to factory defaults hopefully to ensure that they are no longer inside. I may now not trust any of the devices on my network. I may wipe them and reinstall them, it kind of depends. And it depends on kind of what visibility we have into these actions, right? So if we can see what they did, we can then mitigate it more. Now, one of the keys is let's say both of these things happened at the same time, right? So somebody broke into my house to steal my things and was also inside my network. And that same network is also where my security cameras are. How can I trust the footage from that security camera if I know somebody's been in it and could have tampered with it? 
Yeah, maybe I have backups. I would hope I have backups, but some people don't or a lot of even companies don't. Yeah, and so we also may have security policies that have to deal with recovery, right? So when we detect something, how do we recover from it? And so, and actually one of the, this actually feeds this really nice cycle where we of course want to prevent everything we possibly can, right? Because we wouldn't just like, you know, if our job is to secure a house, we just said, yeah, do whatever you want with the locks, leave them open, leave them closed, like whatever, nobody really cares. Just like always leave the doors open. I guess it's just a bad security policy, right? So we want to prevent everything, but we know we can't possibly prevent everything. Why can't we prevent every possible threat? Say it again, louder. Mistakes happen. I don't, you're saying I make mistakes? Yeah. Yeah, people build these things, right? People build the mechanisms, people implement the policies. There will be mistakes, that's a guarantee, yes. And the biggest thing about security is how are you working? Exactly, and maybe we just don't have enough money. Like, I'm sorry, I don't have enough money to hire armored guards at every entrance of my house all the time. That's just not feasible, right? So I can't prevent every possible threat. And even if I could, attackers are very smart. Yeah. If it's a zero-day, it has something to do with time. Yeah, you may. Exactly, so they may have, let's say like on the router network, right? They may have found a completely new bug that nobody actually knows about and my router company doesn't even know about. And so they're not gonna fix it and I'm vulnerable to that. So we prevent as much as we can. We have detection mechanisms in place to detect anything that we couldn't prevent. And then after we recover, we say, okay, what can we do to try to prevent this in the future, right? 
Maybe actually in the case of a zero-day, it was a vulnerability that was a month old. So maybe I need a policy of, hey, every month I should be looking or every week, I should be looking to see if there's updates for my routers, right? So then you implement a new policy to help with prevention and detection that then the next time there's an incident, you kind of have this nice loop. Act like, well, that's all right, not like that. Okay, so how do we define security policies? How did we define them just right now? More basic than that. Yes, we definitely defined them according to the mechanisms we're using, but how do we define them? This isn't a trick question. Even more basic. So you set it in there, right? How do I write these policies? With English words, yeah. This is the basic level of what we're talking about. How do you actually define these things? So we can write it in natural language, right? We can write it in English. What's the benefit there? Yeah, I can send it to everyone and say, hey, here's the new policy for locking the door when we leave. What's the downside of natural language? Yeah, let's go. Computers may not be able to understand it. Maybe hard for the computer to enforce. Yeah, back, back. Say it again. Is that a pro or a con? Con is everyone knows the policy? Ah! I see, I see. Everyone, even external, like would know the policy. Okay, yeah, that's a good point. That's actually something I should have brought up earlier. If our policy relies on only us knowing it and our adversary not knowing it, is it a good policy? No, why not? Yeah, so this is kind of a general security rule that we'll get into in the future. But yeah, it's a good thing here. We usually don't want to rely, have the security of something rely on people not knowing how it works. Now you may say, well, but of course, the whole reason the nuclear launch code thing is safe is because there's some nuclear launch code that only one person knows, right? 
Which is true, there are secrets that we wanna keep. So it's the security of the policy and mechanisms work as long as nobody knows that secret. But everyone, we assume the adversary knows and understands how the policies and mechanisms work. And that makes for stronger systems. Yeah, that's a good point. Say it again? Natural language could be confusing. Yeah, have you ever had a question on a homework assignment maybe? Or you didn't understand what it was asking or an exam question, right? So as great and as fun as natural language is and as easy to convey, the downside is, hey, I have to say things in words. So people can always say, oh, but I was only leaving the room for five seconds. Why would I lock the door then? Even though the policy says you have to lock the door every time you leave. Yeah. Yeah, so you're relying on humans. So you definitely, there's kind of no getting around that if humans are involved in your system. What you can do is try to make either automated computer mechanisms that help with that or have essentially humans checking humans. So this is kind of, anybody seen, I think it's at the start of War Games. It's like to actually launch the nukes. You have to have two people with two different keys, put their keys in at the same time and turn the keys at exactly the same time. And then it's done in such a way that one person can't physically do it. You have to have two people. So you have to have two people in agreement. So if you just have one bad actor, they can't just launch nukes unilaterally. Cool. So the flip side of natural language is the beautiful language of mathematics, right? So we can formally define our security policy using beautiful formalism. What's one of the benefits there? Yeah. Easy for computers to understand. Say it again. Easy for computers to understand. Easy for computers to understand. Yeah, what else? Yeah. Say it again. Yeah, it should be unambiguous, right? 
Assuming you understand all the terms and everything in this language that we created to describe it, it should be unambiguous. There shouldn't be any, oh, well, I didn't know the policy did X, Y, and Z because it's defined all there. What's some of the downsides there? Have any of you read the ASU computer use policy? You definitely should at least not because you're supposed to have done that, probably to be a student here, huh? Sorry, I didn't hear it, right? So you should have read that. If I asked you to do it, you could go read it and understand it and then we could talk about what it does. Now, assume that that document was written in mathematics. It may be much more difficult for you to just go in and read and understand what you are or are not supposed to do. You'd have to actually study to understand this thing. So it's a trade-off. It may be unambiguous, especially to a computer or a machine, but to a human, it may be so incomprehensible that I have no idea and I just can't follow this thing at all. Yeah, that's a good point. People are in the chat, kind of drawing similar parallels between like privacy policies of websites and end user license agreements, EULAs, when you're installing software. Like nobody actually reads those, but you can and could read them. If they were in a formal mathematical language, you'd probably even read them less. So in between those two, there's policy languages. So these are languages that are written in a usually easier to understand computer language. So the one I'm familiar with is XML, I forgot what it's called, XML ACL or something like that. It's like an access control mechanism stuff that's written in XML. So you kind of have this nice mix of like, okay, it's when you understand the language, it can be easy to understand, but humans can actually interpret and understand, and sorry, machines can actually ingest that, understand it and enforce the access control rules. 
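Added example, not from the lecture and not a real policy language: a toy machine-enforceable policy for the house scenario, written as structured data rather than English or set theory. Its shape (rules with roles, actions, resources, a condition and an effect, combined by a "deny overrides, default deny" strategy) is only loosely inspired by XML-based access-control languages such as XACML; the format, rule names and the HOUSE_POLICY contents here are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    """One access request: a subject in some role wants to act on a resource.
    `attrs` carries extra facts a rule condition may consult (constructed)."""
    subject: str
    role: str
    action: str
    resource: str
    attrs: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    """A single rule. An empty set means 'any', so short rules stay readable.
    `description` keeps the English gloss next to the machine-checkable part."""
    effect: str                                   # "permit" or "deny"
    roles: frozenset = frozenset()
    actions: frozenset = frozenset()
    resources: frozenset = frozenset()            # resource-name prefixes
    condition: Optional[Callable[[Request], bool]] = None
    description: str = ""

    def matches(self, req: Request) -> bool:
        if self.roles and req.role not in self.roles:
            return False
        if self.actions and req.action not in self.actions:
            return False
        if self.resources and not any(req.resource.startswith(p) for p in self.resources):
            return False
        if self.condition is not None and not self.condition(req):
            return False
        return True


def evaluate(policy: list, req: Request) -> str:
    """Deny-overrides combining: a matching deny wins outright, otherwise a
    matching permit wins, and a request no rule speaks to is denied."""
    decision = "deny"                             # default deny
    for rule in policy:
        if not rule.matches(req):
            continue
        if rule.effect == "deny":
            return "deny"
        decision = "permit"
    return decision


# Constructed sample policy for the house from the lecture (hypothetical rules).
HOUSE_POLICY = [
    Rule("permit", roles=frozenset({"resident"}),
         description="Residents may do anything in the house."),
    Rule("permit", roles=frozenset({"guest"}), actions=frozenset({"unlock"}),
         resources=frozenset({"door/"}),
         condition=lambda r: r.attrs.get("resident_present", False),
         description="Guests may unlock doors only while a resident is home."),
    Rule("deny", actions=frozenset({"open", "unlock"}), resources=frozenset({"safe"}),
         condition=lambda r: r.role != "resident",
         description="Nobody but a resident ever opens the safe."),
    Rule("deny", actions=frozenset({"disarm"}), resources=frozenset({"alarm"}),
         condition=lambda r: r.attrs.get("hour", 12) < 6,
         description="The alarm may not be disarmed before 6am, even by a resident."),
]


def decide(role: str, action: str, resource: str, **attrs) -> str:
    """Evaluate one request against HOUSE_POLICY and return 'permit' or 'deny'."""
    return evaluate(HOUSE_POLICY, Request("someone", role, action, resource, attrs))


if __name__ == "__main__":
    print(decide("resident", "unlock", "door/front"))                      # permit
    print(decide("guest", "unlock", "door/front"))                         # deny
    print(decide("guest", "unlock", "door/front", resident_present=True))  # permit
    print(decide("guest", "open", "safe", resident_present=True))          # deny
    print(decide("resident", "disarm", "alarm", hour=3))                   # deny
    print(decide("guest", "read", "camera/footage"))                       # deny (no rule)
```

The point of the layout is the trade-off the lecture describes: each rule is short enough for a person to read, the `description` field is the natural-language version of the same rule, and `evaluate` is the unambiguous machine interpretation. The last call shows default deny at work: nothing in the policy mentions camera footage, so a guest asking for it is refused rather than silently allowed.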
So there's kind of this happy medium that exists between there. Okay, so how do we verify that our security policies are correct? Somebody made the vicious, vicious claim that I make mistakes. But if I write a security policy, how do I know that there are or are not mistakes in it? Oh, sorry, go ahead. Louder. Testing. Testing, yeah, how do I test my security policy with just a bunch of words? Yeah. Try to break the security. Try to break the security policy. So yeah, create maybe models, like create an environment just like we did here, right? We thought about, okay, we want to protect the house. We, our security policy is, everyone has to lock the door when they leave. So our mechanisms are locks. And then immediately, one of you said, yeah, but what about the windows, right? So that's the ability of testing the policies. Yeah, what about, what if people don't? What if the policy doesn't work and people don't lock the doors when they leave? Cool, so we can test it. What else? Yeah, so maybe we can think through, almost like a backup plans in some sense, like what if that policy doesn't work or we can look through the policy and go, hmm, it really depends on step XYZ, like people locking the door after they leave. And maybe we can also implement maybe detection policies to detect when that doesn't happen so that we can respond to it, maybe update the policy. Yeah, that's good. We always want to look at our assumptions, right? So what does this assume, right? So the policy of lock the door when you leave, A assumes that humans will do that and B assumes that the locks work, right? How do we know that the locks work? Maybe the locks are broken and somebody can literally just, like it doesn't actually do anything. This was an old bug with Dropbox. I think it was, what is this before 2010, it may have been 2012 or something where Dropbox accidentally made a change where it wasn't checking your password when you logged in. 
So you can just put any email address and any password and you'd be able to log into that account. And it was discovered really quickly and fixed within hours and they had logs of everyone who had ever, that had this had happened to, but again, that's kind of a situation where the locks fail, right? So even the policy was correct, the locks themselves essentially failed and weren't doing anything. Cool, so what, so yeah, so we think about kind of the assumptions like we kind of assume the policy is correct. We may want to verify those assumptions. We usually assume and the key is thinking through these assumptions to realize, okay, we're assuming that the mechanism correctly implements the policy, but is that the case? Can we check it? Can we maybe actually check? So maybe we were sold these locks that said they were unbreakable. What if we hire a team to try and break them? Can they break them? The other thing we want to think about is trust. So who does this policy trust? And this kind of gets into the insider threat scenario where we say if our policy relies on, let's say administrators to do things correctly, well, what if those administrators are malicious? What if they start doing bad things? And okay, so mechanisms. So we kind of talked about mechanisms. I don't think we're gonna go too much. They can be either technical or a process like you could think that the, like let's say in an airport going through the security line is not really a technical barrier, right? It's a procedure you have to go through where you throw all your stuff on a thing and it gets x-rayed and these other things happen. The key thing is what makes a security mechanism effective, right? And we talked about these things secure, right? We want the mechanism itself to be secure. We want to make sure that the mechanism itself doesn't fail. The mechanism is precise. So it does what it's supposed to do and nothing more. And how broad is the security mechanism? 
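Added example, not from the lecture and not Dropbox's code: a login check whose "lock" has silently stopped checking the password, next to a hardened version, plus a small self-check that verifies the mechanism actually enforces the policy ("only the account owner can log in") instead of assuming it does. The user record, the email address and the passwords are constructed; the password hashing uses Python's standard-library PBKDF2.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16  # used only to equalise work when the email is unknown


def hash_password(password: str, salt: bytes = None) -> dict:
    """Salted PBKDF2-HMAC-SHA256; the stored record never contains the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


# Constructed user database with a single account.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}


def login_broken(email: str, password: str) -> bool:
    """The failure mode from the lecture, kept deliberately: the account lookup
    succeeds and we return True before the password is ever compared."""
    record = USERS.get(email)
    if record is None:
        return False
    return True  # BUG: `password` is never used


def login_fixed(email: str, password: str) -> bool:
    """Hardened check: recompute the hash and compare it in constant time."""
    record = USERS.get(email)
    if record is None:
        # Do the same amount of hashing work so the response time does not
        # reveal whether the email exists, then refuse.
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def lock_self_test(login) -> bool:
    """Verify the assumption 'the locks work': the right password is accepted,
    a wrong password is rejected, and an unknown account is rejected.
    A deployment would run this after every change to the login path."""
    return (login("alice@example.com", "correct horse battery staple")
            and not login("alice@example.com", "not the password")
            and not login("nobody@example.com", "anything"))


if __name__ == "__main__":
    print("broken login passes self-test:", lock_self_test(login_broken))  # False
    print("fixed login passes self-test: ", lock_self_test(login_fixed))   # True
```

The broken version still "works" for every legitimate user, which is exactly why such a bug goes unnoticed: every positive test passes. Only a negative test, the wrong password being refused, catches a lock that has stopped locking, which is the lecture's point about checking that the mechanism really implements the policy rather than assuming it.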
So, you know, you can think of kind of like the, so think about the security system of the house example, right? Like somebody mentioned, I think the security system on the house should have cameras on the outside and the inside. Well, what security setting do you set when you're going to bed, right? Because you may want those cameras on inside your house in case somebody breaks in, you want the alarm to go off. But if you wake up in the middle of the night and go for a glass of water and the alarm starts going off, that could be incredibly annoying. But it could be so annoying that you're actually not using the mechanism. So you'd want to think through these things. Yeah. What's the difference between a procedural mechanism and a policy? Good question. The policy in my example would be everyone's through the airport to get past the security code, has to go through this procedure. So I think that's where I would draw the distinction. It can get very blurry when you're talking about these things. Because oftentimes mechanisms and policies are pretty hand in hand. Yeah. So basically the policy is the what and the procedure is the how. Yes. Well, I'd split it in terms of policies and mechanisms. Yeah. So the mechanism is kind of the how, like the what is the thing, like and the policy is the what, like what do you want people to do or what, how should people use this mechanism? Great. That's good. And okay. So yeah. So this kind of brings us to this notion of assurance, which is half, I guess, of the name of the course, right? The course is information assurance. So assurance essentially is how do you trust that a system is secure, right? And it's again, we've talked about and I'll talk about over and over again. You could never, you should never think or assume that a system is secure. Almost every system has been broken. Did I tell the example of the voting machines? I don't think so. Yeah. 
A good example of this is when we go to threat modeling and when we talked about threat modeling and those kinds of things is basically, so my lab at UC Santa Barbara, before I got there, they were hired by the Secretary of State of California, I believe in like 2005 to test the voting machines and to do like a pen test of the voting machine. So what they did was, cool. What they did was, so when they were brought into the room, the guy was talking, there's the voting machine there and the guy was talking about all these crazy diamond-like locks on the front, like you can't get around these locks. It's impossible. They're such like an insane design. And one of the professors, Dick Kemmerer, is just kind of nodding his head like, yep, that is a very cool lock. And so as soon as the guy left, what did he do? He didn't try breaking that lock. He turned the thing around, saw that there were screws on the back, unscrewed it with a regular screwdriver and boom, the thing popped off to get access to the PC inside. So this is kind of a, you should never trust that your system is secure because even if you're using the most high quality whatever mechanisms, if you haven't thought through all the other ways that people can get in, you'll get in trouble. So all right, thanks everyone. On Thursday, we will follow back up here. See you online people.