Monday, March 29, 2010

CS3216: Security system design, Chiang Kai, IBM

IBM: Guest Lecture, Chiang Kai
Date: 29 Mar 2010

(To be honest, I was falling asleep during the talk given by Chiang Kai (CK) on security. I guess that's the thing about security, you take it for granted that it works while you sleep..)

I think one of the interesting points is that we widely underestimate how much of our personal information is online and easily accessible by any crawler. CK brought up an interesting fact that using information available on social networks, a MIT student project predicted with 78% accuracy whether a profile belonged to a gay person using data from 4,000 profiles.
The original article "How privacy vanishes online” can be found here: http://www.nytimes.com/2010/03/17/technology/17privacy.html
Could potential employers use this information to reject your application or be biased against you during the interview? Even if you choose to maintain your privacy through regulating the information that is publicly accessible, you are unable to stop your friends or colleagues from sharing information about your activities. Another scary fact was that social security numbers could be guessed at by analyzing the data available on your profile pages. (Social security numbers are identifying numbers like your I/C number in the U.S.).

CK also brought up the example of Kevin Mitinick, who did not use hacking to break into computer systems, but instead relied on manipulating human trust and behaviours to gain passwords and sensitive information. http://www.nytimes.com/2010/03/17/technology/17privacy.html
Ironically, after being arrested for hacking, he now runs a computer security consulting firm.
A crook to catch a crook.. =)
I think the important point is that the system can be designed to be secure, but if the users are not aware of the security risks of giving away passwords..

Okie, after googling, I found a presentation which gives a short but sufficient introduction to Secure Software: http://www.st.cs.uni-saarland.de/edu/secdesign/intro.pdf
Secure software should ensure:
  1. Confidentiality: Only authorized people or processes are allowed access
  2. Integrity: Data integrity
  3. Availability: The system and data is available under adverse conditions
  4. Authenticity: Users are who they claim to be
Interestingly, the lecture gives a intro on Lifecycle Risk Assessment (second time I came across lifecycle analysis, the other is in calculating ecological impact). The analysis might result in the developer weighing the probablity, severity of potential damage and repair costs required before fixing all the security risks.

It is often a trade-off between security and usability (in terms of speed, efficiency.. ).

Some interesting videos when you search for "How to think like a Blackhat"..
Google's Matt Cutts
Conversations with a BlackHat

=p




No comments:

Post a Comment