Lecture 2: Security Principles
Don’t Blame the Users
To make sure everyone is watching lectures, please click this link to fill out a form for extra credit.
Security is Economics
True or false: As long as the data on my computer is not worth enough money to an attacker, I don't need to worry about attackers stealing my data.
Detection, Defense in Depth
True or false: It is possible to create a detector with a 0% false negative rate.
In practice, do we prefer combining two independent detectors in parallel (either detector can alert) or in series (both detectors must alert)?
Two-factor authentication is often described as requiring a combination of something the user knows, something the user has, and something the user is. What are some examples of each factor?
Measuring Attacker Capabilities
What is rubber-hose cryptanalysis?
What are some examples of least privilege that the CS 161 staff might use?
Trusted Computing Base (TCB)
Ensuring Complete Mediation
More Security Principles
Suppose the TAs decide to use a secret page on the website, https://cs161.org/secret-solutions, to store assignment solutions. Which security principle does this violate?
Which security principle is violated by rubber-hose cryptanalysis?
Time of Check to Time of Use (TOCCTOU)
After finishing this lecture, you should be able to complete Q3 on Homework 1.