Lecture 1: Introduction and Security Principles

Introduction and Course Logistics

Before ever using my 161 skills against a real system, I must get the   of all those involved

What is security?

Reflection: Why are you interested in learning about security?

People and Money

(True/False) The primary way of securing a system is understanding how it works

Threat Model

Reflection: What type of attackers might target you? What type of resources do they have?

It All Comes Down to People

Reflection: Have you ever sacrificed your own personal security for the sake of usability?

Don’t Blame the Users

To make sure everyone is watching lectures, please click this link to fill out a form for extra credit.

Security is Economics

True or false: As long as the data on my computer is not worth enough money to an attacker, I don't need to worry about attackers stealing my data.


Detection, Defense in Depth

True or false: It is possible to create a detector with a 0% false negative rate.

In practice, do we prefer combining two independent detectors in parallel (either detector can alert) or in series (both detectors must alert)?

Password Authentication

Two-factor authentication is often described as requiring a combination of something the user knows, something the user has, and something the user is. What are some examples of each factor?

Measuring Attacker Capabilities

What is rubber-hose cryptanalysis?

Least Privilege

What are some examples of least privilege that the CS 161 staff might use?

Trusted Computing Base (TCB)

Ensuring Complete Mediation

More Security Principles

Suppose the TAs decide to use a secret page on the website, https://cs161.org/secret-solutions, to store assignment solutions. Which security principle does this violate?

Which security principle is violated by rubber-hose cryptanalysis?

Time of Check to Time of Use (TOCCTOU)