SystemsSec 2018W Lecture 2

Notes

openstack.scs.carleton.ca

homeostasis.scs.carleton.ca/wiki

nilofarmansourzadeh@cmail.carleton.ca (TA email)

Alternate Grading Scheme:

10% Participation

20% Experiences

20% Assignments

20% Midterm

30% Final

Thought Exercise:

Secret to cold fusion, Need to keep secret and safe for 20 years. How do I do that?

Possible Solution:

Minimal people (2) - both need to trust each other. Hard copy (clean print, paper and ink) locked away somewhere secure and dry. (safety deposit box in a bank, not hidden under a mattress). I have half of the documents, other guy has other half of the documents. Maybe I split my half of the documents again. Quarter in a safety deposit box, quarter in my house hidden away.

Need to know who wants this.

Need to know how far they'll go to get it.

Threat Modelling:

- Adversaries

- Their Capabilities

- Assume "reasonable" limits (nuclear weapon vs floods vs sledgehammer vs digital virus)

Threats/Adversaries: Oil Companies, Anarchists, Nation States, Militant Evironmentalists

Capabilities:

- Who knows the secret exists? (If they don't know it exists, they won't come looking for it) i.e. once the mad scientist realized what he had, he started trying to hide it.

- Reverse Engineering: If you try to fake an "accident", how do you falter reverse engineering from what you showed?

Defenses:

- Convince world secret doesn't exist.

- Splitting up the secret.

- Offline.

- Cryptography is not viable. 20 years down the line, computers may be able to break that encryption in seconds.

Risks:

- Disclosure.

- Loss of integrity (corrupted)

- Full Data Loss

- Is it better for it to be available (partial loss) on a corruption or completely unavailable (total loss)?

- Should you even use digital storage? NO, too many risks.

- That being said, you can still use digital tools, so long as you completely destroy the tools used.

- What happens if you die? Is there a contingency plan?

Security Tech:

- Lava Lamps for entropy (Cloudflare) (If I put a hidden camera in that room, and I get their source code, they're compromised)

- Anti Malware

- SE Linux

- Firewalls (It's designed to stop certain types of network traffic):

- Problems Arise: Sure bad guys might get stopped, but people may get angry since you blocked something they liked.

- Host

- Perimeter Defense (crunchy on the outside, chewy on the inside), once the perimeter gets bypassed (over, under, through), everything inside is wide open.

- Network

Security theater: All those vaults, bars, steel doors in a bank, just for show (there's probably nothing physical in there).

- Bank runs no longer exist. The banks are now government owned/protected. It's a confidence game.

- Security Theater is useless for computer/digital.

Homework:

CuLearn: List security techs you use/interact, and which ones do you not actually understand.