Free Cryptography Class
Dan Boneh of Stanford University is teaching a free cryptography class starting in January.
Essay by George Ledin on the security risks of not teaching students malware.
Interesting paper: “Science Fiction Prototyping and Security Education: Cultivating Contextual and Societal Thinking in Computer Security Education and Beyond,” by Tadayoshi Kohno and Brian David Johnson.
Abstract: Computer security courses typically cover a breadth of technical topics, including threat modeling, applied cryptography, software security, and Web security. The technical artifacts of computer systems—and their associated computer security risks and defenses—do not exist in isolation, however; rather, these systems interact intimately with the needs, beliefs, and values of people. This is especially true as computers become more pervasive, embedding themselves not only into laptops, desktops, and the Web, but also into our cars, medical devices, and toys. Therefore, in addition to the standard technical material, we argue that students would benefit from developing a mindset focused on the broader societal and contextual issues surrounding computer security systems and risks. We used science fiction (SF) prototyping to facilitate such societal and contextual thinking in a recent undergraduate computer security course. We report on our approach and experiences here, as well as our recommendations for future computer security and other computer science courses.
You can now get a Master of Science in Strategic Studies in Weapons of Mass Destruction. Well, maybe you can’t:
“It’s not going to be open enrollment (or) traditional students,” Giever said. “You worry about whether you might be teaching the wrong person this stuff.”
At first, the FBI will select students from within its ranks, though Giever wants to open it to other law enforcement agencies. Rather than traditional tuition, agencies will contract with the school, paying about $300,000 a year for groups of 15 to 20 full-time students, according to documents submitted to the board of governors of the State System of Higher Education.
This is a really interesting paper: “Folk Models of Home Computer Security,” by Rick Wash. It was presented at SOUPS, the Symposium on Usable Privacy and Security, last year.
Abstract:
Home computer systems are frequently insecure because they are administered by untrained, unskilled users. The rise of botnets has amplified this problem; attackers can compromise these computers, aggregate them, and use the resulting network to attack third parties. Despite a large security industry that provides software and advice, home computer users remain vulnerable. I investigate how home computer users make security-relevant decisions about their computers. I identify eight ‘folk models’ of security threats that are used by home computer users to decide what security software to use, and which security advice to follow: four different conceptualizations of ‘viruses’ and other malware, and four different conceptualizations of ‘hackers’ that break into computers. I illustrate how these models are used to justify ignoring some security advice. Finally, I describe one reason why botnets are so difficult to eliminate: they have been cleverly designed to take advantage of gaps in these models so that many home computer users do not take steps to protect against them.
I’d list the models, but it’s more complicated than that. Read the paper.
In Australia:
A high school teacher who assigned her class to plan a terrorist attack that would kill as many innocent people as possible had no intent to promote terrorism, the school principal said yesterday.
The Year-10 students at Kalgoorlie-Boulder Community High School were asked to pretend they were terrorists making a political statement by releasing a chemical or biological agent on “an unsuspecting Australian community”.
The task included choosing the best time to attack and explaining their choice of victims and what effects the attack would have on a human body.
“Your goal is to kill the MOST innocent civilians,” the assignment read.
Principal Terry Martino said he withdrew the assignment for the class on contemporary conflict and terrorism as soon as he heard of it. He said the teacher was “relatively inexperienced” and it was a “well-intentioned but misguided attempt to engage the students”.
Sounds like me:
It is in this spirit I announce the (possibly First) Movie-Plot Threat Contest. Entrants are invited to submit the most unlikely, yet still plausible, terrorist attack scenarios they can come up with.
Your goal: cause terror. Make the American people notice. Inflict lasting damage on the U.S. economy. Change the political landscape, or the culture. The more grandiose the goal, the better.
Assume an attacker profile on the order of 9/11: 20 to 30 unskilled people, and about $500,000 with which to buy skills, equipment, etc.
For the record, 1) I have no interest in promoting terrorism—I’m not even sure how I could promote terrorism without actually engaging in terrorism, 2) I’m pretty experienced, and 3) my movie-plot threat contests are not misguided. You can’t understand security defense without also understanding attack.
Australian police are claiming the assignment was illegal, so Australians who enter my movie-plot threat contests should think twice. Also anyone writing a thriller novel about terrorism, perhaps.
An AFP spokeswoman said it was an offence to collect or make documents preparing for or assisting a terrorist attack.
It was also illegal to be “reckless as to whether these documents may assist or prepare for a terrorist attack”.
Who needs actual terrorists?
How’s this for an ill-conceived emergency preparedness drill? An off-duty cop pretending to be a terrorist stormed into a hospital intensive care unit brandishing a handgun, which he pointed at nurses while herding them down a corridor and into a room.
There, after harrowing moments, he explained that the whole caper was a training exercise.
[…]
The staff at St. Rose Dominican Hospitals-Siena Campus, where the incident took place Monday morning, found the exercise more traumatizing than instructive.
Perhaps a better way to phrase it is that they learned to be terrorized.
Over at Wikibooks, they’re trying to write an open source cryptography textbook.
This paper, by Cormac Herley at Microsoft Research, sounds like me:
Abstract: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.
Sounds like me.
EDITED TO ADD (12/12): Related article on usable security.
As part of their training, federal agents engage in mock exercises in public places. Sometimes, innocent civilians get involved.
Every day, as Washingtonians go about their overt lives, the FBI, CIA, Capitol Police, Secret Service and U.S. Marshals Service stage covert dramas in and around the capital where they train. Officials say the scenarios help agents and officers integrate the intellectual, physical and emotional aspects of classroom instruction. Most exercises are performed inside restricted compounds. But they also unfold in public parks, suburban golf clubs and downtown transit stations.
Curtain up on threat theater—a growing, clandestine art form. Joseph Persichini, Jr., assistant director of the FBI’s Washington field office, says, “What better way to adapt agents or analysts to cultural idiosyncrasies than role play?”
For the public, there are rare, startling peeks: At a Holiday Inn, a boy in water wings steps out of his seventh floor room into a stampede of federal agents; at a Bowie retirement home, an elderly woman panics as a role-player collapses, believing his seizure is real; at a county museum, a father sweeps his daughter into his arms, running for the exit, while a raving, bearded man resists arrest.
EDITED TO ADD (9/11): It happened in D.C., in the Potomac River, with the Coast Guard.