
6.857 Computer and Network Security                         September 06, 2001
Lecture Notes 1 : Introduction
Lecturer: Ron Rivest                                        Scribe: Fu/Shelat

(May be freely reproduced for educational or personal use.)

Change your password!

1 Administrivia

There are one and a half (1.5) teaching assistants for this course. As a result, you might consider flipping a two-thirds/one-third biased coin when choosing which teaching assistant to direct your question to. You might also just use the [email protected] email list. There are two handouts for today at the front of class.

2 Overview

In security, theory and practice come together very nicely. Theoretical algorithms are often incorporated into real-world applications quickly, and conversely, theoretical attacks against a system are quickly implemented (e.g., WEP).

As a result, one good quality of this course is that you can pick up a newspaper and find no dearth of important, unsolved security problems. In today’s news, there are half a dozen term paper projects. Here are some of the articles appearing recently:

2.1 Payment systems

1. Paypal allows one to use the Internet to transfer money. In this article, Paypal describes one of their largest problems. They handle approximately 20,000 new sign-ups per day. The customer service requirements to process that many new accounts and verify that each credit card account is legitimate are overwhelming their model.

2. The US Government is launching a tax payment service over the Internet. This scheme requires prior account setup in order to tap into a bank account. What are the security issues, and how does this scheme compare with Paypal in terms of user confidence?

2.2 Basic security, confidentiality, privacy

3. Echelon is a global spy network that monitors phone calls, faxes, IP traffic and countless other communication media. Europe has concluded that this system exists and claims that it is led by the USA. “Europe should set up an encryption system to guard against this.” The former CIA director admits to the existence of Echelon and claims that it is used to intercept commercial communication only when fraud and bribery are being investigated.

4. Cookies. Sample Earthlink ads appeared on the front page of today’s New York Times. A photo showed a bag of free chocolate chip cookies labeled, “Do you know where your cookies came from?” Cookies can enable detailed tracking of Internet users. How do we build in encryption to protect privacy? ZeroKnowledge markets the Freedom system for this. [http://www.freedom.net/]

5. Law or privacy. Are there technological solutions to privacy problems, or can law serve as a better alternative? Laws can stifle technology. Maybe you will develop an opinion after this course.

2.3 Sale of information goods on the Internet

6. Yahoo E-Books. Four publishers agreed to sell e-books on Yahoo. Selling digital content to users poses an interesting problem. How should a publisher conduct the transaction? In particular, the adversary in this case is not a third party, but rather the purchaser herself. Can one redistribute the e-book for free after buying it? Security is usually much easier when a third party is the adversary.

7. Disney/NewsCorp will sell video on demand over cable and the Internet. Their service will allow playback on televisions or computers that are equipped with special hardware. Napster shook the music industry; could the same thing happen to the video industry?

2.4 Controlled distributions

8. French court vs. Yahoo. Yahoo had auctions of Nazi memorabilia. A French court ruled that Yahoo cannot make available any of the Nazi memorabilia to French citizens, since that would violate a French law prohibiting the sale of Nazi merchandise. How can Yahoo abide by this ruling without completely censoring the entire service for all users? Which court has jurisdiction over Yahoo? If you worry about privacy, you might want to hide your identity, but if Yahoo abides by French law, it would need to identify each user to determine if that user is from France.

Q: What if someone from France orders Nazi goods and sends them to Spain?

A: There are services that attempt to identify where in the world you are coming from. Such services can do a decent job if one does not purposefully hide oneself. However, these things don’t always work. For instance, the citizenship of a client remains unknown.

9. Kermit the Frog is trying to boost awareness of the V-Chip, targeted for parents to censor what their kids can watch. That is, if parents can figure out how to use the V-Chip without the kids’ help....

10. Microsoft XP wants to thwart piracy. The software tries to make bootleg copies self-destruct in 30 days. Microsoft’s hope is to use “product activation” to keep that freshly installed version running. One must activate the software within 30 days or the software ceases to function. This controversial registration process only works once and only on one machine. Alternatively, one can use the phone to activate the software. The phone process is time-consuming and tedious (entering long numbers by hand).

What is the news? An XP crack appeared 7 weeks before XP’s public debut. Someone posted a corporate version to a newsgroup. Apparently Microsoft has locked the front door and left the back door open. Microsoft claims that the cracking program does not work and might be filled with viruses. In addition, they state that they are not trying to solve piracy, but rather hope to reduce it. Coincidentally, the release build number for XP is 2600, which is also the name of a group that was recently prosecuted for linking to the deCSS software.

Q: What will happen when someone cracks that security?

A: They have. Some people will get a pirated product for free. It’s a tradeoff. Security is always a tradeoff. It gets in the way of both the good and bad guys.

Prof. Rivest asked who in the lecture has taken 6.046. Rivest himself encountered a piracy problem when an electronic version of the CLR Algorithms book appeared online in Switzerland. It was soon removed. “You all should go buy my book.” :-)

11. Images/Web. Search engines cache content. The copyright holders of these images are not getting paid for their work and are therefore complaining about the caching by search engines.

2.5 Classic hacking

Hacking used to refer to the good old hacker. Nowadays the popular press has vilified the term.

12. Hacking is cracking. A man was jailed for hacking massive computers. A 21-year-old man was sentenced for breaking into two NASA computers. In