STP 301: Privacy and Security

Professor: Jean Camp

Introduction

Sept. 9: Shopping Day

Reading: Goals, guides and tools for STP 301 for Fall 2003

If you choose to take the class give me your name and I will ensure you have access to the class web page. Readings are frequently available only on the course page to avoid packet charges.

Sept. 11: How Big? SoBig

Reading:

What Is SoBig?, 2002, A Two Stage Virus and another description
As of August 30 it is the most costly virus ever Sobig Virus Damage Breaks World Record
Ronald B. Standler, Examples of Malicious Computer Programs a digital catalogue of crime and punishment.
People for Internet Responsibility on Hacking and the Appropriate Response
Why I Hate Microsoft by Phil Karn

Sept. 16: Why Securing Digital is Distinct

Reading:

Anderson, 2002, Unsettling Parallels Between Security and the Environment Economics and Information Security Workshop, Berkeley, CA.
Schneier, 2002 Computer Security: It’s the Economics, Stupid Economics and Information Security Workshop, Berkeley, CA.
optional:Camp & Wofford, " Pricing Security" Computer Emergency Response Team Information Survivability Workshop.

Sept. 18: Economic Perspectives on Computer Security

Reading:

Varian, 2002, System Reliability and Free Riding. Economics and Information Security Workshop, Berkeley, CA.
Kephart, Chess, White Computer Networks as Biological Systems IEEE SPECTRUM May 1993.
Current arguments for both approaches
Optional:
A few more current worms: the Blast Worm defends itself from being patched out of existence.
A current virus Randex provides resources to the attacker for general purposes.

Sept. 23: War on the Network

Reading:

Denning, Information Warfare Chapter 1, "The Gulf War: Infowar " pp. 1 -19.
Hactivism and the power of TV hackivists in the Iraq war.
Defense Information System Network Attack Anonymous Maximum Security pp. 89.
After a two year hiatus CIAO has become active in the Bush Administration as part of the Homeland Security Department. The National Cyberspace Strategy
Determining the truth about hacking attacks: FUD vs. reality
Optional:
An interview with Ehud Tenebaum pp.87, anonymous
A critical examination of the interview.
Other media links http://www.sans.org/resources/idfaq/solar_sunrise.php

Sept. 25: Terror on the Network

Guest Lecture by Jessica Stern

Reading:

The Protean Enemy

Sept. 30: Web defacement: Anatomy of an Attack

Reading:

Cliff Stoll Cuckoo's Egg pp. 218 - 239. Author: copyright 1990.Pocket Books (New York)
Vince Tuesday, Anatomy of an Attack: A Race Against Time. Computerworld; 3/19/2001, Vol. 35 Issue 12, p. 57. Available on ProQuest.

Oct. 2: Voting, or Who Won the Georgia Senate Election

Guest lecture by Rebecca Mercuri

Reading:

Corrupted Polling," Rebecca Mercuri, Inside Risks, Communications of the Association for Computing Machinery, Volume 36, No. 11, November, 1993.
The Business of Elections," Rebecca Mercuri, 3rd Conference on Computers, Freedom and Privacy, March, 1993.

Oct. 7: Trusted Computing

Reading:

http://www.nap.edu/readingroom/books/trust/ National Academy of Science on trustworthy infrastructure. Trust in Cyberspace pub 1999. pp. 12- 25. Available as a book.
optional: The Evaluated Products List at http://www.radium.ncsc.mil/tpep/epl/

Oct. 9: Trusted Computing -- Trusted by Whom?

Reading:

Trustworthy Computing Group "backgrounder" describes itself from the perspective of enhanced network security.
Anderson, Trusted Computing Platform analysis and frequently asked questions.
Lucky Green, Trusted Computing Platform Alliance, Defcon X, 2002

PRIVACY

Oct. 14: What is Privacy: Privacy vs Data Protection

L. Jean Camp, "Design for Trust " Trust, Reputation and Security: Theories and Practice, ed. Rino Falcone: Springer-Verlang (Berlin) Spring 2003.
In class: what is data protection.

Oct. 16: Emerging Issues in Privacy 1: RFID

What is an RFID? From the industry RFID group. 2003.
Privacy Issues with RFID The EFF FAQ. 2003.

Oct. 21: Emerging Issues in Privacy 2: TIA

Total Information Awareness Executive Summary DARPA.
Total Information Awareness FAQ DARPA.

Oct. 23: Privacy on the Wire: what is wire-tapping?

Reading:

"Listening in In" by Stephen Cass, IEEE Spectrum Special Report on Intelligence and Technology, Vol. 40, No 4, pp. 32 -37.
"Getting the Message " by Paul Wallich,IEEE Spectrum Special Report on Intelligence and Technology, Vol. 40, No 4, pp 38-43.
Echeon an international digital global surveillance tool.

Oct. 28: Technical Risks in Surveillance Technologies

Readings

Anderson, Abelson, Bellovin, Benaloh, Blaze, Diffie Gilmore, Neumann, Rivest, Schiller, & Schneier The Risks Of Key Recovery, Key Escrow, and Trusted Third Parties", 1998
Independent Technical Review of the Carnivore System
Bellovin, Blaze, Farber, Neumann, Spafford Comments on Carnivore System Technical Review December, 2000. SRI.
Neumann, P. G., 1993, "Risks of surveillance", Communications of the ACM, v. 36, No. 8, p. 122(1) August.

Oct. 30: Risks in Surveillance Technologies

Readings

Song, Technology, Terrorism and the Fishbowl Effect: An Economic Analysis of Surveillance and Searches Berkman Center for Internet & Society.
Ellen Dannin,Privatizing Information and Information Technology - Whose Life is it Anyway? Wayne State Law School, 2003.
Michael Froomkin, The Death of Privacy, University of Miami School of Law, 2000.
Optional: Ptech

Nov. 4: What is Cryptography

Reading:

L. Jean Camp "Basic Cryptography" Chapter 3. You may purchase the book or select the material from the on-line version. However, if you choose Print after going to the on-line version Trust and Risk you will print the entire book.
Michael Froomkin, "Flood Control on the Information Ocean," Journal of Law and Commerce 15:2 (1996)
optional: UETA focus on the implications digital signatures

Nov. 6: Authentication & Identifiers

Reading:

Liberty and 3rd Party Identity Systems White Paper
Passport Terms of Use
optional: Microsoft's Passport Flaw Fixed CNSNews, May 8 2003.
optional: Marc Slemko Microsoft Passport to Trouble aka, Microsoft Passport Flaws Fixed, 2001

Nov. 13: Biometrics

Reading:

Elaine Newton "Strengths and Weaknesses of Biometrics" available on course page. "Managing Identity" forthcoming MIT Press.
Lisa Thalheim & Jan Krissler Biometric Access Protection Devices and Their Programs Put to the Test c't magazine No. 11, page 114

Nov. 18: Human Engineering

Reading:

Ross Anderson, "Why crypto systems fail", Comm. of the ACM, v. 37, n. 11, Nov. 1994, 32-40.
Alma Whitten "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0" Alma Whitten, J.D. Tygar 8th USENIX Security Symposium.

Nov. 20; The Virus Problem

Reading:

Anonymous Maximum Security Viruses, pp. 159 - 176.
Denning, Information Warfare and Security Chapter 10: Cyberplagues, pp. 269-282.
optional:A track of all viruses, scans, and spams generated by Roaring Penguin.

Nov. 25: SPAM

Reading:

State v. Heckel, 24 P.3d 404 (Wash., 2001), http://www.spamlaws.com/cases/heckel.html
David Post, Of Blackholes and Decentralized Lawmaking in Cyberspace, 2 Vand. J. Ent. L. & Prac. 70 (2000), http://www.temple.edu/lawschool/dpost/blackhole.html

Dec. 2: Identity Theft

Reading:

Daniel Solove, Seton Hall School of Law The Architecture of Vulnerability
Best practices in developing identity and authentication systems in digital governments. Available on the web page.
optional: Central federal web site on identity theft.
optional: testimony of theft victims from the Privacy Rights Clearinghouse.

Dec. 4: Malware from P2P and Corporate Source

Reading:

There is little academic work on spyware. Therefore the reading is, by necessity, the quality of journalism.
An example of spyware from QuickFlicks is hard to remove, and sends all user urls to a remote machine.
optional: An entertaining site that includes a listing of all the software installed to exploit the putative owner of a machine.
optional: Anti-spyware tools from Spychecker and Ad-aware recommended for your use.

Dec. 9: Best Practices and Summary

Reading:

Evaluating Security Systems: A Five-Step Process Bruce Schneier, Counterpane Internet Security
Generic Security Assessment Questions, Rebecca Mercuri, Notable Software.

Dec. 11: Class Notes

Readings: None

Discussion of final projects, announcement of winter break office hours.