Lecture 2: Security Principles

Don’t Blame the Users


To make sure everyone is watching lectures, please click this link to fill out a form for extra credit.



Security is Economics


True or false: As long as the data on my computer is not worth enough money to an attacker, I don't need to worry about attackers stealing my data.



Prevention



Detection, Defense in Depth


True or false: It is possible to create a detector with a 0% false negative rate.


In practice, do we prefer combining two independent detectors in parallel (either detector can alert) or in series (both detectors must alert)?



Password Authentication


Two-factor authentication is often described as requiring a combination of something the user knows, something the user has, and something the user is. What are some examples of each factor?



Measuring Attacker Capabilities


What is rubber-hose cryptanalysis?



Least Privilege


What are some examples of least privilege that the CS 161 staff might use?



Trusted Computing Base (TCB)




Ensuring Complete Mediation



More Security Principles


Suppose the TAs decide to use a secret page on the website, https://cs161.org/secret-solutions, to store assignment solutions. Which security principle does this violate?


Which security principle is violated by rubber-hose cryptanalysis?



Time of Check to Time of Use (TOCCTOU)


After finishing this lecture, you should be able to complete Q3 on Homework 1.