Lecture 2: Security Principles

Don’t Blame the Users

To make sure everyone is watching lectures, please click this link to fill out a form for extra credit.

Security is Economics

True or false: As long as the data on my computer is not worth enough money to an attacker, I don't need to worry about attackers stealing my data.


Detection, Defense in Depth

True or false: It is possible to create a detector with a 0% false negative rate.

In practice, do we prefer combining two independent detectors in parallel (either detector can alert) or in series (both detectors must alert)?

Password Authentication

Two-factor authentication is often described as requiring a combination of something the user knows, something the user has, and something the user is. What are some examples of each factor?

Measuring Attacker Capabilities

What is rubber-hose cryptanalysis?

Least Privilege

What are some examples of least privilege that the CS 161 staff might use?

Trusted Computing Base (TCB)

Ensuring Complete Mediation

More Security Principles

Suppose the TAs decide to use a secret page on the website, https://cs161.org/secret-solutions, to store assignment solutions. Which security principle does this violate?

Which security principle is violated by rubber-hose cryptanalysis?

Time of Check to Time of Use (TOCCTOU)

After finishing this lecture, you should be able to complete Q3 on Homework 1.