Topics in Computer Security

Monsoon(Fall) 2010

The goal of this course is to explore the economic, political and social issues surrounding technology with a specific focus on computer security. Often the deployment of technology leads to a change in the social balance of power thus leading to security problems as the affected parties attempt to secure their interests. For instance, since 2001 various car safety technologies have incorporated cryptographic algorithms. The introduction of speed sensors in (car) airbags to improve their performance can lead to insurance companies using the data to prevent a motorist from making a successful claim. The usage of cryptographic authentication between the wheels and the axle of a car, in the name of safety technology, could actually be used to prevent third-party manufacture of spares and achieve customer lock-in. Chip-and-pin is another good example of how security technology is used to shift the liability of fraudulent card usage from the bank to the customer. By claiming that their systems are infallible the banks have successfully argued in numerous court cases that the customers must have divulged the pin, and thus were solely responsible for negative outcomes. We shall discuss a broad set of papers from computer security literature. Students will be required to read and present papers in class. The class will be highly interactive and students are encouraged to form opinions and participate in an informed debate. During every lecture hour we shall select a paper that will be presented by one student, who will also lead the discussion. The instructor will moderate the discussion. Each student must present at least one paper during the course.

Writing paper reviews is a hard earned skill that comes from practicing often. I will use the following rubric to grade your reviews:
30% -- What questions does the paper ask, why are those questions interesting, how does it answer them, what are the results, etc.
30% -- what you learned, strengths/weaknesses, next steps, etc.
40% -- moderate a discussion about the topic of the paper (a good way to do this is to present a list of topics or questions about the paper for the reader to consider).
Write your report like a research paper. It should introduce the topic you're studying to the reader, explain why the topic is interesting, how it related to previous work (with references), and then describe the methodology used to investigate the topic and a statement of the results. (Methodology credit goes to someone I met many years ago at Microsoft Research)

(Networks) Paper for 4th August: Metcalfe's Law is Wrong presented by Nilesh Sharma( slides )

This article by Odlyzko and colleagues relates the size of a network with its potential value proposition.

(Password Security) Paper for 11th August: technical and market failures in human authentication on the web presented by Komal Sachdeva (slides) (Class Review)

This article by Joseph Bonneau and Soren Preibusch was published in WEIS 2010. It details the state of password authentication technology as deployed on webservers making a clear case for improvement of current practices

(CCTV security) Paper for 18th August: a systematic study on CCTVs conducted by Martin Gill and Angela Spriggs for the UK Home Office (equivalent to the Home Ministry in our central government) titled Assessing the impact of CCTV presented by Niharika Sachdeva (slides) and Prateek Dhawan(slides). CCTV FAQ from Privacy International give us an opposing viewpoint. (Class Review)

As the Guardian puts it: "The use of closed-circuit television in city and town centres and public housing estates does not have a significant effect on crime". So, do CCTV schemes work or do they not work? According to one estimate, upto a third of the crime prevention budget in the UK is spent on CCTV infrastructure. So are the costs worth the benefits or are CCTV investments a white elephant? When does CCTV work and when it doesn't is the debate topic for the class.

There's fresh information from the Scotland yard on the (in)efficiency of CCTV, obtained as part of a freedom of information request: Operation Javelin -- 1, Operation Javelin -- 1 and Operation Javelin -- 3

(Security Psychology) 25th August: Real world scams based on The Real Hustle TV show

For the next two lessons we shall turn our attention to security psychology. As an introduction to this area, we will study a variety of scams and try to understand the underlying principles behind such scams. No preparation is required for attending this lesson but you might want to go through Wikipedia's useful list of episodes, with brief synopses. You might also like to see some the episodes on youtube.

(Security Psychology) Paper for 1st September: Understanding scam victims: seven principles for systems security by Frank Stajano and Paul Wilson. University of Cambridge technical report UCAM-CL-TR-754 presented by Vidushi Wanchoo and Ratnala Santosh. (Slides, Class review)

Quoting from the paper..."The success of many attacks on computer systems can be traced back to the security engineers not understanding the psychology of the system users they meant to protect. We examine a variety of scams and 'short cons' that were investigated, documented and recreated for the BBC TV programme The Real Hustle and we extract from them some general principles about the recurring behavioural patterns of victims that hustlers have learnt to exploit."
"We argue that an understanding of these inherent human factors vulnerabilities, and the necessity to take them into account during design rather than naively shifting the blame onto the 'gullible users', is a fundamental paradigm shift for the security engineer which, if adopted, will lead to stronger and more resilient systems security."

(Banking security) Paper for 22nd September: Why cryptosystems fail by Ross Anderson presented by Pulkit Mehendritta and Robin Verma. (Slides, Class review)

For the next few weeks, we shall concentrate on banking security papers starting with a classic paper by Ross Anderson. There are many important lessons for the security engineers in this paper, the most important one (in my opinion) is this: "the threat model commonly used by cryptosystem designers was wrong: most frauds were not caused by cryptanalysis or other technical attacks, but by implementation errors and management failures".

(Banking Security) Paper for 29th September: Thinking inside the box: system-level failures of tamper proofing presented by Mohona Ghosh and Anshu Malhotra. (Slides, Class review)

2008 IEEE Security and Privacy paper

[an error occurred while processing this directive]

(Banking Security) Paper for 20th October: Chip and PIN is broken to be presented by Manasi Sachdeva and Anuradha Gupta.

2010 IEEE Security and Privacy paper

(ID Cards Part I) Paper for 27th October: LSE ID card report by Anupama Agarwal and Madhvi Gupta.

During the next three lectures the class will read and discuss the LSE ID card report -- are ID cards useful? Are they of help in fighting crime? or terrorism? Can they be expected to reduce corruption in India? What new security problems do they create? Are they a cost effective means of achieving the stated goals? These are some of the questions we will be asking ourselves during the next three sessions.

(ID Cards Part II) Paper for 3rd November: LSE ID card report by Sakshi Agarwal and Madhuri Siddula

(ID Cards Part III) Paper for 10th November: LSE ID card report by Komal Kochar and Kamini Sharma

Course Essentials

None

Lectures: 16
Location: Classroom 2
Units: 2
Mailing list: cse595@iiitd.ac.in

The mailing list is for questions/discussion on papers that we have read in the class or to share interesting security news. No chain mails allowed.

Plagiarism notice: please note that homework efforts are individual efforts i.e. not group efforts and not copied off the Internet. The first offence will recieve a -10 score while a second offence will leave you with an 'F' grade.