Homework 1

This homework is focused on helping you develop the security mindset.

Overview

Due: Friday, January 25, 5pm. Extra Credit if submitted by January 18 at 5pm. Late submissions will be docked 20% per day late (days rounded up).

How to Submit: Details below, but in short note that you should submit in two ways -- to the Catalyst Dropbox and as a post to the security mindset forum.

We will repeat this assignment again later in the quarter, after you have had even more exposure to security. You can also receive extra credit if you submit a third security review or current event or both.

Background, and the Context for Security: Current Events and Security Reviews

We will use a forum in our exploration of the broader contextual issues surrounding computer security. (In past years we used blogs and forums.) Please familiarize yourself with this post from 2007; it explains some of the reasons why we originally used a blog for CSE 484 / CSE M 584. In short, the blog was designed to be a vehicle for proactively developing "The Security Mindset." Class participants posted blog entries analyzing the security of existing products and reflecting on current events, and used the blog's comment feature to engage in conversations with others. However, one of the big downsides with the blog is that it really wasn't as interactive as one might want. That's why we switched to a forum last year and will continue to use a forum this year.

They say that one of the best ways to learn a foreign language is to immerse yourself in it. If you want to learn French, move to France. This assignment and the use of the forum is designed to immerse you in the security culture and to force you to think about security during non-course related activities, such as when you're reading news articles, talking with friends about current events, or when you're reading the description of a new product on Slashdot. Thinking about security will no longer be a chore relegated to the time you spend in lecture, on assigned readings, on textbook assignments, or on labs. You may even start thinking about security while you're out walking your dog, eating breakfast, at the gym, or at a movie. In short, you will be developing "The Security Mindset" and will start thinking like a seasoned security professional.

It is also extremely important for a computer security practitioner (and actually all computer scientists) to be aware of the broader contextual issues surrounding technology. Technologies don't exist in isolation, rather they are but one small aspect of a larger ecosystem consisting of people, ethics, cultural differences, politics, law, and so on. This assignment and the use of the forum will give you an opportunity to discuss and explore these "bigger picture" issues as they relate to security. As an added bonus, the forum will also give you an opportunity to exercise your writing and critical thinking skills in a cooperative learning environment with your peers.

Some More Details

You should read the security mindset forum regularly. Between now and January 25 at 5pm, you must submit at least one current events article and one security review. You will submit another one later in the quarter, with a due date to be determined. You can also get extra credit for submitting your first security review and current event one week early or earlier (e.g., you could submit your security review on January 25 for full credit and your current event on January 18 before 5pm for full credit plus some extra credit). You can also submit up to one additional security review or current event for extra credit (two will be required over the course of the quarter, with the second one due at a data TBD; but if you submit three security reviews or current events, then the third submissions will be counted as extra credit).

You are encouraged to participate in discussions about these current events and security reviews on the forum, and you will receive credit for doing so as part of your course participation grade. All your posts and comments should be high-quality, thoughtful, and well-formulated.

Current Event Articles

Current events articles should be short, concise, very thoughtful, and well-written. Please remember that others will be able to read your article. Imagine a broad audience (a general technical audience). Your goal should be to write an article that will help this audience learn about and understand the computer security field and how it fits into the broader context.

Your article should: (1) summarize the current event; (2) discuss why the current event arose; (3) reflect on what could have been done different prior to the event arising (to perhaps prevent, deter, or change the consequences of the event ); (4) describe the broader issues surrounding the current event (e.g., ethical issues, societal issues); (5) propose possible reactions to the current event (e.g., how the public, policy makers, corporations, the media, or others should respond).

Please do your best to ensure that your current event is not the same as a previous current event article discussed in the forum. (Some overlap is inevitable, but please try to make sure each post has some unique content and perspective.)

There are some examples of past current event articles here. (You might have to scroll down a bit.)

Security Reviews

Your goal with the security review articles is to evaluate the potential security and privacy issues with new technologies, evaluate the severity of those issues, and discuss how those technologies might address those security and privacy issues. These articles should reflect deeply on the technology that you're discussing, and should therefore be significantly longer than your current events articles.

It's OK if two articles review the same technology, say the Miracle Foo. But if you're the second reviewer of the Miracle Foo, you need to: (1) explicitly reference the earlier articles; (2) provide new technical contribution; (3) don't waste space repeating what the previous review said. (3) is important since you are all required read this forum, and it's not fair to ask your fellow students to spend time re-reading previously-posted material. For (2), new technical contributions might include: a new perspective on the risks; a new potential attack vector; or a new defensive mechanism.

Each security review should contain:

Summary of the technology that you're evaluating. You may choose to evaluate a specific product (like the Miracle Foo) or a class of products with some common goal (like the set of all implantable medical devices). This summary should be at a high level, around one or two paragraphs in length. State the aspects of the technology that are relevant to your observations below. If you need to make assumptions about a product, then it is extremely important that you state what those assumptions are. To elaborate on the latter, if you end up making assumptions about a product like the Miracle Foo, then you are not studying the Miracle Foo but "something like the Miracle Foo," and you need to make that extremely clear in your review.
State at least two assets and, for each asset, a corresponding security goal. Explain why the security goals are important. You should produce around one or two sentences per asset/goal.
State at least two possible threats, where a threat is defined as an action by an adversary aimed at compromising an asset. Give an example adversary for each threat. You should have around one or two sentences per threat/adversary.
State at least two potential weaknesses. Again, justify your answer using one or two sentences per weakness. For the purposes of these security reviews, you don't need to fully verify whether these potential weaknesses are also actual weaknesses.
State potential defenses. Describe potential defenses that the system could use or might already be using to address the potential weaknesses you identified in the previous bullet.
Evaluate the risks associated with the assets, threats, and potential weaknesses that you describe. Informally, how serious do you think these combinations of assets, threats, and potential weaknesses are?
Conclusions. Provide some thoughtful reflections on your answers above. Also discuss relevant "bigger picture" issues (ethics, likelihood the technology will evolve, and so on).

There are some excellent examples of past security reviews here. (The requirements for these past security reviews may, however, be different than the requirements for this version of the course. So please pay attention to the specific requirements for this version of the course.)

Working with Others.

You may do your current event articles and security reviews in groups of up to three people. In fact, you are encouraged to work in groups. But if you work in a group, please do not do something like: Have Alice work on the current event and have Bob work on the security review and then put both names on both submissions. Instead, please all work collaboratively on all parts of the assignment. There is a lot of value in actually discussing these topics with other people.

How to Submit

You should submit your current event articles and security reviews in two ways (submit both to the forum and the dropbox).

First, you should submit each to the forum. Note that you can pick a pseudonym for the forum, if you wish (but course staff will still be able to map from your real identities to your pseudonym). You don't need to include your name(s) in the forum post, though you are also welcome to if you wish.

Second, save a copy of your current event article or security review in PDF form (e.g., print to PDF on a Mac) and upload the PDF to the course Catalyst dropbox. If you work with someone else on your current events article or security review, then only one of you should upload the PDF to the course submission server. However, make sure that the names and UWNetIDs of all contributors are at the top of the first page of the PDF. This process will facilitate our ability to grade the current event articles and security reviews.