CSEP564 Homework 1
This assignment is focused on helping you to cultivate the security mindset, and on helping encourage you to think about computer security in your outside-of-course activities.
Requirements.
- One Current Event Reflection (details below)
- One Security Review (details below)
How to submit. Submit a single PDF to Catalyst (link on the main page). Include your name and UWNetID on each page of that PDF.
Due. Oct 23, 11:45pm.
Collaboration. You may discuss your current events and security reviews with others before you write your current events and security reviews.
However, if you discuss your current events and security reviews with others before you write your current events and security reviews, then you must (1) leave a thirty-minute gap between those discussions and when you start to write your reviews and (2) write your current events and security reviews entirely by yourselves.
You may also discuss your current events and security reviews with others after all parties involved in the discussions have completed their current events and security reviews.
Summary: you may discuss your current events and security reviews with others, but your writeups need to be entirely on your own.
Current Event Reflection
The goal of this part of the assignment is to help encourage you to think about computer security when doing some of your daily activities, namely, reading the news.
While you could just pick the first news article you see and write a quick response to the questions below, to get the most out of this assignment we encourage you to go about your daily activities for a week or so, assuming you normally read blogs and news stories regularly. As you read each blog post or news story, ask yourself "is there something interesting here from a computer security perspective?" After a week or so, pick one of the stories that interested you the most and complete this part of the assignment. (If you don't read news articles regularly, then you will need to read some for this assignment.)
Your current event reflection should include all of the following:
- a summary of the current event, including a link to the relevant blog post or news article;
- a discussion of how the current event is related to computer security (it needs to be related in some way, though it's OK if the relationship is a bit of a stretch; the answer to this bullet may overlap your answer to some of the other bullets in this list);
- a discussion of why the current event arose;
- a reflection on what could have been done differently prior to the event arising (to perhaps prevent, deter, or change the consequences of the event);
- a description of the broader issues surrounding the current event (e.g., ethical issues, societal issues);
- a discussion of possible reactions to the current event (e.g., how the public, policy makers, corporations, the media, or others should respond).
Please try to be concise.
Your current event summary shouldn't be very long -- at most one or two typed pages. We find grading much easier if you use bulleted lists or bolded section headings to help us tease apart the different parts of your answers.
There are some examples of past current event articles here. (You might have to scroll down a bit; the specific format used back then was a little different.)
Security Review
Your goal with the security review is to evaluate the potential security and privacy issues with a new technology, evaluate the severity of those issues, and discuss how the technology might address those security and privacy issues. You will do this at the conceptual level, hence the emphasis on "potential" above.
Your security review should contain:
- Summary of the technology that you're evaluating. You may choose to evaluate a specific product (like the Miracle Foo) or a class of products with some common goal (like the set of all Miracle Foo-like devices). This summary should be at a high level, around one or two paragraphs in length. State the aspects of the technology that are relevant to your observations below. If you need to make assumptions about a product, then it is important that you state what those assumptions are. To elaborate on the latter, if you end up making assumptions about a product like the Miracle Foo, then you are not studying the Miracle Foo but "something like the Miracle Foo," and you should make that clear in your review. (There's nothing wrong with evaluating "something like the Miracle Foo," rather than the Miracle Foo itself -- recall that this is a conceptual exercise.)
- State at least two assets and, for each asset, a corresponding security goal. Explain why the security goals are important. You should produce around one or two sentences per asset/goal.
- State at least two possible threats, where a threat is defined as an action by an adversary aimed at compromising an asset. Give an example adversary for each threat. You should have around one or two sentences per threat/adversary.
- State at least two potential weaknesses. Again, justify your answer using one or two sentences per weakness. For the purposes of these security reviews, you don't need to fully verify whether these potential weaknesses are also actual weaknesses.
- State potential defenses. Describe potential defenses that the system could use or might already be using to address the potential weaknesses you identified in the previous bullet.
- Evaluate the risks associated with the assets, threats, and potential weaknesses that you describe. Informally, how serious do you think these combinations of assets, threats, and potential weaknesses are?
- Conclusions. Provide some thoughtful reflections on your answers above. Also discuss relevant "bigger picture" issues (ethics, likelihood the technology will evolve, and so on).
There are some examples of past security reviews here. (The requirements for these past security reviews may, however, be different than the requirements for this version of the course.)
Please try to be clear and concise -- ideally around two or three typed pages. And as with the current events, we find grading much easier if you use bulleted lists or bolded section headings to help us tease apart the different parts of your answers.