Professional Issues I - Lecture notes All lectures PDF

Preview

Summary

Professional Issues I, Computers and Society. Includes all key concepts from first semester lectures. ...

Description

Professional Issues

Semester 1; complete revision notes 2. Fundamental concepts

- Effect of society on technology and vice versa - Forecasting the future

"

Lessig’s four modalities:" ‣ Law: applicable laws to a piece of technology" ‣ Markets: commercial factors influencing a piece of technology" ‣ Social norms: ways that people interact with each other and technology, unwritten rules governing how we behave" ‣ Architecture: complex or designed physical structures" " > any physical structure in the world around you, not only buildings

• $ $ "

Best ways of predicting the future; bet against the worst pundits" 1. Think about what you can predict, short-term" 2. Sub-divide problems: don’t guess an answer, break it down" " > Fermi estimate

•

3. Emergence, convergence and pervasiveness

• $ " $ "

Emergence in new disruptive technologies life cycle Vertical and horizontal convergence Convergence following emergence of new technology Pervasive technology Emergence: time in which technology comes into being and the effect it has on society." $ Rapid change in society, wide scale disruption, emergence of new players and " " " technologies. i.e: printing press, electric telegraph, telephone, internet.." > Lessig’s four modalities can come into play here

Emergence of technologies can be perceived differently depending on the country" $ i.e: the electric telegraph in the UK vs US" •

Convergence: reduction of players in the market place contrasting with expansion in periods of emergence " ‣ Vertical convergence: consolidation of supply chains" ‣ Horizontal convergence: consolidation of many businesses into one or convergence of two related market places"

Convergence following emergence: eventually economies of scale outstrip first mover advantage" •

Pervasive technology: once new technology permeates a society, its presence is assumed rather than questioned. Good way to judge wether a technology is truly disruptive." " > technology which spreads widely throughout a population without necessarily good influence/effect Semester 1

1

Professional Issues

4. Computer security basics: Malware

-

Hackers Key terms in computer society Assumption made when talking about securing a computer Why we have passwords How we store passwords

• Computer hackers;" ‣ White hat hackers: security professionals paid to test security of a system" ‣ Grey hat hackers: gain access to system without permission but for no malicious purposes;" - Aim to make company/users aware or vulnerabilities" - Escalation process if company refuses to act ethically is challenging" ‣ Black hat hackers: gain access to systems without permission to steal/alter data;" - Not always for personal profit, sometimes an act of civil disobedience " • Key terms in computer security;"

intended by system owner" of a system doesn’t want to happen"

Levels of seriousness in a crime; - Accessing to view - Writing to change systems and/or data • The key assumption in computer security:" ➡ Physical security of end points: important assumption that malicious people don’t have physical access to your computer. How can they steal information physically?" ‣ Data can be pulled from a hard drive by plugging it into another computer" ‣ Shoulder surfing attacks also possible" ‣ Password protected files can be bypassed" $ $

Encrypted hard drives; logical solution but may be slow to use system and still $ $ $ $ vulnerable if computer is left unattended."

"

➡ Basic malicious software/malware;" ‣ Computer viruses: unwanted, self-replicating embedded code with a debilitating effect" ‣ Trojan horses: software masqueraded as something else, does something malicious when executed." " " > downloaded from websites/emails (PDF, .doc, .xls, .jpeg)

Semester 1

$

2

Professional Issues

‣ Worms: network propagated virus, meaning it spreads from computer to computer" ‣ Zombies: software program used to control computer remotely without users knowledge, or computer controlled in such way$ $ $ " ➡ Technically advanced malware;" ‣ Root kits: hide software’s presence from users by gaining /root access to a system" - When OS asks what software is running root kit lies and hides software" - Can only be removed by re-installing OS unless exact root kit involved is known$ " ❖ BIOS root kit: evolution of root kit" - Cam only be removed by reformatting BIOS" - Considered to be theoretical until recently" ‣ Key loggers: software sits on a computer and logs the keys you press; installed with Trojan horse and hidden with root kits$ $ " ➡ Password protected systems; authenticate you as an authorised user based upon a shared secret between you and system" $

$

Stored in a single file typically called a password file, hashed and salted." - Every password protected website has this file, as does your computer" - Access should be tightly controlled so even companies which control website cannot have access to your password"

• Hashing; mathematical process (similar to encryption) takes data of arbitrary size and maps it to a fixed hash-value" ‣ Collision resistant hashing: makes it really hard (mathematically) to find data that maps to the same hash value" ❖ Brute force attacks: hash and compare random phrases to the stored passwords, can take a long time to crack." ➡ Password cracking;" ‣ Dictionary attacks: encrypt non-random phrases like a dictionary (or list of common passwords)" ‣ Rainbow table attacks: smartest attack of all - store pre-computed, encrypted passwords and run the same attacks$ " • Salting: websites add arbitrary string to all passwords, drastically increasing time attacks take if password is complex."

5. The application of MalWare

- DDOS attacks and what they look like Semester 1

3

Professional Issues

- Advanced fee fraud and how to avoid it - Phishing and normal conductance - The weakest link in any secure system • DDOS attacks: Distributed Denial Of Service attacks; multiple computers pool resources to attack online services and overwhelm them. Essentially destroy a network/resource by means of a flood attack, can come from a single source but usually distributed" $

Difficult for computer to distinguish DDOS from different website traffic technicalities."

• Advanced Fee Fraud; getting you to pay for something without cast-iron guarantee in place of return." - Powerful lure, compromises significant proportion of spam, relies of greed and illegality. Comes in different forms: non-refundable shipping, costs for selling an item online…" ❖ Scam-baiting: baiting scammers into giving your money, illegal." • Phishing and Pharming for personal information"

"

➡ Phishing: email large group of people to find weakest link" " > originally an AOL email pointing user to a fake login screen, capturing details. - Moved to other services; online banking" - Compromises significant proportion of modern spam$ $ " ➡ Pharming: cracked DNS servers" - Attack local DNS configurations" - DNS is much like a phonebook, linking URL to IP’s" - Stored on local networks for commonly visited sites"

• Social engineering; authorised users are the weakest link in any system" ➡ Spear phishing: abode/word documents" - Customised emails to a single person who will open the document and release specialised Trojan" - Exploit spam filters and anti-viruses and their needs to know about an email/ Trojan in order to catch it$ $ " ➡ Baiting: getting malicious software onto someone’s machine physically by leaving a USB lying around$ " ❖ Black hat hackers in the real world;" - Hacking collectives" - Organised crime; black market distribution, online communications for offline crime" - Government agencies; industrial espionage, influencing the course of elections in foreign countries" 6. Encryption basics in computer society

- Key assumption when transferring data over an unsecured network Semester 1

4

Professional Issues

- Vulnerabilities to be addressed with encryption - Kerchkoff’s principle • Assumption of the man in the middle $ When sending information across an unsecured network outside physical control, must $$ $ always assume that the man in the middle can;" ‣ View; message content, read personal information " ‣ Intercept; stop messages from reaching intended recipient " ‣ Repeat; try to gain access to a secure system by replicating messages$" • Cryptography; a form of secret writing, any technique to disguise the meaning of a work to those who don’t know how to interpret it" ‣ Transposition cyphers: swap the ordering of letters around in some fixed pattern" ‣ Substitution cyphers: take a letter and replace it with another letter, so a becomes z, b becomes y, …" ✦

Weakness of cypher approaches: frequency analysis - any sufficient long message can use a histogram indicating the most frequently used letters in messages to crack cryptography. "

$ Solution; polyalphabetic cyphers;" - Use a different portion alphabet for different portions of text, maybe each letter." - “security through obscurity”; if you don’t let people know how your system works they can’t access your messages" - Much like not telling people what the URL of your website is in the modern world" > When man in the middle cracks a cypher algorithm, it is rendered invalid not only for the individual transferring the message but for anyone transferring a message through that type of encryption. • Kerchkoff’s Principle; security of a key alone must be sufficient to guarantee security of a message using the system. A key - shared secret that unlocks something, usually a message. In modern computing, very large prime numbers used to alter and adjust a message in a way which appears random, removing possibility of frequency attack or modern day equivalents." ‣ Key based encryption; message encrypted into cypher text through sender’s key, decrypted and read by receiver’s key." 7. Key exchange and public key encryption

-

How does encryption secure a message? Diffie-Hellman key exchange RSA Public Key/Private Key encryption Maths underpinning modern encryption

• Encryption as a locked box; a box that you secure a message in by locking it with a key (a shared secret), everything is digital, can be copied infinitely." $ Sender locks the box and hands it along pass-the-parcel style. Once it reaches intended $ $ recipient, they open the box with their key." Semester 1

5

Professional Issues

• Diffie-Hellman principle; way to establish a shared secret between tow parties where communication can be seen by middle man. Relies on factorisation but can be intercepted by man in the middle pretending to be one of two recipients." $ System mixing numbers together to allow public sharing of keys albeit with a vulnerability $ $ (man in the middle)." • Public Key/Private Key Pairs - RSA; generates a public key and a private key" ‣ You publish the public key online and let anyone use it to lock up their message to you in a box" ‣ You keep the private key a secret that only you know and only it can open the messages encrypted with the public key" $ $ $

Anyone can encode a message to sent to you using public key, only private key can $ $ encrypt it. Modern day keys are very large prime numbers and are very difficult to crack." The maths that underpin modern encryption are trapdoor functions like prime factorisation."

8. Governance of the internet - between law and technology

- where did the internet come from? - Who decides who owns a given web domain? - Who are the major stake holders when it comes to decisions about how the online world works? • A brief history of the internet;" - ARPANET: US department of defence robust communication network in event of nuclear war, node-to-node structure" - Request For Comments (RFC) policy document of the internet" - TCP/IP; best and only protocol for transmissions" - 1982: 25 networks joined using TCP/IP" ‣ How the internet works: URL converted to an IP address through a DNS server. Each DNS server doesn’t know all pairings, hierarchical lookup eventually reaches the root DNS server with frequently visited websites at each tier of lookup.$ " • Deciding what domains get how many numbers and names;" - 1960: WIPO formed to arbitrate trade marks, control URLs, major stake holders in decision making about how online world works " - ICANN holds authority for Internet assigned numbers authority (IANA)" - Delegates Regional Internet Registries (RIR)" - In turn delegate ISP’s, Telecomms groups and Academic Institutes" $ $ $ $

Three main top level players in contention to control how this works:" - US department of commerce (until 2016)" - ISOC (internet society) - large companies" - council of registrars (CORE) - ISPs and Telecomms groups that sell domain names"

9. DNS Security and HTTPS

- Certification authority and signing work - Moving away from DNS towards its alternatives Semester 1

6

Professional Issues

- Issues caused by DRM laws • Trusted third parties; DNS is a networked, hierarchical lookup that resolves an IP address which is vital. Links web domains to IP addresses, handed out by governing bodies. IP laws make it illegal to scam IP addresses as does contract law."

$ $

‣ Certificate authorities: verify ownership of a website is strongly linked to a company/ individual. Set of companies that issues digital certificates that tie people/organisations to a web domain. Ensures public key by encrypting it with private key. Entities delegated by US government." $ > passports, banking details, contracts and more can be used to verify identity $ $ $ much like registering a business"

$

Support HTTP over SSL, another form of public key encryption."

$ $ $

‣ Private Key signing;" 1. Browser and website have key pair" 2. Websites public key encrypted with CA private key" 3. Can only be decrypted successfully by the CA’s public key signing it" 4. Guarantees message encrypted by it can only be read by the site you want to send it to" " $ Websites trust most major browsers include certificate authorities public keys for $ $ validation, forming Public Key Infrastructure"

• DNS flaws and SOPA; no security or verification when connecting to a DNS server, meaning unknown networks may not be legitimate and you may be the victim of Pharming using man in the middle attack/compromised DNS." $ " ‣ DNSSEC (DNS Secure) prevent such attacks;" - Encrypt communications between DNS and PC" - Uses certificates to validate that you should trust DNS you are working with" - DNSSEC not wide spread, >10% of all networks" • Digital Rights Management Laws (DRM); DNS and WHOIS intertwined with range of laws" $ i.e: stop online piracy act, digital millennium copyright act, …" DRM makes DNSSEC fix unworkable as DRM demands that ISP redirect you if you visit a page they don’t like:" - redirect cannot happen if DNS requests are properly secures as ISP should not have a $ way to see what webpages you are requesting;" - implications for monitoring web traffic…" ๏

$ $ $

๏

$

ICANN doesn’t have monopoly over DNS root servers because technology is Open Standard;" - IP addresses need consistent approach but mapping of names to numbers can be done by anyone" - ICANN prevented from acting unilaterally"

Alternative roots generally operate much more cooperatively;"

Semester 1

7

Professional Issues

- Google DNS also uses DNSSEC, not all ISPs do" - Protest against SOPA included blackout of services in 2012" 10. Civil law and UK GDPR

- differences between civil and criminal law - Data protection and its necessity - Core idea of GDPR • English and Welsh law"

$ $

$ $

‣ Criminal Law; to regulate punishment for crimes against society and individual." $ Outcome can be conviction or acquittal (innocent), sentence to punishment $ $ $ imposed by state." ‣ Civil Law; to regulate relationships between individuals and other individuals and organisations$ " $ Outcome: defendants or is not liable (responsible for harm caused) to claimant, $ $ $ remedied by damages or other remedy such as injunction"

• Understanding Data Security;" $ $ $

Various attacks possible on computer systems, ways to defend against those attacks. $ $ Looking into legal obligations coming with issue and problems from international nature of $ modern computing. Key point - computer science handles other people’s data."

Data protecting laws vary by countries, therefore international cases are difficult. • The UK General Data Protection Regulations (GDPR); Set of rights and principles to protect us from intrusive, dangerous or unfair use of our personal data by making it illegal" A $ ll data in accessible format is covered, not just data on computers. Failure to store data correctly can lead to fines of 20 million euros, or 4% if companies annual global turnover (whichever is higher). Covers three types of data;" ‣ Personal data - name, address, NI number, passport number, personally identifiable information " ‣ Sensitive data - racial origins, sexual orientation, religion, politics, things you might be discriminated against" ‣ Credit information - category of its own" O $ utlines 5 principles to follow when gathering personal data, covers any data about a $ $ l$iving and identifiable individual. " To hold or process data, must notify ICO (information commissioners office) of companies status as a Data Controller (must ensure sensible secure principle are applied, and suitable training). Failure to comply DPA can result in civil claims for damages or even criminal prosecution by ICO and CPS." ‣ Data controller - determines purpose for which, duration of the manner in which personal data is used. Holds responsibility for data and meet DPA" Semester 1

8

Professional Issues

‣ Data processor - sub contracted company handling data without making key decisions about it. Might control how it is stored, transferred and specific of security" 11. UK GDPR principle and subject rights

-

core principles of GDPR Rights of the subjects of data gathering activities under GDPR Implications of DPA for computer scientists Privacy shield and importance

• GDPR - 6 principles: Personal data…" 1. …processed lawfully, fairly and in transparent manner related to individuals;" 2. …to be collected for specified, explicit and legitimate purposes, not be processed outside of those purposes. Only further processing compatible is archiving purposes in public interest, scientific or historical research, statistical purposes;" 3. …should be adequate, relevant and limited to what is necessary in relation to the reason for which they’re being processed;" 4. …should be accurate, kept up to date, inaccurate data should be erased to replaced as soon as possible" 5. …should be kept in form which permits identification of data to be only used in certain time period and not further than that, may be stored for longer purposes (i.e: archiving) in public interest, …., as long as it complies with implementation of appropriate technical and organisational measure required in order to safeguard rights and freedoms of individual." 6. …processed in manner ensuring appropriate security of personal data, including protection against unauthorised/unlawful processing and against loss, destruction/damage, using appropriate technical/organisational measures." • Subject rights; Right to…" ‣ … be informed: transparency as to how your data is being used" ‣ … have access: obtain confirmation of data being processed, access to their data and other information." ‣ … rectification...