Hello, this is one of my favorite modules in the whole course. We're going to take a look at security. In this module, I will introduce you to computer security. With all of these devices connected to the internet, security is of paramount importance. As such, this module is roughly twice the length and duration of the other modules in this course. Materials covered will be: an overview of computer security; encryption techniques such as one-time pad, symmetric encryption, asymmetric encryption, and an algorithm known as Diffie-Hellman, which can be used to securely exchange keys between two points in a network or two computers connected to the internet; hashes and message authentication codes; attack vectors on AES and the keys; an attack called man-in-the-middle, and replay attacks, and how to defeat some of these attacks. We'll take a look at key protection schemes and hardware techniques to do that. We'll take a brief look at what are known as side-channel attacks. I will introduce to you what is known as a chain of trust. We'll take a look at some poor examples of security implementations. We will look at how web browsers establish secure connections. We'll take a brief peek at blockchains, what those are, and the learning outcomes side. There are four basic learning outcomes that I'm looking for you to take away. The first one is to develop a security mindset. The second is the importance of addressing security at all levels and at all interfaces in a system. We want to make it difficult for adversaries to just walk through the door. You will learn the difference between symmetric and asymmetric encryption, uses for hashes and message authentication codes, also known as MACs, and begin to develop an awareness of US security standards. I took this slide from Eric Wustrow's Introduction to Computer Security, because I wanted to re-emphasize the points here.
"To defend a system, you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines and jail time. Our policy in this class is that you must respect the privacy and property rights of others at all times or else you will fail this course. Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act," following there, "a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern hacking. Understand what the law prohibits - you don't want to end up like this guy." If you want to see how bad things can end up for you, you can go follow that link and see what happened there. "If in doubt, we can refer you to an attorney. Please review CU's acceptable use policy for IT resources or guidelines concerning proper use of information technology as well as the Engineering Honor Code." We're going to talk about many different aspects of security, and as engineers, we're naturally curious, and you might start to think, "Well, now, what if I hacked the Ticketmaster site and was able to get free tickets to all the concerts I wanted to go to, okay?" You don't want to be that person, all right? You just don't even go there, all right? You want to be a white hat. You want to be a force for good in the world and in the universe. Don't start down that path. We're going to do a security overview. We're going to learn about encryption techniques: a technique called one-time pad, symmetric encryption, asymmetric encryption. We're going to learn about Diffie-Hellman key exchange and learn about hashes and message authentication codes and when you use and deploy those.
We're going to study some attack vectors. Other security people in the field refer to those as attack surfaces. How to attack AES, how to attack the keys. Something known as the man-in-the-middle attack, replay attacks, we'll look at those, and that is just the tip of the iceberg. How to protect keys. Some thoughts about key protection and hardware techniques. Some things called side-channel attacks. Study what a chain of trust is. We're going to take a look at some examples of poor security implementations, like how web browsers establish a secure connection and those little icons that show up with a lock, and some of them are different colors; we're going to get into all of that, how that works. We're going to study blockchains. You might have heard that they've been in the news recently. In trying to meet Andy's idea, Professor Femrite's idea, of having this class be a clearinghouse for new and emerging technology, we're going to take a look at this technology known as blockchains. It's the basis of bitcoin and other cyber currencies. What I want you to take away from this two-week segment is to start down the process of developing a security mindset; we'll look more at that here coming up. You've heard me say it before, and I'm going to say it again: security has to be addressed at all levels and at all interfaces in a system, and it needs to be designed in from the get-go and not added on after a product is designed and completed. You want to make it difficult for attackers to walk through the door to get into your system; that's the goal there. We'll learn the difference between symmetric and asymmetric encryption, again Diffie-Hellman, hashes, MACs, key protection schemes, man-in-the-middle and replay attacks, and awareness of US security standards. There are probably other URLs and standards published in other countries around the world, but I think many countries follow the US NIST standards.
We'll take a look at some of those. For again to it, a comic. Take a second to read that. Is it big enough to see? Can you see it, read it back there? It's the interview- who knows the Joy of Tech comic? Nobody? Okay. Well, they write comics about technology, and I saw this one on The Internet of Insecure Things. The coffee pot is saying, "Excuse me, but you'll need admin approval to brew the coffee," and et cetera, et cetera. All right, come on, it's funny. So, what does it mean to be secure? Here, we have Alice and we have Bob, and they're communicating over an insecure channel, and we've got this person Eve eavesdropping on their conversation, listening in on this conversation, and we want to prohibit that. We want Eve to get really frustrated and not be able to discern the conversation that's taking place between Alice and Bob. Here's one example of the security mindset. Bruce Schneier has been involved in security for many years; linked to his website, he says, "Security requires a particular mindset. Security professionals - at least the good ones - see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice or three times or more." They just can't help it, because this is the way security people think. "SmartWater," he writes, "is a liquid with a unique identifier linked to a particular owner," and in quotes he says, "The idea is for me to paint this stuff on all of my valuables as proof of ownership," and "I wrote when I first learned about the idea," "I think a better idea would be for me to paint it on all your valuables and then call the police." He says, "Really, we can't help it." This is how security people think. "This kind of thinking is not natural for most people. It is not natural for engineers. Good engineering involves thinking about how we can make things work.
The security mindset involves thinking about how to make things fail," or how to get around the roadblocks that are put in front of you. "It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world the way the attackers do, you'll never notice most security problems." Is that cause for concern for anyone? Is it surprising what you have a little bit there? Yes, it's true. Here's my take. When working in security, it is an unwise mental mindset to make statements such as, "That's impossible," or "No one will ever figure this out," or other such absolute statements. A better mindset is one that blurs the line between true and false. Mental positions such as, "This is likely or unlikely." "This is probable or improbable." "This is practical or impractical." We'll see some examples of impractical coming up here in a little bit. The world is full of some very clever and very well-funded people that are very, very dedicated. I'm familiar with the expression, "You need to get a life." Someone just focuses in on one particular thing. Never underestimate that. Big mistake. So, during World War II, the Germans thought they had an uncrackable code with the mechanism for senior commanders and generals to distribute orders to the field in the Enigma machine, and if you're familiar with the story, you saw how it was possible for some very bright folks at Bletchley Park in the UK to break the Enigma machine. In the US, there's the NSA, and who knows what goes on in there. There are some incredibly bright and highly intelligent people working there. The Israeli Mossad, and the list goes on. This is certainly not an exhaustive list by any stretch of the imagination. Something that may be hard to fathom or grasp, but there's no such notion as 100 percent security. There are only approaches and solutions that are deemed good enough.
You build a security system by using trusted algorithms, as we'll see, and you can place a series of hurdles that an attacker needs to overcome one after another to build up some level of defence, but nothing is ever 100 percent. Never make that mistake of thinking, "All right, I've architected the ultimate security system and no one can ever break it or hack it or crack it." Only just good enough. My friend and mentor Don Matthews will be coming in to talk to you about security here coming up. He used to say this all the time: "Security through obscurity is not security." So, no matter how much you obfuscate some information, if you're not using trusted, known algorithms and trusted security processes, and you think, "Well, no one can figure this out," it goes back to what I just said: "Oh, this is so messed up, no one's ever going to figure it out." It's not security. Kerckhoffs's Principle, stated by Dutch cryptographer Auguste Kerckhoffs in the 19th century: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. That's also a good principle to keep in the back of your mind when you're working in security. So, what can we learn from wood-block puzzles? You're thinking, "What's he talking about?" Wood-block. It's a quadrahedron, I think. Is that right? Put it together. See more pressure. Yeah, excellent. Well, it's not really. That's not right. Oh no. No. [inaudible] Oh, I thought he had it. No. No. I don't know. There it is. Continue? Well done. I made this when I saw it in my woodworker book, and I haven't done a lot of woodworking lately. I saw all of this in a book design, and I thought it was pretty cool, so I laminated pieces of wood together and cut all the angles and put it together, but it turned out that it was appropriate for using in class to talk about security. Serves one. For the next one, any four volunteers? Two men and two women. No is not an option. Otherwise, I will pick you.
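As an added illustration of Kerckhoffs's principle (this code is not from the lecture or its slides), here is a one-time pad built from nothing but the public operation XOR. Every line of the algorithm is public; the only secret is the pad returned by make_pad(). Two checks follow the round trip: first, from the eavesdropper's side, any same-length candidate plaintext is explained by some pad, so the ciphertext alone singles out nothing (this is why a trusted algorithm with a secret key beats an obscure algorithm); second, the known failure mode that the "one-time" rule guards against, where reusing a pad cancels it out. The function names and the sample messages are constructed for this example; it relies only on Python's standard secrets module.

```python
"""Added example: a one-time pad from public XOR, illustrating Kerckhoffs's
principle. Everything here is public except the pad itself."""
import secrets


def make_pad(length: int) -> bytes:
    """Fresh, uniformly random pad of exactly `length` bytes: the only secret."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt with a one-time pad. XOR is its own inverse, so the
    same call does both. The pad must cover every byte of the data; a short
    or stretched pad is no longer a one-time pad."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return xor_bytes(data, pad[: len(data)])


def pad_that_explains(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy seen from Eve's side: for ANY candidate plaintext of
    the right length there is a pad that maps the ciphertext to it, so knowing
    the algorithm and the ciphertext does not single out the real message."""
    return xor_bytes(ciphertext, candidate)


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """The failure mode the 'one-time' rule exists for: if the same pad
    encrypts two messages, XORing the ciphertexts cancels the pad and yields
    plaintext1 XOR plaintext2. A reviewer of any home-grown scheme looks for
    exactly this kind of key reuse."""
    return xor_bytes(ct1, ct2)


def demo() -> dict:
    """Run the round trip and both checks; returns the results as booleans."""
    message = b"meet me at noon"          # constructed sample plaintext (15 bytes)
    pad = make_pad(len(message))
    ciphertext = otp_xor(message, pad)

    decoy = b"call me at nine"            # constructed, same length as message
    other_pad = pad_that_explains(ciphertext, decoy)

    # Pad reuse with two constructed messages of equal length.
    m1, m2 = b"first message!!", b"second message!"
    shared_pad = make_pad(len(m1))
    leak = pad_reuse_leak(otp_xor(m1, shared_pad), otp_xor(m2, shared_pad))

    return {
        "round_trip_ok": otp_xor(ciphertext, pad) == message,
        "decoy_fits": otp_xor(ciphertext, other_pad) == decoy,
        "reuse_leaks_xor": leak == xor_bytes(m1, m2),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that nothing in the code needs hiding: publishing otp_xor() costs no security, while reusing the pad destroys it regardless of how obscure the surrounding code is. That is the difference between a trusted algorithm with a protected key and "security through obscurity."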
Looking away only makes me want to pick you more. Volunteer, come on. It's going to be fun. Fear not. Volunteers, tune into. Come on. Okay, come up. I want you to come up and have a seat, right here, form a little team of four. Okay. Okay. I want to sit on chairs. Yes. In the male's court, please. Give you an assignment in a minute. Okay. No more volunteers? Come on. Come on, come on, come on. Okay, good. We got two male, I want two ladies. Ladies, come on, it's going to be fun. Okay. Ten, nine, eight, seven, six, five, four, three, two, one. Okay, I'm just going to pick you, and you. Come on up. Okay. It's back in the day, when I worked at CA. I was involved with security company called Cryptography Research, printed on the side of this wood-block. Came in and they sell Cryptographic Solutions, and they were trying to, get CA to buy some of their Cryptographic Solutions. So, we exchanged business cards, and I got on their mailing list. So, every December, they would send out these wood-block puzzles and this is one of the easier ones. So, your task, form a team here, your little team of four, and if the others want to come up and stand around and observe their problem-solving process, that's fine. Camera operator can zoom in on you guys, as you work on this. You have 10 minutes to take that apart, when I say go, and put it back together again. It is possible to do it. The class last year they did it in something like six- [inaudible] are you here? Yeah. Wasn't like six or seven minutes, wasn't it? Yeah. So, it's possible to do. So, feel free to come up and observe, if you want to watch. On your mark, get set, go. I'm going to put it back together. On the left, I'll just [inaudible] this will be vertical on this side. [inaudible] So we know to put it back together. On the left, I'll just Who are run by? Can you go over the required time? Take that wood-block puzzle apart, put it back together in 10 minutes, right? [inaudible]. Complete, smooth, solid cube. 
This was? There was an [inaudible]. Yeah. This was? There was a jacket. This was awaited for seeing [inaudible]. Okay. Good. Are we leaving now? This is VLC. Yeah. This is code word. [inaudible]. This is code word, I knew. Yeah. Good people. You can do, whether to come with. Yeah. It is very very talky. I think it's done. We can do that actually. As I join us together. I have read that information when take you right on [inaudible] altogether [inaudible]. So, I'm going to call time out here. So, okay. You did really good, just leave it. Wait. If you? Thank you for volunteering. Thank you for being picked. The third one, I just leave on another table here. So, it has this wooden box, and the top is loose, and the rest of it's solid, and there are these wood pieces that slide, interconnected with each other somehow. The only clue you have is a little BB that you can roll around inside to get some idea of the internal structure. Today, I've been too terrified to try and take it apart because I figured I can probably get it apart, but I'd never get it back together again. So this one remains unsolved to this day, but I have no idea; they may still be sending these things to me at Seagate, I have no idea of that. It took me quite a while to solve this one the very first time. When I opened it up I thought, "What is this?" I pulled on it and it didn't come apart. I started shaking it and went, "Oh, there's a sliding piece in there." This is not your father's wood-block puzzle. So, this is going to take a little time. It took me maybe somewhere between an hour and two hours to figure it out the first time. I'm not terribly good at solving those types of problems. Okay. So, what was that all about? What can we learn from wood-block puzzles? How to think orthogonally or unconventionally. I made a suggestion to the team: if you were to assemble it outside, understanding where the pieces are fixed on the inside, you can gain a different perspective about how the pieces fit together.