After the heartbreak of missing our opportunity to get some dandelion wine, and not being able to break the cipher given to us by the professor, I've decided to drown my woes in Lab 0.
We are to pick two puzzles by Matt Bishop and answer the questions; one has to be about an ethics issue.
For my first pick I chose the puzzle regarding a student that discovers a security flaw in the department's computer system. The student exploited the flaw and gained root access on the machine. The puzzle goes on to explain that the system did not provide sufficient mechanisms to prevent the student from gaining root access. The question is whether she actually "broke in" to the system, and if she actually acted unethically in exploiting the flaw in the departments security.
I believe this was a breach of ethics because the first paragraph states the student "exploited a flaw" in the system to gain root access; this does constitute a violation of ethics by the student because she gained access by means not usually used on the system. The student, after discovering the flaw, should have reported the issue to the correct personnel, and offered suggestions to fix it. In my own personal experience I believe this should be the default action when any security flaw is detected. If I were to exploit a security flaw I discovered on the network at my current employer without informing the proper personnel, I would not only be subject for dismissal, but I could also be brought up on charges by the United States government. I’m not completely sure the chairperson acted ethically; the student did bring a glaring security issue to the attention of the University. In my opinion, the student should have been reprimanded for her actions, and made to sign a waiver stating she would never again knowingly exploit a security flaw on the University’s network.
My second blog is regarding two MIT graduate students that bought a number of hard drives from the Internet, and were able to recover data on the drives.
The question is if the data being discarded on the disks is actually a security vulnerability. I believe it could be depending on who the drives belonged to. If this was an employee that stole the drives from their employer, and decided to make extra money by selling them on Ebay, then this could be a very big vulnerability. The drives could consist of personal employee information, or industry secrets. If this was just someone believing that the “delete” command actually removes the data, than I believe that person should gain more knowledge on computing systems before putting any kind of sensitive information on one. There has to be a level of personal accountability for situations such as these. If it’s a person putting his own old drives on Ebay, he should definitely verify they have been completely wiped with a utility such as BCWipe, or any other utility that will over-write each sector of a hard drive.
I can once again point to my own experiences to illustrate a point regarding this puzzle. Once a computing system comes into my work, the hard drive remains the property of my employer indefinitely. If there needs to be warranty work done on the machine, it is done without the hard drive (and in some instances without RAM as well). Discarded or defective drives are wiped, using a system that writes a ‘0’ to every sector on the hard drive, and the drive is destroyed. While that may seem kind of extreme, it will definitely prevent the spread of sensitive information.
Wednesday, February 25, 2009
Wednesday, February 18, 2009
Is the wine slipping away??? ...not sure..stay tuned
The team unfortunately didn’t get as much figured out this week as I’d hoped; though some progress was made. John and I were able to meet on Sunday evening and continued working on our algorithm, but we really wanted to get together with Jonathan and Ben to make sure we’re all on the same page. We haven’t been able to meet with Jonathan yet, (he just got into the class full time because of work constraints), but John and I did meet with Ben Lawry this evening. After we got up to speed on where we are in the project, we continued formulating our algorithm and writing code in order to brute-force K3; this is the obvious first-step in finding the key, and the one we’ve known about for a while now.
I received an e-mail from diabloo71@yahoo.com, which broke down his algorithm for breaking K3 and his, proposed, steps for continuing up the feistel structure to get K1 and K2. We compared his pseudo code to our own and I *THINK* we’re on the right track; we seem to have the same basic technique to solve the problem. We did receive new S-Boxes from the professor this evening, and they appear to be more linear and, in his opinion, easier to crack. We'll hopefully be able to confirm this when running our *working* code on the plaintext/ciphertext pairs...but I give no guarantees.
John and I did discuss the lab briefly at work today, and John made a comment that we should get threads on one of our work’s super computers in order to brute-force the entire structure…maybe not a bad idea when your employer has two of the top-10 super computers in the world. =)
We came to the conclusion that this would probably be too expensive and we probably wouldn’t even be able to run our code on the machines. Oh well….it was an idea.
Code is now being written on my laptop, which now has Fedora core 10 64-bit on it. I put the code on my personal laptop because I can now take it anywhere with me; I won’t have to find somewhere to SSH into UNM anymore. I aptly named the file: “rubberHose.cpp” for obvious reasons. I’d be lying if I said that I’m not getting a little pessimistic about actually completing the lab, but I’m sure quite a few others in the class are feeling the same way right about now. I’m going spend a great-deal more time on the project this weekend, and I’m now anxiously awaiting version 3 from the professor. ;)
I received an e-mail from diabloo71@yahoo.com, which broke down his algorithm for breaking K3 and his, proposed, steps for continuing up the feistel structure to get K1 and K2. We compared his pseudo code to our own and I *THINK* we’re on the right track; we seem to have the same basic technique to solve the problem. We did receive new S-Boxes from the professor this evening, and they appear to be more linear and, in his opinion, easier to crack. We'll hopefully be able to confirm this when running our *working* code on the plaintext/ciphertext pairs...but I give no guarantees.
John and I did discuss the lab briefly at work today, and John made a comment that we should get threads on one of our work’s super computers in order to brute-force the entire structure…maybe not a bad idea when your employer has two of the top-10 super computers in the world. =)
We came to the conclusion that this would probably be too expensive and we probably wouldn’t even be able to run our code on the machines. Oh well….it was an idea.
Code is now being written on my laptop, which now has Fedora core 10 64-bit on it. I put the code on my personal laptop because I can now take it anywhere with me; I won’t have to find somewhere to SSH into UNM anymore. I aptly named the file: “rubberHose.cpp” for obvious reasons. I’d be lying if I said that I’m not getting a little pessimistic about actually completing the lab, but I’m sure quite a few others in the class are feeling the same way right about now. I’m going spend a great-deal more time on the project this weekend, and I’m now anxiously awaiting version 3 from the professor. ;)
Wednesday, February 11, 2009
I haven’t gotten very far with Lab #1. I’m really still trying to grok all of the information presented in class, which is extensive. I’ve read several postings and pages from the class e-mail list, and I *THINK* I’m starting to see where I should begin. The: “A Tutorial on Linear and Differential Cryptanalysis” paper was especially helpful. The link can be found here: http://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf
I downloaded the sdes16.cc code from Professor Crandall’s website, but, it wouldn’t correctly compile on my Linux box; I get a compiler error that states: -- integer constant is too large for ‘long’ type --. This is probably due to me having a 32-bit version of Ubuntu running on my laptop; I should probably upgrade to 64-bit. I did, however, get the linear.cpp and pc.cpp to correctly compile and run. I’ve been going through the code the last few evenings and have begun writing a rough algorithm for my own implementation of Professor Crandall’s modified 16-bit SDES program. The Professor is allowing us to work in groups, so I’ve teamed-up with two colleagues from work that are also taking the class: John Montoya and Jonathan Mandeville. Jonathan has an extensive background in computer security and has a lot more experience with encryption than me or John. John is a CE major with extensive hardware and some C++ experience, and I’m a junior in the CS department with experience in several languages; this should be a good pairing. We’re going to be getting together this weekend or early next week and compare notes and algorithms so we’ll know what each of us thinks should be the direction to take to solve this lab.
We’re determined to get the wine….
Monday, February 2, 2009
RCR Course for class
I completed the RCR course entitled: "CITI Physical Sciences and engineering RCR Course For The Unaffiliated Learner". While most of the information presented had little bearing on cyber-ethics, I think a couple of points are very valid.
The first part of the course focuses on reasearch misconduct. The goal is to make the reader understand that if the researcher cannot be trusted, then the research results may be invalid. I can understand how this could be relevant to cyber ethics because if an individual embellishes his findings, his entire collection procedures and his reputation can be tarnished. If this were a criminal case involving specific information removed from an individuals hard drive, the information can be thrown out of court and the accused may walk; this is especially important in a cyber-forensics case. This module also discussed the importance of data storage; the "data must be stored in a safe and secure manner during and after the conclusion of the research project."
I also liked the module that discussed the importance of how "scientists balance the free exchange of some sensitive scientific data and information with the possibility that a terrorist or other threat to national security might use the material."
I think this is a very important point regarding computer security and computer forensics. It has been demonstrated that some scientists believe the value of their work transcends security: they will actively share information and specific data about their projects without regards to the sensitive nature of their work. The data obtained in the research is important, but oftentimes the methods used to obtain the data is as, or more, important than the data itself; this was painfully evident during the Manhattan Project. I believe this can be a key issue regarding cyber ethics in this class: the students taking part in this class should not only refrain from using the tools and skills obtained outside of the controlled environment of the class, but should also not publicly discuss their research or data-gathering methods with individuals not in the class.
In my opinion I don't think there was as much of a focus on ethical issues as it relates to computing environments; the modules appeared to focus on ethics and honesty in more of a lab structure. I would recommend either a different course, or possibly a guest-speaker with specific examples of how individuals did not make good ethical choices regarding some of the tools or information we will be learning about this semester, and the consequences of those choices.
The first part of the course focuses on reasearch misconduct. The goal is to make the reader understand that if the researcher cannot be trusted, then the research results may be invalid. I can understand how this could be relevant to cyber ethics because if an individual embellishes his findings, his entire collection procedures and his reputation can be tarnished. If this were a criminal case involving specific information removed from an individuals hard drive, the information can be thrown out of court and the accused may walk; this is especially important in a cyber-forensics case. This module also discussed the importance of data storage; the "data must be stored in a safe and secure manner during and after the conclusion of the research project."
I also liked the module that discussed the importance of how "scientists balance the free exchange of some sensitive scientific data and information with the possibility that a terrorist or other threat to national security might use the material."
I think this is a very important point regarding computer security and computer forensics. It has been demonstrated that some scientists believe the value of their work transcends security: they will actively share information and specific data about their projects without regards to the sensitive nature of their work. The data obtained in the research is important, but oftentimes the methods used to obtain the data is as, or more, important than the data itself; this was painfully evident during the Manhattan Project. I believe this can be a key issue regarding cyber ethics in this class: the students taking part in this class should not only refrain from using the tools and skills obtained outside of the controlled environment of the class, but should also not publicly discuss their research or data-gathering methods with individuals not in the class.
In my opinion I don't think there was as much of a focus on ethical issues as it relates to computing environments; the modules appeared to focus on ethics and honesty in more of a lab structure. I would recommend either a different course, or possibly a guest-speaker with specific examples of how individuals did not make good ethical choices regarding some of the tools or information we will be learning about this semester, and the consequences of those choices.
Subscribe to:
Comments (Atom)