Topics in Computer Security
The goal of this course is to explore the
economic, political and social issues surrounding technology with a
specific focus on computer security. Often the deployment of
technology leads to a change in the social balance of power thus
leading to security problems as the affected parties attempt to secure
For instance, since 2001 various car safety technologies have
incorporated cryptographic algorithms. The introduction of speed
sensors in (car) airbags to improve their performance can lead to
insurance companies using the data to prevent a motorist from making a
successful claim. The usage of cryptographic authentication between
the wheels and the axle of a car, in the name of safety technology,
could actually be used to prevent third-party manufacture of spares
and achieve customer lock-in. Chip-and-pin is another good example of
how security technology is used to shift the liability of fraudulent
card usage from the bank to the customer. By claiming that their
systems are infallible the banks have successfully argued in numerous
court cases that the customers must have divulged the pin, and thus
were solely responsible for negative outcomes.
We shall discuss a broad set of papers from computer security
literature. Students will be required to read and present papers in
class. The class will be highly interactive and students are
encouraged to form opinions and participate in an informed
debate. During every lecture hour we shall select a paper that will be
presented by one student, who will also lead the discussion. The
instructor will moderate the discussion. Each student must present at
least one paper during the course.
Writing paper reviews is a hard earned skill that comes from
practicing often. I will use the following rubric to grade your
30% -- What questions does the paper ask, why are those questions
interesting, how does it answer them, what are the results, etc.
30% -- what you learned, strengths/weaknesses, next steps, etc.
40% -- moderate a discussion about the topic of the paper
good way to do this is to present a list of topics or questions about
the paper for the reader to consider).
Write your report like a research paper. It should introduce the topic
you're studying to the reader, explain why the topic is interesting,
how it related to previous work (with references), and then describe
the methodology used to investigate the topic and a statement of the
(Methodology credit goes to someone I met many years ago at Microsoft
This article by Odlyzko and colleagues
relates the size of a network with its potential value proposition.
This article by Joseph Bonneau and Soren
Preibusch was published in
. It details the state of password authentication
technology as deployed on webservers making a clear case for
improvement of current practices
puts it: "The use of closed-circuit television in city
and town centres and public housing estates does not have a
significant effect on crime". So, do CCTV schemes work or do they not
work? According to one estimate, upto a third of the crime
prevention budget in the UK is spent on CCTV infrastructure. So are the costs
worth the benefits or are CCTV investments a white elephant? When does
CCTV work and when it doesn't is the debate topic for the class.
There's fresh information from the Scotland yard on the (in)efficiency
of CCTV, obtained as part of a freedom of information
Operation Javelin -- 1
Operation Javelin -- 3
(Security Psychology) 25th August: Real
world scams based on
The Real Hustle
For the next two lessons we shall turn our
attention to security psychology. As an introduction to this area,
we will study a variety of scams and try to understand the
underlying principles behind such scams. No preparation is required
for attending this lesson but you might want to go through
, with brief synopses. You might also like to see
some the episodes
Quoting from the paper..."The success of many attacks on computer
systems can be traced back to the security engineers not understanding
the psychology of the system users they meant to protect. We examine a
variety of scams and 'short cons' that were investigated, documented
and recreated for the BBC TV programme The Real Hustle and we extract
from them some general principles about the recurring behavioural
patterns of victims that hustlers have learnt to exploit."
"We argue that an understanding of these inherent human factors
vulnerabilities, and the necessity to take them into account during
design rather than naively shifting the blame onto the 'gullible
users', is a fundamental paradigm shift for the security engineer
which, if adopted, will lead to stronger and more resilient systems
For the next few weeks, we shall concentrate
on banking security papers starting with a classic paper
. There are many important lessons for the security
engineers in this paper, the most important one (in my opinion) is
this: "the threat model commonly used by cryptosystem designers was
wrong: most frauds were not caused by cryptanalysis or other technical
attacks, but by implementation errors and management failures".
2008 IEEE Security and Privacy paper
(Banking Security) Paper for 20th
Chip and PIN is broken
to be presented by Manasi Sachdeva and
2010 IEEE Security and Privacy paper
(ID Cards Part I) Paper for 27th October: LSE ID card report
by Anupama Agarwal and Madhvi Gupta.
During the next three lectures the class
will read and discuss the LSE ID card report -- are ID cards useful?
Are they of help in fighting crime? or terrorism? Can they be expected
to reduce corruption in India? What new security problems do they
create? Are they a cost effective means of achieving the stated goals?
These are some of the questions we will be asking ourselves during the
next three sessions.
(ID Cards Part II) Paper for 3rd November: LSE ID card report
by Sakshi Agarwal and Madhuri Siddula
(ID Cards Part III) Paper for 10th November:
LSE ID card report
by Komal Kochar and Kamini Sharma
Location: Classroom 2
Mailing list: email@example.com
The mailing list is for questions/discussion on papers that
we have read in the class or to share interesting security news. No
chain mails allowed.
Plagiarism notice: please note that homework
efforts are individual efforts i.e. not group efforts and not copied
off the Internet. The first offence will recieve a -10 score while a
second offence will leave you with an 'F' grade.