Comp327: Introduction to Computer Security
Blog and homepage for Rice's Comp327

More on the ethics of security disclosures and Edward Snowden

January 16th, 2014 by dwallach

In class, we talked about Snowden and the NSA. What I forgot to bring up, but is an important topic, is the ethics of the NSA hoarding known security vulnerabilities. Let’s say some NSA internal security expert discovers a remote exploit in Windows that allows them to take over a Windows machine. What are they supposed to do with that exploit? They could use it as part of their attack machinery, allowing them to do all the other things that they do once they’ve broken into a computer. Alternatively, they could contact Microsoft and say “hey, this is bad, fix it.”

The core question, from a utilitarian perspective at any rate, is whether the world (or perhaps just the U.S. if you prefer) is better off if the vulnerability is fixed rather than exploited. For example:

  • If the NSA could find it, then others can as well. Perhaps the vulnerability is already being exploited by somebody else.
  • Once the NSA exploits the vulnerability in the wild, others will see it, reverse engineer the attack, and themselves be able to exploit it.
  • If the NSA just tells Microsoft to go fix it, then the NSA “offensive” mission can’t benefit from the vulnerability. However, every Microsoft user benefits from the vulnerability being fixed.
  • Conversely, everybody loses some utility when there’s a vulnerability, even if they’re not the target of an NSA-driven exploit for that vulnerability, and even if they’re not a Windows user. If you’re interacting with somebody else and they have a vulnerability, it hurts you.
  • The downside risk to Windows users, in the aggregate, is proportionate to how many Windows machines they’re running. There are lots of Windows machines in the U.S. versus, for example, not so many in North Korea. You can conclude that the NSA has more incentive to push Microsoft to fix things than the North Korean equivalent agency might have.
  • NSA has two missions: one to conduct its offensive mission (“signals intelligence”) and one to conduct a defensive mission (“information assurance”). You can imagine how putting these two missions under the same roof might lead to some disagreements, since each side of the organization has quite different incentives, in terms of “doing their job”.

Exercise for the reader: try to think these same issues through relative to some of the other recent NSA disclosures, such as the allegation that the NSA deliberately weakened a popular standard for how to securely generate random numbers, or the allegations that they intercept electronics shipments and tamper with the hardware.

What you inevitably will find is that a utilitarian framework like this makes it impossible to say “they should always disclose a vulnerability” or “they should never disclose a vulnerability”. However, you’ll find that it’s useful to compare two different attack modes (e.g., broad spectrum surveillance vs. targeted attacks) and talk about the relative merits and downsides of weaponizing a vulnerability versus patching it.

WebSecLab Setup

January 14th, 2014 by Tad

For several of our assignments this semester, we will be using an environment called WebSecLab. It will allow you to explore various security weaknesses by developing related exploits. WebSecLab consists of two parts – a virtual machine that you run on your local computer, and a cloud service where you can upload your progress. You will want to go ahead and install WebSecLab and make sure that everything works to prepare yourself for those exercises. Here are the steps for getting everything set up.

1. Download and install VirtualBox. VirtualBox is an environment that will let you run virtual machines (software images of a computer) on your local host.

2. Download the WebSecLab VM. You will do your exercises within this virtual machine.

3. Set up and start the virtual machine within VirtualBox. (Use File / Import Appliance.)

4. Start the virtual machine and open the Chromium browser within the virtual machine.

5. Follow the links to set up and activate a WebSecLab account. After pressing the “ActivateVM” button, the WebSecLab UI will appear in the browser. The class information that you need is available on Piazza.

If you have any problems, post to Piazza, and we will see what we can do.

Welcome to Comp327, Spring 2014

January 14th, 2014 by dwallach

This blog mostly has material from last year on it, but this will be updated rapidly as we get into the semester. Your homework 0 is already online.

Class meets Tuesday and Thursday 9:25-10:50 in Duncan Hall 1042.

Want a free trip to NYC to study mobile app security?

March 18th, 2013 by dwallach

This might be attractive to some of you. It’s after the end of Rice classes, but might conflict with some of your final exams. http://mobappsectriathlon.blogspot.com/2013/03/announcing-mobappsectri-scholarship.html

HW2 Grades Available

February 10th, 2013 by Tad

Your HW2 grades should now be in the “homework2” branch of your bitbucket repositories.

New: Piazza forum for Comp327

January 30th, 2013 by dwallach

All of you should have received an email inviting you to join the Piazza group for Comp327. If you didn’t get the email, bug me directly. We’re going to give them a shot as a class forum, a place for you to ask us (and each other) questions. Assignments and such will continue to be posted here on this blog.

Photographer visiting our class on Thursday

January 29th, 2013 by dwallach

Apparently the Rice campus photographer will be visiting our class on Thursday. If you don’t want to be photographed, you might choose to sit in the back of the room. I’ll have to be careful what I write on the board since it could be preserved for all eternity.

HW2 is now online

January 24th, 2013 by dwallach

Also, we’re still one lecture behind (i.e., the lecture for today / Thursday is what’s listed on Tuesday in the course schedule). We’ll fix this later. Don’t panic.

HW1 has been posted.

January 15th, 2013 by dso

HW1: Infrastructure Setup and Brief ZAP Introduction has been posted here. Thanks.

Welcome to Comp 327

January 7th, 2013 by dso

Please complete the internal registration for Comp327 under HW0: Internal Registration. Note that registering for Comp327 with us, via this web form, is necessary for participating in the class, but it’s not sufficient. You must also make sure you’re properly registered so far as the university is concerned.