Comp327: Introduction to Computer Security
Blog and homepage for Rice's Comp327

Archive for January, 2014

More on the ethics of security disclosures and Edward Snowden

Thursday, January 16th, 2014

In class, we talked about Snowden and the NSA. What I forgot to bring up, but which is an important topic, is the ethics of the NSA hoarding known security vulnerabilities. Let’s say some NSA internal security expert discovers a remote exploit in Windows that allows them to take over a Windows machine. What are they supposed to do with that exploit? They could use it as part of their attack machinery, allowing them to do all the other things that they do once they’ve broken into a computer. Alternatively, they could contact Microsoft and say “hey, this is bad, fix it.”

The core question, from a utilitarian perspective at any rate, is whether the world (or perhaps just the U.S. if you prefer) is better off if the vulnerability is fixed rather than exploited. For example:

  • If the NSA could find it, then others can as well. Perhaps the vulnerability is already being exploited by somebody else.
  • Once the NSA exploits the vulnerability in the wild, others will see it, reverse engineer the attack, and themselves be able to exploit it.
  • If the NSA just tells Microsoft to go fix it, then the NSA “offensive” mission can’t benefit from the vulnerability. However, every Microsoft user benefits from the vulnerability being fixed.
  • Conversely, everybody loses some utility when there’s a vulnerability, even if they’re not the target of an NSA-driven exploit for that vulnerability, and even if they’re not a Windows user. If you’re interacting with somebody else and they have a vulnerability, it hurts you.
  • The downside risk to Windows users, in the aggregate, is proportionate to how many Windows machines they’re running. There are lots of Windows machines in the U.S. versus, for example, not so many in North Korea. You can conclude that the NSA has more incentive to push Microsoft to fix things than the North Korean equivalent agency might have.
  • NSA has two missions: one to conduct its offensive mission (“signals intelligence”) and one to conduct a defensive mission (“information assurance”). You can imagine how putting these two missions under the same roof might lead to some disagreements, since each side of the organization has quite different incentives, in terms of “doing their job”.

Exercise for the reader: try to think these same issues through relative to some of the other recent NSA disclosures, such as the allegation that the NSA deliberately weakened a popular standard for how to securely generate random numbers, or the allegations that they intercept electronics shipments and tamper with the hardware.

What you inevitably will find is that a utilitarian framework like this makes it impossible to say “they should always disclose a vulnerability” or “they should never disclose a vulnerability”. However, you’ll find that it’s useful to compare two different attack modes (e.g., broad spectrum surveillance vs. targeted attacks) and talk about the relative merits and downsides of weaponizing a vulnerability versus patching it.

WebSecLab Setup

Tuesday, January 14th, 2014

For several of our assignments this semester, we will be using an environment called WebSecLab. It will allow you to explore various security weaknesses by developing related exploits. WebSecLab consists of two parts – a virtual machine that you run on your local computer, and a cloud service where you can upload your progress. You will want to go ahead and install WebSecLab and make sure that everything works to prepare yourself for those exercises. Here are some steps for getting everything set up.

1. Download and install VirtualBox. VirtualBox is an environment that will let you run virtual machines (software images of a computer) on your local host.

2. Download the WebSecLab VM. You will do your exercises within this virtual machine.

3. Set up and start the virtual machine within VirtualBox. (Use File / Import Appliance)

4. Start the virtual machine and open the Chromium browser within the virtual machine.

5. Follow the links to set up and activate a WebSecLab account. After pressing the “ActivateVM” button, the WebSecLab UI will appear in the browser. The class information that you need is available on Piazza.

If you have any problems, post to Piazza, and we will see what we can do.

Welcome to Comp327, Spring 2014

Tuesday, January 14th, 2014

This blog mostly has material from last year on it, but this will be updated rapidly as we get into the semester. Your homework 0 is already online.

Class meets Tuesday and Thursday 9:25-10:50 in Duncan Hall 1042.