CSC 607 Meeting 9 Charts

CSC 607 Meeting 9 Charts - Security in Computing – CSC...

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Security in Computing – CSC 607 Security Wireless Security – WCM 605 Wireless Meeting 9 Thursday 28 Jan, 2010 1/26/2010 1/26/2010 1 “Week 4” Schedule Sat 1/23 Voice Oriented Wireless Networks II Data Oriented Wireless Networks Security in Traditional Wireless Networks Security in Wireless LANs ­ I Tue 1/26 Security in Wireless LANs ­ II Breaking WEP Project Presentations Privacy Issues Review for Final Exam Thu 1/28 Legal and Ethical Issues Breaking WEP Project Presentations Final Exam Week 4 Reading – Pfleeger & Pfleeger 4th Edition Chapters 10 and 11 Chandra Chapters 6 & 7 1/23/2010 1/23/2010 2 Legal and Ethical Legal Considerations Considerations 1/26/2010 1/26/2010 3 Legal & Ethical Issues Protecting Programs and Data • • • • 1/26/2010 1/26/2010 Copyrights Patents Trade Secrets Computer Objects Information and the Law Rights of Employees and Employers Software Quality Issues Computer Crime Ethical Issues in Computer Security Case Study and References 4 Non-Technological Controls for Non-Technological Computer Security Computer Law • Adapting/Changing Courts have reacted remarkably well, considering the time­constants of legal change • Far from perfect Slow After the fact Time consuming Costly Privacy • Much stronger laws recently • Well­recognized ethics Ethics • Not universal Multiple perspectives on right vs. wrong • Does not provide answers 1/26/2010 1/26/2010 5 Legal Controls - Copyrights Protects works of the mind Aimed at creative works of art, literature, written scholarship Legally protects a particular expression of an idea • Does NOT protect the idea itself • Ideas cannot be neither copyrighted nor patented Gives author the exclusive right to make copies of the expression and sell it repeatedly • First sale only, NOT resale Intent is to promote distribution • Must be distributed • Must be in some tangible medium Relatively inexpensive to obtain Protects 70 years after death of author (individual)/ 95 years after registration (organization) Copyrighted object is subject to fair use • Unfair use = piracy 1/26/2010 1/26/2010 Owner can choose whether to sue for infringement 6 Copyrights for Computer Software Software can be copyrighted • May not be very good protection Copyright protects the program statements, but not concept • Ideas cannot be copyrighted • Somebody else’s implementation of the idea is okay • Requirement to publish may not be in best interests of software developer/owner Distribution of object code does not protect source code Digital Millennium Copyright Act (DCMA) (1998) • Clarified some issues • Some Key provisions 1/26/2010 1/26/2010 Digital objects can be subject to copyright Circumvention/disablement of built­in antipiracy is a crime Devices to disable antipiracy are also criminal, BUT Such devices are ok for research and education Back up of digital copies to protect against hardware/software failures is okay Libraries can make up to 3 copies for lending to other libraries Emerging Principle: Software Acquisition is more like renting the right to use than a purchase 7 Legal Controls - Patents 1/26/2010 1/26/2010 Protects inventions, tangible objects or ways to make them Aimed at results of science, technology & engineering Legally protects device or process for carrying out an idea • Does NOT protect the idea itself or a mental processes • Specifically excludes newly discovered works of nature Object patented must be non­obvious First inventor to invent gets the patent, even if there were two independent developments Protects 20 years from date of filing (not date of granting) 2­4 year processing time is not unusual Filing will be published not later than upon issue of patent • May be published earlier, unless filer specifies they will not seek foreign patent protection Relatively expensive and complex to obtain Patent law has expanded to include computer software • Recognizes that algorithms, like processes and formulas are inventions Failure to sue for infringement can lead to loss of patent rights 8 Legal Controls – Trade Secrets A Trade Secret is information that gives one company a competitive edge over another Must be KEPT secret • An infringer is one who divulges the secret Reverse Engineering may reveal the secret. Not illegal Trade Secret application applies well to computer software • Trade secret protection allows distribution of the result (the executable program) while keeping the program design hidden • Makes it illegal to steal a secret algorithm and use it elsewhere • Does not cover copying, so does not protect against pirating • Computer software is vulnerable to reverse engineering 1/26/2010 1/26/2010 Employment contracts useful to protect trade secrets 9 Comparison of Protections Copyright Patent Trade Secret Protects Protected object made public Yes; intention is to promote publication Design is filed at No USPTO and patent is published Requirement to distribute Yes No No Duration 70 years after death or 95 years after registration 20 years after filing Indefinite Legal Protection 1/26/2010 1/26/2010 Expression of idea; Invention; the way not the idea itself something works May sue if unauthorized copy is sold Must sue or lose patent if invention is copied Sue if secret is obtained improperly Pfleeger & Pfleeger, Security in Computing, 3 Ed., Table 9­1, p 566 rd A secret, competitive advantage 10 Summary of Protection for Summary Computer Objects Computer Hardware • Is a work of creativity. Can be copyrighted Copyright Office has not determined appropriate medium to accept object code • • • Single purpose chip can probably be patented Data (instructions, algorithms, etc.) probably cannot be patented or copyrighted Trade secret protection is probably the best approach • • Hardware, Medium and Process can be patented • • • Trade secret protection is probably the best Hard to maintain secrecy when copy is deposited with Copyright Office Copyright does not necessarily prevent others from reimplementing in slightly different form Firmware Object Code Source Code Documentation • 1/26/2010 1/26/2010 Copyright 11 Information – A New Kind of Object Information is neither a physical thing nor a service Special Characteristics of Information • Not Depletable Repeated sale does not diminish stock or quality • Can be replicated perfectly with minimal cost Copy is truly indistinguishable from original Potential to deprive original seller of repeat sales • Value is often time­dependent Often depends on when you know something • Often transferred intangibly 1/26/2010 1/26/2010 Accurate copy of “bad” information is still an accurate copy 12 Legal Issues with Information Information is unlike most other goods and services that are sold or traded Cryptography can protect E­Publishing • Legal Structure needs to evolve Courts have difficulty deciding what protection laws apply to databases • Who owns the data in a database? Laws have not fully evolved to protect E­Commerce • Digital signatures can provide technical protection for financial part of the transaction • Questionable protection when information you purchased is “unsuitable”, arrives damaged, or never arrives • Proof of purchase can be questionable 1/26/2010 1/26/2010 13 Legal System Provides Some Legal Protection of Information Protection Criminal Law Defined by Cases brought by Wronged Party Remedy Statutes Government Society Jail, fine • • • Contracts Common law Government Individuals and companies Individuals and companies Damages, typically monetary Contracts enhance laws, by providing specific protections Government is able to prosecute only major cases Enforcement of civil law is usually expensive 1/26/2010 1/26/2010 Civil Law Legal system is informally weighted by money 14 Ownership Rights – Ownership Employees vs. Employers Employees Inventors own patents • Rights of inventor(s) be assigned to employer • Contracts normally require such assignment The author (software developer) is the presumed owner of a copyright • Employer can assert “Work for Hire”with one or more of: Employer has supervisory relationship Employer has right to fire Employer arranges for work before work is created Written contract specifies that employee has been hired to do certain work • No question when “work for hire” is specified in a contract Protects employer • Employee can retain ownership through licensing 1/26/2010 1/26/2010 Protects employee Work for Hire vs. Licensing is agreed through negotiation 15 Employment Contracts Should spell out rights of ownership Normally require protection of trade secrets May include non­compete clause if employee leaves • State law may limit employer • California limits strongly 1/26/2010 1/26/2010 Right to earn a living takes precedence 16 Software Quality Issues Legal Issues in Selling Correct and Usable Software • There are legitimate differences of opinion in what constitutes “fair”, “good” and “prudent” in the context of software, programmers and vendors • Re general trade, US Uniform Commercial Code (UCC) states, “if the goods or the tender of delivery fail in any respect to conform to the contract, the buyer may reject them” • Quality demands for mass market software are usually outside the range of legal enforcement Moral and Ethical Issues in Producing Correct and Usable Software • Return of software you find not high enough in quality is problematic, at best (Caveat Emptor!) Moral and ethical issues in finding, reporting, publicizing, and fixing flaws • Is the benefit of reporting of a flaw greater for user or attacker? • There is a need for responsible reporting of vulnerabilities 1/26/2010 1/26/2010 17 Computer Crime 1/26/2010 1/26/2010 Legal rules regarding tangible property have been a problem in computer crime • Situation has been improving with time Rules of evidence can be difficult in computer crime • Law prefers original source documents • Magnetic copies may be the ONLY record • A technology advances, devices are being accepted as evidence Can be difficult to establish a chain of custody with computer­ based evidence Relatively recent privacy laws are bringing protection to confidentiality and integrity Placing a value on data continues to be difficult Computer Crime can be hard to define 18 Computer Crime Can Be Hard To Computer Prosecute Prosecute A computer can be the: • Subject, • Object, or • Medium of a crime Even when computer crime is recognized it can be hard to prosecute because of: • • • • • • 1/26/2010 1/26/2010 Lack of understanding of computers and computing Lack of physical evidence Lack of recognition of assets Lack of political impact Complexity of case Age of defendant (juvenile perpetrators) 19 Key Statutes – 1984-1996 US Computer Fraud and Abuse Act (1984) prohibits: • • • • • • • Unauthorized access to national defense data Unauthorized access to banking/financial information Unauthorized access, use, etc., of a US Government computer Accessing a protected computer without permission Computer fraud Transmitting code to damage a computer or network Trafficking in computer passwords US Economic Espionage Act (1996) • outlaws espionage by computer US Electronic Funds Transfer Act US Freedom of Information Act • Effect is to increase classification and protection requirements for sensitive data US Privacy Act (1974) • protects privacy of personal data collected by US Government US Electronic Communications Privacy Act (1986) 1/26/2010 1/26/2010 • prohibits electronic wiretapping 20 Key Statutes – 1996 to today Gramm­Leach­Bliley Act (1999) • Covers privacy of data for customers of financial institutions US Patriot Act (2001) • strengthens 1984 Fraud & Abuse Act Health Insurance Portability and Accountability Act (HIPAA) (1996) • protects privacy of individuals’ medical records Mandates “business associates contracts” for protection of shared data • mandates portability of health benefits Controlling the Assault of Non­Solicited Pornography and Marketing (CAN SPAM) Act (2003) California Breach Notification Law SB1386 (2003) • Requires notification of any breach that could compromise personal information 1/26/2010 1/26/2010 21 International Legal Concerns European Union Directive 95/46/EC discussed above • Requires equivalent protection in non­EU countries Several countries have laws restricting Internet content Some countries restrict encryption A user or a company may become subject to the laws of another country, even if its data only passes through that country There are a number of “safe havens” for computer criminals making the savvy ones very hard to catch 1/26/2010 1/26/2010 22 Cryptography and the Law Conflicting Goals • Users want privacy/businesses need confidentiality desire for strong encryption • Governments want to track illegal and/or dangerous activity desire for weaker encryption Laws on use of encryption vary substantially by country US strongly restricted export of encryption technology until 1998 • In 1997, US courts ruled that printed source code is an idea that cannot be restricted US opened up export of single key (56 bit) DES to most countries in Sep. 1998 Much debate continues to this day 1/26/2010 1/26/2010 23 Laws and Ethics Ethic – an objectively defined standard of right and wrong Ethical system – a set of ethical principles Law Ethics Described by formal, written document Described by unwritten principles Interpreted by courts Interpreted by each individual Established by legislatures representing all people Presented by philosophers, religions, professional groups Applicable to everyone Personal choice Court is final arbiter of “right” Priority determined by individual if two principles conflict Enforceable by police and courts Limited enforcement Pfleeger & Pfleeger, Security in Computing, 3rd. Ed., Table 9­3, page 606 1/26/2010 1/26/2010 US Congress, Parliaments, and Legislatures codify a few ethical judgments into laws. The rest are up to us. 24 Ethical Principles Ethical principles are different from religious beliefs • People with different religious backgrounds may develop the same ethical philosophy • Two exponents of the same religion may reach opposite ethical conclusions in a given situation Ethical principles vary by society and across individuals • Example: east vs. west on privacy Ethics may change • Major events and close contact with others influence ethics Ethical pluralism recognizes that more than one ethical position may be justifiable • People may legitimately disagree on issues of ethics Ethics are not determined by majority rule Conflicting opinions do not excuse us from making and 1/26/2010 1/26/2010 defending ethical choices in computer security 25 Ethical Systems Teleological Theory • Focus on consequences of an action • Choose action that results in the greatest good/least harm Egoism – make best choice for individual Utilitarianism – make best choice for whole universe Deontology • Certain things are good in and of themselves “We hold these truths to be self­evident, that all men are created equal, that they are endowed by their Creator with certain inalienable Rights, that among these are Life, Liberty and the pursuit of Happiness…” – US Declaration of Independence, July 1776 • Two Forms: 1/26/2010 1/26/2010 Rule­Deontology – certain universal, self evident natural rules specify proper conduct for all Rules of proper behavior are developed individually based on religion, experience and analysis 26 Considering Ethical Alternatives Consequence­based Rule­based Individual Based on consequences to an individual Based on rules acquired by the individual – from religion, experience and analysis Universal Based on consequences to all of society Based on universal rules evident to everyone Pfleeger & Pfleeger, Security in Computing, Table 9­4 – Taxonomy of Ethical Theories, page 610 Steps in justifying an ethical choice: 1. Understand the Situation (learn facts, ask questions) 1/26/2010 1/26/2010 2. Know multiple ethical theories 3. Make list of ethical principles involved 4. Decide on weights of each principle (subjective evaluation) 5. Make choice 27 Note: Steps 1 and 3 are the hardest Privacy Rights Case Study (condensed from Textbook) Donald • • Dilemma • 1/26/2010 1/26/2010 Works for county records department Has access to property tax records Ethel • For research purposes, has been granted access to numerical information of some records, but not the corresponding names Ethel requests certain names and addresses so she can contact them for permission to do further study Get together in four groups and list the principles involved 28 Privacy Rights Case Study (condensed from Textbook) Donald • • Dilemma • 1/26/2010 1/26/2010 Works for county records department Has access to property tax records Ethel • For research purposes, has been granted access to numerical information of some records, but not the corresponding names Ethel requests certain names and addresses so she can contact them for permission to do further study Based on the principles involved, what is your group’s conclusion? Should Donald give Ethel the names and addresses? (There is no “right” or “wrong” answer). 29 Privacy Rights Case Study (condensed from textbook) Donald • • Dilemma • • • For research purposes, has been granted access to numerical information of some records, but not the corresponding names Ethel requests certain names and addresses so she can contact them for permission to do further study Job­responsibility (use of info is not part of Donald’s job) Use (legitimate scientific study, not for profit) Possible misuse (no guarantee that Ethel will only “follow up”) Confidentiality (Ethel’s access was restricted from the beginning) Tacit permission (To do the job she was commissioned to do, Ethel needs the additional access) Propriety (Names and addresses are the confidential part of the data) Analysis • 1/26/2010 1/26/2010 Ethel Some principles involved • • • • • Works for county records department Has access to property tax records Rule deontology would argue that privacy is an inherent good. Ethel’s request would violate privacy and should be denied. 30 Some Ethics References IEEE • IEEE Code of Ethics ACM • ACM Code of Ethics and Professional Conduct Computer Ethics Institute • The Ten Commandments of Computer Ethics International Federation for Information Processing (IFIP) • Ethics and The Governance of the Internet (see http://www.ifip.org/ 1/26/2010 1/26/2010 31 Class Discussion Is it legal to connect to your neighbor’s WAP if they have not implemented a password? • With their permission? • Without their permission? Is it ethical? • Discuss the ethics from the perspective of more than one ethical system 1/26/2010 1/26/2010 32 ...
View Full Document

{[ snackBarMessage ]}

Ask a homework question - tutors are online