Notes for October 2, 1998
- Greetings and Felicitations!
- Go through handouts, class rules
  - Will require adding some vulnerabilities to the DOVES database as part of
  - May perform a penetration exercise on an as-yet-undetermined system
- Puzzle of the day
  - Not appropriate; invasion of systems akin to invading a home or business;
    Times will ignore protesters as "irresponsible" or may attack symptom (try to
    find, prosecute attackers) or even find just one security problem rather than
    secure the site
  - Idea here is to force Times to deal with problem of bad reporting (as
    attackers see it); this won't do it. Better would be to publicize stories
    written by the reporter with a line-by-line critique, and be sure all the
    Times' competitors get them (in other words, let the reporter's incompetence
    speak for itself, and in effect ask why a respectable newspaper would employ a
    reporter who can't get facts straight)
- How do you design a security policy?
  - Risk analysis
  - Analysis of other factors:
- Risk analysis
  - What are the threats?
  - How likely are they to arise?
  - How can they best be dealt with?
- Analysis of other factors
  - What else affects the policy (federal or state law, needs, etc.)?
  - Law: as above; discuss jurisdiction (federal or local), problems
    (authorities' lack of knowledge about computers, etc.); chain of
  - Discuss cryptographic software controls (here, France, etc.)
- What procedures need to be put in place, and how will they affect
- Human Factors
  - Principle of Psychological Acceptability (note: illegal violates this)
  - Principle of common sense (it's not common; more when we discuss robust
- Design Principles
  - Principle of Psychological Acceptability
  - Principle of Least Privilege
  - Principle of Fail-Safe Defaults
  - Principle of Economy of Mechanism (KISS principle, redone)
  - Principle of Complete Mediation
  - Principle of Separation of Privilege
  - Principle of Least Common Mechanism
  - Principle of Open Design
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 10/3/98