IL1(EN) - 7 - GitHub Pages · 2020-06-29 · Replay attack, Man-in-the-middle, Session hijacking

Post on 10-Jul-2020


Page 1: IL1(EN) - 7 - GitHub Pages · 2020-06-29 · Replay attack Man-in-the-middle Session hijacking. Normal communication (Charles) Eavesdropping. Masquerading. Replay attack. Replay attack

Good morning!

• Lecture will start at 10:45 (let's wait for everyone).
• If you have any question, please ask in the chat.
• Note that the lecture will be recorded.
• Please write your name and student ID there: https://forms.gle/27SzdTnbd83meTKC8

Page 2: Information Security and Ethics

Information Literacy I – EN (IL1) Course

Page 3: Information Security

Page 4: Information Security: Tokyo Tech Guidelines

• Link to these Guidelines: useful information, but mostly in Japanese
• Wikipedia page

Page 5: Information Security

• Key concepts
• Security controls
• Risk management
• Typical objectives
• Attack methods

Page 6: Key concepts: What is the CIA (triad)?

• Confidentiality
• Integrity
• Availability

Non-repudiation

Page 7: Security controls

• Administrative: policies, procedures, standards, guidelines; laws, regulations
• Logical: authentication, firewalls, intrusion detection, encryption; principle: least privilege
• Physical: doors, locks, alarms, cameras, security guards; principle: separation of duties

Page 8: Risk management

Security in depth. At design time:
1. strengthen system A
2. “what if?”: strengthen B assuming A is violated
3. repeat at each level

Page 9: Typical dark motives

• Destruction: attacks on devices/infrastructures, harassment, …
• Information / money theft: identity theft, spy activities, account violation, ransomware
• Stealing processing power: spambot farms

Page 10: Attack methods (generic)

• Eavesdropping
• Masquerading
• Replay attack
• Man-in-the-middle
• Session hijacking

Page 11: Normal communication (Charles)

Page 12: Eavesdropping

Page 13: Masquerading

Page 14: Replay attack

Page 15: Replay attack

Page 16: Man-in-the-middle

Page 17: Session hijacking

Page 18: Session hijacking

Page 19: Attack vectors

• Human: “social engineering”, phishing, garbage diving
• Hardware: backdoor, physical attack
• Software / Network: next slide…

Page 20: Program threats

• Trapdoor
• Trojan horse
• Logic bomb
• Virus / worm
• Denial of service (DoS)
• Spyware / monitoring
• Covert channels

Page 21: Some countermeasures

• Firewall
• Phishing monitoring
• Anti-virus software
• Backup
• Cryptographic protection: encryption, authentication, certification
• Privacy mode, adblock
• TOR
• …
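As an added example (not part of the lecture slides), the following Python sketch shows the replay attack from the attack-method slides (pages 14 and 15) against a message protected by the “authentication” countermeasure listed above: a nonce, a timestamp and an HMAC tag. The shared key, the message format, the 30-second freshness window and the command strings are all constructed for this example.

```python
import hashlib
import hmac
import json
import os
import time

# Shared secret between sender and receiver (constructed for this example only).
KEY = b"constructed-demo-key"


def make_message(command, key=KEY, now=None):
    """Build an authenticated message: payload, fresh random nonce, timestamp, HMAC tag."""
    body = {"cmd": command,
            "nonce": os.urandom(8).hex(),
            "ts": int(now if now is not None else time.time())}
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Checks the tag first, then freshness, then whether the nonce was already used."""

    def __init__(self, key=KEY, window=30):
        self.key, self.window, self.seen = key, window, set()

    def accept(self, msg, now=None):
        now = now if now is not None else time.time()
        raw = json.dumps(msg["body"], sort_keys=True).encode()
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"           # tampered or forged (masquerading)
        if abs(now - msg["body"]["ts"]) > self.window:
            return "rejected: stale timestamp"   # old capture replayed long after
        if msg["body"]["nonce"] in self.seen:
            return "rejected: replayed nonce"    # same capture re-sent within the window
        self.seen.add(msg["body"]["nonce"])
        return "accepted"


def demo():
    """Eavesdropped message m is accepted once; every replay or edit of it is refused."""
    rx = Receiver()
    m = make_message("transfer 100", now=1000)
    first = rx.accept(m, now=1001)
    replay = rx.accept(m, now=1002)                                      # identical copy, seconds later
    late = rx.accept(make_message("transfer 100", now=1000), now=2000)  # fresh nonce, old timestamp
    edited = {"body": dict(m["body"], cmd="transfer 999"), "tag": m["tag"]}
    tampered = rx.accept(edited, now=1003)                               # payload changed, tag kept
    return first, replay, late, tampered
```

Without the tag, the nonce and the timestamp could simply be rewritten by the attacker; without the nonce set, an intercepted message would stay valid for the whole freshness window.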

Page 22: Information Ethics

Page 23: Copyright for Digital Technologies

• Software copyright
• Software license
• Reverse engineering

Page 24: Copyright on Programs

• copyright
• copyright on program
• copyright on assets (images, sounds, characters, …)

Program shown on the slide (Scala, a leader-election protocol; the framework it extends is not part of the slide):

```scala
class ArbitraryTopologyElection (p: ProcessConfig) extends ReactiveProtocol(p,…) {
  private def isRoot = parent == me
  private var parent = me
  private var maxID = me
  private var color : StateColor = Red
  private var children = neighbors.toList
  private var announced = false

  private def visitNextChild() {
    children match {
      case next :: tail => SEND (Token(me, next, maxID)) ; children = tail      // Rule 1
      case Nil if ! isRoot => SEND (Token(me, parent, maxID))                   // Rule 2
      case Nil if isRoot => SEND (AnnounceLeader(me, neighbors + me, me))       // End
    }
  }

  def onSend = {
    case Candidate if color == Red => visitNextChild()
    case Candidate if color == Black => /* IGNORE */
  }

  listenTo(classOf[Token])
  listenTo(classOf[AnnounceLeader])
  def onReceive = {
    case Token(_, _, pid, _) if pid < maxID => /* DROP */
    case Token(_, _, pid, _) if pid == maxID => visitNextChild()
    case Token(from, _, pid, _) =>
      color = Black ; maxID = pid ; parent = from
      children = (neighbors - from).toList
      visitNextChild()

    case AnnounceLeader(_, _, _, _) if announced => /* DROP */
    case AnnounceLeader(from, _, leader, _) =>
      announced = true
      SEND (AnnounceLeader(me, neighbors - from, leader))
      DELIVER (Elected(Some(leader)))
  }
}
```

Page 25: Copyright on Programs

“Look-and-feel”
• pull-down menu vs. pop-up menu
• trash can vs. recycle bin
• logo vs. start menu

Page 26: Software license

Free software / Open source: “free as in beer” or “free as in freedom”

Variants:
• BSD, MIT license, Apache
• GPL, LGPL
• Creative Commons

Page 27: Software license

• Freeware: free to use; restrictions may apply
• Shareware: limited + pay for unlock; paid content
• Commercial license: personal license, site license, floating license

Page 28: GDPR?

General Data Protection Regulation: “new” regulation in the European Union (adopted in 2016, enforced since May 2018). Wikipedia link:

“Business processes that handle personal data must be built with data protection […] and use the highest-possible privacy settings […], so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data's owner.”

Consequences:
• New terms of contract for many websites
• Some websites are not available anymore

Page 29: Summary of key points

Information security
• concepts: confidentiality, integrity, availability, non-repudiation
• controls: administrative, physical, logical
• attack vectors, program threats

Information ethics
• copyright
• software license

Page 30: 3rd Test – Security and Ethics

Your answers should be submitted via the Google Form: https://forms.gle/zdve3VyDKAAbJQZE7 (link also on the website).

To be completed by June 22, 23:59 (strict deadline).

You can submit your answers multiple times; the last submission before the deadline will be considered final.

This test is mandatory – it is a part of your course evaluation.

Page 31: Next quarter? Information Literacy II

- Data processing (gnuplot or python/matplotlib)
- Writing scientific documents (LaTeX)
- How to make nice presentations

Less talking, more doing! First lecture on June 22 at 10:45

Japanese Website: https://titechcomp.github.io/y20-il2j/

Page 32: Course Evaluation

https://www.ks-fdcenter.net/fmane_titech/Ans?ms=t&id=titech&cd=iL3ptEVD