Computer Security
David Wagner, C79, 4/4/2013
Thursday, April 4, 13
themes so far:
- measuring risk
- cognitive biases
- probability reduction (e.g., vaccines)
- harm reduction (e.g., treatment)
today: dealing with uncertain risks
computer security is immature
computer security is risk management
traditional view:
risk = E[loss] = P(breach) × cost(breach)
often not known
does the system have a vulnerability?
will attackers exploit it?
1 million lines of code × 1 bug / thousand lines of code
= 1000 bugs
attacker only needs to find 1 bug; defender must find all of them
don’t know whether system is vulnerable
attackers choose how and whether to attack
attacks change rapidly
no good data about prob. of breach
implications
security market is sometimes dysfunctional
market for lemons
thinking about risks, when there are multiple players
UK: liability for fraud on customer
US: liability for fraud on bank
US banks spent less on security
but fraud rates higher in UK
huh?
UK: fraud? you must have been careless. tough luck, sucks to be you
US: fraud? no problem, we’ll reimburse you
good for customers, but also good for banks
moral hazard
UK banks got lazy and careless, leading to an epidemic of fraud
lesson: align incentives
rule of thumb: place liability on whoever is in the best position to do something about it
externalities
spam
~ 90% of all email is spam
costs US $20 billion per year, in lost productivity
costs recipient: 10 ¢ per spam
costs sender: < 0.001 ¢ per spam
10 million Viagra spams → 1 sale
$3.5 million in revenue per year, for one botnet
why is this possible?
bots
cost of spam not borne by those enabling it
(an externality)
solution?
• regulation: prohibit the harmful activity
• taxation: tax the harmful activity, so market price reflects the true cost to society
• liability: make those causing harm liable for end effects
• mitigation: develop solutions so others are harmed less
let’s count the externalities:
1. attackers used bots to send lots of traffic
2. attackers exploited open DNS relays to boost amount of traffic
3. ISPs don’t block outgoing traffic with obviously spoofed source address
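Item 3 is a missing source-address check at the ISP edge: a packet leaving a customer port should carry a source address assigned to that port. That check is shown here as an added example, not part of the slides; the port names, prefixes and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed sample data: prefixes an ISP has assigned to each customer-facing
# port. Port names are hypothetical; addresses are documentation ranges.
ASSIGNED = {
    "port-1": [ipaddress.ip_network("192.0.2.0/25")],
    "port-2": [ipaddress.ip_network("192.0.2.128/25"),
               ipaddress.ip_network("2001:db8:2::/48")],
}


def egress_verdict(port, src):
    """Return "forward" if src is assigned to the port it arrived on, else "drop"."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"  # not a parsable IP address
    for net in ASSIGNED.get(port, []):  # unknown port: nothing is assigned
        if addr.version == net.version and addr in net:
            return "forward"
    return "drop"


def filter_batch(packets):
    """Apply the check to (port, src) pairs; return (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for port, src in packets:
        target = forwarded if egress_verdict(port, src) == "forward" else dropped
        target.append((port, src))
    return forwarded, dropped


# Constructed outgoing packets, as (arrival port, claimed source address).
SAMPLE = [
    ("port-1", "192.0.2.10"),     # customer's own address
    ("port-1", "198.51.100.7"),   # address outside this port's assignment
    ("port-1", "192.0.2.200"),    # a neighbour's address (belongs to port-2)
    ("port-2", "2001:db8:2::1"),  # customer's own IPv6 address
    ("port-2", "2001:db8:9::1"),  # IPv6 address not assigned to this port
]

if __name__ == "__main__":
    ok, bad = filter_batch(SAMPLE)
    print("forwarded:", ok)
    print("dropped:  ", bad)
```

The filter costs the ISP that deploys it and protects networks elsewhere, which is the externality the slide counts.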
externalities make risks harder to manage
cyberwar
cyberespionage
cybercrime
exercise: name some externalities
general strategies for dealing with risk:
• prevention: reduce probability of bad thing
• mitigation: reduce cost of bad thing
• risk transfer: shift cost to someone else (insurance, taxation, liability, ...)