Lecture 9 - Really Long Version - WIP
The first half of this week’s lecture focused largely upon revision, whilst the second half covered a couple of new theoretical concepts (which Jazz had already covered if you attend his classes, so more revision) and a taste of Adam’s lecture next week on privacy.
Culture - Just Culture, Excellence Culture, Feedback Culture and everything in between
Just Culture
Contrasted with blame culture, just culture takes a more holistic view of where fault lies after an incident. It steers away from placing blame upon the last person to interact with the subject of the incident (‘shooting the messenger’) and instead addresses the incident as the product of multiple issues. Since Australian airline Qantas’ adoption of this culture and its subsequent success, just culture has seen widespread, occasionally forced, adoption.
Many credit just culture’s success to individual employees being less averse to participating in incident and safety reporting events, meetings and hearings: just culture gives assurances that participating employees are protected from unjust recourse (shooting-the-messenger style) and incentivises issue reporting.
Lessons To Learn from Traditional Engineering 
Security engineering is a relatively new field compared to traditional engineering disciplines, so it seems to follow that security engineering could draw from traditional principles such as:
Implementing codes and methodologies to follow in times of crisis 
Attempting to falsify everything; i.e. continually testing systems to examine potential issues 
Culture of excellence; taking pride in your profession. Deadlines are important but so is delivering quality code and the former shouldn’t come at the cost of the latter. 
Fix agile; it’s fast and agile but that’s pretty much it. Pretty awful about security 
Associations; there are medical, engineering, accounting and law related associations such as the various bar associations, accounting and actuarial practice associations, Australian Medical Association etc. etc. that enforce rules of practice. Make one for software engineering.
Closing the Loop: Feedforward Systems
Feedforward neural networks tend to struggle with classifying things that are more difficult to classify, as the lack of feedback from deeper layers causes learning difficulties. This is remedied in various ways; the simplest of these remedies is to create a feedback loop and allow feedback from deeper layers into previous layers. This is also common sense in the real world: educational systems, security systems, government systems etc. all require methods of gauging the success of their policies in order to identify areas of improvement. Thus, apparatuses to channel feedback should exist and should probably be better than MyExperience.
System Properties and Design
Object Oriented Programming Principles 
Loose coupling good, tight coupling bad: the Steven Bradbury video, in which one member of a tightly coupled group of athletes falls over and causes the others to fall over, and the Australian, who was coming last because he sucked (and was thus loosely coupled to the group), wins gold.
Issues and Benefits of Automated Systems 
Issues:
Predominantly their inability to cover edge scenarios. Such a system will always need a method of operating outside its parameters, and artificial intelligence isn’t yet advanced enough for systems to do so on their own. So human intervention is pretty much always necessary.
Benefits:
Removes the human element from decision making, which is ideal because humans are bad at a lot of things as seen in every cognitive bias ever
Systems Designed by People Suck
We spend 1bn dollars every election, but democratic systems still fucking suck because non-critical infrastructure programmers are building them rather than actual critical infrastructure programmers.
End-to-End 
End-to-end security refers to security that stretches the entire length of a system and is equally robust at all parts. Obviously, people tend to slack off, and their cognitive biases may lead them to believe a particular area is more secure or less critical than it actually is.
This is particularly true in the case of the US electoral system, and only recently have its vulnerabilities been brought to light. Such a system operates in the following manner:
Elections:
1. People making up their mind about who to vote for
2. The announcement of voting
3. Propaganda everywhere
4. Establishing voting infrastructure
5. People go to the polls
6. The votes are counted
7. The results are announced
We know that the Russians knew step 1 was particularly weak, took advantage of existing information transfer systems (social media specifically) and used them to spread misinformation and Donald Trump won lmfao. 
Really Loosely Related Section
I’m including this section for completeness’ sake but it won’t be written up properly and I doubt it will be of any relevance in the exam. 
Free Speech? The n-word? Conflicts of interest?
You want all free speech except that which is critical of you. When you believe in free speech, you have to believe in free speech that disagrees with you.
Self-Driving Cars: issues with hackermanz
Google: 'no it's fine lol, we have top people working on it. Self driving planes are a thing already, why not cars'.  Proceeds to try to convince us that robots will be better than humans because humans are drunk, brash idiots. Proceeds to try and misdirect us:
Misdirection: Ethical dilemmas that computers have to make: would the car rather swerve into a young person or an old person?
Fails to address the magnitude of an incident involving systemic failure in computers v individually driven incidents such as terrorist attacks:
Terrorists are small in number.
Computers are not.
Security Analysis of that nuclear silo site in that Wargames film clip:
Features:
Random location in the middle of nowhere - obscurity
Inconspicuous location in Wisconsin - obscurity 
Single way mirror so people wouldn't accidentally find it - security by obscurity
Sign on system
Dual authentication: two people to check codes. Defence in depth? Multiple points of failure? 
Two keys required: forgot the protocol name
Large distance between keys
Case Studies to Read/Watch Up On:
3 Mile Island
Chernobyl
China Syndrome
Trust
A bit that our tutors elaborated upon but Richard himself failed to. 
Importance of trust:
Makes things work. Trust makes processes efficient: people are able to let down their paranoia and focus upon doing what they specialise in, rather than trying to build 1000 walls to protect what they do and obtaining their own food and shelter instead of relying on specialists such as farmers, builders etc.
It allows society to be society.
The Trust Dilemma 
Protocols that rely on trusted third parties. Don't roll your own v allow a third party to do it? Are some things to be trusted? Everything has backdoors.
My Future
Richard tries to convince us of the holistic value of his course. Richard also justifies the strange range of topics to be presented in the portfolio:
Community is important: useful to build off each other's ideas. Something Einstein standing on shoulders of giants
Self-directed learning :- something awesome project. Helps you learn what is important, what you find interesting, constantly update knowledge because security is always changing
Exercise:- do CTFs…'no one's gonna check if you don't do it but do it anyway because you'll learn'. It’s important to stay in shape
Professionalism: plenty of recent-ish security-related professions are growing, so we need to do what's right for the profession