Why Offensive Security Needs Engineering Textbooks
Authors
Abstract
Offensive security—or, in plain English, the practice of exploitation—has greatly enhanced our understanding of what it means for computers to be trustworthy. Having grown from hacker conventions that fit into a single room into a distinct engineering discipline in all but name, offensive computing has so far been content with a jargon and an informal “hacker curriculum”. Now that it is unmistakably an industry, and an engineering specialization, it faces the challenge of defining itself as one, in a language that is understood beyond its own confines—most importantly, by makers of law and policy. Currently, lawmakers and policy makers have no choice but to operate with pieces of our professional jargon that got publicized by journalists. But writing laws based on professional jargon is dangerous: it will be misunderstood by lawmakers and judges alike. It’s not the wisdom of the judge or the legislator that is in question, it’s their ability to guess the course of a discipline years in advance. Consider the concept of unauthorized access at the heart of (and criminalized by) the Computer Fraud and Abuse Act (CFAA). The unanticipated, “unauthorized” uses of today will be the primary uses or business models of tomorrow. When the CFAA was written, connecting to a computer on which one had no account was pointless. Cold-calling a server could serve no legitimate purpose, as none were meant for random members of the public; each computer had its relatively small and well-defined set of authorized users. Then the World Wide Web happened, and connecting to computers without any kind of prior authorization became not just the norm but also the foundation of all related business. Yet the law stands as written then, and now produces conundrums such as whether portscans, screen-scraping, or URL crafting are illegal, or even whether telling journalists of a successful URL-crafting trick that revealed their email addresses could be a felony (as in the recent US v. Auernheimer case). Even accessing your own data on a web portal in a manner unforeseen by the portal operator, as in the case of ApplyYourself users who could see their admission status prematurely, may similarly be a crime under the CFAA (for discussion of these cases and different institutions’ reactions to them see S.W. Smith, “Pretending that Systems are
Similar Resources
The Blunderdome: An Offensive Exercise for Building Network, Systems, and Web Security Awareness
In spite of the controversy surrounding the practice of using offensive computer security exercises in information assurance curricula, it holds significant educational value. An exercise and architecture for an asymmetric (offense-only) security project, nicknamed “Blunderdome”, has been deployed twice at the University of Tulsa: once to graduate students in a security engineering course, and ...
What rough beast?
Synthetic biology seeks to create modular biological parts that can be assembled into useful devices, allowing the modification of biological systems with greater reliability, at lower cost, with greater speed, and by a larger pool of people than has been the case with traditional genetic engineering. We assess the offensive and defensive security implications of synthetic biology based on the ...
Rethinking the Notion of Non-Functional Requirements
Requirements standards and textbooks typically classify requirements into functional requirements on the one hand and attributes or non-functional requirements on the other hand. In this classification, requirements given in terms of required operations and/or data are considered to be functional, while performance requirements and quality requirements (such as requirements about security, reli...
Why Individuals Commit Computer Offences in Organizations: Investigating the Roles of Rational Choice, Self-Control, and Deterrence
Computer offences and crimes against corporate computer systems have increasingly become a major challenge to information security management in the Internet-enabled global economy and society. In this study, we attempt to develop a theoretical model that integrates three main stream criminology theories, i.e., general deterrence, rational choice, and individual propensity. We submit that, whil...
Why do narcissists disregard social-etiquette norms? A test of two explanations for why narcissism relates to offensive-language use
Narcissists often fail to abide by norms for polite social conduct, but why? The current study addressed this issue by exploring reasons why narcissists use more offensive language (i.e., profanity) than non-narcissists. In this study, 602 participants completed a survey in which they responded on a measure of trait narcissism, rated several offensive words on the degree to which the words were...