NBA 600: Session 22 Security and Privacy Networked World 10 April 2003


Presentation Transcript


1. NBA 600: Session 22, Security and Privacy, Networked World, 10 April 2003, Daniel Huttenlocher

2. Schedule For Rest of Term
  • Privacy and security (finish up today)
  • Large networks (today and week of 4/14)
    • Positive feedback effects
    • Small worlds phenomena
    • Smart mobs
  • Emerging technologies (week of 4/21)
    • Web services: J2EE and .Net
    • Vision of Web-based business
    • RFID – smart tags
  • Final project presentations (week of 4/28)

3. Today’s Class
  • Finish topic of security
    • Malicious code (“malware”)
      • Viruses, worms, Trojan horses
    • Protecting your business
    • Differences between security in online networked and offline physical worlds
  • Start topic of large networks
    • Physical, electronic, social and other networks
    • Scientific, technical and business implications
    • Certain properties that can be understood in terms of network structure/dynamics

4. Malicious Code (“Malware”)
  • Dates back to early days of computing
    • Often as pranks, or to demonstrate possibilities
  • Some terminology
    • Virus: hidden program or piece of code that “infects” some other program or file, causing an unexpected, usually negative, result
    • Worm: independent program that actively duplicates itself
    • Trojan horse: malicious program that pretends to be a benign application
      • Generally must be deliberately installed

5. Spreading Viruses
  • Most viruses today are scripts or macros that infect files or email
    • Because files and email are commonly exchanged between people
    • Such viruses spread more quickly than other means such as sharing programs
  • Viruses are always created by someone who intends to do harm
    • Often based on “templates”, so many are similar
  • Virus scanners must be updated for each new virus; impossible to predict new ones

6. Current Virus Prevention
  • Email filters that examine both incoming and outgoing email
    • Remove known viruses, automatically update
    • Viruses replicate via address book or sent items
  • Scans of file systems for infected programs and files
  • Still can get “bitten” by new ones
    • Opening attachments can be dangerous
      • Even if from someone you know, because they may be infected
    • Even viewing email in auto-preview panes can be problematic

7. Worms and Trojan Horses
  • Less prevalent because harder to spread
  • Worms tend to exploit flaws in servers
    • Usually a “buffer overflow”, which allows code sent over the network to be executed
      • Think of someone blindly following a recipe: you can insert new steps that they simply follow
    • Recent one was the Microsoft SQL Server “Slammer” worm
      • Widespread effect this past January
  • Trojan horses install unknown functionality
    • All downloaded programs are a risk this way
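An added example, not from the lecture, of the server-side flaw the slide describes: a fixed-size request buffer filled without a length check (the "recipe followed blindly") beside a bounded version that rejects oversized input before copying. `REQ_BUF`, the handler names and the sample requests are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define REQ_BUF 16  /* constructed: fixed-size request buffer a server might use */

/* Vulnerable pattern: strcpy() copies until it finds a NUL byte, so a request
 * longer than REQ_BUF-1 bytes writes past the end of `buf` into whatever the
 * compiler placed after it on the stack. That is what lets attacker-supplied
 * bytes end up being executed. Never call this with untrusted input. */
int handle_request_unbounded(const char *request) {
    char buf[REQ_BUF];
    strcpy(buf, request);            /* no length check at all */
    return (int)strlen(buf);
}

/* Hardened form: confirm the request (plus its terminator) fits before
 * copying, and refuse it otherwise. Only the first REQ_BUF bytes of the
 * request are ever read, so an unterminated input is also handled.
 * Returns the number of bytes accepted, or -1 if the request was rejected. */
int handle_request_bounded(const char *request) {
    char buf[REQ_BUF];
    const char *nul = memchr(request, '\0', REQ_BUF);
    if (nul == NULL) {
        return -1;                   /* no terminator within REQ_BUF: too long */
    }
    size_t len = (size_t)(nul - request);
    memcpy(buf, request, len + 1);   /* exactly len bytes plus the NUL */
    return (int)len;
}

int main(void) {
    /* Constructed sample requests: one that fits, one that does not. */
    const char *ok = "GET /index";
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* 24 bytes */
    printf("bounded, ok request:        %d\n", handle_request_bounded(ok));
    printf("bounded, oversized request: %d\n", handle_request_bounded(oversized));
    return 0;
}
```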

8. Protecting Your Business
  • Need good technology, but it is not enough
    • Should be easy to use and fit with work processes
  • Need to instill importance in employees and have them contribute to security, not evade it
  • View computer and network security as a senior management issue
    • Policies set by CIO/CTO but agreed to and followed by all senior managers
    • Likely to have more impact on employees and business than physical security

9. Some Security Rules of Thumb
  • Basic technology policies
    • Keep software patches up to date on all externally accessible and critical systems
      • According to CERT, prevents 95% of intrusions
    • Use automatically updating anti-virus software
    • Use firewalls and network loggers
    • Have regular, automated, offsite backups
      • Periodically test that restores work
  • Basic personnel policies
    • Information security is everyone’s responsibility; broadly educate employees

10. Passwords
  • Particularly difficult balance between security and usability
    • One-time token systems can help
  • External access particularly problematic
    • Wide range of remote attackers
  • Most passwords easy to crack
    • E.g., dictionary lookups in a matter of minutes
    • Even all possible 7-character passwords can be tried in a few weeks
  • But policies can make things worse

11. Microsoft Trustworthy Computing
  • Initiative launched in early 2002
    • Across all product groups
    • Active involvement of research and academics
  • Goals are to provide
    • Security
    • Privacy
    • Reliability
    • Business integrity
  • Products and services using software that are as trustworthy as those using electricity
    • Took the electric industry from the 1880’s to the 1920’s

12. Trustworthy Computing Goals
  • Security
    • Systems that are resilient to attack and protect confidentiality, integrity and availability
  • Privacy
    • Customer able to control data about themselves, and those using the data adhere to “fair information” principles
  • Reliability
    • Customer can depend on product to fulfill its functions when required to do so
  • Business integrity
    • Vendor behaves responsively and responsibly

13. Trustworthy Computing Means
  • Secure by design, by default and in deployment
  • Fair information principles
    • User data only collected or shared with consent
  • Availability – ready for use
  • Manageability
    • Easy to install and manage; scalable
  • Accuracy – functions correctly
  • Usability – easy to use and suited to needs
  • Responsiveness and transparency of firm

14. Some Main Players in Security
  • VeriSign (VRSN)
    • Digital trust services
    • $1.2B/yr revenue, up 24% y-o-y (acquisition)
    • $2.3B market cap
  • Check Point Software (CHKP)
    • Firewalls
    • $427M/yr revenue, down 19% y-o-y
    • $3.9B market cap
  • RSA Security (RSAS)
    • E-security solutions (e.g., SecurID)
    • $230M/yr revenue, down 18% y-o-y
    • $420M market cap

15. Large Networks
  • Networks underlie many aspects of both technological and social systems
    • Relationships: suppliers, customers, personal
    • Connectivity: supply chains, information systems, online payment and delivery
  • Networks have some properties that are very different from “collections”
    • E.g., bell curve or normal distribution
      • Height, weight, grades
      • Not incomes!
    • Networks generally follow a different distribution known as a power law

16. Properties of Large Networks
  • Positive feedback
    • Supply side economies of scale
    • Demand side economies of scale
      • Often referred to as network effects
    • Tipping points
  • Power law distributions
  • Small worlds phenomena
    • Power of long-range “random” connections
  • Evolution of networks
  • Reputation in networks – “smart mobs”

17. Positive Feedback
  • Supply side economies of scale
    • Marginal cost less than average cost
    • Anything with high fixed cost, e.g., airline seats
    • Information goods: (near) zero marginal cost
  • Demand side economies of scale
    • Network effects – value higher with more users
    • Physical and electronic networks
      • E.g., phone system (first one studied)
      • Fax, email, IM, Web
    • Societal networks
      • Software, VHS tapes, CDs, DVDs

18. Positive Feedback Effects
  • “Tippy” markets
    • Sudden switch: the strong get stronger, the weak get weaker
  • Winner-take-all markets
    • E.g., VHS vs. Betamax
  • Dominant player markets
    • E.g., Windows-Intel vs. Apple
  • Standards-based markets
    • Telecommunications: phones and Internet
  • Negative feedback
    • Can have a stabilizing effect – multiple players

19. Network Effects
  • Metcalfe’s law
    • Value of a network is proportional to the square of its number of users – n²
      • Value to each user is (proportional to) n
      • Times n users
  • Physical and electronic networks
    • E.g., phone system
      • Value proportional to number of people reachable by phone
    • Communication networks in general
      • Tendency towards a single provider or standard

20. Societal Networks
  • Some non-networked goods exhibit network effects
    • Consumer software in general
      • More valuable when someone you know can help explain it to you
      • Windows, TurboTax, etc.
      • “Network” of know-how
    • Stronger effect when software is used to create documents
      • Word, Excel, PowerPoint, Acrobat
      • Inter-operability or standards issues important
      • “Network” of document exchange

21. Number of Players
  • Single vendor/provider
    • Long distance (pre-AT&T breakup)
      • AT&T connected their own local exchanges
      • Enough local share to dominate long distance and lead to further aggregation
  • Interoperability among vendors/providers
    • Standards
      • Internet has many providers all using common hardware and software standards
    • Licensing
      • CDs have many vendors all licensing a common standard from Philips

22. Web Browsers
  • Substantial network effects
    • Easier for site developers to have one browser or a rock-solid standard
  • Complex and (was) rapidly changing
    • True standards difficult to develop and maintain
  • Microsoft realized this and didn’t want to be the marginalized platform
    • In addition to bundling IE with the OS, worked hard to be compatible with the market leader
    • IE 4 produced pages more similar to Netscape 3 than Netscape 4 did

23. Lock In
  • Particularly high switching costs for products/services with network effects
    • Value of alternative lower until it has many users
  • Decade-long transitions to new kinds of media
    • E.g., vinyl to cassette to CD
  • Difficulty for non-Microsoft Office software
  • Antitrust concerns specifically address network effects and resulting lock-in
    • E.g., AOL barred from upgrades to instant messenger service unless it interoperates with competitors

24. Tipping Points
  • Malcolm Gladwell’s book
  • Sudden changes that result from seemingly small differences
    • Crime rates and policing
    • Epidemics of disease
    • Dominance of VHS over Betamax
  • Often underlying networks can provide some insight
    • Connections between people in the spread of disease, ideas, behaviors

25. Dominant Player or Standard
  [chart: chances of tipping, plotted against economies of scale and network effects]

26. Network Effects and IM
  • In 1999 AOL had near 100% of the instant messenger market
    • With AIM and ICQ combined
  • In the AOL Time Warner merger, FCC prohibited advanced IM services such as video
    • Unless AOL opened up its services to interoperate with other providers
  • AOL now about 48% of market, petitioning FCC to drop restriction
    • Claim no longer risk of “tipping”
    • MSN (29%) and Yahoo (23%) have added advanced services such as video

27. Causing Positive Feedback
  • Compatibility, inter-operability, standards
    • Ease consumer adoption
    • Multiple competitors, though not necessarily anyone
    • Potentially give up some performance
    • Backward compatibility (e.g., dual band phones)
  • Going it alone
    • A “10x” product (Andy Grove)
      • Much better than alternatives, to help get over the switching cost hurdle
    • E.g., video game manufacturers

28. Openness vs. Control
  • How much added value overall, and the share you can capture
  • Value added depends on
    • Product itself
    • Size of network
  • Your share depends on
    • Ability to capture the value
    • How open
      • Resulting degree of competition
      • Alliance vs. full openness

29. No Guarantees
  • Customers value larger networks
    • How much depends on product/service
  • Expectations of who will win are critical
  • Tradeoff of openness vs. control
  • Various strategies
    • Standards
      • Room for innovation?
      • Nearly identical technologies
    • Proprietary technologies
      • Consortium – more control than with standards
      • Going it alone – high risk/reward
