Software Carpentry

Helping scientists make better software since 1997

Cryptography Isn’t Security

One topic that I’ve tried to include in this course a couple of times, without success, is security. I feel irresponsible not saying something about how to share safely, but I’ve never found something that (a) would fit into one hour, (b) wasn’t platitudes, and (c) gave listeners something they could act on.

One reviewer suggested talking about public/private key pairs (to help people set up SSH), signing things digitally, and the like. I’m leery of going down that road, though, since it could easily leave people with a misplaced faith in technical solutions to security problems. As always, suggestions would be welcome…

Advertisements

Written by Greg Wilson

2009/10/23 at 16:38

Posted in Content, Version 4

3 Responses

Subscribe to comments with RSS.

  1. The hook for me with security it ‘trust’. With that as the setup you can talk about…
    – social engineering – don’t trust people
    – xss – don’t trust the client or the server
    – sql injection – don’t trust the client
    – pki – web of trust

    Teaching people to think paranoid about every action is how to get them to start coding securely.

    Adam Goucher

    2009/10/24 at 13:11

  2. Yes, but: students probably won’t have done any web app programming (too far to try to get to in a course at this level) so XSS and SQL injection are out of reach, and if we’re not including the shell, I can’t think of PKI examples that are more than just “here’s some magic”. I’d love to be proved wrong…

    Greg Wilson

    2009/10/24 at 17:01

  3. Greg-

    I think a good hour-long topic is the threat model that underlies most security work.

    An hour might let you deal with issues of transport security, endpoint authentication, the difference between authentication and authorization, and why passwords in cleartext are bad. Encyption is only one tool in a toolbox that might include SSL, VPN, PGP, GPG, OTR, md5, sha-1. All of these are one possible answer to a small class of threats.

    You might cover how Sarah Palin’s webmail account got hacked. There plenty of stories of individually “secure systems” which, in combination, are unsecure.

    For instance, Twitter’s business plans for the coming 6 months were leaked: a staffer used foo@webmail-a.com as the owner address for bar@twitter.com. The foo account expired, and an attacker registered it, knocked over the password for their bar corporate password, and downloaded lots of goodies.

    Stephen van Egmond

    2009/11/10 at 01:42


Comments are closed.

%d bloggers like this: