Home > CS177 > Homework 1

By the way, ignore the two-letter codes in the top-right corner of your homework. That is notation for my arcane use only.

Make sure you understand the difference between the three conditions for security. For example, if John copies Mary's homework because it's available to him, that's a problem with confidentiality, not availability. A lot of these words, when used in the security context in this class, don't have their normal English meanings.

no notes

A common mistake was to put a confidential information situation under detection. In the case of top secret/confidential info or trade secrets, everything depends on no one else knowing the secret information. You've already lost once it's stolen, so recovery and detection are (just about) useless.

Many people lost points on this problem. It's important to clearly understand these three classifications.
  1. Secure means that it always stays in a secure state. Even though this total cutoff wasn't intended by the security policy, it is nonetheless secure. This is NOT broad. In this context, broad isn't used in the normal English sense of "broad, sweeping denial."

  2. This is secure because it always stays in a secure state, but the correct answer is precise, which implies secure. Precise is a more concise classification which means that the mechanism's states are exactly what the security policy allows.

  3. Some people assumed that users will be benign and play by the rules. Never assume any such thing.

I graded mostly on effort for this problem. More questions/topics/issues gets you more points.

no notes

A lot of people lost points on the first part. It is not enough to just look at destination e-mail addresses and flag everything that goes outside the company. Certain people such as public relations and marketing people need to talk to outsiders all the time. Keeping a list of the company's partners isn't always enough because people like tech support will have to talk to many new people all the time, and many of them could have hotmail, yahoo, aol, or other "personal" e-mail accounts. Similarly, just dealing with mail volume isn't enough, since some employees need to send more mails or send large attachments.

A good answer, such as the one given in the answer key, is one that depends on the types of employees and uses several metrics to analyze mail.

As it is a complex issue I wrote up something humongous for it. Let me guess: not many graders do this. =)

There's also this chat.

Home > CS177 > Homework 1