Reading

This is the reading list for CSCI E45b. Do not be put off by the amount of material. The first thing to do is to read the first required reading for Module 1 (Google Effects) and from it understand why we feel that it is not only OK but important to assign so much reading. The real world has far more reading that could be done when researching any particular topic than can reasonably be done thus, selective reading and remembering where a topic was discussed is more important than memorizing the details in a particular document. Finally, note that all of our readings are links to external sites.

Module 1 - Introduction

Required Reading

• We assign a huge amount of reading. This article describes why people nowadays tend to no longer remember individual facts, but rather remember where certain information is so they can find it when they need it. In the context of this course, we do not expect you to remember every word of every required reading material, but rather remember which reading relates to which information, so you can retrieve it when you need it.
  Google Effects on Memory: Cognitive Consequences of Having Information at Our Fingertips - Sparrow et al  (2011)
• We assign this Lessig paper because we believe it is essential to understand the fundamental forces that influence the dynamic of what happens in the cyberworld
  Laws of cyberspace - Larry Lessig (1998)
• This article explains that the core premise of the Internet is that it is an end-to-end “stupid” network, and understanding this is a fundamental part of understanding the rest of the course.
  The Rise of the Stupid Network - Isenberg (1997)
• With this article we want you to see how once upon a time, some people looked at the cyberworld as a “Brave New World” free of the legal and other constraints of the “real” world.
  Declaration of the Independence of Cyberspace  - John Perry Barlow (1996)
• With this article, we want to highlight why only a small subset of the bazillions of innovations that come onto the cyberworld succeed in the marketplace.  Note, while this article is mostly about healthcare innovation, the key points are about technology innovation in general. 
  Diffusion of innovation in healthcare   - Mary Cain and Robert Mittman, Institute for the Future (2002)
• The impact of the cyberworld has been astonishing in all aspects of life and society.  But such an impact on the world is not new, and this passage from Notre-dame de Paris highlights the similarities between the impact of the printing press and the impact of the cyberworld .
  Notre-dame de Paris   Victor Hugo (1831) - Book V, chapters I & II

• It is important for this course to understand that no one entity is in charge or has control over the Internet.
  Who controls the Internet?  And should they? - Bert Hubert (2021)
• Internet standards are created and maintained by the Internet Engineering Task Force (IETF) and made publicly available as “RFCs”.  Many of the readings in this course will be IETF RFCs - this document is an RFC describing RFCs.
  RFC 825 - Request for Comments on Requests for Comments   - John Postel  (1982) 
• This article provides the background on Internet history, technology, architecture, and operations that you will need for a better understanding of the topics presented in this course.
  Declaration of Scott Bradner  – Wikimedia v. NSA (2018) – paragraphs 22-221 

Optional Reading

• NOTE: the above are required readings, and some of them will be involved in the questions we ask for the exams.  Below is a set of related, but optional readings that will not be used for exams, but may be interesting for those of you who want to go further in understanding this module.
• As We May Think  – Bush (1945)
• The Hacker Manifesto  - The Mentor (1986)
• The NSA is commandeering the Internet   - The Atlantic - Bruce Schneier (2013)
• NSA secrets kill our trust   - CNN - Bruce Schneier (2013)
• The Cluetrain Manifesto: The End of Business as Usual  – Levine et al (2001)

 

Module 2 – Internet Governance

Required Reading

• As explained in this module, the jurisdiction of courts and structures of the cyberworld are not the same. This article highlights a situation where a judge does not understand this difference —or decides to ignore it
  Kentucky Tests State's Reach Against Online Gambling  - Washington Post (2008)
• The 1^st amendment of the U.S. Constitution constrains the kind of laws that can be passed by U.S. legislators as it relates to, among other things, communications systems such as the Internet. The Communications Decency Act (CDA) was an attempt by the U.S. Government to regulate some types of communications on the Internet, that the courts ruled to be unconstitutional because of the first amendment. One section of the CDA, Section 230, was not ruled unconstitutional. Understanding Section 230 is important to this course because it is a key reason that the Internet of today looks like it does, and is a fundamental protection for Internet content platform operators in the U.S..
  Communications Decency Act  - skim all except section 230 – read section 230 carefully
• The following article explains that the authors of Section 230 of the CDA wanted to provide protection for intermediary providers, but did not expect these providers to ignore their responsibilities to society.
  Senator Ron Wyden (co-Author of § 230) Trying to Pressure Internet Companies to Restrict "Indecent" Ideas?- Volokh (2018)
• As the course goes to explain, decisions by courts have major impacts on cyberworld technologies (which relates to the fundamental forces identified by Lessig). Here is an example of one of the more important ones.
  In Court's View, MP3 Player is Just a 'Space Shifter'– Kaplan (1999)
• This reading is a follow-on to the reading from Module 01 and focuses on the impact of “Code” in regulating in the digital space. In particular, this reading discusses how technical design affects the ability to regulate in the digital space.
  Code Is Law – Lessig, Harvard Magazine (2000)
• Even before the Internet, some people were worried about the ethical responsibility of engineers, and protecting users’ privacy.  Here is an example from 1968 by the inventor of packet networking.
  On the engineer’s responsibility in protecting privacy – Paul Baran (1968)
• Ethical considerations are becoming an increasingly important part of the cyberworld. While we do not specifically address ethics in our lectures, we assign this reading so you can understand the issues surrounding this topic.
  Code of Ethics and Professional Conduct ACM (2018)
• While the courts have ruled on Network Neutrality, as discussed in this module, here is Scott’s opinion on why the issue has been so difficult.
  Eyes in their ankles: The congressional view of network neutrality   - Bradner (2011)
• As discussed in the module, in 2017-18, the FCC repealed the previous pro-Network Neutrality Title II-based rules for ISPs. But not all the FCC commissioners agreed with the decision.
  Dissenting Statement of Commissioner Mignon Clyburn  - FCC (2018)
• In the "U.S. Laws" topic, slide 4 notes that the U. S. Supreme Court was reviewing the scope of the Computer Fraud and Abuse Act in January 2021. These two readings concern the court's ruling later that year.
  Supreme Court Restricts Use of Computer Fraud and Abuse Act - JD Supra, September 2021
  Van Buren v. United States (06/03/2021) (PDF) - read the first 4 pages (the Syllabus)

Optional Reading

• Regulations to support Mass ID Theft Law  - Commonwealth of Massachusetts
• Magna Carta  (1215)
• International telegraph convention (1865)
• Internet censorship in the United Kingdom  - Wikipedia
• Commentaries on the Laws of England  - Sir William Blackstone (1765-1769)
• The European Convention on Human Rights  - 1950
• Communications Assistance for Law Enforcement Act of 1994  (CALEA)
• FCC CALEA web site 
• An Act Relative to Security Freezes and Notification of Data Breaches  Chapter 82 of the Acts of 2007 - Commonwealth of Massachusetts
• Nuremberg code for Human Subjects  (PDF)  - 1949

 

Module 3 – Internet Application Protocols

Required Reading

• Module 03 is focused on describing specific Internet applications protocols. As a result, the reading is a collection of RFCs that define these application protocols.  As you will see, these documents are quite old, but these are the documents that specify the protocols that we still use today to run most applications that rely on the Internet and will be covering in the class.
• RFCs describing the protocols for the most popular Internet applications:
  Name/Finger   - RFC 742 (1977)
  Simple Mail Transfer Protocol   - RFC 821 (1982)
  Hypertext Transfer Protocol -- HTTP/1.1   - RFC 2616 (1999) - Sections 1 and 15
  Hypertext Transfer Protocol Version 2 (HTTP/2)  – RFC 7540 (2015) – Section 2
  SIP: Session Initiation Protocol   - RFC 3261 (2006) - Sections 1-5, 27
  The Secure Shell (SSH) Protocol Architecture   - RFC 4251 (2006)
• RFC describing how some of the base protocols above can be extended to send information with different format (e.g., images, text, videos, etc.)
  Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies   - RFC 2045 (1996)
• RFCs describing a couple of important extensions to the base HTTP protocol: CGI which allows responding to an HTTP request using a script/program to dynamically generate the content of the response, HTTP State Management which allows HTTP servers to receive information about you and/or your machine to customize their response based on this information
  The Common Gateway Interface (CGI) Version 1.1   - RFC 3875 (2004) - Sections 1-3
  HTTP State Management Mechanism   - RFC 6265 (2011)
• RFC describing a design (that of TLS) for providing end-to-end encryption
  The Transport Layer Security (TLS) Protocol: Version 1.3  RFC 8446 - (2018) Sections 1-4, appendix E

Optional Reading

• IP Encapsulating Security Payload (ESP)   RFC 4303 - (2005) Sections 1 & 2
• Security Architecture for IP   - RFC 4301 - (2005) Sections 1-3, &10
• Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification   - RFC 5751 - (2010) Sec 1-3 & 5
• MIME Security with OpenPGP    - RFC 3156 - (2001)

 

Module 4 – Identity and Authentication

Required Reading

• As described in this module, passwords are still the most common authentication mechanism.  And, the rules for use of passwords have evolved over time.  These articles address the more common myths about how to securely use passwords, concluding with the current advice from the U.S. National Institute of Science and Technology (NIST).
  Security Myths and Passwords   - Spafford - (2006)
  Stanford’s password policy shuns one-size-fits-all security   - ArsTechnica - (2014)
  NIST 800-63B  (2020) Section 5.1.1.2 (a “memorized secret verifier” is a password
• This article provides additional detail on one of the examples of alternative to character-based passwords.
  Déjà Vu: A User Study Using Images for Authentication (PDF) - Dhamija & Perrig - (2000)
• This article provides additional detail on what Scott highlights in the lecture about beating some fingerprint-based authentication mechanism.
  AI-generated ‘skeleton keys’ fool fingerprint scanners  – Bradbury (2018)
• In the lecture, Scott discusses multi-factor authentication.  This article by Bruce Schneier explains that it is not a panacea.
  The Failure of Two-Factor Authentication   - Schneier - (2005)
• As Scott explains in the lectures, authentication does not always have to identify an individual, sometimes it only needs to know you are the same person, not who you actually are.  This old technical proposal from Scott explains one way to do this.
  Purpose Built Keys   - Bradner et all (2003)
• This old column of Scott’s discusses the underlying issue with the current use of social security numbers in the U.S., that Scott discusses in the lecture. 
  Guessable SSNs -- but is that the real problem?   - Bradner – (2009)
• The new thing to do is to go passwordless and use passkeys instead.  Here is an FAQ to understand passkeys.
  Passkeys may not be for you, but they are safe and easy—here’s why – Ars Technica (2023)

Optional Reading

• The Robustness of Google CAPTCHAs    - Ahmad et al (2011)
• HumanAUT Secure Human Identification Protocols   - Bender (PowerPoint)
• Pages about prosopagnosia    - Burman
• Picture Password: A Visual Login Technique for Mobile Devices   - NIST - (2003)
• The Draw-a-Secret (DAS) Scheme    - Jermyn (1999)
• RFID   - Wikipedia
• National Science & Technology Council Subcommittee on Biometrics 
• The History of Fingerprints   - Moore - 2020
• 2001: Space Odyssey   script
• The S/KEY One-Time Password System   - Haller - RFC 1760 - (1995)

 

Module 5 – Trust and Privacy

Required Reading

• In order to understand trust in the digital context, it is important to understand trust as a concept more broadly.  The following articles provide useful views into the broader concept of trust.
  The Problem of Trust – Faulkner (2018)
  Rethinking Trust – Kramer (2009)
  Usability and trust in information systems- Sasse – (2004) – Read sections 2.4 Trust and 2.5 Privacy
• An important part of this course is to give you an understanding of privacy and its importance.  The following two articles provide a view into the value and the challenges associated with privacy generally and in the digital context.
  The value of privacy    - Schneier (2006)
  Why You Should Value Privacy, Even If You Have Nothing to Hide – Graham Shorr (2020)
• The following two articles are key elements for understanding the U.S. legal system’s approach to privacy.
  The Right to Privacy    - Warren and Brandeis – 1890
  A Brief History of Information Privacy Law   - Daniel Solove – 2006
• These are two important U.S. Supreme Court opinions concerning the right to privacy in telecommunication:
  Katz v. U.S.      - U.S. Supreme Court (1967)
  Carpenter v. U.S.  – U.S. Supreme Court (2017) – read the syllabus, and Gorsuch’s dissenting opinion (starting on page 99 of the PDF - because he presents an interesting alternative way to look at privacy).
• The following laws provide examples of the types of privacy related regulations that have been adopted.
  What is GDPR, the EU’s new data protection law? – Ben Wolford (2020)
  The Health Information Technology for Economic and Clinical Health (HITECH) Act   – Subtitle D Definitions and Part I (2009)
  The California Consumer Privacy Act  – Wikipedia
  The California Privacy Rights Act (2020) – Wikipedia
• While many organizations have either not taken a position, or taken the position that employees should have no expectation of privacy when it comes to their business-related communications and information, some higher education institutions including Harvard have developed specific policies on this issue.  The following is Harvard University’s policy to protect the access to electronic information of members of its community
  Harvard policy on access to electronic information  - Faust (2015)
• One of the threats to privacy of electronic information is the growing ability to determine which information relates to an individual, even when the information has been “de-identified”.
  Identifying Participants in the Personal Genome Project by Name    - Sweeney, Abu, Winn (2013)
• As early as 1973, the U.S. Government was worried about defining principles for handling and protecting the information about its citizens.  Here is a recent publication covering the nine principles as the government currently describes them.
  Fair Information Practice Principles (FIPPs) – FPC (2022)

Optional Reading

• Privacy in Internet Protocol   - RFC 6973 - Cooper, et al (2013)
• The European Convention on Human Rights   - 1950-66
• Records, Computers and the Rights of Citizens    - US HEW (1973)
• Electronic Communications Privacy Act   (1986)
• EU General Data Protection Regulation Web site  (2020)
• EU Directive on Privacy and Electronic Communications   (2003)
• EU-U.S. Privacy Shield website  – click on “learn more”
• California Privacy and Data Security web site
• California breach disclosure act   (2002)
• Health and Human Services HIPAA web site 
• Code of Federal Regulations, Title 45, Part 46 - Protection of Human Subjects   (2018)
• Comments on the TCG Best Practices Committee Document    - Bechtold (2005)
• Trusted Computing   - Wikipedia
• A Secure and Reliable Bootstrap Architecture    - Arbaugh et al - 1997
• TCG Architecture Overview    - Trusted Computing Group
• Can you trust your computer?   - Stallman  (2002)

 

Module 6 – Security Threats I

Required Reading

• Part of understanding security threats requires understanding the history of some of these threats.  Some early computer worms and viruses were not designed with evil in mind, they were resource sharing experiments, or game playing.  Following are two articles and a presentation, the first one being on game playing, and the second two concern the Morris Worm which was an experiment in software distribution.
  In the game called Core War hostile programs engage in a battle of bits  – Dewdney, Scientific American (1988)
  The Helminthiasis of the Internet   - RFC 1135 - Reynolds (1989)
  Worms, Viruses, etc: Things That Go Bump on the Net  - Bradner (1989)
• The following article is by computer researchers who predicted that the scale of the impact of worms and viruses could be dramatically larger than had previously been experienced or understood.
     How to 0wn the Internet in Your Spare Time  - Staniford, Paxson, Weaver (2002)
• For the final pieces of history on viruses, we have three articles relating to Stuxnet, an example of military grade malware.  The second article highlights the fact that the controllers or Industrial Control Systems (ICS) targeted by Stuxnet are widely distributed and are used to control much more than military/nuclear systems.
  How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History    Wired (2011)
  The Real Story of Stuxnet – Kushner (2013)
  Seven years after Stuxnet: Industrial systems security once again in the spotlight – Lipovsky (2017)
• The next three articles explore some tools and techniques used to defend against or better understand network based attacks.  
  A taxonomy of DDoS attack and DDoS defense mechanisms   - Mirkovic, Reiher (2004)
  Know Your Enemy: Analysis of 24 Hours Internet Attacks    - The Honeynet Project (2018)
  Honeypots in cybersecurity explained - Crowdstrike (2022)
• Finally, Ransomware is an increasing problem in Internet security.
  50 ransomware statistics and latest ransomware trends for 2023 – Fortinet (2023)

Optional Reading

• Experience with Viruses on UNIX Systems   - Duff (1988)

 

Module 7 – Security Threats II

Required Reading

• The following is a view of Internet security for end-users from the post web expansion phase of the Internet.  It highlights both pitfalls and good practices that are still valid to this day.
  Users' Security Handbook   - Guttman et al. - RFC 2504 - (1999)
• We assign the following three articles so you can better understand the broad topic of social engineering, including phishing.
  Crippling a Company By Telephone   - Winkler
  Anti Phishing Working Group Trend Reports Read the entirety of the latest report (2023).
  Why is phishing still successful? – National Library of Medicine (2020)
• Another important category of more sophisticated malware are bots or Command & Control (C2) malware.  The following paper provides a view into how such malware works, and how it can be used.
  Command and Control in the Fifth Domain  , Command Five Pty Ltd, (2012)
• This is a cautionary tale of why one should not taunt the hackers, or be prepared to suffer the consequences of doing so.
  Anonymous speaks: the inside story of the HBGary hack  – Bright (2011)

Optional Reading

• Crimes of Persuasion: Schemes, Scams, Frauds   - web site
• SmartScreen Filter   - Microsoft anti-phishing protection - Microsoft web site
• CA/Browser Forum   - web site
• The Hacker Crackdown: Law and Disorder on the Electronic Frontier   - Sterling (1992)

 

Module 8 – Protecting the Infrastructure

Required Reading

• The following are a number of documents from the IETF on protecting the infrastructure of the Internet, a document that details the requirements of a particularly security sensitive application , (ETS), and a set of expectations for reacting to security incidents.
  BGP Security Vulnerabilities Analysis   - RFC 4272 - Murphy (2006)
  Generic Threats to Routing Protocols   - RFC 4593 - Barbir et al (2006)
  Threat Analysis of the Domain Name System (DNS)   - RFC 3833 - Atkins & Austein (2004)
  Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing   - RFC 2827 - Ferguson and Senie - (2000)
  The TCP Authentication Option   - RFC 5925 - Touch et al (2010)
  sidr working group charter   
  An Infrastructure to Support Secure Internet Routing   - RFC 6480 - Lepinski & Kent - (2011)
  General Requirements for Emergency Telecommunication Service (ETS)   - RFC 3689 - Carlberg and Atkinson (2004)
  Expectations for Computer Security Incident Response   - RFC 2350 - Brownlee and Guttman (1998)
• The U.S. Government has been fiddling in the area of security of the Internet and computing in general for many years.  Understanding the current administration’s approach to cybersecurity is an important part of what we cover in this class.
  Executive Order on Improving the Nation’s Cybersecurity (2021)
  A Strategic Intent Statement for the Office of the National Cyber Director (2021)
• For both your amusement and horror, this video highlights what can be done in the physical world as a result of compromising control systems as was done with Stuxnet. Cyber War - The Aurora Project - CBS TV (2009)

Optional Reading

• Ingress Filtering for Multihomed Networks    - RFC 3704 - Baker and Savola (2004)
• Special-Purpose IP Address Registries   - RFC 6890 - Cotton et al (2013)
• DNSSEC Deployment web site 
• Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations    - US Department of Justice (2009)
• Submarine Cable Map    - TeleGeography
• North American Electric Reliability Corporation (NERC)   cyber security standards

 

Module 9 – Usability and Accessibility

Required Reading

• As Ben mentions in the lectures, there are many different approaches, techniques to understanding users needs and designing the “right” product/service. The following articles highlight some important ideas and techniques on this topic.
  Ethnography for design - Payne (2013) – presentation
  Simplicity Is Highly Overrated - Norman (2007)
  Observational research: Looking for the “aha” Experience (PDF)  - Skaggs (2003)
  Co-creation and the new landscapes of design (PDF) - Sanders, Stappers (2008)
• For your amusement and edification, the following are three articles in which people claim that Microsoft’s design and usability thinking does not lead to good and usable products/packaging.
  Windows 8: Design over Usability - Garfinkel (2013)
  Microsoft Re-Designs the iPod Package - Walsh (2006)
• The following are two example of usability guidelines. One from a technology product company, and one from a standards development organization.
  The Philosophy of UI Design: Fundamental Principles - Apple Computer (2013)
  Web Content Accessibility Guidelines 2.1 – W3C (2023)
• The following article highlights an example where usability was the most important factor in designing a system:
  John E. Karlin, Who Led the Way to All-Digit Dialing, Dies at 94   - Fox (2013)
• The following article boils usability principles to their essence, and are a good way to understand the essentials of good design for usability.
  10 Usability Lessons from Steve Krug’s Don’t Make Me Think  - Redd Horrocks (2009)
• The following articles give you a more direct view into the challenges experienced by people with vision impairments and hearing impairments, respectively.
  The Internet Is for Everyone, Right? Not With a Screen Reader  - Pardes (2019)
  The Problem With YouTube's Terrible Closed ‘Craptions’  - Grey Ellis (2019)
• Harvard has set up a website (partially as part of a settlement of a lawsuit by the National Association of the Deaf) dedicated to clarifying policy and supporting online accessibility. This site includes a page with three important University policies relating to online accessibility. Please be sure to read all three policies, and generally review the other material on the website.
  Harvard University – Digital Accessibility - Policies– (2019)
• The U.S. Federal government is belatedly getting serious about accessibility.
  OMB Unveils Guidance to Put Accessibility at Center of Agencies’ Digital Experience – MeriTalk (2023)
• Inclusive design is a newer concept adding another set of considerations when designing technology – the idea of making technology accessible to all.
  Accessibility, usability, and inclusion – W3C (2023)

Optional Reading

• The Protection of Information in Computer Systems   - Saltzer & Schroeder - (1975)
• Kids can teach themselves - Sugata Mitra TED Talk (2007)
• The FCC Just Approved a Landmark New Way For Deaf People to Communicate  - Motherboard (2016)
• Americans with Disabilities Act of 1990 
• Accessibility, Law and Target.com  – JimThatcher.com
• Eye movements when viewing advertisements   - Higgins, et al (2014)
• Plugged-in - Microsoft, Deborah Bach (2018)

 

Module 10 – Cyber Conflict

Required Reading

• As discussed in the lecture, the most important fact in discussing cyber conflict is the difficulty in attributing an attack to a particular attacker.  This paper highlights the complexity, possible negative side effects, and low deterrence potential of attribution.
  Untangling attribution   - Clark, Landau (2011)
• Over time, some nations have applied more resources and gotten more organized around cyber offensive capabilities.  This report describes an early example of a state sponsored cyber offensive operation.
  APT1 Exposing one of China's Espionage Units    - McWhorter (2012) – Executive Summary
• The next four articles are about “current events”, and highlight the on-going worry of foreign interference in national U.S. elections.
  GRIZZLY STEPPE – Russian Malicious Cyber Activity – JAR-16-20296 (PDF) - US-CERT (2016)
  A Guide to Russia’s High Tech Tool Box for Subverting US Democracy  – Graff (2017)
  FireEye's Mandia on SolarWinds hack: 'This was a sniper round' – Warminsky (2020)
  Cyber War and Ukraine – CSIS (2022)
• As described in the lectures, cyber conflict exists in the broader legal context of traditional war and use of force between nation states.  The following papers provides a good overview of the broader legal context in which to view and understand cyber conflict.
  Cyber Security and International Law (PDF) - O'Connell, Arimatsu, Wilmshurst (2012)
  Trends in international law for cyberspace (PDF) – NATO CCDCOE (2019)
• The following classified document, released by Edward Snowden, gives an overview of how the White House views and expects the U.S. Federal Government to respond and coordinate efforts as it relates to cyber conflict.  There may be an update to this, but if so, it is still classified.
  Presidential Policy Directive 20 (PDF) – (2012)
• The 2007 cyberattacks on Estonia have been held as a key event in the global understanding of cyber conflict.  Estonia as a young nation, has bet its existence and future on the Internet and information technology.  This article gives you a more in-depth view into the conflict of 2007.
  Hackers Take Down the Most Wired Country in Europe   - Davis (2007)
• Herb Lin is a world-renowned expert on (among other things) the topic of cyber conflict.  We use a number of his definitions and concepts in the lectures for this module.  This particular paper describes key concepts and definitions to understand offensive cyber operations: cyber attacks and cyber exploitation
  Offensive Cyber Operations and the Use of Force (PDF)   - Herbert Lin (2010)

Optional Reading

• A photographer’s exploration of the Maginot line
  The Epic 450-Mile French Barrier That Couldn’t Stop the Nazis  – Laura Mallonee (2016)
• 60 Minutes' coverage of the Sony Hack
  The attack on Sony   - Kroft (2015)
• Nations Buying as Hackers Sell Flaws in Computer Code  - Perlroth/Sanger (2013)
• Cyberwar is coming!  - Arquilla, Ronfeldt (1993)
• Ukraine-Cyber-Operations – curated-intel @ GitHub (2023)

 

Module 11 – Commerce, DRM

Required Reading

• Some useful tips on protecting your privacy when shopping online..
  Top 10 tips to protect your privacy and safety during the online shopping season and beyond – Chester Wisniewski (2023)
• Under U.S. law, and particularly under the law that created the Federal Trade Commission (FTC), any privacy statement published on any website engaged in commerce is required to accurately describe the website’s handling of any data that it collects.  The following Microsoft privacy statement (more than 43,000 words of it) is an example of the length that some companies go to make such privacy statements hard to understand.
  Microsoft Online Privacy Statement   (2023)
• This short reference is an example of malware masquerading as an eCommerce product.
  Gator eWallet  - ThreatTrack (2018)
• As the lectures discuss, credit card fraud is an important eCommerce issue.  The following article discusses ways to mitigate some of the risks associated with using credit cards.  While it was written in 2006, it is still very relevant today.
  Choke Point: Preventing Credit Card Fraud   – Scalet (2006)
• Using micro-payments for Internet commerce has been proposed by many people/organizations. For example, it may be nice to have the ability to pay for an individual news article rather than to have to get a whole subscription.  The following articles highlight some proposals and issues with idea.
  PayWord and MicroMint: Two simple micropayment schemes  - Revest & Shamir (2001)
  The Unintended Consequences of E-Cash  - Froomkin (1997)
  The Siren Song of Internet Micropayments   – Crocker (2012)
• Copyrights have been an important cyber world issue since the dawn of the Internet.  The following documents provide some background to copyright as a concept and its legal history.
  The Statute of Anne   - British Parliament (1710)
  Digital Millennium Copyright Act - US Copyright Office Summary   (1998)
  EU approves controversial Copyright Directive, including internet ‘link tax’ and ‘upload filter ’- Vincent (2018)
  Public Domain Day 2024 – Jenkins (2024)
• The Digital Millennium Copyright Act requires ISPs to help police copyright violators.  There can be severe consequences for ISPs who fail to do so as the following news article illustrates.
  Cox Communications Hit With $1 Billion Verdict in Music Copyright Suit  - Maddaus (2019)
• The following RFC is a satirical exploration of the natural consequences of U.S. Senator Oren Hatch’s proposal to physically destroy the computers of people who infringe copyright on the Internet.
  Omniscience Protocol Requirements   - RFC 3751 - Bradner (2004)
• Copyright holders try to use Digital Rights Management technology to protect their material.  The following two articles discuss issues with this approach.
  True Purpose Of DRM: To Let Copyright Holders Have A Veto Right On New Technologies  - Masnick (2013)
  Digital Rights Management: The Technology Behind the Hype   - Stamp (2003)

Optional Reading

• US Government Electronic Funds Transfer web site 
• MIME-based Secure Peer-to-Peer Business Data Interchange over the Internet   – RFC 3335 – (2002)
• How DigiCash Blew Everything   - (1999)
• e-Gold   - Wikipedia
• Berne Convention for the Protection of Literary and Artistic Work 
• Copyright Term and the Public Domain in the United States   (2019)
• Copyright Timeline: A History of Copyright in the United States
• Electronic Commerce Modeling Language (ECML) Version 2 Specification   – RFC 4112 – sections 1-4 (2005)
• Introduction to Secure Electronic Transaction (SET)   – Stallings (2002)

 

Module 12 – Security Policy & Mindset

Required Reading

• This first article reinforces or adds to the set of key considerations covered in the lecture as it pertains to creating good policies (not just security policies) for an organization:
  10 things to consider when creating policies - Lowe (2012)
• The following two readings include examples of information classification used to support the proper handling of information in information security policies. The second reading also includes the specific information handling policies and protection requirements that depend on the proper classification of information.
  Authorized Classification and Control Markings Register vol. 4, edition 2 (version 4.2) (PDF) - U.S. ODNI ONCIX SEC/SSD CAPCO (2011)
  Harvard's Information Security Policy – Review the data classification, policy statements, and the “Requirements for everyone” (all three classes – users, devices, paper and physical records)
• The following Wikipedia article is backup for the discussion on the use of propaganda techniques to promote raising attention to the importance of information security, and the practice of good security
  Propaganda techniques    - Wikipedia
• The original term “hacker” referred to people who were curious about technology, and interested in exploring the boundaries of its use, and even unconventional uses. In more recent times, it has had a mixed meaning where some people reduce “hackers” to evil doers. The following two documents provide an understanding of the original mindset, and a more recent view into the hacker sub-culture and mindset.
  The Hacker Manifesto   - The Mentor (1986)
  72 Hours of Pwnage: A Paranoid N00b Goes to Def Con  – Daniel Oberhaus (2016)
• Bruce Schneier, in the first article below, points out that security professionals need the same type of curiosity described in the above two articles.  The second article is a book review of a recent book by Bruce on a different take on the same issue.
  The Security Mindset    - Schneier (2008)
  How to Know if You’re a Hacker, and Other Life Hacks – Dan Piepenbring (2023)

Module 13 – Surveillance, Counter Surveillance

Required Reading

• The first two readings are considered opinions of the IETF as it relates to surveillance technologies.
  IAB and IESG Statement on Cryptographic Technology and the Internet   - IAB & IESG - RFC 1984 (1996)
  IETF Policy on Wiretapping   - IAB & IESG  - RFC 2804 (2000)
• The following two readings cover specific governmental surveillance programs.  The first is Scott’s description of the NSA’s upstream surveillance program.  The second is Bruce’s analysis of the security impact of facilitating government surveillance.
  Declaration of Scott Bradner – Wikimedia v. NSA (2018) – paragraphs 222-356
  Five-Eyes Intelligence Services Choose Surveillance Over Security  – Bruce Schneier (2018)
• The following two articles provide support for the steganography and watermarking portions of the lecture.
  Hacker Lexicon: What Is Steganography? – Newman (2017)
  Watermarking: Applications and Current State of the Art   - Sowelam (2001)
• The following reading provides additional information on the Great Seal Bug discussed in the lecture.
  The Great Seal Bug   
• The following opinion articles relate to why surveillance by itself is such a problem, and that backdoors are not the proper approach to facilitating law enforcement.
  The Dangers of Surveillance   - Richards (2013)
  What Constant Surveillance Does to Your Brain – Rogers (2018)
  The FBI Needs Hackers, Not Backdoors  - Blaze & Landau - (2013)
• In this consenting opinion, Justice Sotomayor explores the impact of technological advances on established laws such as Katz v. US.  Considering the impact of technological advances on laws and policies is an important part of the approach to the cyber world that we hope you to take away from this course.
  U.S. v Jones   - U.S. Supreme Court (2012) - Concurring Opinion, Justice Sotomayor (starts on page 15 of the PDF)
• The following two articles provide backup for the TOR discussion in the lecture.
  Anonymous Connections and Onion Routing   - Syverson et al (1997)
  Tor: The Second-Generation Onion Router   - Dingledine et al (2004)
• The following five readings are about emissions related vulnerabilities and ways some people are trying to prevent them.
  Wikipedia entry on TEMPEST  
  Soft Tempest: Hidden Data Transmissions Using Electromagnetic Emanations  - Kuhn et al (1998)
  Optical Time-Domain Eavesdropping Risks of CRT Displays  - Kuhn (2002)
  Security Engineering - Anderson -  pp.305-320 

Optional Reading

• Bug types - (2018)
• Private Session Initiation Protocol (SIP) Proxy-to-Proxy Extensions for Supporting the PacketCable Distributed Call Signaling Architecture   , - Marshall & Andreasen - RFC 3603 (2003) – section 9
• NSA’s ANT Division Catalog of Exploits   LeakSource - (2013) - skim
• TEMPEST documents 
• Onion Routing web site 
• Pretexts and Cover Techniques    - FBI (1956)
• Information Leakage from Optical Emanations   - Loughry et al (2002)
• Untraceable electronic mail, return addresses, and digital pseudonyms   David L. Chaum. February 1981. Communications of the ACM
• Engineering and Design - Electromagnetic Pulse (EMP) and Tempest Protection for Facilities 
• Exploring Steganography: Seeing the Unseen   - Johnson & Jajodia - (1998)
• Secrets of Computer Espionage: Tactics and Countermeasures   - McNamara (2003) - chapter 1

 

Module 14 – Safe computing and Networking

Required Reading

• The following two readings are supporting material for the topic on enterprise security standards and PCI.
  PCI Data Security Standards Version 4.0 – (2022) deep skim through the whole document
  ISO/IEC 27001    - Wikipedia
• Our last readings are a collection of documents that are aimed at making your life in the cyber world safer, and more secure; which of course is the ultimate aim of this course.
  MIT's IS&T Top Ten Safe Computing Tips  - (2009)
  FTC's Living Life Online- (2014)
  How to surf the Net without getting PWND    - Galbraith (2010)