Questions From Fletcher School Students

Ming Chow edited this page Feb 5, 2016 · 16 revisions

####Q: What are the technical obstacles to improved internet governance as envisioned by political leaders around the world?

A: Before doing anything else, political leaders need to understand basic tech.

####Q: Is it possible to hack a submarine?

A: The keyword is "possibly". It is possible to hack submarines, and it has been demonstrated that cars can be hacked. The greater the dependence on connectivity and the more complex the software, the greater the possibility.

More on Charlie Miller and Chris Valasek's work on car hacking:

####Q: Can data really be deleted for good from the internet if the "right to forget" is invoked?

A: No. Once content is out on the internet and it spreads, it is generally impossible to delete every vestige of it. Say people saved the content to disk (e.g., a personal hard drive) before it was deleted: what prevents someone from deciding to post it back on the Internet at a later time? How can that be prevented from happening? (read: good luck with that)

####Q: For a program like Stuxnet, what allows it to infect many computers but only affect its intended Iranian targets despite being found in other countries?

A: A group must have done major reconnaissance and research on the target (in this case, Iran) to create a piece of malicious software that affects only Iranian targets.

####Q: In instances of encryption what protects users from hackers trying to access the necessary decryption code? Is that provided as an interstitial step in-between end users typically?

A: Nothing. If an attacker can get the decryption key from a user or install a man-in-the-middle certificate, say via social engineering, then game over. A closely related recent case: Facebook Chief Security Officer Alex Stamos reported "@comcast wants you to install a .mobileprofile to use their access points" https://twitter.com/alexstamos/status/688424346088378368. More: http://www.macworld.com/article/3020161/security/dont-give-open-hotspots-a-security-pass.html

####Q: When something is "end-to-end" encrypted does that mean each of the three layers (applications, IP/Packet Switching Layers, physical infrastructure) has their own encrypting technology, that something is encrypted at the first layer and stays encrypted until it reaches its destination, or something entirely different that I'm missing?

A: End-to-end encrypted means the data you are sending is encrypted on your computer BEFORE it is transmitted, rather than being encrypted only while it is in transmission. More: http://searchsecurity.techtarget.com/definition/end-to-end-encryption-E2EE

####Q: Do I (my devices) have a rotating set of IP addresses that apply to me or is it always randomly assigned whenever I log on?

A: Depends. Many ISPs and institutions use a rotating set of IP addresses, assigned through DHCP (Dynamic Host Configuration Protocol). More: https://kb.iu.edu/d/adov

####Q: When routers are creating point-to-point connections, what does that exactly mean?

####Q: If somebody disabled a "top-tier ISP" would it stop traffic associated with that network, slow down internet activity as routers found ways round that major ISP, slow down the entire internet? Something different?

####Q: How is a data link layer (responsible for "hops"?) different from the network layer within the TCP/IP?

  • Network layer (IP) => provides basic information such as source and destination address but does not guarantee delivery of information
  • Transport layer (TCP) => provides guaranteed delivery of information --or not.

There is a good analogy of the postal network and TCP/IP: http://bpastudio.csudh.edu/fac/lpress/471/hout/netech/postofficelayers.htm

Another lay description: https://www.quora.com/Can-you-explain-OSI-layers-and-TCP-IP-in-laymans-terms
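As an added illustration of the layer split above (not part of the original page), the Python sketch below parses a constructed Ethernet/IPv4 frame and simulates one router hop; the MAC and IP addresses, ports and helper names are made up for the example. It shows that link-layer addresses change at every hop, IP addresses stay the same end to end, and only TCP carries the sequence and acknowledgement numbers used to confirm delivery.

```python
import socket
import struct

def build_frame(proto=6):
    """Constructed sample: Ethernet + IPv4 + TCP (or UDP) headers, checksums left 0."""
    eth = bytes.fromhex("02000000000b02000000000a") + struct.pack("!H", 0x0800)
    if proto == 6:   # TCP header: ports, sequence number, acknowledgement number, flags
        seg = struct.pack("!HHIIBBHHH", 49152, 443, 1000, 2000, 0x50, 0x10, 65535, 0, 0)
    else:            # UDP header: ports, length, checksum only
        seg = struct.pack("!HHHH", 49152, 53, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 1, 0, 64, proto, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    return eth + ip + seg

def parse_frame(frame):
    """Split a frame into the fields each layer contributes."""
    if len(frame) < 34:
        raise ValueError("too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    out = {"link": {"src": src_mac.hex(":"), "dst": dst_mac.hex(":")},
           "network": {"src": socket.inet_ntoa(ip[12:16]),
                       "dst": socket.inet_ntoa(ip[16:20]), "ttl": ip[8]}}
    seg = ip[ihl:]
    if ip[9] == 6 and len(seg) >= 20:      # TCP: seq/ack let the endpoints confirm delivery
        sport, dport, seq, ack = struct.unpack("!HHII", seg[:12])
        out["transport"] = {"proto": "TCP", "sport": sport, "dport": dport,
                            "seq": seq, "ack": ack}
    elif ip[9] == 17 and len(seg) >= 8:    # UDP: no seq/ack, so no delivery guarantee
        sport, dport = struct.unpack("!HH", seg[:4])
        out["transport"] = {"proto": "UDP", "sport": sport, "dport": dport}
    return out

def forward(frame, router_mac, next_hop_mac):
    """One hop: new link-layer addresses, TTL - 1, IP addresses untouched."""
    ip = bytearray(frame[14:])
    if ip[8] <= 1:
        raise ValueError("TTL expired; a router would drop the packet")
    ip[8] -= 1   # a real router also recomputes the IPv4 header checksum (0 here)
    return bytes.fromhex(next_hop_mac + router_mac) + frame[12:14] + bytes(ip)
```
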

####Q: Is each layer of the Internet hypothetically subject to an attack?

A: Yes. See "Attack Possibilities by OSI Layer" from US-CERT https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf

####Q: Are BGP advertisements just code to other routers suggesting traffic get directed towards them?

####Q: Are there any classes you would recommend us taking in the department of Computer Science as aspiring Cybersecurity professionals?

A: "Introduction to Computer Science" to get the basics. There are two great guides on building a successful information security career:

  1. "How to Build a Successful Information Security Career" by Daniel Miessler https://danielmiessler.com/blog/build-successful-infosec-career/
  2. "Starting an InfoSec Career" by Lesley Carhart http://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/

####Q: How can we as individuals engage in promoting a more secure cyberspace?

A: Stay informed, keep learning, be good citizens --talk to those who are curious.

####Q: I understand that it is difficult to tell who is attributable. Yet, the US actually charged five Chinese guys in Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA) on 19 May 2014. So, I would like to know whether attributing people, not only IP address, could be possible or not on the basis of Internet technology. Or, does it need other resources from intelligence aspects, such as HUMINT?

####Q: There is a lot of discussion today about vuln exploits, APTs, DDoS, SCADA sabotage, but underreported is the role of insiders and supportive hacktivists in subverting an organization’s cyber integrity. I spent a lot of time pre-Fletcher on the insider threat and hacktivist side, and am interested in a technical expert's view on its importance.

####Q: The relationship between the "normal" web and dark web, and the implications for individuals

####Q: How does encryption work at the most basic level, and how is it possible for a company to safely and successfully provide encryption software that works when they are making it readily available to a number of people who can figure out ways to break it?

####Q: How does a person, company, or government successfully make sure that their systems and devices have non-exploitable holes that can be exploited by a hacker? Is a successful hacker able to create holes in a system or only exploit ones that are mistakes in the software or hardware (not sure which is the one that’s most relevant in a cyber attack)?