Simplicity and necessity: designs should be as simple and small as possible. Minimize functionality, favour minimal installs, and disable unused functionality. Aka: minimize the attack surface. Safe defaults: deny-by-default. Design systems to fail closed (denying access) and favour allowlists over denylists.

When we study computer and internet security (aka cybersecurity, in most circles), we are primarily interested in how people interact with software, computer systems, and networks, and in how they can be misused by various agents. We are typically not concerned with unintentional mistakes or other types of damages (such as a network failure cause by an outage or a natural disaster).

computer and Internet security: the combined art, science, and engineering practice of protecting software, computers, networks, the data stored on them, the information transmitted on/between them, and the physical devices/machines they control from intentional misuse by an unauthorized party.

In the first part of this talk, I made the case that theory is useful because it allows us to find (or at the very least, have the correct toolkit and language to explore) solutions to real-world problems. In this part, we are going to look at some examples of such problems and develop mathematical language to be able to discuss them more abstractly. I’ve put the term “real-world” in quotes in the title, because I’m going to be talking about these problems in a lot of generality. However, I want to stress that specific instances of these problems are actually relevant in industry, and I think it’ll be easy to see why once I start talking about them.

I just finished a blog post where I discuss things I’ve recently learned about how to read research papers. I almost included this as a point in that post, but I think it’s important enough to warrant its own article.

Here’s the idea: you absolutely should not be reading the sections of a research paper in order.

It took me a while to learn this one – I can’t remember if I first read this advice somewhere, if someone told it to me, or if I reverse-engineered it from advice I got about how to write papers. It doesn’t matter which one came first, really – my point is that I only found this out in a roundabout way through googling and trial and error and harassing people with questions.