## Last class!

• Well, review on Monday and exam on Wednesday
• But last day of new material
• OMETs are up
• respond to them
• be honest in your evaluation but also remember that this is my first time teaching the class and it’s very much an alpha version
• Proj4 out tonight
• It will be a continuation of proj3
• I will give you a starting point
• Short lecture today
• not much left to cover

## Who ARE you, anyway?

• Trust is the basis of secure communications
• identity is the basis of trust
• proving that you are who you say you are is important
• authentication is the act of proving your identity
• there are several ways of doing so
• something that only you know
• “security questions”
• something that only you have
• keys (the physical kind)
• keys (the digital kind)
• something that is unique to you, physically
• fingerprints
• retina
• DNA?
• each of these can be spoofed, of course
• but being able to provide more than one will be more convincing
• it’s unlikely someone will be able to steal ALL of your PII (personally-identifying information)
• most sites today just use passwords
• but multi-factor authentication (MFA) is becoming increasingly popular
• if it’s 2 factors, then it’s 2FA :B
• password AND a PIN texted to you
• password AND a Duo Mobile push
• that kinda thing.

## What are you doing in here?

• does everyone have access to the same places in the real world?
• no…
• you can’t just walk into private rooms, even if the people know who you are
• this is access control
• each user has a set of capabilities: things they can do and see in the system
• capabilities can be granted or revoked
• in proj3, librarians have several capabilities that patrons don’t
• but a patron could never become a librarian or vice versa…
• hmm, proj4 maybe? ;)

## Am I even at the right place…?

• Okay, users are one thing. But what about servers?
• Let’s say you wanted to steal a bunch of usernames and passwords.
• You set up a site, www.pncbank.co.
• uh…
• then, you send out some mass emails that appear to come from PNC support.
• uh oh.
• this is phishing.
• from “phony” and “fishing”
• tricking people into using a site that isn’t legitimate
• this is kind of a social engineering attack…
• how could we prevent this from happening?
• we can’t be perfect about it, but we could have some kind of set of “trusted” sites.
• this would be maintained by a third party. (neither the client nor the server)
• your browser would be able to check if a site is trusted or not…
• and if it’s not, it could give you a warning.
• you may have even encountered this!
• this is the idea of certificates
• you can generate a public key and get it certified by a certificate authority (CA)
• now you have a sort of validated identity!
• but… who’s the certificate authority?
• how do you trust them?
• hahahahaha
• your OS has a list of trusted CAs
• do you know who they are?
• :)
• trust is a slippery thing.
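As an added example (not part of the lecture notes), here is the browser-side check in Go's standard library: a constructed root CA plays the OS trust store, it certifies www.bank.example, and the browser accepts or rejects three visits. The hostnames root-ca.example and www.bank.example are made up; www.pncbank.co is the lookalike from the phishing scenario above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a certificate naming host with parentKey; parent == nil makes it self-signed.
func issue(host string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		DNSNames:              []string{host}, // browsers match the URL's host against these names
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // keys are generated locally, so this cannot fail in the demo
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced by the library, so it parses
	return cert
}
// Demo plays the browser for three visits and reports which certificates it would accept.
func Demo() (legit, selfSigned, wrongHost bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	badKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := issue("root-ca.example", true, caKey, nil, nil)        // constructed; stands in for one OS trusted CA
	bank := issue("www.bank.example", false, siteKey, root, caKey) // the real site, certified by that CA
	fake := issue("www.bank.example", false, badKey, nil, nil)     // a phisher certifying the bank's name himself
	roots := x509.NewCertPool()
	roots.AddCert(root) // the "list of trusted CAs" the lecture mentions
	ok := func(c *x509.Certificate, host string) bool { // trusted chain AND the host in the URL must match
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
		return err == nil
	}
	return ok(bank, "www.bank.example"), // true: a trusted CA vouches and the name matches
		ok(fake, "www.bank.example"), // false: nobody in the trust store vouches for the phisher's cert
		ok(bank, "www.pncbank.co") // false: a genuine cert does not name the lookalike host
}
```

The third case only fires when the lookalike site presents someone else's certificate; a lookalike domain with its own valid certificate passes every check here, which is why the notes say we "can't be perfect about it".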