DOCSLIB.ORG

Software Bug Bounties and Legal Risks to Security Researchers Robin Hamper

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Software bug bounties and legal risks to security researchers Robin Hamper (Student #: 3191917) A thesis in fulfilment of the requirements for the degree of Masters of Law by Research Page 2 of 178 Rob Hamper. Faculty of Law. Masters by Research Thesis. COPYRIGHT STATEMENT ‘I hereby grant the University of New South Wales or its agents a non-exclusive licence to archive and to make available (including to members of the public) my thesis or dissertation in whole or part in the University libraries in all forms of media, now or here after known. I acknowledge that I retain all intellectual property rights which subsist in my thesis or dissertation, such as copyright and patent rights, subject to applicable law. I also retain the right to use all or part of my thesis or dissertation in future works (such as articles or books).’ ‘For any substantial portions of copyright material used in this thesis, written permission for use has been obtained, or the copyright material is removed from the final public version of the thesis.’ Signed ……………………………………………........................... Date …………………………………………….............................. AUTHENTICITY STATEMENT ‘I certify that the Library deposit digital copy is a direct equivalent of the final officially approved version of my thesis.’ Signed ……………………………………………........................... Date …………………………………………….............................. Thesis/Dissertation Sheet Surname/Family Name : Hamper Given Name/s : Robin Abbreviation for degree as give in the University calendar : Masters of Laws by Research Faculty : Law School : Thesis Title : Software bug bounties and the legal risks to security researchers Abstract 350 words maximum: (PLEASE TYPE) This thesis examines some of the contractual legal risks to which security researchers are exposed in disclosing software vulnerabilities, under coordinated disclosure programs (“bug bounty programs”), to vendors and other bug bounty program operators. On their face, the terms of these programs are purported to offer an alternative to security researchers to publicly disclosing or selling discovered bugs, which have significant value and potential for harm if used maliciously, to purchasers who do not intend to use them in order to fix the underlying issues in software. Historically, vendors have deployed a range of legal measures to discourage or eliminate such disclosure. This thesis examines the terms of three popular bug bounty programs (Google, Department of Defence (hosted on HackerOne) and Facebook and considers their effect in the Australian jurisdiction. It examines issues including the application of unfair contracts legislation and unconscionability. It further examines three key case studies in which vendors have sought, or threatened to seek, legal remedies against researchers who have discovered and disclosed vulnerabilities to them under their programs or directly to them in the absence of one. It concludes that while bug bounty programs somewhat advance the previous uncertainty and potentially onerous legal regime, the terms remain asymmetric, largely non-negotiable and vendors may be able to depart from them in certain circumstances. In this context, a range of reforms are suggested in the concluding Chapter which may improve certainty for security researchers, impose greater responsibility on software vendors and, ultimately, create more secure software. Declaration relating to disposition of project thesis/dissertation I hereby grant to the University of New South Wales or its agents the right to archive and to make available my thesis or dissertation in whole or in part in the University libraries in all forms of media, now or here after known, subject to the provisions of the Copyright Act 1968. I retain all property rights, such as patent rights. I also retain the right to use in future works (such as articles or books) all or part of this thesis or dissertation. I also authorise University Microfilms to use the 350 word abstract of my thesis in Dissertation Abstracts International (this is applicable to doctoral theses only). …………………………………………………………… ……………………………………..……………… ………7/9/2019.……………………...…….… Signature Witness Signature Date The University recognises that there may be exceptional circumstances requiring restrictions on copying or conditions on use. Requests for restriction for a period of up to 2 years must be made in writing. Requests for a longer period of restriction may be considered in exceptional circumstances and require the approval of the Dean of Graduate Research. FOR OFFICE USE ONLY Date of completion of requirements for Award: Page 1 of 178 Rob Hamper. Faculty of Law. Masters by Research Thesis. School of Law Originality Statement I hereby declare that this submission is my own work and to the best of my knowledge it contains no materials previously published or written by another person, or substantial proportions of material which have been accepted for the award of any other degree or diploma at UNSW or any other educational institution, except where due acknowledgement is made in the thesis. Any contribution made to the research by others, with whom I have worked at UNSW or elsewhere, is explicitly acknowledged in the thesis. I also declare that the intellectual content of this thesis is the product of my own work, except to the extent that assistance from others in the project's design and conception or in style, presentation and linguistic expression is acknowledged.’ Signed: Date: Page 3 of 178 Rob Hamper. Faculty of Law. Masters by Research Thesis. INCLUSION OF PUBLICATIONS STATEMENT UNSW is supportive of candidates publishing their research results during their candidature as detailed in the UNSW Thesis Examination Procedure. Publications can be used in their thesis in lieu of a Chapter if: • The student contributed greater than 50% of the content in the publication and is the “primary author”, ie. the student was responsible primarily for the planning, execution and preparation of the work for publication • The student has approval to include the publication in their thesis in lieu of a Chapter from their supervisor and Postgraduate Coordinator. • The publication is not subject to any obligations or contractual agreements with a third party that would constrain its inclusion in the thesis Please indicate whether this thesis contains published material or not. ☒ This thesis contains no publications, either published or submitted for publication Some of the work described in this thesis has been published and it has been ☐ documented in the relevant Chapters with acknowledgement This thesis has publications (either published or submitted for publication) ☐ incorporated into it in lieu of a chapter and the details are presented below CANDIDATE’S DECLARATION I declare that: • I have complied with the Thesis Examination Procedure • where I have used a publication in lieu of a Chapter, the listed publication(s) below meet(s) the requirements to be included in the thesis. Name Signature Date (dd/mm/yy) Rob Hamper 7/9/2019 Postgraduate Coordinator’s Declaration I declare that: • the information below is accurate • where listed publication(s) have been used in lieu of Chapter(s), their use complies with the Thesis Examination Procedure • the minimum requirements for the format of the thesis have been met. PGC’s Name PGC’s Signature Date (dd/mm/yy) NA Page 4 of 178 Rob Hamper. Faculty of Law. Masters by Research Thesis. Table of Contents Chapter 1 - Introduction ................................................................................................................. 9 1.1 Introduction ............................................................................................................................ 9 1.2 Research Question ................................................................................................................ 11 1.3 Introducing Software Vulnerabilities, Bugs and their Source ............................................... 11 1.4 Research Methodology ......................................................................................................... 14 1.5 Thesis Structure .................................................................................................................... 16 Chapter 2 – History, Themes and Literature Review .................................................................... 18 2.1 Vulnerability Disclosure: History and Literature Review ...................................................... 18 2.2 Bug Bounties: History and Literature Review ....................................................................... 29 2.3 Legal Framework: Overview and Literature Review ............................................................. 38 2.4 “Hacker” Ethics: History and Literature Review ................................................................... 42 2.5 Conclusion ............................................................................................................................. 45 Chapter 3 - Why Software Matters ............................................................................................... 46 3.1 Introduction .......................................................................................................................... 46 3.2 Why Software Matters .......................................................................................................... 46 3.3 Mobile Devices .....................................................................................................................
Recommended publications
  • Apps Mit HTML5, CSS3 Und Javascript – Für Iphone, Ipad Und Android 509 Seiten, Gebunden, 3

    Apps Mit HTML5, CSS3 Und Javascript – Für Iphone, Ipad Und Android 509 Seiten, Gebunden, 3

    Wissen, wie’s geht. Leseprobe Entdecken Sie die Möglichkeiten von HTML5, CSS3 und JavaScript für die Entwicklung von modernen Apps. Die Autoren geben Ihnen das notwendige Rüstzeug an die Hand. Außerdem enthält diese Lese- probe das Inhaltsverzeichnis und das gesamte Stichwortverzeichnis des Buchs. »Das technische Grundgerüst« Inhalt Index Die Autoren Leseprobe weiterempfehlen Florian Franke, Johannes Ippen Apps mit HTML5, CSS3 und JavaScript – Für iPhone, iPad und Android 509 Seiten, gebunden, 3. Auflage 2015 34,90 Euro, ISBN 978-3-8362-3485-6 www.rheinwerk-verlag.de/3762 3485.book Seite 45 Dienstag, 2. Juni 2015 11:35 11 Kapitel 2 2 Das technische Grundgerüst Konzeption ist das eine, die Umsetzung das andere. In diesem Kapitel zeigen wir Ihnen die Grundlagen von HTML5, CSS3 und JavaScript. Nun, da Sie ein wasserdichtes Konzept für Ihre App haben, sind Sie schon ganz nervös und wollen endlich loslegen? Sehr gut! Bevor Sie mit konkreter Gestaltung und Pro- grammierung beginnen, geben wir Ihnen einen kleinen Crashkurs in HTML5, CSS3 und JavaScript. Dann sind wir alle für den weiteren Verlauf des Buches auf demselben Stand und können so richtig durchstarten. 2.1 HTML5 – Definition und aktueller Stand HTML ist die Kurzform für Hypertext Markup Language. Mit anderen Worten bedeu- tet dies, dass es sich um eine Definitionssprache und nicht um eine Programmier- sprache handelt. Der Zusatz Hypertext ist schon ein kleiner Fingerzeig auf die erwei- terten Funktionen einer HTML-Datei gegenüber einer reinen Textdatei. Anfänglich standen Weberfinder Tim Berners-Lee und sein Team vor dem Problem der Vernetzung von Inhalten. Die Möglichkeit war nun gegeben, Inhalte und Dateien via Telefonleitungen über viele Kilometer hinweg digital auszutauschen.
  • UNITED STATES DISTRICT COURT NORTHERN DISTRICT of GEORGIA ATLANTA DIVISION in Re

    UNITED STATES DISTRICT COURT NORTHERN DISTRICT of GEORGIA ATLANTA DIVISION in Re

    Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 1 of 7 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION MDL Docket No. 2800 In re: Equifax Inc. Customer No. 1:17-md-2800-TWT Data Security Breach Litigation CONSUMER ACTIONS Chief Judge Thomas W. Thrash, Jr. PLAINTIFFS’ MOTION TO DIRECT NOTICE OF PROPOSED SETTLEMENT TO THE CLASS Plaintiffs move for entry of an order directing notice of the proposed class action settlement the parties to this action have reached and scheduling a hearing to approve final approval of the settlement. Plaintiffs are simultaneously filing a supporting memorandum of law and its accompanying exhibits, which include the Settlement Agreement. For the reasons set forth in that memorandum, Plaintiffs respectfully request grant the Court enter the proposed order that is attached as an exhibit to this motion. The proposed order has been approved by both Plaintiffs and Defendants. For ease of reference, the capitalized terms in this motion and the accompanying memorandum have the meaning set forth in the Settlement Agreement. Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 2 of 7 Respectfully submitted this 22nd day of July, 2019. /s/ Kenneth S. Canfield Kenneth S. Canfield Ga Bar No. 107744 DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree Street, N.E. Suite 1725 Atlanta, Georgia 30309 Tel. 404.881.8900 [email protected] /s/ Amy E. Keller Amy E. Keller DICELLO LEVITT GUTZLER LLC Ten North Dearborn Street Eleventh Floor Chicago, Illinois 60602 Tel. 312.214.7900 [email protected] /s/ Norman E.
  • Towards Principled Bug Bounties and Exploit-Resistant Smart Contracts

    Towards Principled Bug Bounties and Exploit-Resistant Smart Contracts

    Enter the Hydra: Towards Principled Bug Bounties and Exploit-Resistant Smart Contracts Lorenz Breidenbach, Cornell Tech, IC3, ETH Zurich; Philip Daian, Cornell Tech, IC3; Florian Tramer, Stanford; Ari Juels, Cornell Tech, IC3, Jacobs Institute https://www.usenix.org/conference/usenixsecurity18/presentation/breindenbach This paper is included in the Proceedings of the 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA 978-1-939133-04-5 Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX. Enter the Hydra: Towards Principled Bug Bounties and Exploit-Resistant Smart Contracts∗ Lorenz Breidenbach Philip Daian Florian Tramer` Ari Juels [email protected] [email protected] [email protected] [email protected] Cornell Tech, IC3,† Cornell Tech, IC3† Stanford Cornell Tech, IC3,† ETH Zurich¨ Jacobs Institute Abstract ble security problem. Vulnerability reward programs— bug bounties Bug bounties are a popular tool to help prevent soft- a.k.a. —have become instrumental in orga- ware exploits. Yet, they lack rigorous principles for set- nizations’ security assurance strategies. These programs ting bounty amounts and require high payments to attract offer rewards as incentives for hackers to disclose soft- economically rational hackers. Rather than claim boun- ware bugs. Unfortunately, hackers often prefer to exploit ties for serious bugs, hackers often sell or exploit them. critical vulnerabilities or sell them in gray markets. We present the Hydra Framework, the first general, The chief reason for this choice is that the bugs eli- principled approach to modeling and administering bug gible for large bounties are generally weaponizable vul- bounties that incentivize bug disclosure.
  • BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications

    BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications

    ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo.
  • Systematization of Vulnerability Discovery Knowledge: Review

    Systematization of Vulnerability Discovery Knowledge: Review

    Systematization of Vulnerability Discovery Knowledge Review Protocol Nuthan Munaiah and Andrew Meneely Department of Software Engineering Rochester Institute of Technology Rochester, NY 14623 {nm6061,axmvse}@rit.edu February 12, 2019 1 Introduction As more aspects of our daily lives depend on technology, the software that supports this technology must be secure. We, as users, almost subconsciously assume the software we use to always be available to serve our requests while preserving the confidentiality and integrity of our information. Unfortunately, incidents involving catastrophic software vulnerabilities such as Heartbleed (in OpenSSL), Stagefright (in Android), and EternalBlue (in Windows) have made abundantly clear that software, like other engineered creations, is prone to mistakes. Over the years, Software Engineering, as a discipline, has recognized the potential for engineers to make mistakes and has incorporated processes to prevent such mistakes from becoming exploitable vulnerabilities. Developers leverage a plethora of processes, techniques, and tools such as threat modeling, static and dynamic analyses, unit/integration/fuzz/penetration testing, and code reviews to engineer secure software. These practices, while effective at identifying vulnerabilities in software, are limited in their ability to describe the engineering failures that may have led to the introduction of vulnerabilities. Fortunately, as researchers propose empirically-validated metrics to characterize historical vulnerabilities, the factors that may have led to the introduction of vulnerabilities emerge. Developers must be made aware of these factors to help them proactively consider security implications of the code that they contribute. In other words, we want developers to think like an attacker (i.e. inculcate an attacker mindset) to proactively discover vulnerabilities.
  • Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE of CONTENTS 2016 Internet Security Threat Report 2

    Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE of CONTENTS 2016 Internet Security Threat Report 2

    Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE OF CONTENTS 2016 Internet Security Threat Report 2 CONTENTS 4 Introduction 21 Tech Support Scams Go Nuclear, 39 Infographic: A New Zero-Day Vulnerability Spreading Ransomware Discovered Every Week in 2015 5 Executive Summary 22 Malvertising 39 Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015 8 BIG NUMBERS 23 Cybersecurity Challenges For Website Owners 40 Spear Phishing 10 MOBILE DEVICES & THE 23 Put Your Money Where Your Mouse Is 43 Active Attack Groups in 2015 INTERNET OF THINGS 23 Websites Are Still Vulnerable to Attacks 44 Infographic: Attackers Target Both Large and Small Businesses 10 Smartphones Leading to Malware and Data Breaches and Mobile Devices 23 Moving to Stronger Authentication 45 Profiting from High-Level Corporate Attacks and the Butterfly Effect 10 One Phone Per Person 24 Accelerating to Always-On Encryption 45 Cybersecurity, Cybersabotage, and Coping 11 Cross-Over Threats 24 Reinforced Reassurance with Black Swan Events 11 Android Attacks Become More Stealthy 25 Websites Need to Become Harder to 46 Cybersabotage and 12 How Malicious Video Messages Could Attack the Threat of “Hybrid Warfare” Lead to Stagefright and Stagefright 2.0 25 SSL/TLS and The 46 Small Business and the Dirty Linen Attack Industry’s Response 13 Android Users under Fire with Phishing 47 Industrial Control Systems and Ransomware 25 The Evolution of Encryption Vulnerable to Attacks 13 Apple iOS Users Now More at Risk than 25 Strength in Numbers 47 Obscurity is No Defense
  • Reforming Vulnerability Disclosure Programs in the Private Sector

    Reforming Vulnerability Disclosure Programs in the Private Sector

    Debugging the System: Reforming Vulnerability Disclosure Programs in the Private Sector Jasmine Arooni* TABLE OF CONTENTS I. INTRODUCTION ..................................................................................... 445 II. VULNERABILITY DISCLOSURE PROGRAMS IN PRACTICE: HOW DO THEY WORK? .............................................................................................. 448 III. THE CURRENT LEGAL LANDSCAPE: LEGAL RISKS FACED BY VDP SECURITY RESEARCHERS .................................................................. 450 A. The Computer Fraud and Abuse Act and Its Impact on Security Research ..................................................................................... 451 B. The DMCA and Its Impact on Security Research ....................... 453 C. Safe Harbor Language: A Superficial Fix, Not a Complete Solution ....................................................................................... 454 IV. THE DOJ’S DISCRETIONARY GUIDANCE FOR PRIVATE VDPS ............. 455 V. THE U.S. GOVERNMENT’S INFLUENTIAL ROLE IN VDP GOVERNANCE .................................................................................................... 456 A. The U.S. Government as a “Crowdsourcer”: Validating the Importance of Public Engagement to Cybersecurity ................. 457 B. The U.S. Government as a “Rule Maker”: The DHS’ Compulsory Authority over Government VDPs .............................................. 458 C. The Government as an “Example”: The Impact of Government VDPs on the Private Sector, as Evidenced Through
  • How to Analyze the Cyber Threat from Drones

    How to Analyze the Cyber Threat from Drones

    C O R P O R A T I O N KATHARINA LEY BEST, JON SCHMID, SHANE TIERNEY, JALAL AWAN, NAHOM M. BEYENE, MAYNARD A. HOLLIDAY, RAZA KHAN, KAREN LEE How to Analyze the Cyber Threat from Drones Background, Analysis Frameworks, and Analysis Tools For more information on this publication, visit www.rand.org/t/RR2972 Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0287-5 Published by the RAND Corporation, Santa Monica, Calif. © Copyright 2020 RAND Corporation R® is a registered trademark. Cover design by Rick Penn-Kraus Cover images: drone, Kadmy - stock.adobe.com; data, Getty Images. Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org Preface This report explores the security implications of the rapid growth in unmanned aerial systems (UAS), focusing specifically on current and future vulnerabilities.
  • The CLASP Application Security Process

    The CLASP Application Security Process

    The CLASP Application Security Process Secure Software, Inc. Copyright (c) 2005, Secure Software, Inc. The CLASP Application Security Process The CLASP Application Security Process TABLE OF CONTENTS CHAPTER 1 Introduction 1 CLASP Status 4 An Activity-Centric Approach 4 The CLASP Implementation Guide 5 The Root-Cause Database 6 Supporting Material 7 CHAPTER 2 Implementation Guide 9 The CLASP Activities 11 Institute security awareness program 11 Monitor security metrics 12 Specify operational environment 13 Identify global security policy 14 Identify resources and trust boundaries 15 Identify user roles and resource capabilities 16 Document security-relevant requirements 17 Detail misuse cases 18 Identify attack surface 19 Apply security principles to design 20 Research and assess security posture of technology solutions 21 Annotate class designs with security properties 22 Specify database security configuration 23 Perform security analysis of system requirements and design (threat modeling) 24 Integrate security analysis into source management process 25 Implement interface contracts 26 Implement and elaborate resource policies and security technologies 27 Address reported security issues 28 Perform source-level security review 29 Identify, implement and perform security tests 30 The CLASP Application Security Process i Verify security attributes of resources 31 Perform code signing 32 Build operational security guide 33 Manage security issue disclosure process 34 Developing a Process Engineering Plan 35 Business objectives 35 Process
  • The Dark Reality of Open Source Spotlight Report

    The Dark Reality of Open Source Spotlight Report

    SPOTLIGHT The Dark Reality of Open Source Through the Lens of Threat and Vulnerability Management RiskSense Spotlight Report • May 2020 Executive Summary Open sourCe software (OSS) has quiCkly transformed both And while Heartbleed and the Apache Struts how modern applications are built and the underlying code vulnerabilities are the household names of open source they rely on. Access to high-quality and powerful open vulnerabilities, they are far from the only examples. Open source software projects has allowed developers to quickly source software is increasingly being targeted by integrate new capabilities into their applications without cryptominers, ransomware, and leveraged in DDoS having to reinvent the wheel. As a result, it is now estimated attacks. Unfortunately, OSS vulnerabilities are often a that between 80% and 90% of the code in most modern blind spot for many enterprises, who may not always be applications is made up of open source components. aware of all the open source projects and dependencies Likewise, many of the very tools that have enabled the that are used in their applications. growth of DevOps and CI/CD such as Jenkins, Kubernetes, and Docker are themselves open source projects. With this in mind, we have focused this version of the RiskSense Spotlight report on vulnerabilities in some of OSS also allows organizations to reduce their software today’s most popular open source software, including costs, and is often key to digital transformation efforts more than 50 OSS projects and over 2,600 vulnerabilities. and the transition of services to the cloud. It is no We then used this dataset to provide a risk-based surprise then that a 2020 report from Red Hat found that analysis of open source software to reveal the following: 95% of organizations view open source software as strategically important to their business.
  • Artificial Intelligence, Big Data and Cloud Computing 144

    Artificial Intelligence, Big Data and Cloud Computing 144

    Digital Business and Electronic Digital Business Models StrategyCommerceProcess Instruments Strategy, Business Models and Technology Lecture Material Lecture Material Prof. Dr. Bernd W. Wirtz Chair for Information & Communication Management German University of Administrative Sciences Speyer Freiherr-vom-Stein-Straße 2 DE - 67346 Speyer- Email: [email protected] Prof. Dr. Bernd W. Wirtz Chair for Information & Communication Management German University of Administrative Sciences Speyer Freiherr-vom-Stein-Straße 2 DE - 67346 Speyer- Email: [email protected] © Bernd W. Wirtz | Digital Business and Electronic Commerce | May 2021 – Page 1 Table of Contents I Page Part I - Introduction 4 Chapter 1: Foundations of Digital Business 5 Chapter 2: Mobile Business 29 Chapter 3: Social Media Business 46 Chapter 4: Digital Government 68 Part II – Technology, Digital Markets and Digital Business Models 96 Chapter 5: Digital Business Technology and Regulation 97 Chapter 6: Internet of Things 127 Chapter 7: Artificial Intelligence, Big Data and Cloud Computing 144 Chapter 8: Digital Platforms, Sharing Economy and Crowd Strategies 170 Chapter 9: Digital Ecosystem, Disintermediation and Disruption 184 Chapter 10: Digital B2C Business Models 197 © Bernd W. Wirtz | Digital Business and Electronic Commerce | May 2021 – Page 2 Table of Contents II Page Chapter 11: Digital B2B Business Models 224 Part III – Digital Strategy, Digital Organization and E-commerce 239 Chapter 12: Digital Business Strategy 241 Chapter 13: Digital Transformation and Digital Organization 277 Chapter 14: Digital Marketing and Electronic Commerce 296 Chapter 15: Digital Procurement 342 Chapter 16: Digital Business Implementation 368 Part IV – Digital Case Studies 376 Chapter 17: Google/Alphabet Case Study 377 Chapter 18: Selected Digital Case Studies 392 Chapter 19: The Digital Future: A Brief Outlook 405 © Bernd W.
  • Privacy and Security

    Privacy and Security

    Privacy and Security Sekar Kulandaivel, Jennifer Xiao - April 21, 2020 Understanding Contention-Based Channels and Using Them for Agenda Defense Spectre Attacks: Exploiting Speculative Execution Understanding Contention-Based Channels and Using Them for Defense (HPCA ‘15) Distrustful tenants living within a neutral cloud provider ● Shared hardware can be exploited to leak information ○ e.g. CPU usage vs. operation can expose secret key ● Two bodies of solutions: ○ HW-based: state-of-the-art is either limited in scope or requires impractical architecture changes ○ SW-based: HomeAlone forgoes shared hardware and permits only friendly co-residency, but still vulnerable to an intelligent attacker Threat model of a co-resident attacker ● Distrustful tenants violate confidentiality or compromise availability ● Goal: infer info about victim VM via microarchitectural structures e.g. cache and memory controllers ● Side-channel: victim inadvertently (oops!) leaks data inferred by attacker ● Covert channel: privileged malicious process on victim deliberately leaks data to attacker Known side-channels to transmit a ‘0’ or a ‘1’ (alt. exec.) ● Alternative execution attacks ○ Timing-driven: measure time to access memory portion ○ Access-driven: measure time to access specific cache misses Known side-channels to transmit a ‘0’ or a ‘1’ (parallel exec.) ● Parallel execution attacks ○ No time sharing required ○ E.g. Receiver monitors latency of memory fetch, sender either issues more instructions or idles Formal model of covert channels ● Detection failure (undetectable flow) = same rate of false positives and false negatives for both legitimate and covert traffic ● Network vs. microarchitectural channels: ○ Network receivers read silently ○ Microarch. receivers read destructively (overwrites when reading) ● Main insight: network channels are provably undetectable whereas microarch.