Midterm Quiz

Originally we intended this quiz to be an hour long, but the TAs think that it may take you up to 3 hours. You have 4 hours. Good luck!

Please copy this quiz into word processor and enter your response below each question. When you are finished, please upload the entire file using the form at the bottom of this page and and click "submit".

If you lose your Internet service during the quiz, please email your file as an attachment to csci_e-170@ex.com.

This quiz has 7 questions, 1 bonus question, and a total of 100 points (plus 15 possible bonus points.)

Good luck.

What is your name:

Question #1 (15 points).

This question concerns Chapter 20. A User-Centric Privacy Space Framework Benjamin Brunk, in Cranor and Garfinkel.

1-a. What is Brunk's "Privacy Space?" Define the term.

1-b. Is a web browser such as Internet Explorer or FireFox an example of Privacy Software, as defined by Brunk?

1-c. No matter how you answered question #2, givefive examples of privacy features in a web browser. For each feature, explain whether the feature contributes to awareness, prevent, detection, response or recovery.

First Feature:

Second Feature:

Third Feature:

Fourth Feature:

Fifth Feature:

1-d. Explain how web browser cookies violate the Code of Fair Information Practice.

1-e. Propose a solution for web browser cookies that would bring them into the compliance with Fair Information Practice.


Question #2. (15 points)

This question concerns Kuhn, Markus G., Anderson, Ross, "Soft Tempest: Hidden Data Transmissions Using Electromagnetic Emanations", David Aucsmith (Ed.): Information Hiding 1998, LNCS 1525, pp. 124-142, 1998.

2-1. Why were the researchers at Cambridge studying Tempest Technology?

2-2. On a typical desktop computer, what is the component that is most responsible for RF emanations?

2-3. Imagine that a piece of hostile software is able to take over a computer and control the Num Lock, Caps Lock, and Scroll Lock lights on a keyboard. Assume that the maximum rate that each of these lights can be flashed in 100 times a second. Does this represent a realistic Tempest-style threat? Why or why not?

2-4. Does the ability to blink keyboard lights represent any kind of threat at all? Why or why not? If it represents a threat, explain how to exploit it and calculate the average data rate. How would you protect against such an exploit?


Question #3 (15 points)

This question concerns Chapter 26. Anonymity Loves Company: Usability and the Network Effect Roger Dingledine and Nick Mathewson, in Cranor & Garfinkel and Roger Dingledine's class presentation.

3-1. Briefly explain how a TOR circuit is created.

3-2. How many servers are used to create a TOR circuit? Why?

3-3. Would the user's privacy be increased if he/she could increase the number of servers? Is this setting under the user's control? Why or why not?


Question #4 (15 points)

This question concerns Chapter 23. Privacy Analysis for the Casual User with Bugnosis David Martin, in Cranor and Garfinkel

4-1. What is Bugnosis?

4-2. How does Bugnosis work?

4-3. Would you run Bugnosis?

4-4. What is the difference between Bugnosis and Privacy Bird?

4-5. What is a web bug anyway?

4-6. Is there a web bug on this web page?


Question #5 (10 points)

This question concerns Chapter 21. Five Pitfalls in the Design for Privacy Scott Lederer, Jason I. Hong, Anind K. Dey, and James A. Landay, in Cranor and Garfinkel, and the class experience of obtaining and using Thawte certificates.

What are the five pitfalls? Explain each pitfall in a sentence or two, and explain how you encountered or avoided each pitfall in your attempts to acquire and use a Thawte personal certificate.

5-1. Pitfall 1: Obscuring potential information flow.

5-2. Pitfall 2: Obscuring actual information flow.

5-3. Pitfall 3: Emphasizing configuration over action.

5-4. Pitfall 4: Lacking course-grained control.

5-5. Pitfall 5: Inhibiting established practice.


Question #6 (15 points)

This is your another question about certificates.

6-1. What does a personal certificate from Thawte certify?

6-2. When you use a Thawte personal certificate, who is the relying party, and what are they relying on?

6-3. What is a Certificate Practices Statement?

Imagine that a hacker is able to steal the private key that was used to sign the Amazon SSL certificate for the server https://www.amazon.com/.

6-4. Describe how the hacker could use this private key to compromise the credit-card of an Amazon customer.

6-5. Describe a second attack that the hacker could perform with this key.


Question #7 (15 points)

In the online discussion on LiveJournal, Professor Garfinkel posted an article about some software that Sony has put on its new computers. The software is designed to prevent users from making more than a few copies of their audio discs. The software uses root kit technology to remain hidden.

If you missed the article, you can view it here.

7-1. Write a short (3 paragraph) essay discussing whether or not you believe that Sony's use of this software violates the principles of Fair Information Practice. If you think that the program does violate FIP, were these violations addressed by Sony's publication of a program to "uncloak" its software?


Bonus Question #8 (15 bonus points)

This question is worth 5 points of extra credit.

It was recently reported that Windows Vista, due to be released next year, will have two significant improvements with respect to Internet Explorer's SSL implementation.

  1. SSL 2.0 will be disabled by default; SSL 3.0 and TLS 1.0 will be required.
  2. IE7 will block access to SSL-enabled websites that have certificates that are expired or that are signed by unknown CAs.
  3. The 256-bit version of AES will be supplied.
The first point is beyond the scope of what was discussed in class. However, given what you know, discuss the impact that improvements #2 and #3 are likely to have on end-user security.


Your answer: