Originally we intended this quiz to be an hour long, but the TAs think that it may take you up to 3 hours. You have 4 hours. Good luck!
Please copy this quiz into word processor and enter your response below each question. When you are finished, please upload the entire file using the form at the bottom of this page and and click "submit".
If you lose your Internet service during the quiz, please email your file as an attachment to firstname.lastname@example.org.
This quiz has 7 questions, 1 bonus question, and a total of 100 points (plus 15 possible bonus points.)
What is your name:
Question #1 (15 points).
This question concerns Chapter 20. A User-Centric Privacy Space Framework
Benjamin Brunk, in Cranor and Garfinkel.
1-a. What is Brunk's "Privacy Space?" Define the term.
1-b. Is a web browser such as Internet Explorer or FireFox an example of Privacy Software, as defined by Brunk?
1-c. No matter how you answered question #2, givefive examples of privacy features in a web browser. For each feature, explain whether the feature contributes to awareness, prevent, detection, response or recovery.
1-d. Explain how web browser cookies violate the Code of Fair Information Practice.
1-e. Propose a solution for web browser cookies that would bring them into the compliance with Fair Information Practice.
2-1. Why were the researchers at Cambridge studying Tempest Technology?
2-2. On a typical desktop computer, what is the component that is most responsible for RF emanations?
2-3. Imagine that a piece of hostile software is able to take over a computer and control the Num Lock, Caps Lock, and Scroll Lock lights on a keyboard. Assume that the maximum rate that each of these lights can be flashed in 100 times a second. Does this represent a realistic Tempest-style threat? Why or why not?
2-4. Does the ability to blink keyboard lights represent any kind of threat at all? Why or why not? If it represents a threat, explain how to exploit it and calculate the average data rate. How would you protect against such an exploit?
This question concerns Chapter 26. Anonymity Loves Company: Usability and the Network Effect Roger Dingledine and Nick Mathewson, in Cranor & Garfinkel and Roger Dingledine's class presentation.
3-1. Briefly explain how a TOR circuit is created.
3-2. How many servers are used to create a TOR circuit? Why?
3-3. Would the user's privacy be increased if he/she could increase the number of servers? Is this setting under the user's control? Why or why not?
This question concerns Chapter 23. Privacy Analysis for the Casual User with Bugnosis David Martin, in Cranor and Garfinkel
4-1. What is Bugnosis?
4-2. How does Bugnosis work?
4-3. Would you run Bugnosis?
4-4. What is the difference between Bugnosis and Privacy Bird?
4-5. What is a web bug anyway?
4-6. Is there a web bug on this web page?
This question concerns Chapter 21. Five Pitfalls in the Design for Privacy Scott Lederer, Jason I. Hong, Anind K. Dey, and James A. Landay, in Cranor and Garfinkel, and the class experience of obtaining and using Thawte certificates.
What are the five pitfalls? Explain each pitfall in a sentence or two, and explain how you encountered or avoided each pitfall in your attempts to acquire and use a Thawte personal certificate.
5-1. Pitfall 1: Obscuring potential information flow.
5-2. Pitfall 2: Obscuring actual information flow.
5-3. Pitfall 3: Emphasizing configuration over action.
5-4. Pitfall 4: Lacking course-grained control.
5-5. Pitfall 5: Inhibiting established practice.
6-1. What does a personal certificate from Thawte certify?
6-2. When you use a Thawte personal certificate, who is the relying party, and what are they relying on?
6-3. What is a Certificate Practices Statement?
Imagine that a hacker is able to steal the private key that was used to sign the Amazon SSL certificate for the server https://www.amazon.com/.
6-4. Describe how the hacker could use this private key to compromise the credit-card of an Amazon customer.
6-5. Describe a second attack that the hacker could perform with this key.
In the online discussion on LiveJournal, Professor Garfinkel posted an article about some software that Sony has put on its new computers. The software is designed to prevent users from making more than a few copies of their audio discs. The software uses root kit technology to remain hidden.
If you missed the article, you can view it here.
7-1. Write a short (3 paragraph) essay discussing whether or not you believe that Sony's use of this software violates the principles of Fair Information Practice. If you think that the program does violate FIP, were these violations addressed by Sony's publication of a program to "uncloak" its software?
This question is worth 5 points of extra credit.
It was recently reported that Windows Vista, due to be released next year, will have two significant improvements with respect to Internet Explorer's SSL implementation.