In-class Quiz #1

This is an open-notes, open-Internet, open-book exam. You may not consult with other people about the exam (except for Jeff Ondich, with whom you may discuss the exam as much as you like).

As promised, this test will be scaled to account for 20% of your grade, and the in-class test from earlier in the term will be scaled to 10%.

  1. (10 points) Spying on Jeff.

    For this exercise, assume that this Wireshark file was obtained at a coffee shop, focusing on the activities of one particular person (let's call him "Jeff"). Your job is to summarize in as much detail as you can what Jeff was up to during this short period of time. In particular:

    1. Identify as many computers as possible (by one or more of IP address, MAC address, DNS name, etc.) that were involved with Jeff's activities.
    2. List the actions Jeff took during the time we have information for.
    3. List any usernames or passwords you can find in the record.
    4. What specific software did Jeff use for his activities?
    5. What non-Jeff-centered activities, if any, are captured in this file?
    6. If you discovered anything else interesting, include it (concisely) here.
  2. (6 points) Timing password-cracking. In our second password-cracking lab exercise, I presented you with a simple password file including salt. This lab exercise ended with the questions: "By what factor has your password-checking slowed down? Why?" For this problem, please answer those two questions, with justification based on timing your actual password-cracking code.

    Don't forget that it's easy to time a Unix process. Instead of running "python mypasswordcracker.py", you can run "time python mypasswordcracker.py".

  3. (6 points) Cross-site creepiness. The other day, I was looking at a book on amazon.com. Five minutes later, I was taking a look at Facebook, and the first ad I saw was for that same book. It's a moderately obscure book from the 90's, so I'm not inclined to believe this was a coincidence. Somehow, Facebook got information from my amazon.com browsing history.

    For this exercise, your job is to describe in technical detail how this was (or failing that, how it might have been) achieved. As always in this course, your explanation should shoot for clarity and brevity.

  4. (6 points) I encrypted a message for you using 256-bit AES in CBC mode, converting the resulting encrypted message into base64 so I could print it here.

    Message:
      iQypXaVaW310XGWugLmfJdbsKcN1vqhmTIACTgOSp2PvzHJNltTN5jGuaep2Z9nL
      kywykwQ+RVsszAjoaPmZhf7gDiESdb5sMoZ8uGAl+z0IypaAoCTon5LV5orbbG16
      5omVlwvNKny69giS0TSrlBfjKfxTi48lmhPa1JpuL5A2suF/WzgNf0M6rE45zRzX
      tcGtEeSzl07nGeiMpDGGAqDT5Sue174IrIxN8erA3jCzzoaHKIMcbq+SEv+8HUFj
    Key: 2FE7CEC3131FA9662906ECFB2EAC8A49E8CC99E7B9D690F6426543340A335124
    IV: BE5B6338E976BF59C0A5558F1516347E

    1. What relation does "256-bit" have to the information above?
    2. What is "CBC mode"?
    3. What is "IV"?
    4. What message did I send you?
    5. What procedure (command, website, whatever) did you use to discover my message? (In wrangling the tools, you might find it useful to notice that I did not include Salt with my Key and IV.)
  5. (10 points) Pokémon Go login choices. When I first launched Pokémon Go last summer, it offered me the choice to log in with my Google/gmail account, or to create a "Pokémon Trainer Club Account" on the pokemon.com site. Knowing what I knew at that point (notably, that the game would be collecting and possibly saving my location data), I paused and did some research to help me decide: should I choose (1) log in with Google, (2) create a Pokémon account and use that, or (3) just not play the game. And I wasn't the only one worrying about such questions. A few days later, Minnesota Senator Al Franken, a member of the Senate Privacy and Technology Subcommittee, sent a letter to Niantic, the creators of the game, and issued this press release describing his concerns.

    Write a short report (on the order of one page) discussing the trade-offs involved in my Pokémon decision. You'll want to consider threats and specific mitigations that may be present or absent in the Pokémon Go login system, as well as issues of usability and utility. Don't tell me what to choose. Instead, give me a clear assessment of the costs and benefits of the different choices, with as much relevant technical detail as you can manage in the space available.