This is an open-notes, open-Internet, open-book exam. You may not consult with other people about the exam (except for Jeff Ondich, with whom you may discuss the exam as much as you like).
As promised, this test will be scaled to account for 20% of your grade, and the in-class test from earlier in the term will be scaled to 10%.
(10 points) Spying on Jeff.
For this exercise, assume that this Wireshark file was obtained at a coffee shop, focusing on the activities of one particular person (let's call him "Jeff"). Your job is to summarize in as much detail as you can what Jeff was up to during this short period of time. In particular:
(6 points) Timing password-cracking. In our second password-cracking lab exercise, I presented you with a simple password file including salt. This lab exercise ended with the questions: "By what factor has your password-checking slowed down? Why?" For this problem, please answer those two questions, with justification based on timing your actual password-cracking code.
Don't forget that it's easy to time a Unix process. Instead of running "python mypasswordcracker.py", you can run "time python mypasswordcracker.py".
(6 points) Cross-site creepiness. The other day, I was looking at a book on amazon.com. Five minutes later, I was taking a look at Facebook, and the first ad I saw was for that same book. It's a moderately obscure book from the 90's, so I'm not inclined to believe this was a coincidence. Somehow, Facebook got information from my amazon.com browsing history.
For this exercise, your job is to describe in technical detail how this was (or failing that, how it might have been) achieved. As always in this course, your explanation should shoot for clarity and brevity.
(6 points) I encrypted a message for you using 256-bit AES in CBC mode, converting the resulting encrypted message into base64 so I could print it here.
(10 points) Pokémon Go login choices. When I first launched Pokémon Go last summer, it offered me the choice to login with my Google/gmail account, or to create a "Pokémon Trainer Club Account" on the pokemon.com site. Knowing what I knew at that point (notably, that the game would be collecting and possibly saving my location data), I paused and did some research to help me decide: should I choose (1) login with Google, (2) create a Pokémon account and use that, or (3) just not play the game. And I wasn't the only one worrying about such questions. A few days later, Minnesota Senator Al Franken, a member of the Senate Privacy and Technology Subcommittee, sent a letter to Niantic, the creators of the game, and issued this press release describing his concerns.
Write a short report (on the order of one page) discussing the trade-offs involved in my Pokémon decision. You'll want to consider threats and specific mitigations that may be present or absent in the Pokémon Go login system, as well as issues of usability and utility. Don't tell me what to choose. Instead, give me a clear assessment of the costs and benefits of the different choices, with as much relevant technical detail as you can manage in space available.