CPSC 315 Final

100 Terms

1

Chapter 3 - Network Communications

2

Spam

Unsolicited bulk e-mail, usually sent out by bots to generate profit

3

Forms of direct censorship

  • Government monopolization

  • Pre-publication review

  • Licensing and registration

  • Self-censorship: most common form of censorship, occurs when a group decides for itself not to publish, in order to avoid subsequent persecution and maintain good relations

4

Jeremy Jaynes

First person in the world to be charged with “felony spam”, although he was later acquitted

5

FCC v. Pacifica Foundation et al.

1973 U.S. Supreme Court case where Pacifica sued the FCC for being issued a declaratory order after the broadcasting of George Carlin’s “Filthy Words”. It was ruled that the FCC did not violate the 1st Amendment.

6

Web filter

Software that prevents the display of certain web pages, either on an individual PC or through an ISP service

7

Child Internet Protection Act

Libraries receiving federal networking funds must filter pages containing obscenity or < 18 pornography. The Supreme Court ruled in 2003 that it didn’t violate the 1st amendment

8

Jesse Logan

An 18 year old girl who took her life after an ex-boyfriend circulated nude pictures of her to a large number of their high school peers

9

Phillip Alpert

18 year old charged with sending < 18 pornography and forced to register on the SO registry, after sending a nude picture of his girlfriend to her friends and family

10

Ting-Yi Oei

Assistant principal at Freedom High School who was wrongfully charged with possession of < 18 pornography after investigating a “sexting” incident at his school

11

Identity theft

When a person uses another person’s electronic identity (e.g. credit card fraud)

12

Phishing

Use of e-mail to attempt to deceive people into revealing personal information

13

Cyberbullying

Use of the Internet or phone system to inflict psychological harm

14

Ghyslain Raza

Received harassment and violent threats, and was told to commit suicide, after a video of him later called “Star Wars Kid” went viral online

15

Megan Meier

13 year old who committed suicide after receiving cruel messages from a 47 year old woman posing as a 16 year old boy. Her case led to the creation of the Megan Meier Cyberbullying Prevention Act

16

Contributing factors to Internet addiction

  • Social factors

    • Peer groups

  • Situational factors

    • Stress

    • Lack of social support and intimacy

    • Limited opportunities for productive activity

  • Individual factors

    • Tendency to pursue activities to excess

    • Lack of achievement

    • Fear of failure

17

Chapter 6 - Privacy and Government

18

What are the competing desires of citizens that governments must balance in regards to privacy?

  • Desire to be left alone

  • Desire for safety and security

19

Solove’s Taxonomy of Privacy

  • Information collection: activities that gather personal information

  • Information processing: activities that store, manipulate, and use personal information that has been collected

  • Information dissemination: activities that spread personal information

  • Invasion: activities that intrude upon a person’s daily life, interrupt someone’s solitude, or interfere with decision making

20

Employee Polygraph Protection Act

1988 law that prohibits private employers from using lie detector tests for employment. Federal, state, and local governments are exempt from this law

21

Children’s Online Privacy Protection Act

Requires online services to gain parental consent before collecting information from children 12 and under

22

Genetic Information Nondiscrimination Act

Employers and health insurance companies can’t request genetic information or use it to make decisions. Exceptions are made for other types of insurance, such as life, disability, and long-term care, as well as for small companies (< 15 employees)

23

Examples of information collection by the government

  • Census records

  • IRS records

  • FBI National Crime Information Center

  • OneDOJ Database

  • CCTV cameras

  • License plate scanners

  • Police drones

24

Olmstead v. United States

1928 U.S. Supreme Court case which ruled that wiretapping is okay without a search warrant

25

Nardone v. United States

1939 U.S. Supreme Court case which ruled that wiretapping is not okay without a search warrant

26

Katz v. United States

1967 U.S. Supreme Court case which ruled that a search warrant is needed to place a bug (hidden microphone)

27

Operation Shamrock

Continuation of WWII interception of international telegrams, expanded to phone calls under the NSA

28

Carnivore Surveillance System

FBI monitoring system created to monitor Internet traffic

29

TALON Database

Created by the Department of Defense in 2003 to contain reports of suspicious activities or terrorist threats near military bases; it later included reports of anti-war protests

30

Chapter 7 - Computer and Network Security

31

Why is computer security important?

Networked computers are used for shopping, banking, managing personal information, and controlling industrial processes. A lack of security can lead to stolen information, extortion, and attacks on critical infrastructure.

32

Original vs. modern meaning of "hacker"

Original: An explorer, risk taker, or system innovator (e.g., MIT Tech Model Railroad Club in the 1950s)

Modern: Someone who gains unauthorized access to computers and computer networks

33

Methods to obtain usernames and passwords

  • Eavesdropping

  • Dumpster diving

  • Social engineering

  • Brute-force searches

  • Dictionary attacks

34

Password best practices

  • Don’t use short passwords

  • Don’t use dictionary words

  • Don’t rely on substituting numbers for letters or vice versa

  • Don’t reuse passwords

  • Give ridiculous answers to security questions

  • Enable two-factor authentication

  • Have password recoveries sent to a secure e-mail address

35

Computer Fraud and Abuse Act

Criminalizes a wide variety of hacker-related activities with a maximum penalty of 20 years in prison and a $250,000 fine

36

Electronic Communications Privacy Act

Prohibits intercepting any form of data transmission as well as storing of email messages without authorization

37

FBI vs. Apple (2015-2016)

After the San Bernardino attack, the FBI asked Apple to create a backdoor to unlock the shooter's iPhone. Apple refused, arguing it would harm all users. The DOJ withdrew the request after finding another way to access the phone.

38

Sidejacking

Hijacking an open Web session by capturing a user’s cookie; a serious concern on unencrypted wireless networks

39

Firesheep

A Firefox extension released in 2010 that made sidejacking easy. It had over 500,000 downloads in the first week and led Facebook and Twitter to add secure browsing options.

40

Firesheep: Ethical analysis

Act utilitarian view: Good, because it forced websites to improve security. Kantian view: Wrong, because victims were used as a means to an end.

41

Virus

Self-replicating code embedded within a host program. Spreads through downloads, email attachments, flash drives, and CDs.

42

Worm

Self-contained program that spreads through a computer network by exploiting security flaws in networked computers

43

The Internet Worm (Morris Worm)

Released onto the Internet from an MIT computer by Robert Morris Jr. in 1988. Led to significant numbers of Unix computers crashing for a day until fixes could be published. Morris was suspended from Cornell, given 3 years of probation, 400 hours of community service, and fined $150,000.

44

Sasser worm

Infected 18 million computers and disrupted Delta Airlines, the European Commission, Australian railroads, and the British coast guard. The creator, Sven Jaschan, received 30 hours of community service and 18 months of probation.

45

Conficker Worm (Downadup)

Appeared in 2008 on Windows computers. It was difficult to eradicate and affected legacy systems in factories and healthcare facilities. Its main purpose was to spread itself

46

Cross-site scripting (XSS)

Injecting malicious scripts into a website that get executed in a victim’s browser; allows for stealing cookies, tracking user activity, etc.

47

Drive-by Downloads

Unintentional downloading of malware caused by visiting a compromised website or clicking on a pop-up.

48

Trojan Horse

A program that appears harmless but has a hidden malicious purpose

49

Backdoor Trojan

A type of Trojan that gives the attacker remote access to the victim's computer.

50

Ransomware

Malware designed to extort money from a victim or entity by encrypting the victim’s data and demanding a ransom for decryption

51

Rootkits

A set of programs that grant privileged access to a computer. They activate on boot and use security privileges to hide themselves.

52

Spyware

Program that monitors a victim’s browsing, keystrokes, and screenshots over an Internet connection without the user's knowledge

53

Adware

Spyware that displays pop-up ads related to the user’s activity

54

Bot, Botnet, Bot Herder

Bot: backdoor Trojan that responds to commands from a control program

Botnet: collection of bot-infected computers (some contain over 1 million machines)

Bot herder: person who controls a botnet and uses it for spam or DDoS attacks.

55

Bring Your Own Device pros and cons

+ Employers reduce hardware/software expenditures

+ Increased productivity and job satisfaction

- Company data may be compromised if device is stolen

- Insecure device can make company vulnerable to a data breach

56

BYOD policy questions

  • What are the security standards for personal devices?

  • What apps can employees run from their devices?

  • What level of support will the company’s IT department provide?

  • Does the company have the right to erase all data from a personal device that has been stolen?

  • When employees leave the company, how will company data be removed from their devices?

57

Phishing vs Spear-phishing

Phishing: large-scale effort to gain sensitive information from gullible computer users

Spear-phishing: variant of phishing in which email addresses are chosen selectively to target a particular group of recipients

58

SQL Injection

An attack where the attacker inserts a SQL query into a web application's input field to extract sensitive data from the database.

59

DoS vs DDoS

Denial-of-Service (DoS) attack: intentionally preventing legit users from using a service

Distributed Denial-of-Service (DDoS) attack: DoS attack launched from a botnet

60

Mirai botnet / Dyn attack (2016)

A massive DDoS attack on Dyn, a DNS provider, using approximately 100,000 IoT devices (routers, cameras, baby monitors). It made Netflix, Twitter, Spotify, and PayPal unreachable for hours. IoT devices were vulnerable because many had default or no passwords

61

Why are IoT devices easy to attack?

  • Some devices don’t have password protection

  • Default passwords are often not changed

62

Jeanson James Ancheta (“Zombie King”)

Leader of a hacker network called the “Botmaster Underground” which hijacked tens of thousands of computers nationwide, and then rented out the “zombie” machines to customers who wanted to attack corporate networks. He was sentenced to 57 months in prison.

63

PharmaMaster

Ringleader of one of the world’s largest spam gangs, responsible for a DDoS attack against a spam deterrence system named Blue Frog

64

Cyber attack

Computer-to-computer attack that undermines the confidentiality, integrity, or availability of a computer or the information on it

65

Notable politically motivated cyber attacks

Estonia (2007), Georgia (2008 and 2009), Iran (2009), and Twitter (August 2009, linked to the Georgia-Russia conflict)

66

Supervisory Control and Data Acquisition (SCADA) Systems

Automated and centralized monitoring systems for industrial processes that use the Internet Protocol; less expensive and easy to maintain, but they carry security risks

67

Stuxnet Worm (2009)

Created by the United States and Israel. It attacked SCADA systems running Siemens software in Iranian uranium enrichment facilities and led to a temporary shutdown of Iran’s nuclear program

68

Unit 61398 (PLA) cyber espionage

A Chinese military unit responsible for hundreds of data breaches over a decade. It is the prime suspect in the 2015 OPM breach, which exposed the data of 22 million Americans.

69

Anonymous

A loosely organized hacktivist movement. Notable targets include the Church of Scientology (2008), RIAA/MPAA (2009), organizations that froze WikiLeaks funds (2009), and Jihadist groups (2015).

70

Pros and cons of online voting

+ Higher voter turnout

+ Faster vote counting

+ Higher accuracy

+ Lower costs

- Unfair advantage to people with home computers

- Difficult to maintain voter privacy

- Obvious targets for cyberattacks

- Home devices may be less secure

- Susceptible to phony vote servers

- No physical records for auditing/recounts

71

Online voting: Conclusion

There is a strong case against online voting for now because systems are vulnerable to widespread fraud, home computer security is weak, and there are no paper records

72

Chapter 8 - Computer Reliability

73

Types of data-related failures

  1. Inputted data was incorrect

  2. People’s interpretation of retrieved data was incorrect

74

Disenfranchised voters (Florida 2000)

Thousands of voters were disqualified because incorrect database records mistakenly identified them as felons. This may have affected the election outcome.

75

False arrests (NCIC records)

Several people were arrested multiple times due to incorrect records in the NCIC database. In 2003, the Justice Department announced that the FBI is not responsible for the accuracy of NCIC information.

76

Software and billing error examples

  • Qwest sent incorrect bills (2001).

  • Grammar and spell checkers actually increased errors in some cases

  • A London ambulance dispatch system failure contributed to 20 deaths

  • A Malaysia Airlines autopilot failure caused a sudden 3,000-foot climb.

77

Amazon/iPaq pricing error

Amazon offered the HP iPAQ for £7 instead of £275, leading to a flood of orders. In response, Amazon shut down the site and refused to deliver for the incorrect price, because their terms and conditions stated that a sale is only legally binding when the item is physically shipped and the payment is debited

78

Patriot Missile Defense System Failure (1991)

An anti-aircraft missile system used during the Gulf War that failed to shoot down a Scud missile that killed 28 soldiers. The system was designed to run for only a few hours but was kept running for over 100 hours. Small clock errors accumulated into a 687-meter tracking error

79

Ariane 5 failure

The rocket self-destructed 40 seconds into its maiden flight, destroying $500 million worth of satellites. The cause was a software error where a floating-point value was assigned to an integer, raising an exception that was not handled. The code had been reused from the Ariane 4, where this error was impossible.

80

AT&T Long Distance Network Failure

Disruption of half of the telephone-routing switches due to an error in a single line of code. It led to 70 million calls being unable to go through and 60,000 people losing service completely, as well as AT&T losing revenue and credibility

81

Loss of Mars Climate Orbiter

Mars satellite that disintegrated in the Martian atmosphere. The cause was that Lockheed Martin’s design used English units while the Jet Propulsion Lab’s design used metric units

82

Denver International Airport failure

The automated baggage handling system was too complex for the development team and the timeline was too short. This caused a 16-month delay in opening the airport, costing the city $1 million per day. A conventional baggage system had to be added.

83

Tokyo Stock Exchange error

A Mizuho Securities employee accidentally ordered 610,000 shares at 1 yen, instead of 1 share at 610,000 yen, and overrode the computer’s warning. Mizuho was unable to cancel the order due to a software bug, resulting in $225 million lost buying back shares

84

DRE voting machines

Direct Recording Electronic voting machines were funded by the Help America Vote Act of 2002. Issues included failure to record votes, overcounting, vulnerability to tampering, and no paper audit trail. Many states have since replaced them with optical scan ballots that use paper for auditing.

85

Therac-25

A radiation therapy machine developed by Atomic Energy Commission Limited (AECL). It accidentally killed several people with radiation overdoses, caused by race conditions in the internal software and a lack of fail-safes

86

Therac-25: Moral responsibility

The Therac-25 team is morally responsible because they built the device that caused harm and were negligent in its design.

87

Automation of Driving

Created by SAE International (previously Society of Automotive Engineers)

  • SAE Level 0: No Automation

  • SAE Level 1: Driver Assistance (e.g. cruise control)

  • SAE Level 2: Partial Automation (steering and acceleration)

  • SAE Level 3: Conditional Automation (dynamic driving but will request human intervention, like Tesla Autopilot)

  • SAE Level 4: High Automation (dynamic driving without human intervention under most conditions, like Waymo One)

  • SAE Level 5: Full Automation

88

Tesla Autopilot (Version 7.0)

Released in October 2015 with software that could control speed and steering (Level 2/3 automation). Tesla warned that the driver was still responsible.

89

Tesla fatal accident (May 2016)

Joshua Brown was killed when his Tesla, traveling at 74 mph, struck a semitrailer truck. The Autopilot had been engaged for 37 minutes, but Brown's hands were on the wheel for only 25 seconds. The brakes did not apply because the white trailer's radar signature looked like an overhead sign.

90

Hand-off problem

When drivers lose attention, they need 3 to 7 seconds to regain control, but accidents often happen in less than 3 seconds. This is why Ford, Volvo, and Google are skipping Level 3 automation entirely.

91

Tesla accident: Moral responsibility

Responsibility is shared among the truck driver (failed to yield), Joshua Brown (speeding and inattentive), and Tesla engineers (released a Level 3 product without solving the hand-off problem and allowed Autopilot to operate while speeding).

92

Uber autonomous vehicle program

Uber rapidly developed autonomous vehicles because it saw failure to do so as an existential threat. Testing began with two safety operators, but by Fall 2017, Uber reduced this to one operator despite complaints that it would be harder to stay alert. Uber also turned off automatic emergency braking to reduce false positives, making the human operator solely responsible for emergency braking without any system alerts.

93

Uber fatal accident (March 2018)

In Tempe, Arizona, an Uber test vehicle traveling at 43 mph struck and killed a pedestrian crossing the road in dark conditions. The system detected the pedestrian 6 seconds before the collision but struggled to classify the object. It determined that emergency braking was needed 1.3 seconds before impact but did not alert the driver. The safety operator was looking at a screen and may have been streaming a video.

94

Uber accident consequences

The pedestrian died. The Arizona governor suspended Uber's testing program. Uber shut down the facility and terminated 300 safety operators.

95

Computer simulations

Simulations are used to replace physical experiments that are too expensive, unethical, or impossible. They can also model past events and predict the future.

96

Verification vs Validation

Verification: does the program correctly implement the model?

Validation: does the model accurately represent the real system?

97

SDLC stages

  1. Specification (Requirements Analysis): Determine requirements and feasibility.

  2. Development (Design and Implementation): Create the design and build the software.

  3. Validation (Testing): Ensure the software meets specifications and user needs. Exhaustive testing is impossible; testing can reveal bugs but cannot prove there are none.

98

Bias in AI training sets

When AI systems are trained on biased data, their performance is affected. For example, facial recognition systems trained on data that was 75% male and 80% white misidentified the gender of darker-skinned females up to 35% of the time

99

Shrinkwrap warranties

Software warranties typically state that the user accepts the software "as is." No vendors accept liability for harm caused by using their software.

100

Software liability

The Uniform Commercial Code (UCC) applies to mass-marketed software, which courts often consider a "good." Courts have ruled that "accept or return" agreements are valid and enforceable. If software were considered a product, strict liability would apply, making the maker liable for personal injury or property damage caused when the product is used as intended. This mainly affects embedded systems like medical devices.