ITEC 345 2013fall ibarland

home—lects—hws
D2L—breeze (snow day)

paper-description
Course Paper

• Oct.23 (Wed) 14:00: Topic and Outline due.
• Nov.08 (Fri) 14:00: Draft due
• Nov.18 (Mon) 14:00: Paper due in class sharp
• Nov.21 (Thu) 10:00 sharp: Peer review due.
• Dec.06 (Fri) 14:00: Polished version due

In all cases, bring a hardcopy to class, and submit on D2L.

Pick a topic to research, and write a report (5-7 pages long) on that topic. I have provided a few sample topics below, however I encourage you to consider other security-related topics as well. The report must closely adhere to the format of an IEEE research paper, including citations. A sample format in MS word is available.

Be sure your paper is informative, specific, and well-written. You (or a lucky roommate) should give it a close read just before submitting, to catch any grammatical errors, missing words, inconsistent verb tenses, and the like. Ask the reader to tell you something specific that they learned from your paper (and, have in mind something that you hoped they learned, that they didn't know before).

Include a bibliography with at least two original (non-Wikipedia) sources. Citing web sources is okay (but at least one non-web source is preferred when possible). Your paper’s bibliography does not contribute toward the page count.

Turn-in details:

Here is what is expected for each of the deadlines above:

• (10%) Topic and outline. What is your paper topic, and what specific aspects will you be investigating? Give an outline of the structure of your paper (about 4 main sections/points, plus an intro and summary). Give approx. 2 paragraphs about what you find interesting, as well as resources you plan on using (specific books, etc.). Do you personally have a specific question you'll try to be answering, in the course of your paper? This paragraph should reflect your initial research.

  Bring hardcopy to class, and submit a copy on D2L.

• (10%) Draft: This is to make sure that you are making steady progress (and not leaving everything for the last week). It should have sections corresponding to a clear logical structure (based on your outline), although the exact text/examples will be rough, incomplete. It should be at least half of the final length, or more.

  Bring hardcopy to class, and submit a copy on D2L.

• (10%) Paper due. Submit on D2L, and submit a paper copy with a pseudonym For next time: Use your deterlab id? Or, the hash of: your userid ++ last 4 of sid? (e.g. “SoccerGenius” or “Xbox2Now!”). I will re-distribute the drafts randomly to your peers the next class.

  Details: Have your paper submitted on D2L (with both pseudonym and your name). Bring to class a hardcopy, with only your pseudonym on it. I will be re-distributing those hardcopies to your peer.

  This grade will just be one of 0%/25%/50%/75%/100%:
  100% if you turn in something that could be close to a final version (even if you end up revising it);
  75% for something that is short of a final version, but is still strong;
  50% for something that that is full of typos and poor writing and is painful for your peer to read;
  0-25% for something that is falls far short of a final version (e.g. only one page...).

• (5%) Peer Review: You will read and evaluate one other paper, looking for: content (informative, or vauge?), presentation (do you understand what the author was trying to say?) and grammatical errors.

  Your feedback will be returned to the author in class on Friday (after I acknowledge it); this means getting it to me the night before. We will discuss the exact logistics, in class.

  Peer Review instructions

  Mark up the hardcopy distributed to you, and return in class on Wed. (or under my office door by Thu. 10:00) with the items A-E below, written on it.

  Read the paper, marking (on the hardcopy) awkward sentences and typos (incl. “its”/“it's” and “their”/“they're”/“there”). It's not you're job to catch all typos, but you should give the paper a close read. For example, if there is a half-sentence which is filler that would actually strengthen/focus the writing if it were omitted, strike it through. You are encoruaged to to use standard proofreading marks.

  Summarize with the following 5 points (written on the hardcopy). For B,C,D, just rate how much you agree with the sentence:
  5: Agree strongly, 4: Mostly agree, 3: Kinda agree, 2: kinda disagree, 1: mostly disagree, 0: disagree strongly.

  1. “Reviewed by:” and your real name¹.
  2. “The paper was well-written at the sentence level — no distracting typos or convoluted sentences, no meaningless phrases, no sentence fragments; it was easy to understand.”
  3. “The paper was well-written at the paragraph/section level — well organized, well-reasoned, arguments supported, examples pertinent.”
  4. “I found the paper interesting to read, and feel now I have a solid and specific understanding of the particular topics discussed.”
  5. If the author were to spend 30-60min revising it, what should they focus on?
  For example, you might mark:

  1. Reviewed by: Ian Barland
  2. 4
  3. 2
  4. 4
  5. Good structure, but Section 4 felt kind of tacked on; maybe motivate it more, showing how it really is a variation on the overall theme? Interesting topic!

  Note that your feedback does not actually contribute to the author's grade — it contributes to yours! You'll get 5% of your grade based on if your evaluation is fairly close to mine². The purpose of having you review another's paper is to: (a) help them improve their paper, and (b) perhaps give you an improved perspective on your own writing.

• (65%) Polished version: Based on feedback from your peer, you may revise your paper as needed. (Of course, if you feel your peer's suggested feedback would weaken your paper, you're free not to take it.)

  Btw, be sure there are no typos in your title — I saw a number of titles that were slightly off, and the peer reviewer didn't necessarily catch/comment on it.

  Bring hardcopy to class, and submit a copy on D2L.

Content Standards

Be specific, not vague

In all cases, giving specific details and concrete examples and techniques is more important than giving general-but-nonspecific overviews.

For example, rather than saying: “Email is insecure, because messages can be forged.” instead, explain how it can be forged:

Email using SMTP doesn’t require authentication: it can be forged. The SMTP server receiving a message simply receives a string stating who the message is purportedly from; anybody connecting to the SMTP server can provide any message and claim any originator.

220 rucs.radford.edu ESMTP Postfix (Ubuntu) 
MAIL FROM:imposter@doppelganger.com
250 2.1.0 Ok
RCPT TO:victim@gmail.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
subject: help
As a Nigerian prince, I demand your bank account number! 
.
250 2.0.0 Ok

Similarly: Rather than just say loosely “DES is insecure”, be more precise:

An attacker can break DES with a brute-force attack: the 56-bit key has 256 ~ 72 quadrillion possible values. Although this is very large, it is on the edge of feasible: a network of 1000 students, using off-the-shelf desktop computers (3GHz processors), each taking 100 cycles to do each the 16-rounds of DES, could crack any key within 1.2yrs.

If you find yourself using terms like “can hack into” and “highly insecure”, strive to give concrete examples instead.

Avoiding plagiarism

A good approach to guard against plagiarism is to keep an hour (or better, one day) between reading and writing. That is, read various sources, and take brief notes. Then wait a day, letting the concepts stew. After that, sit down and try to clearly explain the important issues and concepts. If you find yourself getting stuck, or can't remember specific facts, go back and read but (again) wait a day before resuming that part of the writing.

Proof-reading

Even if you don't use Word/OpenOffice, you might want to paste your document into Word just to look for red and green grammar errors/warnings. Also, be sure to scan specifically for common mistakes: “its”/“it's”; “to”/“too”; “their”/“there”/“they're”.

If a roommate or friend is also working on a paper, swap proofreading with them. (You can also give them feedback on what is unclear, too wordy, etc..)

Use bulleted lists

When appropriate use bulleted lists (or enumerated lists, where the order is important). Using sub-sections can also help reveal the structure of your thinking.

Possible Topics (with some possible resources):

• Looking at current and recent security news, choose a sub-topic and give a summary of recent and ongoing events. Look at least two weeks back in archives, and follow the news for a week.

  Possible resources: 1. the comp.risks forum 2. the websites mentioned in class, for monitoring security issues. 2. Websites such as slashdot.org, reddit.com (/r/netsec, /r/ComputerForensics), Wired.

• Survey the various forms of malware and spyware.

  One possible resource: Malware: Fighting Malicious Code by Ed Skoudis and Lenny Zeltser (book available on safari catalog in the library).

• Survey the security of Android or iOS operating systems, including the App stores. How have specific attacks in the past worked? What controls/safeguards have been instituted, to guard against these attacks?
• What specific techniques has the NSA been reported as using, to break or bypass encryption? Do not only include generic info like “they worked with companies to gain access to customer-passwords”; instead find specific companies, requests, and techniques used. No points if you only provide information I read in non-technical outlets like newspapers!
• Review the working of the stuxnet worm.

  A couple of possible resources:

  • 1. An introductory video: http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html
  • 2. Nicolas Falliere, Liam O Murchu and Eric Chien, W32. Stuxnet Dossier http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

• Benevolent Viruses (how to use viruses for beneficial purposes)

  A couple of resources:

  • Fred Cohen, A Case for Benevolent Viruses, http://all.net/books/integ/goodvcase.html
  • Vojnovic, M., & Ayalvadi, G. J. (2008). On the race of worms, alerts, and patches. IEEE/ACM Transactions on Networking, 16(5), 1066-1079.

• Discussion of various security models: Bell-LaPadula, Biba, Clark-Wilson, Harrison-Ruzzo-Ullman, take-Grant

  Resources:

  • http://csc.uis.edu/center/resources/readings.html
  • http://www.acsac.org/2005/papers/Bell.pdf

• Give examples of both Diffie-Hellman and RSA, encrypting the same message in both system. Compare and constrast their approaches, including the practical usability of each, and their known weaknesses.

  Resource: textbook.

• Research stack-based buffer overflows.

  Resource: http://insecure.org/stf/smashstack.html

• Bitcoin – how it works technically. Why can’t I copy my currency-file, and use it twice?

  Task: Give an example of a “microbitcoin” example where you work through the exact math, except everything is just 3 digits (mod 1000): coins are merely 3-digit numbers, and (for example) person#i’s public key might be “multiply a message by the i’th prime number that doesn’t contain a multiple of 2 or 5; take that result mod 1000”. That is, person#1 mutiplies by 3 mod 1000; person#2 by 7, and person#3 by 11. Using something like that, then work through the exact steps involved with person#1 selling coin#99 to person#2, who in turn sells it to person#3. What is the resulting coin, exactly?

• What is DNS Poisoning? What difficulties are there, in carrying it out? How can network administrators detect and stop a DNS poisoning attack?
• Survey the security of Web-browser extensions

  Resources:

  • http://webblaze.cs.berkeley.edu/2010/secureextensions/
  • http://lifehacker.com/5770947/five-best-browser-security-extensions

home—lects—hws
D2L—breeze (snow day)

©2013, Ian Barland, Radford University Last modified 2013.Dec.08 (Sun)

Please mail any suggestions (incl. typos, broken links) to ibarlandradford.edu