Wednesday, December 19, 2012

Final Grade

The problem I wrote about last time didn't appear to impact my grade, great!

Finished the semester with a 4.0. Whoo!

Monday, December 17, 2012

Winter break

Well, yesterday marked the end of my most recent semester. I was in charge of putting our paper through TurnItIn, reviewing the report, and submitting to our professor. It went terribly.

First, I ran the paper through TurnItIn and viewed the Similarity report. The web app was telling me the paper scored a 7% similar to its databases, but had nothing flagged in the paper. Commenting on it being weird to my wife, I downloaded the useless report and submitted the papers.

A few hours later, the rest of my team drew my attention back to the useless papers. Prompted by their concerns, I returned to TurnItIn and scanned around the app's interface. As it turns out, you can toggle off the report display so that it just shows what you submitted. Pointless, as I already have the file I submitted. So I toggled it on, downloaded the less useless report and submitted it again.

After a few more hours, the team contacted me concerned that my whole post was missing. Back to the website, attach the files again, and post.

Today, I got home from work and checked my email and the class page. (Note it is now after the submission deadline.) My attention is drawn, at prompting from my team, to the fact that TurnItIn claims a 3% match to This claim is really bizarre, as we don't even have a reference for in our paper. Looking into it, the service is correct and we submitted a paper with two paragraphs ripped nearly word for word from this paper by the United States Patent and Trademark Office. Ridiculous.

In an attempt to save the team from my mistake, I have submitted the following amendment to my Self and Peer Evaluation concerning the paper to the professor.

I need to amend my evaluation.

There are two paragraphs that made it to the submitted TEAMNAME paper which are pulled almost verbatim from without citation and without even a reference to

I had felt I was being harsh on TEAMMATE0 in what I turned it, but it was too light.

He did not attend the work planning, threw together a quick, plagiarized section which required significant maintenance to even look passable, and withdrew his support from any of the post-drafting collaboration.

That said, I was the one who ran the paper through turnitin. I did not catch the two paragraphs in time. TEAMMATE1, TEAMMATE2, and TEAMMATE3 attended the planning, communicated often, and carried out their assigned portions of the work. The failure to prevent the plagiarized paragraphs from making it to submission was on me. My first paper had a 10% score overall, and 9% to SCHOOL papers that I never had seen, so it made me lose any faith I had in the turnitin system, so I didn't delve into what the 7% score was. I didn't trust the scanner, so all I concerned myself with was making sure that the paper didn't hit the 15% threshold.

The majority of the TEAMNAME group performed their responsibilities to satisfaction and deserve to have their grade based on the merit of the writing. The blame for the Internet and User Furnished Device Policy sections falls to TEAMMATE0 for submitting it as his section and to me for not catching it during my review.

Thank you for taking the time to read this,

Matthew Molyett

Wednesday, December 12, 2012

Finals week

Well, this week is the team project that makes up our final. Hopefully it goes well. My big concern about it is to remember that I need to focus on the human aspects of cybersecurity, I tend to think in more technical terms.

Monday, December 10, 2012

Customer tracking and computer newbies

Topic - Are non-literate internet users are at a higher risk for experiencing identity theft, or is everyone now equally vulnerable – support your opinion. Explain specifically how end-user tracking and recording technologies may either increase or reduce cybersecurity risks for non-literate users when using the Internet, or when shopping at a brick and mortar establishment.

Yes, non-literate internet users are at a distinctly higher risk of identity theft. Lacking knowledge about how the internet results in users missing clues that can protect them. Clues that protect knowledgeable users:

  • http:// vs https:// Encrypted traffic hides your data from passive snooping.
  • Verified site and certificates. Browsers identify sites which have gone the extra step to prove their ownership to the certificate authorities. This protects customers from accidently logging in to This style of URL transform is especially challenging to detect.(Kumaraguru et al, 2010)
  • Spoofed email headers, which can give away that the email you just received is fake, so you should not click their link to

Customer tracking and recording can significantly decrease the cybersecurity risk for non-literate users. The login patterns for a victim of phishing, or other account theft, will experience a sudden change. The damage of a compromise is greatly decreased if the tracking company recognizes the change and freezes the account.

Nguyen & Hayes (2010) write about customers having greatly different views about the tracking and recording based on what technology is in use. Web services tend to rate as a much higher concern technologies such as electronic toll collection. I find this a bit odd, personally. Electronic tolls place you physically someplace, which is information that can be used to commit real, dangerous crime against you.

Slightly off-topic, but those loyalty cards can pose a significant physical security risk. If you registered your address with your card and always use it at the local shop, then using the card else where lets your movements be tracked. Specifically, if you use the card two states away, then it is a good indicator that the house at that address is probably empty.

Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., & Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology (TOIT), 10(2), 7.

Nguyen, D. H., & Hayes, G. R. (2010). Information privacy in institutional and end-user tracking and recording technologies. Personal and Ubiquitous Computing, 14(1), 53-72.

Sunday, December 9, 2012

Sacrificing privacy for... ugh

Topic - To what degree should US citizens and non US citizens have to give up privacy in the name of national security? Should US citizens be treated differently than non-US citizens? What factors, if any, influence this decision, tipping the scale to allow for less privacy in favor of national security?

Right off the bat, I would like to point out how incredibly subjective this topic is. The balance of personal liberty, especially privacy, versus state security is a constantly debated point in academic circles, political circles, and policy discussions.

What is privacy anyway? If we cannot define it, how can we discuss giving it up. If CNN was to run a story showing the outside of a house, with pictures, and revealing the full name and address pulled from the white pages, some people would call it an invasion of privacy. Pranevičienė (2011) reported numerous definitions of privacy:

  • "Privacy is not simply an absence of information about us in the minds of others, rather it is the control we have over information about ourselves"
  • "Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others"
  • "Privacy is a sweeping concept, encompassing (among other things) freedom of thought, control over one‘s body, solitude in one's home, control over personal information, freedom from surveillance, protection of one's reputation and it protection from searches and interrogations"
Given such sweeping definitions, basically anyone learning anything about you from anyone could be a violation of privacy. Such privacy is not defensible for citizens or non-citizens.

Concerning the easier to define privacy, the contents of our communications, there needs to be a refined focus to actionability of privacy violations. Privacy of communications with regard to law enforcement action is absolutely vital, and cannot be sacrificed for security. Citizens and non-citizens need to have freedom from every word they say or write to be potential evidence or circumstantial evidence.

Nonactionable privacy violations have no need to be protected. People do not fear pointless chit chat from being overheard in malls, precisely because the intercepted information is nonactionable. If collection for intelligence purposes was strictly nonactionable with regards to the target, then privacy would not need to be balanced against national security. The overlap of, or at least fear of, actionable law enforcement intercept with intelligence generation is what necessitates the balance.


Saturday, December 8, 2012

Anonymity and assisting society

Topic - Determine the extent that anonymity has helped better society, industry, and individuals. Does the malicious use of anonymity outweigh the positive benefits it provides?

Anonymity benefits society by easing the burden of charitable giving. Often, once a donation is made to a charity or such, that entity will continue to regularly solicit donations. I encountered this just after college. A small donation, via check, to St. Jude's Children's Hospital and I was receiving regular solicitation requests for years. By donating behind the screen of anonymity, generous patrons can give without regard for future communications. Kay, Salveggio, and Guess (2008) write that a rabbi from the 1300s, Maimonides, placed the label of second highest level of charity on giving anonymously to anonymous recipients.

The ability to perform acts of good, such as charitable giving, without ramifications unfortunately extends to acts of malice. The right to the privacy of ones behavior must be weighed against the right of others to be free from annoyance and danger. The impunity that one gains by anonymity enables great wrongs and so "traceable anonymity" (Kay, Salveggio, & Guess, 2008, pp 70-9) provides a good balance. It allows us to gain the privacy benefits of anonymity, but provides society a safeguard against overly malicious behavior; though only if the trace-ability is limited and guarded itself. An ISP that will turn over account information when presented with a valid court order (and only to a court order) provides reasonable traceable anonymity.

Kabay, M. E., Salveggio, E., & Guess, R. (2008) Anonymity and Identity in Cyberspace. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons.

1000 Reasons to keep writing

I went to check the activity on my blog and had 999 pageviews. My wife:"Hold on..."

Whoo! 1000 pageviews. I have noticed that my recognition of dangerous computer security practices has increased since starting this program. Hopefully the blog is helping those readers with their security.

I've write more in-depth soon about how I've noticed my own perceptions changing.

Wednesday, December 5, 2012

Pushing out the paper

Short post today because the week is really busy. I am in week 11 of 12 for my current class, so crunch time is starting.

As promised, here is the full paper Preventing Damage by Preventing Grade System Intrusions, although it is later than I meant to publish it. Out of every grade I have received during my Masters so far, this paper has scored the best. Hopefully it gives you something to think about.


Monday, December 3, 2012

Preventing Damage by Preventing Grade System Intrusions: Conclusion

Educational institutes such as colleges and schools have understandable reasons to desire use of electronic grading records. Such systems must be recognized for the dangers they pose as lucrative targets for hackers, crackers, and cheaters. The impact from unauthorized intrusions can be significant for the future of the students, even those whose records are not modified, as shown by Tyler Coyner graduating salutatorian. Coyner’s data manipulation stripped another student of their rightful honor as salutatorian (McMillan, 2011).

Defensive efforts must be made to address but the attack vectors to be utilized by intruders and the motivation driving the attack. Whenever possible, it is best to recognize the situations that may lead to an attack and defuse it in advance.

McMillan. (March 4, 2011). Top Student Charged With Fixing Grades for Cash. PCWorld. Retrieved from:

Preventing Damage by Preventing Grade System Intrusions: Attacker Vectors

Social Engineering

Non-technical theft of account information is a people problem and can be solved through policy and enforcement of said policy. Back in the first case study it was discussed that the attacker was alleged to have used the same account information numerous time, 110 times to be exact (Lupkin, 2012), over the course of two years. Such a situation cannot happen if passwords do not stay valid for that long. If the superintendent had updated her password every three months then the attack would have quickly lost access.

Another policy that can prevent such account compromises is strict rules on how to protect account information. Since Lupkin (2012) did not mention any technical tactics used, it is likely that Venusto received the account information in a more direct way, such as the victim having the data written down at her computer or even having handed over the account for some reason. It can be convenient for an upper official to give their information to a secretary, say to schedule meetings, but that should always be considered a critical security violation.

Attack Vector: Malware Infection

Edwin Kim collected his required account information via a software keylogger that he had installed on a shared workstation (Gibbons, 2012). Security policies which required and enforced the principle of least privilege would have prevented this compromise. A common user, as an average student should be at a university, will not have the privilege to install software which runs outside of their own session. Any changes which can impact the running environment of other users should require an administrator to perform. Additionally, high value targets such as professors should avoid sharing hardware with students. A student that exchanges the expected keyboard with a ‘value-added’ look-alike can then log their keystrokes even without installation privileges.

Attack Vector: Physical Security

Palos Verdes High School’s intrusion was the result of poor physical security. Defense in depth should have prevented access. Altman (2012) makes no mention of how the teens entered the grounds or the building, so one has to assume that those steps were fairly trivial. Both should have been secured and surveilled with either recording devices or human guards. Once inside, the intruders collected a master key after picking the lock on the janitors’ office. An object of such value as the master key should not be available just behind a lock that itself can open. Clearly, the protections on the key were significantly lacking.

Altman, L. (January 26, 2012). 3 Palos Verdes High students arrested in grade-tampering plot. Retrieved from:

Gibbons, M. (February 8, 2012). Bucks college student fails in attempt at an easy A. Retrieved from:

Lupkin, S. (July 19, 2012). Mom Arrested For Hacking School Computers to Change Kids' Grades. abc News. Retrieved from: