Overview

Let’s go into a little more detail about what we’re going to do for this WebQuest. Essentially I’m going to ask you to gather some data and take some notes about it, think about what that process meant to you, and then educate yourself about how you might change your behavior on the 'web in light of your findings.

This can be an intensely personal experience, and you might not be willing to share all of your findings. Just remember this is an exercise for you to learn about these topics on your own. I’m interested in discussing how the experience might change your behavior or how you think about social media and not the specifics of what you did during these activities!

Activity I: Information Exposure

Important
Potential Discomfort Ahead!

The upcoming process might be a little unnerving, or, depending on your constitution, downright disturbing. It’s intended to shake you up a little and to make you really think about it—maybe even get a little metacognition going.

It also may be tempting to look up your friends. That’s natural and quite fun! After all, many of us enjoy spy movies or fiction in one form or another. Just be aware that this isn’t fiction. Make use of the integrity competency and keep both your and others' best interests at heart.

Please remember that when I ask you to take notes about things you find online about yourself, I’m not asking you to write down the specifics. For example, if you find your cellphone number you can just note that you found the number. There’s no need to write down the actual number itself.

You’re going to use some search engines as well as any social media services you have to gather data about yourself. As you find information, please jot down some notes:

  • What kind of information did you find?

  • Where might this information have come from (Facebook, Twitter, etc)?

  • What kind of value does that information have?

  • Are you concerned about that information being publicly available?

Here are some search engines to get you started. For a truly exhaustive list, you can look here. Some sites will ask you to pay to get the "full results." You’re not required to do so, nor do I encourage it, but be aware that such is the case.

Tip
Digging Deeper

Remember to really dig deep. Try to combine information from multiple sites to get a more complete picture. Here’s few things you might try:

  • If you get a phone number or other piece of information from one site, you can search for that phone number on a different site.

  • If you’ve lived in multiple places, you might try looking for yourself in places where you used to live.

  • Try to find your Amazon.com wishlist here.

  • Once you’ve found a potential home address, you can use Google Street View to find out what kind of car you drive, what color your house is, what kind of neighborhood you live in, etc.

Remember one of our five competencies is creativity. Don’t be afraid to get creative, but do stay within the bounds of legality and common sense.

You can also look on Facebook, Google+, MySpace, or any other social media site you can think of. Try to stick to what would be available publicly on these social media sites. And yes, I know it’s tempting to just hang around on Facebook, but you’re only going to get as much out of this activity as you put in. Please be cognizant of how you spend your time!

Here’s some example questions you can try answering using these sites:

  • What’s your mother’s maiden name?

  • How much money does your family make?

  • What color is your house?

  • What kind of car do you or your parents drive?

  • What was your high-school mascot?

Warning
So how exposed are you, really, and what does that even mean?

This is a tough portion of the assignment. It’s not clean and well-structured because everyone’s footprint on the Internet will be different. Heavy social media users may have more information floating about, for example. Don’t be upset if you had a hard time finding information about yourself—that’s likely a good thing!

The point of this exercise was to illustrate the concept of information exposure. This will mean different things to different people—I’d imagine that exhibitionists and hermits might not agree on the definition.

As such, I can only offer my own definition, which may differ than yours. A difference could mean that you disagree with me on the nature of privacy, have an alternative attitude towards social interactions, or just plain disagree. That’s okay! The point was for you to develop your own definition and understanding.

That said, information exposure, to me, is the degree to which I have lost control over information about me. I’ll give a concrete example, which should hopefully clear up any confusion. Say I shop on Amazon.com, but decide that I don’t want to buy the product I was interested in right now, so I add it to my Amazon.com wish list. In doing so, I know I’ve told Amazon what I want to buy, and they’re going to use it to suggest similar or related products to buy based on my wish list and purchase history. So already, I’ve ceded my purchasing habits to Amazon. What I might not realize is that I’ve also let the world know what I want to buy, because Amazon wish lists are, by default, publicly visible, never mind that it might show my home address as well.

While this is useful if one of my friends wants to buy me a gift, it could potentially be embarrassing if I have some unusual shopping habits. This kind of information exposure or leakage might seem easily dismissed, but it could easily affect my employment options, social life, or personal relationships. In short, the simple act of wishing I had a certain product told potentially everyone on the planet something private about me. That information is now exposed, and the value it had can be used against me.

Deliverables

As homework for Activity I, I expect you to write a short reflection, 1-2 double-spaced pages in length. It’s intended to be fairly open-ended, but you should answer the following questions:

  • What does information exposure mean to you in light of the activity you just did?

  • How much control do you think you have over your information?

  • What kind of reaction did this activity solicit from you? Are you indifferent? Unsettled?

Please turn your reflection in as well as whatever portion of your notes you feel comfortable sharing with me.

Activity II: Risk

Activity II is going to be more of a thinking exercise than Activity I. You’re basically playing the role of a red team for yourself.

Ask yourself the question: If I had time and resources, how could I use information I on the 'net about me to make my life worse in some way? To be sure, it’s a strange thought experiment. Perhaps it would help if you think of it as applying a sense of integrity in reverse. How much value do you place on your information, especially in light of the risk associated with the exposure of that information? Hopefully, you’ll become more aware of what you post online as a result.

Note
Social Engineering

There’s an entire field of study dedicated to manipulating people to either do something they wouldn’t ordinarily do or give up information they should keep secret. Think spies and con-men.

People tend to trust people that share the same interests, come from the same places, or just share some common bond. In other words, people tend to fall prey to crimes of affinity. Just imagine, what if someone could find all sorts of publicly available information about you. Here’s some ideas to get you started:

Don’t be afraid of giving any anxious or paranoid tendencies a little more leeway during this exercise. It might take you in some interesting creative directions. Just don’t go overboard, as we don’t want to lose any sleep over this stuff…or should we?

Tip
Asking the Right Questions

You might have noticed the list of prompt questions from Activity I seemed familiar. Perhaps you recognize them because they’re very similar to the security questions used to protect your banking passwords. How much value might be placed on those particular pieces of information?

Confused? Looking for a place to start? Here are some ideas:

Warning
Hold on, this is paranoid! None of this would happen to me!

Paranoid? Me? Never!

In all seriousness, you’re right. It is paranoid, and I certainly hope that none of these bad and scary things will happen to you. However, what I hope this exercise showed you is that there is a level of risk associated with information exposure. People can and will always place different subjective value on that risk. It’s a bet, just like in gambling. You’re gambling that something bad won’t happen to you.

You could play it safe and "bank" all your information with trusted parties. For example, your school or your employer need some basic information about you to pay you, take money from you, keep records on you, or to perform some other bureaucratic or logistical functions. Is there a risk associated with that? Don’t your school and your employer want to treat you right? Why would they release that information to malicious people? The answer is they wouldn’t! If they would, I strongly encourage you to do some thinking about your future with them.

However, no fortress is impenetrable. You’ve released information about you, which has real value and real risk, to a third party—you’ve ceded control. Alone, perhaps you might have been ignored, which is a comforting fallacy. These third parties, however, have a lot of information on you, and not just you, other people as well! They’ve concentrated a bunch of information in one place, just like a bank collects money. And what do criminals do? They rob banks.

Note
The Fallacy of Security through Obscurity
Before, I insinuated that the idea that small targets might be left alone—you’ll also note that I also said it was a fallacy. In the pre-computer past, this idea of Security through Obscurity might have worked. Now that we have vast amounts of computation power, we can no longer rely on anonymity and being "the small guy" to protect us. Corporations and criminals both have access to a rich vein of information ore and now have the tools to mine it. If it’s out there then some unfeeling, tireless machine will find it.

Deliverables

For Activity II, please write a reflection on the risks associated with information exposure. Now that you have an idea of what kinds of information are out there, what kinds of bad things might happen if the wrong people got a hold of this information? Again, the reflection should be 1-2 double-spaced pages in length. Here are some of the questions you should address:

  • What kinds of risks do you actively expose yourself to by posting information the Internet?

  • What kinds of risks are you passively exposed to by virtue of using various Internet services?

  • How are risk and the value of information related?

  • How, if it all, has your personal definition of risk changed?

Again, remember to not limit yourself to just your findings in Activity I. You are of course welcome to draw upon them to enrich your reflection.

Activity III: Protection

Activity III is (conveniently enough) a three-parter! Lucky you! As we talked about earlier in the Task section, we’re going to try to come up with some potential solutions to the problem of sending a message or bit of information securely. Once we’ve done that, we’re going to take a very brief look at basic cryptography and finally apply what we’ve learned to real systems, deployed on the Internet.

Activity III, Part I: Brainstorming

Imagine that you and a friend are physically separated by a significant distance, but would like to send a package to the other person safely. Sounds simple, right? Just drop off the package at your local post office or courier service and be on your way. However, as with everything, there’s always a catch—in this case multiple catches:

  • The contents of the package are for your and your friend’s eyes only. No one other than the two of can know what’s in the package. Use your imagination to decide what’s in the package. It could be a juicy bit of gossip, nuclear launch codes, or just a gift for a special someone.

  • You’re both much too busy—and it’s prohibitively expensive or inconvenient-- to actually go visit the other person to hand off the package.

  • The rest of the world is out to get you. Everyone else has a burning desire to get at what’s in that package, even people you would ordinarily trust.

It’s not all storm clouds and gloom, however! There are a few things going for you:

  • You have access to unobtainium, a magical material which is impervious to all imaging technologies, known and unknown, such as X-Rays, Terahertz waves, and even Superman. It is also indestructible! You can’t drill through it, cut it, smash it, or otherwise compromise it in some way. Sorry adamantium fans, unobtainium can’t be broken by unobtainium. It’s magic!

  • You can fashion things out of unobtanium such as unpickable locks and what-have-you.

This sounds pretty good, right? Well, here’s an example. I put my package in an unobtainium box, lock it with an unpickable unobtainium lock, and ship it to my friend. But wait, my friend doesn’t have the key to the lock! How do I guarantee that only my friend gets access to the key?

Now that you have a feel for the parameters of the thought experiment, take some time, exercise your creativity, and come up with 1-2 ideas which guarantee safe transit of your package to your friend.

Tip
Plan Carefully!

Be careful and consider as many possibilities as you can when coming up with an idea to get the package to your partner. Don’t be afraid to use what you learned in activities I and II to help you. What kind of information would your friend need? What risks does giving that information to them pose?

This isn’t supposed to be easy, so don’t get discouraged if it takes you some time to think about it. There’s no right answer, either—to paraphrase Feldmarschall von Moltke:

No plan survives contact with the enemy.
— Helmuth Carl Bernard Graf von Moltke
Important
Take Notes!
Remember to take notes about your idea, your partners, and what weaknesses you both found in each other’s ideas. Look for trends.

Once you’ve got 1-2 ideas each, find a partner and take turns explaining your ideas to one another. Your job now is to play devil’s advocate and really kick the tires, so to speak. Leave no stone unturned! Imagine whatever your partner is sending to their friend is of great personal worth to you and that you have limitless resources and time. What could you do, short of knocking your partner over the head with a club and stealing their set of keys, for example, to get your hands on the package?

Hopefully by now you’ve stumbled across some sticking points in your ideas. Were there any particularly difficult problems to solve in this thought experiment? What did they involve?

Warning
Spoiler Alert!

Make sure to finish your brainstorming and discussion before moving on.

It’s video time! Have a look at the following video and see if it sheds any light on how to approach the problem.

Video: Key Exchange

Note that this is only one solution to the key exchange problem, and it has its own issues—we’ll explore them later.

Activity III, Part II: A Brief Introduction to Cryptography

Now that we’ve thought about and seen a few solutions to the problem of sending a physical object to another person, the question becomes: "How do they do this with data on the Internet?"

Let’s refer back to the video. There are actually two separate things happening in the video. The first is that at the end of the video both Professor Chris Bishop and his colleague Andy have a copy of the blue key. There was a key exchange that happened, and it used two different key/padlock sets: Andy’s red key and Chris’s green key. The second is that because both Andy and Chris have a copy of the blue key, they can now dispense with the double-locking of the briefcase and simply use a single blue padlock on the briefcase to shuffle things back and forth.

While they didn’t show a blue padlock in the video, one could imagine the following scenario:

  1. Chris wants to send a document to Andy, so he puts it in the briefcase.

  2. Chris locks the briefcase with a blue padlock and sends it to Andy.

  3. Andy receives the briefcase, locked with a blue padlock.

  4. Andy unlocks the blue padlock with his copy of the blue key and retrieves the document.

Symmetric Crypto Example

It turns out that the above process is the way that most things are transmitted securely across the 'net.

Note
Symmetric vs Asymmetric Cryptography

The system where you share the blue key is known more formally as Symmetric Cryptography. The key (har-har) is that communicating parties use the same shared secret, aka "key," to encrypt and decrypt the data, i.e. lock the briefcase. IBM has a pretty decent article here.

The idea of asymmetric cryptography is slightly different. In asymmetric cryptography, there is an entity that "locks" up your data, and a different entity which "unlocks" the data. One can think of the padlock/key combo as an example of this. The padlock locks the briefcase and the key unlocks it.

The main advantage of asymmetric cryptography is you can freely distribute the locking entity (the padlock), whereas in symmetric cryptography you must keep a shared secret (the blue key). Unfortunately the padlock/key metaphor gets somewhat convoluted.

Nevertheless, let’s forge ahead! In asymmetric cryptography, you only have to keep the key safe. As an example, I could give all of my friends a supply of identical padlocks to which only I have the key—we’re assuming they can’t reverse-engineer the key from the padlock. Then, if they want to send me a message, they simply lock the "briefcase" with my padlock and send it on its merry way. Since I’m the only one with a key, only I can open the briefcase and the message is safe. I could even give a supply of the locks to my enemies, and the messages my friends send me would be safe.

So, what have we learned so far? Well, it seems like secure communication could be done by using the trick we learned from the video to exchange copies of a shared key, and then just use that key and the corresponding padlock to transfer information back and forth.

But we’re missing a key point! Couldn’t someone intercept the briefcase during the original transfer of the blue key, lock it with their own padlock, and make a copy before sending it to the original recipient?

Again, let’s go back to the video. In the video, Andy was able to send a copy of the blue key to Chris successfully and securely, right? Let Eve be an evil person, "Eve" for "evil," who wants to get a copy of the blue key for herself. How might she do that?

Well, she can insert herself into the communication between Andy and Chris, as shown here:

  1. Andy puts the blue key in the briefcase.

  2. Andy locks the briefcase with his red padlock, and sends it to Chris.

  3. Eve intercepts the briefcase, locks it with her gold padlock, and sends it back to Andy.

  4. Andy unlocks the red padlock and resends the briefcase to Chris.

  5. Eve, being the evil person she is, intercepts the briefcase again, unlocks her golden padlock, and now has the blue key, which she promptly copies.

Man in the Middle Example

Now that she has a copy of the blue key, she can send the original to Chris in the same fashion that Andy sent the key to her (using green and gold padlocks this time), with Chris and Andy being none the wiser. This means that if Andy and Chris use blue padlocks and keys to send message back and forth, Eve can see everything they send and even change it!

Compromised Example

How does Andy know that the padlock coming back from "Chris" actually belongs to Chris? How does he know there isn’t a man (or woman) in the middle?

Warning
Doesn’t the padlock color matter?

"Wait!" you say. "The color of Eve’s padlock is gold, shouldn’t Andy and Chris be able to figure out that someone intercepted the briefcase?"

You’re absolutely correct. As it turns out, the "color" of the "padlock" equivalent is extremely important, as it lets us verify the identity of each participant in the information exchange.

Note
Isn’t this the key exchange problem restated?
In a way, yes. If we’re keeping the colored padlock metaphor, we can use the idea of Diffie-Hellman key exchange to agree upon a "safe" color for the padlocks. Or if we wanted to be really fancy, we could go all the way to quantum key exchange.

Activity III, Part III: Case Study

For Part III of this activity, we’ll be looking at the cryptographic protocol that secures much of the traffic on the Internet, Secure Sockets Layer. In a nutshell, it uses asymmetric cryptography to exchange keys, much like Chris and Andy did, and then uses the shared key to encrypt further traffic. Of course, just like Chris and Andy, there is the problem of authentication—how do we know someone actually is who they say? To answer that question, let’s have a look at another video:

Video: SSL Certificate Explained

The video details a system wherein a higher authority, a certificate authority (CA), vouches for the integrity of someone’s identity. As in the video, they vouch that the key exchange with the pencil company is actually with the pencil company, not some evil Eve in the middle.

What might be the problem here?

Warning
Who verifies the verifiers?

I’ll let the security community speak for itself on this one:

This root of trust issue has been around since there were hierarchies of control.

Quis custodiet ipsos custodes?
— Decimus Iunius Iuvenalis

It’s a real problem, and fortunately is one that people are working hard to solve. There are several schools of thought and several different proposed solutions.

Note
Domain Name System Seucrity Extensions (DNSSEC)
One of the upcoming systems proposed to help combat the certificate authority problem is DNSSEC. The problem with that is while it certainly helps catch bad certificates issued by a compromised certificate authority, it itself requires a chain of trust and its own certificate authorities. Regardless of which solution you or I espouse, just remember it has to attack the underlying problem and not just the symptoms.

Deliverables

Now that you’ve learned a little about how cryptography works and how it’s deployed on the Internet, it’s time to answer the question "What are you going to do in response?"

Write a coherent narrative, 5-6 double-spaced pages in length, which addresses one of the following prompts:

  • How will you change your behavior with regards to your views on the value of information and your information exposure and risk on the Internet?

  • If you don’t intend to change your behavior, justify your decision. What gives you enough confidence in the status quo?

And that’s it! Wander over to the Evaluation section if you want to have a look at the rubric, or just read the Conclusion.

Last updated 2020-08-05 09:35:15 PDT

Top of Page | Introduction | Task | Process | Evaluation | Conclusion | Credits | Underlying Unit
Back to jontse.com | Copyleft Jonathan Tse 2011 | Created using AsciiDoc and AsciiDocGen | Design by Andreas Viklund.