CSCI E-170 Calendar - Fall 2005

Midterm Projects

The purpose of the mid-term project is to do serious book, magazine, online or interview research on a compelling security topic. Take a question that you want answered and find the answer. We are particularly interested in questions that have significance in security policy or history. In the final project you will have a chance to program something, but this is project is more along the lines of an in-depth literature review.

You have been assigned to a group of 3 or 4 students. It is your responsibility to work together as a group and prepare a single document that represents a significant contribution from each person in your group. If one or more people in a group drops the course during the course of the midterm project, the remaining individuals will work on their own and will be graded accordingly.

Technical Details for Project

The work product for your midterm project is a 12 to 15 page project report. Only the report will be considered in the assignment of your grade, so please do not go to the effort of creating a website, maintaing a blog, writing code, or creating a multi-media presentation unless you believe that doing so is necessary to create the report.

Specifications for the report:

12-15 pages (Note: references and bibliography do not count towards your page count.)
No title page; put the title and your group name, at the top of the first page. You may optionally include the names of those in your group as well; papers will be posted on the course website.
Single-spaced, 11 point font.
Double-space between paragraphs.
1 inch margins between the paper edge and the main text blocks.
Your group's name and page numbers should appear on every page.

The report should consist of several sections:

An introduction, in which you frame the problem that you have considered.
An extensive literature review in which you present previous work that has been done in this area.
A discussion, in which you evaluate the work that has been done and present your own, novel analysis of the problem.
A presentation of what future work might be useful in this area, and specific recommendations for how that work could be accomplished.
A conclusion.

Remember, midterm papers will be posted on the class website. It is your choice whether or not to include your names on the report, but the group name (e.g. "orange") must be provided.

Ideas for Midterm Projects

Forensic Tools Do a market analysis of forensic tools. Examine the tools themselves; the tool users; the legal requirements surrounding the acquisition, preservation, and presentation of evidence; and your assessment of the direction that the market is evolving. Do some research into why people are buying these drives wholesale.

Steganography is is a collection of techniques for hiding information in "plain view." The US government is very concerned that terrorists might use steganograhpy for covert communications. What is the history of steganograhpy, and how is it used today? How is steganography different from watermarking? Are there legitimate uses for steganograhpy? What steganograhpy detectors are available? Who is using them.

HIPAA's Impact on Security.. A review of the impact that the Health Insurance Portability and Accountability Act has had on the computer security world. Are companies actually improving their security, or is HIPAA compliance merely another check-box of things to do?

CISSP and other Certification. What is the impact that certification has had on the practice of computer security? Why was certification adopted in the field? Did it make a big impact?

RFID Security and/or Privacy. How do you build a secure RFID system? How do you even define Security and Privacy in this context? What are the constraints of RFID that make it more challenging than an electronic consumer product? What kind of attacks are you protecting against? How do you manage the amount of data needed to associate content or value with the IDs?

CA Practices. Evaluat the practices and certification practice statements of one or more CAs. Who are these companies? How did they get their keys into browsers and email clients? What do they charge? How big is their market? Are they doing a good job? What's the difference between their different products? What do you think?

Anonymity What kinds of anonymity are there? How do any government regulations and laws apply to this field? What technical means are there for ensuring anonymity. Design a system that improves upon these technical solutions.

Digital Rights Management New technologies are making it harder to copy and access certain types of content. Sometimes these DRMs expose various information about the user in order to prevent duplication. What are these various technologies, and exactly how much information is transmitted? Are there ways to circumvent the technologies? How legal are the circumventions? Can you create a taxonomy of DRM systems?

Spyware and Viruses Traditionally most users haven't considered security important on their computer rationalizing it as: "I'm not important/interesting enough to matter. I don't have anything private or that I care about." The current trends in spyware and viri say otherwise - credit card numbers, and Massive Denial of Service attacks are done from otherwise boring computers. What kind of interesting things can be done if you were designing spyware. Is there some way to leverage this concept to do something constructive? How much information is leaked out by various spyware/viri types. Be very careful if you choose this project. We will not be pleased if you send us viri in email or as your submission or break any Harvard Computing rules.

Human Factors Why do people have so much trouble with various security technologies? Do they have the same kinds of problem with physical security? How can you shift the paradigm or change the technology to make it more accessible? How can you use human habits/limitations to your advantage?

VoIP Security Evaluate the security of VoIP systems, including SIP and Skype. How does the security of these systems compare with the security of POTS telephone systems or wireless systems?

Cost of Viruses/Security Much is said about the cost to American businesses of viruses or security vulnerabilities in general. Much of what is said is said by companies that have a vested interest in inflating these numbers. Evaluate the true cost of computer viruses and other security problems. You can do this by doing a meta-analysis of existing studies or by conducting your own modeling. You could even do both.

Product Activation Analyze the growing use of product activation in Windows XP, Adobe, and other programs. What are the advantages and disadvantages of product activation?

Cryptographic File Systems Disk forensics would be dramatically complicated through the extensive use of cryptographic file systems. But despite the fact that this technology is widely understood, it is rarely used. Survey the existing cryptographic file systems, including features in the new offerings by Network Appliance and Seagate. Evaluate these based on their plausibility, usability and cost. What is your prognosis for cryptographic file systems?

Phishing Survey the phishing problem and real solutions.

Authentication for Websites Two-factor authentication. TANs. Remote Biometrics. Client-side certificates. What is the real future for authentication of websites?

Biometrics Survey the available technology and the costs of biometric authentication and identification systems. Describe how you see the biometric market, who the users are, and what are the real, practical uses. What are the myths that need to be exploded? What will be the 5-year future of biometrics?

Exploits Create a taxonomy of exploits. Is the nature of exploits changing? Why did http://rootshell.com/ go away? What about the insider threat? What do easter eggs have in common with insider-planted exploits? Have there been any insider-planted exploits.

Or make up your own.