https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/index.html General Instructions Activities are small hands-on activities you can do to experience security and privacy first-hand and potentially discuss it with other people within and outside of the course. They are intended to be short hopefully taking only 5-10 minutes to complete, but with the opportunity to explore more if you are interested in doing so. Hugo en-us kami.vaniea@uwaterloo.ca (Kami Vaniea) kami.vaniea@uwaterloo.ca (Kami Vaniea) Fri, 09 May 2025 13:04:25 -0400 https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/read-breach-report/index.html Thu, 01 May 2025 11:13:33 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/read-breach-report/index.html Deadline: May 16 Organizations that experience security breaches sometimes release public reports aimed at helping the wider security community understand what happened and hopefully learn from the experience. These reports are sadly not common, but they are very interesting and educational to read. Steps Pick a data breach report to read, the following are good options but you can pick any you like. British Library - October 2023 breach Troy Hunt’s write-up of the Disqus Data Breach Heartland Payment Systems - August 2009 breach written by Federal Reserve Bank of Philadelphia US FTC charges against Snapchat (Counts 1, 2, and 6) - technically this is a legal document, but it has lots of technical details. A “Kill Chain” Analysis of the 2013 Target Data Breach written by USA Committee on Commerce, Science and Transportation Read the Executive Summary or Introduction and at least one other section. Optionally, you can search for the breach in the news if you are not already familiar with it. Complete self-reflection questions Reflection questions State what data breach report you read. What attack was used in the breach? What did you learn about what attackers and/or defenders do during breaches? Other things to read South West Thames Regional Health Authority, ‘Report of the Inquiry into the London Ambulance Service’ (1993) Due to poor management of a software project the City of London England was completely without ambulance service for a day. The write-up is the inquiry into how that happened. List of related documents https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/verify-chat-keys/index.html Mon, 05 May 2025 19:26:44 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/verify-chat-keys/index.html Deadline: May 23 Most end-to-end encrypted chat programs allow users to do manual verification of the other chat partner. Software: Either WhatsApp or Signal. Two people in the group need to have the same software. Its ok to do this activity with someone outside the class. Steps: Follow the steps for WhatsApp or Signal below. You can also try with both to compare and contrast. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/optout/index.html Thu, 24 Apr 2025 15:10:41 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/optout/index.html Deadline: May 30 You often have the right to opt-out of data collection and usage. Unfortunately opting out can be rather complex. But in order to comply with various laws, and to claim they are doing right by consumers, most companies do have a functional path to opt out of various things. A common opt-out is cookies and other types of web tracking. In order to claim that opting out is a reasonable and realistic thing for consumers to do, advertisers form alliances where consumers can (theoretically) opt out of tracking by all members on one page. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/verify-website-cert/index.html Thu, 17 Apr 2025 16:11:18 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/verify-website-cert/index.html Deadline: May 30 We often visit websites and simply assume that the website we are seeing is the real one. But that is not always the case and for important websites you might want to do some verification. Man in the Middle Attacks can and do happen so web browsers use certificate authorities to verify the identity of websites. You have the ability to see these checks. Steps The following steps are written for Firefox but similar steps will work on most modern browsers. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/modify-urls/index.html Thu, 17 Apr 2025 16:16:50 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/modify-urls/index.html Deadline: 13 June The internet uses Universal Record Locators (URLs) to express to computers where the user wants to go. We are used to clicking on links or searching and then clicking on links. But it is quite possible to navigate large parts of the internet by just directly editing URLs. Software: This activity will work on any major browser, and any other browser that allows you to edit URLs, including mobile browsers. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/download-data/index.html Thu, 17 Apr 2025 15:01:55 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/download-data/index.html Deadline: 27 June It is your data, so you should have the right to it. The introduction of the Data Protection Directive (1995) in Europe caused several companies to start making users’ data available. Back in 1995 they sometimes sent printed copies in the mail, but now most large companies offer you the right to access your own data for free digitally. In this activity you will be: Selecting a company/organization Going through the process to request your own data Downloading the data Opening the data Potential places to get data You may download your data from any internet service that supports it. The following is a list of companies that support data download and a link to get you started. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/nojavascript/index.html Thu, 17 Apr 2025 14:54:48 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/nojavascript/index.html Deadline: 4 July Install a Javascript blocker and then experiment with what happens when various parts of a website are blocked and unblocked. Steps The instructions below assume Firefox, but should work for several different browsers. Install one of the following blockers in your browser. uMatrix - recommended noScript - more agressive Visit a large for-profit news website such as: CNN National Post Global News Unblock select Javascript sources. Most blockers default to blocking all Javascript from third parties. Try unblocking different Javascript sources one at a time, remember to re-load the website between each change to the blocking so you can see changes. Visit a large publicly funded news website such as: BBC PBS Repeat step 3. Either keep or delete the plugin. If you keep it, make sure you know how to open a new plugin-free profile (firefox -p) or have another browser available as the plugin will break banking websites. Reflection questions How did the two types of sites (for-profit and public) differ in terms of the amount and types of Javascript being used? How many different Javascript sources did you have to unblock to make the site usable? Did you feel like you would be able to selectively load just the parts of a site that you wanted to? Other things to try Try out other websites that you use frequently. The University of Waterloo for example. Large complex sites like Facebook can also be interesting to block bits of to see what happens. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/modify-website-content/index.html Thu, 24 Apr 2025 09:42:03 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/modify-website-content/index.html Deadline: 11 July In this activity you will be modifying a live website, essentially creating something you could screenshot and would look 100% real but is completely fake. Please use this information responsibly and as a lesson about trusting screenshots of websites. Software: Instructions are written for BlueSky and Chrome but should work with most major browsers and social media platforms. Steps Modify BlueSky Post Go onto BlueSky (or another social media site) and find a specific post you would like to modify. Right click on the part of the post you want to change and select “Inspect”. The browser should have brought up the HTML assocated with that part of the page. Below is a screenshot of me doing this with a Krebs on Security post. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/panopticlick/index.html Thu, 17 Apr 2025 16:13:37 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/panopticlick/index.html Deadline: 18 July Your web browser provides lots of facts to webpages and to JavaScript as part of normal operations. These facts are helpful in that they let pages properly adapt content to match the capabilities of the computer and monitor they are on. But they can also be used to uniquely fingerprint and track users. In this activity you will be looking at the types of information visible Steps Visit the Cover Your Tracks website using your normal web browser using your normal settings. Click “Test Your Browser”. Make sure to scroll down on the results page to see all the different types of data the site was able to collect about your browser. Try visiting the page again using a privacy-preserving mode like Private Browsing, or Incognito. Try visiting with a different browser than your normal one. Brave Chrome - Advertising friendly Firefox - Auto blocks advertising Reflection questions What detected information most supprised you. Learn more Panopticlick Your browser has ad tech’s fingerprints all over it, but there’s a clean-up squad in town - News article opinion piece talking about how effective Chrome Incognito is or isn’t. Also suggests some alternatives. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/read-regulation/index.html Thu, 17 Apr 2025 16:15:23 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/read-regulation/index.html Deadline: 25 July Legal regulations can have large impacts on how technology is implemented. Laws and regulations are a way that government tries to influence how technology is built and how it impacts people. In this activity you will be picking a regulation/law (suggestions below) and reading part of it. Laws and regulations Select a law/regulation from the following list. Or use this list as inspiration and select your own regulation to read. I encourage exploring Canadian regulation, but you are welcome to select from regulations worldwide as long as they have a clear connection to privacy or security. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/listen-to-phish/index.html Thu, 17 Apr 2025 15:16:05 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/listen-to-phish/index.html Deadline: 25 July This activity requires you (or someone physically near you) to receive a scam communication. So I recommend starting this activity a bit earlier than others since it is hard to control when a scam might happen. If you really don’t receive any scams, try talking to your friends or family about ones they have seen recently. All you need to do is read or listen to the full scam communication and then think critically about the following questions. There is no need to progress past the initial communication. It is fine to hang up after the initial pitch by them, you do not need to speak to anyone, and you do not need to click any links. Please also review the safety guidance below. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/set-a-cookie/index.html Fri, 09 May 2025 12:13:01 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/set-a-cookie/index.html Not Graded: This activity is not required and is not graded. It may have self-reflection questions, but they are there only for your own learning. Cookies are small text strings stored by your browser on the behalf of websites. Software: Instructiosn are for Firefox, but most browsers should work. Note that Firefox blocks 3rd party cookies, so you will see less cookies on Firefox than on Chrome. Steps Look at cookies Start by looking at some cookies for this website. Do the following while the course website is open. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/har/index.html Fri, 25 Apr 2025 14:57:25 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/har/index.html Not Graded: This activity is not required and is not graded. It may have self-reflection questions, but they are there only for your own learning. Modern websites are built from many different souces. In this activity you will be using your browser’s functionality to record a sequence of web browsing activities and then look at the result. Software: Chrome or Firefox recommended Steps Capture your own traffic Visit any news website such as: CBC CNN Waterloo Chronicle Open the developer console by pushing F12 Switch to the Network tab Reload the website and wait a bit for most content to load You can now see all the pages that are being fetched and all the content being sent back and forth between your browser and the various servers. The interface will also let you filter, sort, and dive into anything you find interesting. Download the resulting Har file: Firefox right click on any network line and select “Save all as HAR” Chrome Click on the down arrow icon below the Networking tab to download the HAR file. A HAR file is just a Jason object, it can be opened in any programming language that supports HAR files or anything that can open Jason. See map of website connections Firefox is required for this one. https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/shadow-password-file/index.html Fri, 09 May 2025 13:04:25 -0400kami.vaniea@uwaterloo.ca (Kami Vaniea) https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/activities/shadow-password-file/index.html Not Graded: This activity is not required and is not graded. It may have self-reflection questions, but they are there only for your own learning. Software: Root access on a Linux machine is required for this activity. Root access on a Mac might work, but the instructor has not tested it. In this activity you will be looking at the Linux shadow password file and seeing what happens when you create a new user.