There is no required textbook for this course. The textbooks below are provided for those who wish to read further or get a more in-depth understanding of a topic.
Not graded: USEC students are not requried to complete the activities. They are not marked and do not impact your final grade.
Some students benefit from having access to hands-on activites that can help with better understanding technical security and privacy concepts. These activities were copied from the Computer Security ECE458 course and some outreach activities. I have tried to remove mention of grading, but appologies if there are still some grading-related wording in them.
Subsections of Usable Security and Privacy (ECE750 T38)
Assignments
There are two assignments for the course.
Assignment 1: Conduct a small cognitive walkthrough
You will be conducting a small cognitive walkthrough study on an encryption technology of your choice.
Assignment 2: Analyze existing data
You will be analyzing data collected as part of an existing published research paper.
Subsections of Assignments
Assignment 1
Deadline: July 9th
In this assignment you will be conducting a cognitive walkthrough similar to the one done in the Why Johnny Can’t Encrypt research paper we read.
The goal is to perform an expert cognitive walkthrough evaluation of a current encryption tool.
Groups
You are allowed to do this assignment on your own or with one other person. If you are in a group of 2, only one final report needs to be written up.
Steps
Step 1: Select a tool to evaluate
You can select any encryption tool with the exception of WhatsApp and Signal as the correct usage of these have been partially covered in the ECE458 course. If you are unsure, I recommend Wikipedia’s list of encryption tools. In particular, consider tools listed at the bottom of that page under the “disk encryption”, “email clients,” and “OTR” messaging categories. Download and install (or, if applicable, simply enable) the tool you chose.
Step 2: Pick a task and its correct usage
Think about what the main purpose of the tool is and then determine the correct usage of the tool for that task. Some tools will have only one main task, but others may have several. You only need to do the activity for one main task, but you do need to cover all the aspects of that task. For example, if key exchange is necessary before encrypting, then you need to consider key exchange and encrypting.
You may need to consult documentation or guides to identify the correct way to use the tool securely. Even if you use this tool yourself already, make sure that you are correctly handling issues like: keys, backup, and verifying identities of communication partners (if there are any).
Step 3: Conduct a cognitive walkthrough
There are formal and informal cognitive walkthroughs. A formal cognitive walkthrough is a precisely planned study conducted by several human-computer interaction experts. The experts use a persona, make formal action sequences, and fill out structured reports as part of the process.
For this assignment you will be doing a ligher version closer to an informal cognitive walkthrough. The goal of such a walkthrough is to find the big problems but follow a less documentation-heavy process. This approach is more commonly used by professionals like HCI designers and software engineers to quickly evaluate a user interface while still following a structured approach. Like most HCI methodologies, one of the key goals of a cognitive walkthrough is to get you to slow down and seriously consider the interface in front of you from the perspective of a real user.
In this study you should assess the usability of the design for a University student who has never taken any security courses. That means they are smart, experienced with using comptuers, experienced with the Internet, but may have no idea of how encryption works or what keys even are.
Download the spreadsheet and fill in the task you are assessing at the top. Also fill in the correct actions necessary to complete that task (step 2). Copy and paste the existing action blocks as needed to ensure that all correct actions are listed.
Now go through your selected software and fill in the answers to the 4 cognitive walkthrough questions for each action. If you are in a group of 2, then both members need to fill in the spreadsheet seperately.
Step 4: Identify big issues
Look at the spreadsheet(s) you created and use them to identify what issues you consider to be most problematic. When dealing with a client or writing a research paper you often have to synthesize the low level findings into higher-level issues.
Final Write-up
You will be submitted a report and a spreadsheet. If there are two members then both members should fill out their own spreadsheet, so there will be two spreadsheets submitted.
Report
The report should contain:
Names of the group member(s)
Name of the tool you chose
Paragraph 1: In your opinion, what were the largest usability issues with the tool you evaluated?
Paragraph 2: What usability flaws identified in the Johnny paper still persist in this tool? Describe them.
Paragraph 3: What usability flaws identified in the Johnny paper have been addressed to your satisfaction by this tool? How were they addressed?
If you believe any of those paragraphs is not applicable (e.g., the tool has no usability flaws not described in the Johnny paper), instead briefly explain why you believe it is not applicable.
Project
The goal of this project is to read about a specific area of Usable Security and Privacy in more depth, think critically about existing gaps in knowledge. and plan a study that could theoretically help fill the identified gap. The project has two feedback-only deadlines and then a final deadline which results in a project grade.
I recommend reading through the full document to get an understanding of what will be required as the end state. The two feedback deadlines should help students make progress in that direction.
You will be picking a subject topic of your choice within the realm of Usable Privacy and Security. The proposed study needs to be about usability, but the study does not need to directly involve humans. A study looking at pre-existing datasets (i.e. password breaches), or content analysis (i.e. Stack Overflow posts) would also work. As would more traditional approaches like a lab study looking at encryption software usability.
For this project you only need to demonstrate the ability to consider some existing literature, identify an interesting gap in knowledge, and plan a study to address that gap.
Feedback Deadline 1: Rough idea
Deadline: July 2nd
For this deadline you only need to specify a rough idea for the project in 1-2 paragraphs. You need to state what the subject area is you will be focusing on. What research questions or directions you have in mind. And how you are considering answering them in a study.
Feedback Deadline 2: Initial plan
Deadline: July 11-18th - I’ll start giving feedback on the 11th, but it can be turned in as late as the 18th.
For the second deadline you need to have a more revised plan.
A short description of the problem. Think abstract-type explanation.
Brief summary of prior work that cites at least two papers. This summary need not be comprehensive, but it should show some engagement with what others have done.
Research Questions or Research Goals - These should be clearly stated. There could be only one such research question, or there could be several, it depends on what is being researched.
Methodological approach - What methodology are you considering for the study. For example, it could be an interview study, a survey, a document analysis, or many other options.
What you plan on measuring in the study.
Plan for analysis. How are you planning on turning your raw data or observations into a final result. This could be the statistics you plan to use, or the analysis methodology. It can even be descriptive statistics (mean, median, mode) if those are most appropriate.
List of appendix documents you will be creating.
Final deadline: Research plan
Deadline: July 28th
The final report is essentially a plan to conduct a research study. You do not need to conduct the study or even a pilot of it. Only the written plan is required.
Use the ACM one column article template either in Microsoft Word or in LaTeX. I will not be strictly marking template, so minor variations from the official template are fine.
Plan structure
The final document should have the following sections in this order. It is ok to add sub-sections below these to structure the document as needed. Below I state what needs to be in each section.
Introduction and related work
Briefly explain the issue that is to be studied. The introduction should answer questions like:
What topic area is being studied?
Why does this topic matter? Or who cares about the topic?
How will this study advance knowledge above and beyond existing research?
The introduction should cite at least two papers related to your proposal. Unlike a real paper, it is not necessary to provide a comprehensive related work. But at least some related work needs to be considered and planned.
Research Question(s)
State the research questions or research goals of the work.
Planned methodology
This section should read very similar to a methodology section in a research paper. It should explain the methodology you plan on using, reasoning behind methodology choices, and how you plan on analyzing the resulting data.
Bibliography
This section should follow the ACM template.
Research materials - appendices
This section is most similar to an appendix in a research paper. There is a trend in science towards replicatable research. In other words, modern research papers are encouraged to include enough of their materials that a future researcher could re-run the study.
This section should contain the research materials necessary to run the study. These materials will differ depending on the methodology used, but here are some examples of what might be included:
Interview script for an interview study.
Questions asked for a survey.
List of content sources for a content analysis and a list of possible initial qualitative codes if coding is planned.
The list of “correct” steps to be analyzed for a cognitive walk through.
Interfaces tested - UI interfaces shown in a lab study. If software is tested, key UI interfaces are often shown in the appendix to help readers understand what users saw. For a planned study these can be included if the software exists, or mocked-up if the software does not exist yet.
Not needed - You do not need to include any of the following documents in this section:
Recruitment materials - things like advertisements, email posts
Code - You do not need to write or provide any data analysis code or code you would use to create any of the study setup.
Implemented surveys - The questions should be included (see above) but there is no need to imput them into functional survey software.
Research plan grading guide
The project will be graded on the following points.
Study framing (30 points)
The introduction and related work should:
Make it clear what is being studied and why.
Explain how the planned study fits in with the chosen related work.
Study motivation or methodology decisions need to be linked to related work.
Research questions (20 points)
Research questions or research goals need to be clear and precise enough that they can be evaluated in a study. They also need to align with the goals stated in the framing.
Internal validity (40 points)
Internal validity means that the study is actually testing what it is meant to test. Most of the assessment will be if the methods and research materials sections make sense internally and if they match the research questions.
Overall presentation (10 points)
Overall presentation and flow. Issues like spelling, layout, and other presentation-related issues are marked here.
Chapter 3
Lectures
Clicking the print icon in the upper right will concatinate all the Lecture pages onto one page.
Lecture pages are designed around self study. They include required readings, points you should understand from the lecture, and one or more questions you can think about. Some lectures contain lecture note text. They also include links to additional materials if you find the topic intersting. As well as links to news articles and other materials referred to in the lecture.
Usable Security and Privacy is a field that looks at how people currently use security and privacy technologies as well as how to make those technologies more usable. USEC touches on many topic areas including: Human-Computer Interaction, Cybersecurity, Privacy, Law, Public Policy, Psychology, and Social Science.
Security and privacy tools that cannot be used are, well, useless. In fact they can be worse than useless because people will work very hard to circumvent the “annoying” technology potentially putting themselves in more danger.
What does “secure advertising” mean to you?
s/hlr4&id=206&men_tab=srchresults))
The next time you run into an uncomfortable social situation that involves privacy, try and think back on this lecture to tease out what about the situation made you uncomfortable.
Daniel J. Solove. “The Limitations of Privacy Rights”. 98 Notre Dame Law Review 975 (2023), GWU Legal Studies Research Paper No. 2022-30, GWU Law School Public Law Research Paper No. 2022-30
Think about a security or privacy technology that you often use and claims to be encrypted. How might you run a study like the Johnny paper on that technology and how would you expect the results to be the same or different?
Compare Telegram and Signal in terms of communication security.
Lecture Notes
Why Johnny Can’t Encrypt is one of the most famous studies in Usable Privacy and Security. It showed that even PhD students at Carnegie Mellon University could not accurately send and receive encrypted email messages without making very serious errors.
Critique a study in terms of limitations and strengths
Apply
Select a research paper, read through the methodology section, note down what you think the limitations are. Then read through the limitations section and compare your notes against what the authors wrote.
Try understanding the basic statistics. Anything about models or GLMMs can be skimmed.
Learning Outcomes
Understand
Research questions guide survey design.
Wording can have a large impact on answers.
How to apply study design lessons to surveys.
Apply
Take a survey and pay attention to the questions you are being asked. Are any of them leading? Do they accurately allow you to express your skills or opinions?
Most in-store receipts have links to take a survey
Phone surveys sometimes happen
If you call a service center you may be asked to take a survey
Fill out a product review, it normally includes a mini survey
Lecture Notes: Survey Scales
Survey Scales about Security and Privacy
Writing good survey questions requires careful thought and a good knowledge of the information you are trying to measure. Some concepts are also challenging to measure like “security attitude”. To solve this problem, research teams create what are known as “survey scales”. A scale is a set of questions that are well written and have been shown to reliably measure a concept.
Scales have several useful properties. First off, writing good survey questions is challenging, so a pre-written scale is just easier to use. Secondly, if multiple researchers all ask the exact same questions, it becomes possible to compare answers across research studies. Finally, researchers using a scale can assume (and cite) that it reliably measures a concept.
Below are four scales from usable privacy and security. Each measures a different set of concepts.
IUIPC
Naresh K. Malhotra, Sung S. Kim, and James Agarwal. 2004. Internet Users’ Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model. Information Systems Research 15, 4 (2004), 336–355.
Daniel Votipka, Desiree Abrokwa, and Michelle L. Mazurek. 2020. Building and Validating a Scale for Secure Software Development Self-Efficacy. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (Honolulu, HI, USA) (CHI ’20). Association for Computing Machinery, New York, NY, USA, 1–20.
Serge Egelman and Eyal Peer. 2015. Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS). In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems. Association for Computing Machinery, New York, NY, USA, 2873–2882.
Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, William Melicher. Design and Evaluation of a Data-Driven Password Meter In Proceedings of CHI 2017.
Password administration for system owners by the National Cyber Security Center of the United Kingdom - one of the first countries to officially advocate for user-friendly password rules
Sending fake phishing messages to employees is based on this and other PhishGuru work.
Learning Outcomes
Topics
Phishing
Psychology around risk
Teachable moments
Understand
Phishing is actually an authentication problem.
Training users involves thinking about what they need and when.
Apply
Try reading the University of Waterloo’s anit-phishing guidance.
Additional Resources
Cases where skilled people fell for phishing
How to Lose a Fortune with Just One Bad Click - Attacker was able to send an email from google.com which was correctly signed by Google. Getting an email fron Google caused the victim to feel safe and like the represenative on the phone was real.
Pluralistic: How I got scammed - account of Cory Doctorow who is a security researcher and was successfully scammed by someone pretending to be his bank
Its easy to impact the views of others just by how a question is asked.
Match approaches to the type of information you want to know
Apply
Try asking friends or family what three things they would suggest other people do to stay safe online. Do their suggestions match the common suggestions?
For this module you will start by thinking about how you yourself think about and act in regards to security. People rarely take the time to think about their security and therefore you may find yourself forming opinions as you think. The various activities in this module are inteded to ellicit preferences, attitudes, opinions, knowledge, and intended behavior from people.
Security is known as a “secondary task” that is something that has to be done in order to complete other tasks. For example, people rarely have the goal of unlocking the door to their home, instead they have a goal like “go inside” which has a sub-task of “unlock the door”. Similarly people rarely go to the Facebook homepage to login, instead they go to view their feed or post. Logging in is a sub-task of gaining further access.
Staying safe online
Online safety is a deceptively complex task for most users. It involves everything from their understanding of the threats, to their models of how computers work, and even their expectations around how effective different mitigation strategies are. In this module we will be discussing how people go about keeping themselves safe and what they define “safe” as. Towards the end of the module we will also discuss the widely accepted definiton of security and how that aligns with what we have learned about people.
Eliciting views and preferences
Asking people about security views, preferences, attitudes, and behaviors can be supprisingly complex. There are two main problems. 1) There is a known “correct” answer which is that they are as secure as possible. People like to look like they are doing the right thing, so when you ask them they may answer as if they are doing the best thing even if they are not. 2) People don’t think about security very often and as people we develop opinions by talking and thinking about things. So when you ask them about security they start thinking about the problem and generate opinons as they are talking. For example, most Canadians can easily answer questions like “what is your favorite type of music” or “which hocky team do you support” because they have thought about these issues before. Compare that to “What door in Davis Center do you most enjoy walking through?” You probably never thought about the issue of Davis Center doors before, but you are now thinking about the issue and developing an opinion. Perhapse you are recalling the experience of walking through the door nearest the Tim Hortons and smelling the coffee. Or the sound of library wispers when you walk through the library entrance door. Asking about security is somewhat similar to asking about Davis Center doors. Most people have at best a vauge opinion before being asked and then develop an opinion as they answer the question.
Elliciting views and preferences in security can be challenging but there are a range of ways to do it that minimize bias. There are also a range of methods meant to help with self-reflection that allows people to assess and possibly improve their own security approaches.
Activities are small hands-on activities you can do to experience security and privacy first-hand and potentially discuss it with other people within and outside of the course. They are intended to be short hopefully taking only 5-10 minutes to complete, but with the opportunity to explore more if you are interested in doing so.
Not graded: USEC students are not requried to complete the activities. They are not marked and do not impact your final grade. The activities were copied from a Computer Security course and some outreach activities. I have tried to remove mention of grading, but appologies if there are still some grading-related wording in them.
I recommend:
Completing the activities with other people you can discuss them with
Try answering the self-reflection questions
You are also welcome to share activities with people outside the course
Subsections of Activities
Block third party content
Install a Javascript blocker and then experiment with what happens when various parts of a website are blocked and unblocked.
Steps
The instructions below assume Firefox, but should work for several different browsers.
Install one of the following blockers in your browser.
Unblock select Javascript sources. Most blockers default to blocking all Javascript from third parties. Try unblocking different Javascript sources one at a time, remember to re-load the website between each change to the blocking so you can see changes.
Visit a large publicly funded news website such as:
Either keep or delete the plugin. If you keep it, make sure you know how to open a new plugin-free profile (firefox -p) or have another browser available as the plugin will break banking websites.
Self-reflection questions
How did the two types of sites (for-profit and public) differ in terms of the amount and types of Javascript being used?
How many different Javascript sources did you have to unblock to make the site usable?
Did you feel like you would be able to selectively load just the parts of a site that you wanted to?
Other things to try
Try out other websites that you use frequently. The University of Waterloo for example. Large complex sites like Facebook can also be interesting to block bits of to see what happens.
Download your data from Social Media
It is your data, so you should have the right to it. The introduction of the Data Protection Directive (1995) in Europe caused several companies to start making users’ data available. Back in 1995 they sometimes sent printed copies in the mail, but now most large companies offer you the right to access your own data for free digitally.
In this activity you will be:
Selecting a company/organization
Going through the process to request your own data
Downloading the data
Opening the data
Potential places to get data
You may download your data from any internet service that supports it. The following is a list of companies that support data download and a link to get you started.
Open up the data in whatever format it is in. You may need to try some different file formats. Below are some things you can try looking for in the data:
Logins to your account. Sometimes these include GPS locations and/or IP addresses. Are they accurate?
Lists of friends. Do you still know all these people?
Photographs uploaded.
Reflection questions
What was the download process like? Did it feel easy and effortless or was extensive technical experience needed?
How useful is the data? Now you have your own data on your computer, do you feel like you could actually use this data for anything?
What surprised you most about the process of downloading your own data?
Other things to try
If you have some extra time try:
Downloading data from more than one source and comparing the file structures.
Try uploading some of your data onto another platform. In theory some of these download platforms are intended to allow users to move their data between companies.
You often have the right to opt-out of data collection and usage. Unfortunately opting out can be rather complex. But in order to comply with various laws, and to claim they are doing right by consumers, most companies do have a functional path to opt out of various things.
A common opt-out is cookies and other types of web tracking. In order to claim that opting out is a reasonable and realistic thing for consumers to do, advertisers form alliances where consumers can (theoretically) opt out of tracking by all members on one page.
Steps
Try opting out of cookie tracking using one of the two websites below. Both of these sites are run by advertising networks. Do your best to opt out of as many trackers as possible.
Are you confident that you opted out correctly without making any errors?
Are you confident that you will no longer be tracked by these companies?
Other things to try
Try opting out of some other form of tracking or marketing. Below are some ideas of what to try:
Car: most modern cars send information back to their makers. Try finding out what information is sent and opting out of its secondary usage as much as possible.
Robotic Vacuum: most robot vacuums map homes and send data back
TV: Most modern smart TVs collect detailed information about what shows are being watched. They may also add behavioral marketing based on collected data.
Smart Meters: Likely installed by the energy company. Find out if your house, apartment, dorm, condo, or other residence has a smart meter.
If you have done the Javascript activity already. Try installing UMatrix again and then opting out using one of the two pages above. Consider how different privacy protection technology may interfear with each other.
In this activity you will be modifying a live website, essentially creating something you could screenshot and would look 100% real but is completely fake. Please use this information responsibly and as a lesson about trusting screenshots of websites.
Software: Instructions are written for BlueSky and Chrome but should work with most major browsers and social media platforms.
Steps
Modify BlueSky Post
Go onto BlueSky (or another social media site) and find a specific post you would like to modify.
Right click on the part of the post you want to change and select “Inspect”.
The browser should have brought up the HTML assocated with that part of the page. Below is a screenshot of me doing this with a Krebs on Security post.
Find the line you want to edit, right click on it, and select “Edit as HTML”. You can now edit the text or just add some.
Look at the resulting page.
Modify Javascript
Modifications are not limited to just HTML. It is very possible to modify code on the page and change its behavior.
Chrome is required for these instructions. It is possible in Firefox but quite annoying.
The page loads Javascript code. To see it, right click on “Submit” and click “Inspect”. Then select “Sources” in the developer console.
Figure out what you need to enter into the text box to get the page to say “Hello World” at you.
Change the Javascript so that any text will cause “Hello World” to appear.
Reflection questions
Reflect on the following two prompts:
Screenshots are often used as evidence in news articles and social media posts. Especially for content that has been deleted.
Websites are made of a mix of client code (HTML, JavaScript) and backend server code (PHP, Ruby, Python). Client-side checks are used quite often by websites.
Other things to try
Try removing page element that you find annoying. Technology like Ad Blockers are just automatically doing what you can do manually. Try loading a page that has a large banner or ad at the top and then remove it. You will often see me doing this at the start of class. I like to make news articles on the screen easy to read, so I often remove unecessary page elements and change the text width.
Look at client-side checks.
Many pages have client-side checks for all sorts of things. Twitter, for example, used to check new passwords against a list of common passwords client-side. By opening the JavaScript you could see a list of passwords that Twitter does not allow.
Modify URLs
The internet uses Universal Record Locators (URLs) to express to computers where the user wants to go. We are used to clicking on links or searching and then clicking on links. But it is quite possible to navigate large parts of the internet by just directly editing URLs.
Software:
This activity will work on any major browser, and any other browser that allows you to edit URLs, including mobile browsers.
Steps
Amazon
Amazon uses a consistent naming structure across all their country-specific sites.
Search amazon.com (USA Amazon) for a product of your choice.
Add “&s=price-asc-rank” to the end of the URL and hit enter. What changed about the page?
Open a product of your choice.
Edit the domain from “amazon.com” to “amazon.ca” directly in the URL bar and hit enter.
If the product is available in both the USA and Canada, then you should see the page change to the Canada version which will likely have a different price, shipping time, and somtimes different reviews.
Amazon product URLs are long, but they actually don’t have to be. Starting at the rightmost end of the product’s URL, start deleting bits of the URL till you find the shortest URL that will still load the product page. It helps to think about how the URL is structured while doing the activity.
Wikipedia
Wikipedia uses a very accessable naming structure. If you know what you want, there is no need to even search, you can just enter the URL directly.
Try creating a URL that links to the University of Waterloo’s Wikipedia page and then enter that URL directly into your browser’s URL bar to check if you did it correctly.
Try creating at least one other Wikipedia URL and directly visiting it.
YouTube
YouTube includes information in the URL like distance through the video so that people can share not only videos, but specific points in videos. Since the information is in the URL, it can be manipulated.
Legal regulations can have large impacts on how technology is implemented. Laws and regulations are a way that government tries to influence how technology is built and how it impacts people.
In this activity you will be picking a regulation/law (suggestions below) and reading part of it.
Laws and regulations
Select a law/regulation from the following list. Or use this list as inspiration and select your own regulation to read. I encourage exploring Canadian regulation, but you are welcome to select from regulations worldwide as long as they have a clear connection to privacy or security.
Did you feel that you were able to understand the part of the regulation you read?
As an Engineer, do you feel like you could implement what you read?
See data visible to websites
Your web browser provides lots of facts to webpages and to JavaScript as part of normal operations. These facts are helpful in that they let pages properly adapt content to match the capabilities of the computer and monitor they are on. But they can also be used to uniquely fingerprint and track users.
In this activity you will be looking at the types of information visible
Steps
Visit the Cover Your Tracks website using your normal web browser using your normal settings. Click “Test Your Browser”.
Make sure to scroll down on the results page to see all the different types of data the site was able to collect about your browser.
Try visiting the page again using a privacy-preserving mode like Private Browsing, or Incognito.
Try visiting with a different browser than your normal one.
We often visit websites and simply assume that the website we are seeing is the real one. But that is not always the case and for important websites you might want to do some verification. Man in the Middle Attacks can and do happen so web browsers use certificate authorities to verify the identity of websites. You have the ability to see these checks.
Steps
The following steps are written for Firefox but similar steps will work on most modern browsers.
Visit a website that is likely to pay for enhanced verification. Unfortunately not many sites, even banks, do this, so I recommend trying one of the following first to see what enhanced verification looks like and then trying other possibilities:
You should see “Certificate issued to:” followed by the organization’s name. If this information is missing, then the organization has not paid for enhanced verification.
Click on “Connection secure” to see more details. Note that now the full name and address are shown.
Click on “More information” -> “View Certificate”
This page lists the certificate chain that verifies this website. On the left is the organization’s certificate which has been signed. Then the certificate authorities that did the verification.
Look in the “Certificate Policies” section where it should say “Domain Validation”, “Organization Validation”, or “Extended Validation”.
Now try visiting a site that is likely less willing to pay for enhanced verification but is still relatively large. Below are some suggestions:
How did the websites and certificates in the pages you looked at differ?
What did you learn about how companies express their identity to end users?
Few sites pay for extended validation. Is that a rational choice for companies to make?
Listen to Phish
This activity requires you (or someone physically near you) to receive a scam communication. So I recommend starting this activity a bit earlier than others since it is hard to control when a scam might happen. If you really don’t receive any scams, try talking to your friends or family about ones they have seen recently.
All you need to do is read or listen to the full scam communication and then think critically about the following questions. There is no need to progress past the initial communication. It is fine to hang up after the initial pitch by them, you do not need to speak to anyone, and you do not need to click any links. Please also review the safety guidance below.
Questions to think about
Who is the scammer claiming to be?
What would a real communication from that group or individual look like? (It is ok to answer that you do not know.)
How did you determine this was a scam/phishing?
What do you think the scammer is trying to achieve? This one may be challenging to impossible to answer, but trying guessing.
How confident are you in your assessment? Could you be wrong?
If you are unsure, how might you double check if the communication is valid or phishing?
Safety
Do not:
Give out real data
Click on links in suspected scams/phishing (unless you are on a safe VM, and even then be very careful)
Give them your real name or contact details
Email them back - many email providers (though maybe not UWaterloo) use Greylisting where the mail server considers if you have ever emailed the sender before when creating its spam score. The reasoning is that you normally only email valid contacts. But if you email a scammer, then the next email they send will get a score boost from the greylist and consequently may not catch a subtle scam. Avoid emailing scammers.
You can:
Run wget on any links and look at the resulting page in a text editor. Do not open it with a web browser.
Give the scammer a fake name or address
Avoid using the contact information of the University you attend. Better to pick a large location in a populous city like Toronto.
Talk vocally to the scammer. There is some risk that by answering you may git put on a “willing to answer” scammer list. But otherwise just talking to a scammer is not harmful if you pay attention to the rules above.
Reflection questions
Answer the questions above.
Add at least one sentence of self-reflection.
Learn more
Scams are often obvious because they occur outside the context we expect. That makes them easy to identify. But scams work by finding one person where that message does make sense. And just about anyone can fall for phishing:
Pluralistic: How I got scammed - account of Cory Doctorow who is a security researcher and was successfully scammed by someone pretending to be his bank.
Each lecture has a required set of readings that should be completed before lecture. Most weeks there will be one research paper and then other lighter readings such as news articles, opinion pieces, laws, regulations, or other guidance documents.
Required readings can be found on the lecture pages for each lecture.
Weekly reflection form
Every week you will be turning in a filled in form and self reflection about one of the required research paper readings for the week that contain an experiment (see below). Even though multiple papers are required reading, only one needs to be written up in the form and submitted.
If none of the papers for a week contain an experiment (rare), then you can choose any of the readings assigned that week and the study design portion is not required. Below I list all weeks where such a situation happens.
Some papers have multiple studies. For example, they might describe an interview which was then used to design and run a survey. If that happens, then fill out the form once but choose multiple options to fit the different studies. For example, for methods you might write both “interview” and “survey”.
Turn in a PDF of the form. I have provided a version in Word below as well as Markdown and a website version you can copy into your favorite editor format. The final version needs to have the same sections. But if you want to convert it to a different format, such as LaTeX, that is fine.
Week 2 - there is no experiment paper assigned, so the “study design” section of the form does not need to be filled out and any paper assigned in week 2 can be chosen. Only the citation and summary are required this week.
