05-436 / 05-836 / 08-534 / 08-734 Usable Privacy and Security

Homework 6

Print your homework out and submit it in person at the start of class (3:00pm) on Thursday, February 27th. Homework will not be accepted after 3:05pm on that day.

• Part 1 (50 points): Write a 3--7 sentence summary and short "highlight" for each of the readings assigned for February 25th and February 27th. Students taking the 12-unit version of this class must also submit a summary and highlight for one of the optional readings from either of those days.


• Part 2 (50 points): USB flash drives can spread infections in a number of ways. (One example.) Attackers may distribute infected flash drives by leaving them around where employees of a target company are likely to pick them up. In addition, a user who uses a flash drive to exchange files with another user whose machine is already infected, may pick up the infection on the flash drive and bring it to their own machine. Some companies are prohibiting their employees form using flash drives, but others are just asking their employees to be careful.
  
  Imagine a security tool that runs on a user's computer and monitors the USB ports, looking for programs that run automatically when a flash drive is plugged in. When an autorun program is detected it prevents it from running and displays a warning. The warning dialog offers users the option of letting the program run.
  
  Your first task (to be done in class) is to design the warning using the design tool at http://saucers.cups.cs.cmu.edu/~cbravo/woda/ You may do this yourself or work with someone else. If you are not in class, do this at home. Use the NEAT and SPRUCE guidelines as you develop your design.
  
  Your next task (to be done individually at home and turned in with your homework) is to critique someone else's warning. Go to http://saucers.cups.cs.cmu.edu/~cbravo/woda/ and critique the warning that was submitted immediately before yours. If you submitted the first one then critique the last warning submitted. Please write one bullet point addressing each of the NEAT and SPRUCE messages. Then briefly discuss any additional factors you think might be relevant that are not addressed by NEAT and SPRUCE.