1) What is the first step in problem-solving? A) Writing code B) Debugging C) Understanding the problem D) Optimizing the solution Answer: C 2) Which of these is not a step in the problem-solving process? A) Algorithm development B) Problem analysis C) Random guessing D) Testing and debugging Answer: C 3) What is an algorithm? A) A high-level programming language B) A step-by-step procedure to solve a problem C) A flowchart D) A data structure Answer: B 4) Which of these is the simplest data structure for representing a sequence of elements? A) Dictionary B) List C) Set D) Tuple Answer: B 5) What does a flowchart represent? A) Errors in a program B) A graphical representation of an algorithm C) The final solution to a problem D) A set of Python modules Answer: B 6) What is pseudocode? A) Code written in Python B) Fake code written for fun C) An informal high-level description of an algorithm D) A tool for testing code Answer: C 7) Which of the following tools is NOT commonly used in pr...
User Authentication
* Protection, dealt with making sure that only certain users were allowed to perform certain tasks, i.e. that a users privileges were dependent on his or her identity. But how does one verify that identity to begin with?
Passwords
* Passwords are the most common form of user authentication. If the user is in
possession of the correct password, then they are considered to have identified
themselves.
* In theory separate passwords could be implemented for separate activities, such as reading this file, writing that file, etc. In practice most systems use one password to confirm user identity, and then authorization is based upon that identification. This is a result of the classic trade-off between security and convenience.
Password Vulnerabilities
* Passwords can be guessed.
• Intelligent guessing requires knowing something about the intended target in specific, or about people and commonly used passwords in general.
• Brute-force guessing involves trying every word in the dictionary, or every valid combination of characters. For this reason good passwords should not be in any dictionary ( in any language ), should be reasonably lengthy, and should use the full range of allowable characters by including
upper and lower case characters,numbers, and special symbols.
* "Shoulder surfing" involves looking over people's shoulders while they are typing in their password.
• Even if the lurker does not get the entire password, they may get enough clues to narrow it down, especially if they watch on repeated occasions.
• Common courtesy dictates that you look away from the keyboard while someone is typing their password.
• Passwords echoed as stars or dots still give clues, because an observer can
determine how many characters are in the password.
* "Packet sniffing" involves putting a monitor on a network connection and reading data contained in those packets.
• SSH encrypts all packets, reducing the effectiveness of packet sniffing.
• However you should still never e-mail a password, particularly not with the word "password" in the same message or worse yet the subject header.
• Beware of any system that transmits passwords in clear text. (“Thank you
for signing up for XYZ. Your new account and password information are shown below". ) You probably want to have a spare throw-away password to give these entities, instead of using the same high-security password that you use for banking or other confidential uses.
* Long hard to remember passwords are often written down, particularly if they are used seldom or must be changed frequently. Hence a security trade-off of passwords that are easily divined versus those that get written down.
* Passwords can be given away to friends or co-workers, destroying the integrity of the entire user-identification system.
* Most systems have configurable parameters controlling password generation and what constitutes acceptable passwords.
• They may be user chosen or machine generated.
• They may have minimum and/or maximum length requirements.
• They may need to be changed with a given frequency. (In extreme cases for every session.)
• A variable length history can prevent repeating passwords.
• More or less stringent checks can be made against password dictionaries.
Encrypted Passwords
* Modern systems do not store passwords in clear-text form, and hence there is no
mechanism to look up an existing password.
* Rather they are encrypted and stored in that form. When a user enters their password, that too is encrypted, and if the encrypted version matches, then user authentication passes.
* The encryption scheme was once considered safe enough that the encrypted versions were stored in the publicly readable file "/etc/passwd".
• They always encrypted to a 13 character string, so an account could be disabled by putting a string of any other length into the password field.
• Modern computers can try every possible password combination in a reasonably short time, so now the encrypted passwords are stored in files that are only readable by the super user. Any password-related programs run as setuid root to get access to these files. ( /etc/shadow )
• A random seed is included as part of the password generation process, and stored as part of the encrypted password. This ensures that if two accounts have the same plain-text password that they will not have the same encrypted password. However cutting and pasting encrypted passwords from one account to another will give them the same plain-text passwords.
One-Time Passwords
* One-time passwords resist shoulder surfing and other attacks where an observer is able to capture a password typed in by a user.
• These are often based on a challenge and a response. Because the challenge is different each time, the old response will not be valid for future challenges.
-> For example, The user may be in possession of a secret function f(x). The system challenges with some given value for x, and the user responds with f(x), which the system can then verify. Since
the challenger gives a different (random) x each time, the answer is constantly changing.
-> A variation uses a map (e.g. a road map) as the key. Today's question might be "On what corner is SEO located?", and
tomorrow's question might be "How far is it from Navy Pier to Wrigley Field?" Obviously "Taylor and Morgan" would not be accepted as a valid answer for the second question!
• Another option is to have some sort of electronic card with a series of constantly changing numbers, based on the current time. The user enters the current number on the card, which will only be valid for a few seconds. A two-factor authorization also requires a traditional password
in addition to the number on the card, so others may not use it if it were ever lost or stolen.
• A third variation is a code book, or one-time pad. In this scheme a long list of passwords is generated and each one is crossed off and cancelled as it is used. Obviously it is important to keep the pad secure.
Biometrics
* Biometrics involve a physical characteristic of the user that is not easily forged or duplicated and not likely to be identical between multiple users.
• Fingerprint scanners are getting faster, more accurate, and more economical.
• Palm readers can check thermal properties, finger length, etc.
• Retinal scanners examine the back of the users' eyes.
• Voiceprint analyzers distinguish particular voices.
• Difficulties may arise in the event of colds, injuries, or other physiological changes