CSC 300 Professional Responsibilities Quiz 2 Solutions

Student Name:

Please answer the following questions in the space provided. Each question is worth 10 points, for a total of 20.

Encryption and Interception of Electronic Communication

Communication utilizing electronic devices (e.g. cell phones, computers, fax machines) has become a widely used method for exchanging information among individuals, groups, corporations and other organizations.

What are some of the main advantages of using encryption? Consider not only the perspective of individuals, but other perspectives as well.
- Main Issue: Confidentiality of Communication and Information
- Individuals:
  - protection of the right to privacy
  - secure storage and transfer of sensitive information (health, financial, personal, ...)
  - secure storage and transfer of valuable digital documents (digital cash, certificates, ...)
  - secure online transactions (shopping, bill payments, ...)
  - verification and authentication of identity
- Groups and Organizations:
  - see above
  - research in new technologies
- Companies:
  - secure storage and transfer of sensitive information (business documents, confidential data, personnel information, ...)
  - secure online transactions (requests, orders, payments, ...)
  - protection of intellectual property (copyright)
  - verification and authentication of identity (authorization)
  - more efficient business transactions
- Government and Law Enforcement:
  - secure storage and transfer of sensitive information (government documents, confidential data, personnel information, law enforcement information, ...)
  - military communication and storage of information
  - verification and authentication of identity (government/law enforcement personnel, roles, authorization)
- Society:
  - higher protection of privacy
  - more secure and possibly more efficient interaction and economic transactions
What are some of the main disadvantages of using encryption? Again, consider various perspectives.
- Main Issue: Access to questionable activities and information can be prevented
- Individuals:
  - the use of encryption causes some overhead (computing power, storage, bandwidth, infrastructure)
  - loss of information (loss of keys, insufficient key recovery plan)
- Groups and Organizations:
  - see above
  - legitimate access to information may become impossible
- Companies:
  - consequences of flaws in systems that rely on encryption can be more severe (unauthorized access spreads widely, hidden dependencies between systems)
- Government and Law Enforcement:
  - consequences of flaws in systems that rely on encryption can be more severe (see above)
  - legitimate access to information may become impossible
- Society:
  - false sense of security
  - paranoia about privacy, confidentiality, potential abuses
  - more difficult role for law enforcement
  - limited availability (requires computer, software, skills, ...)

Could Therac happen to you?

Assume that you are the software engineer responsible for the design and implementation of the software that controls a device like the Therac 25. Based on the knowledge and skills that you have acquired through your studies and practical experience, what are some important factors that could influence that task? Consider aspects that would prevent such problems from happening (or at least make it less likely, or more difficult), and aspects that could still lead to similar problems, despite advances in technology.

Requirements and Specifications
- careful elicitation of requirements (users,
Design for Safety
- identify possible problems, and consider them in the design
- redundancy of safety precautions (software, hardware, operating instructions, ...)
- critical evaluation of the design
- usability evaluation (human factors, usage of devices)
Formal Verification of Software and Hardware Aspects
- formal proofs of certain critical properties
Testing
- extra thorough tests for safety-critical aspects
- test methods that guarantee coverage of all (critical) aspects
- prototype testing under strict safety provisions
- consideration of parts vs. whole system testing
- re-testing of re-used components under new conditions
Controlled Process
- changes in requirements, features must be considered and integrated in a carefully controlled way
- coordination of the different steps involved (requirements elicitation, specification, design, implementation, deployment, maintenance, upgrade, ...)
- sufficient resources (time, money, people, ...)
- distribution of critical documents to all relevant parties
- accountability and responsibility
Evaluation of Risks/Benefits Ratio
- study of the expected problems (frequency, severity) vs. expected benefits
Domain Expertise
- sufficient knowledge of the application domain in order to recognize critical aspects
Collection of Data from Operational Systems
- early detection of possible problems
- deterioration of critical aspects can be noticed
Self-Recovery Features
- automatic restart/reset
- shutoff of faulty components or function
User Feedback
- process to evaluate, react to, and distribute user feedback
Factors beyond developer's control
- system complexity (especially real-time aspects)
- human error
- reliability of hardware, OS, other software used
- operating conditions
- maintenance

FJK Home

CSC 300