
G53PEC-E1

The University of Nottingham


Malaysia Campus
SCHOOL OF COMPUTER SCIENCE

A LEVEL 3 MODULE, AUTUMN SEMESTER 2016-2017

Professional Ethics in Computing

Time allowed: ONE HOUR

Candidates must NOT start writing their answers until told to do so

Answer ONE Question From Section A and ONE Question From Section B

Only silent, self-contained calculators with a single-line display are permitted in this
examination.

Dictionaries are not allowed with one exception. Those whose first language is not English
may use a standard translation dictionary to translate between that language and English
provided that neither language is the subject of this examination. Subject specific translation
dictionaries are not permitted.

No electronic devices capable of storing and retrieving text, including electronic dictionaries,
may be used.

DO NOT turn examination paper over until instructed to do so


SECTION A

Answer ONE Question From This Section

A1. This is a question on Computer Crimes. Answer all sub-questions.

a. A network administrator turned on his computer and found a pop-up that read
“PAY $20,000 OR WE WILL DOS YOUR NETWORK!!”

This scenario involves two types of computer crime. Name and briefly explain
each of the two aspects.
[4 marks]

* DOS = Denial of Service

b. For some hackers, the motive is the intellectual challenge of breaking into an
unauthorized computer system. A hacker who views no personal data, alters
nothing, and has no destructive intent claims that his hacking is harmless.
Write a rebuttal to this claim, explaining the harm caused even when no data is
accessed, stolen, modified, or destroyed.
[5 marks]

c. Describe the three main concerns with the use of passwords for authentication.
Explain what is meant by a social engineering attack on a password.
[4 marks]

d. Explain how “phishing” is typically carried out and how it can be prevented.
[6 marks]

e. A friend is setting up a small home network that is to have access to the World
Wide Web. Identify two possible external threats to data that is stored on a
network and explain how you would try to prevent them.
[6 marks]

A2. This is a question on Privacy and Free Speech. Answer all sub-questions.
……
SECTION B

Answer ONE Question From This Section

B1. The following questions pertain to Intellectual Property. Answer all
sub-questions.

Imagine that you work for a Malaysian company that is developing face recognition
software that it wishes to exploit commercially. Explain what protection the law
provides your company under each one of the following circumstances.

a. The company wishes to sell single user licenses of their software to anyone in
the world who wishes to pay for it.
[5 marks]

b. The company wishes to sell separate multi-user licences of their software to
the police forces of different states.
[5 marks]

c. The company has developed a novel algorithm that provides faster and more
accurate performance than any other commercial face recognition software.
How can it prevent competitors from reverse engineering the software and
making use of the same algorithm?
[5 marks]

d. The company has developed a highly distinctive user interface that gives it
instant brand recognition. How can it prevent competitors from creating illicit
"clone" versions of this user interface?
[5 marks]

e. One of the company’s software developers wishes to claim credit for the
software on his CV. What, if any, protection is he given under the law that
would allow him to do this?
[5 marks]

B2. The following questions pertain to Professional Ethics. Answer all
sub-questions.

……
Sample Answers
A1

a+b:
(Poor answer) The issue here is that hackers are accessing sites without
authorization. This makes it a crime. Regardless of whether or not they modify or
steal any data, they have somehow bypassed the site's security to gain access. It's
just like trespassing. It doesn't matter if they took anything, they were trespassing
and that is a violation of computer crime laws. They should be punished. (The
question didn't ask if it was a crime, it asked to explain the harm caused.) (0-2)

(Weak answer) A hacker who steals and alters nothing has still violated your privacy
rights. Even though they have no destructive intent, the hacker is being intrusive. If
I knew someone had looked through my computer which contains personal photos,
email, etc. I would definitely feel intruded upon. The hacker has no right to do
that. (While "invasion of privacy" could be considered a "harm" there are many more
direct and more damaging consequences this answer failed to mention.) (3)

(Good answer) Even with no harmful intent, a hacker may inadvertently change
something that causes damage. For example, hackers usually try to erase evidence
of their snooping, and he might erase the wrong thing. The victim will have to spend
money to figure out where their security had a hole and fix it. Companies that rely on
their data will have to have someone make sure nothing was changed; they can't just
take the hacker's word for it. In California, companies have to inform their customers
if their data has been victim of hacking, so they have to send out letters. The hacker
may brag to other hackers about his "conquest" thus making the site a target for
malicious hackers. (4-5)

c:
Three main concerns with the use of passwords for authentication:
• Will the user disclose the password to another person intentionally,
accidentally, or because they were deceived? (1)
• Will the user be able to regularly enter the password correctly? (1)
• Will users be able to remember their passwords or will they have to
record them somewhere or choose easily guessed passwords? (1)

When an attacker obtains a password directly from its user by deceit the attack
is known as social engineering. (1)

d:
Phishing is a crime that starts with deceptive e-mails being sent to
consumers. These messages are made to look as if they come from the
person's bank, in an effort to get the intended victim to reveal personal
information, such as bank account numbers and online passwords. The crime
succeeds because the e-mails look legitimate, with realistic bank logos and
web site addresses (URLs) that are very similar to the bank URLs. (3)

Banks don't use e-mail communications to ask for personal information
because e-mail is not secure. Hit the delete button and never respond to
such an e-mail. When you wish to address an issue that requires personal
account information, visit your bank in person, use its secure web site, place
a phone call or write a letter. (3)

e:
The network could be targeted by hackers (1) who are trying to gain
unauthorised access to the network. (1) This could be prevented by installing
a firewall. (1)

A virus could be introduced via email (1) which could delete all data on the
network. (1) This could be prevented by running up-to-date virus scanning
software which would detect and isolate them. (1)
