CS513 Homework 1: Cornell's Security Policies

General Instructions. You are expected to work alone on this assignment.

Due Date: Tuesday, Feb 3, 2004. In class. No late assignments will be accepted.

Problem Description. This assignment is a vehicle for you to better understand various security policies that apply to students using computers supported by the Computer Science Department and Cornell University.

Policies that define what constitutes acceptable computer use can be found at:

As a CS513 student, you obviously need to know your responsibilities. Studying these policies will ensure that you know the limits. Moreover, as a system security expert, you might some day be asked to write a security policy or to evaluate somebody's actions relative to such a policy. One of the best ways to understand the consequences of what is said in a policy is to contemplate that policy relative to specific examples of behaviors. And that's what this assignment is all about.

  1. Study the above policies (and the various policies that are linked to them).

  2. Prepare a position paper (typed using 10 point type or larger, at most 1 page, single-side) that discusses whether the following behavior is permitted. Buttress your argument by including references to and excerpts from the applicable policies.

    A CS513 student invents and programs a tool that would allow anyone to impersonate any network identifier and log on to the University's network. (Among other things, this would give access to all email, student grades, and student financial statements.) The inventor does not actually use this tool (since that would be a clear violation of University policy) but simply posts it to a well-known website. Instructions for using the tool are also posted.

  3. Prepare a position paper (typed using 10 point type or larger, at most 1 page, single-side) that discusses whether the following behavior is permitted. Buttress your argument by including references to and excerpts from the applicable policies.

    A CS513 student figures out a way that would allow anyone to impersonate any network identifier and log on to the University's network. (Among other things, this would give access to all email, student grades, and student financial statements.) The inventor does not actually program the scheme but simply posts a discussion of how the attack would work to a well-known website.