🧠 ETHC303 — Quiz 2 Cheat Sheet Network Security & Privacy (Cloud Computing) · Privacy Issues in Cyberspace

Reverse-Engineered Exam Cheat Sheet

Built directly from your past ETHC303 exam questions on these two chapters — not from the slides. Every entry below exists because it helps you answer a real exam question style, even if the professor changes the wording, the scenario, or the order of options.

📘 Scope: Network Security & Privacy (Cloud Computing) + Privacy Issues in Cyberspace

1. Key Concepts

☁️ Cloud Computing — Core Concepts

Cloud Computing

Definition: "A style of computing where massively scalable IT-enabled capabilities are delivered 'as a service' to external customers using Internet technologies."

Why it matters

Every ethical/security issue in this chapter flows from one root fact: your data and programs live on someone else's infrastructure, not yours.

Common exam wording

"organization adopts cloud computing, assuming efficiency gains..." / "massively scalable... as a service"

Example

A hospital storing patient files on Google Cloud instead of an in-house server.

SaaS / PaaS / IaaS / EaaS

Definition: Service models describing what layer the cloud provider delivers.

Why it matters

A real exam question (Q5) tested exactly this: swapping SaaS and EaaS definitions to make a false statement.

Common exam wording

"X offers online application programs" vs "X offers hardware resources such as CPU and storage."

Example

Gmail = SaaS (the app). AWS EC2 = IaaS/EaaS (the raw hardware/CPU/storage).

Data Breach

Definition: Exposure of information not intended for public release — health, financial, PII, trade secrets, IP — caused by a targeted attack, human error, app vulnerability, or poor security.

Why it matters

The professor tests whether you can tell WHO is responsible: hacker, the provider itself, or a third party — often you never know.

Common exam wording

"attackers modify data and maintain access without exploiting infrastructure vulnerabilities..."

Example

A clinic's cloud database exposing patient records after an employee misconfigures access settings.

Data Loss

Definition: Permanent loss of data via malicious attack, natural disaster, or a provider-side data wipe/accidental deletion.

Why it matters

⚠️ Confused constantly with "Data Breach" (breach = exposure/theft; loss = data is gone).

Common exam wording

"Amazon... permanently destroying customer data" / "Google lost data when lightning struck its power grid."

Example

A fire destroys a data center with no backup — customer files are gone forever.

Account Hijacking

Definition: Attackers use stolen/compromised login credentials to remotely access, manipulate, or falsify cloud data and redirect users to illegitimate sites.

Why it matters

Directly threatens CIA (Confidentiality, Integrity, Availability) of the cloud service.

Common exam wording

"attackers can eavesdrop on activities... manipulate data... redirect clients to illegitimate sites."

Example

A phished employee's cloud login is used to alter shared financial reports.

Malware Injection

Definition: Malicious script/code embedded into a cloud service so it runs as a "valid instance" of that SaaS/service.

Why it matters

Exam trap: it isn't an outside attack — the malicious code hides inside what looks like legitimate software.

Common exam wording

"scripts or code embedded into cloud services that act as valid instances."

Example

A rogue plugin uploaded to a SaaS marketplace that spies once installed.

Shared Vulnerabilities / Shared Responsibility

Definition: Cloud security is split between provider (infrastructure) and client (their own passwords, access, MFA).

Why it matters

Tests whether you know a breach can be the CLIENT's fault, not the provider's.

Common exam wording

"weak protection system at the client's systems" / "fine-grain control is up to you."

Example

Dropbox secures its servers, but a user reusing a weak password is still hacked.

Insecure APIs / Excessive Implicit Trust

Definition: Attackers abuse legitimate, trusted API calls/interfaces rather than exploiting infrastructure bugs or stealing new credentials.

Why it matters

⭐ Appeared verbatim in a past exam (Q6): logs showed only "legitimate API calls" — the trick was realizing trust itself was abused.

Common exam wording

"maintain access without exploiting infrastructure vulnerabilities or stealing new credentials... only legitimate API calls."

Example

An app with over-broad API permissions is used to quietly pull more data than intended.

Advanced Persistent Threat (APT)

Definition: A long-term, stealthy, targeted attack where the attacker stays undetected in a system for an extended period.

Why it matters

Keyword trigger: "persistent" + "undetected" + "over time" = APT, not a one-off breach.

Common exam wording

"remains undetected for an extended period... continuously monitors and exploits."

Example

A nation-state actor silently sits inside a company's cloud environment for months, harvesting data.

Ethical Issues of Cloud Computing (non-technical)

Definition: Compliance, Discrimination, Spiteful Activity, Intellectual Property misuse, Policies ignoring customer interest, Social/affordability issues.

Why it matters

These are the "soft" ethics issues examiners love turning into true/false traps — see List section below.

Common exam wording

"vendors may prioritize high-paying clients" (Discrimination) vs "former/disgruntled employees doing harm" (Spiteful Activity).

Example

A small business can't afford the same cloud tier as a competitor → Social/affordability issue.

🔐 Privacy Issues in Cyberspace — Core Concepts

Privacy vs. Information Privacy

Definition: Privacy = the right to be let alone, freedom from interference/intrusion. Information Privacy = control over the flow of one's personal information, including its transfer and exchange.

Why it matters

The foundational definition — almost every question in this chapter is really about who controls the flow of data.

Common exam wording

"control over the flow of one's personal information."

Example

You can be "alone" in your house (privacy) yet still have your smart TV leaking viewing data (information privacy violated).

Internet Cookies

Definition: Files a website sends to/retrieves from a user's computer to collect browsing preference data; re-submitted on the next visit.

Why it matters

Cookies aren't automatically evil — they customize retrieval and store preferences, but they also enable tracking/ads.

Common exam wording

"downloading of that information onto a user's computer without informing the user."

Example

A shopping site "remembering" your cart between visits.

Flash Cookies (Supercookies)

Definition: More persistent cookies that survive normal cookie deletion/cache clearing; cannot be removed by anti-spyware tools.

Why it matters

⭐ Exact exam wording appeared: "website cookies that are hard to detect and delete" = Flash Cookies.

Common exam wording

"hard to detect and delete" / "cannot be deleted by commercially available anti-spyware."

Example

A "Better Privacy" Firefox add-on is needed specifically because normal deletion fails.

Device Fingerprinting

Definition: A summary of a device's software/hardware settings (fonts, clock, browser config) unique enough to identify it, used like a cookie.

Why it matters

⭐ Exact exam wording: "Summary of the software and hardware settings collected from a computer or other device" = Fingerprinting.

Common exam wording

"leaves no evidence on a user's computer" / "impossible to know when you are being tracked."

Example

You clear all cookies but ad networks still recognize your laptop by its unique settings.

Cross-Device Tracking

Definition: Linking a single consumer's activity across their phone, tablet, and desktop.

Why it matters

Distinguish from fingerprinting (one device) — cross-device links MULTIPLE devices to one person.

Common exam wording

"connect a consumer's activity across smartphones, tablets, and desktops."

Example

You search shoes on your phone, then see the ad on your laptop.

Data Mining & Profiling

Definition: Data mining extracts patterns from large datasets; profiling uses those patterns to predict an individual's interests/behavior and make decisions about them.

Why it matters

⭐ Exact exam wording: "shopping data can be used to promote healthy habits, but may also influence insurance coverage" = behavioral profiling.

Common exam wording

"predict interests and behaviour" / "refusal of insurance or a credit card."

Example

An insurer raises your premium based on your grocery-purchase patterns.

RFID

Definition: Radio-Frequency Identification — chips readable from a limited distance, consisting of a tag and a reader.

Why it matters

⭐ Verbatim exam definition: "Chips can be read from a limited distance, consisting of a tag and a reader."

Common exam wording

"tag and a reader" / "limited distance."

Example

Store inventory tags, or contactless access badges.

Biometrics

Definition: Identify/verify identity using intrinsic physical or behavioral traits (fingerprint, iris, face, voice, DNA).

Why it matters

⭐ Unlike passwords, biometric data cannot be revoked or reissued if compromised — favorite exam fact.

Common exam wording

"verify people's identities using their intrinsic physical characteristics."

Example

iPhone Face ID / fingerprint unlock.

Surveillance Drones

Definition: Unmanned aerial systems carrying cameras, heat sensors, radar, Wi-Fi crackers, and sometimes fake cell towers/less-lethal weapons.

Why it matters

Raises both privacy AND civil liberties concerns — can intercept texts/calls, not just take photos.

Common exam wording

"stay in air for hours... scan entire cities."

Example

Police drone tracking a protest crowd.

Computer Matching vs. Computer Merging

Definition: Matching = cross-checking two+ databases to find "hits" (e.g., catching law violators). Merging = integrating multiple databases into one central database (data-banking).

Why it matters

Consent given to ONE agency does not authorize sharing/integrating with OTHERS — this is the ethical crux.

Common exam wording

"contextual integrity... violated" / "individual is not aware... being integrated."

Example

Matching = comparing a welfare-recipients list against an employment-income list to find fraud. Merging = combining your bank, medical, and shopping data into one master profile.

Internet of Things (IoT) & Mobile Devices

Definition: Everyday connected devices (smart meters, thermostats, phones) generate continuous data usable for mining/profiling; GPS enables location tracking even without a GPS chip (via Wi-Fi network monitoring).

Why it matters

User autonomy is the "central theme" the professor highlights for IoT privacy.

Common exam wording

"user autonomy is a central theme" / "location data links the online world to the physical environment."

Example

A smart thermostat's usage pattern reveals when you're away from home (burglary risk).

2. Lists to Memorize

⭐ Verbatim past-exam matching list (Question 4, Part One)

Data-collection techniques you must be able to instantly recognize from a description:

🧠 Mnemonic: "Rich Frogs Do First Take Data In Video For Cross Bio GPS Behavior" — or simpler, group them mentally as Physical (RFID, Drone, Video, GPS) vs Digital-tracking (Cookies, Flash-cookies, Fingerprinting, Cross-device) vs Identity (Biometrics, IRIS) vs Analysis (Data Mining, Profiling).

⭐ Verbatim past-exam list (Question 4, Part Two) — Countermeasures

🧠 Match by symptom → cure: Scenario mentions a virus/spyware → Anti-virus. Mentions sensitive data over a network → Encryption. Mentions employees misusing access → Raise Awareness or Access Control. Mentions login/identity → MFA.

12 Advantages of Cloud Computing 🧠

  1. Economical — reduced/incremental cost, no owned infrastructure
  2. Increased Storage — more than private systems
  3. Flexibility — more than past computing methods
  4. Mobility — access info from anywhere
  5. Shift Focus — rent processing power instead of buying hardware
  6. Insight — integrated analytics, bird's-eye view of data
  7. Collaboration — simple team sharing across a platform
  8. Quality Control — one place, one format, fewer errors
  9. Disaster Recovery — quick recovery in emergencies
  10. Loss Prevention — data safe even if your own device fails
  11. Automatic Software Updates — no manual IT rollout needed
  12. Sustainability — less hardware/paper waste, lower emissions
⚠️ Exam Trap: "Bird's-eye view of data" = Insight, NOT Collaboration. The exam deliberately swapped these (Q5.2).

Ethical Issues of Cloud Computing 🧠

⚠️ Exam Trap: Discrimination (favoring rich clients) vs Spiteful Activity (insiders doing harm) are commonly swapped in true/false questions (Q5.3 exactly).

Tips for Safer Social Networking 🧠

  1. Use a strong, unique password (don't reuse across sites/eID)
  2. Provide as little personal information as possible (avoid birth date, address)
  3. Understand & customize privacy settings on every account
  4. Don't allow 3rd-party apps to access your info if avoidable
  5. Be careful about what you post
  6. Be suspicious of friend/follow requests
⚠️ Exam Trap: Nomophobia (fear of being without your phone) is NOT a safety tip — it's a smartphone-addiction risk. The exam listed it as a false "tip" (Q5.5).

Benefits of Promoting a Brand on Social Media 🧠

⚠️ Exam Trap: "Exposure to Competitors" is NOT on the benefits list — it was inserted as a false statement (Q5.4). The real listed benefit in that spot is Improved Customer Insights.

Changes to Privacy Caused by Cybertechnology

  1. Amount of personal information collectible (huge, low storage cost)
  2. Speed of transmission (milliseconds across networks)
  3. Duration/permanence and ease of duplication of digital records
  4. Ability to combine/merge/match previously separate data sources

3. Common Comparisons

Concept A Concept B Key Distinction
First-party Cookies Third-party Cookies Set by the site you're on to improve YOUR experience/functionality vs. set by outside domains (advertisers) to track you across many sites.
Cookies Flash Cookies Regular cookies are easy to delete/expire; flash cookies ("supercookies") survive normal deletion and need special tools (e.g., Better Privacy add-on) to remove.
Cookies/Flash Cookies Device Fingerprinting Cookies leave a file on your device (can be found/deleted); fingerprinting leaves NO trace — you can never know you're tracked.
Computer Matching Computer Merging Matching = cross-checking 2+ separate databases to find "hits" (e.g., fraud detection). Merging = combining databases into ONE central file ("data-banking").
Data Mining Profiling Data mining = extracting patterns from raw data. Profiling = USING those patterns to categorize/predict/make decisions about a specific person.
Privacy Information Privacy Privacy = right to be let alone (broad). Information Privacy = specific control over the flow/exchange of one's personal data.
Data Breach Data Loss Breach = unauthorized exposure/access (data still exists, just seen by wrong party). Loss = data permanently destroyed/gone.
Discrimination (cloud) Spiteful Activity (cloud) Discrimination = provider favors big paying clients over small ones. Spiteful Activity = insiders/ex-employees intentionally sabotage data/systems.
SaaS EaaS / IaaS SaaS = online application software provided by the cloud provider. EaaS/IaaS = raw hardware resources (CPU, storage, equipment).
Passive Network Attack Active Network Attack (e.g., MITM) Passive = attacker only listens/intercepts traffic (eavesdropping). Active = attacker also alters/injects into the communication flow, undetected.
Raw Personal Data Derived/Aggregated Data (profiles) Raw data = direct identifiers. Derived/aggregated data (behavioral profiles) can still be highly sensitive even without direct identifiers — a common exam scenario twist.
Cross-device Tracking Device Fingerprinting Cross-device links ONE user across MULTIPLE devices. Fingerprinting identifies ONE device via its unique settings.

4. Scenario Questions

Type A: "Description → Technique/Countermeasure" matching

How to recognize it: A table/list gives short factual descriptions and asks you to match each to a term from a word bank (exactly like past Question 4).

Reasoning process: Underline the ONE distinguishing keyword in the description (e.g., "tag and reader" → RFID; "hard to detect and delete" → Flash cookies; "intrinsic physical characteristics" → Biometrics). Then check if a countermeasure is being requested — match by symptom→cure (see list above).

Common mistakes: Confusing Fingerprinting (device settings) with Biometrics (physical human traits); confusing First vs Third-party cookies; picking Firewall when Encryption fits better (data-in-transit vs blocked-access scenarios).

For full marks: Match term-for-term with no blanks; if unsure between two similar terms, pick the one whose EXACT defining phrase appears in the scenario text.

Type B: "False statement → pick the correction" (Question 5 style)

How to recognize it: A statement is given as false; you choose which of two near-identical rewordings makes it TRUE. Wrong picks lose marks (no guessing!).

Reasoning process: Identify which single word/phrase was swapped (usually a term-for-term swap like SaaS↔EaaS, Collaboration↔Insight, Data loss↔Discrimination, Nomophobia↔an actual tip, Exposure to Competitors↔Customer Insights). Recall the correct pairing from the Lists section, then pick the option restoring the correct pairing.

Common mistakes: Picking an option that "sounds right" grammatically but swaps in the WRONG concept; not re-reading both options carefully since they look almost identical.

For full marks: Only select an answer when certain — since wrong answers are penalized, when torn, skip rather than guess.

Type C: Cloud/security "which explanation fits" MCQ (Questions 6-10 style)

How to recognize it: A short technical scenario (breach, unresponsive system, regulatory issue) is described, then 4 competing "most consistent" explanations are given.

Reasoning process: Look for what the scenario explicitly RULES OUT ("without exploiting infrastructure vulnerabilities," "without stealing new credentials," "logs show only legitimate calls") — this eliminates options claiming infrastructure/credential compromise, leaving abuse-of-trust/API answers. For attack-type comparisons, decide passive (listen only) vs active (listen + alter). For "system unresponsive after authentication requests," look for BOTH resource exhaustion AND social-engineering elements mentioned — pick the option that captures both, not just one.

Common mistakes: Choosing the most dramatic-sounding option (e.g., "must involve malware injection") instead of the option that matches the EXACT constraints stated in the scenario.

For full marks: Treat these like elimination puzzles — cross out any option contradicted by an explicit detail in the prompt; the surviving option is correct even if it sounds less exciting.

Type D: "Implicit flawed assumption" scenario (cloud adoption / jurisdiction)

How to recognize it: "Organization adopts cloud computing assuming X, but later faces Y" — asks what assumption was flawed.

Reasoning process: Recall that in cloud computing, data is stored elsewhere in the world, so it's not always clear which law applies or which authority can demand access. The flawed assumption is almost always: "local laws/oversight still fully apply" or "regulatory simplicity was assumed."

Common mistakes: Blaming a technical failure (server crash) instead of the correct legal/jurisdictional assumption.

For full marks: Name the assumption explicitly: "they assumed data location/jurisdiction wouldn't complicate compliance."

5. Essay Cheat Sheet

Likely Prompt: "Discuss privacy issues arising from data collection in cyberspace and how ethics/technology/law address them."

Perfect structure:

  1. Intro (1-2 sentences): State that cyberspace enables collection of user data via many techniques, often without full knowledge/consent, and that technical + legal measures alone cannot guarantee control, so ethics is essential.
  2. Body — Techniques (pick 3-4): Briefly define each technique used (e.g., cookies, RFID, fingerprinting, biometrics, data mining/profiling) and how each threatens privacy.
  3. Body — Countermeasures (pick 2-3): Encryption, User-Consent Management, Access Control, Raising Awareness — explain how each specifically mitigates the technique discussed.
  4. Ethical Analysis: Tie back to WHY ethics matters even when law/tech exist — informed consent, contextual integrity, user autonomy.
  5. Conclusion: Responsible data practice requires combining technical safeguards + legal frameworks + ethical judgment.

Keywords that MUST appear: consent, contextual integrity, control over personal information, user autonomy, data mining/profiling, encryption, access control.

Examiner expectations: Concrete technique names (not vague "internet tracking"), a clear technique→countermeasure pairing, and an explicit ethical justification (not just "it's bad").

Likely Prompt: "Evaluate the ethical issues of adopting cloud computing for a business."

Perfect structure:

  1. Intro: Define cloud computing and note that while it offers major advantages, it introduces new ethical and security responsibilities shared between provider and client.
  2. Advantages (2-3): Economical, flexible, disaster recovery.
  3. Ethical Issues (pick 3-4): Discrimination, Spiteful Activity, Compliance, Social/affordability issues, Policies ignoring customer interest.
  4. Security Issues (pick 2-3): Data breach, Account hijacking, Insecure APIs/trust abuse.
  5. Ethical Framework: Apply Utilitarianism — providers must weigh the interests of ALL customers (big or small), not just the most profitable ones.
  6. Conclusion: Shared responsibility model means both provider AND client must act ethically and securely.

Keywords that MUST appear: shared responsibility, utilitarianism, discrimination, compliance, data breach, jurisdiction.

6. MCQ Traps

Trap 1: "EaaS offers online application programs."
❌ Wrong — that's SaaS.
✅ EaaS = hardware resources (CPU, storage).
Trap 2: "Bird's-eye view of data = Collaboration advantage."
❌ Wrong.
✅ Bird's-eye view/analytics = Insight advantage. Collaboration is about sharing/viewing info as a team.
Trap 3: "Vendors favoring high-paying clients in a crisis = Data loss."
❌ Wrong.
✅ That's Discrimination. Data loss = data is destroyed/gone.
Trap 4: "Exposure to Competitors = a benefit of social media branding."
❌ Wrong — not on the benefits list at all.
✅ Correct benefit in that context = Improved Customer Insights.
Trap 5: "Nomophobia = a safer social networking tip."
❌ Wrong — Nomophobia is fear of being phone-less (a risk/addiction concept).
✅ Real tips: strong passwords, minimal personal info, custom privacy settings, be suspicious of requests.
Trap 6: "DDoS = a single powerful attack that always fully crashes a server."
❌ Oversimplified/wrong framing.
✅ Correct distinction: DoS = one attacking source; DDoS = multiple distributed attacking sources (severity isn't the defining factor — the SOURCE COUNT is).
Trap 7: "A cloud breach via legitimate API calls must mean the provider failed to isolate tenants / infrastructure was hacked."
❌ Wrong — logs showing ONLY legitimate calls point to abuse of trusted interfaces (excessive implicit trust), not an infrastructure compromise.
Trap 8: "A breach exposing only behavioral profiles (not raw data) means there's no real privacy risk."
❌ Wrong.
✅ Derived/aggregated data can still be highly sensitive even without direct identifiers.
Trap 9: "Fingerprinting is basically the same as cookies, just a fancier name."
❌ Wrong.
✅ Fingerprinting leaves NO trace on your device and can't be deleted — a fundamentally different (harder to defend against) tracking method.
Trap 10: "Biometric data compromise is recoverable, just like a password reset."
❌ Wrong.
✅ Biometric data cannot be revoked or reissued — a compromise is permanent/catastrophic.

7. Memory Hacks

🧠 Cloud Ethical Issues → "DISCO-SPICe": Discrimination, Intellectual property, Social/affordability, COmpliance, SPIteful activity, customer-interest policies.

🧠 Cookies family, ranked by "stickiness": Regular Cookie (easy delete) → Third-party Cookie (blockable) → Flash Cookie (hard to delete) → Fingerprinting (impossible to detect). Visualize a ladder getting harder to escape as you climb.

🧠 Matching vs Merging: "MATCHing = making a MATCH (a hit) between two separate files." "MERGing = MERGing everything into one big file." Picture two puzzle pieces clicking (matching) vs. melting into one blob (merging).

🧠 Biometrics = "Un-resettable password": Real-life analogy — you can change a stolen credit card number, but you can't change your fingerprint. That permanence IS the exam point.

🧠 Data Mining vs Profiling: Mining = digging up raw ore (patterns). Profiling = shaping that ore into a tool aimed at YOU specifically (a decision).

🧠 Passive vs Active network attack: Passive = a spy with binoculars (watching only). Active = the spy cuts the phone line and impersonates the caller (altering the flow).

🧠 Shared Responsibility: Picture an apartment building — the landlord (provider) secures the building's locks and walls, but YOU (client) still have to lock your own apartment door (password, MFA).

⭐ 8. High-Yield Facts ⭐

9. Professor's Favorite Questions

⭐⭐⭐⭐⭐ Matching table: technique/tool ↔ description (RFID, Fingerprinting, Cookies, Biometrics, Data mining, etc.) — this exact format has appeared before and tests rapid recognition.

⭐⭐⭐⭐⭐ True/False "correct the false statement" pairs on Cloud + Social Media (SaaS/EaaS, Insight/Collaboration, Discrimination/Data loss, Nomophobia, Exposure to Competitors) — near-certain repeat format given it appeared twice already in the bank.

⭐⭐⭐⭐ Scenario MCQ on cloud breaches distinguishing infrastructure compromise vs. abuse of trusted APIs/legitimate access — tests deeper reasoning, not memorization.

⭐⭐⭐⭐ Short-answer: "Explain the difference between First-party and Third-party cookies" or "Flash cookies vs regular cookies" — classic comparison-based short answer.

⭐⭐⭐⭐ Listing question: "List and briefly explain the ethical issues of cloud computing" (Discrimination, Compliance, Spiteful Activity, etc.) — matches the course's known preference for "List"-type questions.

⭐⭐⭐ Essay: "Discuss privacy issues in cyberspace and the role of ethics" or "Evaluate cloud computing ethical issues using Utilitarianism" — possible if the exam includes an extended-response section.

⭐⭐⭐ Scenario: assumption-flaw question about cloud adoption and legal jurisdiction — tests conceptual understanding of cross-border data storage.

⭐⭐⭐ MCQ distinguishing passive vs active network attacks (sniffing vs MITM-style alteration) — possible crossover from the security chapter.

10. One-Page Rapid Review

☁️ Cloud Computing — 5 Minute Version

🔐 Privacy in Cyberspace — 5 Minute Version

⚠️ Last-Minute Trap Checklist