| Module | Slides | Lecture number | Lecture date | Textbook sections |
|---|---|---|---|---|
| 1 | (PDF) (3up) | Lecture 1 | 15 Sep | 1.1 – 1.8 |
| | | Optional reading: The 10 privacy principles of PIPEDA | | |
| 2 | (PDF) (3up) | Lecture 2 | 17 Sep | 3.1 |
| | | Mandatory reading before class: Smashing The Stack For Fun And Profit | | |
| | | Optional reading: On the Evolution of Buffer Overflows | | |
| | | Optional reading: Exploiting Format String Vulnerabilities | | |
| | | Optional reading: Example format string vulnerabilities (November 2011, May 2012) | | |
| | | Optional reading: A Taxonomy of Computer Program Security Flaws, with Examples | | |
| | | Lecture 3 | 22 Sep | 3.2 |
| | | Optional reading: Morris worm | | |
| | | Optional reading: The Spread of the Sapphire/Slammer Worm; also: Slammed! | | |
| | | Optional reading: The inside story of the Conficker worm; also: Conficker C Analysis | | |
| | | Optional reading: Technical analysis of client identification mechanisms | | |
| | | Lecture 4 | 24 Sep | 3.2 |
| | | Mandatory reading before class: Reflections on Trusting Trust | | |
| | | Optional reading: Linux Kernel "Back Door" Attempt; also: The backdooring of SquirrelMail | | |
| | | Optional reading: Salami Fraud | | |
| | | Optional reading: Clickjacking attack (Interface illusion) | | |
| | | Optional reading: Two-factor Man-in-the-Middle attacks: ABN Amro incident; Android malware for stealing SMS messages | | |
| | | Optional reading: MITM Malware Re-Writes Online Bank Statements | | |
| | | Lecture 5 | 29 Sep | 3.3 |
| | | Optional reading: An operating system kernel with a formal proof of security | | |
| | | Optional reading: Bugs in open-source software: #gotofail; Heartbleed Bug | | |
| 3 | (PDF) (3up) | Lecture 6 | 1 Oct | 5.1 |
| | | Optional reading: Caja: Capability-based Javascript. Project webpage; draft specification | | |
| | | Optional reading: Android permissions demystified | | |
| | | Lecture 7 | 6 Oct | 5.1 |
| | | Optional reading: MySpace Passwords Aren't So Dumb | | |
| | | Optional reading: The Top 50 Gawker Passwords | | |
| | | Optional reading: Gawker mishandles non-ASCII passwords | | |
| | | Optional reading: Secure Passwords Keep You Safer | | |
| | | Optional reading: Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication | | |
| | | Optional reading: 25-GPU cluster cracks every standard Windows password in <6 hours | | |
| | | Lecture 8 | 8 Oct | 5.2 |
| | | Optional reading: The difficulties of fingerprints | | |
| | | Lecture 9 | 13 Oct | 5.2 |
| | | Mandatory reading before class: The Protection of Information in Computer Systems, section I.A. (only section I.A. is mandatory) | | |
| | | Optional reading: The Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars | | |
| | | Optional reading: SELinux | | |
| 4 | (PDF) (3up) | Lecture 10 | 15 Oct | 6.1, 6.2 |
| | | Optional reading: Social engineering I: How I Lost My $50,000 Twitter Username; How I almost lost my $500,000 Twitter user name @jb... and my startup | | |
| | | Optional reading: Social engineering II: Robin Sage; Fake social media ID duped security-aware IT guys | | |
| | | Lecture 11 | 20 Oct | 6.3, 6.4 |
| | | Optional reading: The New Threat: Targeted Internet Traffic Misdirection | | |
| | | Optional reading: Cybercrime 2.0: When the Cloud Turns Dark | | |
| | | Optional reading: Pakistan hijacks YouTube; The flap heard around the world; Egypt leaves the Internet; Why Google Went Offline Today and a Bit about How the Internet Works | | |
| | | Lecture 12 | 22 Oct | 6.7, 6.8 |
| | | Optional reading: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It); The DDoS That Almost Broke the Internet; Biggest DDoS ever aimed at Cloudflare's content delivery network; Technical Details Behind a 400Gbps NTP Amplification DDoS Attack | | |
| | | Optional reading: The Inside Story of the Kelihos Botnet Takedown; Gameover; Backstage with the Gameover Botnet Hijackers | | |
| | | Optional reading: Firewalls: IETF Recommended ISP Security Services and Procedures | | |
| 5 | (PDF) (3up) | Lecture 13 | 27 Oct | 2.3 |
| | | Optional reading: COPACOBANA | | |
| | | Optional reading: A Stick Figure Guide to AES | | |
| | | Optional reading: Defeating AES without a PhD | | |
| | | Lecture 14 | 29 Oct | 2.3 |
| | | Lecture 15 | 3 Nov | 2.3, 6.6 |
| | | Optional reading: Tree of Trust (red: root CA; green: intermediate CA) | | |
| | | Optional reading: Cracking WEP in 60 seconds | | |
| | | Optional reading: Intercepting Mobile Communications: The Insecurity of 802.11 | | |
| | | Lecture 16 | 5 Nov | 6.6, 9 |
| | | Optional reading: Turkish Registrar Enabled Phishers to Spoof Google; also: Comodogate and DigiNotar incident | | |
| | | Optional reading: Superfish | | |
| | | Lecture 17 | 10 Nov | 6.6, 9 |
| | | Optional reading: The Tor Project | | |
| | | Lecture 18 | 12 Nov | 6.6, 9 |
| | | Optional reading: SSH: passwords or keys? | | |
| | | Optional reading: Mixminion | | |
| | | Lecture 19 | 17 Nov | 6.6, 9 |
| | | Optional reading: De-Anonymizing Alt.Anonymous.Messages | | |
| | | Optional reading: Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You. | | |
| | | Optional reading: Off-the-Record Messaging | | |
| 6 | (PDF) (3up) | Lecture 20 | 19 Nov | 7.1 – 7.4 |
| | | Optional reading: Social Security Numbers Deduced From Public Data | | |
| | | Lecture 21 | 24 Nov | 7.5, 9.4 |
| | | Optional reading: FOILing NYC's Taxi Trip Data | | |
| | | Optional reading: A Face Is Exposed for AOL Searcher No. 4417749 | | |
| | | Optional reading: ℓ-Diversity: Privacy Beyond k-Anonymity | | |
| | | Optional reading: t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity | | |
| | | Optional reading: Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization | | |
| 7 | (PDF) (3up) | Lecture 22 | 26 Nov | 10.1 – 10.4 |
| | | Optional reading: Investigation into the loss of a hard drive at Employment and Social Development Canada | | |
| | | Optional reading: IST's continuity plan in case of a pandemic | | |
| | | Optional reading: UW's emergency response policy | | |
| | | Lecture 23 | 1 Dec | 10.5, 11.1, 11.2 |
| | | Optional reading: PogoWasRight.org; databreaches.net; OSF DataLossDB | | |
| | | Optional reading: The Computer Centre Incident at Concordia | | |
| | | Optional reading: Visual Cryptography (example) | | |
| | | Optional reading: Waterloo's Electronic Media Disposal Guidelines | | |
| | | Lecture 24 | 3 Dec | 11.4 – 11.7 |
| | | Optional viewing: A Fair(y) Use Tale | | |
| | | Optional viewing: The great copyright battle: UBC's bold stand against Access Copyright | | |
| | | Optional viewing: Unintended Consequences: Ten Years under the DMCA | | |
| | | Optional reading: A History of Backdoors (Crypto Wars) | | |
| | | Optional reading: The Athens Affair; All is revealed! | | |
| | | Optional reading: Summary of Investigatory Powers Bill | | |
| | | Optional reading: Bruce Schneier on Full Disclosure; Google's view; Microsoft's view | | |
| | | Optional reading: Codes of ethics: ACM; IEEE; CIPS | | |