CS 458/658 F17 Modules

A draft of the lecture slides for each module will be made available the evening before the module begins. The final version of the lecture slides will be made available after the module is completed and replaces the draft. Use of the draft is at your own risk!

You are expected to have read the indicated sections of the textbook before the corresponding lecture.

Readings marked as mandatory contain required material for the course, and must be read before the date of the corresponding lecture.

Module	Slides	Lecture number	Lecture date	Textbook sections
1	(PDF) (3up)	Lecture 1	11 September	1.1 – 1.8
			Optional reading: The 10 privacy principles of PIPEDA
			Optional reading: A terminology for talking about privacy
2	(PDF) (3up)	Lecture 2	13 September	3.1
			Mandatory reading before class: Smashing The Stack For Fun And Profit
			Optional reading: On the Evolution of Buffer Overflows
			Optional reading: Exploiting Format String Vulnerabilities
			Optional reading: Example format string vulnerabilities (November 2011, May 2012)
			Optional reading: A Taxonomy of Computer Program Security Flaws, with Examples
		Lecture 3	18 September	3.2
		Lecture 4	20 September	3.2
			Optional reading: Morris worm
			Optional reading: The Spread of the Sapphire/Slammer Worm; also: Slammed!
			Optional reading: The inside story of the Conficker worm (access restricted to uWaterloo); also: Conficker C Analysis
			Optional reading: Technical analysis of client identification mechanisms
			Mandatory reading before class: Reflections on Trusting Trust
			Optional reading: Linux Kernel "Back Door" Attempt; also: The backdooring of SquirrelMail
		Lecture 5	25 September	3.3
			Optional reading: Salami Fraud
			Optional reading: Clickjacking attack (Interface illusion)
			Optional reading: MITM Malware Re-Writes Online Bank Statements
			Optional reading: An operating system kernel with a formal proof of security
			Optional reading: Bugs in open-source software: #gotofail, Heartbleed Bug
3	(PDF) (3up)	Lecture 6	27 September	5.1
			Optional reading: Android permissions demystified
			Optional reading: Caja: Capability-based Javascript
		Lecture 7	2 October	5.1
			Optional reading: Breaking SMS-based two-factor authentication: Attacking the cellular network, Android malware for stealing SMS messages
			Optional reading: Why passwords have never been weaker - and crackers have never been stronger; 25-GPU cluster cracks every standard Windows password in < 6 hours
			Optional reading: The top 50 woeful passwords exposed by the Adobe security breach
			Optional reading: Password Security: A Case History, Facebook's password hashing scheme
			Optional reading: Passphrases that you can memorize - But that even the NSA can't guess
			Optional reading: Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder
		Lecture 8	4 October	5.2
			Optional reading: Breaking fingerprint recognition: 'Fake fingerprint' Chinese woman fools Japan controls, Politician's fingerprint 'cloned from photos' by hacker
			Optional reading: Breaking facial recognition: Vietnamese security firm: Your face is easy to fake, Android facial recognition based unlocking can be fooled with photo
			Optional reading: Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners
			Optional reading: Biometrics-based forensics: Computing the Scene of a Crime, High-Tech, High-Risk Forensics
			Optional reading: Border Drones with Facial Recognition
		Lecture 9	13 October	5.2
			Mandatory reading before class: The Protection of Information in Computer Systems, section I.A. (only section I.A. is mandatory)
			Optional reading: The Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars
			Optional reading: Reliably Erasing Data From Flash-Based Solid State Drives
			Optional reading: SELinux
4	(PDF) (3up)	Lecture 10	16 October	6.1, 6.2
			Optional reading: Social engineering I: How Apple and Amazon Security Flaws led to my Ephic Hacking, How I Lost My $50,000 Twitter Username
			Optional reading: Social engineering II: Robin Sage, Fake social media ID duped security-aware IT guys
		Lecture 11	18 October	6.3, 6.4
			Optional reading: MITM attacks: The New Threat: Targeted Internet Traffic Misdirection
			Optional reading: Cybercrime 2.0: When the Cloud Turns Dark
			Optional reading: Black hole attacks: Pakistan hijacks YouTube; The flap heard around the world; Why Google Went Offline Today and a Bit about How the Internet Works
			Optional reading: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It); The DDoS That Almost Broke the Internet; Technical Details Behind a 400Gbps NTP Amplification DDoS Attack; Understanding the Mirai Botnet
			Optional reading: The Inside Story of the Kelihos Botnet Takedown; Gameover; Backstage with the Gameover Botnet Hijackers
		Lecture 12	23 October	6.7, 6.8
		Lecture 12	Optional reading: Attacking an IDS
5	(PDF) (3up)	Lecture 13	25 October	2.3
			Optional reading: COPACOBANA
			Optional reading: A Stick Figure Guide to AES
			Optional reading: Defeating AES without a PhD
		Lecture 14	30 October	2.3, 6.6
			Optional reading: Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision, SHA-1 collision
			Optional reading: Tree of Trust (red: root CA; green: intermediate CA)
		Lecture 15	1 November	6.6, 9
		Lecture 15	Optional reading: Lest We Remember: Cold Boot Attacks on Encryption Keys
		Lecture 16	6 November	9
			Optional reading: Intercepting Mobile Communications: The Insecurity of 802.11
			Optional reading: Cracking WEP in 60 seconds
			Optional reading: KRACK: WPA2 Attack
		Lecture 17	8 November	9
			Optional reading: badssl.com
			Optional reading: Turkish Registrar Enabled Phishers to Spoof Google, also Comodogate and DigiNotar incident
			Optional reading: Distrusting New WoSign and StartCom Certificates
			Optional reading: SSH: passwords or keys?
		Lecture 18	13 November	9
			Optional reading: Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You.
			Optional reading: Off-the-Record Messaging
			Optional reading: A terminology for talking about privacy
			Optional reading: Structuring anonymity metrics (Use VPN for access)
		Lecture 19	15 November
			Optional reading: Bitcoin
			Optional reading: Mixminion
			Optional reading: De-Anonymizing Alt.Anonymous.Messages
			Optional reading: The Tor Project, JonDonym/AN.ON/JAP
6	(PDF) (3up)	Lecture 20	20 November	7.1 – 7.5
			Optional reading: Snooping into Rob Ford's medical records
			Optional reading: Using police databases for personal gain
			Optional reading: Social Security Numbers Deduced From Public Data
			Optional reading: Identifying spies with data aggregation (final four paragraphs)
		Lecture 21	22 November	9.4
			Optional reading: Data mining and integrity: Boston Bomber slipped past while spelling glitch tripped up the law, How Obama Officials Cried 'Terrorism' to Cover Up a Paperwork Error
			Optional reading: Data mining in action: How Companies Learn Your Secrets, How this company tracked 16,000 Iowa caucus-goers via their phones
			Optional reading: FOILing NYC's Taxi Trip Data
			Optional reading: A Face Is Exposed for AOL Searcher No. 4417749
		Lecture 22	27 November	9.4
			Optional reading: ℓ-Diversity: Privacy Beyond k-Anonymity
			Optional reading: t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity
			Optional reading: Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization
7	(PDF) (3up)	Lecture 23	29 November	11.4 – 11.7
			Optional reading: Bruce Schneier on Full Disclosure, Google's view, Microsoft's view, Disclosing breaches to the government
			Optional reading: Codes of ethics: ACM IEEE CIPS
			Optional viewing: A Fair(y) Use Tale
			Optional viewing: The great copyright battle: UBC's bold stand against Access Copyright
		Lecture 24	4 December	10.1 – 10.4
			Optional reading: IST's continuity plan in case of a pandemic
			Optional reading: uWaterloo's emergency response policy