CS 458/658 F20 Modules

Readings marked as mandatory contain required material for the course and must be read before the date of the corresponding lecture. Relevant sections from either textbook are identified by the corresponding tag: PPM for the Pfleeger et al. textbook, and vO for the van Oorschot textbook.

Module  Slides  Lecture number  Lecture date  Textbook sections
Module 1
Lecture 1 September 8 PPM: 1.1 – 1.8; vO: 1.1, 1.2, 1.4
Optional reading: California's Data Privacy Law
Optional reading: The 10 privacy principles of PIPEDA
Optional reading: A terminology for talking about privacy
Optional reading: Will Google's and Apple's COVID Tracking Plan Protect Privacy
Module 2
Lecture 2 September 10 PPM: 3.1; vO: 6.1 – 6.9
Mandatory reading: Smashing The Stack For Fun And Profit (a version with some errors corrected is also provided)
Mandatory reading: Basic Integer Overflows
Optional reading: On the Evolution of Buffer Overflows
Optional reading: Exploiting Format String Vulnerabilities
Optional reading: Example format string vulnerabilities (November 2011)
Optional reading: Example format string vulnerabilities (May 2012)
Lecture 3 September 15 PPM: 3.2; vO: 7.1 – 7.3, 7.6 – 7.9
Lecture 4 September 17 PPM: 3.2; vO: 7.4 – 7.5
Mandatory reading: Reflections on Trusting Trust
Mandatory reading: Browser Security Principles: The Same-Origin Policy
Optional reading: Morris worm
Optional reading: The Spread of the Sapphire/Slammer Worm
Optional reading: Slammed!
Optional reading: The inside story of the Conficker worm (access restricted to uWaterloo)
Optional reading: Conficker C Analysis
Optional reading: Technical analysis of client identification mechanisms
Optional reading: Linux Kernel "Back Door" Attempt
Optional reading: The backdooring of SquirrelMail
Optional reading: Salami Fraud
Lecture 5 September 22 PPM: 3.3
Optional reading: Clickjacking attack (Interface illusion)
Optional reading: MITM Malware Re-Writes Online Bank Statements
Optional reading: Off-the-Hook: An Efficient and Usable Client-Side Phishing Prevention Application
Optional reading: An operating system kernel with a formal proof of security
Optional reading: Bugs in open source software: #gotofail
Optional reading: Bugs in open source software: Heartbleed
Module 3
Lecture 6 September 24 PPM: 5.1; vO: 5.1
Optional reading: Android permissions demystified
Optional reading: Caja: Capability-based Javascript (project webpage)
Lecture 7 September 29 PPM: 2.2; vO: 5.2, 5.3, 5.7
Optional reading: Breaking SMS-based two-factor authentication: Attacking the cellular network
Optional reading: Breaking SMS-based two-factor authentication: Android malware for stealing SMS messages
Optional reading: Passphrases that you can memorize - But that even the NSA can't guess
Optional reading: The top 50 woeful passwords exposed by the Adobe security breach
Optional reading: Password Security: A Case History
Lecture 8 October 1 PPM: 2.1; vO: 3.1 – 3.9
Optional reading: Facebook's password hashing scheme
Optional reading: SafeKeeper: protecting web passwords using trusted execution environments
Optional reading: LinkedIn Revisited - Full 2012 Hash Dump Analysis
Optional reading: Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder
Optional reading: 'Fake fingerprint' Chinese woman fools Japan controls
Optional reading: Politician's fingerprint 'cloned from photos' by hacker
Optional reading: 3D printing a fingerprint
Optional reading: Android facial recognition based unlocking can be fooled with photo
Optional reading: Breaking Windows Hello Face Authentication
Optional reading: Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners
Optional reading: Biometrics and false positives
Lecture 9 October 6 PPM: 5.2; vO: 5.2, 5.4, 5.8, 5.9
Mandatory reading: The Protection of Information in Computer Systems, section I.A.
Optional reading: The Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars
Optional reading: Reliably Erasing Data From Flash-Based Solid State Drives
Optional reading: SELinux
Optional reading: Fortanix Runtime Encryption Platform
Module 4
Lecture 10 October 8 PPM: 6.1, 6.2
Optional reading: 10.6 Background: networking and TCP/IP
Optional reading: How I Lost My $50,000 Twitter Username
Optional reading: How Apple and Amazon Security Flaws led to my Epic Hacking
Optional reading: Robin Sage
Optional reading: Fake social media ID duped security-aware IT guys
Lecture 11 October 20 PPM: 6.3, 6.4
Optional reading: Pakistan hijacks YouTube
Optional reading: Strange snafu misroutes domestic US Internet traffic through China Telecom
Optional reading: A $152,000 Cryptocurrency Theft Just Exploited A Huge "Blind Spot" In Internet Security
Optional reading: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It)
Optional reading: The DDoS That Almost Broke the Internet
Optional reading: Technical Details Behind a 400Gbps NTP Amplification DDoS Attack
Optional reading: Understanding the Mirai Botnet
Lecture 12 October 22 PPM: 6.7, 6.8
Mandatory reading: DH Key-Exchange
Optional reading: The Inside Story of the Kelihos Botnet Takedown
Optional reading: Gameover
Optional reading: Backstage with the Gameover Botnet Hijackers
Optional reading: Attacking an IDS
Optional reading: Kerberos
Module 5
Lecture 13 October 27 PPM: 2.3
Optional reading: El Gamal Encryption
Lecture 14 October 29 PPM: 2.3
Optional reading: Hash-Based Signatures
Optional reading: Crypto breakthrough shows Flame was designed by world-class scientists
Optional reading: Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision
Optional reading: SHA-1 collision found
Lecture 15 November 3 PPM: 2.3, 6.6
Optional reading: Tree of Trust (red: root CA; green: intermediate CA)
Optional reading: Turkish Registrar Enabled Phishers to Spoof Google
Optional reading: Comodogate
Optional reading: DigiNotar incident
Optional reading: Chrome's Plan to Distrust Symantec Certificates
Optional reading: Lest We Remember: Cold Boot Attacks on Encryption Keys
Lecture 16 November 5 PPM: 6.6, 9
Optional reading: Intercepting Mobile Communications: The Insecurity of 802.11
Optional reading: Cracking WEP in 60 seconds
Optional reading: KRACK: WPA2 Attack
Optional reading: Let's Encrypt - Free SSL/TLS Certificates
Optional reading: badssl.com
Optional reading: Superfish
Optional reading: The Tor Project
Optional reading: Re-identifying Tor users
Lecture 17 November 10
Optional reading: Bitcoin: A Peer-to-Peer Electronic Cash System
Lecture 18 November 12 PPM: 6.6, 9
Optional reading: SSH: passwords or keys?
Optional reading: Mixminion
Optional reading: De-Anonymizing Alt.Anonymous.Messages
Optional reading: Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You.
Optional reading: Off-the-Record Messaging
Module 6
Lecture 19 November 17 PPM: 7.1 – 7.5
Optional reading: Doctors snooped on Humboldt Broncos records, privacy commissioner finds
Optional reading: Using police databases for personal gain
Lecture 20 November 19 PPM: 9.4
Optional reading: Social Security Numbers Deduced From Public Data
Optional reading: Identifying spies with data aggregation (final four paragraphs)
Optional reading: A reading list on differential privacy
Lecture 21 November 24 PPM: 9.4
Optional reading: Data mining and integrity: Boston Bomber slipped past while spelling glitch tripped up the law
Optional reading: Data mining and integrity: How Obama Officials Cried 'Terrorism' to Cover Up a Paperwork Error
Optional reading: Data mining in action: How Companies Learn Your Secrets
Optional reading: Data mining in action: How this company tracked 16,000 Iowa caucus-goers via their phones
Optional reading: FOILing NYC's Taxi Trip Data
Optional reading: A Face Is Exposed for AOL Searcher No. 4417749
Optional reading: ℓ-Diversity: Privacy Beyond k-Anonymity
Optional reading: t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity
Optional reading: Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization
Module 7
Lecture 22 November 26 PPM: 10.1 – 10.4
Optional reading: Ethically questionable behaviour: Cambridge Analytica
Optional reading: Ethically questionable behaviour: AT&T hacker
Optional reading: Ethically questionable behaviour: Attacking Tor exit nodes
Optional reading: Ethically questionable behaviour: Deanonymizing Tor users
Optional reading: Ethically questionable behaviour: Facebook mood manipulation
Optional reading: Ethically questionable behaviour: Unaccountable algorithms
Optional reading: ACM code of ethics
Optional reading: IEEE code of ethics
Optional reading: CIPS code of ethics
Optional reading: Investigation into the loss of a hard drive at Employment and Social Development Canada
Optional reading: IST's continuity plan in case of a pandemic (cached version)
Optional reading: uWaterloo's emergency response policy
Optional reading: PogoWasRight.org
Optional reading: databreaches.net
Optional reading: uWaterloo's Information Security Breach Response Procedure
Lecture 23 December 1 PPM: 10.5, 11.1, 11.2
Optional reading: The Computer Centre Incident at Concordia
Optional reading: uWaterloo's Electronic Media Disposal Guidelines
Lecture 24 December 3 PPM: 11.4 – 11.7
Optional reading: A Fair(y) Use Tale
Optional reading: Access Copyright v. York University
Optional reading: Unintended Consequences: Ten Years under the DMCA
Optional reading: A Tale of Three Backdoors
Optional reading: The Athens Affair
Optional reading: A Death in Athens
Optional reading: On the Juniper backdoor
Optional reading: Bruce Schneier on Full Disclosure
Optional reading: Google's view
Optional reading: Microsoft's view
Optional reading: Dropbox's view
Optional reading: Disclosing breaches to the government