A draft of the lecture slides for each module will be made available
the evening before the module begins.
The final version of the lecture slides will be made available after
the module is completed and replaces the draft. Use of the draft is at
your own risk!
Readings marked as mandatory contain required material for the
course, and must be read before the date of the corresponding
lecture.
| Module |
Slides |
Lecture
number |
Lecture date |
Textbook sections |
| 1 |
(PDF)
(3up) |
Lecture 1 |
May 2 |
1.1 – 1.8 |
| Optional reading: The 10 privacy principles of PIPEDA |
| 2 |
(PDF)
(3up) |
Lecture 2 |
May 4 |
3.1 |
| Mandatory reading: Smashing The Stack For Fun And Profit |
| Optional reading: On the Evolution of Buffer Overflows |
| Optional reading: Exploiting Format String Vulnerabilities |
| Optional reading: Example format string vulnerabilities (November 2011) |
| Optional reading: Example format string vulnerabilities (May 2012) |
| Optional reading: A Taxonomy of Computer Program Security Flaws, with Examples |
| Lecture 3 |
May 9 |
3.2 |
| Lecture 4 |
May 11 |
3.2 |
| Mandatory reading: Reflections on Trusting Trust |
| Optional reading: Morris worm |
| Optional reading: The Spread of the Sapphire/Slammer Worm |
| Optional reading: Slammed! |
| Optional reading: Technical analysis of client identification mechanisms |
| Optional reading: Linux Kernel "Back Door" Attempt |
| Optional reading: The backdooring of SquirrelMail |
| Optional reading: Salami Fraud |
| Lecture 5 |
May 16 |
3.3 |
| Optional reading: Clickjacking attack (Interface illusion) |
| Optional reading: The inside story of the Conficker worm (access restricted to uWaterloo) |
| Optional reading: Conficker C Analysis |
| Optional reading: MITM Malware Re-Writes Online Bank Statements |
| Optional reading: An operating system kernel with a formal proof of security |
| 3 |
(PDF)
(3up) |
Lecture 6 |
May 18 |
5.1 |
| Mandatory reading: Module 2 slides 2-112 – 2-132 |
| Optional reading: Android permissions demystified |
| Optional reading: Caja: Capability-based Javascript (project webpage) |
| Optional reading: Caja: Capability-based Javascript (draft specification) |
| Lecture 7 |
May 25 |
5.1 |
| Mandatory reading: Module 3 slides 3-1 – 3-18 |
| Optional reading: Passphrases that you can memorize - But that even the NSA can't guess |
| Optional reading: LinkedIn Revisited - Full 2012 Hash Dump Analysis |
| Optional reading: Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder |
| Lecture 8 |
May 30 |
5.2 |
| Optional reading: 'Fake fingerprint' Chinese woman fools Japan controls |
| Optional reading: Politician's fingerprint 'cloned from photos' by hacker |
| Optional reading: Vietnamese security firm: Your face is easy to fake |
| Optional reading: Android facial recognition based unlocking can be fooled with photo |
| Optional reading: Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners |
| Lecture 9 |
June 1 |
5.2 |
| Mandatory reading: The Protection of Information in Computer Systems, section I.A. |
| Optional reading: The Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars |
| Optional reading: Reliably Erasing Data From Flash-Based Solid State Drives |
| Optional reading: SELinux |
| 4 |
(PDF)
(3up) |
Lecture 10 |
June 6 |
6.1, 6.2 |
| Optional reading: How I Lost My $50,000 Twitter Username |
| Optional reading: How I Almost Lost My $500,000 Twitter Username @jb... and my startup |
| Optional reading: Robin Sage |
| Optional reading: Fake social media ID duped security-aware IT guys |
| Lecture 11 |
June 8 |
6.3, 6.4 |
| Optional reading: The New Threat: Targeted Internet Traffic Misdirection |
| Optional reading: Cybercrime 2.0: When the Cloud Turns Dark |
| Optional reading: Pakistan hijacks YouTube |
| Optional reading: The flap heard around the world |
| Optional reading: Why Google Went Offline Today and a Bit about How the Internet Works |
| Optional reading: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It) |
| Optional reading: The DDoS That Almost Broke the Internet |
| Optional reading: Biggest DDoS ever aimed at Cloudflare's content delivery network |
| Optional reading: Technical Details Behind a 400Gbps NTP Amplification DDoS Attack |
| Lecture 12 |
June 13 |
6.7, 6.8 |
| Optional reading: The Inside Story of the Kelihos Botnet Takedown |
| Optional reading: Gameover |
| Optional reading: Backstage with the Gameover Botnet Hijackers |
| Optional reading: Attacking an IDS |
| 5 |
(PDF)
(3up) |
Lecture 13 |
June 15 |
2.3 |
| Optional reading: COPACOBANA |
| Optional reading: A Stick Figure Guide to AES |
| Optional reading: Defeating AES without a PhD |
| Lecture 14 |
June 20 |
2.3 |
| Optional reading: Theoretical attacks yield practical attacks on SSL, PKI |
| Optional reading: Crypto breakthrough shows Flame was designed by world-class scientists |
| Lecture 15 |
June 22 |
2.3, 6.6 |
| Optional reading: Tree of Trust (red: root CA; green: intermediate CA) |
| Optional reading: Lest We Remember: Cold Boot Attacks on Encryption Keys |
| Lecture 16 |
June 27 |
6.6, 9 |
| Lecture 17 |
June 29 |
6.6, 9 |
| Lecture 18 |
July 4 |
6.6, 9 |
| Optional reading: Intercepting Mobile Communications: The Insecurity of 802.11 |
| Optional reading: Cracking WEP in 60 seconds |
| Lecture 19 |
July 6 |
6.6, 9 |
| Optional reading: Turkish Registrar Enabled Phishers to Spoof Google |
| Optional reading: Comodogate |
| Optional reading: DigiNotar incident |
| Optional reading: Superfish |
| Optional reading: The Tor Project |
| Lecture 20 |
July 11 |
6.6, 9 |
| Optional reading: SSH: passwords or keys? |
| Optional reading: Mixminion |
| Optional reading: De-Anonymizing Alt.Anonymous.Messages |
| Optional reading: Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You. |
| Optional reading: Off-the-Record Messaging |
| 6 |
(PDF)
(3up) |
Lecture 21 |
July 13 |
|
| Lecture 22 |
July 18 |
|
| Lecture 23 |
July 20 |
|
| 7 |
(PDF)
(3up) |
Lecture 24 |
July 25 |
|