CS 458/658 S22 Modules

A draft of the lecture slides for each module will be made available the evening before the module begins. The final version of the lecture slides will be made available after the module is completed and replaces the draft. Use of the draft is at your own risk!

Readings marked as mandatory contain required material for the course, and must be read before the date of the corresponding lecture.

Each module lists its slides (PDF and 3up) followed by its lectures. Each lecture entry gives the lecture number, the lecture date, and the textbook sections to read (Pfleeger et al. / van Oorschot), followed by the readings for that lecture.

Module 1 slides: (PDF) (3up)

  Lecture 1 (May 2): Pfleeger 1.1 – 1.8 / van Oorschot 1.1 – 1.4, 1.6
    Optional reading: The 10 privacy principles of PIPEDA
    Optional reading: A terminology for talking about privacy
    Optional reading: Federal privacy reform in Canada: The Consumer Privacy Protection Act
    Optional reading: Modernizing Canada’s Privacy Act
    Optional reading: Microsoft’s report on Russian Cyberattacks in Ukraine
    Optional reading: Social Security Employees in Illinois Sentenced in Federal Court on Charges Including Bribery and Identity Theft
Module 2 slides: (PDF) (3up)

  Lecture 2 (May 4): Pfleeger 3.1 / van Oorschot 6.1 – 6.8
    Mandatory reading before class: Smashing The Stack For Fun And Profit
    Optional reading: On the Evolution of Buffer Overflows
    Optional reading: Exploiting Format String Vulnerabilities
    Optional reading: Example format string vulnerabilities (November 2011)
    Optional reading: Example format string vulnerabilities (May 2012)
    Optional reading: A Taxonomy of Computer Program Security Flaws, with Examples

  Lecture 3 (May 9): Pfleeger 3.2 / van Oorschot 7.1 – 7.4
    Optional reading: Morris worm
    Optional reading: The Spread of the Sapphire/Slammer Worm
    Optional reading: Slammed!
    Optional reading: Technical analysis of client identification mechanisms

  Lecture 4 (May 11): Pfleeger 3.2 / van Oorschot 7.5 – 7.9
    Mandatory reading before class: Reflections on Trusting Trust
    Optional reading: US Federal Student Aid website has a Facebook web bug
    Optional reading: Linux Kernel "Back Door" Attempt
    Optional reading: The backdooring of SquirrelMail
    Optional reading: Clickjacking attack (Interface illusion)
    Optional reading: MITM Malware Re-Writes Online Bank Statements

  Lecture 5 (May 16): Pfleeger 3.3 / van Oorschot 1.7, 6.9
    Optional reading: An operating system kernel with a formal proof of security
    Optional reading: Bugs in open source software: #gotofail
    Optional reading: Bugs in open source software: Heartbleed
Module 3 slides: (PDF) (3up)

  Lecture 6 (May 18): Pfleeger 5.1 / van Oorschot 5.1 – 5.2
    Optional reading: Android permissions demystified
    Optional reading: Google launches its third major operating system, Fuchsia

  Lecture 7 (May 25): Pfleeger 5.1 / van Oorschot 3.1 – 3.4, 3.6
    Optional reading: Breaking SMS-based two-factor authentication: Attacking the cellular network
    Optional reading: Breaking SMS-based two-factor authentication: Android malware for stealing SMS messages
    Optional reading: Passphrases that you can memorize — But that even the NSA can't guess
    Optional reading: The top 50 woeful passwords exposed by the Adobe security breach
    Optional reading: Password Security: A Case History
    Optional reading: Facebook's password hashing scheme
    Optional reading: LinkedIn Revisited - Full 2012 Hash Dump Analysis
    Optional reading: Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder
    Optional reading: Largest password data breach in history has been leaked online

  Lecture 8 (May 30): Pfleeger 5.2 / van Oorschot 3.5
    Optional reading: 'Fake fingerprint' Chinese woman fools Japan controls
    Optional reading: Politician's fingerprint 'cloned from photos' by hacker
    Optional reading: Vietnamese security firm: Your face is easy to fake
    Optional reading: Android facial recognition based unlocking can be fooled with photo
    Optional reading: Breaking Windows Hello Face Authentication
    Optional reading: Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners
    Optional reading: Border Drones with Facial Recognition

  Lecture 9 (June 1): Pfleeger 5.2 / van Oorschot 1.7
    Mandatory reading before class: The Protection of Information in Computer Systems, section I.A.
    Optional reading: The Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars
    Optional reading: Reliably Erasing Data From Flash-Based Solid State Drives
    Optional reading: SELinux
Module 4 slides: (PDF) (3up)

  Lecture 10 (June 6): Pfleeger 6.1, 6.2 / van Oorschot 9.1, 9.3, 9.6, 10.6, 11.3
    Optional reading: How I Lost My $50,000 Twitter Username
    Optional reading: Robin Sage
    Optional reading: How Apple and Amazon Security Flaws Led to My Epic Hacking

  Lecture 11 (June 8): Pfleeger 6.3, 6.4 / van Oorschot 11.3, 11.4, 11.6
    Optional reading: Cybercrime 2.0: When the Cloud Turns Dark
    Optional reading: Why Google Went Offline Today and a Bit about How the Internet Works
    Optional reading: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It)
    Optional reading: The DDoS That Almost Broke the Internet
    Optional reading: Biggest DDoS ever aimed at Cloudflare's content delivery network
    Optional reading: Technical Details Behind a 400Gbps NTP Amplification DDoS Attack
    Optional reading: Understanding the Mirai Botnet
    Optional reading: Strange snafu misroutes domestic US Internet traffic through China Telecom
    Optional reading: A $152,000 Cryptocurrency Theft Just Exploited A Huge Blind Spot In Internet Security

  Lecture 12 (June 13): Pfleeger 6.7, 6.8 / van Oorschot 10.1, 10.2, 11.1, 11.2
    Optional reading: The Inside Story of the Kelihos Botnet Takedown
    Optional reading: Gameover
    Optional reading: Backstage with the Gameover Botnet Hijackers
    Optional reading: Attacking an IDS
Module 5 slides: (PDF) (3up)

  Lecture 13 (June 15): Pfleeger 2.3, 12 / van Oorschot 2
    Optional reading: One-time pad
    Optional reading: A Stick Figure Guide to AES
    Optional reading: Defeating AES without a PhD
    Optional reading: Twenty Years of Attacks on the RSA Cryptosystem
    Optional reading: Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision
    Optional reading: SHA-1 collision found

  Lecture 14 (June 20): Pfleeger 6.3, 6.6 / van Oorschot 4.3, 8.1, 8.2, 8.4, 8.5, 9.2, 10.5, 12
    Optional reading: Intercepting Mobile Communications: The Insecurity of 802.11
    Optional reading: Cracking WEP in 60 seconds
    Optional reading: El Gamal Encryption
    Optional reading: DH Key-Exchange
    Optional reading: DigiNotar incident
    Optional reading: Superfish
    Optional reading: Sennheiser Headset Software
    Optional reading: WireGuard

  Lecture 15 (June 22): Pfleeger 6.6 / van Oorschot 8.6, 8.7, 10.3
    Optional reading: SSH: passwords or keys?
    Optional reading: Why Johnny Can't Encrypt
    Optional reading: PGP Criminal Investigation
    Optional reading: Off-the-Record Messaging
    Optional reading: Signal's Double Ratchet

  Lecture 16 (June 27): Pfleeger 6.6, 9.1, 9.2, 9.6 / van Oorschot: none listed
    Optional reading: A Survey of Anonymous Communication Channels
    Optional reading: The Tor Project
    Optional reading: Re-identifying Tor users

  Lecture 17 (June 29): Pfleeger 6.2 / van Oorschot: none listed
    Optional reading: Encrypted Traffic Analysis

  Lecture 18 (July 4): Pfleeger: none listed / van Oorschot 13
    Optional reading: Bitcoin: A Peer-to-Peer Electronic Cash System
    Optional reading: Ethereum Proof-of-Stake
    Optional reading: The centralized power of decentralized mining pools
Module 6 slides: (PDF) (3up)

  Lecture 19 (July 6): Pfleeger 7.1 – 7.3, 7.5 / van Oorschot: none listed
    Optional reading: A quick-start tutorial on relational database design
    Optional reading: What does ACID mean in database systems?

  Lecture 20 (July 11): Pfleeger 9.4 / van Oorschot: none listed
    Optional reading: Data mining and integrity: Boston Bomber slipped past while spelling glitch tripped up the law
    Optional reading: Data mining and integrity: How Obama Officials Cried 'Terrorism' to Cover Up a Paperwork Error
    Optional reading: FOILing NYC's Taxi Trip Data
    Optional reading: Social Security Numbers Deduced From Public Data
    Optional reading: A Face Is Exposed for AOL Searcher No. 4417749
    Optional reading: ℓ-Diversity: Privacy Beyond k-Anonymity
    Optional reading: t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity
    Optional reading: Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization

  Lecture 21 (July 13): Pfleeger 9.4 / van Oorschot: none listed
    Optional reading: Dataset reconstruction attacks
    Optional reading: Damien Desfontaines' friendly introduction to differential privacy
    Optional reading: A list of real-world uses of differential privacy
    Optional reading: Gautam Kamath's Algorithms for Private Data Analysis course at UW

  Lecture 22 (July 18): no textbook sections listed
    Optional reading: Nicholas Carlini's adversarial ML reading list
    Optional reading: Attacking machine learning with adversarial examples
    Optional reading: Microsoft's Tay chatbot poisoning
    Optional reading: How to steal an AI
Module 7 slides: (PDF) (3up)

  Lecture 23 (July 20): Pfleeger 11.1, 11.2, 11.4 – 11.7 / van Oorschot: none listed
    Optional reading: Ethically questionable behaviour: Cambridge Analytica
    Optional reading: Ethically questionable behaviour: AT&T hacker
    Optional reading: Ethically questionable behaviour: Deanonymizing Tor users
    Optional reading: Ethically questionable behaviour: Facebook mood manipulation
    Optional reading: Ethically questionable behaviour: Unaccountable algorithms
    Optional reading: Ethically questionable behaviour: Malicious Linux kernel patches
    Optional reading: Access Copyright v. York University
    Optional reading: Unintended Consequences: Ten Years under the DMCA
    Optional reading: A Death in Athens
    Optional reading: On the Juniper backdoor
    Optional reading: databreaches.net
    Optional reading: Bruce Schneier on Full Disclosure
    Optional reading: Google's view
    Optional reading: Microsoft's view
    Optional reading: Disclosing breaches to the government
    Optional reading: ACM code of ethics
    Optional reading: IEEE code of ethics
    Optional reading: CIPS code of ethics

  Lecture 24 (July 25): Pfleeger 10.1 – 10.5 / van Oorschot 1.3 – 1.6
    Optional reading: Investigation into the loss of a hard drive at Employment and Social Development Canada
    Optional reading: uWaterloo's Information Security Policies, Standards, and Guidelines
    Optional reading: uWaterloo's Electronic Media Disposal Guidelines
    Optional reading: The Computer Centre Incident at Concordia
    Optional reading: Twitter thread on Rogers' outage
    Optional reading: Rogers' report on July 2022 Canada-wide service outage (abridged)