| Module | Slides | Lecture number | Lecture date | Textbook sections (Pfleeger et al. / van Oorschot) |
|---|---|---|---|---|
| 1 | (PDF) (3up) | Lecture 1 | May 9 | 1.1 – 1.8 / 1.1 – 1.4, 1.6. Optional readings: The 10 privacy principles of PIPEDA; A terminology for talking about privacy; Federal privacy reform in Canada: The Consumer Privacy Protection Act; Modernizing Canada’s Privacy Act; Microsoft’s report on Russian Cyberattacks in Ukraine; Social Security Employees in Illinois Sentenced in Federal Court on Charges Including Bribery and Identity Theft |
| 2 | (PDF) (3up) | Lecture 2 | May 11 | 3.1 / 6.1 – 6.8. Mandatory reading before class: Smashing The Stack For Fun And Profit. Optional readings: On the Evolution of Buffer Overflows; Exploiting Format String Vulnerabilities; Example format string vulnerabilities (November 2011); Example format string vulnerabilities (May 2012); A Taxonomy of Computer Program Security Flaws, with Examples |
| | | Lecture 3 | May 16 | 3.2 / 7.1 – 7.4. Optional readings: Morris worm; The Spread of the Sapphire/Slammer Worm; Slammed!; Technical analysis of client identification mechanisms |
| | | Lecture 4 | May 18 | 3.2 / 7.5 – 7.9. Mandatory reading before class: Reflections on Trusting Trust. Optional readings: US Federal Student Aid website has a Facebook web bug; Linux Kernel "Back Door" Attempt; The backdooring of SquirrelMail; Clickjacking attack (Interface illusion); MITM Malware Re-Writes Online Bank Statements |
| | | Lecture 5 | May 25 | 3.3 / 1.7, 6.9. Optional readings: An operating system kernel with a formal proof of security; Bugs in open source software: #gotofail; Bugs in open source software: Heartbleed |
| 3 | (PDF) (3up) | Lecture 6 | May 30 | 5.1 / 5.1 – 5.2. Optional readings: Android permissions demystified; Google launches its third major operating system, Fuchsia |
| | | Lecture 7 | June 1 | 5.1 / 3.1 – 3.4, 3.6. Optional readings: Breaking SMS-based two-factor authentication: Attacking the cellular network; Breaking SMS-based two-factor authentication: Android malware for stealing SMS messages; Passphrases that you can memorize — But that even the NSA can't guess; The top 50 woeful passwords exposed by the Adobe security breach; Password Security: A Case History; Facebook's password hashing scheme; LinkedIn Revisited - Full 2012 Hash Dump Analysis; Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder; Largest password data breach in history has been leaked online |
| | | Lecture 8 | June 6 | 5.2 / 3.5. Optional readings: 'Fake fingerprint' Chinese woman fools Japan controls; Politician's fingerprint 'cloned from photos' by hacker; Vietnamese security firm: Your face is easy to fake; Android facial recognition based unlocking can be fooled with photo; Breaking Windows Hello Face Authentication; Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners; Border Drones with Facial Recognition |
| | | Lecture 9 | June 8 | 5.2 / 1.7. Mandatory reading before class: The Protection of Information in Computer Systems, section I.A. Optional readings: The Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars; Reliably Erasing Data From Flash-Based Solid State Drives; SELinux |
| 4 | (PDF) (3up) | Lecture 10 | June 13 | 6.1, 6.2 / 9.1, 9.3, 9.6, 10.6, 11.3. Optional readings: How I Lost My $50,000 Twitter Username; Robin Sage; How Apple and Amazon Security Flaws Led to My Epic Hacking |
| | | Lecture 11 | June 15 | 6.3, 6.4 / 11.3, 11.4, 11.6. Optional readings: Cybercrime 2.0: When the Cloud Turns Dark; Why Google Went Offline Today and a Bit about How the Internet Works; The DDoS That Knocked Spamhaus Offline (And How We Mitigated It); The DDoS That Almost Broke the Internet; Biggest DDoS ever aimed at Cloudflare's content delivery network; Technical Details Behind a 400Gbps NTP Amplification DDoS Attack; Understanding the Mirai Botnet; Strange snafu misroutes domestic US Internet traffic through China Telecom; A $152,000 Cryptocurrency Theft Just Exploited A Huge Blind Spot In Internet Security |
| | | Lecture 12 | June 20 | 6.7, 6.8 / 10.1, 10.2, 11.1, 11.2. Optional readings: The Inside Story of the Kelihos Botnet Takedown; Gameover; Backstage with the Gameover Botnet Hijackers; Attacking an IDS |
| 5 | (PDF) (3up) | Lecture 13 | June 22 | 2.3, 12 / 2. Optional readings: One-time pad; A Stick Figure Guide to AES; Defeating AES without a PhD; Twenty Years of Attacks on the RSA Cryptosystem; Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision; SHA-1 collision found; Enigma Machine |
| | | Lecture 14 | June 27 | 6.3, 6.6 / 4.3, 8.1, 8.2, 8.4, 8.5, 9.2, 10.5, 12. Optional readings: Intercepting Mobile Communications: The Insecurity of 802.11; Cracking WEP in 60 seconds; El Gamal Encryption; DH Key-Exchange; DigiNotar incident; Superfish; Sennheiser Headset Software; WireGuard |
| | | Lecture 15 | June 29 | 6.6 / 8.6, 8.7, 10.3. Optional readings: SSH: passwords or keys?; Why Johnny Can't Encrypt; PGP Criminal Investigation; Off-the-Record Messaging; Signal's Double Ratchet |
| | | Lecture 16 | July 4 | 6.6, 9.1, 9.2, 9.6 / (none). Optional readings: A Survey of Anonymous Communication Channels; The Tor Project; Re-identifying Tor users |
| | | Lecture 17 | July 6 | 6.2 / (none). Optional reading: Encrypted Traffic Analysis |
| | | Lecture 18 | July 11 | (none) / 13. Optional readings: Bitcoin: A Peer-to-Peer Electronic Cash System; Ethereum Proof-of-Stake; The centralized power of decentralized mining pools |
| 6 | (PDF) (3up) | Lecture 19 | July 13 | 7.1 – 7.3, 7.5 / (none). Optional readings: A quick-start tutorial on relational database design; What does ACID mean in database systems? |
| | | Lecture 20 | July 18 | 9.4 / (none). Optional readings: Data mining and integrity: Boston Bomber slipped past while spelling glitch tripped up the law; Data mining and integrity: How Obama Officials Cried 'Terrorism' to Cover Up a Paperwork Error; FOILing NYC's Taxi Trip Data; Social Security Numbers Deduced From Public Data; A Face Is Exposed for AOL Searcher No. 4417749; ℓ-Diversity: Privacy Beyond k-Anonymity; t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity; Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization |
| | | Lecture 21 | July 20 | 9.4 / (none). Optional readings: Dataset reconstruction attacks; Damien Desfontaines' friendly introduction to differential privacy; A list of real-world uses of differential privacy; Gautam Kamath's Algorithms for Private Data Analysis course at UW |
| | | Lecture 22 | July 25 | (none) / (none). Optional readings: Nicholas Carlini's adversarial ML reading list; Attacking machine learning with adversarial examples; Microsoft's Tay chatbot poisoning; How to steal an AI |
| 7 | (PDF) (3up) | Lecture 23 | July 27 | 11.1, 11.2, 11.4 – 11.7 / (none). Optional readings: Ethically questionable behaviour: Cambridge Analytica; Ethically questionable behaviour: AT&T hacker; Ethically questionable behaviour: Deanonymizing Tor users; Ethically questionable behaviour: Facebook mood manipulation; Ethically questionable behaviour: Unaccountable algorithms; Ethically questionable behaviour: Malicious Linux kernel patches; Access Copyright v. York University; Unintended Consequences: Ten Years under the DMCA; A Death in Athens; On the Juniper backdoor; databreaches.net; Bruce Schneier on Full Disclosure; Google's view; Microsoft's view; Disclosing breaches to the government; ACM code of ethics; IEEE code of ethics; CIPS code of ethics |
| | | Lecture 24 | August 1 | 10.1 – 10.5 / 1.3 – 1.6. Optional readings: Investigation into the loss of a hard drive at Employment and Social Development Canada; uWaterloo's Information Security Policies, Standards, and Guidelines; uWaterloo's Electronic Media Disposal Guidelines; The Computer Centre Incident at Concordia; Twitter thread on Rogers' outage; Rogers' report on July 2022 Canada-wide service outage (abridged) |