| Module |
Slides |
Lecture
number |
Lecture date |
Textbook sections (Pfleeger et al. / van Oorschot) |
| 1 |
(PDF)
(3up) |
Lecture 1 |
May 9 |
1.1 – 1.8 / 1.1 – 1.4, 1.6 |
| Optional reading: The 10 privacy principles of PIPEDA |
| Optional reading: A terminology for talking about privacy |
| Optional reading: Federal privacy reform in Canada: The Consumer Privacy Protection Act |
| Optional reading: Modernizing Canada’s Privacy Act |
| Optional reading: Microsoft’s report on Russian Cyberattacks in Ukraine |
| Optional reading: Social Security Employees in Illinois Sentenced in Federal Court on Charges Including Bribery and Identity Theft |
| 2 |
(PDF)
(3up) |
Lecture 2 |
May 11 |
3.1 / 6.1 – 6.8 |
| Mandatory reading before class: Smashing The Stack For Fun And Profit |
| Optional reading: On the Evolution of Buffer Overflows |
| Optional reading: Exploiting Format String Vulnerabilities |
| Optional reading: Example format string vulnerabilities (November 2011) |
| Optional reading: Example format string vulnerabilities (May 2012) |
| Optional reading: A Taxonomy of Computer Program Security Flaws, with Examples |
| Lecture 3 |
May 16 |
3.2 / 7.1 – 7.4 |
| Optional reading: Morris worm |
| Optional reading: The Spread of the Sapphire/Slammer Worm |
| Optional reading: Slammed! |
| Optional reading: Technical analysis of client identification mechanisms |
| Lecture 4 |
May 18 |
3.2 / 7.5 – 7.9 |
| Mandatory reading before class: Reflections on Trusting Trust |
| Optional reading: US Federal Student Aid website has a Facebook web bug |
| Optional reading: Linux Kernel "Back Door" Attempt |
| Optional reading: The backdooring of SquirrelMail |
| Optional reading: Clickjacking attack (Interface illusion) |
| Optional reading: MITM Malware Re-Writes Online Bank Statements |
| Lecture 5 |
May 25 |
3.3 / 1.7, 6.9 |
| Optional reading: An operating system kernel with a formal proof of security |
| Optional reading: Bugs in open source software: #gotofail |
| Optional reading: Bugs in open source software: Heartbleed |
| 3 |
(PDF)
(3up) |
Lecture 6 |
May 30 |
5.1 / 5.1 – 5.2 |
| Optional reading: Android permissions demystified |
| Optional reading: Google launches its third major operating system, Fuchsia |
| Lecture 7 |
June 1 |
5.1 / 3.1 – 3.4, 3.6 |
| Optional reading: Breaking SMS-based two-factor authentication: Attacking the cellular network |
| Optional reading: Breaking SMS-based two-factor authentication: Android malware for stealing SMS messages |
| Optional reading: Passphrases that you can memorize — But that even the NSA can't guess |
| Optional reading: The top 50 woeful passwords exposed by the Adobe security breach |
| Optional reading: Password Security: A Case History |
| Optional reading: Facebook's password hashing scheme |
| Optional reading: LinkedIn Revisited - Full 2012 Hash Dump Analysis |
| Optional reading: Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder |
| Optional reading: Largest password data breach in history has been leaked online |
| Lecture 8 |
June 6 |
5.2 / 3.5 |
| Optional reading: 'Fake fingerprint' Chinese woman fools Japan controls |
| Optional reading: Politician's fingerprint 'cloned from photos' by hacker |
| Optional reading: Vietnamese security firm: Your face is easy to fake |
| Optional reading: Android facial recognition based unlocking can be fooled with photo |
| Optional reading: Breaking Windows Hello Face Authentication |
| Optional reading: Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners |
| Optional reading: Border Drones with Facial Recognition |
| Lecture 9 |
June 8 |
5.2 / 1.7 |
| Mandatory reading before class: The Protection of Information in Computer Systems, section I.A. |
| Optional reading: The Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars |
| Optional reading: Reliably Erasing Data From Flash-Based Solid State Drives |
| Optional reading: SELinux |
| 4 |
(PDF)
(3up) |
Lecture 10 |
June 13 |
6.1, 6.2 / 9.1, 9.3, 9.6, 10.6, 11.3 |
| Optional reading: How I Lost My $50,000 Twitter Username |
| Optional reading: Robin Sage |
| Optional reading: How Apple and Amazon Security Flaws Led to My Epic Hacking |
| Lecture 11 |
June 15 |
6.3, 6.4 / 11.3, 11.4, 11.6 |
| Optional reading: Cybercrime 2.0: When the Cloud Turns Dark |
| Optional reading: Why Google Went Offline Today and a Bit about How the Internet Works |
| Optional reading: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It) |
| Optional reading: The DDoS That Almost Broke the Internet |
| Optional reading: Biggest DDoS ever aimed at Cloudflare's content delivery network |
| Optional reading: Technical Details Behind a 400Gbps NTP Amplification DDoS Attack |
| Optional reading: Understanding the Mirai Botnet |
| Optional reading: Strange snafu misroutes domestic US Internet traffic through China Telecom |
| Optional reading: A $152,000 Cryptocurrency Theft Just Exploited A Huge Blind Spot In Internet Security |
| Lecture 12 |
June 20 |
6.7, 6.8 / 10.1, 10.2, 11.1, 11.2 |
| Optional reading: The Inside Story of the Kelihos Botnet Takedown |
| Optional reading: Gameover |
| Optional reading: Backstage with the Gameover Botnet Hijackers |
| Optional reading: Attacking an IDS |
| 5 |
(PDF)
(3up) |
Lecture 13 |
June 22 |
2.3, 12 / 2 |
| Optional reading: One-time pad |
| Optional reading: A Stick Figure Guide to AES |
| Optional reading: Defeating AES without a PhD |
| Optional reading: Twenty Years of Attacks on the RSA Cryptosystem |
| Optional reading: Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision |
| Optional reading: SHA-1 collision found |
| Optional reading: Enigma Machine |
| Lecture 14 |
June 27 |
6.3, 6.6 / 4.3, 8.1, 8.2, 8.4, 8.5, 9.2, 10.5, 12 |
| Optional reading: Intercepting Mobile Communications: The Insecurity of 802.11 |
| Optional reading: Cracking WEP in 60 seconds |
| Optional reading: El Gamal Encryption |
| Optional reading: DH Key-Exchange |
| Optional reading: DigiNotar incident |
| Optional reading: Superfish |
| Optional reading: Sennheiser Headset Software |
| Optional reading: WireGuard |
| Lecture 15 |
June 29 |
6.6 / 8.6, 8.7, 10.3 |
| Optional reading: SSH: passwords or keys? |
| Optional reading: Why Johnny Can't Encrypt |
| Optional reading: PGP Criminal Investigation |
| Optional reading: Off-the-Record Messaging |
| Optional reading: Signal's Double Ratchet |
| Lecture 16 |
July 4 |
6.6., 9.1, 9.2, 9.6 / |
| Optional reading: A Survey of Anonymous Communication Channels |
| Optional reading: The Tor Project |
| Optional reading: Re-identifying Tor users |
| Lecture 17 |
July 6 |
6.2 / |
| Optional reading: Encrypted Traffic Analysis |
| Lecture 18 |
July 11 |
/ 13 |
| Optional reading: Bitcoin: A Peer-to-Peer Electronic Cash System |
| Optional reading: Ethereum Proof-of-Stake |
| Optional reading: The centralized power of decentralized mining pools |
| 6 |
(PDF)
(3up) |
Lecture 19 |
July 13 |
7.1 – 7.3, 7.5 / |
| Optional reading: A quick-start tutorial on relational database design |
| Optional reading: What does ACID mean in database systems? |
| Lecture 20 |
July 18 |
9.4 / |
| Optional reading: Data mining and integrity: Boston Bomber slipped past while spelling glitch tripped up the law |
| Optional reading: Data mining and integrity: How Obama Officials Cried 'Terrorism' to Cover Up a Paperwork Error |
| Optional reading: FOILing NYC's Taxi Trip Data |
| Optional reading: Social Security Numbers Deduced From Public Data |
| Optional reading: A Face Is Exposed for AOL Searcher No. 4417749 |
| Optional reading: ℓ-Diversity: Privacy Beyond k-Anonymity |
| Optional reading: t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity |
| Optional reading: Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization |
| Lecture 21 |
July 20 |
9.4 / |
| Optional reading: Dataset reconstruction attacks |
| Optional reading: Damien Desfontaines' friendly introduction to differential privacy |
| Optional reading: A list of real-world uses of differential privacy |
| Optional reading: Gautam Kamath's Algorithms for Private Data Analysis course at UW |
| Lecture 22 |
July 25 |
/ |
| Optional reading: Nicholas Carlini's adversarial ML reading list |
| Optional reading: Attacking machine learning with adversarial examples |
| Optional reading: Microsoft's Tay chatbot poisoning |
| Optional reading: How to steal an AI |
| 7 |
(PDF)
(3up) |
Lecture 23 |
July 27 |
11.1, 11.2, 11.4 – 11.7 / |
| Optional reading: Ethically questionable behaviour: Cambridge Analytica |
| Optional reading: Ethically questionable behaviour: AT&T hacker |
| Optional reading: Ethically questionable behaviour: Deanonymizing Tor users |
| Optional reading: Ethically questionable behaviour: Facebook mood manipulation |
| Optional reading: Ethically questionable behaviour: Unaccountable algorithms |
| Optional reading: Ethically questionable behaviour: Malicious Linux kernel patches |
| Optional reading: Access Copyright v. York University |
| Optional reading: Unintended Consequences: Ten Years under the DMCA |
| Optional reading: A Death in Athens |
| Optional reading: On the Juniper backdoor |
| Optional reading: databreaches.net |
| Optional reading: Bruce Schneier on Full Disclosure |
| Optional reading: Google's view |
| Optional reading: Microsoft's view |
| Optional reading: Disclosing breaches to the government |
| Optional reading: ACM code of ethics |
| Optional reading: IEEE code of ethics |
| Optional reading: CIPS code of ethics |
| Lecture 24 |
August 1 |
10.1 – 10.5 / 1.3 – 1.6 |
| Optional reading: Investigation into the loss of a hard drive at Employment and Social Development Canada |
| Optional reading: uWaterloo's Information Security Policies, Standards, and Guidelines |
| Optional reading: uWaterloo's Electronic Media Disposal Guidelines |
| Optional reading: The Computer Centre Incident at Concordia |
| Optional reading: Twitter thread on Rogers' outage |
| Optional reading: Roger's report on July 2022 Canada-wide service outage (abridged) |