A draft of the lecture slides for each module will be made available
the evening before the module begins.
The final version of the lecture slides will be made available after
the module is completed and replaces the draft. Use of the draft is at
your own risk!
You are expected to have read the indicated sections of the textbook
before the corresponding lecture.
Readings marked as mandatory contain required material for the
course, and must be read before the date of the corresponding
lecture.
Module | Slides | Lecture number | Lecture date | Textbook sections |
1 |
(PDF)
(3up)
| Lecture 1
| 7 Jan
| 1.1 – 1.11
|
Optional reading: The 10 privacy principles of PIPEDA |
2 |
(PDF)
(3up)
| Lecture 2
| 9 Jan
| 3.1, 3.2
|
Mandatory reading before class: Smashing The Stack For Fun And Profit |
Optional reading: On the Evolution of Buffer Overflows |
Optional reading: Exploiting Format String Vulnerabilities |
Optional reading: Example format
string vulnerabilities (November 2011, May 2012) |
Optional reading: A Taxonomy of Computer Program Security Flaws, with Examples |
Lecture 3
| 14 Jan
| 3.3
|
Lecture 4
| 16 Jan
| 3.4
|
Optional reading: Morris worm |
Optional reading: The Spread of the Sapphire/Slammer Worm; also: Slammed! |
Optional reading: Technical analysis of client identification mechanisms |
Mandatory reading before class: Reflections on Trusting Trust |
Optional reading: Linux Kernel "Back Door" Attempt; also: The backdooring of SquirrelMail |
Optional reading: Salami Fraud |
Lecture 5
| 21 Jan
| 3.5
|
Optional reading: Clickjacking attack (Interface illusion) |
Optional reading: The inside story of the Conficker worm (access restricted to uWaterloo); also: Conficker C Analysis |
Optional reading: MITM Malware Re-Writes Online Bank Statements |
Optional reading: An operating system kernel with a formal proof of security |
Optional reading: Bugs in open-source software: #gotofail, Heartbleed Bug |
3 |
(PDF)
(3up)
| Lecture 6
| 23 Jan
| 4.1, 4.2, 4.3, 4.4
|
Optional reading: Android permissions demystified |
Optional reading: Caja: Capability-based Javascript. Project webpage; draft specification |
Lecture 7
| 28 Jan
| 4.5
|
Optional reading: Breaking two-factor authentication: ABN Ambro incident, Citibank incident, Android malware for stealing SMS messages
|
Optional reading: Why passwords have never been weaker - and crackers have never been stronger; 25-GPU cluster cracks every standard Windows password in <6 hours |
Optional reading: The top 50 woeful passwords exposed by the Adobe security breach |
Optional reading: Fighting Hackers: Everything You've Been Told About Passwords Is Wrong |
Optional reading: Password Security: A Case History, Facebook's password hashing scheme |
Optional reading: Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder |
Lecture 8
| 30 Jan
| 5.1, 5.2
|
Optional reading: Breaking fingerprint recognition: 'Fake fingerprint' Chinese woman fools Japan controls, Politician's fingerprint 'cloned from photos' by hacker |
Optional reading: Breaking facial recognition: Vietnamese security firm: Your face is easy to fake, Android facial recognition based unlocking can be fooled with photo |
Optional reading: Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners |
Optional reading: Biometrics-based forensics: Computing the Scene of a Crime, High-Tech, High-Risk Forensics |
Lecture 9
| 4 Feb
| 5.3, 5.4, 5.5
|
Mandatory reading before class: The Protection of Information in Computer Systems, section I.A. (only section I.A. is mandatory) |
Optional reading: The Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars |
Optional reading: Reliably Erasing Data From Flash-Based Solid State Drives |
Optional reading: SELinux |
4 |
(PDF)
(3up)
| Lecture 10
| 6 Feb
| 7.1
|
Optional reading: Social engineering I:
How I Lost My $50,000 Twitter Username,
How I almost lost my $500,000 Twitter user name @jb... and my startup |
Optional reading: Social engineering II:
Robin Sage,
Fake social media ID duped security-aware IT guys |
Lecture 11
| 11 Feb
| 7.2
|
Optional reading: MITM attacks: The New Threat: Targeted Internet Traffic Misdirection |
Optional reading: Cybercrime 2.0: When the Cloud Turns Dark |
Optional reading: Black hole attacks: Pakistan hijacks YouTube; The flap heard around the world; Why Google Went Offline Today and a Bit about How the Internet Works |
Optional reading: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It); The DDoS That Almost Broke the Internet; Biggest DDoS ever aimed at Cloudflare's content delivery network; Technical Details Behind a 400Gbps NTP Amplification DDoS Attack
|
Optional reading: The Inside Story of the Kelihos Botnet Takedown; Gameover; Backstage with the Gameover Botnet Hijackers
|
Lecture 12
| 13 Feb
| 7.3, 7.4
|
5 |
(PDF)
(3up)
| Lecture 13
| 25 Feb
| 2.4
|
Optional reading: COPACOBANA |
Optional reading: A Stick Figure Guide to AES |
Optional reading: Defeating AES without a PhD |
Lecture 14
| 27 Feb
| 2.7 (except p. 77-78)
|
Optional reading: Theoretical attacks yield practical attacks on SSL, PKI |
Optional reading: Crypto breakthrough shows Flame was designed by world-class scientists |
Lecture 15
| 4 Mar
| 2.8 (except p. 79-84), 7.3
|
Optional reading: Tree of Trust (red: root CA; green: intermediate CA) |
Optional reading: Lest We Remember: Cold Boot Attacks on Encryption Keys |
Lecture 16
| 6 Mar
| 7.3, 10
|
Optional reading: Intercepting Mobile Communications: The Insecurity of 802.11 |
Optional reading: Cracking WEP in 60 seconds |
Lecture 17
| 11 Mar
| 7.3, 10
|
Optional reading: Turkish Registrar Enabled Phishers to Spoof Google, also Comodogate and DigiNotar incident |
Optional reading: Superfish |
Optional reading: The Tor Project |
Optional reading: SSH: passwords or keys? |
Lecture 18
| 13 Mar
| 7.3, 10
|
Optional reading: Mixminion |
Optional reading: De-Anonymizing Alt.Anonymous.Messages |
Optional reading: Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You. |
Optional reading: Off-the-Record Messaging |
6 |
(PDF)
(3up)
| Lecture 19
| 18 Mar
| 6.1 – 6.7
|
Optional reading: Social Security Numbers Deduced From Public Data |
Lecture 20
| 20 Mar
| 6.8, 10.4
|
Lecture 21
| 25 Mar
| 6.8, 10.4
|
Optional reading: Boston Bomber slipped past while spelling glitch tripped up the law |
Optional reading: How Obama Officials Cried 'Terrorism' to Cover Up a Paperwork Error |
Optional reading: FOILing NYC’s Taxi Trip Data |
Optional reading: A Face Is Exposed for AOL Searcher No. 4417749 |
Optional reading: ℓ-Diversity: Privacy Beyond k-Anonymity |
Optional reading: t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity |
Optional reading: Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization |
7 |
(PDF)
(3up)
| Lecture 22
| 27 Mar
| 8.1, 8.2, 8.3
|
Optional reading: Investigation into the loss of a hard drive at Employment and Social Development Canada |
Optional reading: IST's continuity plan in case of a pandemic |
Optional reading: UW's emergency response policy |
Optional reading: Stealing Commodities |
Optional reading: PogoWasRight.org, databreaches.net, OSF DataLossDB |
Lecture 23
| 1 Apr
| 8.4, 11.1, 11.2
|
Optional reading: The Computer Centre Incident at Concordia |
Optional reading: Waterloo's Electronic Media Disposal Guidelines |
Lecture 24
| 6 Apr
| 11.4, 11.5, 11.6
|
Optional viewing: A Fair(y) Use Tale |
Optional viewing: The great copyright battle: UBC's bold stand against Access Copyright |
Optional viewing: Unintended Consequences: Ten Years under the DMCA |
Optional reading: The Athens Affair, SISMI-Telecom scandal |
,
Optional reading: Bruce Schneier on Full Disclosure,
Google's view,
Microsoft's view
|
Optional reading: Codes of ethics:
ACM
IEEE
CIPS
|
-->