[Course homepage]

CS 458/658 W19 Modules

A draft of the lecture slides for each module will be made available the evening before the module begins. The final version of the lecture slides will be made available after the module is completed and replaces the draft. Use of the draft is at your own risk!

Readings marked as mandatory contain required material for the course, and must be read before the date of the corresponding lecture.

Module Slides Lecture
number
Lecture date Textbook sections
1 (PDF)
(3up)
Lecture 1 January 7 1.1 – 1.8
Optional reading: The 10 privacy principles of PIPEDA
Optional reading: A terminology for talking about privacy
2 (PDF)
(3up)
Lecture 2 January 9 3.1
Mandatory reading before class: Smashing The Stack For Fun And Profit
Optional reading: On the Evolution of Buffer Overflows
Optional reading: Exploiting Format String Vulnerabilities
Optional reading: Example format string vulnerabilities (November 2011)
Optional reading: Example format string vulnerabilities (May 2012)
Optional reading: A Taxonomy of Computer Program Security Flaws, with Examples
Lecture 3 January 14 3.2
Optional reading: Morris worm
Optional reading: The Spread of the Sapphire/Slammer Worm
Optional reading: Slammed!
Optional reading: The inside story of the Conficker worm (access restricted to uWaterloo)
Optional reading: Conficker C Analysis
Optional reading: Technical analysis of client identification mechanisms
Lecture 4 January 16 3.2
Mandatory reading before class: Reflections on Trusting Trust
Optional reading: Linux Kernel "Back Door" Attempt
Optional reading: The backdooring of SquirrelMail
Optional reading: Salami Fraud
Optional reading: Clickjacking attack (Interface illusion)
Optional reading: MITM Malware Re-Writes Online Bank Statements
Lecture 5 January 21 3.3
Optional reading: An operating system kernel with a formal proof of security
Optional reading: Bugs in open source software: #gotofail
Optional reading: Bugs in open source software: Heartbleed
3 (PDF)
(3up)
Lecture 6 January 23 5.1
Optional reading: Android permissions demystified
Optional reading: Caja: Capability-based Javascript (project webpage)
Optional reading: Caja: Capability-based Javascript (draft specification)
Lecture 7 January 28 5.1
Optional reading: Breaking SMS-based two-factor authentication: Attacking the cellular network
Optional reading: Breaking SMS-based two-factor authentication: Android malware for stealing SMS messages
Optional reading: Passphrases that you can memorize - But that even the NSA can't guess
Optional reading: The top 50 woeful passwords exposed by the Adobe security breach
Optional reading: Password Security: A Case History
Optional reading: Facebook's password hashing scheme
Optional reading: LinkedIn Revisited - Full 2012 Hash Dump Analysis
Optional reading: Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder
Lecture 8 January 30 5.2
Optional reading: 'Fake fingerprint' Chinese woman fools Japan controls
Optional reading: Politician's fingerprint 'cloned from photos' by hacker
Optional reading: Vietnamese security firm: Your face is easy to fake
Optional reading: Android facial recognition based unlocking can be fooled with photo
Optional reading: Breaking Windows Hello Face Authentication
Optional reading: Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners
Optional reading: Border Drones with Facial Recognition
Lecture 9 February 4 5.2
Mandatory reading before class: The Protection of Information in Computer Systems, section I.A.
Optional reading: The Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars
Optional reading: Reliably Erasing Data From Flash-Based Solid State Drives
Optional reading: SELinux
4 (PDF)
(3up)
Lecture 10 February 6 6.1, 6.2
Optional reading: How I Lost My $50,000 Twitter Username
Optional reading: How I Almost Lost My $500,000 Twitter Username @jb... and my startup
Optional reading: Robin Sage
Optional reading: Fake social media ID duped security-aware IT guys
Lecture 11 February 11 6.3, 6.4
Optional reading: The New Threat: Targeted Internet Traffic Misdirection
Optional reading: Cybercrime 2.0: When the Cloud Turns Dark
Optional reading: Pakistan hijacks YouTube
Optional reading: The flap heard around the world
Optional reading: Why Google Went Offline Today and a Bit about How the Internet Works
Optional reading: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It)
Optional reading: The DDoS That Almost Broke the Internet
Optional reading: Biggest DDoS ever aimed at Cloudflare's content delivery network
Optional reading: Technical Details Behind a 400Gbps NTP Amplification DDoS Attack
Optional reading: Understanding the Mirai Botnet
Lecture 12 February 13 6.7, 6.8
Optional reading: The Inside Story of the Kelihos Botnet Takedown
Optional reading: Gameover
Optional reading: Backstage with the Gameover Botnet Hijackers
Optional reading: Attacking an IDS
5 (PDF)
(3up)
Lecture 13 February 18 2.3
Optional reading: COPACOBANA
Optional reading: Antminer S9
Optional reading: A Stick Figure Guide to AES
Optional reading: Defeating AES without a PhD
Lecture 14 February 25 2.3
Optional reading: Crypto breakthrough shows Flame was designed by world-class scientists
Optional reading: Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision
Optional reading: SHA-1 collision found
Lecture 15 February 27 2.3, 6.6
Optional reading: Tree of Trust (red: root CA; green: intermediate CA)
Optional reading: Turkish Registrar Enabled Phishers to Spoof Google
Optional reading: Comodogate
Optional reading: DigiNotar incident
Optional reading: Chrome's Plan to Distrust Symantec Certificates
Optional reading: Let's Encrypt - Free SSL/TLS Certificates
Optional reading: badssl.com
Optional reading: Lest We Remember: Cold Boot Attacks on Encryption Keys
Lecture 16 March 4 6.6, 9
Optional reading: Intercepting Mobile Communications: The Insecurity of 802.11
Optional reading: Cracking WEP in 60 seconds
Lecture 17 March 6 6.6, 9
Optional reading: Superfish
Optional reading: The Tor Project
Lecture 18 March 11 6.6, 9
Optional reading: SSH: passwords or keys?
Optional reading: Mixminion
Optional reading: De-Anonymizing Alt.Anonymous.Messages
Optional reading: Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You.
Optional reading: Off-the-Record Messaging
6 (PDF)
(3up)
DRAFT
Lecture 19 March 13 7.1 – 7.5
Optional reading: Snooping into Rob Ford's medical records
Optional reading: Using police databases for personal gain
Lecture 20 March 18 9.4
Optional reading: Social Security Numbers Deduced From Public Data
Optional reading: Identifying spies with data aggregation (final four paragraphs)
Lecture 21 March 20 9.4
Optional reading: Data mining and integrity: Boston Bomber slipped past while spelling glitch tripped up the law
Optional reading: Data mining and integrity: How Obama Officials Cried 'Terrorism' to Cover Up a Paperwork Error
Optional reading: Data mining in action: How Companies Learn Your Secrets
Optional reading: Data mining in action: How this company tracked 16,000 Iowa caucus-goers via their phones
Optional reading: FOILing NYC's Taxi Trip Data
Optional reading: A Face Is Exposed for AOL Searcher No. 4417749
Optional reading: ℓ-Diversity: Privacy Beyond k-Anonymity
Optional reading: t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity
Optional reading: Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization