A draft of the lecture slides for each module will be made available
the evening before the module begins.
The final version of the lecture slides will be made available after
the module is completed and replaces the draft. Use of the draft is at
your own risk!
Readings marked as mandatory contain required material for the
course, and must be read before the date of the corresponding
lecture.
| Module |
Slides |
Lecture
number |
Lecture date |
Textbook sections |
| 1 |
(PDF)
(3up) |
Lecture 1 |
January 8 |
1.1 – 1.8 |
| Mandatory reading: Californias Data Privacy Law |
| Optional reading: The 10 privacy principles of PIPEDA |
| Optional reading: A terminology for talking about privacy |
| 2 |
(PDF)
(3up) |
Lecture 2 |
January 10 |
3.1 |
| Mandatory reading: Smashing The Stack For Fun And Profit |
| Mandatory reading: (Version with some errors corrected) |
| Mandatory reading: Basic Integer Overflows |
| Optional reading: On the Evolution of Buffer Overflows |
| Optional reading: Exploiting Format String Vulnerabilities |
| Optional reading: Example format string vulnerabilities (November 2011) |
| Optional reading: Example format string vulnerabilities (May 2012) |
| Lecture 3 |
January 15 |
3.2 |
| Lecture 4 |
January 17 |
3.2 |
| Mandatory reading: Reflections on Trusting Trust |
| Mandatory reading: Browser Security Principles: The Same-Origin Policy |
| Optional reading: Morris worm |
| Optional reading: The Spread of the Sapphire/Slammer Worm |
| Optional reading: Slammed! |
| Optional reading: The inside story of the Conficker worm (access restricted to uWaterloo) |
| Optional reading: Conficker C Analysis |
| Optional reading: Technical analysis of client identification mechanisms |
| Optional reading: Linux Kernel "Back Door" Attempt |
| Optional reading: The backdooring of SquirrelMail |
| Optional reading: Salami Fraud |
| Lecture 5 |
January 22 |
3.3 |
| Optional reading: Clickjacking attack (Interface illusion) |
| Optional reading: MITM Malware Re-Writes Online Bank Statements |
| Optional reading: An operating system kernel with a formal proof of security |
| Optional reading: Bugs in open source software: #gotofail |
| Optional reading: Bugs in open source software: Heartbleed |
| 3 |
(PDF)
(3up) |
Lecture 6 |
January 24 |
5.1 |
| Optional reading: Android permissions demystified |
| Optional reading: Caja: Capability-based Javascript (project webpage) |
| Lecture 7 |
January 29 |
5.1 |
| Optional reading: Breaking SMS-based two-factor authentication: Attacking the cellular network |
| Optional reading: Breaking SMS-based two-factor authentication: Android malware for stealing SMS messages |
| Optional reading: Passphrases that you can memorize - But that even the NSA can't guess |
| Optional reading: The top 50 woeful passwords exposed by the Adobe security breach |
| Optional reading: Password Security: A Case History |
| Lecture 8 |
January 31 |
5.2 |
| Optional reading: Facebook's password hashing scheme |
| Optional reading: LinkedIn Revisited - Full 2012 Hash Dump Analysis |
| Optional reading: Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder |
| Optional reading: 'Fake fingerprint' Chinese woman fools Japan controls |
| Optional reading: Politician's fingerprint 'cloned from photos' by hacker |
| Optional reading: 3D printing a fingerprint |
| Optional reading: Android facial recognition based unlocking can be fooled with photo |
| Optional reading: Breaking Windows Hello Face Authentication |
| Optional reading: Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners |
| Optional reading: Biometrics and false positives |
| Lecture 9 |
February 5 |
5.2 |
| Mandatory reading: The Protection of Information in Computer Systems, section I.A. |
| Mandatory reading: Fortanix Runtime Encryption Platform |
| Optional reading: The Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars |
| Optional reading: Reliably Erasing Data From Flash-Based Solid State Drives |
| Optional reading: SELinux |
| 4 |
(PDF)
(3up) |
Lecture 10 |
February 7 |
6.1, 6.2 |
| Optional reading: 10.6 Background: networking and TCP/IP |
| Optional reading: How I Lost My $50,000 Twitter Username |
| Optional reading: How Apple and Amazon Security Flaws led to my Epic Hacking |
| Optional reading: Robin Sage |
| Optional reading: Fake social media ID duped security-aware IT guys |
| Lecture 11 |
February 12 |
6.3, 6.4 |
| Optional reading: Pakistan hijacks YouTube |
| Optional reading: Strange snafu misroutes domestic US Internet traffic through China Telecom |
| Optional reading: A $152,000 Cryptocurrency Theft Just Exploited A Huge "Blind Spot" In Internet Security |
| Optional reading: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It) |
| Optional reading: The DDoS That Almost Broke the Internet |
| Optional reading: Technical Details Behind a 400Gbps NTP Amplification DDoS Attack |
| Optional reading: Understanding the Mirai Botnet |
| Lecture 12 |
February 14 |
6.7, 6.8 |
| Mandatory reading: DH Key-Exchange |
| Mandatory reading: Kerboros |
| Optional reading: The Inside Story of the Kelihos Botnet Takedown |
| Optional reading: Gameover |
| Optional reading: Backstage with the Gameover Botnet Hijackers |
| Optional reading: Attacking an IDS |
| 5 |
(PDF)
(3up) |
Lecture 13 |
February 26 |
2.3 |
| Mandatory reading: El Gamal Encryption |
| Lecture 14 |
February 28 |
2.3 |
| Mandatory reading: Hash-Based Signatures |
| Optional reading: Crypto breakthrough shows Flame was designed by world-class scientists |
| Optional reading: Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision |
| Optional reading: SHA-1 collision found |
| Lecture 15 |
March 4 |
2.3, 6.6 |
| Optional reading: Tree of Trust (red: root CA; green: intermediate CA) |
| Optional reading: Turkish Registrar Enabled Phishers to Spoof Google |
| Optional reading: Comodogate |
| Optional reading: DigiNotar incident |
| Optional reading: Chrome's Plan to Distrust Symantec Certificates |
| Optional reading: Lest We Remember: Cold Boot Attacks on Encryption Keys |
| Lecture 16 |
March 6 |
6.6, 9 |
| Optional reading: Intercepting Mobile Communications: The Insecurity of 802.11 |
| Optional reading: Cracking WEP in 60 seconds |
| Optional reading: KRACK: WPA2 Attack |
| Optional reading: Let's Encrypt - Free SSL/TLS Certificates |
| Optional reading: badssl.com |
| Optional reading: Superfish |
| Optional reading: The Tor Project |
| Optional reading: Re-identifying Tor users |
| Lecture 17 |
March 11 |
|
| Mandatory reading: Bitcoin: A Peer-to-Peer Electronic Cash System |
| 6 |
(PDF)
(3up) |
Lecture 18 |
March 13 |
7.1 – 7.5 |
| Optional reading: Doctors snooped on Humboldt Broncos records, privacy commissioner finds |
| Optional reading: Using police databases for personal gain |
| Lecture 19 |
March 18 |
9.4 |
| Optional reading: Social Security Numbers Deduced From Public Data |
| Optional reading: Identifying spies with data aggregation (final four paragraphs) |
| Optional reading: A reading list on differential privacy |
| Lecture 20 |
March 20 |
9.4 |
| Optional reading: Data mining and integrity: Boston Bomber slipped past while spelling glitch tripped up the law |
| Optional reading: Data mining and integrity: How Obama Officials Cried 'Terrorism' to Cover Up a Paperwork Error |
| Optional reading: Data mining in action: How Companies Learn Your Secrets |
| Optional reading: Data mining in action: How this company tracked 16,000 Iowa caucus-goers via their phones |
| Optional reading: FOILing NYC's Taxi Trip Data |
| Optional reading: A Face Is Exposed for AOL Searcher No. 4417749 |
| Optional reading: ℓ-Diversity: Privacy Beyond k-Anonymity |
| Optional reading: t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity |
| Optional reading: Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization |
| 7 |
(PDF)
(3up) |
Lecture 21 |
March 25 |
10.1 – 10.4 |
| Optional reading: Ethically questionable behaviour: Cambridge Analytica |
| Optional reading: Ethically questionable behaviour: AT&T hacker |
| Optional reading: Ethically questionable behaviour: Attacking Tor exit nodes |
| Optional reading: Ethically questionable behaviour: Deanonymizing Tor users |
| Optional reading: Ethically questionable behaviour: Facebook mood manipulation |
| Optional reading: Ethically questionable behaviour: Unaccountable algorithms |
| Optional reading: ACM code of ethics |
| Optional reading: IEEE code of ethics |
| Optional reading: CIPS code of ethics |
| Optional reading: Investigation into the loss of a hard drive at Employment and Social Development Canada |
| Optional reading: IST's continuity plan in case of a pandemic |
| Optional reading: uWaterloo's emergency response policy |
| Optional reading: PogoWasRight.org |
| Optional reading: databreaches.net |
| Optional reading: uWaterloo's Information Security Breach Response Procedure |
| Lecture 22 |
March 27 |
10.5, 11.1, 11.2 |
| Optional reading: The Computer Centre Incident at Concordia |
| Optional reading: uWaterloo's Electronic Media Disposal Guidelines |