| Module | Slides | Lecture number | Lecture date | Textbook sections | Readings |
|---|---|---|---|---|---|
| 1 | (PDF) (3up) | Lecture 1 | January 8 | 1.1 – 1.8 | Mandatory reading: California's Data Privacy Law |
| | | | | | Optional reading: The 10 privacy principles of PIPEDA |
| | | | | | Optional reading: A terminology for talking about privacy |
| 2 | (PDF) (3up) | Lecture 2 | January 10 | 3.1 | Mandatory reading: Smashing The Stack For Fun And Profit |
| | | | | | Mandatory reading: (Version with some errors corrected) |
| | | | | | Mandatory reading: Basic Integer Overflows |
| | | | | | Optional reading: On the Evolution of Buffer Overflows |
| | | | | | Optional reading: Exploiting Format String Vulnerabilities |
| | | | | | Optional reading: Example format string vulnerabilities (November 2011) |
| | | | | | Optional reading: Example format string vulnerabilities (May 2012) |
| | | Lecture 3 | January 15 | 3.2 | |
| | | Lecture 4 | January 17 | 3.2 | Mandatory reading: Reflections on Trusting Trust |
| | | | | | Mandatory reading: Browser Security Principles: The Same-Origin Policy |
| | | | | | Optional reading: Morris worm |
| | | | | | Optional reading: The Spread of the Sapphire/Slammer Worm |
| | | | | | Optional reading: Slammed! |
| | | | | | Optional reading: The inside story of the Conficker worm (access restricted to uWaterloo) |
| | | | | | Optional reading: Conficker C Analysis |
| | | | | | Optional reading: Technical analysis of client identification mechanisms |
| | | | | | Optional reading: Linux Kernel "Back Door" Attempt |
| | | | | | Optional reading: The backdooring of SquirrelMail |
| | | | | | Optional reading: Salami Fraud |
| | | Lecture 5 | January 22 | 3.3 | Optional reading: Clickjacking attack (Interface illusion) |
| | | | | | Optional reading: MITM Malware Re-Writes Online Bank Statements |
| | | | | | Optional reading: An operating system kernel with a formal proof of security |
| | | | | | Optional reading: Bugs in open source software: #gotofail |
| | | | | | Optional reading: Bugs in open source software: Heartbleed |
| 3 | (PDF) (3up) | Lecture 6 | January 24 | 5.1 | Optional reading: Android permissions demystified |
| | | | | | Optional reading: Caja: Capability-based Javascript (project webpage) |
| | | Lecture 7 | January 29 | 5.1 | Optional reading: Breaking SMS-based two-factor authentication: Attacking the cellular network |
| | | | | | Optional reading: Breaking SMS-based two-factor authentication: Android malware for stealing SMS messages |
| | | | | | Optional reading: Passphrases that you can memorize - But that even the NSA can't guess |
| | | | | | Optional reading: The top 50 woeful passwords exposed by the Adobe security breach |
| | | | | | Optional reading: Password Security: A Case History |
| | | Lecture 8 | January 31 | 5.2 | Optional reading: Facebook's password hashing scheme |
| | | | | | Optional reading: LinkedIn Revisited - Full 2012 Hash Dump Analysis |
| | | | | | Optional reading: Anatomy of a password disaster - Adobe's giant-sized cryptographic blunder |
| | | | | | Optional reading: 'Fake fingerprint' Chinese woman fools Japan controls |
| | | | | | Optional reading: Politician's fingerprint 'cloned from photos' by hacker |
| | | | | | Optional reading: 3D printing a fingerprint |
| | | | | | Optional reading: Android facial recognition based unlocking can be fooled with photo |
| | | | | | Optional reading: Breaking Windows Hello Face Authentication |
| | | | | | Optional reading: Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners |
| | | | | | Optional reading: Biometrics and false positives |
| | | Lecture 9 | February 5 | 5.2 | Mandatory reading: The Protection of Information in Computer Systems, section I.A. |
| | | | | | Mandatory reading: Fortanix Runtime Encryption Platform |
| | | | | | Optional reading: The Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars |
| | | | | | Optional reading: Reliably Erasing Data From Flash-Based Solid State Drives |
| | | | | | Optional reading: SELinux |
| 4 | (PDF) (3up) | Lecture 10 | February 7 | 6.1, 6.2 | Optional reading: 10.6 Background: networking and TCP/IP |
| | | | | | Optional reading: How I Lost My $50,000 Twitter Username |
| | | | | | Optional reading: How Apple and Amazon Security Flaws led to my Epic Hacking |
| | | | | | Optional reading: Robin Sage |
| | | | | | Optional reading: Fake social media ID duped security-aware IT guys |
| | | Lecture 11 | February 12 | 6.3, 6.4 | Optional reading: Pakistan hijacks YouTube |
| | | | | | Optional reading: Strange snafu misroutes domestic US Internet traffic through China Telecom |
| | | | | | Optional reading: A $152,000 Cryptocurrency Theft Just Exploited A Huge "Blind Spot" In Internet Security |
| | | | | | Optional reading: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It) |
| | | | | | Optional reading: The DDoS That Almost Broke the Internet |
| | | | | | Optional reading: Technical Details Behind a 400Gbps NTP Amplification DDoS Attack |
| | | | | | Optional reading: Understanding the Mirai Botnet |
| | | Lecture 12 | February 14 | 6.7, 6.8 | Mandatory reading: DH Key-Exchange |
| | | | | | Mandatory reading: Kerberos |
| | | | | | Optional reading: The Inside Story of the Kelihos Botnet Takedown |
| | | | | | Optional reading: Gameover |
| | | | | | Optional reading: Backstage with the Gameover Botnet Hijackers |
| | | | | | Optional reading: Attacking an IDS |
| 5 | (PDF) (3up) | Lecture 13 | February 26 | 2.3 | Mandatory reading: El Gamal Encryption |
| | | Lecture 14 | February 28 | 2.3 | Mandatory reading: Hash-Based Signatures |
| | | | | | Optional reading: Crypto breakthrough shows Flame was designed by world-class scientists |
| | | | | | Optional reading: Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision |
| | | | | | Optional reading: SHA-1 collision found |
| | | Lecture 15 | March 4 | 2.3, 6.6 | Optional reading: Tree of Trust (red: root CA; green: intermediate CA) |
| | | | | | Optional reading: Turkish Registrar Enabled Phishers to Spoof Google |
| | | | | | Optional reading: Comodogate |
| | | | | | Optional reading: DigiNotar incident |
| | | | | | Optional reading: Chrome's Plan to Distrust Symantec Certificates |
| | | | | | Optional reading: Lest We Remember: Cold Boot Attacks on Encryption Keys |
| | | Lecture 16 | March 6 | 6.6, 9 | Optional reading: Intercepting Mobile Communications: The Insecurity of 802.11 |
| | | | | | Optional reading: Cracking WEP in 60 seconds |
| | | | | | Optional reading: KRACK: WPA2 Attack |
| | | | | | Optional reading: Let's Encrypt - Free SSL/TLS Certificates |
| | | | | | Optional reading: badssl.com |
| | | | | | Optional reading: Superfish |
| | | | | | Optional reading: The Tor Project |
| | | | | | Optional reading: Re-identifying Tor users |
| | | Lecture 17 | March 11 | | Mandatory reading: Bitcoin: A Peer-to-Peer Electronic Cash System |
| 6 | (PDF) (3up) | Lecture 18 | March 13 | 7.1 – 7.5 | Optional reading: Doctors snooped on Humboldt Broncos records, privacy commissioner finds |
| | | | | | Optional reading: Using police databases for personal gain |
| | | Lecture 19 | March 18 | 9.4 | Optional reading: Social Security Numbers Deduced From Public Data |
| | | | | | Optional reading: Identifying spies with data aggregation (final four paragraphs) |
| | | | | | Optional reading: A reading list on differential privacy |
| | | Lecture 20 | March 20 | 9.4 | Optional reading: Data mining and integrity: Boston Bomber slipped past while spelling glitch tripped up the law |
| | | | | | Optional reading: Data mining and integrity: How Obama Officials Cried 'Terrorism' to Cover Up a Paperwork Error |
| | | | | | Optional reading: Data mining in action: How Companies Learn Your Secrets |
| | | | | | Optional reading: Data mining in action: How this company tracked 16,000 Iowa caucus-goers via their phones |
| | | | | | Optional reading: FOILing NYC's Taxi Trip Data |
| | | | | | Optional reading: A Face Is Exposed for AOL Searcher No. 4417749 |
| | | | | | Optional reading: ℓ-Diversity: Privacy Beyond k-Anonymity |
| | | | | | Optional reading: t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity |
| | | | | | Optional reading: Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization |
| 7 | (PDF) (3up) | Lecture 21 | March 25 | 10.1 – 10.4 | Optional reading: Ethically questionable behaviour: Cambridge Analytica |
| | | | | | Optional reading: Ethically questionable behaviour: AT&T hacker |
| | | | | | Optional reading: Ethically questionable behaviour: Attacking Tor exit nodes |
| | | | | | Optional reading: Ethically questionable behaviour: Deanonymizing Tor users |
| | | | | | Optional reading: Ethically questionable behaviour: Facebook mood manipulation |
| | | | | | Optional reading: Ethically questionable behaviour: Unaccountable algorithms |
| | | | | | Optional reading: ACM code of ethics |
| | | | | | Optional reading: IEEE code of ethics |
| | | | | | Optional reading: CIPS code of ethics |
| | | | | | Optional reading: Investigation into the loss of a hard drive at Employment and Social Development Canada |
| | | | | | Optional reading: IST's continuity plan in case of a pandemic |
| | | | | | Optional reading: uWaterloo's emergency response policy |
| | | | | | Optional reading: PogoWasRight.org |
| | | | | | Optional reading: databreaches.net |
| | | | | | Optional reading: uWaterloo's Information Security Breach Response Procedure |
| | | Lecture 22 | March 27 | 10.5, 11.1, 11.2 | Optional reading: The Computer Centre Incident at Concordia |
| | | | | | Optional reading: uWaterloo's Electronic Media Disposal Guidelines |