Modules

A draft of the lecture slides for each module will be made available the evening before the module begins. The final version of the lecture slides will be made available after the module is completed and replaces the draft. Use of the draft is at your own risk!

Readings marked as mandatory contain required material for the course, and must be read before the date of the corresponding lecture.

Module - Introduction to Computer Security and Privacy

Resources: slides.pdf
Jan 10: Lecture: Course logistics; Lecture: The basis of computer security and privacy; Textbook Pfleeger et al. chapters 1.1 - 1.8; Textbook van Oorschot chapters 1.1 - 1.4, 1.6; Optional reading The 10 privacy principles of PIPEDA; Optional reading A terminology for talking about privacy; Optional reading Federal privacy reform in Canada: The Consumer Privacy Protection Act; Optional reading Modernizing Canada’s Privacy Act; Optional reading Microsoft’s report on Russian Cyberattacks in Ukraine; Optional reading Social Security Employees in Illinois Sentenced in Federal Court on Charges Including Bribery and Identity Theft

Module - Program Security

Resources: slides.pdf
Jan 12: Lecture: Flaws and failures; Textbook Pfleeger et al. chapters 3.1; Textbook van Oorschot chapters 6.1 - 6.8; Mandatory reading before class Smashing The Stack For Fun And Profit; Optional reading On the Evolution of Buffer Overflows; Optional reading Exploiting Format String Vulnerabilities; Optional reading Example format string vulnerabilities (November 2011); Optional reading Example format string vulnerabilities (May 2012); Optional reading A Taxonomy of Computer Program Security Flaws, with Examples
Jan 17: Lecture: Unintentional Security flaws and malicious code; Textbook Pfleeger et al. chapters 3.2; Textbook van Oorschot chapters 7.1 - 7.4; Optional reading Morris worm; Optional reading The Spread of the Sapphire/Slammer Worm; Optional reading Slammed!; Optional reading Technical analysis of client identification mechanisms
Jan 19: Lecture: Defenses against security flaws; Textbook Pfleeger et al. chapters 3.2; Textbook van Oorschot chapters 7.5 - 7.9; Mandatory reading before class Reflections on Trusting Trust; Optional reading US Federal Student Aid website has a Facebook web bug; Optional reading Linux Kernel “Back Door” Attempt; Optional reading The backdooring of SquirrelMail; Optional reading Clickjacking attack (Interface illusion); Optional reading MITM Malware Re-Writes Online Bank Statements
Jan 24: Lecture: Defenses against security flaws (continued); Textbook Pfleeger et al. chapters 3.3; Textbook van Oorschot chapters 1.7, 6.9; Optional reading An operating system kernel with a formal proof of security; Optional reading Bugs in open source software: #gotofail; Optional reading Bugs in open source software: Heartbleed

Module - Operating System Security

Resources: slides.pdf
Jan 26: Lecture: Protecting OSes and access control; Textbook Pfleeger et al. chapters 5.1; Textbook van Oorschot chapters 5.1 - 5.2; Optional reading Android permissions demystified; Optional reading Google launches its third major operating system, Fuchsia
Jan 31: Lecture: User authentication; Textbook Pfleeger et al. chapters 5.1; Textbook van Oorschot chapters 5.1 - 5.2; Optional reading Breaking SMS-based two-factor authentication: Attacking the cellular network; Optional reading Breaking SMS-based two-factor authentication: Android malware for stealing SMS messages; Optional reading Passphrases that you can memorize — But that even the NSA can’t guess; Optional reading The top 50 woeful passwords exposed by the Adobe security breach; Optional reading Password Security: A Case History; Optional reading Facebook’s password hashing scheme; Optional reading LinkedIn Revisited - Full 2012 Hash Dump Analysis; Optional reading Anatomy of a password disaster - Adobe’s giant-sized cryptographic blunder; Optional reading Largest password data breach in history has been leaked online
Feb 02: Lecture: Security policies and trusted OSes; Textbook Pfleeger et al. chapters 5.2; Textbook van Oorschot chapters 3.5; Optional reading ‘Fake fingerprint’ Chinese woman fools Japan controls; Optional reading Politician’s fingerprint ‘cloned from photos’ by hacker; Optional reading Vietnamese security firm: Your face is easy to fake; Optional reading Android facial recognition based unlocking can be fooled with photo; Optional reading Breaking Windows Hello Face Authentication; Optional reading Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners; Optional reading Border Drones with Facial Recognition
Feb 07: Lecture: Security policies and trusted OSes (continued); Textbook Pfleeger et al. chapters 5.2; Textbook van Oorschot chapters 1.7; Mandatory reading before class The Protection of Information in Computer Systems, section I.A.; Optional reading The Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars; Optional reading Reliably Erasing Data From Flash-Based Solid State Drives; Optional reading SELinux

Module - Network Security

Resources: slides.pdf
Feb 09: Lecture: Networks, Servers and Ports; Textbook Pfleeger et al. chapters 6.1 - 6.2; Textbook van Oorschot chapters 9.1, 9.3, 9.6, 10.6, 11.3; Optional reading How I Lost My $50,000 Twitter Username; Optional reading Robin Sage; Optional reading How Apple and Amazon Security Flaws Led to My Epic Hacking
Feb 14: Lecture: Port Scanning to Spoofing; Textbook Pfleeger et al. chapters 6.3 - 6.4; Textbook van Oorschot chapters 11.3 - 11.4, 11.6; Optional reading Cybercrime 2.0: When the Cloud Turns Dark; Optional reading Why Google Went Offline Today and a Bit about How the Internet Works; Optional reading The DDoS That Knocked Spamhaus Offline (And How We Mitigated It); Optional reading The DDoS That Almost Broke the Internet; Optional reading Biggest DDoS ever aimed at Cloudflare’s content delivery network; Optional reading Technical Details Behind a 400Gbps NTP Amplification DDoS Attack; Optional reading Understanding the Mirai Botnet; Optional reading Strange snafu misroutes domestic US Internet traffic through China Telecom; Optional reading A $152,000 Cryptocurrency Theft Just Exploited A Huge Blind Spot In Internet Security
Feb 16: Lecture: More Network Attacks; Textbook Pfleeger et al. chapters 6.7 - 6.8; Textbook van Oorschot chapters 10.1 - 10.2, 11.1 - 11.2; Optional reading The Inside Story of the Kelihos Botnet Takedown; Optional reading Gameover; Optional reading Backstage with the Gameover Botnet Hijackers; Optional reading Attacking an IDS

Module - Internet Application Security and Privacy

Resources: part-1-crypto-basics.pdf; part-2-crypto-use-cases.pdf; part-3-pets.pdf
Feb 28: Lecture: Basics of cryptography; Textbook Pfleeger et al. chapters 2.3, 12; Textbook van Oorschot chapters 2; Optional reading One-time pad; Optional reading A Stick Figure Guide to AES; Optional reading Defeating AES without a PhD; Optional reading Twenty Years of Attacks on the RSA Cryptosystem; Optional reading Why it’s harder to forge a SHA-1 certificate than it is to find a SHA-1 collision; Optional reading SHA-1 collision found
Mar 02: Lecture: Security and privacy protocols in link, network, and transport layers; Textbook Pfleeger et al. chapters 6.3, 6.6; Textbook van Oorschot chapters 4.3, 8.1 - 8.2, 8.4 - 8.5, 9.2, 10.5, 12; Optional reading Intercepting Mobile Communications: The Insecurity of 802.11; Optional reading Cracking WEP in 60 seconds; Optional reading El Gamal Encryption; Optional reading DH Key-Exchange; Optional reading DigiNotar incident; Optional reading Superfish; Optional reading Sennheiser Headset Software; Optional reading WireGuard
Mar 07: Lecture: Application-layer security and privacy; Textbook Pfleeger et al. chapters 6.6; Textbook van Oorschot chapters 8.6 - 8.7, 10.3; Optional reading SSH: passwords or keys?; Optional reading Why Johnny Can’t Encrypt; Optional reading PGP Criminal Investigation; Optional reading Off-the-Record Messaging; Optional reading Signal’s Double Ratchet
Mar 09: Lecture: Security and privacy in the Blockchain context; Textbook van Oorschot chapters 13; Optional reading Double spending; Optional reading Why Proof of Stake (Nov 2020); Optional reading Nothing-at-stake problem; Optional reading Long-range attacks
Mar 14: Lecture: ** Privacy-enhancing technologies **; Textbook Pfleeger et al. chapters 6.6; Textbook van Oorschot chapters 9.1 - 9.2, 9.6; Optional reading A Survey of Anonymous Communication Channels; Optional reading The Tor Project; Optional reading Re-identifying Tor users; Optional reading Encrypted Traffic Analysis

Module - Data Security and Privacy

Resources: part-1-db-security.pdf; part-2-inference-and-syntactic-notions.pdf; part-3-differential-privacy.pdf
Mar 16: Lecture: Database security and privacy; Textbook Pfleeger et al. chapters 7.1 - 7.3, 7.5; Optional reading A quick-start tutorial on relational database design; Optional reading What does ACID mean in database systems?
Mar 21: Lecture: privacy-notions; Textbook Pfleeger et al. chapters 9.4; Optional reading Data mining and integrity: Boston Bomber slipped past while spelling glitch tripped up the law; Optional reading Data mining and integrity: How Obama Officials Cried ‘Terrorism’ to Cover Up a Paperwork Error; Optional reading FOILing NYC’s Taxi Trip Data; Optional reading Social Security Numbers Deduced From Public Data; Optional reading A Face Is Exposed for AOL Searcher No. 4417749; Optional reading l-Diversity: Privacy Beyond k-Anonymity; Optional reading t-Closeness: Privacy Beyond k-Anonymity and l-Diversity; Optional reading Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization
Mar 23: Lecture: Differential privacy; Optional reading Dataset reconstruction attacks; Optional reading Damien Desfontaines’ friendly introduction to differential privacy; Optional reading A list of real-world uses of differential privacy; Optional reading Gautam Kamath’s Algorithms for Private Data Analysis course at UW
Mar 28: Lecture: Adversarial machine learning; Optional reading How to Attack and Defend ML Models; Optional reading USENIX Security 2018 keynote (YouTube video)

Module - Non-technical Aspects of Security and Privacy

Resources: part-1-law-and-ethics.pdf; part-2-admin-sec.pdf
Mar 30: Lecture: Ethical issues; Lecture: Administering security; Textbook Pfleeger et al. chapters 11.1 - 11.2, 11.4 - 11.7; Optional reading Ethically questionable behaviour: Cambridge Analytica; Optional reading Ethically questionable behaviour: AT&T hacker; Optional reading Ethically questionable behaviour: Deanonymizing Tor users; Optional reading Ethically questionable behaviour: Facebook mood manipulation; Optional reading Ethically questionable behaviour: Unaccountable algorithms; Optional reading Ethically questionable behaviour: Malicious Linux kernel patches; Optional reading Access Copyright v. York University; Optional reading Unintended Consequences: Ten Years under the DMCA; Optional reading A Death in Athens; Optional reading On the Juniper backdoor; Optional reading databreaches.net; Optional reading Bruce Schneier on Full Disclosure; Optional reading Google’s view; Optional reading Microsoft’s view; Optional reading Disclosing breaches to the government; Optional reading ACM code of ethics; Optional reading IEEE code of ethics; Optional reading CIPS code of ethics
Apr 04: Lecture: Legal issues; Lecture: Emerging topics in security and privacy; Textbook Pfleeger et al. chapters 10.1 - 10.5; Textbook van Oorschot chapters 1.3 - 1.6; Optional reading Investigation into the loss of a hard drive at Employment and Social Development Canada; Optional reading uWaterloo’s Information Security Policies, Standards, and Guidelines; Optional reading uWaterloo’s Electronic Media Disposal Guidelines; Optional reading The Computer Centre Incident at Concordia; Optional reading Twitter thread on Rogers’ outage; Optional reading Roger’s report on July 2022 Canada-wide service outage (abridged)

Module - Review of Course Content

Resources: prep-for-final.pdf
Apr 06: InteractiveEnd-of-course review