CS 231: Computer Security

Ideas for improving the class next time

How to read this page

Items marked ASSIGNMENT require you to hand something in. Do so by adding the relevant files to your (or your partner's) GitHub repository and pushing to the GitHub server.
Items marked VIDEO, READING, or TASK do not require you to hand anything in. Do these items by the date specified, or during the week in which the video or task appears.
Items marked "QUESTIONS DG1" (or DG2) tell you what to prepare or think about before your first (or second) Discussion Group session in the given week.
Tuesday due dates have a due-time of 11:59PM Central.
Friday due dates have a due-time of 5:00PM Central.

Week 0

Things to do right away, on or before the first day of class.

[ASSIGNMENT] Fill out this survey about course logistics.
[VIDEO] (18:27) CS231 Overview: the Pandemic Edition
[READING] The course information page. I will expect you to know what's in here.

Week 1

Thinking about security; setting up our tools

[ASSIGNMENT 3/30] Setting up Slack, git, and Kali
[READING 4/2] Inside the Twisted Mind of the Security Professional, by Bruce Schneier
[READING 4/2] The Preface and Chapter 1 of Ross Anderson's Security Engineering, 2nd edition
[READING 4/2] The CS231 ethics page
[VIDEO] (19:38) A brief introduction to HTTP
[ASSIGNMENT 4/2] A network tools scavenger hunt
[QUESTIONS DG2] What struck you as particularly interesting or puzzling or insightful or misguided or whatever about each of these readings? How would you briefly characterize the idea of the "security mindset"? What, if anything, should I add to or change about my ethics page?

Week 2

TCP; HTTP; packet sniffing with wireshark; symmetric and asymmetric encryption

[ASSIGNMENT as soon as possible] A partner preferences survey
[VIDEO] (30:04) A brief intro to Wireshark
[ASSIGNMENT 4/6] Getting started with Wireshark
[VIDEO] (12:20) Reading technical specifications
[READING 4/5] Sections 1, 1.1, 2, 2.1, and 2.2 of RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
[READING 4/5] Section 4 and Section 5.5 in RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
[ASSIGNMENT 4/9] HTTP's Basic Authentication: A Story
[READING 4/9] Chapter 2 Usability and Psychology (only up through section 2.4.5 on Social Engineering Attacks) Ross Anderson's Security Engineering, 2nd edition
[QUESTIONS DG2] Responses to the Anderson reading. How are usability and security connected? Has anything relevant to this reading changed since it was published in 2008?

Week 3

encryption (symmetric and public key); key exchange; cryptographic hashes

[READING] Chapter 5 Cryptography of Ross Anderson's Security Engineering, 2nd edition. I recommend reading this lightly, and then using it as a reference as needed.
[VIDEO] (12:35) base64
[VIDEO] (25:54) Symmetric encryption
[VIDEO] (9:32) Diffie-Hellman Key Exchange
[VIDEO] (21:40) Public-Key Encryption
[READING] Read through this short list of study questions for our cryptography studies.
[QUESTIONS DG1] Try out these Diffie-Hellman and RSA exercises. Bring questions to class on Monday.
[ASSIGNMENT 4/13] Being Eve
[TASK 4/13] Please fill out this partnership survey. Thanks.
[VIDEO] (33:41) Cryptographic Hash Functions
[READING 4/16] Reflections on Trusting Trust, by Ken Thompson.
[QUESTIONS DG2] How would you summarize Thompson's point and argument? He covers a lot of ground in just a few paragraphs in the "Moral" section—any reactions? Who do we implicitly trust in our day-to-day digital and non-digital affairs? Is this trust warranted? Do you think attitudes about hackers have changed since 1984?
[ASSIGNMENT 4/16] Cryptographic scenarios

Week 4

transport layer security (TLS); public key infrastructure (PKI); X.509 certificates

[READING] Public key infrastructure (Wikipedia)
[READING] X.509 (Wikipedia). Goal: learn what a "certificate" is, and what it's for.
[ASSIGNMENT 4/20] No assignment for Tuesday. Wheee!
[LAB] Observing a TLS session
[VIDEO] (25:00) Public Key Infrastructure (PKI)
[READING] Address Resolution Protocol (ARP)
[ASSIGNMENT 4/23, but extension to noon 4/26 if you want it] Person-in-the-Middle via ARP Spoofing

Week 5

more PKI; exam; threat modeling

[READING/THINKING] Some study questions about Public Key Infrastructure
[QUESTIONS DG1] (1) What are your questions about X.509 certificates, TLS, and PKI? (2) During the second half of the class, what topics do you want to study? What security-related stuff, day-to-day or historical or whatever, are you most curious about?
[EXAM 11:59PM 4/28] TO BE POSTED BY 8:00AM 4/27
[READING] "Threat modeling explained" blog post. Note the discussion of STRIDE in particular.
[READING] Sections 8.2 and 8.3 of Anderson's Security Engineering. Focus on the nature of security policy models, the Bell-LaPadula model, and the Biba model.
[READING] The CIA Triad
[READING] Is the CIA model still relevant? (2009 blog post)
[READING] The Parkerian Hexad
[QUESTIONS DG2] What is a threat model, and what is it for? What are the various security models (STRIDE, Bell-LaPadula, Biba, CIA, Parkerian Hexad) trying to get at?
[ASSIGNMENT 4/30] (free extension to Monday May 3 8:00AM, when I plan to start grading this one; there will be no assignment due 5/4) A STRIDE-based threat analysis
[EXAM due 11:59PM 4/28] I have posted the link on Slack and Moodle. Submit via Moodle as PDF file.

Week 6

midterm break; passwords; security-related laws

[READING] Partner plan for the second half of the term
[ASSIGNMENT 5/7] Password-cracking
[READING 5/7] The US Law section of Wikipedia's article on Anti-Circumvention (with focus on Section 1201 of the Digital Millennium Copyright Act)
[READING 5/7] The first few paragraphs of the Overview of Wikipedia's article (on Section 512 of the Digital Millennium Copyright Act). Also, read the Criticism section of that same article.
[READING 5/7] Lessons from 22 Years of the U.S. DMCA by Cory Doctorow
[QUESTIONS DG2] Who benefits from Section 1201 of the Digital Millennium Copyright Act? Who is harmed? Examples of ways Section 1201 has helped people? Examples of ways Section 1201 has harmed people? Same four questions, but about Section 512.

Week 7

ethical analysis; penetration testing

[READING] Learn a bit about what penetration testing is. Here's Wikipedia's take and a pretty good summary from TechTarget
[QUESTIONS DG1] Read about penetration testing and get connected to a partner for the 5/11 assignment. No other prep required for Monday.
[ASSIGNMENT 5/11] Penetration testing
[READING] ACM Code of Ethics and Professional Conduct
[ASSIGNMENT 5/14] Ethics scenario analysis
[VIDEO] (31:27) Cookies

Week 8

web security

[READING] Explore the OWASP Top Ten to get a feel for the most common web security problems.
[QUESTIONS DG1] What leftover thoughts do you have about the penetration testing and ethical hacking assignments from last week? What interesting stuff jumped out at you from the OWASP Top Ten?
[VIDEO] (22:09) SQL Injection
[VIDEO] (15:48) Cross-Site Scripting
[ASSIGNMENT 5/21] Explainer video about a web security topic
[VIDEO 5/21] (22:46) We're building a dystopia just to make people click on ads, a 2017 TED Talk by Zeynep Tufekci
[READING 5/21] How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did, a 2012 article by Kashmir Hill
[READING 5/21] (only if you have time—watch the Tufekci and read the Hill first) One Nation, Tracked
[QUESTIONS DG2] How powerful is the personal data that internet companies collect? What benefits do we get from allowing its collection and dissemination? Should data collection be regulated?

Week 9

tracking, data brokers, and data policy; security history

[ASSIGNMENT 5/28] Security history video
[READING 5/28] EFF's Recommendations for Consumer Data Privacy Laws
[READING 5/28] GDPR "Principles"—make sure to click through and read about the 7 specific principles in the left-side menu, especially "Data minimisation" and "Storage limitiation"
[QUESTIONS DG2] If you were allowed to regulate the collection, use, retention, sharing, and sale of people's personal data, what regulations would you propose? What negative uses of data would your regulations prevent? What positive uses of data would your regulations prevent?

Week 10

some more pen-testing; what could you study next?

[ASSIGNMENT 7/2] (Wednesday, not Tuesday!) Pen-testing #2: Metasploit
[VIDEO] Coming soon...a video about stuff we didn't cover in our 9.5 weeks, but that you could look into next
[VIDEO] (19:42) Where we've been and what you can do next
[QUESTIONS DG1] Just show up. We'll have a little chat about my wrap-up video and anything else that's on your minds