CS338 Computer Security
Monday, 11 September 2023

https://cs.carleton.edu/faculty/jondich/courses/cs338_f23/

+ Hi
- Jeff Ondich; call me Jeff; Olin 301A
- Office Hours info linked on the top of the course web page
- Talk to me: in person, Slack #general, Slack DM, email

+ Kali
- Need it for Friday's assignment
- Do *not* need Metasploitable yet (and possibly not at all)

+ Introduce yourself to the people around you.

+ I just typed "https://carleton.edu/" in my browser.
What happens when I hit Enter?

    DNS lookup - carleton.edu = what IP?
    TCP handshake - browser says "hey carleton.edu web server,
        can we talk?"
    Browser sends a formally structured HTTP GET request for / (the home page)
    Check for certificate (we're using https)
    Browser cache gets checked--have we been here before?
    Server sends the HTML of the homepage to the browser
    Later queries for images, CSS files, JS files, etc.
    so much more stuff...
    

----
+ First half of course
- Understand a TLS exchange

+ Where are we headed?
- High-level themes
    - Security mindset
    - Threat modeling
    - Usability & security
    - Trade-offs
- Things you'll be able to do
    - Explain and use some basic cryptography
    - Explain in detail what happens during an HTTPS session
        (cooler and more complicated than it may first appear)
    - Some essentials of penetration testing (a.k.a. pen-testing, ethical hacking, red-teaming)
    - Create a simple threat model
    - Do a simple ethical analysis of a security scenario
    - Explain (and prevent) several types of web vulnerabilities
    - Start with an unfamiliar technical report (e.g., NIST's new
        cybersecurity framework; a report on MS's stolen
        certificates and how they have been used; a report on what
        Chrome's new "Privacy Sandbox" means)
        and be able to (with effort) make sense of it.
    - Follow most parts of an episode of the Risky Business podcast
    - ...

+ General
- 300-level class expectations
    - independence
    - tolerance for not knowing/understanding
    - tolerance for ambiguity and open-endedness
    - willingness to experiment
    - willingness to dig deeper
- Website structure
    - Top menu
    - Intended to be phone-friendly (let me know if it's not!)
    - [ASSIGNMENT] -- due on the date where they're listed
    - [READING] and [VIDEO]

+ Tools
- Unix, particularly Kali Linux
    - videos
    - what is it? what's it for?
    - why do I think it's important to know about?
    - what's the difference between Unix, UNIX, Linux,...?
- git
    - videos
    - what is it? what's it for?
    - why do I think it's important to know about?

+ This week
- "Security mindset"
- Get Kali installed
- Get started with TCP/IP networking
- Get started with HTTP basics
- Get started with Wireshark
- Meet Burpsuite (briefly)