CS338 Computer Security
Monday, 28 March 2022
https://cs.carleton.edu/faculty/jondich/courses/cs338_s22/

+ Hi
    - Call me Jeff
    - Olin 301A
    - Office Hours are listed on a Carleton-only Google doc including a Zoom link
      that I mostly remember to turn on but sometimes forget
    - Email is fine, but I prefer Slack #questions and Slack DMs (and I'm usually
      quicker to respond on Slack)

+ Today
    - Jeff talking about a bunch of miscellaneous stuff
    - Prep for the 4/14-15 visit from Bruce Schneier
    - Firing up our first hacking tool (Wireshark) and taking a look at some
      network traffic.

+ Where are we headed?
    - A couple examples
        - The old system for putting money on your One Card
        - The March 10 story about Russia creating its own "certificate authority"
    - High-level themes
        - Security mindset
        - Threat modeling
        - Usability & security
        - Trade-offs
    - Things you'll be able to do
        - Explain and use some basic cryptography
        - Explain in detail what happens during an HTTPS session (cooler and more
          complicated than it may first appear)
        - Some beginning penetration testing (a.k.a. ethical hacking)
        - Create a simple threat model
        - Do a simple ethical analysis of a security scenario
        - Explain (and prevent) several types of web vulnerabilities
        - Start with an unfamiliar technical report (e.g. the recent Linux
          vulnerability or the recent FIDO white paper about password-free
          authentication) and be able to (with effort) make sense of it.
        - Follow some parts of an episode of the Risky Business podcast
        - ...

+ Bruce Schneier's visit
    - https://en.wikipedia.org/wiki/Bruce_Schneier
    - Books: Applied Cryptography, Liars & Outliers, Data & Goliath,
      Click Here to Kill Everybody,...
    - Public Interest Technology: https://www.youtube.com/watch?v=U2jn4pXDZn0
    - Thu 4/14: some opportunities to chat with him
    - Thu 4/14: Public talk, interview form, Jeff as interviewer
        - What should I ask him?
    - Fri 4/15: he'll be here in class
        - What do we want him to talk about?
    - First: on Wednesday 3/30, be prepared to talk about
      "Inside the Twisted Mind of the Security Professional"
    - I'll ask you to read and discuss more of his stuff after that

+ General
    - 300-level class expectations
        - independence
        - tolerance for not knowing/understanding
        - tolerance for ambiguity and open-endedness
        - willingness to experiment
        - willingness to dig deeper
    - Website structure
        - Top menu
        - Intended to be phone-friendly (let me know if it's not!)
        - [ASSIGNMENT] -- due on the date where they're listed
        - [READING] and [VIDEO]

+ Tools
    - Unix
        - videos
        - what is it? what's it for?
        - why do I think it's important to know about?
        - what's the difference between Unix, UNIX, Linux,...?
    - git
        - videos
        - what is it? what's it for?
        - why do I think it's important to know about?

+ A little vocabulary
    - clients, servers, and protocols
    - protocol stacks
    - IP addresses
        - IPv4 and IPv6
        - ifconfig
    - what's IP?
    - TCP & the TCP handshake
    - (QUIC, DNS,...)

+ Let's look at Kali & Wireshark
    - Get it running on an Olin 310 computer
        See the Resources page
    - Launch Firefox
    - Launch Wireshark
    - Use Wireshark to look at network traffic
        Filter: "net 137.22.0.0/16"