Computer Security (ECE458/750T27)
Welcome to Computer Security.
Some important links:
- Learn - Quizzes and lecture videos will be posted here.
- Syllabus
- Piazza (Signup link)
- Crowdmark
Activities are small hands-on activities you can do to experience security and privacy first-hand and potentially discuss it with other people within and outside of the course. They are intended to be short, hopefully taking only 5-10 minutes to complete, but with the opportunity to explore more if you are interested in doing so.
Groups: You are welcome and even encouraged to complete activities in groups. Self-reflections (see below) should be completed on your own. But feel free to complete the activity with others and discuss it with them. Only one person in a group needs to do the steps, provided that everyone can see what is happening.
Turn in: Each student should complete a self-reflection paragraph addressing the stated questions after completing each activity. This self-reflection should be individually written by each student.
The purpose of a self-reflection is to think critically about a topic. Communicating through writing or speaking forces the brain to convert information stored in a non-linear form into a linear sentence structure form. Communication therefore forces you to think about the information a bit differently than you would if you were simply working alone.
For the self-reflection we are asking you to think about the activity you did and how it relates to you. Each activity has a set of guiding questions, but you are not limited to the list. You are welcome to talk about past experiences, how the activity changed your view, or even how you already knew all this information.
At minimum a self-reflection must:
Self-reflections are each worth one point and are essentially pass/fail. The first few reflections will be graded very lightly, with feedback given if we feel the reflection is not detailed enough or has other issues.
You are very welcome to complete all the activities early. No advanced knowledge is needed to complete activities, though it may be helpful in fully understanding them. You may submit your self-reflection as often as you would like up until the deadline.
Based on in-class questions and engagement, we may modify the “other things to try” and “learn more” sections at any time. These sections are for additional learning and you are not required to engage with them.
We may also add new activities based on student interest. Any new activities added after the start of the course will be clearly marked as optional and will not be graded.
Several activities include lists of suggested sites to try, things to read, or things to try next. If you have a good suggestion about other things that should be on these lists, feel free to post on Piazza under the activities. If appropriate, we may add your suggestions into the activity.
Extra activities start with an “E:” on the sidebar or “Extra:” in the activity title. These activities are there for your personal learning but are not graded. You are not required to complete them.
Extra activities are usually added after the class has already started in response to questions the instructor is getting. So even though they are not graded or required, it is recommended that you complete extra activities on topics that you find confusing.
Deadline: May 16
Organizations that experience security breaches sometimes release public reports aimed at helping the wider security community understand what happened and hopefully learn from the experience. These reports are sadly not common, but they are very interesting and educational to read.
Deadline: May 23
Most end-to-end encrypted chat programs allow users to do manual verification of the other chat partner.
Software: Either WhatsApp or Signal. Two people in the group need to have the same software. It's OK to do this activity with someone outside the class.
Follow the steps for WhatsApp or Signal below. You can also try with both to compare and contrast.
Deadline: May 30
You often have the right to opt-out of data collection and usage. Unfortunately opting out can be rather complex. But in order to comply with various laws, and to claim they are doing right by consumers, most companies do have a functional path to opt out of various things.
A common opt-out is cookies and other types of web tracking. In order to claim that opting out is a reasonable and realistic thing for consumers to do, advertisers form alliances where consumers can (theoretically) opt out of tracking by all members on one page.
Try opting out of cookie tracking using one of the two websites below. Both of these sites are run by advertising networks. Do your best to opt out of as many trackers as possible.
Try opting out of some other form of tracking or marketing. Below are some ideas of what to try:
If you have done the Javascript activity already, try installing UMatrix again and then opting out using one of the two pages above. Consider how different privacy protection technologies may interfere with each other.
Deadline: May 30
We often visit websites and simply assume that the website we are seeing is the real one. But that is not always the case, and for important websites you might want to do some verification. Man-in-the-middle attacks can and do happen, so web browsers use certificate authorities to verify the identity of websites. You have the ability to see these checks.
The following steps are written for Firefox but similar steps will work on most modern browsers.
Dr Vaniea hosts her own webmail on her personal domain. Unfortunately the website has a security problem. Try and visit her webmail page and figure out what the security issue is. Think critically about whether this is a security issue that matters for this use case, or a false alarm.
Deadline: 13 June
The internet uses Uniform Resource Locators (URLs) to express to computers where the user wants to go. We are used to clicking on links or searching and then clicking on links. But it is quite possible to navigate large parts of the internet by just directly editing URLs.
Software: This activity will work on any major browser, and any other browser that allows you to edit URLs, including mobile browsers.
Amazon uses a consistent naming structure across all their country-specific sites.
Wikipedia uses a very accessible naming structure. If you know what you want, there is no need to even search; you can just enter the URL directly.
YouTube includes information in the URL like distance through the video so that people can share not only videos, but specific points in videos. Since the information is in the URL, it can be manipulated.
Dr Vaniea does research on URLs and how people read (or can't read) them. Below are some of her research papers:
Deadline: 27 June
It is your data, so you should have the right to it. The introduction of the Data Protection Directive (1995) in Europe caused several companies to start making users’ data available. Back in 1995 they sometimes sent printed copies in the mail, but now most large companies offer you the right to access your own data for free digitally.
In this activity you will be:
You may download your data from any internet service that supports it. The following is a list of companies that support data download and a link to get you started.
Open up the data in whatever format it is in. You may need to try some different file formats. Below are some things you can try looking for in the data:
If you have some extra time try:
Deadline: 4 July
Install a Javascript blocker and then experiment with what happens when various parts of a website are blocked and unblocked.
The instructions below assume Firefox, but should work for several different browsers.
Try out other websites that you use frequently. The University of Waterloo for example. Large complex sites like Facebook can also be interesting to block bits of to see what happens.
Deadline: 11 July
In this activity you will be modifying a live website, essentially creating something you could screenshot and would look 100% real but is completely fake. Please use this information responsibly and as a lesson about trusting screenshots of websites.
Software: Instructions are written for BlueSky and Chrome but should work with most major browsers and social media platforms.
Modifications are not limited to just HTML. It is very possible to modify code on the page and change its behavior.
Chrome is required for these instructions. It is possible in Firefox but quite annoying.
Try removing page elements that you find annoying. Technology like ad blockers is just automatically doing what you can do manually. Try loading a page that has a large banner or ad at the top and then remove it. You will often see me doing this at the start of class. I like to make news articles on the screen easy to read, so I often remove unnecessary page elements and change the text width.
Look at client-side checks. Many pages have client-side checks for all sorts of things. Twitter, for example, used to check new passwords against a list of common passwords client-side. By opening the JavaScript you could see a list of passwords that Twitter does not allow.
Deadline: 18 July
Your web browser provides lots of facts to webpages and to JavaScript as part of normal operations. These facts are helpful in that they let pages properly adapt content to match the capabilities of the computer and monitor they are on. But they can also be used to uniquely fingerprint and track users.
In this activity you will be looking at the types of information visible
Deadline: 25 July
Legal regulations can have large impacts on how technology is implemented. Laws and regulations are a way that government tries to influence how technology is built and how it impacts people.
In this activity you will be picking a regulation/law (suggestions below) and reading part of it.
Select a law/regulation from the following list. Or use this list as inspiration and select your own regulation to read. I encourage exploring Canadian regulation, but you are welcome to select from regulations worldwide as long as they have a clear connection to privacy or security.
Deadline: 25 July
This activity requires you (or someone physically near you) to receive a scam communication. So I recommend starting this activity a bit earlier than others since it is hard to control when a scam might happen. If you really don’t receive any scams, try talking to your friends or family about ones they have seen recently.
All you need to do is read or listen to the full scam communication and then think critically about the following questions. There is no need to progress past the initial communication. It is fine to hang up after the initial pitch by them, you do not need to speak to anyone, and you do not need to click any links. Please also review the safety guidance below.
Do not:
You can:
Scams are often obvious because they occur outside the context we expect. That makes them easy to identify. But scams work by finding one person where that message does make sense. And just about anyone can fall for phishing:
Not Graded: This activity is not required and is not graded. It may have self-reflection questions, but they are there only for your own learning.
Cookies are small text strings stored by your browser on the behalf of websites.
Software: Instructions are for Firefox, but most browsers should work. Note that Firefox blocks 3rd party cookies, so you will see fewer cookies on Firefox than on Chrome.
Start by looking at some cookies for this website. Do the following while the course website is open.
Not Graded: This activity is not required and is not graded. It may have self-reflection questions, but they are there only for your own learning.
Modern websites are built from many different sources. In this activity you will be using your browser's functionality to record a sequence of web browsing activities and then look at the result.
Software: Chrome or Firefox recommended
Firefox is required for this one.
Not Graded: This activity is not required and is not graded. It may have self-reflection questions, but they are there only for your own learning.
Software: Root access on a Linux machine is required for this activity. Root access on a Mac might work, but the instructor has not tested it.
In this activity you will be looking at the Linux shadow password file and seeing what happens when you create a new user.
Lecture | Date | Day | Module | Lecture Title | Activities Due
1 | 5-May | Monday | Introduction | |
2 | 9-May | Friday | | |
3 | 12-May | Monday | | |
4 | 16-May | Friday | | | Read a breach report
| 19-May | Monday | | No class – holiday |
5 | 23-May | Friday | | | Verify chat keys
6 | 26-May | Monday | | |
7 | 30-May | Friday | | | Opt-out, Verify web cert
8 | 2-Jun | Monday | | |
9 | 2-Jun | Monday | | |
10 | 6-Jun | Friday | | |
| 9-Jun | Monday | | No class – Instructor gone |
11 | 13-Jun | Friday | | | Modify URLs
12 | 16-Jun | Monday | Midterm | No class |
13 | 20-Jun | Friday | Midterm | No class |
14 | 23-Jun | Monday | | Networking - tcp, onion routing |
15 | 27-Jun | Friday | Programming | Programming Security | Download data
| 30-Jun | Monday | | No class – holiday |
16 | 2-Jul | Wednesday | | Program security |
17 | 4-Jul | Friday | | Programming security | Block 3rd party content
18 | 7-Jul | Monday | Web Security | Web Security - People |
19 | 11-Jul | Friday | | Web Security - XSS | Modify website
20 | 14-Jul | Monday | | Web Security - defenses |
21 | 18-Jul | Friday | Privacy | Privacy | See data visible to websites
22 | 21-Jul | Monday | | Privacy |
23 | 25-Jul | Friday | | Additional topics | Listen to phish, Read regulation
24 | 28-Jul | Monday | | Revision |
The University automatically assigns makeup lecture times for the course. These are to be used in the event that the Instructor has to be out of town or some unexpected event happens.
I recognize that these times may be challenging for some students to attend. Effort will be made to do lecture recording for any makeup lecture times used.
Expect to use:
Not expected to be used:
Under each lecture module on the sidebar you will find links to many sources of information on the topic. These are optional readings; you are not required to read any of them. I am often asked after class where to look to learn more about a topic, or where to go if the topic is a bit challenging to understand from the lecture content. These resources are a good place to start for those interested.
I am always happy to add new resources to these lists, so if there is something recent that I have left off, or even just something fun that you think others might enjoy, feel free to email me about them.
Cryptography is the study of encryption approaches and is one of the most basic tools used in security. In this module we will cover some of the basic principles of cryptography and some of the most common cryptographic approaches.
Security in Computing - Chapter 2.1 and 2.2
Encryption is not magic: it does not protect all things from all attacks, it is built on assumptions, and like all tools it is designed to perform specific tasks. Different types of cryptography are designed to solve different problems, so think about the problems, constraints, and assumptions that can be made before selecting a cryptographic approach.
Difference between symmetric and asymmetric cryptography
Keys: what they are for, assumptions about them, and what they do
Stream and block ciphers
Think about the different tools that you use on a daily basis that claim they use encryption to protect you. Try looking up what kind of encryption they use and reason about why that type was chosen.
Due: July 4th
Submission is through Crowdmark