Computer Security (ECE458/750T27)

Welcome to Computer Security.

Some important links:

Jun 13, 2025

Subsections of Computer Security (ECE458/750T27)

Activities

General Instructions

Activities are small hands-on activities you can do to experience security and privacy first-hand and potentially discuss it with other people within and outside of the course. They are intended to be short, hopefully taking only 5-10 minutes to complete, but with the opportunity to explore more if you are interested in doing so.

Groups: You are welcome and even encouraged to complete activities in groups. Self-reflections (see below) should be completed on your own. But feel free to complete the activity with others and discuss it with them. Only one person in a group needs to do the steps, provided that everyone can see what is happening.

Turn in: Each student should complete a self-reflection paragraph addressing the stated questions after completing each activity. This self-reflection should be individually written by each student.

Self reflection

The purpose of a self-reflection is to think critically about a topic. Communicating through writing or speaking forces the brain to convert information stored in a non-linear form into a linear sentence structure form. Communication therefore forces you to think about the information a bit differently than you would if you were simply working alone.

For self reflection we are asking you to think about the activity you did and how it relates to you. Each activity has a set of guiding questions, but you are not limited to the list. You are welcome to talk about past experiences, how the activity changed your view, or even how you already knew all this information.

At minimum a self reflection must:

  • Have three sentences
  • Sound like the student engaged with the activity
  • Show thought and reflection about the activity

Self-reflections are each worth one point and are essentially pass/fail. The first few reflections will be graded very lightly, with feedback given if we feel the reflection is not detailed enough or has other issues.

Early completion

You are very welcome to complete all the activities early. No advanced knowledge is needed to complete activities, though it may be helpful in fully understanding them. You may submit your self-reflection as often as you would like up till the deadline.

Based on in-class questions and engagement, we may modify the “other things to try” and “learn more” sections at any time. These sections are for additional learning and you are not required to engage with them.

We may also add new activities based on student interest. Any new activities added after the start of the course will be clearly marked as optional and will not be graded.

Opinions about activity content

Several activities include lists of suggested sites to try, things to read, or things to try next. If you have a good suggestion about other things that should be on these lists, feel free to post on Piazza under the activities. If appropriate, we may add your suggestions into the activity.

Extra activities

Extra activities start with an “E:” on the sidebar or “Extra:” in the activity title. These activities are there for your personal learning but are not graded. You are not required to complete them.

Extra activities are usually added after the class has already started in response to questions the instructor is getting. So even though they are not graded or required, it is recommended that you complete extra activities on topics that you find confusing.

Apr 22, 2025

Subsections of Activities

Read a Breach Report

Deadline: May 16

Organizations that experience security breaches sometimes release public reports aimed at helping the wider security community understand what happened and hopefully learn from the experience. These reports are sadly not common, but they are very interesting and educational to read.

Steps

  1. Pick a data breach report to read, the following are good options but you can pick any you like.
  2. Read the Executive Summary or Introduction and at least one other section.
  3. Optionally, you can search for the breach in the news if you are not already familiar with it.
  4. Complete self-reflection questions

Reflection questions

  • State what data breach report you read.
  • What attack was used in the breach?
  • What did you learn about what attackers and/or defenders do during breaches?
May 1, 2025

Verify Chat Keys

Deadline: May 23

Most end-to-end encrypted chat programs allow users to do manual verification of the other chat partner.

Software: Either WhatsApp or Signal. Two people in the group need to have the same software. It’s ok to do this activity with someone outside the class.

Steps:

Follow the steps for WhatsApp or Signal below. You can also try with both to compare and contrast.

WhatsApp

  1. Open WhatsApp on a phone
  2. Menu -> Settings then click on the QR code image near the profile line
  3. Person A should scan person B’s QR code to verify them. Then switch and Person B should scan Person A’s QR code.
  4. Tada! You are now verified contacts.
  5. Open a chat with your (new) contact, then click their picture/icon to open the contact information.
  6. Scroll down to “Encryption” and click to verify that you are using encryption.

Signal

  1. Open Signal app on a phone
  2. Open a chat with the other person
  3. Menu -> Chat settings -> View safety number
  4. Compare the presented numbers or scan the barcode
  5. If you are satisfied that the numbers match, click the “Mark as verified” button

Reflection questions

  • As an end-user do you feel confident that you have properly verified this person such that the security property of Authentication will now hold for future chat messages with this person?
  • Are you likely to verify chat partners in the future? Why or why not?
  • What do you feel you learned from this activity?

Other things to try

  • Do the above activity on both Signal and WhatsApp and discuss how they differ.
  • Try with Telegram (only if you already have the app)

Learn more

May 5, 2025

Opt-out of data usage or collection

Deadline: May 30

You often have the right to opt-out of data collection and usage. Unfortunately opting out can be rather complex. But in order to comply with various laws, and to claim they are doing right by consumers, most companies do have a functional path to opt out of various things.

A common opt-out is cookies and other types of web tracking. In order to claim that opting out is a reasonable and realistic thing for consumers to do, advertisers form alliances where consumers can (theoretically) opt out of tracking by all members on one page.

Steps

Try opting out of cookie tracking using one of the two websites below. Both of these sites are run by advertising networks. Do your best to opt out of as many trackers as possible.

Reflection questions

  • What was the experience like?
  • Are you confident that you opted out correctly without making any errors?
  • Are you confident that you will no longer be tracked by these companies?

Other things to try

Try opting out of some other form of tracking or marketing. Below are some ideas of what to try:

  • Car: most modern cars send information back to their makers. Try finding out what information is sent and opting out of its secondary usage as much as possible.
  • Robotic Vacuum: most robot vacuums map homes and send data back
  • TV: Most modern smart TVs collect detailed information about what shows are being watched. They may also add behavioral marketing based on collected data.
  • Smart Meters: Likely installed by the energy company. Find out if your house, apartment, dorm, condo, or other residence has a smart meter.

If you have done the Javascript activity already, try installing uMatrix again and then opting out using one of the two pages above. Consider how different privacy protection technologies may interfere with each other.

Learn more

Apr 24, 2025

Verify a website certificate

Deadline: May 30

We often visit websites and simply assume that the website we are seeing is the real one. But that is not always the case and for important websites you might want to do some verification. Man in the Middle Attacks can and do happen so web browsers use certificate authorities to verify the identity of websites. You have the ability to see these checks.

Steps

The following steps are written for Firefox but similar steps will work on most modern browsers.

  1. Visit a website that is likely to pay for enhanced verification. Unfortunately not many sites, even banks, do this, so I recommend trying one of the following first to see what enhanced verification looks like and then trying other possibilities:
  2. Look at the identity information. In Firefox:
    1. Click on the lock icon.
    2. You should see “Certificate issued to:” followed by the organization’s name. If this information is missing, then the organization has not paid for enhanced verification.
    3. Click on “Connection secure” to see more details. Note that now the full name and address are shown.
    4. Click on “More information” -> “View Certificate”
    5. This page lists the certificate chain that verifies this website. On the left is the organization’s certificate which has been signed. Then the certificate authorities that did the verification.
    6. Look in the “Certificate Policies” section where it should say “Domain Validation”, “Organization Validation”, or “Extended Validation”.
  3. Now try visiting a site that is likely less willing to pay for enhanced verification but is still relatively large. Below are some suggestions:
  4. Compare the “Subject Name” section of certificates of pages with and without enhanced verification.
  5. Finally, try visiting some pages that are small and use the “free tier” of certificates. Some suggestions:

Reflection questions

  • How did the websites and certificates in the pages you looked at differ?
  • What did you learn about how companies express their identity to end users?
  • Few sites pay for extended validation. Is that a rational choice for companies to make?

Other things to try

Dr Vaniea hosts her own webmail on her personal domain. Unfortunately the website has a security problem. Try and visit her webmail page and figure out what the security issue is. Think critically about if this is a security issue that matters for this use case, or a false alarm.

Apr 17, 2025

Modify URLs

Deadline: 13 June

The internet uses Uniform Resource Locators (URLs) to express to computers where the user wants to go. We are used to clicking on links or searching and then clicking on links. But it is quite possible to navigate large parts of the internet by just directly editing URLs.

Software: This activity will work on any major browser, and any other browser that allows you to edit URLs, including mobile browsers.

Steps

Amazon

Amazon uses a consistent naming structure across all their country-specific sites.

  1. Search amazon.com (USA Amazon) for a product of your choice.
  2. Add “&s=price-asc-rank” to the end of the URL and hit enter. What changed about the page?
  3. Open a product of your choice.
  4. Edit the domain from “amazon.com” to “amazon.ca” directly in the URL bar and hit enter.
  5. If the product is available in both the USA and Canada, then you should see the page change to the Canada version which will likely have a different price, shipping time, and sometimes different reviews.
  6. Amazon product URLs are long, but they actually don’t have to be. Starting at the rightmost end of the product’s URL, start deleting bits of the URL till you find the shortest URL that will still load the product page. It helps to think about how the URL is structured while doing the activity.

Wikipedia

Wikipedia uses a very accessible naming structure. If you know what you want, there is no need to even search; you can just enter the URL directly.

  1. The Wikipedia page for the University of Toronto is: https://en.wikipedia.org/wiki/University_of_Toronto
  2. Try creating a URL that links to the University of Waterloo’s Wikipedia page and then enter that URL directly into your browser’s URL bar to check if you did it correctly.
  3. Try creating at least one other Wikipedia URL and directly visiting it.

YouTube

YouTube includes information in the URL like distance through the video so that people can share not only videos, but specific points in videos. Since the information is in the URL, it can be manipulated.

  1. Open this wonderful video of Dr Vaniea lecturing on ethics. https://www.youtube.com/watch?v=GZniJBygnX8&t=133s
  2. Try jumping to different points in the video by modifying the URL.

Reflection questions

  • Have you ever tried directly modifying URLs before?
  • What most surprised you about this activity?

Other things to try

  • Try changing how you write URLs for git and for ssh.
  • Look up YouTube random video generators

Learn more

Dr Vaniea does research on URLs and how people read (or can’t read) them. Below are some of her research papers:

Apr 17, 2025

Download your data from Social Media

Deadline: 27 June

It is your data, so you should have the right to it. The introduction of the Data Protection Directive (1995) in Europe caused several companies to start making users’ data available. Back in 1995 they sometimes sent printed copies in the mail, but now most large companies offer you the right to access your own data for free digitally.

In this activity you will be:

  1. Selecting a company/organization
  2. Going through the process to request your own data
  3. Downloading the data
  4. Opening the data

Potential places to get data

You may download your data from any internet service that supports it. The following is a list of companies that support data download and a link to get you started.

Open the data

Open up the data in whatever format it is in. You may need to try some different file formats. Below are some things you can try looking for in the data:

  • Logins to your account. Sometimes these include GPS locations and/or IP addresses. Are they accurate?
  • Lists of friends. Do you still know all these people?
  • Photographs uploaded.

Reflection questions

  • What was the download process like? Did it feel easy and effortless or was extensive technical experience needed?
  • How useful is the data? Now you have your own data on your computer, do you feel like you could actually use this data for anything?
  • What surprised you most about the process of downloading your own data?

Other things to try

If you have some extra time try:

  • Downloading data from more than one source and comparing the file structures.
  • Try uploading some of your data onto another platform. In theory some of these download platforms are intended to allow users to move their data between companies.

Learn more

Apr 17, 2025

Block third party content

Deadline: 4 July

Install a Javascript blocker and then experiment with what happens when various parts of a website are blocked and unblocked.

Steps

The instructions below assume Firefox, but should work for several different browsers.

  1. Install one of the following blockers in your browser.
    • uMatrix - recommended
    • noScript - more aggressive
  2. Visit a large for-profit news website such as:
  3. Unblock select Javascript sources. Most blockers default to blocking all Javascript from third parties. Try unblocking different Javascript sources one at a time, remember to re-load the website between each change to the blocking so you can see changes.
  4. Visit a large publicly funded news website such as:
  5. Repeat step 3.
  6. Either keep or delete the plugin. If you keep it, make sure you know how to open a new plugin-free profile (firefox -p) or have another browser available as the plugin will break banking websites.

Reflection questions

  • How did the two types of sites (for-profit and public) differ in terms of the amount and types of Javascript being used?
  • How many different Javascript sources did you have to unblock to make the site usable?
  • Did you feel like you would be able to selectively load just the parts of a site that you wanted to?

Other things to try

Try out other websites that you use frequently. The University of Waterloo for example. Large complex sites like Facebook can also be interesting to block bits of to see what happens.

Apr 17, 2025

Modify website content

Deadline: 11 July

In this activity you will be modifying a live website, essentially creating something you could screenshot and would look 100% real but is completely fake. Please use this information responsibly and as a lesson about trusting screenshots of websites.

Software: Instructions are written for BlueSky and Chrome but should work with most major browsers and social media platforms.

Steps

Modify BlueSky Post

  1. Go onto BlueSky (or another social media site) and find a specific post you would like to modify.
  2. Right click on the part of the post you want to change and select “Inspect”.
  3. The browser should have brought up the HTML associated with that part of the page. Below is a screenshot of me doing this with a Krebs on Security post.
  4. Find the line you want to edit, right click on it, and select “Edit as HTML”. You can now edit the text or just add some.
  5. Look at the resulting page.

Modify Javascript

Modifications are not limited to just HTML. It is very possible to modify code on the page and change its behavior.

Chrome is required for these instructions. It is possible in Firefox but quite annoying.

  1. Visit this practice page
  2. The page loads Javascript code. To see it, right click on “Submit” and click “Inspect”. Then select “Sources” in the developer console.
  3. Figure out what you need to enter into the text box to get the page to say “Hello World” at you.
  4. Change the Javascript so that any text will cause “Hello World” to appear.

Reflection questions

  • Reflect on the following two prompts:
    • Screenshots are often used as evidence in news articles and social media posts. Especially for content that has been deleted.
    • Websites are made of a mix of client code (HTML, JavaScript) and backend server code (PHP, Ruby, Python). Client-side checks are used quite often by websites.

Other things to try

Try removing page elements that you find annoying. Technology like Ad Blockers is just automatically doing what you can do manually. Try loading a page that has a large banner or ad at the top and then remove it. You will often see me doing this at the start of class. I like to make news articles on the screen easy to read, so I often remove unnecessary page elements and change the text width.

Look at client-side checks. Many pages have client-side checks for all sorts of things. Twitter, for example, used to check new passwords against a list of common passwords client-side. By opening the JavaScript you could see a list of passwords that Twitter does not allow.

Apr 24, 2025

See data visible to websites

Deadline: 18 July

Your web browser provides lots of facts to webpages and to JavaScript as part of normal operations. These facts are helpful in that they let pages properly adapt content to match the capabilities of the computer and monitor they are on. But they can also be used to uniquely fingerprint and track users.

In this activity you will be looking at the types of information visible

Steps

  1. Visit the Cover Your Tracks website using your normal web browser using your normal settings. Click “Test Your Browser”.
  2. Make sure to scroll down on the results page to see all the different types of data the site was able to collect about your browser.
  3. Try visiting the page again using a privacy-preserving mode like Private Browsing, or Incognito.
  4. Try visiting with a different browser than your normal one.
    • Brave
    • Chrome - Advertising friendly
    • Firefox - Auto blocks advertising

Reflection questions

  • What detected information most surprised you?

Learn more

Apr 17, 2025

Read a Regulation, Law, or Advisory

Deadline: 25 July

Legal regulations can have large impacts on how technology is implemented. Laws and regulations are a way that government tries to influence how technology is built and how it impacts people.

In this activity you will be picking a regulation/law (suggestions below) and reading part of it.

Laws and regulations

Select a law/regulation from the following list. Or use this list as inspiration and select your own regulation to read. I encourage exploring Canadian regulation, but you are welcome to select from regulations worldwide as long as they have a clear connection to privacy or security.

Reflection questions

  • Did you feel that you were able to understand the part of the regulation you read?
  • As an Engineer, do you feel like you could implement what you read?
Apr 17, 2025

Listen to Phish

Deadline: 25 July

This activity requires you (or someone physically near you) to receive a scam communication. So I recommend starting this activity a bit earlier than others since it is hard to control when a scam might happen. If you really don’t receive any scams, try talking to your friends or family about ones they have seen recently.

All you need to do is read or listen to the full scam communication and then think critically about the following questions. There is no need to progress past the initial communication. It is fine to hang up after the initial pitch by them, you do not need to speak to anyone, and you do not need to click any links. Please also review the safety guidance below.

Questions to think about

  • Who is the scammer claiming to be?
  • What would a real communication from that group or individual look like? (It is ok to answer that you do not know.)
  • How did you determine this was a scam/phishing?
  • What do you think the scammer is trying to achieve? This one may be challenging to impossible to answer, but try guessing.
  • How confident are you in your assessment? Could you be wrong?
  • If you are unsure, how might you double check if the communication is valid or phishing?

Safety

Do not:

  • Give out real data
  • Click on links in suspected scams/phishing (unless you are on a safe VM, and even then be very careful)
  • Give them your real name or contact details
  • Email them back - many email providers (though maybe not UWaterloo) use Greylisting where the mail server considers if you have ever emailed the sender before when creating its spam score. The reasoning is that you normally only email valid contacts. But if you email a scammer, then the next email they send will get a score boost from the greylist and consequently may not catch a subtle scam. Avoid emailing scammers.

You can:

  • Run wget on any links and look at the resulting page in a text editor. Do not open it with a web browser.
  • Give the scammer a fake name or address
    • Avoid using the contact information of the University you attend. Better to pick a large location in a populous city like Toronto.
  • Talk vocally to the scammer. There is some risk that by answering you may get put on a “willing to answer” scammer list. But otherwise just talking to a scammer is not harmful if you pay attention to the rules above.

Reflection questions

  • Answer the questions above.
  • Add at least one sentence of self-reflection.

Learn more

Scams are often obvious because they occur outside the context we expect. That makes them easy to identify. But scams work by finding one person where that message does make sense. And just about anyone can fall for phishing:

Apr 17, 2025

Extra: Set a Cookie

Not Graded: This activity is not required and is not graded. It may have self-reflection questions, but they are there only for your own learning.

Cookies are small text strings stored by your browser on the behalf of websites.

Software: Instructions are for Firefox, but most browsers should work. Note that Firefox blocks 3rd party cookies, so you will see fewer cookies on Firefox than on Chrome.

Steps

Look at cookies

Start by looking at some cookies for this website. Do the following while the course website is open.

  1. Open the developer tools (Ctrl-Shift-I)
  2. Open “Storage” tab
  3. Open “Cookies” on sidebar.
  4. Look at all the cookies stored by all UWaterloo websites, not just this page. Try clicking on the various cookies and seeing what is being stored.
    • Name is essentially the variable name of the cookie.
    • Value is the value the cookie is storing.
    • Domain is the website domain associated with this cookie. Note that the browser will only allow websites from this domain to access this cookie.
    • Secure indicates if the cookie must be sent encrypted (https) or if it can be sent without encryption (http) - see FireSheep below.
  5. Look at the cookies for another website.
  1. Download this example website by right clicking and selecting “Save page as”. It is an HTML page, so if you just click it will load. You need to save the text file to your local computer.
  2. Open the HTML file in the plain text editor of your choice.
  3. Change “JohnDoe” to any string of your choice.
  4. Use the steps above to see the content of your cookie.
  5. Visit a similar Example Cookie Page which picks a random number for you when you first visit. Subsequent visits should show you the same number because the number is stored in a cookie.
    • Find 3 ways to make the site “forget” who you are. Try thinking like a normal user, the approaches need not be complex or overly technical.

Reflection questions


Learn more

  • FireSheep - an old attack where you could steal unencrypted Facebook cookies over wifi at coffee shops and take over other people’s Facebook logins. Facebook was encrypting pages but not cookies at the time.
May 9, 2025

Extra: Record data a page sends/receives

Not Graded: This activity is not required and is not graded. It may have self-reflection questions, but they are there only for your own learning.

Modern websites are built from many different sources. In this activity you will be using your browser’s functionality to record a sequence of web browsing activities and then look at the result.

Software: Chrome or Firefox recommended

Steps

Capture your own traffic

  1. Visit any news website such as:
  2. Open the developer console by pushing F12
  3. Switch to the Network tab
  4. Reload the website and wait a bit for most content to load
  5. You can now see all the pages that are being fetched and all the content being sent back and forth between your browser and the various servers. The interface will also let you filter, sort, and dive into anything you find interesting.
  6. Download the resulting Har file:
    • Firefox right click on any network line and select “Save all as HAR”
    • Chrome Click on the down arrow icon below the Networking tab to download the HAR file.
  7. A HAR file is just a JSON object; it can be opened in any programming language that supports HAR files or anything that can open JSON.
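
One way to open the HAR file from step 6 in Python and see which hosts the page talked to. This is an added example, not part of the course material: the sample HAR is constructed, the function names are made up for illustration, and the "last two DNS labels" rule for deciding what counts as third party is a simplifying assumption (real tools use the Public Suffix List).

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Headers that carry session or login material. A HAR file records them in
# full, so a host flagged here means the file itself is sensitive.
CREDENTIAL_HEADERS = {"cookie", "set-cookie", "authorization"}


def make_entry(url, size, req_headers=(), resp_headers=()):
    """Build one minimal HAR 1.2 entry for the constructed sample below."""
    def as_list(pairs):
        return [{"name": n, "value": v} for n, v in pairs]
    return {"request": {"method": "GET", "url": url,
                        "headers": as_list(req_headers)},
            "response": {"status": 200, "headers": as_list(resp_headers),
                         "content": {"size": size}}}


# Constructed sample: a news page, its own static host, and two other sites.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    make_entry("https://news.example/", 52000,
               req_headers=[("Cookie", "session=CONSTRUCTED")]),
    make_entry("https://static.news.example/app.js", 18000),
    make_entry("https://cdn.adnetwork.example/tag.js", 9000),
    make_entry("https://cdn.adnetwork.example/pixel.gif?uid=123", 43,
               resp_headers=[("Set-Cookie", "uid=CONSTRUCTED")]),
    make_entry("https://metrics.tracker.example/collect", -1),  # size unknown
]}})


def site_of(host):
    """Naive site name: the last two DNS labels (assumption, see lead-in)."""
    return ".".join(host.lower().split(".")[-2:])


def summarise_har(har_text):
    """Return {host: {requests, bytes, third_party, credentials}}.

    Assumes the first entry is the page document the user navigated to.
    """
    entries = json.loads(har_text)["log"]["entries"]
    if not entries:
        return {}
    page_site = site_of(urlsplit(entries[0]["request"]["url"]).hostname or "")
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0,
                                   "third_party": False, "credentials": False})
    for entry in entries:
        host = urlsplit(entry["request"]["url"]).hostname
        if host is None:              # data: or blob: URLs have no host
            continue
        row = summary[host]
        row["requests"] += 1
        # HAR uses -1 for "size not available"; count that as 0 bytes.
        size = entry["response"].get("content", {}).get("size", 0)
        row["bytes"] += max(size, 0)
        row["third_party"] = site_of(host) != page_site
        names = {h["name"].lower()
                 for side in ("request", "response")
                 for h in entry[side].get("headers", [])}
        if names & CREDENTIAL_HEADERS:
            row["credentials"] = True
    return dict(summary)


def third_party_hosts(summary):
    """Hosts that belong to a different site than the page itself."""
    return sorted(h for h, row in summary.items() if row["third_party"])


def credential_hosts(summary):
    """Hosts whose recorded traffic includes cookies or auth headers."""
    return sorted(h for h, row in summary.items() if row["credentials"])


if __name__ == "__main__":
    result = summarise_har(SAMPLE_HAR)
    for host, row in sorted(result.items()):
        print(host, row)
    print("third party:", third_party_hosts(result))
    print("carry credentials:", credential_hosts(result))
```

To run it on your own capture, pass the contents of the saved file to summarise_har. Because the file records cookie and authorization headers verbatim, treat it like a password until those values are removed.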

See map of website connections

Firefox is required for this one.

  1. Add the plugin Lightbeam on Firefox
  2. Visit a couple of pages on different websites
  3. Click on the Lightbeam icon to open the page, and wait because Lightbeam is slow…..
  4. Look at the connections between websites and the pages they load
  5. Uninstall Lightbeam. It is a fun tool, but it also records every page you visit.

Reflection questions

Apr 25, 2025

Extra: Shadow Password File

Not Graded: This activity is not required and is not graded. It may have self-reflection questions, but they are there only for your own learning.

Software: Root access on a Linux machine is required for this activity. Root access on a Mac might work, but the instructor has not tested it.

In this activity you will be looking at the Linux shadow password file and seeing what happens when you create a new user.

Steps

  1. Run: “sudo cat /etc/shadow”
  2. Note that most of the entries have no passwords. These are various computer systems which have accounts on the computer for access-control reasons.
  3. Find your own user.
  4. Create a new user account on the machine and set its password to something easy.
  5. Find the new user in the shadow file.
  6. Look up the salt code to see what algorithm your OS is using to compute the hash.
  7. Compute the correct hash yourself using the salt string from the shadow file, the correct password, and a hash generator. The generator can be an online one or using a library in the language of your choice.
  8. Compare what you computed to what the system has. If they don’t match, you may need to look up the shadow password file structure for your OS version and adjust.
  9. Remove the user from your system by removing the account you created.
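
Steps 6 to 8 carried through in Python for the SHA-512 crypt scheme (the "$6$" prefix), using only hashlib. This is an added example, not part of the course material: the shadow lines are constructed, alice's entry is the published SHA-512 crypt test vector (password "Hello world!", salt "saltstring"), bob's yescrypt value is a placeholder, and the function names are made up for illustration. Some current distributions default to yescrypt ("$y$"), which this code recognises but cannot recompute.

```python
import hashlib
import hmac

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Scheme ids that appear after the first "$" of the password field.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# Constructed sample lines (see lead-in); none come from a real system.
SAMPLE_SHADOW = [
    "daemon:*:19800:0:99999:7:::",
    "root:!:19800:0:99999:7:::",
    "alice:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJ"
    "uesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:20000:0:99999:7:::",
    "bob:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::",
]


def parse_shadow_line(line):
    """Return user, password field, scheme name, salt and rounds."""
    user, field = line.split(":")[:2]
    entry = {"user": user, "field": field, "scheme": None,
             "salt": None, "rounds": None}
    if not field.startswith("$"):     # "", "*", "!" etc.: no hash is stored
        return entry
    parts = field.split("$")          # ['', id, [rounds=N,] salt, hash]
    entry["scheme"] = SCHEMES.get(parts[1], "unknown")
    if entry["scheme"] in ("sha256crypt", "sha512crypt"):
        if parts[2].startswith("rounds="):
            entry["rounds"], entry["salt"] = int(parts[2][7:]), parts[3]
        else:
            entry["salt"] = parts[2]
    return entry


def sha512_crypt(password, salt, rounds=None):
    """Compute the full "$6$..." string for a password and salt."""
    key, salt_b = password.encode(), salt.encode()[:16]
    n = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)

    # Digest B, then digest A mixed with B according to the key length.
    b = hashlib.sha512(key + salt_b + key).digest()
    ctx = hashlib.sha512(key + salt_b)
    ctx.update((b * (len(key) // 64 + 1))[:len(key)])
    cnt = len(key)
    while cnt:
        ctx.update(b if cnt & 1 else key)
        cnt >>= 1
    a = ctx.digest()

    # P and S: byte sequences derived from the key and the salt.
    p = hashlib.sha512(key * len(key)).digest()
    p = (p * (len(key) // 64 + 1))[:len(key)]
    s = hashlib.sha512(salt_b * (16 + a[0])).digest()[:len(salt_b)]

    # The stretching loop: this is what makes each guess expensive.
    for i in range(n):
        c = hashlib.sha512(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()

    # crypt's own base64: permuted byte triples, low 6 bits emitted first.
    out = []
    for k in range(21):
        t = (a[k], a[k + 21], a[k + 42])
        b2, b1, b0 = t[k % 3:] + t[:k % 3]
        w = (b2 << 16) | (b1 << 8) | b0
        out += [B64[(w >> (6 * j)) & 0x3F] for j in range(4)]
    out += [B64[a[63] & 0x3F], B64[a[63] >> 6]]

    prefix = "$6$" + ("" if rounds is None else "rounds=%d$" % n)
    return prefix + salt_b.decode() + "$" + "".join(out)


def check_password(shadow_line, candidate):
    """True/False for a $6$ entry, None when the scheme is not handled."""
    entry = parse_shadow_line(shadow_line)
    if entry["scheme"] != "sha512crypt":
        return None
    computed = sha512_crypt(candidate, entry["salt"], entry["rounds"])
    return hmac.compare_digest(computed, entry["field"])


if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        e = parse_shadow_line(line)
        print(e["user"], e["scheme"], check_password(line, "Hello world!"))
```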
May 9, 2025

Lectures

| Lecture | Date | Day | Module | Lecture Title | Activities Due |
|---|---|---|---|---|---|
| 1 | 5-May | Monday | Introduction | Introduction | |
| 2 | 9-May | Friday | Authentication | Authentication | |
| 3 | 12-May | Monday | | Authentication, Phishing | |
| 4 | 16-May | Friday | Access Control | Access Control | Read a breach report |
| | 19-May | Monday | | No class – holiday | |
| 5 | 23-May | Friday | | Access Control and Information Flow | Verify chat keys |
| 6 | 26-May | Monday | Cryptography | Cryptography Introduction | |
| 7 | 30-May | Friday | | Cryptography | Opt-out, Verify web cert |
| 8 | 2-Jun | Monday | | Cryptography | |
| 9 | 2-Jun | Monday | Networking | Networking | |
| 10 | 6-Jun | Friday | | Networking | |
| | 9-Jun | Monday | | No class – Instructor gone | |
| 11 | 13-Jun | Friday | | Networking | Modify URLs |
| 12 | 16-Jun | Monday | Midterm | No class | |
| 13 | 20-Jun | Friday | Midterm | No class | |
| 14 | 23-Jun | Monday | | Networking - tcp, onion routing | |
| 15 | 27-Jun | Friday | Programming | Programming Security | Download data |
| | 30-Jun | Monday | | No class – holiday | |
| 16 | 2-Jul | Wednesday | | Program security | |
| 17 | 4-Jul | Friday | | Programming security | Block 3rd party content |
| 18 | 7-Jul | Monday | Web Security | Web Security - People | |
| 19 | 11-Jul | Friday | | Web Security - XSS | Modify website |
| 20 | 14-Jul | Monday | | Web Security - defenses | |
| 21 | 18-Jul | Friday | Privacy | Privacy | See data visible to websites |
| 22 | 21-Jul | Monday | | Privacy | |
| 23 | 25-Jul | Friday | | Additional topics | Listen to phish, Read regulation |
| 24 | 28-Jul | Monday | | Revision | |

  • Red indicates lectures that are canceled.
  • Green indicates lectures at abnormal times.

Makeup Lectures

The University automatically assigns makeup lecture times for the course. These are to be used in the event that the Instructor has to be out of town or some unexpected event happens.

I recognize that these times may be challenging for some students to attend. Effort will be made to do lecture recording for any makeup lecture times used.

Expect to use:

  • Monday June 2nd, 4pm-5:20pm

Not expected to be used:

  • Monday May 12
  • Monday June 23
  • Monday July 21

Lecture Module Resources

Under each lecture module on the sidebar you will find links to many sources of information on the topic. These are optional readings, you are not required to read any of them. I am often asked after class about where to look to learn more about a topic or where to go if the topic is a bit challenging to understand from the lecture content. These resources are a good place to start for those interested.

I am always happy to add new resources to these lists, so if there is something recent that I have left off, or even just something fun that you think others might enjoy, feel free to email me about them.

Apr 22, 2025

Subsections of Lectures

Authentication

Slides

News

Laws, regulations, and guidance

Research

Random Fun Stuff

  • The password game - Simple game that keeps giving you new harder, more crazy, password rules as you progress.
Apr 23, 2025

Cryptography

Cryptography is the study of encryption approaches and is one of the most basic tools used in security. In this module we will cover some of the basic principles of cryptography and some of the most common cryptography approaches.

Slides

Security in Computing - Chapter 2.1 and 2.2

Learning Goals

Understand

Encryption is not magic, it does not protect all things from all attacks, it is built on assumptions and like all tools is designed to perform specific tasks. Different types of cryptography are designed to solve different problems, think about the problems, constraints, and assumptions that can be made before selecting a cryptographic approach.

Remember

  • Difference between symmetric and asymmetric cryptography
  • Keys, what they are for, assumptions about them, and what they do
  • Stream and block ciphers

Apply

Think about the different tools that you use on a daily basis that claim they use encryption to protect you. Try looking up what kind of encryption they use and reason about why that type was chosen.

Additional Resources

Apr 23, 2025

Networking

Slides

Educational Games

  • CS4G Network Simulator - an easy to understand and play simulator game that takes you through some of the most basic attacks in networking such as spoofing and a man in the middle attack
  • Permission Impossible - a simple drag-and-drop game designed to teach firewall concepts and rules
  • Blue Team - a more complicated firewall game that has you set firewall policies for multiple computers in a network, upper levels include some simple interaction with an intrusion detection system

Additional Resources

Apr 23, 2025

Subsections of Assignments