<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Modules :: Computer Security ECE458/750 2026</title>
    <link>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/index.html</link>
    <description>The class is divided based on the high-level topics being covered. Each module listed on the sidebar has a list of lectures and associated resources based on that module.</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <managingEditor>kami.vaniea@uwaterloo.ca (Kami Vaniea)</managingEditor>
    <webMaster>kami.vaniea@uwaterloo.ca (Kami Vaniea)</webMaster>
    <lastBuildDate>Wed, 23 Apr 2025 12:09:20 -0400</lastBuildDate>
    <atom:link href="https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Introduction</title>
      <link>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/introduction/index.html</link>
      <pubDate>Wed, 23 Apr 2025 10:29:39 -0400</pubDate><author>kami.vaniea@uwaterloo.ca (Kami Vaniea)</author>
      <guid>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/introduction/index.html</guid>
      <description>Slides Slides Videos How Chinese Criminals Steal Your Credit Card With Just One Text&#xA;Additional Resources News and blogs The Age of Integrity by Bruce Schneier The computer errors from outer space - cosmic radiation can flip bits. Threats to correct operation of software can come from anywhere. Cosmic radiation even triggered a precautionary fleet action for Airbus A320’s.</description>
    </item>
    <item>
      <title>Authentication</title>
      <link>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/authentication/index.html</link>
      <pubDate>Wed, 23 Apr 2025 12:09:12 -0400</pubDate><author>kami.vaniea@uwaterloo.ca (Kami Vaniea)</author>
      <guid>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/authentication/index.html</guid>
      <description>Authentication is about determining that an entity, such as a person, has a desired property, such as knowing a password. The goal of authentication is ensuring that the system knows who is interacting with it and can therefore make later decisions, such as access control decisions, with confidence.&#xA;Slides 2025 Slides 02-Authentication 03-Authentication 03-Phishing Recommended Reading Security in Computing - Chapter 2.1 and 2.2 Video 17 minutes: What’s wrong with your pa$$w0rd? News Exclusive: how the Atlantic’s Jeffrey Goldberg got added to the White House Signal group chat Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years by Brian Krebs Laws, regulations, and guidance NIST SP 800-63-4 Section 3.1.1. NIST proposes barring some of the most nonsensical password rules by Dan Goodin (arsTechnica) Password administration for system owners by the National Cyber Security Center of the United Kingdom - one of the first countries to officially advocate for user-friendly password rules Research Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In Proceedings of IEEE SP 2012. Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, William Melicher. Design and Evaluation of a Data-Driven Password Meter In Proceedings of CHI 2017. Florian Mathis, John H. Williamson, Kami Vaniea, Mohamed Khamis (2020). RubikAuth: Fast and Secure Authentication in Virtual Reality. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. Ur, Blase, et al. “How does your password measure up? The effect of strength meters on password creation.” 21st USENIX security symposium (USENIX Security 12). 2012. Random Fun Stuff * The password game - Simple game that keeps giving you new harder, more crazy, password rules as you progress.</description>
    </item>
    <item>
      <title>Access Control</title>
      <link>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/access-control/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><author>kami.vaniea@uwaterloo.ca (Kami Vaniea)</author>
      <guid>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/access-control/index.html</guid>
      <description>Access control is how the system manages access to various resources. Classically, access control is defined in terms of who wants to perform what action on what resource and if that triple of (who, action, resource) should be allowed.&#xA;Slides 2025 Slides 04-Access-Control 05-Information-Flow-Control News Erroneous Death Termination ‘A Total Meltdown’: Black Friday Zipcar Outage Strands Customers in Random Places Wikipedia and other education pages Bell–LaPadula Model Biba Integrity Model Research</description>
    </item>
    <item>
      <title>Cryptography</title>
      <link>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/cryptography/index.html</link>
      <pubDate>Wed, 23 Apr 2025 12:09:20 -0400</pubDate><author>kami.vaniea@uwaterloo.ca (Kami Vaniea)</author>
      <guid>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/cryptography/index.html</guid>
      <description>Cryptography is the study of encryption approaches and is one of the most basic tools used in security. In this module we will cover some of the basic principles of cryptography and some of the most common cryptography approaches.&#xA;Slides 2025 Slides 06 Cryptography Introduction Topics: Man in the Middle, substitution ciphers, one time pad, stream ciphers, block ciphers 06-Handout 07 Cryptography Topics: Playfair cipher, crypto errors, hash functions, hmac, sp-networks 07-Handout – (Answers) 08 Cryptography Recommended Reading Security in Computing - Chapter 2.1 and 2.2</description>
    </item>
    <item>
      <title>Networking</title>
      <link>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/networking/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><author>kami.vaniea@uwaterloo.ca (Kami Vaniea)</author>
      <guid>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/networking/index.html</guid>
      <description>Networking is how we reliably move data between computers over unstable and sometimes untrusted connections managed by strangers.&#xA;Slides 2025 Slides 09 Networking Introduction Packets, IP addressing, OSI network model, ports, TCP 10 Networking Autonomous Systems, BGP Routing, VPNs 11 Networking Threat Models, Onion Routing, Denial of Service, Firewalls, NAT 12 Networking Educational Networking Games CS4G Network Simulator - an easy to understand and play simulator game that takes you through some of the most basic attacks in networking such as spoofing and a man in the middle attack Permission Impossible - a simple drag-and-drop game designed to teach firewall concepts and rules Blue Team - a more complicated firewall game that has you set firewall policies for multiple computers in a network, upper levels include some simple interaction with an intrusion detection system News A single point of failure triggered the Amazon outage affecting millions Amazon Web Service (AWS) went down for 15 hours due to a race condition and DNS. Additional Resources Clark, David. “The design philosophy of the DARPA Internet protocols.” Symposium proceedings on Communications architectures and protocols. 1988. Mockapetris, Paul, and Kevin J. Dunlap. “Development of the domain name system.” Symposium proceedings on Communications architectures and protocols. 1988.</description>
    </item>
    <item>
      <title>Secure Programming</title>
      <link>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/secure-programming/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><author>kami.vaniea@uwaterloo.ca (Kami Vaniea)</author>
      <guid>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/secure-programming/index.html</guid>
      <description>Secure programming is a broad topic but roughly covers the security of operating systems and applications.&#xA;Slides 2025 Slides 13 Secure Programming 14 Secure Programming 15 Secure Programming Extra Slides - Car key hacking slides, not covered in lecture so not examinable News from Lecture Below are some of the news stories cited in lecture or during the first 5 minutes.</description>
    </item>
    <item>
      <title>Web Security</title>
      <link>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/web-security/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><author>kami.vaniea@uwaterloo.ca (Kami Vaniea)</author>
      <guid>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/web-security/index.html</guid>
      <description>Web security covers the security of web servers, browsers, users, and organizations that all interact over the Internet. This module starts with a quick course in how the Internet and websites function then moves on to more classic website attacks like Cross Site Scripting.&#xA;Slides 2025 Slides 16-WebSecurity Topics: How websites are built 17-Cookies Topics: Cookies, web tracking, cookie access control 17-WebSecurity-XSS Topics: Cross Site Scripting (XSS) Note that a few “New Slide” slides were added after lecture to give examples of a few points that were confusing. 18-WebSecurity Topics: News Post Office Scandal Official Report Additional Resources Research Papers Daniel Kirkman, Kami Vaniea, Daniel W. Woods (2023). DarkDialogs: Automated detection of 10 dark patterns on cookie dialogs. In Proceedings of the 8th IEEE European Symposium on Security and Privacy (EuroSP&#39;23).</description>
    </item>
    <item>
      <title>Privacy</title>
      <link>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/privacy/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><author>kami.vaniea@uwaterloo.ca (Kami Vaniea)</author>
      <guid>https://ece.uwaterloo.ca/~kvaniea/teaching/ece458/S2026/modules/privacy/index.html</guid>
      <description>There are many definitions of privacy; in this class we learn a bit about those definitions including contextual privacy, user control over data flows, and privacy laws.&#xA;Slides 2025 Slides 19-Privacy 20-Privacy Additional Resources Protecting Privacy in Practice: The current use, development and limits of Privacy Enhancing Technologies in data analysis by the Royal Society, March 2019 The State of Web Privacy: How Wrongful Collection is Redefining Digital Risk by Coalition. - Takes an insurance-focused view to privacy breaches and observes that incorrect collection of data is being successfully litigated in the United States.</description>
    </item>
  </channel>
</rss>