CS231 Computer Security
Monday, 15 September 2014

BOOT YOUR CLASSROOM COMPUTER TO WINDOWS

1. Who's here?

2. What's this course about?
   -- Two questions, three stories, and a way of thinking.
   -- Question 1: in the context of our networks and computer systems,
      what are the nature, roles, and sources of trust?
   -- Question 2: how do theory and engineering interact in creating
      secure and/or insecure systems?
   -- Story 1: I log in to skittles.mathcs.carleton.edu using SSH.
   -- Story 2: I buy a movie from Amazon Prime using One-Click.
   -- Story 3: I'm at Goodbye Blue Monday using their wireless connection
      (and/or the one next door at Tandem Bagels), and so are a dozen
      other laptop users.
   -- The way of thinking: How can this communication be secured? How can
      the security be compromised? What if I do this or this or this...?
      Where are the weak points? ...

3. Jeff's personal goals
   -- Deepen my understanding of the theory and mechanisms
   -- Learn the practice of penetration testing and intrusion detection

4. The plan
   -- Start with Story 1. Use it to get introduced to:
      * network protocols in general
      * a little bit of Ethernet and TCP/IP
      * public key cryptography and key exchange
      * public key infrastructures (PKI)
      * authentication
      * how to use a packet sniffer (specifically, Wireshark)
      * how can SSH be undermined?
   -- Take a breath, do some reading now that we know some stuff.
   -- Work through Story 2:
      * More PKI, with emphasis on certificates and websites
      * SSL and TLS
      * passwords
      * storage of sensitive data
   -- Take another breath for general reading and thinking
   -- Work through Story 3:
      * all those W protocols--WEP, WPA, WPA2
      * what are the avenues of attack here?
      * intrusion detection
      * penetration testing, including getting to know nmap a bit
   -- Projects: studying a special topic
   -- Interspersed through all this:
      * a visit from Dave Diehl of CrowdStrike
      * a visit from Carleton's Rich Graves
      * brief explorations of recent and historical security breaches

5. Some logistics
   -- http://cs.carleton.edu/faculty/jondich/cs231_f14/
   -- Moodle: we'll use it only for homework submission and to connect
      to Piazza
   -- Miscellaneous homework, a few half-period quizzes, and a project
   -- Textbook: Security Engineering 2e, by Ross Anderson, Wiley 2008
   -- Question: how many of you have taken the Networks (CS 331) course?

6. Looking at HTTP: the short version
   -- Using telnet to talk to a web server
   -- Using Wireshark to watch HTTP traffic

7. The longer version (as time permits, and to be continued Wednesday)
   -- Clients and servers
   -- Protocol stacks and headers
   -- The transport layer and TCP
   -- Ports and IANA and /etc/services
   -- Ethernet