A project: learn something new and share it
You may work alone or with a partner. If you really want to work alone, that's OK, but I encourage you to consider working with somebody else.
Deadlines
- 5:00PM Friday, Oct 31: post your initial project proposal (described below) on #general in Slack
- 24 hours after I reply to your proposal: post a refined proposal in the same Slack thread on #general
- 11:59PM Wednesday, November 12: submit all deliverables
Goals
- Dig deeply into some security topic that interests you
- Practice explaining and/or demonstrating your understanding of your technical topic to a moderately technical audience
Rubric
What's the plan?
For this assignment, you're going to pick a security topic that interests you and dig deeply into it. Then you're going to create something to help teach your audience about your topic. The "something" in question could be a video, a paper in the style of an explainer blog, some code to demonstrate or implement your topic, etc.
I'm flexible about what I'll accept, as long as you can show that you have learned an interesting topic well, and you can help me learn it, too. So feel free to be creative on how you approach this project.
Possible project types
Option 1: explain a technical topic
Suppose, for example, that you have wondered about what's going on when a website (e.g., medium.com) offers you the option to log in using your Google account (or Facebook, or...). How does Medium communicate with Google? How is your password protected? What kind of permissions are you granting to Medium when you enter your Google credentials? etc.
It turns out that this stuff is orchestrated by a protocol called OAuth. OAuth is moderately complicated and a little bit controversial, but our first weeks of class prepared you well to start studying it.
If you wanted to understand OAuth, you could study it and figure it out well enough to enable you to produce a video along the lines of my class videos or explainer-style videos from people like Computerphile.
Prefer blog explainers to video explainers? Do the same explaining, but in blog/walkthrough form. Or even create a small website to help your audience explore your topic, if that type of nonlinear exposition feels right for the topic.
Option 2: demonstrate a technical topic
Maybe you would prefer to build something to help you learn and to enable you to demonstrate your understanding.
Sticking with the OAuth example: you could design a small web application that offers one set of features by default, but offers an enhanced set of features if the user is willing to "login with Google". For this project, your emphasis would be on writing code to coordinate the interaction between your application and Google's OAuth servers, and your web application's features could be just barely complex enough to demonstrate the before-and-after differences.
Because part of this project is about helping others learn about a topic, you'll want to think about how the demo itself might act as a form of explainer. For example, if you're doing an OAuth demo, the "web application" could include some dynamic material illustrating the progress of the OAuth client/server exchange while a person is running your demo.
Option 3: explain a historical security incident
There have been a ton of very interesting historical security incidents, and you can learn a lot about how they worked. How exactly did the NotPetya malware come into existence and disrupt global shipping? What was going on under the hood with the WannaCry malware that ransomed 200,000 machines, and precisely what mechanism did random hacker Marcus Hutchins use to stop its global spread? What was Stuxnet, what was it for, who made it, and how did it work? etc.
For historical topics, you'll want to focus some attention on technical explanation like in Option 1 above, but also some attention on explaining the events, historical context, and societal impacts of the incident.
Video often works great for this kind of topic, but you could also do more blog/paper-style presentation or design a small website to enable your reader to explore the topic.
Option 4: other
Got another idea for how to learn something and share your understanding? Great! Talk me through your idea in your initial proposal.
First deadline: project proposal
In brief, your proposal should answer the questions "what do you want to study?" and "how do you want to share what you learned?"
This should be a short proposal, giving me enough specificity about what you have in mind that I'll be able to give you some concrete suggestions about how to proceed, potential pitfalls, etc. Include the following:
- names of all partners
- brief description of the topic you want to study
- description of how you intend to present your work (e.g., video, video + demo, small website, explainer blog,...)
- list of deliverables (which you may have already provided in the previous bullet point)
- questions you have for me about your topic
Next: I respond
I'll try to give you feedback on your proposals in a thread on Slack within 36 hours of your posting, but since it will be the weekend, it may take me a little longer.
Since these proposals are going into the #general channel on Slack, you may find that you have a constructive response to offer to somebody else's proposal. This is not required, but it's also just fine to chime in on somebody's proposal. (If you do, put your response in a thread attached to the original proposal.)
Second deadline: refined project proposal
After I respond to your proposal, update it accordingly in the same thread.
Final deadline: the rest of your deliverables
First, create a readme.txt/md in a folder named "project" in your class git repo. This can include the refined project proposal. It should also include any links required to see your project, instructions on how to build and run your demo, etc. That is, please put enough info in here that the grader and I can easily and quickly start looking at your project.
It's possible that your whole project will be linked from your readme file, and that's fine. If you prefer to put your stuff on Google Drive or Panopto or YouTube or something like that, that's just fine. But if you are including files that are not found elsewhere, please put all relevant materials in your git repo's "project" folder.
Topic ideas
Here's a tiny starter list of project ideas.
- Cryptography, authentication, etc.
  - Wardriving and cracking WEP
  - Password cracking
  - Passkeys and FIDO
  - OAuth
  - Windows authentication: Kerberos or NTLM or NTLMv2
  - Setting up HTTPS using Let's Encrypt as a certificate authority
  - How do VPNs work (setting up an OpenVPN server); what do they do for you?
  - How do browsers do password management, credit card storage, etc.
  - the Signal Protocol
  - what exactly do certbot and the Let's Encrypt certificate authority server do to get you a certificate?
  - ...
- ...
- the Tor network and browser
- Spectre & Meltdown & Rowhammer and other CPU-level vulnerabilities
- Phishing (phishing campaign software, structure of phishing attacks,...)
- The last 10 years of iOS security/privacy enhancements
- Command-and-control software for hacking
- Ransomware
- Keyloggers
- Steganography
- ...
- Historical security incidents
  - NotPetya
  - Stuxnet
  - ILOVEYOU virus
  - SolarWinds
  - Shellshock
  - the Morris worm
  - ...
- [There are so many more!...]