Course information

Readings

No textbook required.

We'll read a wide range of miscellaneous online papers, news stories, tutorials, technical specifications, etc.

Grading

Your grade will be based on your performance on homework and labs (50%), a couple of exams (20% each), and a final project (10%). There will be no in-person requirement during finals week, so you'll be able to complete your final work remotely.

In-class labs

In-class labs are intended to give you a first look at some concept or tool. (For example, on day 1 we'll do a short lab introducing the command-line tool curl. I intend for the labs to contain specific step-by-step instructions with pretty simple questions to check your comprehension along the way.

Each lab will be worth 3 points (compared to homework assignments, which will typically count for between 10 and 20 points). In general, if you make a good-faith effort to answer all the questions in a lab, you will receive the full 3 points, even if your answers are not complete or fully correct. I will close submissions for the labs at the end of the day of the lab. I will also drop your worst two lab scores at the end of the term, so you can miss a couple labs without penalty.

Late homework

Each homework assignment will be given a due date and time. Unless otherwise specified, you may assume the due time is 5:00PM if it's a Friday, or 11:59PM otherwise.

Work handed in after the due time but within 24 hours will be docked 50%. Anything handed in later will receive a score of 0.

Since I recognize that the term gets busy and complicated for most people, you get 4 free 24-hour tokens. By default, I will apply these tokens automatically to assignments you hand in late, so you don't need to alert me unless you have some non-default way you want to use the tokens. Tokens are not splittable (e.g., if you use a token to hand in an assignment 3 hours late, you have consumed the whole token).

Collaboration

Working with your classmates is a good thing. Sharing insights is fun, and can enhance everybody's learning. The main danger of collaborating on course work is in allowing your collaborator to do all the work, and thus all the learning.

For homework assignments, you may create your write-ups alone or with one classmate. If you work with a partner, you should submit one copy of your work with both names listed in your submission. If you would like me to assign you a partner for any given assignment, let me know via Slack direct message and I'll do my best to connect you with somebody.

In most cases, you'll submit your work using a GitHub repository. When you're working with a partner, you can put the submission in either one of your repositories, and I'll be able to find it. That said, it's very important to put your names in a comment at the top of source code or at the top of a PDF or whatever. Similarly, when I ask you to use a specific file name or put things in a specific folder, it's important for you to do so. I try to automate whatever is automatable when I'm writing feedback for you, and by following my specifications, you can make my job a lot easier and less error-prone.

For exams, of course, you must work alone, using only the resources I explicitly allow.

If you have any doubts about what constitutes acceptable collaboration, talk to me.

Using stuff you find online

Here are some thoughts on using other people's code. Read that document, please. In brief: cite your sources and check with me if you think you might be straying into plagiarism territory.

My thoughts on non-code resources are consistent with the guidance provided by Carleton's Writing Center. Learning from many sources is great. It's important, however, not to claim other people's work as your own, even implicitly.

Questions about general or specific issues in this realm? Talk to me!

What about LLMs?

Educators at all levels and in all disciplines are experimenting to try to figure out the long-term implications of large language models like ChatGPT, Claude, Gemini, Llama, etc. In computer science, we're also thinking about code generation tools like Cursor, Claude Code, Codex, Copilot, Windsurf, etc.

This term, let's look for and talk with each other about opportunities to use the LLMs to help us learn and do our work effectively. I want you learning, and if LLMs can help that to happen, I want us to collaborate to figure out how and share our ideas.

For this class, you may use LLMs as you see fit, but if you use output from an LLM in anything you submit as homework (or exam, etc.), I want you to tell me about it. So, if any of your submitted work includes any LLM output (verbatim or paraphrased), I require you to include a file called LLM.txt (or LLM-name-of-assignment.txt) (or .md, .docx, .pdf,...) with your submission. Your LLM.* file should consist of a sequence of sections, each of which describes a portion of your submission that came from LLM output. Each such section should include:

• What subset of your homework submission are we talking about?
• Which LLM did you use to generate that subset?
• What exact prompt(s) did you use to generate the output?
• Anything else you want to say.

One more thing: I'd love to see you share your stories of AI successes, failures, or madcap adventures. I have created a channel named #ai in our Slack workspace for this purpose.

Questions about this policy?—bring it up in #questions on Slack, raise it in class, or talk to me in office hours.

Slack

We will use a Slack workspace to share questions and answers, ideas, interesting security-related articles, etc. I have invited you via your Carleton email address to join the Slack group, so you should have received an invitation email by now. If not, let me know.

I recommend that you choose a way to check for Slack updates at least daily. Because I am part of several on-going Slack groups, I just keep the Slack desktop app running. Many of my students and other collaborators prefer the mobile Slack app, which is fine, too.

GitHub

We will use public GitHub repositories for homework submission. See the Week 1 lab on this subject for instructions on getting set up.

Rough schedule

The rough ordering of topics in the course is shown below. Independently of these topics, we'll slip in some attention to security history, current security news, and practice on developing your security mindset.

• Week 1: The "security mindset"; intro to TCP/IP network concepts; Kali Linux; Burp suite
• Weeks 2-4: Network security; authentication; cryptographic and networking concepts as needed; public key infrastructure (PKI); TLS; HTTPS
• Week 5: Ethical analysis; threat modeling; some relevant US laws; other conceptual frameworks. The first exam.
• Weeks 6-10: Miscellaneous topics; an exam; a final project
  • penetration testing (also known as pen-testing or ethical hacking)
  • web security, including session handling, SQL injection, cross-site scripting, cross-site request forgery, password management & cracking, etc.
  • secure programming
  • various types of malware
  • historically interesting hacks (e.g. Heartbleed, Notpetya, ILoveYou, the Morris Worm, SolarWinds, etc.)
  • social engineering
  • etc.