ASSIGNMENTs are due at 11:59PM on the date under which they appear. Submissions via GitHub.
Read/watch the READING/VIDEO items before class on the date under which they appear.
M Mar 28
- [READING] Course information
- [SURVEY] Please fill out this survey
- [OPTIONAL] Using git in CS338
- Class notes
W Mar 30
- [ASSIGNMENT] Setting up Slack, git, and Kali
- [READING] Inside the Twisted Mind of the Security Professional, by Bruce Schneier
- [READING] The Preface and Chapter 1 of Ross Anderson's Security Engineering, 2nd edition
- [VIDEO] (19:38) Brief introduction to HTTP
- Class notes
F Apr 1 (no fooling!)
- [ASSIGNMENT] A network tools scavenger hunt
- [READING] A note on ethics
- [VIDEO] (14:52) Why technologists need to get involved in public policy (Schneier)
- [READING] We’re Banning Facial Recognition. We’re Missing the Point. (Schneier)
- Class notes
M Apr 4
- [VIDEO] A brief introduction to Wireshark. (From spring 2021, when we were using VirtualBox instead of VMWare.)
- [ASSIGNMENT] Getting started with Wireshark
- Class notes
W Apr 6
- [VIDEO] (12:20) Reading technical specifications
- [READING] Sections 1, 1.1, 2, 2.1, and 2.2 of RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
- [READING] Section 4 and Section 5.5 in RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
- [READING] More Schneier: Policy vs. Technology
- Class notes
F Apr 8
- [ASSIGNMENT] HTTP's Basic Authentication: A Story
- [READING] Yet more Schneier (this time on privacy and surveillance): Surveillance Kills Freedom By Killing Experimentation and Security vs. Surveillance
- [READING] And even more Schneier (blockchain!): There's No Good Reason to Trust Blockchain Technology
- [VIDEO] (12:35) base64
- [JAMBOARD] Schneier questions
- Class notes
M Apr 11
- [READING] Chapter 5 of Anderson (Cryptography). I recommend skimming this, and then using it as a reference as needed.
- [READING] Study questions for cryptography
- [VIDEO] (25:54) Symmetric encryption
- [VIDEO] (21:40) Public-Key (Asymmetric) encryption
- [VIDEO] (9:32) Diffie-Hellman key exchange
- [LAB] Diffie-Hellman & RSA by hand
- Class notes
W Apr 13
- [ASSIGNMENT] Being Eve
- [TOMORROW] 4:00 Thursday, April 14, Weitz Cinema: "Technology, Security, and Society: A Conversation With Bruce Schneier"
- Class notes
F Apr 15
- [DON'T MISS IT] Bruce Schneier comes to class
M Apr 18
- [VIDEO] (33:41) Cryptographic hash functions
- Class notes
W Apr 20
- [ASSIGNMENT] What's in an SSH key file?
- Class notes
F Apr 22
M Apr 25
- [ASSIGNMENT] Cryptographic scenarios
- [READING] Public key infrastructure (Wikipedia)
- [READING] X.509 (Wikipedia). Goal: learn what a certificate is, and what it's for.
- [VIDEO] (25:00) Public Key Infrastructure (PKI)
- Class notes
- Slides (drawings (whatever))
W Apr 27
- Bring questions about the topics on the exam to class
- Slides
F Apr 29
- In-class exam
M May 2
- Woohoo, midterm break!
W May 4
- [READING] Threat Modeling Explained (blog post). Focus especially on STRIDE.
- [READING] The CIA Triad
- [READING] Is the CIA model still relevant? (2009 blog post)
- [READING] The Parkerian Hexad
- Class notes
F May 6
- [READING] Sections 8.2 and 8.3 of Anderson's Security Engineering, 2nd ed. Focus on the nature of security policy models, the Bell-LaPadula model, and the Biba model.
- [ASSIGNMENT] Threat modeling with STRIDE
- Class notes
M May 9
- [ASSIGNMENT (due T May 10)] Password cracking
- Class notes
W May 11
F May 13
- [ASSIGNMENT (due 1:00PM May 13)] Exam corrections
- [READING] The US Law section of Wikipedia's article on Anti-Circumvention (with focus on Section 1201 of the Digital Millennium Copyright Act)
- [READING] The first few paragraphs of the Overview of Wikipedia's article (on Section 512 of the Digital Millennium Copyright Act). Also, read the Criticism section of that same article.
- [READING] Lessons from 22 Years of the U.S. DMCA by Cory Doctorow
- (Want more Doctorow? Here's a recent essay about Disney's treatment of royalties. For short fiction, I recommend the story Unauthorized Bread.)
- Class notes
M May 16
- [ASSIGNMENT] Pen testing, part 1
- Class notes
- Slides
W May 18
F May 20
- [READING] Address Resolution Protocol (ARP)
- [ASSIGNMENT, due Sat 5/21] Person-in-the-Middle via ARP Spoofing
- [LAB] Pen testing, part 2: Metasploit
- Class notes
M May 23
- [READING] ACM Code of Ethics and Professional Conduct
- [READING] Explore the OWASP Top Ten to get a feel for the most common web security problems.
- [VIDEO] (22:09) SQL Injection
- [VIDEO] (15:48) Cross-Site Scripting
- Class notes
W May 25
- [ASSIGNMENT] Ethical analysis of a scenario
- [LAB] Cookies and Cross-Site Scripting (XSS)
- Class notes
F May 27
- [ASSIGNMENT, due Sat 5/28] A video about a historical security incident
- [VIDEO] (22:46) We're building a dystopia just to make people click on ads, a 2017 TED Talk by Zeynep Tufekci
- [READING] How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did, a 2012 article by Kashmir Hill
- [READING] (optional—maybe save it for the summer) One Nation, Tracked
- Class notes
M May 30
- [EXAM, 5:00PM June 6] The final take-home exam
- Class notes
W June 1
- [LAST CLASS] I have been at Carleton for 31 years: AMA
- Congratulations!
- Class notes
F June 3
Reading days office hours:
Thursday 11:00-11:55
Friday 10:00-12:00
Slack consultation available through the weekend, plus
ad hoc Zoom conversations if I'm available