Alright, so welcome everyone, just so that you know that you're in the right place. This is CSE 365. Anyone not in the right place? The doors are all around here, so feel free to just make your way out. I feel like it's still not on, but try clipping it up here. Okay, so basically today we're going to start off with basically kind of a getting to know you. We'll hopefully dive into some actual security stuff, so I'll introduce myself first and a little bit about what I do, what this class's purpose is, what the role is, some of the awesome people we have to help you be successful in the class, the TAs and undergrad TAs, and then we'll go over the syllabus, like we need to do, and finally we'll get into real stuff.

So for those that don't know me, I'm Adam Doupé. You can call me Adam please, or Dr. Doupé is fine too, I don't know, whatever you want, but I prefer Adam. I got my PhD at UC Santa Barbara in 2014, and there I really kind of, actually, well, the main way I got started is I did a five-year bachelor's/master's at UCSB, so similar to the four plus one program we have here at ASU, and after I graduated, I got a job at Microsoft up in Seattle as a software developer, and I was like, I'm never coming back to academia ever again, I'm gonna make tons of money, it's gonna be great. And actually it was great, so Microsoft was awesome, but while I was there, I kept working on my master's project, which is a paper that we had written, and I kind of fell in love with research, and I really wanted to do research, so I went back to UC Santa Barbara for my PhD, and I've been back in academia I guess ever since. And part of what drew me into security was playing Capture the Flags, which are CTF games. These are kind of ethical hacking games where you compete against other teams in order to break software in such a way that you're able to steal a piece of data called a flag, and that flag is proof that you were able to break the software. So I did that at UCSB with a team
called Shellphish, and then I kind of restarted this group called the Pwn Devils, so they actually have a CTF this weekend. We are fortunate that the president of the Pwn Devils is here, and so he's gonna tell you a little bit about it impromptu, so I didn't tell him he was gonna do this.

Hi everybody, this is also very impromptu. I'm Zion, I'm the captain of the Pwn Devils team, or the president. We do CTFs like Adam said, which allows us to kind of travel to the edges of the world. Just this year we got to go to Vietnam and Poland, and all of these trips are of course free. This weekend we're gonna be playing a CTF, so a CTF is kind of what Adam said, we're trying to steal a flag that proves you broke the software. Later in this class you guys are gonna kind of talk about how to pwn software, and on the Pwn Devils we teach you how to really start doing that, so if you guys would like to come down, we're doing it this Saturday at Brickyard on the fourth floor. Feel free to join our Slack; if you don't know how to get there, feel free to message Adam, oh, it's right there too, and also come and find me over here in the front, just hit me with your laptop and I'll write in the codes and we'll start hacking. All right, thank you, please come down, it'll be super fun, free food.

When did you start as the Pwn Devils? Oh, I started the Pwn Devils when I was a freshman, I joined it. How much did you know? Nothing, maybe like even less than you guys did. I joined here barely knowing what Linux was, and then freshman to junior now, I'm the captain. You can change a lot in just one year. Or a semester. Or a semester, or even a semester.
Cool, yeah, so please, these are kind of, if you really find yourself super interested in security, these are the kind of ways that you can really hone your skills and develop even industry relevant skills. Like we've had many people who go from the Pwn Devils to go working at the NSA, and part of the reason is they have on their resume that they played in CTFs, they know how to exploit crypto and binaries and all this kind of fun stuff.

Okay, so then the amazing people that will help you in this course. So Stephen is here, I'm going to save time, I'm not going to introduce everyone, but Stephen's here, he's great, he was our TA last semester, so he's intimately familiar with this material, he's going to make sure you have a great time. Arvind I don't think is here, unless he's here, stand up. Okay, you'll see him, and I'm going to mess up your name again even though we just covered this. Marzy is in the corner over there. So these are the people that are going to be helping you as TAs. We also have a number of undergrad TAs for this course, so if you're an undergrad TA please stand up, I think you may have, yeah, so this is Riley, he's going to be helping you. We'll have a number of other undergrad TAs, these are people who literally just took the course last semester, they are well primed to know what to do.
So a little bit more in the way of introduction about me. So part of what I do now is I'm a, I don't know, co-captain of this group called the Order of the Overflow, so we're a group that puts on essentially the Olympics of hacking. So this is a capture the flag competition that occurs every August, co-located with the DEF CON security conference, and for all of these CTFs throughout the year, the goal really for people is to qualify to participate in this final capture the flag event in Vegas, this DEF CON capture the flag. So we held this last event in August. In August it's a, the final event is a two and a half day event, I think it's a total of 24 hours, it's 10, 10 and 4 of actual game time, but to get there you actually had to qualify first. So there were six qualifying CTFs from around the world, so the winners of those CTFs automatically qualified for the finals, and then we had about 1200 teams that competed in our qualification event in May 2019. So these teams played a CTF that essentially had a board full of challenges, and the goal was click on that challenge, figure out what it says, maybe it's a piece of software that you need to analyze for vulnerabilities and then write an exploit against, maybe it's a crypto puzzle, maybe it's a, I'm trying to come up with examples, but the problem is we're preparing for this year, so I don't want to accidentally come up with an example that's going to be used. So this competition ran for 48 hours straight, so it's a 48 hour competition. So in the end, basically from the qualifying event, the top 16 teams qualified, so PPP was the team that qualified in first place and also ended up winning the competition; they are from Carnegie Mellon University. And so to give you, so we invite 16 teams to come physically compete, so this 1200 teams is all online, so we bring everybody in, each of the teams gets eight people around a table, and then they get a network cable that gives them access to the game,
and then we can start playing. So this I believe is a video, so this shows you, and on the second day kind of the cool thing we did is, we gave, questions that are going to date me, but we gave each of the teams an original Xbox, one that we had modded to play Doom when they connected it to our network. And what they had to do, we put bugs in this Doom game, so they had to basically figure out game hacks and find ways to actually kill, like beat everyone else for points. So this is one of the challenges, so this is people playing Doom running on an original Xbox, one that we gave them.

And so to give you a breadth of kind of what kind of skills and things people do at the Olympics of hacking: they hacked iOS apps, so an app like Telegram, they had to figure out vulnerabilities and write exploits for those. They hacked, everyone interested in deep learning? Nobody? Machine learning? I'm shocked, I thought that was like the hot topic that everyone wants to do. What do you want to do then, what's the hot topic? Get a job. Lisp machine. Security, obviously, that's what you want, okay, awesome. So deep learning models have a number of ways that they can be attacked, so you can, for instance, we had deep learning models that were trained to recognize a flag, and then just from that model, you could actually recover the flag that it was trained on by kind of pulling apart this neural network.

The challenge I worked on was a Lisp machine, so in the 80s, some folks at MIT created a machine that actually ran Lisp, technically Lisp microcode, but ran Lisp essentially on the CPU, so the entire operating system, everything was written in Lisp. And so I wrote a web server on top of that that the teams talked to, and then they had to reverse engineer, from a binary image of this Lisp machine, what the vulnerability was and exploit it.
The Doom running on Xbox, another cool thing, writing x86 code that would run no matter how many bits were flipped and actually do something useful. So in the end we had a long game, a lot of teams played, overall PPP, the Plaid Parliament of Pwning, so this is also the award ceremony at the end, they were the winners, they won. And their prize, so I don't know, what do you think a prize is for something like this? A million dollars? Unfortunately no, so I do not have a million dollars to give them, unfortunately. The conference I guess also does not yet, so it's not quite at the level of like eSports or something like that. But so A, they get something that's way more important than money, what's that? Yeah, the cred, the status, right, they get seen as the people who won, and they've won I think three out of the last four years or something, they've won a lot of these competitions, so they get seen as kind of the best hackers in the world. And they also get, from the DEF CON security conference, they get eight black badges, so these are badges that give you free access to the DEF CON conference for life, so they're super prestigious. Each year they're custom built, so you wear those around the conference, then everybody knows you're super cool because you have a black badge, and I think they just have collections of them now, they probably have just a trophy case that these black badges are stored in. Cool, any questions on this? Background, a little bit about me? No? Don't be shy, there's not a lot of us here. Cool.

All right, so a little bit to kind of get you situated on where you are inside, let's say, security at ASU, right, so where we are here. So if I know, I don't know if I should ask this, maybe I'll go later, who's here just because I have to take this class because it's required? Who is actually interested in security?
I appreciate that, I think a lot of you are lying, but that's okay. So depending on how this class goes, maybe you'll be more interested in security. So to go further in depth we have two undergraduate cybersecurity concentration programs, a B.S. in Computer Science and a B.S.E. in Computer Systems Engineering. This essentially allows you, on your degree, it will say concentration in cybersecurity. We also have three graduate programs, if you're interested in that, at the MS, MCS, and the PhD level. You can find out kind of more about that here. So essentially at the B.S. level you need a minimum of 15 credits in cybersecurity and related areas, and basically you can take, we have a number of security courses. This is in, well, sharp contrast to other universities, so many places are lucky if they have one security course; we have a number of them covering all kinds of different areas.

The goal of this course, to kind of situate it, is you're going to get a broad base into all areas of security, so you're going to understand what does security even mean, we're going to talk about things like access control, things like crypto, we're going to talk about crypto. We're not going to go super into depth in any of these things, but we're going to cover all the bases so that you basically won't embarrass me if you go out and interview for a security job after this class, so you'll understand everything you need to know. The other courses are designed to go more in depth into different areas. For instance, 466 with Yan Shoshitaishvili is much more focused on exploitation, so how can you analyze software for vulnerabilities quickly and automatically write exploits for those? Network security gets you more into networks, forensics gets you more into forensics, so you can kind of choose what courses you want to go to specialize in.
The other really interesting thing is that we have a, so the NSA and the Department of, so National Security Association, Agency, there we go, I knew it wasn't those other ones, okay, and the Department of Homeland Security basically have designated ASU and the Cybersecurity Program a National Center of Academic Excellence in Information Assurance Education. What this means, and a cool aspect of that is, let me pull this up, so on the center's website we have a nice thing, ignore that video, it's quite embarrassing, we have a really cool opportunity for students that's because of this accreditation. So if it was just like a, I don't know, a fancy certificate we can hang up somewhere, it probably wouldn't be worth it. The cool thing is we have a number of scholarships to give out to really good students who want to work and pursue this area.

So the basic idea is this is called a Scholarship for Service program, where the government will give you one year of tuition and stipends, and for every year of tuition and stipend that you get, you agree to go work for the government for a year after the fact. I believe it can cover two years of undergrad or master's, and you can do I think three total if you do like a four plus one, so you do two undergrad and one master's, I believe that works, but don't quote me on that. So it's actually, so a really great program for students. Yeah, so health insurance, travel to conferences, you do summer internships with a federal agency, so you can see what it's like to work at these places. A couple of caveats: you must be a US citizen or permanent resident, because you're going to go work for the federal government. A lot of these jobs, although not the majority, I mean, the majority of these jobs require a security clearance. And so you must be a full-time student, and have a good GPA.
The GPA thing is really about you being competitive, because you're going to be competing for these jobs; it's not a given that they just give you a job, you have to actually earn a job at an organization. So if you're interested, feel free to email me, I can send you this information, I can send you to more places, but this is a super cool way to essentially get paid to study security stuff and then do that in the industry. So then after you do your service, you're now well positioned to either continue working for the federal government or use your expertise and your access to a security clearance to become a consultant to earn a ton of money and to do consulting work. Any questions on that? I feel like I have to scan. Okay.

And now this class. So why do we go over the syllabus on the first class of essentially every class? Academic integrity's part of it? Yeah, what else? What is it? Yeah, the syllabus is essentially the contract between me and you, right? So I'm setting up my expectations for what I expect for the class, and essentially, by continuing to be in this class, you're agreeing to it. I don't know. I guess if you have any super big concerns, you should raise it now, but I'm willing to entertain any interesting ideas.

So the TAs and I will be hosting office hours. We'll specify the times and locations. We will try to make it so that office hours will be spread throughout the week so that you'll be able to get the help that you need when you can get it. Also, we're always available by appointment. So if you can't attend office hours, then feel free to reach out to us and we can try to figure out something that works. Okay. Sorry. Can you read this in the back? I should have asked first. Can you read it now in the back? You don't have to read it, read it. It's on the website. Okay. So basically, as I mentioned, the goal of this course is to cover all aspects of security. We're going to be touching on a lot of different areas.
And the kind of important thing I want you to think about, and one of the important takeaways, is that security is not just a technical concern, right? You have to understand the organization. You have to understand the business goals of whatever you're trying to secure and also think about maybe potential legal requirements, ethical issues, all of these kinds of things we really want to discuss.

There's a textbook that's recommended. So basically everything you need for this class I will cover in lecture, but you're totally free. This is a great book. So if you want, I have on the website mappings of lecture material to content in the book. So if you want to get the book and get somebody else's explanation of it, that's not me, I won't be offended. Feel free to do that. Okay.

Course communication. So before we talk about this, I want y'all to look around. Look around the room. There's 370 people enrolled in this course. There's a lot of people. There's very few of us, as you saw, right? So communication, and effective communication, is super important. So essentially we'll use, let's say this works. Yeah, okay. I haven't done anything here, but so essentially we used this last semester. I think it was pretty successful. We'll use the course Piazza as a discussion board for the course. So follow the link here, sign up. I will do all announcements through the course Piazza. We'll have all, so if you have a question, the best way to get an answer is to ask it on the course Piazza, and then, your other students should please help each other, and we can come in for tricky things, or if it's a question for us, right, that a student clearly can't answer. It's totally okay to help each other over concepts or things or discussions. Last semester was really successful. I think we got some really good communications on there. Okay.

Other important thing. Have you ever learned how to ask a question, beyond basic grammar?
Like of course, you know, I do phrase a sentence that ends in a, like, is a question, right? Hopefully, please. Okay. Highly recommend, if you've never read this article before: there are many different ways to ask a question about the same issue. Have you ever maybe got this from a friend or something that said, my code doesn't compile, here's a screenshot? Is it easy to answer that question? No. No, why not? You said no, right? Do you want to answer anyways? I don't know where the sound comes from in this room. It's great. Yeah, it's a needle in a haystack, and it doesn't provide any context of what it is you're trying to do specifically. So if you have an error, that means you're trying to do something, but whatever's happening is not what you expected it to be. Without understanding what you're trying to do, like, what are you trying to accomplish? Why do you think it is important? What steps have you taken to determine what the problem is, right? And then what error messages are you seeing, that aren't in a screenshot, because odds are what I'm going to do is copy and paste that into a Google search form just like you can do, and I'm trying to figure out what could possibly go wrong. Right. So this type of thing, this is going to be a skill that I highly recommend you start developing now, as you go out there to the workforce and you're part of a team. If you're known for sending these kinds of issues to your team, that is a bad look, right? You want to say, it's okay to ask for help when you're stuck. I'm not saying don't ask for help, but there's a good way to ask for help and for suggestions that highly, highly, highly increases the chances that you're doing something good or that you're going to get a response. And on Piazza, if you're going to include some source code or something, you can make the post private just to us so we can maybe see a snippet of code to see what's going on.
These are all tips that are super important and very helpful and will help us help you, because we want to help you. Any questions on asking questions? Make it a good question. No. All right. Covered that.

And the other thing that I think I know some students find a little bit frustrating with, at least a little bit of my style of teaching, is, so I've done this for a long time now. When you bring a problem to me, I'll probably know exactly what the problem is very quickly, because I've seen this 20 other times from other students. I will not tell you exactly what the problem is. Why? Because I'm a horrible monster. You're not going to learn anything. If I just keep telling you exactly what's wrong every time, you turn me into an oracle, where every time your code doesn't compile, you bring it to me and I have to point out the null-pointer exception that you're getting over here or whatever it is. The goal is for you to develop skills so that you can learn and think and solve the problems better yourself. So what I'll do is I will ask you questions to lead you in the direction of where I think the problem is. So maybe that line's funny. What's that line doing? What is that function doing? What's the documentation of that function saying? What arguments are they taking? What arguments are you passing in? Is it possible that this value is null here at this point in your program? Those kinds of things. And so I encourage you on the mailing list to think kind of similarly. So rather than all the time maybe just giving the exact solution to the problem, although sometimes that is fine, really think about it and maybe point them to resources that can help people solve their problems. Like, oh, I googled and it seems like this Stack Overflow post maybe is similar. And so then that helps people help themselves. Yeah, cool. Any questions on that? Asking questions. All right.

And a lot of this, some of the stuff that we do in this class is very kind of puzzle-based.
So solving security challenges, it's almost like a puzzle. So if you give someone straight up the answer, you're taking away the joy of them figuring it out for themselves, which I swear there is. So don't share solutions or answers. It's forbidden. We'll talk about plagiarism.

If you want to ask us a question, so I could have showed you, but my email box has essentially been overflowing for the last like two years. So every three months I'll do a "just archive everything," and then in three or four months I'm back up to like 500 unread emails, and it's just insane. So I will do my best to answer all of your emails. If you really have something for me, like, it's totally fine to communicate with me over email. If I don't reply to you right away, please follow up. So that's a way of ensuring that it goes to the top of my inbox. Other thing is, Piazza has a very nice private message feature that goes to just the TAs and myself. So we'll be the only ones that see that. So feel free to ask questions through there. It's much easier for us to respond on that. And finally, this happens frequently. So dealing with the, so if you think about the imbalance of the number of students versus the number of me and the number of TAs, right? So if you ask a question, it's highly likely somebody else has a similar question. So if it's not private in nature, then I will likely make a Piazza post out of that email. So it's usually better just to start with the Piazza post. That way we can start from there. And that should be good.

These are the topics we're going to cover. We're going to hit a lot of different areas. Kind of, what we hit depends on, my classes are more discussion based than kind of anything. So I never know exactly how long things are going to take. We may have time for web. We may not. Who knows? We'll see. But we'll get to a lot of this stuff. It'll be really fun. Okay. Cool. So evaluation. We're going to do homeworks.
So exams and in-class capture the flag competitions. So I'm still working out the logistics of how this will work. It's not going to be for another, I don't know, probably two months, maybe more. Basically, like midway towards the end of the semester, we'll have two in-class CTFs. That'll be super fun. It's essentially graded on a participation basis. So as long as we see that you're participating and doing stuff and, you know, it's not a who got first place or who didn't get first place, that I'm less concerned about. So more details will be forthcoming, but it should be a fun in-class way to hack on stuff. There'll probably be five to seven homework assignments, again, depending on how much stuff we cover, covering the material presented in class. There's a midterm. It'll cover everything discussed in the lectures up until that point and the assignments. No notes or outside material or devices will be allowed. There'll be the same thing for the final exam, which is comprehensive. I know in 14 weeks you will continually ask me this question. The final exam will be comprehensive, all the material of the course, with probably an emphasis on the second half that wasn't tested in the midterm. No notes, outside material, devices, nothing smarter than a pencil is the way I like to say that.

So the grading. So the midterm and final are each 15% of your grade. CTFs will be 5% and homework will be 65%. So the bulk of this class, I guess, is on the assignments, because this is where you actually apply it. So we can talk all day about concepts in lecture of breaking crypto or brute forcing hashes or finding vulnerabilities in software, but until you actually go do it, that's where the real meat is. So that's why the points here are in the homeworks. Questions on that? So these are the preliminary grade thresholds for each of these. What this means is that if you get a 93 or above, you're guaranteed an A. I'm not going to raise these thresholds, so it's not like an A would be 95%.
I reserve the right to lower them if I need to, so I may lower the A range to 92, or I think in a class like this there'll be so many people that I probably won't touch it, to be perfectly honest, because you'll all be right there, and if you start lowering it down, it's like, well, that person's close and that person's close, then all of a sudden there's like no place to put it. So just warning you now. So don't count on that. I also don't, I'll put this in here, I'm going to say it now, I'll update this, but I do not round any grades. So there'll be a number of opportunities throughout the course for extra credit. If you feel like you may be in a situation where you would like rounding, do the extra credit. Make sense? And I've had to reply to emails where somebody got like an 89.8. It's like, sorry, there's actually somebody who is 89.9, so it sucks. Questions on grading? Not a lot of questions in this class. I'm a little worried. Are we going to start calling randomly on people? Possibly. Yeah, it usually doesn't happen, but in the past where, let's say, one problem was very unclear or something like that, and so the top score was like a 95, so then I'd make 95 the new 100 and upgrade everyone's accordingly. So yeah, I always look at that, but it usually doesn't happen. But we'll see. Anything else? I feel like you guys are so far away on that side of the class. I'll try to walk over there. It's just weird. I don't have a clicker yet.

All right, homework due dates and exam dates. So I guess this gets into... So I'm experimenting this semester with using Canvas. I've never used it before. I usually always use the course website. So right now, there's just a link to this website on Canvas. I'm going to use Canvas for Gradescope integration and probably to give you your grades. I'm not 100% sure on that. We'll see. But essentially, everything you need will be on this website. So we'll post dates of midterms, finals, when assignments are due.
We will post all the lecture slides. They'll be up here. I will... I don't know why I say this, but I will try to record all of the lectures, which I am doing now. So I'll try to record all the lectures. What I'm recording, as you'll see from the videos, is the sound from this mic and the screen. So that's it. And I don't do anything. I just take it and throw it on YouTube. And I put a link on the website. So I don't know. My philosophy is essentially like, you're paying for this class. If you want to show up, show up. If you don't want to show up, I don't care. If you have a doctor's appointment and you have to miss class, I don't care. Just watch the video. I'll try, but it's no guarantee. So if technical things happen, I'm not going to re-deliver a lecture just because the recording crashed. But I will try. If there's any reading, that will be posted here; basically everything will be posted on the course website and announced in class and also announced on Piazza. Okay.

So basically, so for assignments, assignments are due at the date and time that they are due. You have plenty of time for assignments. So I don't really care if it's a little bit late. If it's late, basically for each day that it's late, it's a 20% deduction. So if you have a 100% assignment that you submit on the second day, then that's an 80%. And then the day after that, it'd be 60, and then go down another 20%. Your highest score, so I'm still setting it up. I'm going to try, well, I'm going to try something slightly new, but basically it'll be an auto-graded system to submit all of your stuff, and you'll get to know your grade right away. And it will always be the highest grade that you've ever gotten on that assignment that is your score. Questions on that? Yeah. Yep. If you submit late, then it doesn't matter. Your highest grade over all of your submissions will be your score for that assignment. Questions beyond that? Does RSS still even work? Are there any RSS readers?
Interesting. Okay, I'm seeing nods. So apparently, yes. Yeah, if you figure that out, let me know. Here we go. Okay. Folks registered with the DRC, happy to support all of that. So just register as normal, we'll work around whatever we need to work around. That's totally fine.

Okay, this is the least fun part of every semester. Well, I guess the second least fun part of every semester; the least fun part is when I have to write people up for plagiarism and cheating. That is the absolute worst part of my entire semester. So don't be the person or people that makes me do that. So consider this now the big scary warning. Don't do that. So you already all know basically what constitutes plagiarism and cheating. What does that essentially mean? You have an ASU student code of conduct and an ASU student academic integrity policy. Don't cheat. What does cheating mean? Yeah, so like, I don't know, to be perfectly honest, the way I think of it is like, I'm not asking you to do busy work, I'm asking you to do stuff that's going to actually help you in your career in the future. So we have a lot, you know, so it's really hard to cheat at your job or plagiarize at your job. You can get in serious trouble for IP issues and all kinds of issues. So, you know, we're trying to turn you into really good computer scientists who can go out and do awesome stuff. And this is how you do it, is by doing assignments, coding things, reading code, all that kind of stuff. So, but of course, I understand. So I too, when I code, am constantly googling for things and maybe taking a snippet from Stack Overflow or some website on how to do some certain thing, I understand. And that's totally fine. And I'm fine with this provided you cite your code. So just put a comment above that that says, hey, I got this from this Stack Overflow link. Perfect. Like that way, if it turns out that you and another student's code matches, you can say, oh, they used the same Stack Overflow thing. Great.
Your comment is, I found this on somebody's private Git or public GitHub account. And it's the entire assignment. Right. That's clearly not okay. So using any other student's code, past or current in this class, is a violation of the academic integrity policy. And there's a zero tolerance policy in this class: basically any violations of the academic integrity policy that we discover will result in a zero on that assignment. And you will also be reported to the dean's office. So the dean's office keeps a list of all the people who've plagiarized on an assignment. So the first time, basically you meet with somebody in the dean's office who explains everything that's going on, you sign a thing, you have the ability to appeal if you want to. And then you get put on this list. And then if it happens again, that's when the penalties increase significantly to like expulsion or, yeah, all kinds of really bad stuff. And if you ask me, well, how do I know exactly how this process works? Because I've done it 27 times. So you submit code to us. I've seen all kinds of things. I've seen students submit code with ASU names and ASU IDs of other students still in the comments. I've seen stuff where people try to change it around a bit, but it still matches. And it's very easy to tell that it's exactly the same. You know, I've seen literally all kinds of stuff. If you ask me, I can tell you more stories, but so don't be that person. I don't want to have to do it. So just don't do it. I'll be happier for it. You'll be better students.

The thing I will say is I understand a lot of times, as much as I would want you not to, students often wait till the last days or minutes or hours to start an assignment. And then by that point, they realize it's more difficult than they thought it was. It's going to take them more time. And they're under all this pressure to get an A.
Maybe they have a scholarship that's going to go away. I think I'm going to get an A in this course or whatever. And so then they end up copying somebody's code. And so I've seen all of those. I've had all of those excuses and all of those people still got written up and reported and all of that. And because, I don't really, honestly, if you're going to do terrible work and plagiarize and not learn on your own, then that's I guess your prerogative in some sense. The problem is the other students who work super hard on their assignments and get a C, even though they spent, you know, 40 hours on the assignment and are in my office hours every week. You know, it's not fair to those students that you get an A because you cheated, but they took the C and they took their hits. And so I'm just trying to make things fair. This is how we do that.

So some examples. These are just examples; they're not limited to this: sharing code with a fellow student, collaborating on code with a fellow student, submitting another student's code as your own, submitting a prior student's code as your own, and even sharing another, submitting some of those with a, posting your code online. So this is another problem that I run into often. So why do you think people, or if you have, why do people post assignments on something like GitHub? Does it show experience to your employers? Yeah, it shows experience to your employers. What experience is it showing? Don't do it. So it shows something. But this is the problem. So put yourself in the mindset of a recruiter for a company, or like what I've done for Microsoft is I would go to campuses and try to recruit people. So one of the things I ask is, oh, what have you done outside of class? Why are employers interested in that question? Yeah, it shows that you're motivated. What else? Yeah, initiative. What else? Jack Jay. Jack Jay, do you like to code? Yeah, do you like to code? Yeah, what else?
It shows you've done something that hundreds of other people have. Right, literally, not even hundreds, like thousands of other people. So if you think about all the computer scientists across the country at all these institutions, they're all doing assignments like this. No employer actually cares that you wrote a compiler. Like literally everyone through a CS program does that, right? The assignments in this class are the same way. They're not at the level that's going to impress an employer, trust me. They're literally junior level assignments, right? So what employers are interested in is what are you doing outside of that, right? What are you coding? What apps are you making? What websites are you developing on your own that are different and outside of your curriculum? Just like when applying to schools they want to see what extracurriculars you're doing, right? Because everyone does the normal course stuff. They want to know what other stuff you're doing. So this is why it's, I mean, it's against the academic integrity policy to post your code online. And this is something that we and the department search for. I understand the need or the want to put your code in a repository like GitHub. I think that's totally cool. But now I think you can have unlimited GitHub private repos and there's even a student pack where you can get like paid GitHub which gives you more stuff. So there's really no excuse and no reason to have your code from the assignments online.

Any questions on plagiarism and cheating? Yes. If posting your code online is forbidden, then what's the policy on posting a snippet to something like Stack Overflow? Interesting. That's one of those things that depends more, right? I mean, is a snippet like three lines of just how to iterate over an array because it's not working? Like that I think would be fine. But if your question is essentially the assignment description, then that's a problem.
And then if your code is also what you've done for the assignment. People on Stack Overflow are usually pretty good at sniffing out if this is a homework assignment question and you'll likely get very few responses. So use your judgment, I think, is the best part. And I think, you know, we've seen a lot of these similar problems, so ask us, I think, would be my response. Presumably your code's on Stack Overflow because it's broken, right? So it's probably not a good base to start from. Any other questions? Concerns? Comments? Cool. All right, so of us. Anything else we need to talk about? Yeah. I'd like to not force you to use a specific language, so a lot of the assignments, well not a lot, but the assignments, I'll let you do it in whatever you want and I'll show you, we'll work on mechanisms of how that all works. Well, you're very good at assigning a way to produce makefiles that will build these things and be able to execute them, all this kind of stuff. Yeah, so Kali Linux is essentially a version of Linux that's used for pen testing. It has a lot of pen testing tools already installed on it. I've used it in the past, I've done pen testing engagements. I don't use it like normally day-to-day. I use it for that mostly. And like remote medics that change that. Honors contracts for this club? No, no honors contracts. DuPay is, I believe, a French name, I think. At least that's the family, I think it's like French Canadian, which probably comes from France? I don't know. I have no idea. All right, anything else? Yep. Oh, what languages do I know? How do you define know? Like know well enough to like... Ooh, that's a tricky question. Well, I'll say this: my main language is Python. So like, for instance, I wrote all of the game code for the DEF CON attack-defense system. So database and database API and all the different components that need to work together to make the game work. All that's in Python 3.
I guess I just recently, a year and a half ago, made the switch to Python 3. All of my old code is in Python 2. Let's see. I mean, I enjoy programming in C. I think C is a very fun, really awesome low-level language to code in. C++ I have literally not done since my undergrad. So professionally I did C# development. So all of my stuff at Microsoft was C# and I've done a research project in that. I really like weird and esoteric languages, so I did a research project in OCaml 1. No no no, that's not right. Yeah, OCaml. Okay, it was okay. And I really like Haskell. I like Lisp-like languages too. I don't know. I kind of like different languages. JavaScript, although that's a really annoying one. But Ruby. I guess I did a lot of Ruby on Rails back in the day. I don't know. Also, this is the thing with security: you have to read a lot of other languages. So you'll have some challenge that's written in Lua. And you'll have to be able to read Lua code to understand what it does, or Perl, which is insane to understand. So yeah, you should definitely be learning different programming languages. I think that's useful. Anything else? Cool.

Okay, so that's the intro. Let's get into real stuff now. First thing we're going to talk about: what is security? Ability. Ability. I don't know, the ability to stop outside interference. It could be possible. So the ability to stop outside interference. So within there you have a notion of like a differentiation between the inside and outside. Right. And interference. Cool. What else could come here? I'm going to refer to you in the regions. Yeah. Are these slides posted on the left side? These ones are not. I didn't know if we'd get to them or not. But there's not a lot of content. It's more of a discussion. Whatever it takes to get software to run as intended. Oh, okay. Whatever it takes to get the software to run as intended. Interesting. So why is running as intended important? A solution.
And I wanted it to run with the parties that I wanted it to run with, in the way that I wanted it to run, and not in an unpredictable manner. Okay. So yeah. So you wanted the software to run in the manner that it was developed for and for who it was intended to be used by. Yeah. That sounds way better when you check. Getting rid of. So security is getting rid of vulnerability. So if there's a known problem, then it is important to get rid of it.

So what are some examples of these kinds of things? So maybe let's try and be more concrete. A wall in what sense? So what part of things? Why is that equal? Yeah. So a brick wall keeps outside threats out and inside threats in. How do you move from one to the other? A door? So maybe a door, and how do you, to that example, to the other example, how do you prevent unwanted people from moving inside to outside? A lock and key. Yeah. So then what does that mean then? So in this scenario, you're protecting your essentially personal security, right? Or physical security, we can say, by building walls and a door with a lock that has a key so that only people that have access to that key can access it. So what would be some known vulnerabilities with that system? A ladder? Yeah. We didn't talk about a roof. So they put a ladder up and walked over and then got in. Yeah. Someone could lose the key? Yeah, you could lose the key and get locked out of your own little, I don't want to call it a house because it's not very sad. So lockpicking would be essentially somebody who does not have a key being able to get access into the house by attacking the lock. Key duplication. So how can you make copies of keys? You can literally just go to Home Depot, there's machines, you're not going to have to talk to a person. You can go there and make a copy of the key. What else? The stroke of entry, so like smashing the wall? Yeah, you can, somebody can smash the wall or the door or the lock. Yeah. Tell me anything. Tell me anything.
So waiting for somebody else to go in, and you're living in like an apartment complex that has like a key to get into the complex itself. Do you often let people come in, mind you? Yes, because you're a polite person. This side not it, this side did not. I don't know why. Yeah, but you're actually violating the security properties of that facility, right? You don't know whether that person is supposed to be in there or not. You don't know if they're going to rob somebody's house. You now let them pass the security barrier without checking or verifying anything. Yeah. Yeah, maybe essentially lockpicking is kind of that, one by one with pins. I don't know, I'm not a very, I'm not even a good lock picker. Yeah, but that's kind of the philosophy behind that. Yeah. Can you just trick someone to give you access, right? Like maybe pretend to be the owner and call a locksmith who then comes and lets you into this house. Yeah. Pretending you're someone with a key? Pretending you're someone with a key? Yeah, so yeah, or so thinking about keys themselves, crazy things. People can take a picture of a key and then you have a, I guess I'll show you mine. Don't take a picture of my key. I'll actually take a seat. So essentially the ridges on this key, right, correspond to, are how, what essentially unlocks the door. So if these ridges are not correct, your key is not going to go in and it's not going to be able to turn the lock. So if you were to take a picture of this, probably even with like iPhones or phones nowadays, you could fabricate a key. So you could then make a copy of somebody's key just from a photograph of the key and not from the actual key itself. Other ways I've heard about this is, I guess I'm thinking of prison movies for some reason, is like pushing the key into a bar of soap and then that gives you the ridges. So you can make a copy key based on the imprint of that key.
So if you have access to a key very quickly, you can make an imprint, like a mold almost, and then put the key back so nobody knows that you took that, and have that. I think it was one of the big newspapers. I think it was maybe the New York Times doing a story on, I think it was the MTA, so like the subway system in New York. They have these skeleton keys that give the maintenance access to any room, or maybe it was the firefighters' keys or something, and they published a picture, like a high quality picture of these keys. So they had to completely change that because now literally anyone could make one of those keys.

So these are all aspects in thinking about security. So what do all of these things have in common? Because we started talking about software and then we started talking about building a crazy house thing around us to mediate outside threats versus inside threats. So what are some of the things that they have in common? Vulnerabilities. Vulnerabilities, so vulnerabilities in this would mean what? Weak spots, right? Or ways to subvert the security of the system. Yeah, you don't have in common that there's actually somebody that wants to get into murder. Right, there's an adversary that wants to, let's say at a little higher level, wants to violate the security of our system. Right, so in one case it's breaking into our house, in another case maybe breaking into a software system. Right, but there's some adversary, an active adversary that's doing that. An entry point, so there's ways that people can get in, although, is there just one entry point? Do we talk about all the examples in our wallet table? Think about all the entry points we talked about, right? We talked about the front door. We also talked about blowing a hole in the wall. We talked about using a ladder to go over the wall. What else did we talk about? A tunnel, digging a tunnel underneath and popping up. Uh, magically teleporting into the place.
Right, so these are all, okay, so these are all good. Okay, yeah, so these are all good examples that we can already draw off of our normal experiences to try to understand what is security, what are vulnerabilities. The way we think of security is we try to kind of classify security problems into three different areas. And we've touched on a lot of these, so the first one being essentially confidentiality, which essentially means keeping things that are supposed to be secret, secret, right? Or another way to think of this is only the people that should know about this thing know about this thing. Right, so what are some examples of confidentiality that you've seen, or that are maybe important to you? Your social security number, why is that important to be confidential? Identity theft, yeah, if you're so, if I have your name, your social security number, and maybe a few other pieces of information about you, I can go open a loan in your name. Right, which you're actually now on the hook for until you can prove that it wasn't you. And you may not know about that for years, until I take that $10,000 out of that loan, I'm never gonna pay it, and I'm $10,000 richer, and you have this loan attached to your name. I can open up credit cards in your name. What else, what other confidential things? Everyone got real quiet after that. Medical records, yeah, why is it important to keep medical records quiet? Or confidential? Insurance, insurance, in what sense? Yeah, so you want to keep maybe your medical condition private from your, maybe your insurer, maybe your employer, who can take action against you based on your medical condition? Yeah, there's entire laws governing the collection of medical information. What else? Your password is supposed to be confidential. Yeah, so like the password to your MyASU, why is that very important for me to keep confidential?
Change periods, you can just give yourself an A right now and just like sit back the rest of the semester, right? I think that somebody would know that. Would you give a question for that? I would definitely not, no, that would be, I will give you plenty of opportunities to exercise your adversarial skills in an ethical setting, so therefore going outside of that and doing something outside of there is very unethical. I've actually had students who have done that. Yeah, I can tell you that story later. Cool, so all of these are attacks on confidentiality. What about your phone? Is there anything confidential on your phone? I see a lot of people's eyes getting bigger. Yeah, pictures, text messages, location data, where you've been, literally since you've owned that device, every place you've been. There is a great story of a, I don't even know if it's so popular, Pokemon Go? Have you heard about Pokemon Go? There is a great story about a woman catching her boyfriend cheating because he caught a Pokemon at his ex-girlfriend's place.

Right, so some aspects of confidentiality which we'll cover: access control. So this literally is what we're talking about with the door and keys. Who can get access to a room? You can think about MyASU. How does MyASU know me from you from anyone else? We're going to go into this more in depth. We'll also cover encryption, so encryption is another way that I can ensure that a piece of data can only be read by people with the key, the right key. And we'll cover that, we'll cover how to break it, all fun stuff.

One thing we didn't necessarily, I don't think, touch on as much. So what about something like integrity? So that, let's say, data or things are only changed by people or things that should change them. Are you concerned at all about the integrity of your bank account? Well, some of you, it depends on how much is in there, right?
But if you, you know, and if you're concerned all in a certain place, if you woke up and there's an extra $10,000 in there, you probably wouldn't be super concerned, right? But if you woke up and there was $0 in there, then you'd be very concerned, right, of where that came from, who made that change. So the integrity of data, what are some other areas where integrity of data is important? Facebook? Yeah, why? Oh, it's not important. Oh, it's not important? Yeah. Well, if somebody was just able to modify your Facebook profile to be whatever they wanted it to be, right, that could be maybe even a reputation attack against you and that would be something not wanted. Yeah, in the back. Databases. Databases, yeah, what kind of databases? Like research teams. Yeah, finances, or what about your social security records? There's a great scene in, it must be Hackers, in a movie where they change somebody to be deceased in a database, right? So it's Hackers, yeah. And so imagine now you go to ASU to get your financial aid and they're like, oh, sorry, you're dead. Like, you can't have this financial aid. You know, that sucks, that's a huge hole to move out of. What other integrity things are important? Yeah. Grades. Grades. Why are those important? It sucks if it's lower than it should be, right? Your search history, the integrity of that. Now, why is that important? It also has a commonality, but yeah, what if somebody's trying to frame you for murder, right? And so they're able to insert things like how to hide a dead body in your search history, which by the way, the government can subpoena Google for, in a very good case, they do that all the time and they get access to all your search history. They say, huh, right after this person was murdered, there was a Google search of how to hide a dead body. Very suspicious. Yeah. Okay, yeah, so integrity, phone number, we'll get into that in the background on authentication. Grades. Cool.
So we'll look into different ways to kind of prevent data from being modified or detecting when data and when things have been modified. Those are super important. We're doing good. Cool.

Okay. Last one is something we haven't really talked about a lot, although when we talked about what is security, we talked about the problems of losing a key. Why is losing a key a security problem? Let's say we, say we know our controller, let's say we accidentally drop a key in a vat of molten something and it's melted, right, it's completely gone. So we know that it wouldn't be stolen, but now what's the security problem? Yeah, we are locked out of our own house, if you want, like in this scenario, right? So we're locked out of the system. We can't use the system. What are other ways that not being able to use a system could be a security problem? You have to open it up to let yourself in, in a way that it shouldn't be. Yeah, so then we have to think like an attacker and break our way in, right? Anyone ever break into their own apartment or house? Yeah, it's amazing how you start thinking like an attacker, right? And you're like, oh, that tree is really close to the window. And I know I didn't lock that window. So if I can get into that tree, I can go to the second story and then open the window and then get in the house that way, right? Or you start realizing how easy it is to take off all of those plastic, like the mesh things in front of the windows, right? And then try to just slide the windows and open them up. Actually, a little bit of a tangent, but that's what we're trying to develop for you in this class, that adversarial mindset of how do I break this? How do I break into things? So it's very important. So what about, so yeah, so then this gets into kind of the third area of security. So this is what we call the CIA triad. It's very easy to remember. CIA: confidentiality, integrity, availability.
Literally, I've had multiple people tell me that this is one of the first questions they get asked in a security interview. So this is something to definitely remember. And it's important to think about because now, if you're asked to kind of analyze the security of a system, you can start thinking about it through these three lenses, right? What are potential problems against confidentiality? What are potential problems against integrity? And what are potential problems against availability?

So some of the things we'll end up talking about in this class is denial of service attacks. So what's the problem if you were able to take down Amazon for a half hour? Is that a security problem? Yes, why? A massive loss of income. I don't know what it is. You can probably look it up. We're talking of multiple millions of dollars. I mean, a half hour is a long time for a site like Amazon. But if people aren't able to, so what happens is oftentimes, but why is it difficult to take down Amazon? Yeah, they're huge. We'll get into it when we talk about denial of service, but they are very big, right? What if I targeted a medium-sized company? And their website went down for 15 minutes. They lost a million dollars in revenue, or even whatever, $500,000. And then they got an email from me saying, oh, it sucks that your website's down. Lucky for you, I'm in the business of, let's say, anti-denial of service. And so if you pay me $10,000 in Bitcoin, I'll make sure that your website gets back up. And to prove to you that that's true, your website will be up now, but it will probably be down in another 10 minutes. So I can stop my denial of service attack. The website goes back up. 10 minutes later, I launch my attack again, and I send a follow-up email. It says, here's my Bitcoin address. I would like $10,000 in Bitcoin. And these are things that actually happen. I mean, people do these kinds of stuff.
So it's important to be thinking about all aspects of this. And so what are some... So we talked about what is security. We talked about vulnerabilities. We talked about this a little bit. One of these key aspects of security is what threats are there against our system. So does every system suffer from the same threats? No? Sometimes? Okay. Let's think about a system, not necessarily the security around the system. We'll talk about that itself a little bit more. Let's think about this. How secure is your apartment or home? Secure-ish. You lock the door and you leave. Anybody have a security system? Some people? An angry dog? It's good. Yeah. Do you think if you were Bill Gates, you would secure your house differently? Why? Okay. One is more resources. Sure. Yeah? So, but think about a person. You're worth $10 million. So you can, but why do you do that? Right? So yeah, you can hire additional people. You can do all this stuff. But why? This morning. You're a more visible target and therefore you're subject to different threats than you are as a student nobody knows about. So threats, the important thing to think about is even under the same, let's say, scenario of securing a home, the threats are different based on the context of whose home it is, right? So these are important things to keep in mind when designing and talking about the security of a system. What are the potential threats against this system? You know, think about banks, which have pretty good security. Things like Fort Knox have higher levels of security, and things like nuclear launch stations have very high levels of security, right? So all of these are all dependent on what the threats are. What other threats are we worried about in not just those scenarios, but scenarios that we've talked about today? From place and see. So yeah, why is that a threat? Yeah, so just because, so you said you haven't locked your door because nobody's ever broken into your house.
Some of you got it. That kind of mindset happens a lot, especially in companies. In companies, it's a little more complicated because the security workers may not be getting the resources they need, because other management has some kind of mindset of, well, we haven't been attacked or nobody has broken into our data. And then it happens, though, and it's a national story and a huge problem. And all of our data gets leaked.

What are the threats? What about your phone? I like thinking about phones. Yeah, so this is actually a, so secure facilities have randomized pin code things to prevent against this. But yeah, if you ever look at your phone after you've typed in your passcode, right, you have smudge marks, like on all of the places where you touched, so somebody can look at that and probably guess what your passcode is or narrow it down significantly. What else? Oh, SIM card swap. Yeah, that's a really bad one. Does everybody know what that is? So a SIM card swap, right? What gives you access to your phone number is your SIM card. So in a SIM card swap, essentially, people call your carrier, pretend they're you and that it's your phone number, and say that they've got a new SIM card and they need to activate it with your number and deactivate the old one. Why do people do this attack? Why do they care about your phone number? Your two factor authentication? Yes, your two factor authentication token, which is usually enabled on high value things. I actually had a student in my class a couple years ago that had their Coinbase account, where they had Bitcoin stored, because somebody did a SIM swapping attack against them and was able to get the two factor authentication token and log in as them. That's crazy. What else with the phone? Are you worried about sleeping? This is something we used to do to mess with people in our lab. They would fall asleep in the lab, so we'd take their phone and unlock their phone. Right? No, nobody's done that.
Okay, so yeah, there's a number of ways we can kind of classify threats. This is good to start here. I'll see everybody on Thursday and you'll have your first assignment on Thursday.