Okay. I think we're good to get started. Thanks everyone for being here today. This is the course, right? Make sure we're all both in the same place. Everyone here and me. Cool. For those that weren't here for my pre-announcement, so I lost my VGA to USB-C adapter, so I am presenting off this screen what you're seeing here, and I'm recording off of this screen, so I'm going to try to keep them in sync. But there may be weirdness just for those of you who are watching online. So good afternoon, I guess, since it's technically right after noon, everyone. Thank you for being here and not being at lunch. This is Introduction to Information Assurance, CSE 365. As you may know, this course 365 is new at this level, at the 300 level. It used to be a 400 level course. I'll talk about why we made that change in a little bit. But first, I'd like to introduce myself to you all. Has anyone here taken a class from me? Who? Only one of you. Oh, you guys are in for a fun surprise. I'm just kidding. Okay, so I'm Adam Doupé. I did my PhD at UC Santa Barbara. I actually have all three of my degrees from UCSB. I did undergrad there, and then I did their equivalent of a 4 plus 1 program, so I got a master's in the additional year. After that, I said I am so tired of academia, I am going to go work and make a lot of money. So I had a full-time job at Microsoft as an SDE, a software developer engineer. And I was there about a year before I realized I really missed doing research and doing kind of crazy cool novel things that nobody's ever done. So I went back to UCSB for my PhD. After I finished that, I ended up here at Arizona State University where I've been for now, I guess, four years. This is my fifth year. Wow, I feel real old. So my research is on basically all kind of areas of system security. So trying to understand and analyze the security of a system to build systems to solve security problems.
My PhD was on automated web vulnerability analysis, so how can you create tools that either analyze the source code of a web application and say there's a possible cross-site scripting vulnerability here? Or black box tools that have no idea about source code and you just point them to a web application and say find me all the vulnerabilities. Since then, I've expanded into a lot of areas. I'm interested in Android security, SDN security. Really, if it's cool, I'm kind of into it. I'm also a big capture-the-flag player, so I started playing capture-the-flag, and that's actually really how I became honestly a security professor is I took an undergraduate security course with a professor at UCSB. He invited me to join their hacking team and then from there it kind of snowballed into doing research with him, doing a PhD. For those that don't know, so capture-the-flag contests are essentially, you can think of them as little puzzles. So it's like a security puzzle that you have to solve, usually in the form of a program. There's some intentional vulnerability, which is the puzzle aspect. And then you have to analyze the program, find the vulnerability, write an exploit that steals a flag that you shouldn't be able to capture, and then you deliver that flag to the game organizers as proof that you actually broke that service. So I started playing my CTF days with UCSB's team, Shellphish. They're one of the top teams. I think they're probably top 20-ish in the world. They won the Olympics of hacking in, I think, 2008, which I'll talk about in a second. I want to put this advocate there. We're actually under the... So I'm the faculty leader of the group, the pwndevils. They have student presidents, vice presidents, and everything. They're organizing a really big introduction meeting actually today at 4 p.m. So if any of this stuff already, you're wondering how can I get into more hands-on security stuff? This is the way to do it.
So we actually have a meeting tonight, and then we have our first CTF that we're playing in this weekend, which is super cool. So it's open to everyone at all skill levels. The current president, Will Gibbs, he started... He joined the group when he was a freshman and knew literally nothing, and then he learned on his own, and then after a year said, I want to make this a student group, and I said, okay, do it. He drafted a constitution, and now it's like an official student organization that he runs. So as long as you're willing to put in the time and the effort, really anyone can get into the security stuff. And this is the website, which I'll try to click through right now, which definitely is not going to work. Okay, since I'm on a different computer, I have no idea what's going to happen when I do this. That's my Dropbox. I'm awesome that that's on there. Cool. So you can come here. You can learn about our meeting times. We have a mailing list. We have a Slack. You have an ASU email. You can just join our Slack. Come out. Say hi. We have some really cool stuff, and we also have what I actually really like here. We'll create this How to Hack page, which talks about binary exploitation. So it kind of walks you through some of the basics. It even has a working stack layout, which is cool. Any questions on that? I have a question for you. That's something that I want. Any questions? We're going to be together for 15 weeks, so we might as well get to know each other. Have there been any seniors who have taken this class? This class? Yeah. Well, technically this class is brand new, so no, because 365 has never been taught before. So it used to be 465, and so a lot of the material and content is going to overlap significantly with 465. But it will be a little bit, I won't say watered down. It won't be quite as difficult. Like the difficulty won't be insane. So it should be appropriate for your level, but this is something I could use feedback on. 
This is going to be cool. And now I'd like to introduce our awesome TA, Ferris, you want to stand up, Wave? So you shouldn't mess with Ferris. He spent three weeks in the Turkish army this summer as part of mandatory military service. So he knows how to salute. He knows how to make a bed with no creases. Do you have any questions about that? I feel free. Is that true? No? Your bed is creased, man? And wrinkled. Okay, cool. So Ferris, no wrinkles. Okay, yeah, no wrinkles, no wrinkles. So Ferris is a PhD student at ASU. He started as a master's student, got him all the research, and then decided to continue on with his PhD. Do you want to tell people about your research at a high level? Currently, I'm working on a quality research study. And where I conduct interviews with professionals from the industry, regarding security operations centers, and I analyze those verbal data that I collect to find some conclusions about it. So limitations about the security operations centers. Right, so a lot of organizations have this Security Operations Center where they look at alerts in a network and say, is there like an antivirus alert, or did one of our intrusion detection systems just alert, and then they need to do something about it. But us as academics, we try to come up with cool, crazy new ways to solve that, but we don't actually know what their real problems are. So Ferris is out there doing interviews with people, essentially labeling the interviews. I don't want to introduce the coding word, which gets confusing. So Ferris is going to be our TA for this. He's super awesome. He's really into the security stuff. So he's going to be a great asset for everyone. Cool. Questions about Ferris? Cool. So I want to tell you about something that just happened last week. So I was part of a team. So when I mentioned Capture the Flag, so DEF CON is a security conference that happens every year in the summer in Las Vegas. 
This year, I actually have no idea how many attendees there were this year, because I was so out of it. There's a lot of people that go, and one of the main events there is DEF CON CTF, so Capture the Flag. And this is an in-person, invite-only, like qualification-based event where we host qualifications in, I think, May. This year, the top 24 teams were invited to come to Vegas in person, so teams from around the world. We had an Italian team that flew 40 people to Vegas to play. It was really cool. So I was part of the team that organized this as part of the Order of the Overflow. Three of the professors here at ASU, me, John, and Tiffany are part of the Order and spent literally our entire summer doing nothing but prepping for this game. Because it turns out when you invite 24 of the top hacking teams in the world to play a game, you need to make sure infrastructure is actually really well done as well. So they did find some bugs in our infrastructure, but luckily they weren't game-breaking bugs, and nobody was able to break the game that way. So this is a little picture to kind of give you an idea. So even though each of these teams has 40 or 50 people playing, they actually are limited by space of only having eight people. So we were in this organizer table in the middle. There was 24 kind of eight pods of a rectangle table where each of the teams would be. We had to lay ethernet cable from us to every team, which is absolutely terrible. I don't know if you've ever had to tape it down. And then we did it once, and then in the morning they said the fire marshal was there. Everything needs to be taped down three times. So one in the middle and two on the sides, not just one. So they had to retape everything. It was a very big learning process in terms of doing all of this kind of stuff. But the teams played for 48 hours total. So it was Friday competition had 10 hours. So it was 10 a.m. to 6 p.m. Saturday. And then after that we closed down, shut down the game.
They all had to go home, but they would continue working on stuff overnight. The next day 10 a.m. to 8 p.m. again. And then four hours the next day on Sunday. So they actually played for a total of 24 hours. And then this was us at the closing ceremonies of DEF CON announcing the winners. So the winners didn't actually know at the end who won. So the teams three through one were all there. And so we announced, and so this is, you probably can't, maybe it's a good thing you can't see, but I think at this point I'd slept for like nine or 10 hours since Thursday morning. And this was like Sunday at 4 p.m. Just fixing bugs in the game stuff. So if you look, everyone up on stage is kind of like out of it a little bit. And that's why. But it was a super fun event. A team from that's composed of academics and industry people, mostly based in Korea, but also in Georgia Tech. DEFKOR00T, they won. And so the question is what proper prize can you give the top hackers in the world? So what they did was one of, this projector's not very good. Do you see this badge here that this person's wearing? So this is a very special black badge. So the winning team gets eight of these black badges, which means they get free entry to DEF CON conference for the rest of their life for winning this event. And that's, you get bragging rights and you get this and you get nothing else. And that's to thank you for playing. So it's actually pretty, it's pretty crazy, pretty incredible. They were really stoked and they were really good. So you talk about like top team, like they submitted I think 500 more flags than the second place team or something insane like that. Like they are insanely good. Cool. Any questions on this? So I'll give you guys a little background about what I've been up to this summer. Wait, did these teams come from all over the world? Yep. So our qualification event was open to everyone. We had 600 teams play and that was 48 hours straight.
So we started that on a Friday, ended on a Sunday. And teams from all over the world played. The top 24 were invited to come to DEF CON to play in the finals. Yeah, it's like organizing. Yeah, so our role was not just organizing, but creating each of the puzzles. So it'd be like, I don't know, sports analogies aren't great. We're part, they're officials because whatever we say goes, if we say like at one point teams were making too many requests to the network. So we started unplugging their cables and saying you guys need to turn down your scripts, otherwise we will just cut your cable completely. So we're part referees, but at the same time it's like building kind of like an obstacle course in some sense. We have to build it custom from scratch so the teams don't know what's coming. All of the services are written like 100% from scratch, so it's not like we don't take something like Chrome and be like, okay, now pwn Chrome. It's like we create this puzzle that has one or more vulnerabilities that we intentionally put in and then they have to analyze, usually at the binary level, engineer it, identify the vulnerabilities and then launch exploits of all the other 23 teams to steal their flags. I'm on the hook for this for like two more years at least, so next time I'm going to sleep more. Okay, so before we get started, I want to introduce you to all the cool security stuff we have at ASU because students constantly are coming to me saying, hey, how can I get involved with security? So one good way is the pwndevils. I don't think I mentioned it, but a lot of the students will go to those meetings, go to capture the flags, play, learn, and then go out and get jobs like in the real world. So we have students that got jobs at the NSA and other government organizations that now they can't tell me what they do, but it was really because they said that they played these capture the flag games. Cool, so we have actually... Ah, yes.
Okay, we have two undergraduate cybersecurity concentration programs. This is a new thing. It used to be information assurance. Now it's cybersecurity. What this concentration means is it goes on your degree that says you have a concentration in cybersecurity. We have this at the BS level and the BSE level, and I believe... There we go, so we have three graduate programs, MS, MCS, PhD. You can find more about it at this link. That's slightly out of date, but that's fine. So the BS concentration, the idea is you take 13 credits in cybersecurity areas and related areas as technical electives. The good news is you're already taking the first class in that series, so 365 is now a required class for all the other courses. You take this, the purpose of this course is to give you a broad overview of all the areas of security. So then at the 400 level, you can choose to drill down into areas that you're interested in. So some of those courses are 466, Computer Systems Security. It'll be a really awesome class this semester. 467, 468, Data and Information Security, Network Security, Computer Network Forensics. We also, I believe, have a number of 500 level courses that you may be able to take as an undergrad, but talk to your advisors, because I don't know how that works. I just know what the courses are very roughly. Any questions about the concentration? I'm currently signed up for 466. Is the prerequisite still this class? It's not really prerequisite. It's a great question. Do not know. It shouldn't be there, but maybe because it's the first time we're waiving that, especially for, I think it'll be a, it's probably a prereq for all the freshmen that are starting now. So that when they go through, they know when they need to take it, but it's not fair to change that to people who are already through. So I think you'll be fine, yeah, you'll be fine doing both. Okay, and the other thing about, so part of this, part of, they're desynced.
Okay, so part of why we have this concentration is that we are an NSA and DHS designated, like they look at our program, they look at all the courses we're teaching, and the content of those courses, and they designated ASU a National Center of Academic Excellence in Information Assurance Education. So these are like from these two, so this is two certifications, one from the NSA, one from DHS. Out of class stuff. Let's see if I can click. This is going to be the difficult part. This should not take us too long. I want to actually get to stuff today. I really use a Windows computer, so I feel a little out of it. There we go. I'm not going to do it on this one. Awesome, okay. So syllabus, we will be announcing by Tuesday, I need to sit down and figure out office hours times. So as office hours times, we will be there unless we give usually at least 24-hour notice of being out of town or something. So we'll make sure you have enough office hours where you can come to us and ask questions. Let's see. I'm trying to find a new, why is this? Everything's weird. Okay. This says the wrong one. I know you can't see this, but trust me, it's wrong. If you watch on the video, you'll see it. Okay. Okay. Cool. I usually have used in the past a Google group for course communication. I like having a place where all of you can ask each other questions because if you look at this classroom, there's at least 132 of you and there's two of us. Right? So that scale is tipped very much in the student's direction. So this is a kind of help yourself course. The problem is last semester when I taught 545, apparently Google groups does not properly block spoofed email addresses. And so somebody sent a email message to the Google group as me saying that the midterm was going to be an open note, open book midterm. Which is as you'll notice in the syllabus is completely not true. 
So I no longer actually, I don't know if I should say this, but I know people who work at Google and I sent them very angry messages being like why does your crap product allow you to do this? It should be blocked. Sorry. So I will set up something else. If anybody has something that they've used in the past that they love, I'll say Blackboard. I'll say that now, but I guess we're retiring it. I usually, if anybody has any good news, I've heard Piazza's good or Moodle are good. I may experiment with one of those this semester. Wait, did you say they're retiring Blackboard? I think so. Canvas. I like to usually use my own thing that is simple rather than a complicated enterprise type thing. So if anybody has any questions, feel free to shoot it my way. I'd be happy to think about that and to use that. Cool. So the entire idea, as I mentioned, the idea of this course, it's going to give you an overview. Is this still too small for people to read in the back? I think the answer is yes. I think that's good. So the idea is security is incredibly multifaceted and the syllabus is online right now at my website. I haven't posted it on the link on whatever my ASU is. It will be there soon. If you want to go here, you can go to my website, teaching classes. The link is here. This will be our main form of communication is this website. I will update it. I will try to, as you can maybe see right now, I try to record all my lectures. I do not make absolutely any guarantees about that actually happening due to technical reasons. I will try my best to make sure that it happens, but whatever, if the recording fails I'm not going to re-record a whole class just for those people who aren't here. It's kind of up to you. I do it as a way so that you all don't have to sit there writing down every single thing I say. You can go back and review the lectures kind of on your own time. But in general for my courses, you're all adults.
I expect you to act like adults. If you don't want to show up to a course you're paying for, I don't care. I'd like you to be here because we have awesome discussions. But if you choose not to be here, that's on you. Any more questions? How to access this? Wait, so you say we're going to be moving to Canvas? No, that's a whole university thing. I'm not doing that. Cool. The idea of this course, as I mentioned, we will go over all types of areas of security. So the parts that I really like, of identifying vulnerabilities in systems, exploiting those vulnerabilities, we will cover. We're also going to cover really important things such as policy. So how do you as an organization ensure that your security controls are happening? We were talking about management, legal aspects. So we'll touch on the legal side of things and especially ethical side where we end up hacking questions on overview. We'll touch on crypto too. We'll do a kind of very broad overview. Questions? Are we going to be looking at hyperconverged infrastructure as well? Is that okay? I don't know what that means. So instead of having a bunch of different servers, they're all moving kind of to one platform? We will, we're going to look at security. Basically what I want you to take away from this course is to be able to think with a security mindset. To be able to analyze any system for possible security flaws and security vulnerabilities and to also think about the threats to that system. So this is, for a lot of the courses, we want you to apply what you're learning here to any context, so you can answer that question when your boss says, hey, we're looking at merging, we're switching from a VM based solution to now a dockerized container based Kubernetes cluster. So then you can think through what does the business need, what threats are we worried about, and how does that change in this new environment, what policies and mechanisms do we need to put in place to make sure that we don't have any problems.
So that's really what, rather than focusing on any one technology, we're going to do kind of a broad overview. But we will get, we'll talk about security vulnerabilities, buffer overflows, ROP, those kind of things, and so we will go deep into some tech. But yeah, the skill should be transferable. We are, you know, you can take security courses to get a certificate that you know how to run something like Nessus or Nmap or something, but we're trying to teach you how to think like a security professional, right, so that you can be the person developing the tools, not the person just using the tools. Okay, prereq should be easy. I don't think you could take this course without having these prereqs, so they're there. The textbook, so I like to do pretty much every ultimate tier that you need in this course will be provided in lecture. You'll get the recorded lectures, assuming they work, as long as the lecture slides. I do recommend this book. This book is a good resource. If you're a person who likes having multiple pieces to draw from, I highly recommend getting this Introduction to Computer Security. On the front page of the website I will map all of our course content to sections of this book so you can review those and see kind of how they map with what we're talking about here. Alright, that make sense? Cool. Okay, so the course mailing list will be TBD, it will be to be decided. I will let everyone know when we have one. I cannot recommend, if you have not read this, this I guess article on how to ask questions in the smart way, you should read it, and if you've already read it you should re-read it, and if you've read enough that you've memorized it you should probably read it just one more time. This is an incredibly good way of describing how to get a good answer from somebody. So oftentimes I've taught, has anybody taken 340 yet? Yeah. Or is it in 340?
Yeah, I get, when I taught 340 I would get emails from students being like, my code doesn't compile. And I want to help you. I fully believe all of you can walk out of this class with an A, right? You put in the work, you do good on the assignments, you can get an A. I want to help you. If your code's not compiling, I want to help teach you why it's not compiling, but if you just tell me it's not compiling, that's not enough information for me to go off of, right? So what this document describes is how to phrase your question in such a way that it's likely to be answered, right? Of saying, wow, I'm getting this really weird compile error, it looks exactly like this, I googled this error message, I found these Stack Overflow questions, none of them really respond to what I'm trying to do. I've tried X, Y, and Z. I've tried commenting out this line. I've tried changing this thing to public from private. Still nothing is fixing this error and I can't understand why, right? So like one question, or one question is just like, hey, give me help. The other one is saying, hey, I'm super stuck and here's all the information you need and here's everything I've tried to get unstuck, right? We have limited time. I'd love to spend all of my time helping all of you, but with limited time we prioritize people who it's very likely we can help and we can say, ah, I see exactly the problem, you tried this, this, and this, you give me enough information to do that. That said, don't just throw your source code at us to fix it because that's technically all we need to reproduce your errors. So just be cognizant of when you're asking questions, and this applies not just to us but also to the mailing list too, because you should be asking your fellow students when you get stuck, and getting answers to those questions is kind of an art in and of itself. So I highly recommend to read this document. Any questions on asking questions?
Don't worry, I won't take off any points, it's not great. Yes? The website, if you go to adamdoupe.com you can go to teaching, there's a teaching link, and then that'll show the classes and then there'll be a link to this page. I'll also be posting this as soon as this is over on the, of course I don't remember the thing for me, it's on my ASU and I just post a syllabus link. Okay, cool. Okay, I will create an address, a specific email address that you should use for all communications to us. One of the most annoying things, because anybody, well probably not, but one of the most annoying things that can happen is if a student emails me and the TA and then the TA answers it and then I'm going through my email and I spend time to answer it and the student's like, oh, the TA already fixed this for me like three hours ago, right? So making sure we're included on communications, I'll give you one email address to use. It'll probably be something very simple to use and that way it'll be useful for everything. So that's like a good thing. So at a high level these are roughly the course topics we'll cover. We'll talk about security objectives, mechanisms, attacks and threats. We're gonna do, I know you can watch this course online, I like having students in here so we can have discussions. I will propose scenarios and we'll talk through what threats are appropriate to this scenario, and so it really helps to have people in here who are willing to contribute to the discussion because I think that's the best way to kind of learn and reason about security is thinking through those things. So we'll cover everything: access control, crypto, authentication, network security, web security, system security, policies, management, risk assessments, assurance, privacy, anonymity, legal and ethical issues. Questions on that? If there's something you'd really like to see, shoot me an email, let me know. I can't guarantee we'll get to it but we'll try. Are we going to be doing threat modeling? Yeah, what, say it again?
Is it threat modeling? Possibly. I like to teach things more at a high level rather than a specific methodology of doing things, but we definitely talk about here's the scenario, what are the threats, which ones are relevant for this specific organization, business, which all apply directly to this. Cool. And the other thing I will say about, somebody who took 465 last time I taught it, I think it was in about two months or maybe a month and a half into the course, he came in and sat down and said that he just had an interview with a security company and like the three questions they asked him were like three things we talked about in class like the first or second week. So you know, I will do kind of two things. We learn about the high level thing, we also, I teach you the important things about security that security professionals expect you to know. We'll also do low level, so there will be coding and there will be hands on exploitation things in this class. So this is not just a high level course but this is also kind of a low level, get your hands dirty, write code, break stuff. We will have between three to six homework assignments. It's a broad range so that on how things go we can have more that will cover all the topics. There will be a midterm and a final exam. Just in case anybody tries to spoof me, you know, leading up to this, you can be assured that all of my exams are always closed book, closed computer, closed nothing. You, your brain, a writing instrument, and that's it. So grading: 60% homework, 20% midterm, 20% final. So homework is rated a lot because it takes time, it takes effort. I expect you to put in the work and do it. Any questions on the breakdown? It does add up to 100, right, you all check that? Otherwise that would suck, you can only get 90% or something. Thresholds for grades, so this is what I say is these are the, I will never curve, let's say, lower than this. I might decide depending on your grade distribution to say wow, maybe 89% should be an A-, but I won't ever go up. I
won't say now the cutoff for an A- is 95%. So you can be rest assured through the course, you're calculating your grade, if you're in these ranges, these are the grades that you're going to get. Is that good, fair? It's not a lot of questions. Should I be worried by that? Are you all going to drop? Taking it in, that's cool. Okay, the, my late policy. So homework due dates, exam dates are posted well, you will know about them well in advance when the assignment is given. For assignments, basically you can choose to be late, I'm totally fine with that, but every day that you're late is a 20% reduction in your overall score. So that means that if you, let's say, submitted 100% of the assignment a day later, 10 minutes after the deadline, that's considered not on time, so that's a 120% reduction. So if you submit 100% project that's an 80%, and if you do it on a second day, so it's stacked, so it'd be 60%. We will take your highest submission of all of your submissions, that makes sense, and you will know your grade when you submit your assignments, except for written assignments because that doesn't make sense. When's the deadline? Time wise, usually midnight, 11:59, Arizona time. The day depends on when the assignment is given, when I think it's fair. I think it's really difficult because some people want to do it on a Friday at midnight or Thursday at midnight so they can just get it done. The one thing I can say I will never do is have a deadline the day before class, usually like on Monday or Wednesday, because then nobody shows up to class because they were all cramming for the deadline. I don't know, we'll play with it. Yes? Going back to what you said before, the highest submission counts, is that essentially if you have part of it done you can submit it anyway?
Yes, so you'll have, I will try to, this, since it's a, I guess a 300 level course, it's a bit of a trade off. I don't want people to just make a change and then just resubmit without doing their own testing, so you shouldn't be using the testing system as an oracle when you fix your bugs, which definitely happens, and with a lot of you it starts jamming up the queue of grading. So what I like to do instead is to, what I like to do instead is to cap it at something usually absurdly high like 20 or 25 that can give enough, I still, people run out of that somehow. I, so there will be some kind of limit to prevent, so to force you to think. Yes? Highest point total submission, including late. So if you submitted one before the deadline that was 84% and then afterwards you submitted something that was passes everything, all the test cases, but with the deduction is 80%, your grade would be 84. Yes? I'll post the link. There's going to be no Blackboard for this course, none. It's going to be the website. There'll be a submission website as well, so it'll be my website, submission website, and some kind of course discussion thing, but you will all know about it, trust me, I will force you to. Cool. It's going to be fun. You typically return exams or do you have people to office hours to discuss them? It's a great question, because I do different things in my undergraduate courses, so I don't want to make any claims without reviewing what I did in the past. You will know, I mean you'll be able to see. Okay, yeah, okay. If anybody needs any special accommodations, I'm very happy to do that. I've done it in the past, it works out really well, so just contact me, let me know through the DRC, and we'll work everything out so that everyone gets their fair accommodations. Okay, now the part where I need to be really scary. Have I been scary yet? Yes?
Okay, now I need to be even scarier, but I don't know how. Okay, so plagiarism. I mean, I'm kind of of two minds. So on one hand, I mean, you're paying for this course, so if you want to pay for and cheat your way through to an A and go out in the world and somebody asks you about one of the three important aspects of security and you can't answer, that's kind of your fault, because you're never going to get that job. On the other hand, I hate it when students put in a bunch of work, get like a B, and then a student who cheats gets an A, and I think that's really not fair to the students who put in the time and work. So I'm very strict and very harsh on plagiarism and cheating. So I have reported to the dean's office every instance of plagiarism that I've detected in all of my courses, undergrads and graduates. I think at the bottom it says how many. 27? A little bit out. Yeah, 27. So I've done this 27 times. I know how to do it. I'm not afraid to do it. Everyone has a sob situation, but it's still not fair to the rest of the students. So I'm looking out for all of you who are putting in the work so that your A in this class is actually worthwhile as an A. So you are, so what does plagiarism and cheating mean in a course? You've all read the student handbooks. I'm sure you're very familiar with it. It was directly copied and pasted from a friend or a source, especially if you keep their ksuid. It's a hard thing. It's a very hard thing to do. Yeah. So Andy, basically, using code that's not your own, especially from a fellow student in class. So I have an exception that you have here. I was a professional developer. I do know in the real world that, I still do, I do it now, when I Google for something, there's some code on Stack Overflow that fixes it, I copy and paste it. In this course, what we want to make sure is that you include a comment in your source code just of where you found it, which is actually a good practice to do anyway, software engineering wise. So if somebody goes and sees that code, they can know, oh,
you took it from this thing, and maybe there was an update or maybe something fixed that. So you are free to use snippets and stuff you find online. It's a 2465 solution to assignment one, that would not count as an acceptable copy and paste. But it's like, how do I reverse a function in Python, and you find something, that's totally fine to use. So I think the differences are very clear, are fairly clear. So using another student's code, even past students, present students, is a violation of the academic integrity policy. And we have all the past submissions. We run everything against them. These are easy things to check. We'll get to that later, I believe. We'll discuss that when we get a little bit closer. And as I mentioned, zero tolerance policy, which means that every violation of the academic integrity policy is reported to the dean's office. I've done this 27 times. I don't want to do it anymore. So please do not make me do this number, but I will do it if I have to do it. And this is something that can be tough, and I understand. You're coding, it's 11pm on the deadline, you've been coding for the last 24-48 hours, it's still not working, and it's very tempting to just take something from one of your friends and just use it. It's very easy to detect, and it causes a lot of pain later on. So it's much better to just take the lumps, 70% or whatever, and know that you didn't cheat. So some examples. Sharing code with fellow students. Don't use other people's code in this class. That's an easy way we can all stay safe. Submitting another student's code as your own, that's clearly not good. Submitting a prior student's code as your own. I don't know if you're aware, but we can retroactively change grades, like academic integrity violations, even the students who've graduated, and then they actually have to come back and retake the course. I don't want to do it. I know none of you will. This is what I have to say and do. Okay, so the other thing that students tell me, and this is something I partly sympathize with, is
that, do not post your code publicly accessible online for your courses. I had one instance where somebody submitted an assignment late, got full credit, it matched with another student. There's actually two students matched with one student, so I had to call them all in, write them all up. The first student foolishly posted their code online on GitHub right after the deadline, and the other students somehow found it and submitted it as their own with making and so this includes working out of a public GitHub repo. So you want to use Git to develop, I love it, I fully support it, you should do that. Use the GitHub student pack so you have unlimited private repositories. You can all go get that now as ASU students. So there's no reason to make your repo public. The second thing that students tell me is, I want to have a public repo for my course assignment so that I can impress potential employers. Or maybe I should be telling you this, but I don't really hate it, but I went on recruiting trips for Microsoft. What impresses employers is not what you do in your course. Do you think about something like 340? Every person who does a CS degree writes a compiler, so posting your open source compiler says nothing. What do you think impresses employers? Outside projects. Doing something that you're not required to do. You will graduate with a piece of paper that says you got passing grades in all these courses, so they know you did stuff in your courses. What they want to know is what are you doing on top of that. And it could be anything. It could be something silly. That's how I got my Microsoft job. I created this website. Anybody use Woot? Woot.com? It's this website that would sell one item overnight. It would release it and they'd have limited quantities. It would be super cheap. So I created a website called Woot Watchers that would watch that and then send you a text message when the thing changed, so you could know to go buy it, and if you wanted to buy it. And I got about a thousand-ish users, which is
not crazy, but it was fun for me, like in my room in college. So I did this little thing and I created it all in Ruby on Rails and ran it. That's a good question. I posted a bit in a Woot forum and then people would use it. I'm very much not a marketing or graphics design person, as maybe you can tell from my websites, so I just keep it super simple. The funny story about Woot Watchers is that I would get, because, so Woot would, it would be like a once a day thing, and then they'd have a Woot off where they would sell an item, as soon as it sells out they'd sell a new item and a new item. And so my thing would just go crazy sending people text messages. And so I got very angry emails from a couple people being like, you're using all of my text messages, like, I'm going to sue you for all this data usage. I'm a college kid, what are you going to do? I'm sorry, man, you can disable it, it's not my fault. And this was back in 2006-2007, basically pre-smartphone era, so it was all SMS stuff. But it was fun. It was a cool thing to do just because I wanted to learn Ruby on Rails. That was the only reason why I did it. Now we have fun. No plagiarism, no cheating stuff. That's it. Any questions on course logistics? We've still got 25 minutes, we can jump into some material. Yes? What's your definition of the syllabus? Yes, I'm going to update it with, that's just a clause in there to kind of cover me if anything happens. But that would be like, I mean, it's tricky to say, right, because 4-6 days, for some reason I decided to change the percentage of grade distribution between homework, that's something I would do in the next few days and then tell you about it. Even a month before the end of the course, before the drop date, would be not okay. So reasonable things. The only things here I'm going to change are about, I won't change these thresholds, I definitely wouldn't change this grading thing, just adding the course mailing list on here. It's definitely not going to change substantially. What did I say again? Oh yeah, so maybe
I can go back to the slides. Yeah, so let's see, is he in this picture? Yeah, he could barely see him. So this guy here, Will Robertson, who's a professor at Northeastern University, he was part of the Shellphish team that won Defcon CTF that year, so he has a black badge, so he has free entry to Defcon for life. I have not won yet, but I've also not lost, so that's nice. And ASU team has yet to qualify, but they're working hard. I forgot to talk about that, so thank you. Alright, anything else? Let's jump, oh, oh, oh, let's jump, oh, you can't see it on here. Okay, I'm going to briefly do exactly what I did over there. So this is Will Robertson's, on the video you can see now. And let's do overview. Cool. Okay, so now we begin. So what is security? We're all here because you're taking a course on cyber security, information security, but what is security? Your phone account. Okay, keeping somebody from hacking your phone account. Why are you worried about your phone account? Say it again? And then using your number to have text messages sent to your, that new phone number, to hack your bank account. Yeah, that's actually a big problem nowadays. That's how people break into Coinbase accounts and steal Bitcoins. Oh, snap, that sucks, I'm sorry. Yes? I can't hear you guys, just speak. Threat identification. What do you mean by threat identification? So identifying threats that can occur that will take down your system. Exactly as intended to. Making sure the system works exactly as intended to. Making sure the system works exactly as intended to. Do you all do that with your systems that you built? Try to. Who, you try to, yeah, your course assignments, are you trying to make them work exactly as they're supposed to? Does anyone ever write a bug? Yeah, unintentionally, yeah. So it's kind of clear to see why we have security problems. We have humans writing software, humans are imperfect, systems are very complex, and so all it takes sometimes is one bug in order to crumble the entire system. Keeping information confidential. Okay, so keeping information confidential in the sense that only somebody
that should see it can see it. Who defines who can see it? Is, can I define it? I guess it's between the user and the service provider. Yeah, so it kind of depends, right? It depends on the situation we're talking about, right? Like can Apple, so anybody with an iPhone, are you cool with Apple just unlocking your phone at any time and browsing through it? It's their phone, they built it. Yeah? Whoever owns the information. Whoever owns the information. Ooh, okay, that's interesting. Yeah, so the person who owns the information figures out who should be able to access it or not. What about, think about, we'll talk a lot about different contexts here. So some of the context will be like a private business, some of the context will be like national security issues, right? So think about an intelligence officer writing a report for the government about a, let's say, a terrorist threat or a terrorist plot in progress. Should that, so who created that information? The officer, right? They're the ones writing down this information. Should they be able to decide who gets that information? Can they say the public should get this information, or the president shouldn't get this information? Right, so it's even difficult thing to think about. Even the person who originates the information maybe shouldn't control who can access it. But that's, so we'll separate that a little bit. So okay, we have, so confidentiality. So is there a general form of, let's say, confidentiality? Like can you just say, yeah, social confidentiality, like physical confidentiality. Okay. There are places where that's not the case. This is not one of them. There is, but there are also designated as the release. Yes, that's sort of like a scary thing, like you can't wonder how to make it everyone, but it's that specific place you can. Interesting. Okay, cool, awesome. So okay, so, so confidentiality, let's say, keeping private information private, right? And we'll delay the who decides what information should or shouldn't be private. So we can say maybe some things, so what are
some things that you would like to keep confidential personally? You don't have to share what they are. Nobody started like reading off your social security number. Yeah, your bank account number. Why is your bank account number confidential, or why would you like it to be confidential? It has your money. So anyone who has your bank account number, do you guys know this? If you have a check, right, you know how you transfer money between accounts, you put in the bank number and then the routing number and then the account number, and that's all you need to transfer money from that account. Yeah, it's crazy. Have you ever even seen a check? Sometimes I have to do these checks, like self checks, to see if my references make sense. Yes? Passwords. So why do you want to keep your passwords confidential? I don't want someone to send emails from my ASU account to professors or something. Yeah, or to log into the grading system of ASU and be able to change their grades, right? So yeah, so those kind of things confidential. What else? Wait, let's stick with confidential. Is confidential the same thing as keeping information accurate? No, because you could keep something private but not care about whether it's accurate or not. Yeah, yeah. So I want more confidential examples. What was that? Medical history. Yeah, you may not want somebody to know what kind of medical issues you may have. You may not want your insurance company in particular to know what kind of stuff. Yeah? Purchasing. Yeah, purchase history. Why not? What are you worried about? What are you going to hide? I'm just kidding. In general, right, so you can build a very comprehensive model of a person based on their purchases, right? You could see what they like, what they do, where they go, what kind of things they're into, which might maybe revealing even more information about you than you're comfortable sharing. There's a hand in the back. Okay, no. What is, we're focusing more on confidentiality here, so like what are some things that you would prefer to be confidential?
Yeah, private communications. So text messages, I don't know, what chat clients do people use? Like WhatsApp, Signal, Discord. Okay, was that Slack? Oh, Slack's a good one. Yeah, you know, there's, for Slack, the owner of the Slack can get a data dump of the entire Slack, including private messages. Yeah, interesting. You gotta read those privacy policies to see what they can do. Now, let's say, I can't remember, what it used to be, that it would alert everyone in the Slack that that was going to happen. Now I think they can do it, but they need to write a written letter to get the data dump of that. So think about how that affects people using their company's corporate Slacks that are doing things through private messages. Yeah, you guys? Name and address. Name and address. Why is your name and address, would you want to keep confidential? It gets into a little bit of physical security aspects, right? You may not want people to know where you live. You may not want people to know where to, I don't know, ship weird things to. Yes? Okay, you got it now. Social security number. So why are you, social security, why not your social security number? What can you do with somebody's social security number? What was that? Pilot death certificate. Yeah, so you, that would be very difficult. What else? Your exact location. Your GPS location. Let's go back to social security for a second, because I was actually surprised, and I never realized, I always knew it was confidential, but realizing all the things you can do with it. They also apply for jobs. Jobs, which could be cool, but you're not getting any of that money. Passports. Passports. What about credit cards? Loans. They can get loans in your name that you're now on the hook for, to affect your credit score, that you have to go through hoops to fight. Yeah, all this kind of stuff. So okay, pictures you take on your phone maybe, nobody mentioned that, right? So these are all kind of interesting things that we talked about there. So confidentiality. So there's kind of three main things we talk about when we
talk about what is security, what do we need. There's three different aspects. The first one is confidentiality, like we talked about, right? So making sure that, depending on whoever's system or whatever it is, that private things stay private, right? And as well, one of the themes that we'll get into is this is very, let's say, context sensitive, in the sense that it depends on what system you're talking about, about what things are confidential, and in different context different things may be confidential or they may not be. Cool. So what else? So what are some other things, aspects of security, that aren't necessarily confidentiality? Yes? I don't know what the word is, but you don't want people to be able to like alter your files. I know that, why not, like the NHS had like a problem with ransomware and all their files got blocked, and that caused a lot of delays with patients. Yeah, so having people not be able to alter your files. And why is that, so we'll call that, we'll call that integrity, right? So making sure that the data is what you thought it was and the data doesn't change. So why is that different from confidentiality? Okay, so the main difference is in, let's say, so I guess if we're concerned about integrity, are we necessarily also concerned about confidentiality? No. Why not? I'll be giving you a counter example. Somebody could just delete the data, so they didn't learn what's in it, but it's not there anymore. It's still a serious problem, right? So that would be a problem if we had some secret data that somebody was able to delete, right? So and then now we no longer have access. Or if it's like a public site with open source code, if we might not care too much or someone can take a look at that, but if they all of a sudden put something in there that steals people's data, right? So think about like the Linux kernel, right? The Linux kernel is completely open source, absolutely zero confidentiality requirements from the Linux source code, but not everyone can just write to it and change it, because
you could easily introduce a backdoor to allow you access to anybody's Linux machine, which would be a huge, huge deal. Yeah, right. So this actually goes, one of the recent trends now is a public website that will, obviously a public website is by nature not confidential, do we agree? If you can go to your browser and go to cnn.com or whatever, that is fundamentally not confidential, right? You're seeing at least that public facing page, right? They may have admin interfaces that they want to keep secret, but that front-facing page is not confidential. Now what if somebody goes in and changes cnn.com's front page, or some other page's front page, to put in a snippet of JavaScript code that mines Bitcoin in everyone's browser that visits that page, right? So now, and which is, this actually happens. If you look up, I can't remember where the recent thing was, but this is called cryptojacking. Is that the right term? I think so, yeah. So here the confidentiality of the page is still fine, nobody cared about that, but the integrity of the page has been violated from what the people intended it to be into what's being sent to people. So yeah, these are all, so what are some other things that you would want to maintain the integrity of in your, let's say, more personal, so we can kind of relate to this? Maybe transaction history. You might want to keep that the same. You don't want that to randomly change. Exactly, so it depends on what your bank account status is. If you woke up and had an extra couple grand in your account, maybe you're not going to scream about it, but if you wake up the other way and now your account is now in the negative 2000 or whatever, that would be a problem, because if the bank or whatever can't maintain the integrity of your transactions, that'd be a huge problem. What else? Records. That's a huge one, right? So what if somebody was able to change your medical record to say that you're not allergic to something that you are allergic to, and then you go to the hospital and the doctors give you
the thing that you're allergic to, potentially causing harm. Yeah, I mean, this happens all the time, where not even with mistakes like that, but where they end up doing surgery on the wrong limb. And then I think the classic case of this, or I don't know if this is true or not, but the thing that happens is they'll write on, or they'll write no, they'll write no on somebody's leg, like over and over, and the doctor will see it and think it says on, because they'll read it upside down, and so they'll think they're operating on that leg. Yeah. Alright, that's alright. What about, like, your, you know, like we said with kind of the ransomware example, so what about all your files on your laptops and phones? Like do you want access to all of the stuff you've done for your courses and all the pictures that you've taken, right? So like if somebody was able to corrupt all of that so that you can't access that now, right, that would be a pretty bad, although I guess, I guess integrity there is a little bit different, but cool. And so the areas we'll kind of, so we'll talk about in the course kind of integrity in terms of how to prevent integrity attacks, how to detect them. And so are there any other, we've kind of touched a little bit around this, but are there any other components of security that don't necessarily fall into confidentiality or integrity? Yeah? Maybe the availability of a service. Availability in what sense? So like a denial of service attack on a website or something, so that basically the business is down. For example, think about Amazon. Does Amazon make a lot of money per second? Yes. Imagine if you were able to take down Amazon.com for like an hour, right? That would have a measurable impact on Amazon's bottom line, because people cannot buy their products through them, right? But you're not violating the confidentiality necessarily of Amazon. You're not necessarily violating the integrity, because maybe you're not able to change their home page to be whatever you want. If you can make it so that it's not
available for people that want to use it, then I've actually caused a critical security problem. So you can think of this, I always think of this as the CIA Triad. This is something you should burn into your brain. This is something that interviewers ask of you. But rather than just memorizing confidentiality and integrity, availability, it's actually being able to understand and process each of these things, how they're different, how they relate, what are some examples of a system. Because, so making a system that is incredibly confidential, such that, let's say, nobody can access it, is fairly easy in some sense. I could create a computer, I could put it in a vault that only I know the passcode of, I can station guards that I trust, if I'm the military I can put people to guard that, but it's still not very available to access this system. And so security is always a balance between these things. You need people to access your system, otherwise that in itself is a security concern. You also want the things that need to be confidential and maintain integrity on those things that you need. Questions on this? Is confidentiality not necessarily the same thing as the, the opposite of availability, is it?
I would say no. So if we go back to the Linux example, the Linux source code is not confidential, but if I took away people's access to that, that's not necessarily breaking the confidentiality. That would make sense. So I guess the opposite of confidentiality in this case would be basically you don't care who has access to what, which makes sense in something like open source code, which makes sense in, let's say, what's another example here? Open source code. Public records. Public records, yeah, that's a good one. Or you can think of Bitcoin, like the blockchain is all public, all the transaction history, and so in that case you don't care about confidentiality, but you still care about people's access to things, right? So you have basically no confidentiality requirements. Well, I guess on another hand, if your requirement is the opposite of confidentiality, which means everybody has it, then you are kind of concerned with availability. I don't know. I probably want to ask you a question like that since it's very complicated. But the idea is to think through, so be able to take a situation and think about, okay, start thinking about threats, start thinking about, if I have, like how can I compromise the confidentiality, integrity and availability of this system, and does that make sense, and what are the business and organizational goals of this system. So you can say, do I care about confidentiality? Then I can get rid of an entire class of attacks that I don't need to worry about because they're not what is important to our business. What time does this class go to? 15, okay. So what is the threat? A virus or a bug can definitely be a threat. A person. How can a person be a threat? I look so nice. What, they can hack, they can hack, break into your stuff. What else can a person do? People make mistakes all the time, and not just necessarily coders. You have people, let's say, if you wanted to get into a store before anybody was there and somebody stops you and say, hey, the store is closed, like you can't come in here,
and you say, oh no, no, I'm part of the cleaning crew, we have to come in here, there's a big deal, my boss told me to come over here, and then they just let you in. That was probably a mistake that they made in terms of their access control requirements of the physical space. But it's people making mistakes. Or what are some other famous things that have happened? I'm not sure you're not supposed to drive into a system. This is a great example. You talk about people making mistakes. I can't remember who it was, somebody who worked, I think it was General Schmidl, I don't know if I could say that. He was saying that what ended up happening was they found, the military, the US military has their own network completely separate from the US internet, like the internet as a whole. It's called MILNET. It's about outgoing packets from one of the machines in a base to Russia. Very bad thing to see. So they start investigating. It turns out what happens is the Russians, like three years earlier, had compromised a bunch of thumb drives and sent them to the convenience store that was next to this base, and then just waited. And eventually, and so those people buy those thumb drives, and eventually it took one person to ignore the rules that they weren't allowed to stick an unclassified flash drive into a classified system. They did that, they popped it, and then it went to go talk to home. So this is definitely people in terms of threats. You can have a policy that says you should never plug in a USB thumb drive, but if there are thumb drives and there are USB ports, people are going to plug them in. Alright, I think we can stop there. Thanks everyone. Thank you.