Alright, folks. First day of class. Everyone's stoked to be here. Excited. Not super enthusiastic because everybody's still, like, cooling off. Yeah, me too, so it's good. We will be in this together. Alright, so I'm in the right place. Can everyone see the slides, especially in the back? Do I need to figure out what these magic 1 through 6 numbers are on the front here? I'm sure one of them does something that may help with that. But if you can't see the screen, let me know. Cool. Alright, starting on. Alright, so this is Introduction to Information Assurance. Make sure you're in the right room. If you're not, good luck finding your room. I've definitely done that before. It's fall 2019, is that correct? Cool. So before we jump in, a little bit about today. Today will be a little bit of getting to know each other, getting to know the course, and then we're going to jump right into material. So usually we will cover some stuff. So I am Adam Doupé. I'm a doctor; I did my PhD at UCSB. My industry experience: I went to UCSB for their 4 plus 1 program, and then I said I'm never coming back to academia, I'm going to go work in industry and make a little money. So I got a job at Microsoft. I was there for a year and I decided, man, I really miss doing research. I missed doing novel stuff that nobody's ever done before. So I went back to UC Santa Barbara for my PhD. After I finished, I came here to ASU in 2014. So I've been here for five years now, which I still feel like I'm very new, but I guess I'm kind of old in that sense. So if you have any questions about what industry experience is like, industry jobs, I'm happy to kind of talk through that. I was a software developer writing C# code. While I was there... so how I got into security, why I'm here now as a security professor, is I played what's known as capture-the-flag competitions with Shellphish.
So as we'll see throughout some slides, capture-the-flag is a really awesome, we call it ethical hacking, competition. So you compete against other teams to see who can break software, who does it the fastest, who does the most, or all kinds of cool stuff. When I came here, I started a group called the pwndevils. Anybody heard of them? I don't know. Awesome. So the next meeting is tomorrow, Friday at 4:30. Is it 4? Anybody correct me? I think they said 4. But that's on the president if it's wrong, not me. So the pwndevils, they have a great website. They are ASU's capture-the-flag team, so they compete all the time in capture-the-flag. They were just playing in the World Championships, which we'll talk about next. They also have a Slack. Slack's all the rage; actually, most of the stuff happens on Slack. So I'll briefly show you their website, so you can go check it out. That's how many students who haven't applied, it's great. So the pwndevils: none of this is actually very much updated, but the important thing here is the link to Slack. So join Slack, let's hang out, talk security stuff if you're interested, and keep it in mind as we go through the semester and as hopefully your interest in the topic grows. Well, any questions about me? I guess I'll talk a little bit about what I do here at ASU. Oh, please, yep. It says you played CTF with Shellphish. What is Shellphish? Good question. So Shellphish is UCSB's capture-the-flag team. They have won the Olympics of capture-the-flag, which is DEF CON capture-the-flag. They won it in 2006 before I joined. I was a part of that. Actually, the pwndevils and Shellphish have this very unique relationship where we're kind of essentially part of Shellphish. So in some of the big CTFs, the pwndevils will play with Shellphish on a big team. They sometimes travel to UCSB to play there. Sometimes it's the reverse. So yeah, it's a pretty fun environment. Spencer, I got you a seat right in the middle here. Do you want to take that seat?
All right, cool. Thank you for moving in. Cool. Okay, about research. So I'm also... so I don't just teach. It shocks a lot of undergrads that professors do something besides teach. So we do research in all types of areas of cybersecurity. My PhD at UCSB was on how we can make better tools to automatically find vulnerabilities in a website. Since then we've touched all kinds of areas, from phone phishing to binary analysis. Really, the group is huge and we do all kinds of very cool stuff, I think. So I'd like to introduce the TAs for this course. So the first TA is Max. Max will stand up and introduce himself to you. He was in your shoes not too long ago. Just two years ago. All right, I'm Matt, everybody. I'm a second-year PhD student here. I'll be one of the TAs for this course. I kind of ended up in this position because of this class. I think it's a little crazy now. I don't know, just me, because one particular homework assignment in this class that I did was kind of crazy. And so you could find it almost worked. Almost. And I wrote only five lines first. I just wrote one. It worked out. I kind of work in, like, binary analysis, but coming at it from, like, a languages angle. If there are any programming-languages people, I'd love to hear about that. I don't play CTFs, but I'm kind of CTF-adjacent. So I probably know the people that I can direct you to if you have any questions. Well, awesome. And I don't know if Gokul is here or not. I'd like to know if I can introduce him. Yeah, I'm guessing he's still on his way here, but I'll make him introduce himself when he shows up. So we'll be your main front-facing support staff. We will be helping you in this awesome security journey that we are all on together. If you have any questions, we're always available. We'll talk about it when we get to the syllabus, the best way to communicate and all that type of fun stuff. Any questions so far? Questions for Max.
I'm going to ask him how to avoid becoming a PhD student, or maybe become a PhD student. What is it that he did that caused you to notice him? I've got to talk into the mic and repeat the questions. The question was, what did he do that made me notice him? It was a particularly complicated problem. It was a solution to one of those assignments where they didn't want to write the program. They had to write a separate program to write that sort of program. Program, program, program, program, program. So, the first thing I want to talk about, to contextualize and get a little bit more into CTFs, I want to talk to you about something that is really near and dear to my heart. So, really how I got into security, like I said, was through taking a course at UCSB. The professor there saw that I had an interest in security and invited me to join their hacking group, which was Shellphish. And then from there, we competed in these capture-the-flag competitions, the kind of nexus of which, the one other people describe as the Olympics of capture-the-flag, is DEF CON capture-the-flag. So, has anybody heard of the DEF CON conference? Yeah, so this is, for those that don't know, basically an underground hacker conference that happens every year in the summer in Las Vegas. To kind of describe how underground it is, they do not accept cash for payment, for entry into the conference. Sorry, they don't accept credit cards. Yeah, they only accept cash. And I don't know if you've ever been to an industry conference, but this is a 4-day conference that only costs $300 as opposed to $1,000 plus. And let's see, is somebody there interested in things? Oh, there's a, actually, I think I have it here. Because I haven't cleaned out my bag since we went to Vegas, but there's a badge every year. This year it was like a, I don't know what this is. They talked about some kind of crystal, whatever; geologists can tell me exactly what this is. This little badge, it has electronics on the back.
Apparently it does stuff if you get close to other people's stuff. We never looked into it. But the cool hacker thing is they actually have a counterfeit badge contest. So they kind of encourage people to make fake badges to get into the contest. So I think somebody made something that looked like this out of soap to get into the conference. Yeah, which was pretty cool. So all these hackers attend the conference. That's really kind of an industry thing, trying to see what the latest trends are. There's talks. There's all kinds of cool stuff. What we run is a competition at DEF CON called Capture the Flag. DEF CON Capture the Flag. And this is, so there are, what we do is there are like five or six CTFs before that whose winners are invited to attend. And then in May we had an online Capture the Flag competition that anyone from around the world could join. I believe, yeah, so we had six qualifying CTFs from around the world. And then 1,200 teams competed in our competition in May. So they were solving, and these are kind of all kinds of different security challenges. So it could be a binary that they downloaded that was running on a remote system. So they had to analyze that binary, look for vulnerabilities, develop exploits, and then use that exploit to capture the flag. So this flag is just kind of like a piece of information that says, yes, you actually exploited this service correctly. So all kinds of categories, all kinds of fun stuff. The top, so then the top 16 teams here, along with the qualifying teams, for a total of 16, where the math doesn't really work, but it's fine, were invited to attend. And the top team in quals was PPP, which is the Plaid Parliament of Pwning, which is Carnegie Mellon's CTF team. They won our qualification event. And then we invited all these teams here in person, so they could only compete in the final event in person. This was, what, two weeks ago? Three weeks ago? Two weeks.
Yeah, I'm still recovering from this. It was crazy. Poor Max volunteered to help us. He showed up at an Airbnb we had in Vegas on the Tuesday before the competition. So the competition started on Friday. He showed up on a Tuesday. And we put him to work, as we'll see, editing levels of the Doom first-person shooter that was going to run on an Xbox. Which led to a 40-hour all-nighter. Yes, together with us. So, yeah, so what we did is the 16 teams were physically in the room. So we're running, organizing the game. I don't have a picture of the hardware, but we had a server rack that had about $100,000 worth of servers in it to run the game infrastructure. Because the way these competitions work is essentially, think of it as we as organizers write custom software, so custom services. That's something that they've never seen, like a binary or a program that they haven't seen before. And then each of them, so each of the 16 teams, is running a virtual machine, or you can think of it as a server, that's running identical copies of the custom software we wrote. So they have to, in this type of capture the flag, which is called attack-defense, they have to analyze the binaries, find vulnerabilities, write exploits, and then, the important thing, patch their binaries so that other people can't exploit them. And it's all going on at once, so they're launching attacks at each other. They have traffic analysis that looks at the traffic that's going to their machine, so they can identify maybe an attack and actually throw it at another team without even knowing what the heck is going on. So there's a lot of prep work that goes into this. We spread these 16 teams throughout the room. I think Max was actually too busy with Doom to help us lay the cables. Is that right here? You did lay the cables. You did lay the cables, yes. So we had to lay, I don't know if you can see anything yet, so a special cable, an ethernet cable, to each of the teams. We've consulted with the Fire Marshal multiple times.
We tape it three times, one in the middle and one on each side. Otherwise the Fire Marshal gets unhappy, and if the Fire Marshal's unhappy, he shuts down your event. So, always keep the Fire Marshal happy. This is kind of a video I think I took. I have no idea if this will work. Hopefully there's no audio, but I'm just panning around so you can kind of see the craziness. So the long narrow space, 16 teams, with projectors showing the scores and music and all kinds of stuff. We had some animations going in the background. And then here on the end, kind of looking over everyone, was us organizing the game and trying to run everything. So, that's not what I want. A cool thing that we did is what Max was talking about and what Max was involved in on Saturday morning. So, after a full day of hacking on Friday, on Saturday the teams showed up. We gave each team captain an original Xbox that we had soft-modded to download a game client from our server when they connected to their network. That game client was running a modified version of Doom, which is, what year did Doom come out? 92? 91? It was one of the first first-person shooters, if you're not aware. And so the idea was they could intercept that game client and then modify it so that they could do essentially game hacks. So there was a bug we put in where you walked slower than normal. You could walk through walls. And so they were playing a literal capture the flag in here, where Max actually modded the levels to create flag locations that they had to stand on for points. But they could hack into the game to make themselves do better. So they earned points in the game through playing this game. So for about 10 hours, these teams were playing Doom at their tables. It was a lot of fun. So some of the things we had the teams do, so this is kind of, when you think of what is the kind of pinnacle of capture the flag, what things are we testing?
We had them hack iOS apps, which is I think one of the first times we had that. So it was a chat app similar to Telegram, I don't know if anybody uses that, or Signal. So there was a vulnerability in each of the apps that they could exploit by sending messages and all this crazy stuff. They hacked deep learning models. Is anybody interested in AI and machine learning? Only some. I don't believe this at all. You guys like the new hotness. I've got everybody. I'm surprised there are so many security people. Let's see you guys, this class in the corner. So what they had to do is, we trained a deep learning classifier, so a neural network, on a flag. And then we gave essentially each of the teams the model, and they had to reverse engineer what the flag was from the model. So from the weights on the neural network, kind of working backwards to figure out what it was trained on. And then they could do things like retrain it and then upload it to us as a patch. So it was kind of a crazy idea that explored this area of adversarial machine learning. So what kind of things do neural networks leak? How can we kind of attack neural networks? All those kinds of fun stuff. A cool thing that I did was, I'd heard about a Lisp machine before this moment. Does anyone know what Lisp is? Scheme. And Scheme, right? Yeah, so the way the story goes, it's in the 70s and 80s. Actually, talking about AI, all AI was done in Lisp. But it was very slow at the time, so groups at MIT actually created a processor to essentially run, technically not Lisp code, but microcode that... had an entire operating system in Lisp, an entire windowing system and everything, so they could run the AI applications faster. Actually, I can show you real quickly. Let's see if it works. Because I think history is super cool in thinking about where we went in terms of... So this is from the early 80s. The specific machine that's being emulated is called the CADR. And you can see it booted up and printed out.
One of the cool things is its font, and it's crazy. But you can do things like... Man, I'm gonna mess this up. "Hello class." And it'll print out "hello class." So this is a whole Lisp machine. So there's an emulator running that's emulating all the microcode here. I wrote a web server on top of this so they could talk to this machine through a web server. And then they had to find vulnerabilities in this and hack into it, which was very fun. Cool. The Doom running on the Xbox, that was super cool. They also... One of the other crazy things was... Anybody know anything about gamma rays and crazy physics things? Yeah. So do you know that they can actually flip a bit in your computer and make a zero into a one or a one into a zero? Yeah. So there's a famous story where the army was commissioning these massive supercomputers, and they had two different computers, like the same machine, in two different facilities. One machine had double the failure rate of the other. They tried replacing all the parts, doing everything that they could to fix it. They couldn't fix it. What they finally realized is that one machine was at sea level and the other machine was up in the mountains. And the one in the mountains had the double failure rate. And it was because of gamma rays going in and randomly flipping bits in the machine. So they put lead around it or whatever, and then the error rates dropped to exactly the same. So what this challenge was: write some assembly code that could survive bit flips, like still do the same thing no matter how many bit flips you did, and one of the teams actually did it. Was it at 4096 bits? Do you remember? I don't remember. But anyways, it was crazy. Cool stuff. So the game ran for a total game time of 24 hours. So we had 10 hours on Friday, 10 hours on Saturday, and 4 hours on Sunday. But the teams would work on stuff over the night.
So Friday night and Saturday night they would continue to work on challenges. They'd show up with exploits. Lots of cool stuff. We had some interesting stats. There were like 6000 flags stolen throughout the whole competition, which was kind of insane. New flags were generated every 6 minutes, and not every service was active at the same time. Usually we only had about 2 services active at once. So those numbers were pretty crazy. And so overall the team that did the best was PPP. They actually just crushed the competition. Turns out they had like 4 Lisp experts on their team that were able to exploit that challenge within 4 hours. And they just continued to exploit it, and nobody knew what the heck was going on or what was happening or how to fix it. For context also, 4 hours just kind of passed on that. I think it was 4.5 hours for people to pass their names and do a nice score with their team. Yeah, it was crazy. So then we were up on the closing ceremony stage for DEF CON. And the important thing to be asking is, why do the teams put in all this effort? What's in it for them? There's no cash prizes. Although some CTFs have cash prizes. What's more important than cash? Rest of the day. It's being sure, yes. True. That is a true statement. What else? Valuable objects, what was that? Jobs. Jobs. Jobs is respect. Respect. Respect. And you can get the job because of the respect you have through this, right? Because you put it on your resume. Respect. Respect. Anyways, they also do get a valuable object. That was very good. So I showed you, my badge is like white. I mean, the front is white, the back is yellow, but what the team gets is eight black badges, the special black badge that DEF CON makes that gives you access to the conference for the rest of your life. And so this is like the end. They wear it around the conference so that people know that you're a super awesome elite hacker. So having a black badge is really cool.
So we're really happy. The really crazy thing is apparently both of our shirt colors were the same this day. So you can see like our team is in purple and the other team, PPP, the winners, is in a slightly different purple. But we're kind of standing behind them and everyone else is standing in front. Some other people, if you're taking, I mean concurrently, 466 this semester, I don't know if that's possible, maybe for people who are further along. Yeah, so that's Dr. Yan Shoshitaishvili, who you'll meet next week because he's out of town today. Oh, I just spoiled that; still attend class. So he's kind of the face of our organization. And there's other professors here, and Tiffany Bao is the other professor at ASU who's involved. She was, she's still in China trying to get her visa to come back here. So she was not able to attend. So any questions on that? Just sharing some cool stuff we do here at ASU. Yeah. Do you guys participate in any other CTFs that travel, other than that one? Yeah. So it's tricky. So as organizers, we have put limits on ourselves on what we can and cannot do. We don't want to unfairly alter the game. And so when we play, we usually play with pwndevils and/or Shellphish. And Shellphish and pwndevils played at DEF CON. So we, the organizers, don't play in any CTF that's a qualifier event for DEF CON. But other than that, yeah, if you go to, actually, let's just do it right now. The best resource for this is a website called CTFTime.org. So there's literally CTFs every weekend. It's kind of insane. So we can boot this up, and now that all of you are back in the area, it's crazy slow now. Not you, obviously, but everyone else. So they have upcoming events, so there's always CTFs coming up. TokyoWesterns, they're a great CTF team. Their CTF is August 30th. That should be an insanely fun CTF. So yeah, there's constantly CTFs. Any other questions? Yeah, please.
I mean, if you have no experience hacking, like, are the pwndevils accepting somebody who doesn't know anything about hacking like that? Yeah. So the pwndevils are always looking for new members, right? Like, everyone always starts as a person who knows nothing. Like, nobody comes in and just, oh, magically things work, right? Like, it takes a lot of effort. So the pwndevils are always looking for new people who want to put in that effort to learn things. So they'll kind of help guide people on their path. And then they have weekly meetings to kind of increase their skills and work on things, but it's really competing in these CTFs that's super important, and that's how you build your skills. Yeah, and to add to that, not all the CTFs are the same level. That's right. There are CTFs, kind of, for like high school level, kind of, way up to that point. Yeah. So you can do them on your own. Yeah, it's a great way. And then all the past challenges are kind of available. So security is one of those areas where there's tons of resources available to you. So you should avail yourself of them and learn, study a lot of it. It really does benefit from being self-directed. Any other questions? 200 plus people, but I will be staring at you asking if you have questions for the next 15 weeks. So you might as well jump in now. Don't feel afraid. Yeah. What are the, so is it probably the old meeting times from before? Great question. I think they're meeting twice a week, but I'm not 100% certain. So Tuesday, but I don't know what it's about. Yes. Join the Slack. Everything will be announced as things get going. It's the beginning of the semester, so things kind of get a little crazy. And we have a great group running it. So I'm tangentially involved, and that's awesome. Cool. All right. Stuff about security at ASU. So why are you in this class? You can be honest. To graduate. To graduate.
It's required. Why is it required? Yeah. Going back. Security is a big deal. Security is a big deal. I mean, why? Is it a big deal? Do you agree with that? Or is that just how I forced you all into this class? Yeah. Do you read the news? I guess that's a good question. I don't know. Or Twitter or Instagram, or, showing my age, I'd say Snapchat. Myspace. Nice. Yeah. So security, right? So there's constantly, what's the latest data breach or security incident that you've heard about? What's that? What's that? What happened? What's that? All right. I don't know. Yeah. Well, I know Equifax was a big one. Equifax was insane. I don't even remember how many millions of people were affected. It was like half of the US population. Yeah. Insane. Yeah, there's, say it again. Citibank. Citibank. Yeah. That was a crazy recent one. JPMorgan Chase has been hacked, and so really, the way I think of it is, in the best case scenario every one of you is going to go out there and get awesome software development or software-adjacent jobs, right? Using your computer science degree. And so it's really important that you are aware and have a security mindset. So that's what we're here to try to help you do, is even if you don't go into security directly, even if you're not, you know, hacking on stuff or being a pentester or anything, just having that awareness of, oh, maybe we should be looking at how we're storing passwords in our database. Like, is this actually the right way to do this? And so then you can actually, you know, nudge other people, and they really need to think about this in security. Is there any, maybe this is an interesting question, does anybody think that they will graduate and develop some code, write some software or some system, that does not have a security impact? I'm happy to have that discussion. I want you to think about that.
The username and password has to have security, because if you say "invalid username" then we gave them information that that's not a real username, instead of "username and password is invalid." Yeah, this is a great point, right? So if you're making anything that has any sort of user credential, usernames and passwords, what information are you giving hackers? Are you storing that password? You may think, well, my site's not important, it's a dumb toy site, but how many of your users are reusing their Gmail password on your site, and then now your site is hacked and your database has leaked and their Gmail has been compromised because of what you did. Even low level, let's say, I don't know, firmware code on Intel chips or hardware chips, there are people who are finding vulnerabilities in those that allow people access to your machines. If you think of a case even like games, games don't have any impact, but a lot of kids play a lot of games, and do you want hackers to be able to hack into, you know, underage children's machines through your game? Probably not. That's why the Epic store sucks. What was that?
That's why the Epic store sucks. I don't know that the Epic store sucks. Epic Games, they constantly get hacked, and so all these kids and their accounts are constantly getting hacked. Yeah, it's crazy. And then the old school: there are cases of digital rights management for games or other things that would install basically administrator, root-level privileged software on your machine that has trivial vulnerabilities in it. In that way, so you know, so I bring this up, we're going to talk about the different ways we have security at ASU, but I do fundamentally believe that if you're graduating today with a computer science degree and you have no knowledge of security, you will be at a significant disadvantage. I was talking to people on Monday from the NSA who we're working with on research, and they said security, and to them it's terrifying, that's why we have so many more vulnerabilities, but we'll get into that. So I just want to address that off the bat. If you want to go deeper, so you want to go more into security, we have two undergrad cybersecurity concentration programs and three cybersecurity graduate concentration programs, so no matter what degree you're trying to get, you can get a concentration on your degree that says you are a whatever concentration of computer science or cybersecurity. I would be lying to stand up here and tell you you need to do this to get a job in the security industry; they value knowledge a lot more than credentials. So if you can, in the interview, explain and show you understand security, you understand threats, you understand this whole system and you can think adversarially, then getting a job won't be a battle. You can have a degree that says you're a computer scientist, but if you can't program or do anything, then you will have a difficult time getting a job. Questions on that?
We'll be set up again, so, concentrations. We have some pretty cool stuff. We are possibly changing this very slightly to make it a little easier to do a concentration, but nothing is finalized, so I won't announce that. If and when that happens, I'll let you know. But the basic idea of a concentration is, you're taking it because it's something we have at ASU that a lot of places don't, which is multiple undergraduate and graduate classes that focus on cybersecurity. So some of you want both of them; everybody's in 365 right now, yay. We are also, the NSA, the National Security Agency, yeah, and the Department of Homeland Security have designated ASU's Center for Cybersecurity and Digital Forensics, along with the cybersecurity program, as a National Center of Academic Excellence in Information Assurance Education. And we have questions about that: what does that mean? Yeah, it's a thing. So actually the cool thing it allows us to do, and what I'm talking about today, I'll probably talk about it later on in the semester but I can mention it now, is it allows us to get grant money from the government to give out scholarships for cybersecurity students. And this is actually a super cool program. Are any of the Scholarship for Service students in here? Cool, awesome, two, three. So basically this is a program where the federal government will pay for your tuition, pay for your stipend, and give you a stipend for up to two years for undergraduate, and maybe one additional year if you do the four plus one, with the expectation that for every year you get the scholarship, you go work for the federal government for a year. So this is like an insanely good deal. You get your school paid for, you can go work at, and we place students at, three-letter agencies like the NSA and the CIA, where you get a security clearance, you do work for the government for however long your degree was, and then you can decide to stay there or go into the private sector and make a ton of money with
now your expertise, your experience, and that sweet, sweet clearance. So if you're interested in that, please talk to me. We're actually looking for more and more students, so it's something that we're really excited about. It's open to only US citizens, so sorry, but this is actually probably the right time; it's going to be two years of funding, so if it's your junior year you can get your senior year, maybe one other, or whatever. So any other questions? Yeah. Where do you go if you want information about that? That's a great question. I believe, and now I'm just going to randomly click on stuff until it works, like a computer scientist. Okay, so I think our center, if you go to cdf.asu.edu, yeah, look at that. We have a, let's pull up, not the widgets video, we'll look at the start. So the information's a bit out of date on specific deadlines; we're in the process of updating it, actually it was not January because I did that, but all the information is here. You can talk to me, or you can really talk to Steve Yau; Steve Yau is running, administering this program, so I will connect you his way. Be persistent when you're emailing about this stuff; we get a ton of emails. So if you're interested in this, we're super happy to have you. So I honestly think it's a great primer, a great way to help folks. Any other questions? That's a good question. All right, now the super fun part of every class that you're going to be in today: syllabus time. So why do we do this? People understand? Yeah, so you can't claim that we didn't do it; that's basically a big reason, right? So, okay, so this is kind of setting expectations for the course. If you have questions, we can talk about it now. Stuff's online? Yep, all the stuff's on my website. I've linked to the syllabus through my ASU page or whatever; I did that a couple days ago, so I think there should be a link there to this website, but I actually have no idea how that shows up on your end, so I don't know. Yeah, okay, cool. Well, yeah, you will find that you are all smart
people. I think you type in my name, CSE 365, fall of '19; this is all online, you should be able to access all of this. And this will be the, basically, so I, what's the correct way to say this, you can ask me for my opinions later. I'll just say I don't use Canvas or Blackboard or any of that stuff. I think it's extra complicated; it doesn't really do what we need to do. So the way the class operates: I will post on this website. This website's kind of the main way that I will post information. So we'll put up here, after class, I'll add the lecture slides. I will try to, this is in the syllabus, I try to record all the lectures. You saw me probably in the beginning testing that. You know, stuff's weird, like I don't know if the file gets corrupted; I'm not going to reteach a course, so it's best effort. I'll just throw it on YouTube and I'll put a link to it here, so you can check this for the recorded classes. The goal is so that, A, there's currently 199 of you enrolled in this course; if you're out of town or whatever, you can't make it, you don't want to make it, I honestly don't care. Like, come, don't come; you are paying for this course, so your attendance is not really my problem, it's your problem. So if you end up missing but I don't record the lecture, that's just tough, that's life.

So, I think we're kind of in the syllabus, we're going to set office hours. Like today, we'll start next week, so it'll be clear; we'll have a schedule where it'll be office hours today, and we'll try to vary it. The important thing about office hours is, if there are no office hours that you can ever make because of work schedules or class schedules, let us know and we can maybe try to shift, or we're always happy to meet at any point.

The one thing I do use that I found very helpful is Piazza. Anybody use this before? Yeah, what do you think of it? Just as good as Canvas? Wow, that's real high praise. It's super useful, but their website loses access? Yeah, I mean, I only use it, I was saying,
yeah, I only use it for the Q&A, for discussions. So actually, to tell you the truth, I used to use a Google Group; it's pretty old school, just a web page and a Google Group, so that we can all help each other. And then it turns out that Google Groups do not do any authentication on emails. So I don't know how much you know about emails, but there's like DMARC and SPF, or I can't remember what the other tech is, that do authentication of emails. A student, right before a midterm, sent out an email to the class that the midterm would be open note, open book, which is definitely not true, sent as my email, and Gmail happily took that and sent it out to the entire class. I actually yelled at some of my friends who work at Google: why does this work this way, it's so terrible? But anyway, so then the next year I switched to Piazza. So I think the things that are really nice are that you can ask questions anonymously; you can also direct your questions just to us. So we'll basically just use the discussion features here, which we'll talk about in a second, why that's so important.

The description of this stuff: we're talking about cybersecurity, information assurance; we'll talk about the differences there. Did that person get an A for hacking your account? No, they didn't hack my account; that's way better. That person, I mean, I looked through the email, the headers and everything; they used some free email spoofing service in Russia, China or something, so there actually is not enough information in that email to be able to track it back to them. So it was a bummer, and it completely changed how I probably teach classes, but whatever. I've got other stories about other students, which I'll maybe tell later. As far as cybersecurity, is it going to be more like crypto? This is an everything class. So this is why this is, A, a 300-level class and, B, it's required now for all of the 400-level cybersecurity courses, because we're going to lay the groundwork. So this is like in the description:
we'll literally cover almost every topic you can think of in cybersecurity. I will probably dive in more heavily into areas that I am interested in, right? So this is the great thing about teaching: we'll cover everything, and I'll focus probably more time on stuff that I love; that's just kind of the way it is. So that actually is something else: if there's something you desperately would like us to cover, feel free to let me know. I can't guarantee that I'll make that happen, but I'll definitely be thinking about how to do that. Cool. There are projects, I assume people... Textbook: so everything you need to know to take this course will be given and will be discussed in lecture, so you do not need a textbook. That's why it's not a required textbook; it's recommended. It's a good textbook; I own a copy of this. I had a copy of this textbook when I took a version of this course at UCSB, and I will also post on the front page of the website the chapters in the textbook that match what we talk about. So I think it's actually a really good thing to have if you want to have it, so you're not just relying on me; you can get it outside. I mean, everybody learns differently, so if you learn by reading Matt Bishop's text better than any class stuff, then that's totally fine, I will not get offended. Questions on the textbook? It's kind of like the standard security textbook. Okay.

Course communication. Before we talk about this, look around this room; we're going to have to read it. Like, you can literally look back; you're just looking at the right place where there's five people. Now look at the back: there's a 300-person room, and there's currently 199 people enrolled in this course. Is anyone not enrolled in this course that wants to be? It's a real question, it's not a trick question; I'm not going to kick you out. We have space; I just don't want to get too crazy. I don't know that I can do 300 people yet. Okay, nobody's going to raise their hand, but if you want to get in this course and you cannot, but you're here, we're
trying to, what we call at UCSB crashing a course, let me know. I'm going to go too, I got in officially? Perfect, awesome, great, that is good. So cool, if we need that we can increase; I don't want to get too crazy. But regardless, there's a lot of people, and we're three people, two TAs, one professor, so we have to be in this together. I want all of you to get A's, but not easy A's; I want you to put in hard work to get A's. This class will require work and programming and projects, all that kind of stuff. I've had lots of success with students on a mailing list helping each other out, asking each other questions. We'll talk about academic integrity, all that not fun stuff. I highly recommend, if you've never read this document before: it sounds kind of inflammatory, kind of, "ask questions the smart way," which implies that there's a dumb way to ask questions, but the advice is really good. So let's imagine this. Put yourself in our perspective, or even another student's perspective. You get an email from a student that says "my program doesn't compile, here's a screenshot." You are a person with limited resources. What do you do when you see that email? You what?
Leave it on read. Leave it on read; you just skip it, maybe this person will figure it out. What would increase your odds of answering that question and helping that person? Tell them what you've tried so far. This person told you what they've tried so far. So if they said, "hey, I'm having some compile error, here's the text of it," so it's not a screenshot, so I can actually copy that text and maybe Google it or do something. "I've tried X, I've tried Y, I've tried making the binary executable, I've tried all these things and none of them work." Why does that help someone wanting to respond? It shows that they've put in effort. They've put in effort, right? If just every time, like, I'm not a compiler oracle; like, every time you get stuck you just jump and send it to me, you will get DQ'd, because I'm very, like, not disqualified but deprioritized at the bottom of the email queue, and I get a lot of emails. So I just went through, for DEF CON, basically a month or two I stopped responding to emails, and I cleared out like 500 emails. So yeah, like a lot of stuff. And I want to help, I definitely want to help, and you should all also want to help each other. But it's important to think about, and it's difficult when you're up against a deadline and the thing's not working, I totally understand that, but put yourself in the best situation so that people can help you. So this document talks a lot about that, about talking about what you've done, like make it easy to reply. Actually, really, the examples in here: if you do this correctly, this will help you in your entire career, right? You may think it's annoying to get an email like that in a class, but imagine you're on a team developing software and you're emailing the lead "compiler error, what is this nonsense." A few of those is fine, but over time they're like, "oh wow, this person doesn't know anything, why did we hire them again," right? We want you to be the best. Communication is
incredibly important, so it definitely makes sense to voice that. But one thing, and this is the, I will probably be very annoying to you if you're asking me questions on how to solve things. I've done this a lot; I usually know exactly what the problem is, unless you are writing a Lisp compiler that compiles a narrative program that solves the problem; on that point you're kind of on your own. But I usually know what the problem is, but I will not tell you what it is right away. Why? I want you to figure it out yourself, but not necessarily on your own time. I don't want to give you the answer; I want to guide you to how to think about how to solve the answer, right, and find that answer. Because obviously if you knew the answer you wouldn't be coming to me or the TAs; clearly there's something that's not clicking, something that's stuck, some crazy bug to figure out. We've all been there, right? Machines and computers are horrible; they barely work, and we are the magicians who are supposed to try to make it all work, right? And so it's going to be very frustrating, but at the same time I will ask you what you've tried, and I may have in my mind, "what about this," or "what about, how does string compare work, and what are you doing with the return value there?" Try to just think about what's wrong with the code. So it's not to blow you off; it's not helping you by guiding you to the correct answer to solve your problem, but to how to think about that problem, so you can solve the next problem in the future. Okay? Don't send each other code. Don't post a line on Piazza and be like, "hey, this is the code I wrote that totally works and solves that problem," right? I mean, do the same thing, take the same approach; you can help guide your people. You can say, "I saw that same error, this is probably the problem, like X, Y and Z." If you ever have a question about it, you can send us a private post on Piazza or send us an email. Can you ask others, like other people in this class, for help on your code or not? Let's pin it, we'll get to
it in a second, promise. Okay, cool. Another thing is part of scaling. So this is already happening: I've been getting emails about this class. I know there's 200 of you; it's totally reasonable. The only request I have is, because my email volume is insane, Piazza is very good for that. So that's why we have this Piazza. I get emails on those; the TAs check it, I check it; they can alert me if I need to go to something immediately. You know, a private post that's just visible to us. If you have something super sensitive that you just want to email me about, please do that. I'm not saying don't email me; I'm just saying, in terms of effective communication, email is not always the best way of communication. If you email us directly, which happens, right, of course, if it's sensitive, personal, private, we reply back to you, we figure out how to do that, we get your thing taken care of. If it's something that we think the entire class would be useful to understand, right, so you have a question about something, I don't know, I'm going to come up with a wrong example, but "what was the correct answer for you," right? If you email that to us and we just email it back to you, you're the only person who benefits from that answer. So what we'll do is we'll take your post and probably make a Piazza post, and then put our reply, and then link you to that post. We can also redact your name, which we've definitely done in the past; so we just take the content and reply, so nobody knows it was you who asked that question. If you tell us you're sick or whatever, we're obviously not going to post that on the thing, right? So I've done this successfully now for like five years, so I haven't had any problems with this. It's just really helpful, because, as they always say, right when you ask the question, somebody else has that exact same question; it's definitely true with these kinds of things. So we're trying to help each other.

All right, like I mentioned, we're going to cover everything, I mean
pretty much everything. We're going to start with the basics; we're going to talk about security, how do we think about security. We're going to talk about the cornerstones: access control. We'll touch on cryptography, authentication, network security, web security, system security including binary analysis, policy and management, risk assessment and risk management. These are actually incredibly important, but even though we're a technical course, is security purely a technical concept? No. Why not? What other things matter? The people. Do people matter? No? People matter. You think I can't see? I can see; well, it looks very far. Right, why do people matter? Yeah, like the psychology, like social engineering, stuff like that. Yeah, so you can have the best security in the world, your users log in with username and password; all it takes is one employee with high-level access to click on a link, to see a phishing page, to put in their username and password, and now I'm acting as that user, right? So we need to be thinking holistically about users. Yeah? Yes, and if you find like a bug bounty or something, you have to have the soft skills to be able to communicate the problem. Yes. So this is actually a good thing that permeates all of computer science, not just this. This is actually something that shocked me when I started at Microsoft: I spent about, I don't know, only half my time coding during the week. Like, the other half was in meetings deciding what we wanted to do; it was triaging bug reports; it was emailing my colleagues and discussing things, right? Like, nobody codes in isolation; you need to be able to talk with other people to do something, because you're acting on behalf of this traditional user. Cool. Privacy, anonymity, and we'll talk about legal and ethical issues too, because that actually is something that's very important, right? So we need to be aware of the legal and ethical ramifications of what we're trying to do. Cool.

All right, assessment. So this is the unfortunate nature of classes: I would love for all of
you to work very hard and then learn a lot of awesome stuff and go on with your lives, and I never have to grade you or give you a grade, right? The reality is we have to give grades; you have to earn the grades, right? I don't actually give grades; you do the work, you earn the grades. There'll be about three to six homework assignments, varying lengths and skills. A lot of it will be programming, so this will require programming skills. This is not a theoretical course; we are putting fingers to keyboards, actually doing stuff. There'll be a midterm, no outside notes or materials exams, and a final exam. That's kind of a programming-heavy course. So this is the layout: the homeworks are equally weighted and their total weight overall on the course is 60%; midterm exam 20; final exam 20. Questions on this? Yeah? Is it a final, if you're with it, or just a class? Yes. Can we do it? Yes. So on this test, are we writing code? Depends on, I don't know, we'll see. Let's not worry about these exams. Don't worry, that will be great; we'll talk about that. Let's not forget about that. I know it's totally not a problem as a student, but resist those urges.

All right, thresholds for grades. So my promise is I will never curve up. So what does that mean? Like, if you get 34%, that will always be an A. I will never curve that threshold up. I reserve the right to curve it down, in case, I don't know, I'll put it on me, in case that exam is incredibly more difficult than I thought it would be, I can reduce these down however I see fit. But you should always know; so there's like four things you need; you can always do basic math, right, adding numbers up, averaging them, multiplying by percentages, so you can always know your score. 34% is pretty generous for an A. Which one?
34%? You said, you said 94%. 94, 94. I mean, it depends on how the class goes. I took a math class once, or maybe a physics class, in college where like 60% was an A, so you're just like, yeah, I don't know what 40% was, maybe that was a C. All right, homework has due dates; things have times that they are due, right? I mean, that's like, I don't know, I work with deadlines all the time. So you can choose to be late or not late on an assignment. Every day it's late will be a 20% reduction, which stacks: two days late, 40%; three days late, 60%. So whatever you would have gotten, you submit it 100% a day late, you get 80% on that assignment. If you do 80% of the assignment and submit it a day late, you get whatever that is. What is 80% of 80? 64%, awesome. I don't know if that's right, but somebody else should check it; it's a security course. If, for whatever reason, you know, just talk to us for makeup exams; it really needs to be something important. I mean, the entire point is that we all take the exam at the same time so it's fair, all that fun stuff. We'll of course accommodate any religious holidays. If you need any special accommodations, please talk to me about it; I'll happily do that. All right, so then, sorry, before we get to the not fun stuff, any questions on this?
Do more? Okay, cool. So plagiarism is cheating, so don't. I mean, be an ethical person; don't submit somebody else's code as your own. I think that's really kind of what it comes down to. The reason why I'm actually particularly kind of harsh on this: so over the five years I've issued 27 academic integrity policy violations. I will also say I've submitted a policy violation for every case I've encountered. So if you come to me, and I've had students cry in my office, it's going to ruin their career and they're going to get sent home, whatever; it sucks, I understand it, but I need to report this, because it's not fair to the rest of the students in the class. So I've seen students who work insanely hard on projects, like, I don't know, whatever they claim, like, you know, and I know because they're in my office hours every week, every office hour; they work like 40, 50, 60, 70 hours on a project and they get a C, and another student takes their code and gets an A. That's not fair. So, you know, I understand you're sometimes up against the wall; don't do it, resist the urge, just take a C. Failure is okay; like, you can totally fail this class, take it later, it's not going to ruin your life, I promise. And I'm going to say most of you are taking CSE 340, maybe, or trying to take it; yeah, it's a hard class, it's got a 20 or 30% withdraw-or-fail rate, so 20 or 30% of those who started withdrew from the class or failed the course. It's fine, take it again, no problem. So don't let that be the excuse of, "oh, I couldn't fail," right? Failure is fine. Doing stuff unethically, of course, I understand: I write code, you know what I do a lot? I Google for how to do things, and I find something on Stack Overflow, and I say, "how do I do this in Python, that's exactly what I want," and I copy that into my code. So I understand that that's part of, honestly, the culture and reality. You can do that, but you better, just like a paper, cite where that came from, right? Just put a comment
right above that code that says, "hey, I got this from here." Of course you need to use your judgment. If you Google for "how do I solve assignment 1 of CSE 365" and then you copy-paste whatever you find there into your thing, and you're like, "well, I put in the comment," I can be like, "great, but you didn't write any code, you didn't do anything, so you get a zero." So, you know, use your judgment; if you have any questions, ask me. So then, talking about, I think it's time for your question. So, sharing code with fellow students: where it becomes a really big problem is when your code ends up the same, right? Just like writing a book, just like writing a paper in an English class: if your stuff is the same, if your paragraphs are the same, like, you copied that paragraph; that did not come from you. So to answer the question, this is kind of where the line is drawn. Work together, that's fine; talk at a high level; try to keep specifics, you know, like, use your best judgment. If your code ends up the same I will drop the hammer. I don't want to, so don't make me do that. So other things, these are examples that I've literally seen, so do not do this, but this is not an exhaustive list; I'm not saying it's all the different ways that you can violate the academic integrity policy. Sharing code with fellow students. Collaborating on code with fellow students; so people will say, "oh, but we worked together in the lab," and well, 90% of your code is exactly identical; like, that does not happen by accident. Yeah? What's the difference between helping another fellow student and collaborating on the code? Collaborating, like, directly on code with a student. So, I mean, are you doing the assignment for them, or are you helping them solve problems? And if it's something you wouldn't want to put on the mailing list, on the Piazza, that you're doing this, don't do that. That's a good one: imagine everything you're doing is public and we all see it. Will other students be outraged at what
you're doing? That's probably a good indicator that you should not do that. And, you know, submitting another student's code as your own; I need to fix this: submitting a prior student's code as your own. Another thing that had happened is a student posted their code on a public GitHub, and then the next day after it was due other students found it and then copied it and submitted it as their own for 80% instead of 100%, and so we had a real problem disentangling it. Keeping your code secure is up to you; this is a security course, right? You lose all of it on... What is it, do we need to use ASU General? Yeah, it's a shared system, so we will actually be using shared Unix systems like that. What is not an excuse is, "oh, my home directory is world-readable and I just accidentally did this and they accidentally happened to copy this homework file from me." That's on you; securing this stuff is on you. And the important thing is getting a repo; like, be a little bit aware. You actually get free private repos from GitHub; there's a GitHub Student Developer Pack that has even more stuff to it. The other thing that I hear from students, and this is something I always tell people about industry: people say, "well, I want to open source and release my code so that employers see how awesome I am," which is a great instinct. The trick is that, so you think about just this course, this semester, there is going to be 199 other people that do the exact same assignment you did. Is that really impressive? Like, why do you want to show that off to the employers? And then think about around the country, particularly in like a compilers course or something; everybody does those assignments. So I think actually the definitely better way to attract an employer's attention is to have a unique project on GitHub. Like, do something in your spare time, even if it's simple; have that be the centerpiece of your GitHub, not your code from your class assignments. Everyone does class assignments. That makes sense? Any questions on this?
We go with the 115? Okay, perfect, that's fair enough. Yeah? Do you like group projects, or like final projects? No, I don't think so. Cool. Let's see, any other thing? Oh, the other thing. Okay, so all of this assumes, I probably should have started with this, but yeah, for all of these policies: is anyone here under the age of 18? It could happen; we could have minors. Is anybody, if you want to raise your hand, but if you are, come talk to me. The rest of you, you're adults, right? So this syllabus we're talking about, you're reading it, these are the policies; you know, you're adults. Like, assignments are due when they're due, exams are on the days they're on, come to class, don't come to class; I treat you like adults. I'm not going to make you, unless everybody wants that, but it's probably only maybe five or ten a semester if they do. So yeah, we need to treat each other with respect; I think we'll do good. This is going back a bit, but if someone doesn't know anything about CTFs, does this class prepare you at all for CTFs? Yes. So we will be, especially binary analysis, the network security; we're going to talk about all the aspects, so that, you're not going to be amazing, but we're going to be definitely developing those skills. Some of the homework assignments will be hands-on security skills; we'll go break things just like a CTF, which should be fun. It's supposed to be fun; everything's supposed to be fun. Okay, cool. We've got time. All right, we're going to roll on to the next.

Cool, so let's have a 10-minute discussion; this doesn't have to be all 10 minutes. What is security? Seems like an important question, right? You're taking a course on essentially security, computer security. What does that mean? Let me go to the back. Sorry, yeah, gotta yell, sorry. Okay, good. So those are some interesting things, though, right: keeping people out of places, stopping them
from doing things I think you said they shouldn't do, you're not allowed to do. So it's important to kind of remember, is context important? So if I, before the start of the class, locked all the doors before anyone came in, that would be like not letting you come into this room, right? Is that security that I'm doing? That depends on the purpose I'm doing it for. I'm afraid one of you is going to attack me; I'm also denying you what you should have as a student, right? You have the right to be in this room; you're taking this class, right? So yeah, so it's important, context is always important, which I think got to your other points of, like, where you're not supposed to be, necessarily. Yeah, like, security is a system that's supposed to protect people. Protect them from what? What does protection mean? I mean, if we're talking about security, anything that would do them harm. Okay, anything that would do them harm. Any other comments? The means of protecting assets from, like, unauthorized forces or people. Okay, so we have a lot of concepts. So, means of protecting assets; what could be an asset? Your code. Your code. Yourself. Yourself. Your information, from online, to access, to the hardware here. Yeah, cool. So using either methodologies or methods; what's the difference? I'm just trying to dig. That's fine; this is the first day, you don't have to have a discussion, it's fine. Yeah, so multiple methods or methodologies to try to prevent unwanted parties from accessing. Yeah, so these are, you know, and then, so okay, so security: security kind of has this implicit notion of safety, right? We talk about that. What types of safety, like what things do we care about keeping safe? What was that? Money. So, like, you know, just data. Data, and at the end of the day it's all some data. Data's sake? I was going to say personal data. Personal data, which could be different, right? It could be, I mean, you think about the data on your phone; would you be super stoked to give one of your fellow students access to your phone with all your pictures and
emails and stuff? Hopefully not. Weapons. Weapons, weapons that might be connected to, like, the satellite or something like that. We're talking about physical safety, I think, which is kind of getting to that. So there's actually, think about safety, there's different components. So we think about maybe, in some sense, maybe like electronic or data security, right, which is really just bits, ones and zeroes, or it could be maybe pages; it could be printed out, physical data. There's also like a physical component. Yeah? Anything with apparent value. Anything with apparent value. It's important to whoever wants to steal it, because as long as somebody thinks there's value from it, I guess, from a defensive perspective, if somebody will gain value from stealing it, or you will lose value if you lose this thing, then yeah, that's an important thing. Okay. Information integrity. Information integrity, so making sure that the information is what we thought it was, right? So you think about, do you care about the integrity of your bank account? Yeah, kind of, depending on which direction it goes in. It's really better if it's because you spent some money and you authorized the money being spent, not because somebody hacked in and just changed, you know, your million-dollar bank account to a thousand dollars. Yeah, so all of these have, and this is actually a super key thing. It's actually, it was really funny, I think one of the first times I taught this course we covered this concept, and I had a student in the class who went out for internships, and these are like the things they talk about and the questions they bring up. So really key, and this is kind of synthesizing everything that we've talked about, right, of different aspects of security. So we'll touch on physical security a little bit, and we'll be kind of in a broad concept, because I want you to be, especially in the beginning, thinking very broadly and outside the box into what things mean. In the community, we think of essentially three aspects of security that try to
encompass all of these, and this is a super important topic that comes up again and again. It's kind of referred to as the CIA Triad, so it's really easy to remember, like the CIA. One is keeping secret things secret, right, so confidentiality. Right, there's information, like, actually I'm legally obligated to keep your grades secret, right? So to comply with that, these things like all these laptops are encrypted, so if I lose this laptop you won't be able to read the hard drive and look at other people's student data and student records. And inside there, there are topics that we're going to cover more and go more in depth: the idea of access control, who can access what, right? This goes back to the original point of who has the permission to access the records, versus everyone, because that may not be super useful. Encryption is also used in here; we'll get into encryption, but how to keep secret data secret. So that's the C. So then the I, integrity: how do we make sure that nobody's modifying or altering our data without our knowledge, right? So this is a huge important thing. We want to focus on kind of the prevention and detection, so we want to see how can we prevent modifying our data, our information, and how can we detect maybe when somebody has violated the integrity. And the third one is one that I think I tried to allude to a little bit, I think other people maybe mentioned it; it's kind of one that's very easy to forget about, and that's availability, right? So if I lock all the doors, or somebody, let's say a prankster, locks all the doors so we can't get into the room, we can't have class. Why is that a component of security? What if someone needs to get that thing, to lock all the doors? Yeah. Imagine you're at, like, an ATM, right, and you're trying to put your card in to get money out; if you need cash to pay for something, if you can't access that system, that's not good, right? I mean, you've been denied access to the system and you're not able to use it. And so this is a super
important thing to think about, and one of the things we always think about is denial of service. So can I deny somebody's service? One of the beautiful examples of this that I heard about was, so everybody kind of agree that email spam protection is pretty good? Do you get a lot of email spam? No? It's pretty good, right? Why is that? Well, it uses machine learning to look at the words that the scammers are using, and they can see that it's likely spam. So, but I heard about an interesting service that will send hundreds of thousands of emails at an email address that have random content that doesn't mean anything. But why is this useful? Okay, so you can maybe use that to test the anti-spam system, yeah. It also blows up your email; it blows up your email. So criminals were using this: they would target and try to hack into a bank, and during the time they would do that, they would first get the email addresses of all the IT and the security people, and they would use this service to flood their inbox so that the alerts from any internal systems would never make it, and the human wouldn't see that. So it's trying to attack the availability of a human's ability to, like, see what's going on and make responses. So this will be a very, very common topic throughout the semester, where we're talking about how much of the integrity, availability of the app, so it's