as the semester goes on. Cool. All right, let's rock and roll. It's 6:02, I'll be perfectly honest. I've never taught this late before, so it's very weird not teaching without coffee, but we will get through it together. Okay, everyone, if you made it to the Zoom, you are in the right place. This is CSE 365 for Spring 2021. If you have friends in this course who are having trouble finding the Zoom link because there's no Canvas, please send them this link or send them to the website. We'll dig in there later. If you have any questions, feel free, type it in the chat or raise your hand or unmute whatever it is that you wanna do is good. Cool, all right, let's get started. And first, as a way of introduction, so hey, everyone, I probably haven't met the vast majority of you. I'm Adam Doupé, and a little bit about my background so that you can understand kind of where I'm coming from and I don't know if you wanna chat about anything or need my advice about anything. So I did my PhD at UC Santa Barbara where I actually got technically three, yeah, so the slides are posted on the website. So if you go to the website and then go to schedule, they'll be on there, unless I broke it actually, I didn't check before I pushed my last changes. So hopefully they're there. So I did, actually I did my undergrad, I did the four, basically the equivalent of the four plus one at UCSB. So I did undergrad and masters at UCSB and then went to decide that I was never coming back to academia. I was gonna make tons of money and went to go work for Microsoft as a software developer. I was there a year before I realized I really missed, before I really missed research. And so I went back for a PhD at UCSB and I graduated from there and got a job here at ASU. So I've been teaching here since 2016. MS is a master's. So it's the like, ASU has a four plus one. So you can do a bachelor's and a master's degree in computer science in five years, basically.
And so from here then, and one of the things that I, oh, doing what at Microsoft? Okay, yeah, good question. So at Microsoft, I was working as a software developer. I was working on a team that was the user experience team. So basically the idea was we had technical writers that wrote all the help content for how to use various things in Windows Server. If you've ever used MSDN and seen the online documentation, about I think 70% of the content that was on MSDN went through our system. So basically you had technical writers that wanna write content. They hate actually using technical tools. So this was before the days of Markdown and everything. So it was all XML based, but they hated XML. And so we had a whole build chain and system for them to write their docs in XML using Microsoft Word, which is insane in itself, but they really liked that. And then we were able to publish those documents to where if you're using Windows and you hit F1 and that help file comes up in various things. So it could build out a .chm file, which is how those things get made or it could spit the same content out to MSDN. So yeah, I really liked it there, but I realized like with research, I think I found that basically the fundamental difference was with research, I was fundamentally doing something new. Whereas at my job, I was kind of building another app type thing, which I liked it and I liked solving problems, but with research, you get to actually do something that fundamentally no human has ever done before. And cool. And then I kind of got into security through playing capture the flag games, which we'll see a little bit more about in a second. And that's how I got really into security and why I really like cybersecurity. And so I wanna introduce you to the pwndevils. If you feel yourself getting very interested into the course, they have meetings every Monday at 4:30 PM. You go check it out. They have a Discord server.
They play with, they actually the pwndevils at ASU and Shellphish from UCSB merged into kind of one team. So they still hold ASU meetings as pwndevils. And yeah, if you can't join, still hang out and or you can still join the Discord, ask questions if this stuff really interests you. I found a lot of the students who take this class really like, yeah, so they're ASU's CTF club. Okay, yeah, my office hours are Thursdays from 3 PM to 4 PM. And next, Tiffany is going to introduce herself. So we'll explain why in a second. Right. And thanks Adam for the introduction. Hey everyone, guys. Can't hear you, Tiffany. Give me a second. Wait, can you guys hear her? And it's just me. Can you guys hear me now? Yeah, I can hear her just fine. We can hear her. Yeah, I can hear her too. Okay, just fine. All right, Adam, blame yourself. Cool. So, hey everyone, I am Tiffany. And Adam and I, we are friends. We're also very close, collaborated colleagues. And I am an assistant professor at ASU. Adam and I were from the same lab, SEFCOM lab. And a little bit background about me. I am, I mean, I graduated. I was a PhD student at CMU, CyLab, which is also a security lab doing all different kinds of cyber security research. And specifically my research is about software security. You can, I call it, actually, I call it aspects of software security. I just come up with this new name because I touched a very broad aspects about software security. For more information, you can just check my research link over there. You should be able to get a like more detailed description about what research that I'm doing right now. And also my office hour is Tuesday after the session. Like after I have a class from, I think it's from 10 to 11. And I have an office hour from 11 to 12. And also this is the link and you can just like visit that to my office hour. And you will get more information about how the course rolls. Adam will introduce about that.
So, but like for you, you can go to either the office of either my or Adam's and also all the TAs which Adam will also talk about later. And that's pretty much about me, thanks. Did you talk about, sorry, I couldn't hear you for a while, Tiff. Did you talk about the fact that you basically looked at cyber security, exploit development in terms of nuclear mutually assured destruction? And it won you an award from the nationals, from the NSA? I didn't mention that, but yeah, that is something that I was looking to basically, I found this very interesting comparison between nuclear weapons and the zero-day vulnerabilities in software security. And then I kind of like match them up and try to get the difference and the common thing. And I conclude this for cyber security, for zero-day vulnerabilities, there's also such mutual, MAD, mutual assured deterrence. So I would like to call it MAD because it's pretty bad, honestly. Awesome. Yep, anyway, thanks, Adam. Cool, yeah, thanks, Tiff. Okay, so yeah, we got a lot of support for this class. So as you'll see, we have a bunch of students in this class. I can't really see right now easily how many are in this Zoom. It's probably in the 200-ish range, but it should be higher, but I guess people figured out, 274? Wow, that's actually amazing. I'm shocked. I don't think I've ever got that in an in-person class in terms of attendance on the first day, but I guess it's hard to tell. Yeah, wait a week, indeed. Okay, cool. So then the, we have a number of TAs. So on the left is our TAs, on the right is our undergrad TAs. You'll get to know them fairly well as the semester progresses. Maybe we'll let them introduce themselves later. Not here yet. But okay, so what Tiffany said, we're gonna be, we're kind of trying to, I wouldn't say take advantage of the pandemic, but take advantage of the fact that this course, both sections of CSE 365 are gonna be completely online for this semester.
And so we said, well, it seems kind of redundant for us to be teaching the same content just to two different classes. What if we like merge the classes into one superclass? So that's kind of gonna be the model that we're gonna take. So we're thinking of the classes in terms of sessions. So we have the, you know, the class that you're in right now, the Monday, Wednesday session, the session two is Tuesday, Thursdays. Oh, I messed that up tonight. 10:30 AM to 11:45 AM. And so we're kind of gonna do a model where one of the sections will be live and the next session will be replay. So for instance, like right now, this class is clearly live. So what we do is we'll record and my dog is attacking me now. Okay. So what we'll do is record a live lecture. So I'll give a lecture on access control, let's say, and in session one on Monday and then in session two on Tuesday, I'll play the recorded lecture, but I'll be there during class to answer questions. We'll have discussions as well. So when there's discussion points, we do a lot of discussion based kind of Socratic method style learning in this class, which I think is really important. And so that way, the same person that teaches the lecture will be there. So Tiffany and I have kind of split up the content. So she is a crypto expert who didn't you, was it last year you created a CTF challenge that had like people proving things about crypto stuff. Right. It's at DEF CON. I even created a website to prove my math crypto talent. Yeah, that's right. Yeah. So you can attend any session you want. So it's totally up to you. We will also record the sessions, the live sessions will always be recorded and posted online. So you can also, I mean, you know, yeah, we'll figure that out. We'll figure out the deltas between them. No, I messed up on the time. Anyways, I'm getting to start the chat. Yes, it's me messed up the time. Yeah, I'm sorry for that. It's 10. I mean, I'm pretty sure that a session to the best of that.
No, I did it. I messed it up. I deliberately remember making that. So anyways, yeah, you feel free to attend. You can attend both if you want and you want extra, you know, extra refresher session. You can attend literally anything, but we're kind of treating these classes as kind of one big class. And so, yeah, and everything will be on the course website and it will be announced basically before we go. You are not required to attend for that question. So, you know, I treat students like adults. You're all adults, so attend, don't attend. You know, I mean, you'll get a lot more out of attending I think and asking questions and talking with that. And so, yeah, you know, we'll, our goal is to provide you in advance with the schedules. So you'll know exactly what things are live and what things are replays so that you can decide to optimize for whatever sounds good. Okay, cool. Where are we here? Okay, yeah, now let's go check out the website. Okay, is this big enough so that everyone can see the content? Yes. Yep, okay, awesome. Cool, so this is where you can find all the information out about the course, cse365.io, has kind of the philosophy we're going for here. That Tiffany and I, our email addresses, if you need to get in contact with us, teaching assistants, names and email addresses for them, we'll post the undergrad TAs as we finalize all that. And okay, so then the other important thing, what we're just talking about on the schedule. So we're gonna be updating this Google calendar with the schedule of the courses. So you can kind of see I've optimized here that like this session is live and obviously tomorrow, well, not obviously, but tomorrow morning, the session two class will be live as well because they don't know about this model necessarily. But starting on Wednesday, we'll be going into this where for the moment Wednesday will be live and Thursday will be recorded. And so we'll try to keep this up to date, at least a week or two in advance. 
It kind of depends on what the content is because we're splitting this up kind of based on content. So roughly half of the time session one will be live and session two will be recordings and the other half session two will be live and session one will be recordings. And then we also have office hours set up between us and the TAs. So I think between all of us, we have 12 hours of office hours a week. There will be Zoom links of how you can attend them. Since you don't have assignments yet, I don't think anybody's gonna want to attend yet. So yeah, there's the schedule and then down here is where we'll post the schedule as we go. Oh, I did, it did work, cool. So we'll post the slides that we cover and any of the videos will also go here of the recording. Any questions so far on the schedule? Tomorrow's class is live. So tomorrow, Tuesday session is live. Wednesday session is live. Thursday is recording. Right, but tomorrow's session's gonna be the same as today. Yes, tomorrow's session's gonna be exactly the same. We're gonna have to do this exact same thing with them because we haven't merged the classes yet. Any other questions? All right, cool. Adam, I saw a question, it's asking about Canvas. So right now we're... We haven't decided we're... Oh, go ahead, Tiff. Yeah, go ahead. Actually, I already set a link in Canvas to redirect everything to this course website. Okay, cool. Yeah, I meant to do that. Yeah, so we may post grades on Canvas. We're not sure yet, but everything will be on the website. So basically, Canvas will just redirect you here because we want everything to happen through the website basically. So the one thing we will have though is discussions. So for communication, so the really important thing when managing a class, so now that we've explained this model, not only the 300 students that we have enrolled in this class, how many students are in your class, Tiffany? It's also about 300. Yeah, I think it's around 300. So we have 600 people here. 
And so we will... We're gonna take advantage of Piazza and use that to... Okay, anyways, I can't show you right now because I'm not logged in at the moment. But let's go to... Okay, so let's go to the syllabus. We'll cover this now. Prereqs, I think. So the basic idea, so the way to think about this class and the way I think about this class is it's a required class for all computer science students at ASU because as hopefully will become clear the more and more you take this class, security of systems is really affected by... Once you go and graduate, any work that you do will impact the security of systems. And so we'll see kind of the dire consequences. Even electrical engineers making hardware. There's actually been a lot of recent work on how to take advantage from software of hardware defects or hardware problems. There's a whole field of Rowhammer attacks where they're able to flip a bit in memory inside of a memory chip just by reading and writing to various parts of RAM. So security really impacts everything. And so what we're gonna do in this class is do a broad overview of all areas of security. I'll talk later about the different other classes we have from here, but the idea is this class, we're gonna go over basically everything. And then from here, there's further classes where if you really wanna go in depth, you can take more on that. So prereqs, there's, I think, I don't think you can sign up for this class with the prereqs. This will be a programming and hands-on course. So where you'll need to know how to, so this will be something that will, the very first assignment we'll have will go over this. It won't be assigned until Thursday for the textbook. So everything you need, there's no required textbook. Everything you need will be provided in lectures, but there is this textbook, the Introduction to Computer Security. Feel free to buy it.
I don't think I posted it, but I have the link between the topics we talk about and the sections in the book. So if you want something to supplement your learning, feel free to buy the book. It's a good book, it's not terrible. So feel free to get that if you would like. Any questions on that so far? Okay, cool. So course communication. So I guess the golden number to think about in your mind is 600, right? So it's one way to think about it is 600 versus two or 600 versus how many TAs do we have total with undergrads? Six, 11, 13 with us. Yeah, we have, well, 12. We have five TAs, five UGTAs plus us, this is 12. Right, okay. So yeah, so this is why we're gonna use Piazza as a method of asking questions. If you've never used Piazza, it's actually, I really like it for classroom discussions. You can ask questions and other students can answer, the TAs can answer, the undergrad TAs can answer, instructors can answer. We can also mark answers that are, will also mark answers that are good answers. But it's important if you've never read this, I really highly recommend you to take the time to read this, How To Ask Questions The Smart Way. There's, it's a big difference if you get a question that says, hey, my program doesn't compile, what's up? That's a little bit more difficult to debug and understand. Whereas if you say, hey, my C program won't compile, my compiler is giving me these errors when I run it with these arguments. I tried X, Y and Z, they don't work. And so I'm not, so I'm kind of run out of ways. What other things should I look at? So that is definitely something that we, that I highly, highly, highly recommend you read this. It's a great article. It'll help you especially in your job. So think about when you're, think about in your job when you, I found this, sorry, going forward, is when I was in my job, oftentimes as a junior engineer you are thrust into a system and they say, okay, go fix these bugs. And it's really difficult.
You want to ask questions of your colleagues that in ways that they will actually help you out. So it's really highly recommended. And okay, so you can, the other thing is that's important is to think about, we definitely want you all to help each other. This is something that is really important to answering each other's questions. It really does help you learn when you answer people's questions. On the same time, if they say, hey, how do I solve assignment one? And you just say, oh, here's the code that solves assignment one. That goes against the academic integrity problems. So the way that I've found is the most effective is to try to point out their mistake or point them to a resource. So rather than saying, oh, maybe here is something that looks like it's similar to your mistake or your problem, this really helps. So yeah, we want everyone to do the work. We want you to get good grades and we want you to, and we want you to do well on the course, but of course we want you to learn. And so we want you to do your own work. That's something that's super important. If you have a question for us, please make it as a private post on Piazza. So this is a way you can set a post such that it's only accessible to the professors. And that way we can get through it there. It also helps that there's two of us, so we'll be double on top of those things. And the final important thing, so this is when you think about communication. So imagine 1,200 eyeballs out there and they're asking us a question and they're sending us a private email or something. Oftentimes, and it's definitely true, I found, is people have the same question in the rest of the class. So oftentimes what we'll do is we'll take your question with your name removed, oftentimes, if it's a private question or something like that, and we'll reply on Piazza. And this way everyone in the class can see the response here and it actually really helps. 
So it's up to you to be on top of the Piazza, to look at the post. It has really good search functionality so you can search for different questions on different assignments. So it's really cool. Any questions on communication? Nope, good. Here's kind of the rough list of topics we'll cover. I mean, all kinds of stuff. I'm not gonna go into this. We'll hit all these things. I think it'll be pretty cool. You can access the course Piazza on the website. So there should be a link to the Piazza on the website. All right, and since everyone, we gotta give you grades. So we actually have decided this semester to get rid of exams. So we won't have any exams and we will... So it's basically just gonna be homework assignments and essentially we're thinking of them as a week long practical hands-on exam. So that's a CTF or capture the flags. So basically, we'll have three to seven homework assignments in the course. They'll cover the materials presented in the lecture. They're pretty fun. I think we've got some good stuff in here. And so rather than doing an exam, we'll have a midterm capture the flag where it'll basically be a week long. It'll be open for a week. It's not that you have to work an entire week on this, but it will be open for a week and there'll be different challenges that you'll have to solve using the techniques that we talked about in class and solving those will get you good points that should be really cool. And so for these midterms and final, oh, I didn't change this to CTF. For the midterm and final CTF, these will be done individually and you can... So don't discuss it with each other, but you can come and talk to us or the TAs just like you would do with a take-home exam. Any questions on these assignments? Your dog has some questions? Yeah, the dog is going crazy. Sorry. She's trying to be corralled into the other room. She found, she's applying now. Okay, cool. 
So as far as grades, so now that we have homework midterms, midterm CTF, final CTF, so homework 70%, midterm CTF 10% and final CTF 20%. Yes, homeworks will all be, I think actually now everything is automatically graded. If the CTFs are auto graded, so you'll know what your score is right away, the homeworks will be auto graded. Yeah, that's interesting. So yes, we'll talk about the exact things of the homeworks in a second. We use Gradescope for automated homework submission, which is actually really great. So you can submit, I believe as many times as you want. Anyways, we'll get into that as soon as the first assignment will be released on Wednesday. So we'll be able to see that there. Okay, letter grade threshold. So the way that we run the course, the idea is we're never gonna raise the curve. So we'll start the grades here. So basically, so if you get above 100%, you'll get an A plus if you get 93 or above, you get an A, a 90 or above, A minus and so on and so forth. So we may lower that. So we may say, oh, well, maybe it makes more sense for a B minus to go down to 79 or 78, kind of depending on how the students go. But we'll lower it, but we'll never raise it. Does that make sense? So it won't be that if you get a 91%, it will never be an A minus. Does that make sense? Is extra credit offered? Is that how you would get over 100? Yes, we haven't decided exactly where those go yet, but yes, there will be opportunities for extra credit. Cool, let's move on to finished grading. So we've decided to continue offering the Y grade for students that want it. I'm not gonna go into all this so much because you don't have to decide for another, I don't know, 13 weeks, but you can if you want select to get a Y grade, which is the equivalent of a pass grade. I think this has been kind of standard in the pandemic times. So if you have any questions on this, I'll bring this up later. So we don't have to go into it too much now.
Yes, lectures will be accessible outside of class. They'll be posted on YouTube and links to them will be on this website, cse365.io. Okay, homework due dates. So basically the policies, like we said, it's all self-automated grading. So each day an assignment is late will deduct 20%. So 20% the first day, 40% the second day, 60% the third day. The highest grade that you get overall is your grade and it'll show you in Gradescope exactly what that is. I guess this does not apply with exams because we don't have exams. So all of this is superfluous. That's good. And of course, if you have circumstances of why things are late, talk to us, we're reasonable people. Okay, how are we doing on time? What do we go till 7:15? Yeah. Okay, if you need any special accommodations, I think if you register with the DRC, we should be all good and we get those things. So that should be good. Okay, now this is the not fun part. So plagiarism and cheating. So basically we want you to do your own work. Believe it or not, the things we're teaching you are not a silly busy work to fill your time. These are actually skills and things that will be useful to you as you go forward, not just here at ASU in future classes, but as you go forward in your careers. So I highly encourage you to actually do these assignments and do the CTF exams or the CTFs. If you've never read these before, feel free to peruse the student code of conduct and the academic integrity policy. And so one thing that comes up, we understand and we actually are very much a part of people that program by and Google for things and use snippets of code that we find online. So you can definitely use snippets of code that you find online, but always, always comment it and document it, put a comment in your code that says, hey, I found this from this website.
So this way, when we run the submissions through plagiarism detection and we see two functions that are identical, we say, oh, look, they got this both from the same part, right? This isn't plagiarism. They're just using resources that they find online, which is finding these things is itself an important skill. So that being said, there's a zero tolerance policy in this class. So any violation of the academic integrity policy was on a zero in the assignment and we will file forward the violation to the dean's office. I've so far issued, wow, that's number keeps getting higher. 27 academic integrity policy violations. And frankly, I mean, to be honest, if you want to cheat yourself out, like you're paying for this class, if you want to cheat yourself out and not learn anything and get an A, I used to think that wasn't a big deal, but then I realized and I saw how much effort some students put into the course and they get Bs and Cs. So it's not fair to them and it's not fair to the rest of the students if you are essentially taking away from them and they're getting an A for cheating. So this is why I do take this thing seriously. Okay, so some examples in case you need to know this, sharing code with students, collaborating with code on code with a fellow student when it's not a group assignment, submitting another student's code as your own. I've seen this before where somebody didn't even change the ASU ID of the person they took the assignment from. That was very fun. Believe it or not, we have submitting a prior students code as your own. We have all of these assignments from all the years so don't submit somebody else's assignment. Any questions on this so far? Can you say it again? That was very, it was pretty low for me. I'm sorry. So like for homework, are you just like not allowed to work with like anybody for any reason? Each assignment will be different. So it'll be clear based on the assignment of if you can or can't. 
Most of the stuff it's for you to do alone. There will I think be some assignments that'll be group assignments, but mostly no. Okay, the other thing and this is a thing that has definitely come up before. You can see a good syllabus policy by the number of things they've had to put in there based on things they found. So basically I've, so don't post your assignment code online. And this includes working out a public GitHub repo. So GitHub now has private repos that you can do. There's a GitHub student developer pack if you've never known that has private repos. And basically in the key argument that people sometimes say is while I'm trying to impress potential employers with my coding skills. And I would highly, highly recommend doing literally anything else. Any type of open source project will be more impressive than something you did for class. Cause if you think about it, almost every student that graduates does some, you know, does assignments for school. And I've seen this as when I was recruiting for Microsoft. So we would look at people's if they had open source code. And if it's just class assignments, that's not super impressive. Like everybody does these assignments, right? What's impressive is if you go outside of your way and you do an assignment that or not an assignment, but you program something that is outside of the bounds of class of just any, it could be anything cool that you think that that would be cool. And that you will not believe how much that puts you head and shoulders above of other candidates. And it could be something silly or easy. Go ahead Tiff. Yeah, and also I want to say that you may actually ignite more concern than, you know, showing your capabilities because every company cares about copyright. Like they know that this is a homework. And of course they know that this is not something they were supposed to publish. So what if you just published some, you know, comp this private code to GitHub. 
This will definitely be a no-no and companies don't want to do that. So make sure that you only publish what you are supposed to publish. This will help you in your job hunting. That's actually a great point, Tiffany. It reminds me of a story when I was at Microsoft. I was looking at some code of our project and we were redoing this like tree view of a file system inside of our windowing thing, whatever it was. And so we, I went and I was like, okay, but how do you actually build some of these? So I Googled like tutorial for building this tree-based file system in like Windows GUIs or whatever. And I look at this article and I'm like, huh, this code is very similar to the code that's in our product. Like what? And so I went to my boss and I showed him and he's like, oh, what's the copyright on that code? I'm like, there's no copyright. So it means that it's copyright of the author. He's like, rip it out immediately and rewrite it. Like can't do that. So some contractor or somebody years before had done that without thinking about that. If you do that, you open yourself up to legal liability. Right. Cool. Okay. So this update, and I actually did. So people have been asking, I think Tiffany, is this a holdover from 545? Yes. Okay. So ignore this line for now. Let me, I'm gonna pull up my old one because we'll update it to this basically. Okay. Yeah. So there's nothing about programming. So that's good. I mean, programming is important, but yeah, you don't definitely not have to know Python and bash or we'll get into the stuff that you need to know. The assignments for the most part will let you choose your own programming language using Makefiles. So we'll get into that. The assignments will kind of ease us in there. You can choose to use Python. If you've got super stoked about learning Python from this class, feel free to use Python. So yeah, sorry, this line will need to be removed. Yeah. This line. I was like reading that.
I was like, I think this is from a grad course. Yep. Okay. Let's see. Okay. We did plagiarism, syllabus update. We may need to update the syllabus. We'll try to update you if we need to, of course. Okay. Work-life balance. So you want to talk about this, Tiffany? You're the one who posted this in? Or no, you took it from somebody else. So. Yeah, sure. I like to talk about that work-life balance because, you know, guys, we know that this is a very special semester. It's not that special because we're being through this last semester, but it's still very special compared to the most of the years that you stay at ASU. So we cared about your career. We cared about your grades, but also more importantly, we cared about you as yourself. So please just, you know, maintain your health, maintain your, like, mental and physical health very well. And, you know, I put a lot of things, just like, it's not something that the people will always tell you, right? Like, eat well, exercise, don't smoke, don't drink too much. Anyway, but like, just take care of yourself using the way that you feel most comfortable with. And if you have something, like, maybe you got infected during this semester, maybe you bumped into some serious family crisis during this semester, that's also fine. So just let us know. And if there is anything, any difficulty in like accomplishing, finishing the homework or finishing the CTF, just let us know. We are happy to help you, you know, resolve the issues to like do our best to resolve the issues. And also there is ASU counseling services that can help you with your mental health if you need, as well as the ASU's health center. So please just don't hesitate to contact us or contact any of those counselings or ASU health centers if you have anything serious. 
Also, you're very welcome to reach out to those TAs for any of those questions, like homework-wise or campus, like the ASU Life by Things, they have been staying here for, I think most of them have staying in longer time that you do, maybe they will be able to help you with those stuff, that's it. Awesome, yeah, that's great. Thanks, Tiff. Okay, great. Title IX, yeah, so, you know, sexual violence and harassment based on sex is prohibited. And we, there's information and resources you can find here, we're also mandatory reporters. So if we become aware of anything of any acts of sexual discrimination or sexual violence or dating violence, anything like that, then we are obligated to report them. There's counseling services that you can talk to people and there's lots of resources available. Cool, I mean, that part's not cool, but you know, we're here for you. All right, I think we did it all. Okay, let's get back to those slides. All right, let's talk about some fun CTF stuff. So I thought about updating this. Based on our last year, and then I realized this was the last year we actually got to be in person. So we got to see people, pictures of people actually together. So that's why I chose to keep this in. So Tiff and I are actually part of a team that runs the, in some sense, the Olympics of capture the flag competitions. Essentially, capture the flag competitions are competitions where organizers create essentially little puzzles. So they create like a service that has some type of vulnerability that you have to break into in order to steal a flag. And you show the organizers that you stole this by stealing their flags. So Tiff and I are members of the Order of the Overflow. And so we yearly hold this competition. This was in 2019. So we have six other CTF events that were pre-qualifier. So the winner there would qualify for our competition. And then we have our own, so we host basically two capture the flag competitions. 
One in May, where we had 1200 teams from around the world that competed. And so they had over the course of 48 hours a number of challenges to solve. And the winning team solved a ton of challenges. It was kind of crazy. PPP, which is actually a team from CMU, from Tiffany's alma mater of CMU. So we don't hold that against her. We think that that's just fine. And so then so that we invited 16 teams around the world to play with us. So this is what basically the area would look like. So the CTF is actually held with the DEF CON security conference. This is a conference that happens in Las Vegas every August for 27 years straight until last year with the pandemic, they had to go 100% online. And so the DEF CON conference, over 30,000 people from around the world come to this conference and attend and they... And so the CTF happens inside there. So it's kind of like in what I meant, like the Olympics, there's other qualifying events and we bring the top 16 teams around the world to compete here. We have teams from Taiwan, China, the US. There's like three or four US teams. What other teams? Korea. Korea, yeah, they're very big into CTF. And so we as organizers basically run this game. And so we create all the challenges. Tiffany comes up with insane crypto things for them to solve. I come up with really weird things for them to solve. Let's see if this video plays. You won't be able to hear it there, but so you can kind of get a feel for the space and maybe you can longingly look at images of people actually less than six feet apart from each other and then close space. So that's us up there on the stage kind of making sure that the game runs. You probably didn't notice it, but I can point it out because we had to deal with it, is all of those things along the ground is all cords that we had to tape down, or else the fire marshal would yell at us if we did it incorrectly. So we had... Yeah, anyways, lots of fun stuff. I already did that. Oh, that was right. 
The crazy thing that we did is on Saturday morning we gave all the teams an original Xbox, so the very first Xbox. And when they would plug it in, it would download from us a Doom game. So we got Doom to run on the original Xbox and they'd play a literal capture the flag against each other. But when they did this, they actually found out that their guns wouldn't shoot. And so what they had to do was capture the binary as it was going across the wire, reverse engineer it to figure out how it worked and then change the binary so that they could allow them to do things like shoot. And we had a number of... Basically, we put bugs in there that would let them jump through walls, like wall hacks and stuff like that. And there were certain areas that by analyzing the binary and the maps, there were certain areas that you could capture the flag which you couldn't access normally, so you had to find them in there. So it was pretty cool. The teams played this for like hours straight. It turned out what happened though is like... A couple of the teams, like PPP, had people who are like professional level Doom players so they would just... They figured out how to shoot and then they'd just run around destroying people for days. So it was pretty fun. And yeah, so this is some of the other stuff we had there. They had to hack iOS apps, like a similar thing like Telegram. They had to hack deep learning models. So if you've heard a lot about deep learning or artificial intelligence or machine learning, this is basically really complicated neural networks. Oh, these games ran for 48 hours. No, no, ran for a total of 24 hours, split over three days, right? Right. Eight and four, is that right? No, 10, 10, four. 10, 10, four. Yeah. And so we would only release certain challenges over the course of the game. But yeah, the deep learning model was super cool. 
So we would train a neural network to recognize a flag and then you had to identify, like be able to extract the flag from that neural network, adversarially from other people even, which was really cool. We did a challenge with a Lisp machine. So in the early 80s, they actually had machines that would actually run the operating system. Everything was written in Lisp and the CPU actually could execute a microcode that was based on Lisp. And so I turned that into a web server and they had to hack this Lisp machine. Oh, that was super fun. So anyways, yeah. So this is kind of the stuff that we do. Oh, so a flag for a capture the flag is just a piece of information that says that you hacked it. So we'll get into this kind of, but it basically means like, hey, this system shouldn't allow me to get this flag. Like if you think about an iOS app, if there's a file on your iPhone that an app shouldn't be able to access, but I hack into your Telegram app and read that file, then that means that I've taken over your application. Cool, yeah. So we ran for a lot of games. There was a lot of flags stolen. It was a lot of craziness. PPP ended up on top that year, which was really cool. This was again, man, is Tiffany in this picture? No, you were in... No, I was in China. That's right. Okay, yeah. I'm over here. Yan is one of the other guys. Yan Shoshitaishvili, he teaches 465. If you end up taking a class from him. Yeah, so that anyways, this was the closing ceremonies where we... So, oh, the big thing is, what do the teams compete for? So the DEF CON conference is, it's one of those conferences that it costs $300 and it's all cash. So it's a three day conference, $300 cash. So the winners get eight of these black badges. So it's a badge, you kind of can see it's on them now, but it's black and it basically gets them free access to the conference for life. And it's a mark of kind of like an expert hacker. 
Like if you see somebody walking around DEF CON with a black badge, like they know what's up. So... Salut. Exactly, yes. Cool, okay. So, this is actually a good time with some of the questions in the chat. So security, so we have two undergraduate cybersecurity concentration programs, a BS in computer science and a BSE in computer systems engineering. What this means is a concentration means that you get on your diploma, excuse me, cybersecurity concentration on there. And we also have three graduate programs, if that's what you're interested in. And the idea is it demonstrates that you're going more into cybersecurity. So you basically will take a minimum of 15. So you'll have to take 365, which you're already taking. And I believe you only need to take three more classes among this set. So 466, which is kind of like super advanced exploitation. 468, network security, 469, forensics. We're also, ASU is a, we've been recognized by both the NSA and the Department of Homeland Security as a national center of academic excellence in information assurance education. Cool, okay. And we went over the syllabus. I think we are done with this. What time we got? Oh, good, 25 minutes. Any questions on what I just covered? While I take a sip of water. Where is my, let me answer some questions. You shouldn't feel dumb. Everyone started at the beginning. So literally I got into security by taking an undergraduate course in security, which is actually very much how I styled this course. So, you know, literally everyone starts at the beginning somewhere. So don't worry about that. It's all about learning. Oh, honors contracts. No, no honors contracts for this course. It's too, at least that's my opinion. Tiffany and I will need to talk about it, but... No, I have the same opinion as yours. We're like parents. We need to decide and make sure we have a unified front. Right. Let's get started. 
So now we're going to talk about security and the idea here is we're going to go over kind of an overview of security here. And so this is where I have never done this part online only before. So you'll have to be my guinea pigs. So let's have a discussion the best we can. What is security? What do you think security means? Don't lose important stuff. Safety. Yeah, so losing important stuff is important. How does safety compare? Anybody want to actually talk and give more than a two word answer? No offense. And so much easier in class when I can just stare at you all until one of you talks. Keeping things secure from people who shouldn't have them or have access to them. Okay, good. Thanks, Jose. So keeping things secure from people that shouldn't have access to them. Is that the only aspect of security? Although I guess, can you really use the word secure when you're talking about security? But yeah, so the really important thing is there of somebody who's not supposed to have access to it, right? Immutability. Okay, can you explain a little bit more? Preventing something from being able to be changed. Okay, so preventing something. So maybe in some sense, immutability preventing something that shouldn't be able to be changed. So what types of things would you not want? Let's say somebody who shouldn't change something, change something. Like a database. Like a database? What kind of database? Give me an example, but not you because you answered already. Okay. So somebody else. My grades. Your grades. Why? Because I'll get an A. Oh, you want? Wait, what? Say that again? Because I'll do nothing, but I'll get an A anyways. Okay, so yeah, if you think about it from the either professors or universities perspective, then maybe they wouldn't want you because you're not authorized to change your grade, especially let's say after the fact. 
I mean, obviously grades have to be changed because right now you all have, I guess no grade in this class, but eventually you will have a grade in this class. And so what's that grade gonna be? And who can change it, right? And there's even, there's a whole, if you probably have never seen it, but there's a whole process where once I put in grades and make it final, when I change it, I just can't go in and change a grade. I have to request that a grade is changed and then somebody else above me has to approve that change, right? So why would they do something like that? Yeah, so good, Jorge, prevent single bad actors, right? So, or so you can't bribe me so that they can actually see that there's a log and an audit of what's going on, awesome. Yeah, cool, okay, this is great. So we talked a little bit about immutability or not being, let's say, immutability is pretty strong, right? And it kind of implies that you can't, nobody can change anything, cool. Okay, so let's pick one of these other examples. Yeah, so like a, so we talked about getting access to things that it shouldn't have access to. We talked about not changing things. What other types, what other, like what other things encompass security? Any ideas? Preventing information from leaking out. So preventing information from leaking out. So can you give me an example of something like that? That could leak. Like that would be a security problem if something were to leak out. I mean, I guess it's always like movies, for example, someone is able to get the movie before they release. Yeah, so you can think of a couple of ones. Somebody had an interesting example on the chat. Think of things that are on your phone, right? Emails on your phone, pictures on your phone, text messages on your phone, other things if you think about in the financial space. So if you were, if a company was able to leak their, their financial information, let's say before their earnings are announced, right? 
Their earnings announcements affect the stock. So if you know what their earnings are gonna be, you can trade on that stock in order to make money. Anything else? Yeah, so be insider trading. But if I bought, if I hacked into it, I'm not really an insider. I'm making myself an insider. Loopholes. Yeah, so kind of, and there's a lot of things that are really important in just the examples of things that we've talked about in here, right? So, of, you know, there's this inherent aspect of things being allowed or not allowed, right? And so this is something that is critically important when talking about security, right? We wanna think about, we can't just, so if I, for instance, and one of the examples I will probably use again and again 'cause I really like this one. So if I told you, you could, there's a website and anybody can edit that website, is that a security problem? It would depend on whether the person who made the website wanted it to be accessed or not. Yeah, thanks, Sarah. So can anybody give me an example of a website where you would not want anyone to edit every page? Your bank, your bank website? My bank website, like making a thing. Wells Fargo or whatever. Yeah, Chase, other examples. Whitehouse.gov. What was that? Whitehouse.gov. Yeah, that's great. So yeah, Whitehouse.gov, the government websites, right? And then, but actually people already mentioned in the chat the examples of things that, examples where you do want that, right? If I told you that site is Wikipedia, then, then yeah, the fundamental nature of Wikipedia is that anyone can edit it, right? And of course, they have to have locking mechanisms to deal with bad actors. But what this example is trying to demonstrate is that the exact same behavior, right? The behavior alone is not necessarily a vulnerability, right? Being able to edit a website if you're a random person on the internet seems like it should be some kind of security problem. 
But it isn't for Wikipedia, but it is for a news website or your bank. So it's important to keep in mind that context is incredibly important. And so one of the things we really want to think about when we talk about security is we think of security having three different components or three different ways that you can try to compromise the security of the system. And we've talked about some of these in our discussion here. So, and I always think of CIA, so this will help, the mnemonic will maybe help you remember these three. So one is confidentiality. So what's an example of some of the things maybe we've talked about of confidentiality being a component of security. Bank info. Yeah, bank info, right? But does that mean nobody can see your bank account information? Only people who are supposed to be seeing it, like I guess you- Yeah, only the people that should see it, right? So that means you, you should be able to see your bank information. The people who work at the bank, maybe some of them should be able to see it, maybe not the janitor or a random teller on their day off or something. They shouldn't be able to see or edit your bank account information. The government may have the right to get access to your bank account information. And so some of the things that we'll talk about in here is we'll talk about access control. So access control is a way of thinking about and understanding who can access what in a computer system. So this is something that is important that we'll definitely talk about is how does access control impact confidentiality? And we'll look at later on in the course, encryption. So we'll see that encryption is a way to mathematically guarantee confidentiality given some certain parameters. So confidentiality is one of the key aspects. But it's not the only aspect, right? So what would be an example of something that is a security issue but is not necessarily confidentiality? 
Judging by the CIA acronym, I'm gonna assume the I stands for integrity. Okay, so wait, give me an example though. That's the answer. I guess how well it stands up against like outside threats or attacks or something to that effect. What does integrity mean? If it's not like how well it stands attacks, I don't know. Think about in terms of just like, let's stick with this same person. Sorry, it's really hard to tell you guys's names. I assume it's a terrible way of doing this but let's think about data. What does the integrity of data mean? I guess the ability of it to like have like backups. Yeah, like someone said on Tampa what to not be altered by other people. There you go. So yeah, think about somebody at the bank if they were able to change your bank account to be negative $10. Even if- They'd give me a whole $24. There you go. I was waiting for that joke. So yeah, so there in that case, even if they don't know what your bank account balance was beforehand, right? They're not able to read what your balance is which would violate the confidentiality of your bank account. If they're able to change your bank account value to anything that's not authorized or what it should be, then that's violating the integrity of the data there. So what are other aspects where we would care about the integrity of some data or systems? So systems is also a good way to think about it too. I just wanted to, the data one I think is a little bit easier to start with to think about. Anybody have any of others thoughts of- Okay, I was just thinking like Stuxnet where they changed like the RPM of some of those centrifuges and it just destroyed the- Yeah, so Stuxnet was a basically a piece of malware that if I remember correctly, got into SCADA systems. So it actually jumped the air gap. So the systems weren't connected to the internet but they had- It's the USB. Yeah, it was USB through design files, right? Or something, anyways. So yeah, it got infected USB drives. 
They plugged it into these SCADA systems. These SCADA systems in Iran were connected to nuclear enrichment machines. And so what they did is they had it so that the SCADA system would lie to the control system. It would tell the user, yep, it's running fine, everything's going good, but they would run it at speeds that they knew would cause malfunctions and hardware malfunctions. And they did this enough and got in their systems and it set back the Iranian nuclear enrichment facilities by, I want to say decades, but I don't remember the latest numbers. Yeah, so integrity and what we think about here a lot in terms of prevention. So in the case of bank accounts, how can we prevent somebody who's unauthorized from changing our bank account? How can we prevent these types of integrity breaks? And we'll see kind of, there's interesting and cool cryptographic ways that we can do this. But prevention is not the only story. And this is kind of a constant theme of security that we're gonna be talking about throughout this course. Detection is not the only important thing. So, or sorry, prevention. If we could prevent 100% of all possible attacks or all possible integrity attacks, then kind of we'd be done and we could just go home, right? But that's not the world we live in, as we'll see. There can be a bug at kind of almost, it's impossible to ensure that something is 100% secure. And so we need to rely on things like detection. So how can we detect when the integrity of something has been compromised? Oh, I should have, okay, cool. So the A part of the CIA triad availability is something that seems a little bit counterintuitive. It almost doesn't seem like it belongs, at least to me. So to me, when I think about security, I kind of think, okay, confidentiality, I need to keep things secret, right? Like that clearly is a security aspect. Integrity, I wanna make sure that things aren't tampered with that nobody has messed up my data or my database. 
So what does availability have to do with security? Is it like making sure that the service just remains up? So like protecting its DDoS attacks, for example? Yeah, so why is it important that something, why does important, so it would definitely be important in terms of reliability that something remains up. Why is it a security concern if something is not up and available? That means that because like, say like, I guess like your security system is not online. So it's either been taken off or it's like either been down due to maintenance or like a security vulnerability than somebody else can hack the system much easier with more access than if the security system was online. Yeah, exactly, that's a great. I have an example of this is, I think the name of the attack is called like email bombs. So normally, if somebody sends you a bunch of spam email to buy whatever Google Gmail and other systems are very good at filtering out email spam, but there's a service that you can go pay money to, they will send gibberish garbage emails to a target. So you give them some emails, they will send just random emails that don't get flagged as spam because they have nothing, they're not spam emails, there's, it's all random gibberish. And so what people do is they will, they'll use this as cover. So if you're gonna break into a bank, you'll figure out the email addresses of people that work in security, launch these email bomb attacks so their inbox gets flooded with these garbage emails and then they'll miss those detection alerts that their systems are sending them of, hey, we think we've seen something funny, we've seen something really weird and that availability, so you're attacking the availability of somebody to either do their job or something like that, that can be a big problem. So yeah, we'll see this, the most common term that gets thrown around and people are talking about in chat is denial of service. 
So this is one of the common means of attacking availability, you can't. So another way this can be a security problem is, yeah, so ransomware attacks, thanks Kevin. So that's a good one. So ransomware attacks are when, is a piece of malware, so it's some software that you download that gets on your computer, however it does, it then goes and encrypts all of your documents and files. It says, hey, if you want access to these files again, you need to pay us X amount of bitcoins. And actually the really ironic thing is, apparently some of the best documentation of how to buy bitcoins is from ransomware attackers. And so this is again, this is an attack on availability, right? They've made your data unavailable and they're holding it hostage until you pay them back. Cool, all right, we'll go to threats. Okay, cool, so now that we've talked about security, so we can think about security. So the CIA triad is an incredibly important part of security, it's gonna come up throughout the whole semester. So you really need to drill the CIA triad in your brain so you can understand how to think about those. But that kind of talks about, so those are ways that we can categorize a different attack against a system. We can say, okay, this type of attack is an availability attack or this type of attack is an integrity attack. But we also wanna be thinking about threats. So threats are more like specific instantiations of the things that we're talking about. So some examples are, and what's important about threats is, as we'll get into, when you're trying to think about defending a system, what you wanna be thinking about is what are possible attacks against my system, right? So like we talked about, one of the things, one of the threats that got brought up earlier is disclosure, right? So the threat that, let's say the information on your phone is disclosed to the world. So what type of component of security would disclosure fall under? Confidentiality? Yeah, great, thanks. 
Yeah, so confidentiality, right? So the information was meant to be confidential and private. So the fact that this information is disclosed to the world is itself a big problem, is a threat that we need to think about. Other things we need to think about are deception. So in what ways would deception be a threat? What would be an example of deception? Social engineering? Ooh, yeah, great. Thanks, Cody. So yeah, social engineering. So people are also mentioning in chat or phishing. So social engineering is basically pretending to be somebody else. And so deception is basically trying to trick a system or someone else into thinking you are who you say, or you're not who you say you are. On the context of phishing, so P-H-I-S-H-I-N-G, phishing is when you go to a website that's pretending to be something like PayPal.com, you go there, it's not actually PayPal.com. It's a fake website that's pretending to be PayPal.com and it's trying to trick you into giving them your username password. Yeah, okay, then disruption. So what would be, what's an example of disruption in terms of a threat? Yeah, so DoS attacks, or somebody mentioned DDoS attacks. So distributed, the extra D stands for distributed. So distributed denial of service examples. Yeah, great, thanks. Okay, so this is good. And then, excuse me, I'm not used to talking this long. I'm gonna have to get back into professing shape. Okay, so then some common threats that we can talk about is, and that will come up again and again throughout the course, is snooping or wiretapping, right? So these are all kind of different terms for essentially the same thing. So what component would snooping or wiretapping attack? Confidentiality. Yeah, confidentiality. Why confidentiality and not integrity? It doesn't change, it just reads it. Yeah, so it's not anybody changing what you're doing. It's reading or getting access to communication that you shouldn't have been able to have. 
So one of the things that was weren't so revealing about the Edward Snowden leaks of what the NSA was doing is Google was very good about encrypting so that it couldn't be snooped, everything that went from their users into Google. But they didn't realize that in between inside Google, they kind of had this security perimeter and they said, okay, inside Google, we won't have to encrypt any of our communication and it'll be faster and whatever. But they didn't realize that part of what the NSA was doing was they were inside companies on the inside, snooping and wiretapping the internal information. And so this is a threat that we need to consider when thinking about systems. We talked about this, modification, alterations. One of the most common name. Sorry about that, I don't mean to trigger your nice Google device. One of the types of things we need to think about in is a man in the middle attack, which we'll see when we get into network security, a very specific example, but it's essentially unlike a snooping or wiretapping where they're just listening to your communication, a man in the middle attack, somebody's in the middle and is altering your communication as it's going by. Masquerading and spoofing, if I were, let's say to send an email out to the class as Michael Crow saying that CSE 365 is canceled this semester, how would you actually know that that was really from him and not from me? Yeah, so you kind of necessarily wouldn't be able to maybe. And so this is part of the identity problem and part of what we'll get into of, how do you know that something actually comes from me? Or how do you know if somebody emails you all and says, hey, this is Adam, I'm canceling class tomorrow, how do you know that's actually from me? So we'll see that, but this is a threat that we have to always be thinking about. But is it always the case that somebody sending an email as somebody else is always a problem? 
Another way to think about it, do you think Michael Crow sends out every email that goes to all the student body? Yeah, so he probably has a hand in writing them or he approves them of course, right? And actually like a lot of systems, if you work in enterprise or you work in a company, Outlook has this notion of delegation where you can delegate to somebody else to email on your behalf. Okay, so other things that we talked about a little bit, one thing that's important is repudiation. So being able to, repudiation is the notion that you can claim that you didn't say something, right? So if I wanted to say, I guarantee you, we will have that everyone in this class will get an A and then at the end of the semester, I say, wait a minute, I never said that, what are you talking about that, right? So that's a threat to, if you want me to prove and guarantee that I promise that everyone gets an A, which I'm not doing right now, that I promise you, if you work hard in this class and do well, you'll get an A, how about that? Yeah, so we'll see, there's ways of doing this using cryptography that we'll definitely get into. Denial of receipt being like, I never got this, what are you talking about? Delaying information, denial of service, these are all different common threats. Okay, cool. So on Wednesday, we'll be talking about how to defend against threats. So thanks everyone, I really appreciate it. It'll be a fun semester.