Cool. All right. Welcome, everyone. One of the, well, we'll get into it, but yeah, so if you're here for CSE 365, you are in the correct place. There's a decent number of you in the audience. I think it's more than on Tuesday, so that's good. So you may be wondering what is going on with this course. So the first thing I want to cover is the course set. So if you notice when you register for this course on My ASU or whatever, it says that it's a hybrid course. And so you signed up for a section that has half the number of in person hours as everything else, right. So you signed up for a Tuesday section from 9am to 10:15, or most of you. It was a Thursday section right now from 9am to 10:15. So what the hybrid means is basically half of your time is going to be in class stuff and the other half is going to be online. The online stuff will occur Tuesdays at 9am to 10:15. So you can, so you are going to treat you all like you're in the Thursday class because the Tuesday class got this on Tuesday. So on Tuesday, at 9am, we're going to start and continue from where we leave off today, continuing with content, and then from there we'll continue that content on Thursday, and so forth. So essentially you can think about it like you guys are sharing this room, because we have roughly 250 students in each of the sections they actually physically don't have a room big enough to hold the number of people in the two classes otherwise it's probably what we would do. But you're free to attend synchronously the Tuesday or Thursday section on Zoom. So we'll always have the Zoom available if that's if it's not your section. And we'll also record all the videos and post them online. So you can watch the video to watch them before your next class. You can also attend in person. I mean I don't see even right now usually when your experiences but I've seen like the most number of attendance is usually the first day of class, and then any exams. So this is the most people we have. 
You can feel free to attend in person if you want if there comes a situation where we're just bursting the capacity and we have to kick people out if it's not your section that day we'll ask you to leave. I highly doubt we'll be in that situation but just as a warning. Cool, any questions on that. Yeah. No, this is the only week where we're covering the same content so we're building off and we continue regular Tuesday Thursday. So we'll cover stuff will continue kind of overview of security on Tuesday. And if we don't finish that then we'll continue that on Thursday, and then we'll go to the new content the next Tuesday so it's like a normal classroom just switching in person versus online. I see another. I'm not used to a room this big it's really weird. Yeah. We'll get into all the exams and all that stuff so yeah but the content will be the assignments exams that we don't have exams but everything will be the same between both. And we won't treat you. We don't, we actually don't even remember which section you're in until the end of the year when we have to put in grades separately into our separate section so we're treating you like one giant class. Any other questions. Cool, we'll get into the details we have everything is available on the course website that's where we're going to post all of our stuff. We're also going to use Piazza for discussions but I'll get into that more when we talk about the. Before we get into the syllabus and everything. The question on the Zoom why don't we use Canvas, because Canvas is terrible. So that's why we don't use it. I don't know how it is for you but for me it's literally one of the worst pieces of software I've ever used in my life so it's it's worthless and we can do a lot more and a lot cooler stuff outside of Canvas so that's why we use all this other stuff because I think they're the best at what they do. And I think Piazza we always have a good. 
I feel like we always have good Piazza actually has really good discussions, like the way you can do posting you can do anonymous posts so that the other students don't know who you are. I can like endorse a student's answer so it's mobile to the top so that everyone sees that like yes instructor endorse this. It's really nice it's actually really great for a large class like this because what happens is basically how can we check our grades if they're not on Canvas. As you'll see in the syllabus there's not going to be a ton of assignments or exams. So theoretically at any point in time you should know your grade and be able to calculate it to help with that and help make sure that we know what grade. We both agree on what you got on assignments throughout the course of the semester we'll email you every student in the class your grade to get an email and say hey on assignment this we have you for this on assignment this we have you for this. And we'll do that also after the midterm CTF and after the final CTF and so you'll know your final grades kind of throughout the time. That's up to you so I think the benefit would be like right now I'm watching the Zoom chat so if you're attending remotely, I'll be able, we'll be able to answer your questions during the chat. So that's the benefit otherwise yeah you're free to we'll try to have the recordings up as soon as possible sometimes it gets weird with editing and stuff but we'll and I'll show you where it is on the course website but we'll we'll continually post the recordings there. So now that we got that course stuff out of the way a little bit of introduction by myself. I'm Adam Doupé, you can refer to me as Adam, that's kind of what I prefer but whatever you can. I guess whatever you want to call me is also fine. And I have to keep hitting this admit button. 
Okay, I did my PhD at UC Santa Barbara actually did a four plus one so I did an undergrad plus a master's there basically the equivalent of ASU four plus one program. After that I got the job at Microsoft working full time I was like I'm never going back to academia I'm going back to make tons of money. And I really liked it at Microsoft but I really missed doing research I got involved with research during my master's here. And so that's why I went back to UCSB for my PhD. There I was there for four years and then graduated got a job here at ASU. And that was a long time ago so I kind of got into security actually by playing in capture the flag competitions which is going to be a theme and things that we'll see in this course. So I originally started playing CTF with Shellphish CTF team that was started at UC Santa Barbara, and then I helped kind of reform the pwndevils CTF team at ASU, which has now essentially pwndevils merged with Shellphish so this is now like a multi institutional beast and ASU also kind of pwndevils also created the ASU hacking club, which if you're interested you can find out more information at their website. I'll have office hours on Tuesdays from 10:30 to 11:30 am it's on the website, we'll show you in a second. And my office hours you can go in person if you want to regard 472, or you can always attend on Zoom. So part of what we're trying to do this semester is accommodate both. You know, I think almost everything will have a Zoom option and each person's office hours will say if they're meeting in person or just on Zoom. All right, Tiffany, are you there. I can't actually see the cool. Okay, so the professor of the Tuesday section is Tiffany Bao so one of the things we're doing by merging this course together is we can actually kind of divide the content so we can each teach the content that we're best at. So, for instance, I am really bad at cryptography and mathematics in general whereas Tiffany is a crypto expert. 
I'll get into some things that she's done but as part of our CTFs that we've organized she's created some quantum cryptography challenges and all kinds of cool stuff so you're going to learn a ton of cool stuff from her on crypto and other things. So we have her background she's currently an assistant professor here in the sky, update this, she had her PhD at Carnegie Mellon University, which is a very cool and good school. They also have one of the top capture the flag teams in PPP, the Plaid Parliament of Pwning. Her research coverage really cool stuff so we have to do. She's done great a lot so she works on software security so how to automatically find bugs and vulnerabilities of programs, but also going to a higher level and analyzing kind of the cyber security landscape from a game theory level. One of the coolest things that Tiffany did was look for me and of course, a paper that I think won Tiffany an award from the NSA was looking at the ability to quickly ricochet exploits. So if somebody sends an exploit to your system. If you technically have the ability to take that and reflect it back at them. What would that mean for the cyber security landscape so if you think it actually gives. And what you found is by analyzing it from a mathematical game theory perspective. She was able to show that it actually incentivizes a large, large entity like the United States who has a lot of assets so they were to launch an attack at a small company who has a small number of assets. And that company or that country was able to quickly turn around and reflect it back to the United States. That would cause more damage than the damage to the original country so what she showed is it actually incentivizes disclosure of vulnerabilities so that a country like the United States rather than using that exploit for offensive purposes would decide to disclose fix it and disclose it to everyone so that everyone knows about it and they can fix it, which is a really cool result. 
So yeah, so we're on the website. We also have a number of TAs and undergrad TAs. They're named on the website where I just met some of my nice. If you're an undergrad TA you want to stand up I know there's like, at least four of you. Look, you can actually meet them and see them in person I feel really bad I only know the from last year I went to the handles of the undergrad TAs that I work with. Okay. And this kind of a little bit of some fun stuff to talk about some of the things that Tiffany and I kind of get into one of the things we're really passionate about is capture the flag competition that you can think of as ethical hacking is where organizers put together kind of puzzles. So they create custom pieces of software that have some vulnerabilities, and then the teams compete against each other race to identify the problem the bug in the code. Write an exploit and usually launch it at the other teams to steal some flag which they give the organizers for points. So there's actually a number of CTFs throughout the year. I think there's almost one every weekend if you want to get crazy about it. So the, what I think of as the kind of premier and the top capture the flag competition is co located with the DEF CON security conference, the DEF CON is a conference that happens every August in Las Vegas. Question, why would you have a, have you ever been to Las Vegas in August, we've all been to Phoenix in August right. What's the defining feature of Phoenix in August. I didn't say loud enough, hot, hot, right. Is Vegas any different. No. So why do you want to hold a conference where 30,000 people from around the world go to Vegas in the summer. No rain. You're inside all the time. Yeah, somebody has it on the, on the chat and Zoom. Yeah, cheap rooms so the hotels are actually cheaper actually just like in Phoenix right during the summer months, you can go to resorts for pretty cheap because nobody actually wants to come here. 
So I'm a similar mindset, you can host a conference for pretty cheap so the DEF CON conference is kind of like still has this underground flavor where you can buy a pass for the conference for I think it's $300 cash money. So they, they, you have to buy it in person with cash you can't use a credit card, so there's no trace of anything like it's very much a cool kind of cyberpunk thing. And collocated with that over time this capture the flag event organically was created at DEF CON that a series of organizers throughout the years have taken up the mantle of creating this competition so Tiffany and I are members. So the Order of the Overflow that's our team name. And this is from DEF CON 27, which is one of my favorite ones it was the last one we've had fully in person in 2019. And so, the way that works is basically throughout the year. So the organizers will designate six other capture the flags and say the winner of that event gets to qualify. And then also so in addition to this final CTF the organizers also post a fully online 48 hour capture the flag event, which is called the qualification event so in, in that year we had 1200 teams around the world in our qualification event in May of, and this qualification event, you'll actually become very familiar with this style of supply because our assignments are going to be based around this. And what we, what we do here is, we have. So these are kind of the reason kind of is you can kind of select any of these challenges that may be worth different points. And you're all trying to solve this puzzle so maybe it's, but I think on the right here is the category. So there's a web challenge. Maybe it's a crypto thing, maybe it's a service running somewhere that they say hey this IP address and this port is this binary running. That's all the information you're given so you have to analyze the binary find the vulnerability exploit it steal the flag to submit it here for points. 
And in this competition so this is a 48 hour straight competition that was actually kind of the same but the winning team was the CMU team that Tiffany was a member of, and they just solved a ton of stuff they actually dominated this year. And in fifth place was Shellphish, our old team. So we selected basically from the qualifying event and other CTFs the top 16 teams in the world were invited to the final event where they hacked in person. And for this final event, rather than the Jeopardy style. It was what's known as an attack defense CTF, where you have to basically every team is essentially running their own machine that is running custom services written by us to analyze vulnerabilities in those services, write exploits for them, launch the exploits of the other teams, steal their flags and also patch their own vulnerabilities to fix them. And so this is kind of a, what it looked like in person to one of the things that's accepted here, each team area has eight people in it at max. And it turns out, well, many of these teams have much, much, much more. So they'll often have like teams in a hotel room of 10, 20, 30. I've even heard rumors after like 60 or 70 people playing. And this I like, we don't know how loud this people was. So this is kind of gives you a visual representation you can see that this was in 2019 because nobody's wearing a mask. And this was kind of we were part of DEF CON there. And like people would come and walk around and kind of see what the people were doing. One of the really cool, one of the really cool challenges that we did was was on the structure time wise, is it's over the course of three days so it was Friday, Saturday, Sunday. 10 hours of game time on Friday, 10 hours of game time on Saturday, and four hours of game time on Sunday, or 24 hours total. And on Saturday, the team showed up and we handed every captain, an original Xbox with a controller power supply. 
And we said there's a cable at each of your tables, plug the Xbox into the cable. And that's all we told them. So what would happen is when they, and you can see kind of their surprise in their faces. What would happen when they booted that up so we had one of the guys on our team is really into the original Xbox like he helps with emulating and running like old Xbox games on modern hardware so he's really familiar with the whole hardware. He was able to port Doom to run, which is an old computer game to run on the original Xbox. And so what happened is you turn the Xbox on, it would be connected over the network, it would actually download the Doom game from our systems onto players, run it, and then they would be playing about every 10 minutes, a capture the flag game within our capture the flag game, and the person who won that round would get points, and then that would keep going. But one of the first things they noticed is when they started the game, you can run around but you can't shoot. So it's really kind of hard to capture a flag if you can't keep anybody away. So what they actually had to do was reverse engineer the game and basically use game hacking skills to as the game was downloaded from us, change the bits and bytes of the game to allow them things like shooting, and to allow them, and then beyond that there is a number of bugs in our implementation, so that they could walk through walls, so that they can move faster than they were supposed to. It was all kinds of really cool stuff. The unintended thing that we didn't realize what happened is, is anybody a professional or a really good Doom player, like maybe does speed runs in their free time. Okay, you can tell us later on. Yeah, we didn't think so either. It turns out there are these kind of people, and they were playing on some of the CTF teams. So once they're able to hack the game enough to shoot. 
They just sat their best Doom player in front of it and they played Doom for like four hours straight. And it was actually a pretty effective technique to get points until some of the other teams started finding the complex bugs. So that was an interesting kind of unintended side effect here. And okay, and then so some of the other things that the teams did not hear, so if you remember we made this challenges. One of the things was we made an iOS application that was like Telegram, and they had to hack, it was running on a real iOS device. So they had to find vulnerabilities in that hack everybody's apps. It was pretty cool. They, we incorporate elements of machine learning. So I believe this one was essentially something like we trained a neural network trained to recognize the flag. And then based on the weights in the neural network you can actually reverse engineer and figure out what the flag was that it was trying to detect. And there's interesting ways to obfuscate this to make this more difficult and that's what the teams had to do to basically catch the challenge that I created this year was really fun so so Lisp is a one of the earliest programming languages and back in like the things like 60. Yeah, back in the 80s there was companies that were like Lisp is the future. So we should have a CPU that rather than running x86 or whatever microcode runs Lisp microcode so that that way the machine would write the operating system in Lisp, everything in Lisp, it runs in this machine. They have emulators for this. So I wrote a web server with the vulnerability in it. So the teams have to like decompile a decompile this file which was in a Lisp machine microcode to figure out what was going on, and then eventually exploit it so yeah PPP did really good and this one is actually kind of widen one because they were the first, I think, almost only people to do this. Yeah, the other interesting thing that maybe has actual real world application. 
So the term shellcoding is important we'll get into it later but basically the idea this challenge was hey how do we write something. Some code to some binaries ones and zeros that are executed by the CPU, where if you flipped random bits from a zero to one or one to zero, it would still work. And one of the teams actually was able to write I think like, I think it was like 1024 or something bit shellcode, where you could flip all of the bits, and it would still execute correctly not, not like flip all of them but you could flip every single bit, switch it, run it, it would still work, do the next one run it still work, next one run it still work. Why might that be useful. Is that a real world application. Yeah. Yeah, the network transmission errors that's a good one where a lot of time where bit flips occur over network transmissions what else. Yeah, yeah, so one of the one of the stories I was told by a computer architecture professor was that the, let's say the army I don't know which branch but let's say the army had commissioned the huge machines to run some computations, and they had built two identical machines, but one had twice the error rate of the other one. So they kept replacing parts trying to debug trying to figure out why I had a higher error rate. The difference was one facility with the lower error rate was located at sea level, and the other one was up in the mountains. And they realized it was actually cosmic gamma rays or whatever that hits memory in the right place it can cause a bit flip. And that actually caused the error so by using I think lead, so they're like line the computer with lead or whatever that actually prevented an error rate for exactly the same for those two machines. So if you think about just from like sea level, the mountain level that could cause things imagine what happens with satellites in space. Right, so bit flips are actually very common there and you have to get. 
I think they call it rad safe like radiation safe hardware which is super cheap or sorry super expensive and super slow compared to commodity hardware. So if you're able to actually bring some kind of team that can survive a couple bit flips that's actually really helpful in space because maybe you don't need the super expensive components. Cool. So the teams played for a while. There's actually a lot of attacking going on it was kind of crazy. Overall at the end of the day. So these we had three, we kind of graded them up three different categories one is attack one was defense. And the other was this kind of King of the Hill style challenges which was like the, which the Doom game was one of these King of the Hill style things. And there's, you know, we have ways to score them, but at the end, he won, which was super cool. And so we got to present them with, oh, I forgot to say the thing that these people actually win. So the DEF CON conference what they do is the winner, the winning team of the CTF wins eight black badges what they call so black badge gives you free access to DEF CON for life. And so yeah it's a super prestigious thing and people can tell when you wear it around the conference like it's, it's really cool so he won that that year. That was really awesome. And I wanted to, and then these are, these are pictures from this year. So this was 2021 in August. And so there's a couple interesting parallels between this and what we're doing here. So this year. So in 2020 DEF CON was completely online and virtual so we ran a virtual capture the flag. We had a time zones of all the teams. So we had this horrible schedule where we invented a like 28 hour day. So the teams would play for eight hours sleeper for or not sleeper for the game we go down to four hours up for eight hours down to four That way every team had a crap time where it was like one and their time but it just wasn't inherently unfair. 
Turns out the teams hated that so yeah nobody likes, and we hated it too because like we had no time to sleep you'd like, go to the back in two hours wake up and then have to rest for this game for another eight hours. So, so in 2021, the DEF CON conference was hybrid so in person and virtual, and our CTF was hybrid. So some teams were there in person some teams were remote. Our team itself was in person and remote. And one of the things I want that we should keep in mind here. And one of the things as well, is that actually what I found was hybrid was more difficult than being completely virtual, because being completely virtual, everyone was virtual so it was kind of there was there are definitely pain points like we have one guy his challenge, well it ended up being not exploitable. So the compiler was doing something weird and he didn't prove that it was actually exploitable. And we kept trying to get a hold of him, but we couldn't get a hold of him because he's fallen asleep on a stupid like pillow that he had, but nobody was where he lives to go and wake him up, which we would have done in person so yeah that was definitely a problem but being hybrid is actually more difficult because we have to deal with our team members that were remote but also here, and any any announcements that we made we'd have to make virtual and in person so yeah just keep that in mind as we're, you know, even just here like, maybe it's because I'm more in practice with right on completely online classes from the last couple years but it's, it's actually more difficult having this Zoom like keeping track of the chat and keeping track of who needs to be admitted into the Zoom meeting while also looking at the nice people that are here. 
I love having you here because I like seeing your faces and like you nod sometimes or slightly laugh when I make a joke, much better than the silence on Zoom when I make a joke and I don't know if anybody thinks it's funny so I like it but yeah just keep, you know keep that in mind as we're going forward it's going to be an adventure for all of us. Just like it was an adventure for me so this was, I think after an all nighter I could pull from like Friday to Saturday, right a set up a bunch of stuff and I was the only one who could do it. I just actually stayed in this big room in a giant conference center with the AC blasting so by the morning time and not so that's not really just 466. He was trying to warm me up by putting a tablecloth over me, and I guess he massages I don't have like vague memories of this. The problem was that I was trying to get some other things set up, and I just couldn't and at one point I just took a nap underneath the table there. It was one of these things where it's like I didn't want to run to the hotel room because that happened our first year in 2018 I was like guys, I'm so wait I'm so tired I need to like leave and take a nap. Last, this time we were in a hotel across the way so I had to walk all the way to our hotel, sat down, and was just trying to fall asleep when Yan called me. I was like, so the database like something is wrong with the database and I tried to like tell him this commands for run, and he wasn't fixing it so I did just get up and come all the way back so this way I was like all right I can sleep under the table halfway I'll just like shake me awake and I'll be awake and fix things. Luckily, I had my revenge, because that night Saturday, Yan stayed up the whole night to implement some stuff for Sunday morning. And when we showed up, he was like curled up like a little baby under the thing here. It was really fun. So this was our fourth year hosting and we realized you know what, this is way too much work. 
So we are done hosting DEF CON. I'm actually super excited about this because it took up way way way too much time. And I'll get to play now in the CTFs. So this was the closing ceremonies when Yan is telling us. So that's Yan that's me. I don't want to spoil anybody's identity if they don't want to be spoiled. And unfortunately Tiffany didn't get to participate this much in 2021 because she was busy making a baby so this is a little baby Alan. So Tiffany has. Yeah, so he's super cute. I've met him a few times. Anyways, I don't know what to say my babies. All right, cool. So, okay. So kind of, okay, that's what we did. Kind of setting the stage of CTFs, why they're important. I think they're super important because they get you into it really give you the hands on security skills that you need to, you know, get a job, not just get a job but also to really understand things. What I'd like to say is that I could sit up here and teach you the theory about buffer overflows, and I've done it long enough that I guarantee all of you understand the theory by the time we're done with that. But until you actually go to your computer and really exploit a buffer overflow you really don't understand what's going on there and all the things and it helps you learn much more about computers and how they work and that's kind of what we're going to be doing in this class is really understanding those things. We have more in the security we have to undergrad cyber security concentrations of concentration actually shows up on your degree with those concentration and cybersecurity. We also have graduate programs where you can also get a cyber security concentration. If you want more information about it. Feel free to ask me. So the concentration in BS you need to take 15 credits. You are required to take CSE 365. Yes, what. I may all taken CSE 365 so checkmark done you're already actually essentially a third of the way through. So then you choose two from the other classes. 
And then of course the young teachers, actually think there's some crazy people who've taken that before taking 365 is that what I saw. I don't think that should be possible should be possible. Whatever. So you choose two of those so the idea is to give you choice so you can kind of dive into whatever area interests you most. We have some really cool faculty that are starting this year that will find things like privacy adversarial machine learning. And then you just take two elective courses that you probably would have taken anyway, but from a list of like cyber security related. So actually the lift here is pretty easy for pre all since you already are taking 365. We've been recognized by the NSA and DHS as a national center of academic excellence in information assurance education. And now for the fun part. Anybody have any questions on anything I just asked so far. Don't ask me questions about Tiffany's baby. I can't. You can feel free to like speak up if I don't see your hand up or whatever. Okay, cool so the basic idea of this course is so information assurance is kind of the older term for cyber security. They, I guess, technically kind of means slightly different things but also not really so it's not worth thinking about the differences, you can just think about them as kind of the same. So cyber security information assurance. Okay, so what we're going to basically be doing is covering so that this course is the breadth course of cyber security. So cyber security touches on a ton of different areas and so we're going to kind of give you a sampling of each area. Like for instance, and if you're more interested in it and we offer. We offer different level courses on that then you, then you can choose to take those courses so we're when we go over binary analysis and reverse engineering and exploits and those kinds of things that that's what you're really into. 
Then you can take 466 where they do that for an entire semester and that gets really beaten into you. And we're also focusing on kind of holistically things so we're going to talk about things about like policy and management, legality ethics, ethics is a thing that comes up a lot. The prereqs I probably have to cover because I don't think you can register for the course without them. So, we have a, so there is a textbook, it's recommended, which means hey, if you want to get it go ahead it's this book will what we'll do is for each. So the next topic that we talk about will link to sections in that book where you can read more things. I mean, I, I like to do an okay job teaching right our style may not be for everyone so if you want different ways of interpreting and understanding the material, feel free to get the book it's a great book, if you want to read it, but we won't be giving you know we won't be assigning readings out of the book, you can get everything you need to this class just from the lectures. It's really up to you if you want to use the book. Questions on the book. Cool. Yes. We will use for all course communication so when we make announcements we'll announce them here in Piazza. It's not her responsibility to keep up to date with those things it's not her responsibility so what we will do is make sure that we announced communications there. It's one of the actual great. Well, one of the great things about having such a large course and, and even merging them is that almost every question that you have somebody else has already had that same question. 
So having someplace like Piazza where we can have and when students can ask questions that other students can answer, like this is incredibly helpful for all of you in, you know, figuring out programming problems or understanding concepts all these kinds of things like it really is like this is actually like being able to help each other and benefit from each other so highly encourage you to do that. There's also a course Discord but some of the students created that Tim and I are on. That's not a, I guess, officially endorsed by us maybe we will I don't know but if you want to join that it's also a good way I think we'll try to work out something there it was really. We successfully in spring 21 the undergrad TAs were involved as well, but could do a lot of different things and help there so that's another good way but it. The promise doesn't have the, the kind of staying power it's much more difficult I feel like to search for questions in like previously asked questions and Discord. So often when people ask the same question over and over again and then we continually link them to like the FAQ or the Piazza post that answers the question. Cool. Now, this may be something that I don't know what you thought about before how to ask a question. And before you even think about this is not necessarily something that is intuitive or easy. But when you think about it you can ask a question like hey my code doesn't compile. Okay, like what am I using a hammer to compile it like what's, what's going on like I have. I have no details to help you answer that question. And I honestly like, I know maybe difficult for you to believe this but Tiffany and I are actually humans. And we respond when we see that students are trying, we actually try really hard to help them. If it seems like you're not really trying. 
It becomes slightly more difficult we will still probably help you but it may be not as much in depth help as we would give somebody who we see is putting in that effort so that's part of that you've never read this. If you have questions a smart way, I highly highly highly recommend you review this, because it talks about these kinds of things of how to ask questions actually get a good answer back. So some of the things is, the things that I'm talking about demonstrating that so being precise, right, rather than hey, my code doesn't compile. What's the error message, right, what's the error you're getting what's the command you're using to compile. I think that are very helpful to help you. And the other thing that's really important the third thing is what is what have you done to try to solve the problem. Right, if I can take that error message put it into Google, send you the first Stack Overflow result it means that you're not really putting in the effort you need to solve your problem. But no joke. Every time I'm coding something I'm constantly googling the errors that I find it hit like this happens to me all the time I just write out code that's perfect, a compiler compiles and then it runs with no bugs. I'm constantly hitting problems and learning things and so developing that skill as a computer scientist as a software developer to be able to go and find things that exist to solve your problems is incredibly helpful and will be an asset to you throughout your life. So this is part of why we're doing this not just to make our lives better but really to help develop you and part of your communication skills as a developer. So yeah so being able to read to this doc is super handy super helpful. 
And, and yeah so that all those things will help us help you and help you help each other because you'll find as well when people post yachts of houses that are like, dude this question was either answered in the assignment or answered like five times already so students can see that as well and so just don't be that person be that night you know that's not to say don't ask questions always ask questions we're here to learn we're here to help, but put in the effort to help teach yourself and then when you get up and you say hey, my code isn't compiling. I'm using this GCC command. It's giving me this error message. I googled and I found these links and this thing says I'm not using the right library but that doesn't make sense because I'm not using the library. And this other link says to do this other thing. So I've run out of options of what things to try. And oftentimes, I think some students get kind of annoyed with their style of answering questions, because oftentimes I will very rarely answer your question directly. I will ask you a question to help guide you to the answer right part of that is helping to teach you the questions to ask yourself in order to get to the right answer because I've been doing this a long time. I've seen almost every possible mistake that students can make actually my favorite time is when a student has a problem that I've never seen before. Because I'm like, Oh, this is interesting. Let's dig in and figure out what's going on. And then when I do that I learn something. But oftentimes it's things that I see over and over again. And so, if you have a question you come to me, I give you answer. You that solves your problem but when you get into that same situation again or a slightly different one. You don't know what to do. So, part of my style is to ask you questions to get you thinking about things that are hard to get you to the solution. It's, you know, it'll be frustrating but it's good for you in the long run. 
Okay, other things we'll get into with the, with the plagiarism but you know, definitely ask tons of questions help each other, but just don't share code. So that's, that's where we draw the line when you're sharing code that's when it gets dicey. Let's talk about that later in the plagiarism. And you can act like me, you can say, Okay, it's better to point out a mistake or saying like, Oh, it's not compiling because you're missing a semicolon probably because I've seen that like you should rather than saying like oh there's a semicolon missing on line 53, like at this and everything will be magic with this. It's better to point them to something that will help them fix the problem rather than just giving them the answer. Okay. The other thing to things here. So Tiff and I get a lot of email, like a lot of email like I have currently 700 unread emails in my inbox. It's just like impossible to keep up with everything I've random people emailing me other anyways. So, while we try to, we will try desperately to respond to all of your emails it's, it's very possible that something will slip through if you just email us. So this is why Piazza is great. If you make a private Piazza post, it just comes to the professors and the TAs and not the undergrad TAs. So please do that if it's something private. If we deem that it's actually not quite private, or if you email us one of the benefits of Piazza is everyone gets to learn from that answer. If you just email us and we just respond to you. That doesn't really nobody's benefiting from that interaction. So, oftentimes what we'll do is actually rip out your question, create a Piazza post with that question put our answer in. And obviously, and of course, if it's something personal, we won't do that right or oftentimes what I'll do is anonymize the person's name. So nobody actually knows who asked that question. If it's something personal or private or medical related or whatever. 
Definitely talk to us about it you can make a Piazza post private one, obviously, or email us directly that's also good. Questions on course communication topics, we're going to cover a lot of stuff. We're going to cover a lot of different things: access control, cryptography, authentication, network security, system security, binary security. We'll touch on the legality, ethical problems. Like I mentioned at the start, we're, we're not going to have any exams. We did this experiment into this last year I think it was pretty useful so there'll be homework assignments and capture the flag competitions. So we're not quite sure exactly how many assignments we're going to have to the course. It'll be more clear as we kind of go through it. This actually depends a bit on how fast we get through content. And it's all about kind of navigating the assignments we get versus the capture the flags and all that kind of thing. So, there will be a midterm CTF and a final CTF this will be essentially in lieu of exams, you can think of it as like a take home exam. It's a time for you that have challenges that exercise things that we use in the course. So you're going to work on it individually. On Tuesday, it's a week long so we'll give you a week for each of these. And this way you can do it at your leisure, you also do the nature of the capture the flag you know your grade on that, all the time, because you will see we will tell you hey, each challenge is worth what, whatever 10, 15, 20 points and so you'll get all this money at 70 or have 80 or whatever. And so you can decide, hey, do I want to keep going and get 100 or 110, or am I okay with this and just stop. So, same with the final, final CTF they'll just be towards the end of the semester obviously and be cumulative with everything we did. So grading the grades, it'll be mostly homework assignments so weighted towards homework 70% midterm CTF 10 and final CTF 20. These things. Grade thresholds. 
So again, you have complete knowledge of how to calculate your scores, you know the weighting of assignments. I don't know 100%. Midterms know because I can't guarantee what other people are going to do so I don't know when they do their midterms. I think, I don't know I have to look at what we did last year and I don't want to commit to anything right now without talking to Tiffany about things. So if you look so at the top of the website, there's the archive link to spring 2021, where you can actually look at what it was last year what the duration was. I think we had a, actually, I'm literally no more of this. I know it happened. That's what I do. Okay, so anyways, so you have full knowledge to calculate your grades, you know the weighting you know the, you'll and you also know the thresholds here. So what we're guaranteeing is if you get a 90% or high, like if you get a 90%, that is an A minus. It will always be an A minus. Now we're going to say a 90% is now a B plus so we'll never raise those curves up, but we may raise them down if we see fit. So you may get an 89.9 normally that would be an A and that would be a B plus because there is no rounding there's plenty of credit opportunities. But we may, for whatever reason, see, maybe we should drag down that thing so that now 87% of the B plus is an A minus. It rarely happens. It's not going to happen too crazy but this gives us the ability so that way, you're always guaranteed whatever grade you think you have is at least that. So I see this screen on my iPad. Okay, homework due dates and exams so homework due dates will be posted in advance on the course website, announced in class, also on Piazza. You can submit late so each day that an assignment is late. You need to do 20%. So if you submit it from one minute late to 24, 23 hours and 59 minutes late, then it will be 20% off and 40% and 60% and 80% and then 100% in which case of course not. We're getting into the specifics here as we go forward. 
Typically, I think it depends on the assignment but usually whatever part of the assignment it is, that part will be reduced. So if it's a four point part assignment and you do three parts beforehand, those grades don't get affected by doing the last part of the day late. And you also get the highest possible score so that you've gotten so far so if you were able to get 75% before the deadline, but even going late you weren't able to break that like whatever your highest score was and you will know. No assignment due dates will not be listed on Canvas. We do not use Canvas for anything. The only thing reason Canvas for is to point you to that website. The other thing that is a policy that actually will hopefully make your life better. I was a student once I know it's hard to imagine but and I understand that students start things late especially. I'll design students who think they're really good will start late and then realize which is a really complex project and not be able to finish it in time. So what this leads to is a lot of pressure on us in the TAs and the undergrad TAs about people asking questions and demanding help as we get closer and closer to the deadline. So what we, so we instituted last year that was really helpful for everyone was basically a help a homework help blackout so like six hours before that and you have at least a week if not two weeks on your assignments. So what we do is six hours before the deadline since the deadline at midnight at 6pm we're going to say all right unless there's like massive problems like if a server goes down or whatever. Like we're not like don't expect any response on any help questions. You're still free to help each other. That's that's totally fine is just from the undergrad TAs the TAs and the professors. We will not be. The other special accommodation we are happy to support those feel free to let us know about that. We'll make whatever arrangements are necessary. 
Okay, I hate to do this, but it happens all the time. So, plagiarism is actually a serious deal. Part of what I like to think is, and it is true what you're doing now is kind of practicing and developing your skills so that, you know, you can get a job in the future. And if you're not actually doing those skills and you're just talking with somebody else, then you're cheating yourself out of the practice you need to get better at getting those jobs. And the thing that really bugs me is I used to teach. They've taken like 340. Some people. Okay, well, yeah. I used to teach 340 for a while. And I had students who tried super hard life would work on the SAP in every single office hour do the assignments work 10, 20, 30 hours a week on the assignments and still get a C. And then I had other students who would copy from people and get an A and not work hard. And so that that part really bugs me. So that's why I, you know, we take plagiarism super seriously. I don't want to do it but when I do it I will like if I see it when we see it we will do stuff about it so, read this out if you're unclear about this. You can use code snippets we're also not silly like I use code snippets all the time I Google something, find something on Stack Overflow, copy a piece of it. That's actually part of the natural development environment, what you should do. And what your responsibility is just like when you're writing an English paper. If you're borrowing words from somebody else. You cite them so that it's clear that you're not claiming these words as your own you're saying they came from another source. So all you need to do is put a comment that says this comes from this, boom, this URL. And that's it. And that way, when we run our stuff and we see hey the code, the code matches somebody else we can see oh yeah these functions are both from that. That Stack Overflow article. Great. No academic integrity issues here. 
And zero tolerance policy so this is just helpful to talk about so we will report any incidents we've seen to the dean's office. The dean's office keeps a list of this so that if you're a repeat offender, the penalty goes up significantly. And that's because if you don't report it then the people who do this do it again so even if they get a zero one assignment in one class. If it's not trapped. So examples that are not going to be sharing code with a fellow student. So this means don't put your code when you're having problems on the thing I have to yell at people. Oh it's about a few times a year on Discord and Piazza, or it's like whoa that's way too much code to share like talking about the problems you're having and people can definitely help you out submitting another student's code as your own. I've seen this with the other student's name and ASU ID as a comment in the file. This also extends to past years as well so submitting a prior student's code is also academic integrity violation for you and the other student guess what we can go back and fail them too. I don't want to. So don't do it. Another thing that a lot of students don't think about is hosting your assignment put online is forbidden so don't post your assignment code to GitHub and then complain when somebody else submits that as their code. This has also happened to me. Both students got in trouble as if they shared code in the first place, because it's your responsibility to safeguard your code. Students say oh but I'm trying to build a GitHub profile that shows employers that I can code. And usually what I say to that is, honestly, employers don't care about the code you're writing in class, because guess what everyone writes that code, every single employee that applies their jobs has written those back code. As employers, you should do something outside of a classroom or an extension or something that's maybe related to an assignment but not the assignment itself. 
That actually speaks volumes with employers. It's basically how I got my job at Microsoft one of the reasons is I was running a website at the time, and so I could talk about it and show them the website and everything. Yeah, and you have, you all have access to the GitHub student developer pack which has unlimited private repositories. I think even by default now GitHub has default unlimited private repositories so definitely use things like GitHub. I use GitHub for everything. I almost saw my stuff in there. The stuff that's private is that I'm a private. Questions on plagiarism stuff. That one sucks. We may update the syllabus but we'll tell you about it. This is something that we care about, especially, you know, you think even this came in pre pandemic but during the pandemic it's even more important to have a work life balance. So, you know, you gotta do your best, like, and we know like stuff comes up. The key thing is to talk to us about it early. The next situation that can occur is a student struggles and they have work problems, relationship problems, whatever it is, and their grades start slipping and they start being late on assignments and then it's not until the third assignment that they talk to us about it and tell us what's going on. And we, it's kind of like a well it's hard to go back, you know, three months and let you give you extra time on an assignment three months ago. So, you know, just talk to us about it like we were here to help you. We know things are difficult so just talk to us and we're reasonable people like it's okay. Try not to be scared but for another list. Okay. So, Title IX is a, is a law university policy so sexual harassment is something to take very seriously. We are mandated reporters that's something to know so if we are aware of something we have an obligation to report it. There's a lot of good resources out there you can find information about. Okay, any questions on the syllabus. So website quickly. 
There will be links up here when there's assignments, we don't have any yet. You go to syllabus, the other part of website is the schedule. So we have a Google calendar here with the class schedule. So as professors, TAs, undergrad TAs have office hours and things we'll post them on here. There's actually a very handy link at the bottom but you can add this to your Google calendar so you have all of these dates and everything. We also try to keep up to date with assignments when they're assigned, when they're due, these kinds of things that's going to help you stay organized on the course. And then below that will be the links to all the class recordings. So this is October 11th, so that was Tuesday. So this is the link to the recording on Tuesday, which is on YouTube and links to the slides that were discussed in that class. So just after this class, there'll be one for Thursday that I'll post. And then so this is where you can find recordings, they'll also all be on YouTube. So you can find them all there, they'll be weird to watch this while we talk about it. Yeah, question. I did meet, Jay, why does it say October? I definitely messed something up. So thank you. Yeah, you look at that it's a very well staged thing we did this back in October we hired actors in here. Pretend to be students. Yeah. Okay, so Tiffany and I, I mean, the office hours are what they are, if you need to meet with us in person for outside for whatever reason just email me, email us to make a Piazza post, and we'll schedule some. But yeah, usually, I've done a bit about course stuff. It's always better just meet with whoever the next office hour is. And that fits your time schedule. You can also use Piazza and you know it is. There's a ton of you so if we, you know, we're just scheduled even meetings with, I don't know half our meetings with a 10th of you that's 50 a week, 25 hours a week to meet in person with people in class. 
So we, we typically don't if it's an emergency we can we can hop on a zoom if you know if it's something like it's urgent we got to talk whatever. So, you know, we're, we're reasonable and flexible homepage also has more information. So has the sessions zoom links. The TAs I'm going to update this office hours here as well. And we'll have some undergrad TAs will have office hours probably. Sorry, the idea is to get office hours across the week and time so that you know you have there's always some office hours you can go to. So that's the other thing usually the undergrad TAs we found it effective. They do like homework help sessions so closer to the due date, they'll host things and we'll post those on Piazza when those are so and when and where. Cool. All right, let's get into some content. We've talked about course. We're not gonna make it super far so don't worry but there are things we definitely talk about here. You're here. And of course, that's essentially about security. What is security. And we know what we're doing or we started how do you how would you define security, making something safe. It's pretty good. What else. Okay, so prevent people that you don't want to reach things to be able to reach things. Yeah, that's good. Okay, making sure that stuff like people who should be able to access things should be able to access great safety, somebody wrote on the zoom. Right, which is kind of implied in the keeping people safe but are keeping things safe but also kind of safety, the word security itself is very broad right you can think of physical security. So you have Isaac cards that allow you to access in the different buildings in ASU, maybe an attack against this room for us to get access if somebody tied a lock on the door, and we wouldn't have access to this room and that would destroy things definitely. What else do you care about security. Some people are not in there. Not all. So what do we mean by cybersecurity better. Okay, cool. 
So, yeah, good. Well, malware prevention so preventing malicious software from executing. Yeah, so the way I think about it is kind of cyber security is anything to do or related to computers in some sense right so that could be the computers the networks the Wi-Fi networks. Usually, you know, would stop it like physical security except now things are kind of bleeding into each other so we have now a lot of the physical systems like like Iran's nuclear enrichment facilities are physical systems that are controlled by computers. One of the things that Israel and the US did was create a, essentially a virus called Stuxnet that would propagate to machines until it got to a machine that it knew was connected to a nuclear enrichment facility, and lie to the operator about what was happening to the machine, but have it spin and shake at such a level that it caused the machine to fail. But the operators didn't know what was going on because they look at the computer and they see everything's fine but really this machine has been spun to death. And so, yeah, I don't remember what the estimates I read were how far back that put Iran's nuclear capabilities but the other problem is then that got out beyond the intended target and infected. So the line is often hard, hard to understand here or something like, would you consider your car a computer. Yeah, how old of a car would you have to consider a computer, probably a Tesla, you probably consider that a computer right kind of big old console. What about remotely from your phone. What about like a 2001 Honda Civic. Yeah, so in 96 so engines are essentially controlled by computers, it's ECU engine control unit or something like that. So there's been computers in cars for a long time. I've never seen any of the Fast and Furious movies, like part of the reason why they'll hook a laptop up to those computers is so they can change the timings and everything of the engine to give themselves more, more whatever. 
So yeah, like, anyways, computers are basically everywhere. Okay, but when we're thinking about security and security of a system. So think about three different aspects that are really important. And this is something to burn, burn into your brain of this, these three things. And it has a very easy acronym that you can use to remember it and that's the CIA. So what we think about in terms of security is things like confidentiality. So confidentiality would be like we said, preventing people from getting access to things that shouldn't have access. Right. So what types of data or information would you want to be kept confidential credit card data. Yeah, your credit card number. Right if somebody has a credit card number they could use it and buy things and it would go to your password your passwords with your passwords other people can get in. So the security number what can somebody do with your social security number. What's the identity which means what that just sounds like a nebulous thing. Maybe that'd be great. If somebody else just came in and started teaching this class and answering all my emails. What's the real problem of stealing your identity. They take out loans in your name that you're technically on the book store because they don't know they can set up. Yeah, what are the things confidentiality is all good. Health care info. Yeah, you want maybe want your health care info private yeah. What about your social security number. What about your pictures on your phone. Your text messages. Your. What was that. Home address. What about your grades. Do you know that if one of your parents, your search. Hey, that was a great one. Your search history. You know, one of your parents called me is that I'm super worried about my son or daughter. They're in your 365 class. What's their grade in the course. I legally cannot tell them what your grade is because of confidentiality student confidentiality laws. 
And so part of the things we think about in terms of confidentiality that we'll get into the course is things like access control who can access what types of information. We also think about encryption. So we'll look at how we can use mathematics in order to keep information secret such that I can literally send everyone in this room a file. And you would not know the contents of that file what's actually in that file, unless you knew my secret key. The other thing, so we're running away but I need to sync up with where we left off Tuesday. The other part. So the I part is integrity. And this is integrity. The truth is about modifying or changing that. So if you think about people talked about you may want to keep your bank, your bank information confidential, you may actually want the integrity of your bank account so somebody can't go in there and set your balance to zero. Right, some of you would think wow zero would be a great number of my bank account but many of us that would be a bad thing right so integrity there is really important. So we think about in terms there, how do we prevent people from modifying our, our information, and how do we specifically detect when somebody has altered our information those are actually two different concepts there. So we have confidentiality, integrity, the third one availability was what we touched on earlier. And that's if we're able to deny somebody service or access that actually compromises the security so this is when we approach and think about okay how do I secure system X, how do I secure this thing. I think about it in terms of these three things confidentiality integrity availability. I think we're done. I'll see you all online or on the video on Tuesday or in person if you want.