 Test test? Test test? How are we doing live now? Hey, that's me. Okay, can you verify that we can hear? I think so. The thing is moving. All right. Good afternoon everyone. 1:30, right? Yeah. Cool. Everyone in the right place? CSE 365? If you're not, you can leave now. I promise nobody's going to laugh or you can just stay. That never gets anyone because everyone go always to the right classes. Cool. Well, hey everyone. Adam Doupé here. Like I said, this is CSE 365. You'll notice we're in the midst of a little name changing process. Eventually this class will be called Introduction to Cybersecurity. It is currently Introduction to Information Assurance. What are those differences? Somebody said none. You're just saying that because we're changing the name. So you think why would we make a change if that made no difference at all? Yeah. Cybersecurity means something a little bit more. What about that? Oh, sounds cooler. Cybersecurity sounds cooler. These are all kind of correct, actually. So Information Assurance is more the older term and phrase. It does have nowadays a very specific connotation. In my view, the problem is it focuses too much on the information part of security. As we'll see, there's a lot of aspects to security that may include systems. It may include or not include information. And it's cool. If you go out in the job market and tell somebody, hey, I'm really good at Information Assurance, they'll be like, oh, cool. But if you say you're good at cybersecurity, they'll go, oh. So we want you to get those ohs. And as we'll see, we have a cybersecurity concentration, so it also doesn't match. Cool. I will let my colleague introduce himself in a bit when we get to his slides. Okay, so I hope you're not sick of me emailing you. It's only been two emails, I think, so far. So hope that's not too much overhead. 
I talked about that a bit in the emails, but just to kind of, in case you're wondering, what is this hybrid course where, how many of you are in the Monday section? Is it most of the people in the room? Anybody from Wednesday sneaking in here? Yeah, it's cool. They can't see this on the stream, but there's tons of open space, so feel free to come to any section. If I ever do, I don't know. Literally, we've done this, I think, several times, and we've never had the space be full, so we've never had to kick anybody out, even though I think technically we're at capacity, because it's like 357 people. I kept trying to add and increase the space, but they wouldn't let me. So the idea with this hybrid class is there's a Monday section, which is many of you. There's a Wednesday section, which is some of you in this room, and hopefully people online. You're responsible for both content, right, in both classes. So we're just going to go lecture after lecture. Like I said, you want to come in person on Wednesdays. Feel free. I am very confident we will not, if you've been to any classes, and those of you, I guess, who don't, then you don't care either way. We won't have space problems. But if we do, I may have to ask some people to leave just to be clear. This class goes to 245? Wow. Okay. So how do you go to class if you can't be in the room? That seems crazy. We have people on the Discord. Sorry, Twitch. Oh, that's weird. I'm seeing the delay now. It's really, okay. So if you want to attend live, so on Wednesday, you don't want to go to class or on Monday, actually don't care. You're all adults, right? Everyone an adult. So you can decide you're paying for this class. You want to attend in person. I think that's great. I think it's going to be much better. You want to stay at home and watch on Twitch. That's fine. You want to never watch. I don't care either. But if you want to, you can watch synchronously with everyone else on Twitch. 
We will try to keep the chat up here looking at it. So if you have questions, feel free to ask them as we're lecturing. I think that's actually a really nice thing of this. I think in person, I know with 350 people, it can be maybe a little apprehensive to raise your hand and answer a question like some of you just did. But it can be a little easier to type things. So we have that. We will also record and post publicly all the classes. So this is also for you if you miss a class, you're sick, you have COVID, whatever it is, I don't care. You will be able to watch the classes again. I guess if we screw up the recording, which still has never happened, we'll figure out what to do. But I think we still have a lot of stuff we can point you to. Any questions on this aspect of the course setting? We'll dive into syllabus, which is kind of what you have to do the first day and other stuff. Any questions on this high level? So you have to wait for like 10 seconds for the Twitch questions to come in? I guess for Wednesday's classes, is it the same like this room? Yes, it's exactly in this room, in this space at the same time. So you just think you have a Monday, Wednesday class, and you just show up here, you'll be good. Yeah, great question. Yeah. So Monday's and Wednesday's will be here? Yes. So what do you need more for that? This is your online, like if you're in the Monday course, your online part is the Wednesday course. So you're available to view it online, just like you can. But if you want to come here, you are welcome. Yeah. Yeah. And watching this stuff online is completely different, right? So like, it's not like I come today and then I'm gonna go online Wednesday and then the online stuff is the exact same thing we went over today. Correct, we will be continuing. So Monday, Wednesday, so it'll be a series of lectures just like in a normal class. 
It's just that to accommodate all these people, rather than having two sections of 350 people that we have to give the same lectures twice, to me that seems like almost insane. So this is a way that we can give, scale up to teach 700 plus students in one semester. We've actually started this during the pandemic when we had to go online. And then we followed it up in 2022 and it's actually been super helpful because I think we fill a room with 300 people and only 150 to 100 students show up every class. And so this allows us to teach more students and gives you flexibility for how you want to attend. Anything else? Yeah, in the back. There are absolutely no ramifications for not showing up to the lecture hall. You could leave right now and I won't. There's too many of you. I won't even remember you except that you have a red shirt. Yeah. Yeah, why use Twitch instead of Zoom? Great question. It's an experiment. So part of the reason is we, as we'll talk about, the pwn.college platform later that we're using to like run all the assignments in the class. That was created as an experiment to make a massive like a big course that had people on ground and people. So this allows people who are outside of ASU to join us if they want to and watch the material and be engaged. I don't know. I've been told Twitch is cooler than Zoom but I don't, I'm too old to comment on that. Yeah, I don't know. Any other reasons, Connor, that you want to? I think that's the first time we've ever gotten a question. Yeah. If you, at the end, prefer, would prefer Zoom or Zoom over something else, please let me know. I think the only differences that I see are like Zoom is more immediate. There's the slight, I think it's like a three, four second delay on Twitch and we've lowered that down as far as possible. That's one difference that I see. The ability to ask questions verbally is another one. But I think even when we did that, we, like these hybrid courses, we get questions like in chat, so. 
Yeah. The recordings will be put on YouTube somehow. I'm not sure where they'll live, but I'll show you in the syllabus where links to them will be and we'll also, once the Discord is set up, announce them there. Yeah, so you shouldn't, it shouldn't be a question of where to go to find X day's video. Yeah. How would you? Yes, we will talk, we're gonna get to that. Cool. All right. Somebody on, see, this is when I look at the Twitch chat. Somebody on chat says, we'll be covering x86 assembly right now, MIPS, correct. We'll get to that in a second but we'll be focusing on x86 assembly. Okay. So, after all that chatting, I guess I'll actually introduce myself. I'm Adam. You can call me, I guess, Professor Doupé, Dr. Doupé, or just Adam. Adam works very well. I did my PhD at UC Santa Barbara way back in the day. I actually did, in case anybody, my background is I did a four plus one at UC Santa Barbara, so undergrad plus one year of masters, then graduated and said, I'm never going back to academia again. I'm going to make tons of money in industry. And so I went to Microsoft, had a job at the Microsoft as a software developer in Seattle, lived there for a year before deciding, I actually really want to like research and I want to get a PhD. So then I came back to UC Santa Barbara for my PhD. And then from there, I ended up here and now I'm with all of you fine people. I am very much a fan and you'll see this in this course of, I can stand up here kind of the philosophy is I can stand up here and lecture to you about cybersecurity concepts and we'll do some talking about theory so we can understand how to think about things. But at the end of the day, the coolest thing that you'll ever do is actually breaking things. And that requires putting your fingers to the keyboard and actually doing stuff. And part of that came out of how I got into research and specifically security was through competitions called the capture the flag competition. 
So CTFs, these are like ethical hacking competitions. I'll talk about them in a bit. I originally started at UCSB with Shellphish. Then I started the I reintroduced and restarted the pwndevils group at ASU which is now morphed to the ASU hacking club. So if you want more information about that, please ask me or start Googling around and looking for them. There's I think a challenge of how to get into their Discord. And now I'm actually also now part of Shellphish. So Shellphish is now used to be mainly UCSB. It's now Purdue, UCSB, ASU and a bunch of other places. So kind of ASU hacking clubs are a way to get people into and interested in capture the flag competitions. And then when they decide, yeah, I really love this stuff, then we sneak them up into Shellphish where we play a lot of times in capture the flags. Cool. Oh man, I didn't realize I had that link here. I'll have office hours. They're on the thing. So you can come chat with me. I'll probably be bugging you about office hours. It's really sad when I have 700 students in the class and I'm just sitting by myself in my office just waiting for somebody to join me. So feel free if you want to talk about industry or what you want to do. I don't know. It doesn't have to be questions on class, but just like I'm in my office. Just come and talk to me. Cool. All right. And you may have noticed we have two professors for this course. So this is kind of having the hybrid things. We have two people in charge of these 700 plus people. And so I'm going to turn it over to JJ who's going to introduce himself. Hi. Nice to meet you. Yes. I'm co-instructor. We've got a new guest. My name is JJ Wang. You can call me just JJ. Yes. I joined the Sky School as a new assistant teaching professor. So I was a research scientist. So I graduated from New Jersey University in South Korea. And my research topics, as you can see, it does not kind of hack himself. Anyway, based on my background, I have worked on maybe a pizza for 10 years. 
So I have a lot of experience to leverage the science skills to be available to you. So you know, very good content me if you are interested in any research topics and other concepts. So I'm using my office hours on Wednesday. And yes, I know the lack of some huge class and also the hybrid class. So we will try our best to get the real depth of these class. Thank you. Cool. All right. Oh, that's my girl. I can't even log in to Twitch. All right. Thank you, JJ. To talk a little bit about some of JJ's research, anybody use Wi-Fi calling on their phone? So there's a setting you can enable some of you, right? So JJ found critical vulnerabilities that were in that standard that we were able to address for some privacy attacks, which is really cool. Also doing inference and trying to break privacy on LTE networks when people are connected and stuff. So yeah, we do a lot of cool research blockchains. Anybody wants to become rich for the second blockchain wave when that comes up, you know? Lots of interesting problems there. So we'll be probably sharing off content. So it'll probably be like all give lectures on, I don't know, assembly and JJ will talk about network security. And so you'll see us in and out. But we'll always have office hours. We'll be available for help on Discord. Cool. So we'll talk about a little bit, to talk about more about Capture the Flags. So part of what I did from 2018 to 2021, is that right? 19, 20, 21. Yeah, was a host, co-host one of the largest Capture the Flag competitions in Vegas. So anybody heard of the DEF CON conference, security conference? Anybody go this week or so ago? No? Okay. Oh no, I thought I, this little robot is too smart for me. I'm sorry, I'm not just weird. I'm talking to a robot that now the robot will follow me. If you're on Twitch, you can see that it actually follow me. So DEF CON is a security conference that has been going for 31 years now. And it's kind of like an underground conference. 
It's not like if you've heard of Black Hat or RSA, these are more like vendor focused people trying to sell you, where DEF CON is like, you show up, registration is like, I don't know, it's like $10 for four days and you can only pay cash because they don't want to keep track of any information. Like I didn't even get a receipt when I paid for my badge. So I tried to tell ASU like I had this badge and I will need to be reimbursed because I paid money for this. So, and it's, it's got a very interesting history. The thing that I've always done there is play and capture the flag games. So we'll be getting, actually a lot of the assignments are based on this model, but the idea is there's different styles of this game. You can check out kind of the stuff here on the bottom of stuff that we're into. The group that we created was called Order of the Overflow. And the idea was we were kind of like the referees of this competition and we were creating challenges. So like custom pieces of software that the teams had never seen before that we injected security bugs in and the teams had to compete with each other to find them. And specifically this event I really like at this was, so in DEF CON 27, so this was in 2019, there were six other, there's actually like capture flags every weekend if you want to get into that. We chose six capture flag competitions as qualifiers and 1200 teams from around the world competed in May and the top 16 teams were invited to play in person in Las Vegas. So this was like the scoreboard, which you can actually still go check out and download these things. So this was a 48 hour straight competition. So the teams hacked against each other while they were solving challenges that we created so they actually weren't attacking each other directly. And then, so this was like a view of what that looked like. 
So you had each of the teams, they had eight people at a table and then we had to string ethernet cables to each of those teams so they could have internet access. But even with all this there was usually, depending on the size of the team, some teams are as small as eight and some teams are as large as 80, if not 100 or 120. So some people will have, like when Shellphish goes, we usually have a suite somewhere in one of the casinos that we can put 30, 40 people in. And so we all have our laptops and we're just sitting there for like two days hacking on these laptops and then some people go down to the floor and some people go back. Other people have 20, 30 people. Some people, there's a lot of, it's an international thing. So there's a lot of teams from China that will play and they can't get visas for all of their team members to come in person. So they'll have like, I think this year, there was one dude sitting at one of the tables and he's like, yeah, my whole team is like back in China. It's like 50, 60 people and he was the one person there. So when we had to yell at somebody, we had to yell at him because he was there in person. So for these competitions, the way this game works is every team would get, so we would write these custom services that's like some custom piece of software and we'd give it to each, we basically have a machine that each of these teams were running and it'd be running this custom software. And so they'd have to study that software, find the security vulnerabilities, launch an exploit that when they launched it on another team would steal a piece of data on the computer called the flag. That would be sent back to them. They would give the flag to us, the organizers and we would say, oh, great, we know you hacked team foo and now we'll give you points. While also fixing the security bugs in their systems without causing this thing to crash or to have it do, have it fail. 
So this was really, it's called an attack defense CTF because they're attacking each other while also playing defense and fixing things. So this was what the teams kind of look like. Oh, I wonder if this video still works, yeah. And this is like a video panning through. We had screens that were one showing just like silly videos we were doing. This screen right here, the teams were playing a game every five minutes. So you know, it was like a little triangle that would move around and shoot. But to control this triangle, they had to use insane, like, I think in this one they had to train a neural network to be able to move it. And so the inputs would go into the neural network and how to move it would go out. But there were security things they could do to get more control. And so they're like, you could see teams actually following and shooting each other. And then another cool, all right, that's either there. Anyways, that's us at the organizing table. We also gave the teams Saturday morning an Xbox, an original Xbox. And we said, hey, here's your next challenge. Go plug this into that Ethernet special Ethernet table that's at your table. They plugged it in, connected to Ethernet, turned on the Xbox, and then all of a sudden, Doom, they're playing the game Doom that was running on an Xbox. But when they played, they couldn't actually fire their weapons or anything, so they were just running around. So they actually had to figure out how to hack the game that we had given them in order to let themselves be able to fire and do all this other stuff. So for like eight hours, they were trying to hack each other while playing Doom. And you can see, we actually had a console up that random people could play Doom with them. Oh, good, great. So somebody on Twitch is asking, sounds very fun. It was very fun. What are the assignments in the class like? Yeah, they're to prepare you to do this. I'm trying to give you a glimpse of where all this can go, right? 
And that's what the goal here is, of showing you what like the kind of top-of-the-level hackers can do is analyze this stuff, find these vulnerabilities, and we're going to develop the skills in this class to get there if you so choose to put in that effort. At the very least, what we want out of this class is for you to, when you go out and develop software, introduce insane security bugs. And to actually be aware of security things. You've ever seen, anybody ever had their credit card information leaked as part of a breach or something? Yeah? Or had a thing where your identity was stolen that happened to me. I had a, I think when I was a freshman I had my debit card stolen and it got canceled. And I was like, wait a minute, I can't get any money out. How the heck am I supposed to like live? And they had to replace it and they could give me the money back. You know, like a lot of these boil down to security mistakes. So by learning how, what kind of security mistakes there are, how to take advantage of them, that teaches you how to be aware and to think about these things securely. Cool, so if you're interested, oh there it is, it's still working. Interested in any of this stuff? Some of the crazy things were iOS apps that they hacked, deep learning models and neural networks, the DOOM on the Xbox, LISP machine, if you're interested super weird old esoteric architectures like I am. That was my challenge. I wrote a web server running on a LISP machine and found bugs in it. And all right, since people want to get on the class this is us giving up the things. This was our last year. So this was 2021, post pandemic. This was, oh, this is me getting, what is happening here? Oh yeah, that's right. I had no sleep that night. So I had to set up this insane infrastructure. This is Yan Shoshitaishvili, if anybody knows him, professor at ASU. He teaches 466. I was very cold and very upset that I had to spend all night trying to get stuff set up for him. 
That was still not working and he's here trying to encourage me. I eventually got so bad I had to sleep under the table while the teams were hacking away. But everything did end up working in the end, which was cool. This was revenge of Yan. So the next night Yan pulled an all-nighter and I came in the morning and saw him under there like this. So I think I put on like baby, like white noise machine and like womb sounds if anybody has younger siblings or cousins or something. That's what like people do. And he really liked that. He really like, I'd say purred like a kitten, but that's weird. Anyway, so this is our last year. We're done with that. And now, so this is showing you where you can go. Like I started to, it's going to be hard to remember, but I started to not knowing anything and just taking a security class as a junior at UC Santa Barbara. And then now this is like my whole life and I love this stuff. So that's where you can be too. Okay. And if you're so fancy and you say, this stuff I love, I want to do more security, more, more, more security. We have two undergraduate cybersecurity concentrations. Yeah. So we have a BS. If you're doing a computer science BS, you can choose to do a concentration. If you're in the BSE program and, or in the computer systems engineering, there's also a concentration. I don't know about the details there, but we also have graduate programs. Like, so the concentration, you get something on your diploma that says, yes, I have a bachelor's of science in computer science with a concentration in cybersecurity. Like literally says that on your diploma. You can learn more here. Ask me for details. I'm happy to pass it out to do this. It's actually not even that crazy, although I guess it depends on how, what you think about that. So this course is one of the required courses you have to take. Also all undergrads have to take this course in computer science. So you're already literally a third of the way there. 
You choose two other classes from this list of class. 466 is basically like hardcore binary exploitation that builds on this course and goes super in depth there. Network security looks at network security things. JJ teaches 469 of computer forensics. So if you want to learn more about forensics, that's another rep to go. So the idea is you take this class, which gives you an overview of all of these areas, and then you can decide where to go in depth on those things that you want to. So is the concentration any questions on that? If you're already taking a concentration, can you switch into this one? I assume that is definitely possible, but I'm not like, I actually know very little about all of those mechanics of how the university works, but we have great advising people that they know how to make that happen. I want to say yes, because it would be silly to be locked into a concentration forever just because you said yes once. So I'm sure you could switch at any point, but don't hold me to that, because I don't know anything about that. More questions? Cool, concentrate. Okay, great. Oh, and you have to take elective courses, yeah. Anyways, so yeah, ASU is a designated academic, a National Center of Academic Excellence in Information Assurance Education and research based on the cool research that we do. All right, let's dive into this illness. This is the important thing. Verification. What's it? Is it worried? I have an advanced left for picture. What do you think? Skip verification or cancel nav? Cancel nav. This was a test, you all failed. Because I already have that linked up. Question. Is cyber concentration the same thing as the cyber minor? I don't know that in Sky, the computer science department has a minor. This is a question from the Twitch. It's a different department that has a cyber security minor, right? Or thing? Maybe? I don't know. Nobody knows. Sorry, Twitch. Ask your advisor, and they will happily be able to tell you the difference. 
Do they don't have any cyber security minor at ASU? There's no cyber security minor at ASU? Yeah. So the difference, I actually don't know what the difference is. That's interesting. All I know is concentration goes on your Diploma 2, and so you can put it on your resume or your CV when you're applying to companies that you have this concentration. So there's a certificate and this is a required course. Yeah, there is a certificate. I know that, but that's not a minor. So there's the concentration. I think a minor. So there's your major, your minor, your concentration, your certificates. Yeah. Is there anything else weird that anyone's doing? Is anybody just here for fun and just decided to show up? Cool. Okay. See, we're learning about the university together. Okay. This is the fun thing that everybody loves of going over the syllabus. Why do we all love this? Because it's required. Because it's required. What is the syllabus? The class. Yeah, it's not just information about the class. It's part of it. Yeah, in the back. Oh, information about the class? Good. What else? Policy. Information about the professor. This essentially is the contract between us. So that, and I say, hey, if you say, hey, I got a 96 in this class, shouldn't that be an A plus? And I say, what does the syllabus say? And we'll know what is right because of the syllabus, right? This is the contract. It goes both ways. This is what I expected of you. And this is what you can expect because we won't change this stuff unless we like absolutely have to and even then with announcements and everything. So this is why we do this and why like, I guess all of your first classes should be doing some version of this of going over the syllabus. It's about setting expectations. So we all know that we're all on the same page. Yeah? Cool. Okay. Information people are asking about recitations. There's like a ton of recitation locations to house all of you people. 
We're going to try to just put everybody in one room to see how that goes. If we need to overflow into other rooms, we'll do that. I've selected Brickyard 210, but does it make sense to have recitations before we've learned anything? Not really. It's hard to recitate, recite. I don't know. Whatever the past tense there is. So we'll do that next week. So we'll start next week. Don't worry about going to recitation. Relax. Enjoy your first week of school or first and a half, whatever. Okay. Talk about all that. This is us. I'll announce the TAs. Description. This is like the official, I think, description that's in the handbook. The basic idea you can think of this class is we're going to give you an overview of cybersecurity. So all the different areas. We're going to be... Oh, is attending recitation required? We'll get to that in a second. Thank you, Twitch. So follow-up question to the certificate concentration thing. A certificate is like something you get that's separate, right? And the concentration is part of your major. So you still have to graduate with your major to get that concentration. So you have to satisfy all those requirements. Whereas the certificate, I think you just get to satisfy those things. And it's like a separate thing. Sorry, this is going back to the room for recitation. Sure. But my room says on my ASU, EYAC, yeah, there's many rooms. There's like four rooms that we have reserved. They're all at this time. So we set up all the recitations to happen at this time. We're just going to use one room for now and see how that goes. If we need more room, because our recitation will be optional. You don't have to return your recitation either. Even if you find this, it says a different room. I'll just go to that room. Correct. That's why it's on the syllabus. Cool. Thanks for the follow up. Okay. Cool. Yeah, so those will be overflow rooms and we'll use them as needed. Okay. So course description. Anyways, we're going to cover a lot of things. 
We're going to touch on a lot of things related to cybersecurity and the enrollment requirements. I guess I have to put this here, but I don't know how you're enrolled if you're not doing these things, but you can check it out there. So we're going to cover what the goal is of security. We're going to talk about this week's security privacy mechanisms. We're going to go talking about threats and attacks so we can understand what do we mean by securing a system? How do we think about those things? And then we're going to dive deep. And like I said, we're going to get technical with these things. We're going to do web security. We're actually going to be exploiting web vulnerabilities, identifying them and exploiting them. We're going to do system security. We're going to go in depth. So you're going to learn how to do, not just how to, but like you'll be exploiting buffer overflows in x86 binaries that you do not have the original source code for. You'll learn how to write and read x86 assembly code. So why don't we do MIPS? You all learn MIPS, right? Yeah. What runs MIPS? Yeah, it's a great question. Yeah. Thank you. That's why I'm up here. Sorry. Louder? I can't hear. Sorry. Oh, the Mars rover. Yeah. There's definitely some like, yeah, yeah, yeah. That's great. There's definitely like, I don't know if that's true or not, but I'll believe you for right now. There's a MIPS compiler. Oh, got it. Got it. Yes. No. Yeah. No. Is there any Playstations using MIPS? Yeah. One are five point this year. Yeah. Five points 32. Interesting. I don't know about that. I'm wondering what 32-bit machines there are. It may be true, because a lot of them moved to x86-64. Yeah. So like everybody, the point is MIPS machines do exist, but nowadays, well, all right. I'd say, well, I'm not even running any x86-64 machines here. machine. Anybody have a non-Apple laptop on their desk right now? 
Yeah, those are all, if it's not an Apple and you know it's not an ARM, it's an x86-64. So it's either an Intel or an AMD processor that's running x86-64 assembly. That's also the dominant share of servers, so almost every website you go to will be running that processor. So much software is there. Maybe at some point we'll switch everything to ARM. But the idea, and this is why I love security and cybersecurity in general, is like you don't just learn abstract concepts, you have to apply them to real-world things that are important. So we also don't study, let's say, Windows XP for vulnerabilities. Why? There's a lot. Yeah, nobody really uses it anymore. Yeah. So it's not important. It's not interesting to find bugs there. Now, there are things that run MIPS on routers, that I just thought about. A ton of your, like, routers at home, the Wi-Fi routers and stuff, will run MIPS. So it's important if you're in that nation, it's important, and it's a fine learning language. But for applying the security skills, you've got to learn x86-64, and that's why that's what we're focusing on here. So it'll be a gradual counter, a gradual ramp up to going there. We're not going to go full bore, like buffer overflows and ROP chains and stuff like that, but we will guide you up and you will learn how to do that, because it's very important. It's a very similar concept. It's like learning a new language, like a program language, right? It's like your first one, probably pretty hard. Your second, probably also pretty hard. And then as you learn more and more, it gets like, you like, oh yeah, that's like this thing in this other language. It's the same with assembly like this. Okay, so go on. The system security, we'll touch on and discuss access control, part of how we think about security. Cryptography, we'll learn about public key, private key crypto. Authentication, how do we, like, to something to think about: how do you know I'm actually me and not somebody else, like, who's just standing up here pretending to be me? I don't know. None of you know 
me. Network security: so we'll look at, like, how networks, how data actually gets, like, from my machine to Twitch and then to your screens, back on the other side of your, whatever, screen. How that works, how we can break it, how we can attack it. We'll talk about privacy issues, anonymity, and legal and ethical issues. So you can read the expected learning outcomes, that basically follows from the stuff that I talked about. If you have questions or there's things that you want to cover, because security is a very broad topic, feel free to let me know. Depending on time, happy to talk about those things. There's some things that are just, it's hard to get everything in. Like, cybercrime is one thing that, if you want to go more into that, there's the forensics course where you can dig in there. We do a lot of research on that. Okay, questions, I guess, so far? We'll talk about it. Right now it's just a syllabus. Questions on the syllabus? Okay, cool. So, course communication. There's a Discord. Yay, I guess. I don't know. Join the Discord. For now, there will be at some point a, yeah, yeah, there's way too many channels. I'm a stupid admin on this thing. It's too much. Okay, there we go. So there's, like, this, I don't think you can see, this is insanely small, ASU's CSE 464 Fall 2023. You'll have a similar grouping for our class, so you can, so announcements will be there, class-specific things will be there, but we're still in the process of setting that up. We need some stuff to connect and figure out, link all of you with being registered in the class and then automatically give you these roles, so I don't have to, like, click on 750 students and be like, yes, this student should be in this class. So it's getting set up. But okay, this is a good one. If you've never seen this before, you should check this out. Perhaps, has anybody been in a Discord or a discussion group or a Piazza or something with their classmates? Yeah. Have you ever felt that some people ask bad questions, but you're not allowed to say that that's a bad question? And maybe it's
weird for a professor to say that. If you notice, I said it in a questioning way. Yeah, I'm sure that's none of you, but there are. So it's not about good or bad questions, right? Fundamentally, when you're stuck on something, it's incredibly frustrating and you want your question answered, or if you don't understand something. The whole point of this class is to understand things, so we never want you to not ask questions. But there is a different way. So there are ways of asking a question that significantly increase your chance of getting a response. If you write a question on the Discord that says, why this error, and then you just have a screenshot of the error message, you know, that's asking a lot of somebody else, of, like, how to help you, right? And it also, if I can, if I compare that with, hey, I'm trying level blah blah blah, I'm getting this specific error message, I tried googling for that, but they told me to do this thing and I tried that and it doesn't work and I'm still getting this error. Like, what's the difference between those two questions? It's still the same problem they're stuck on. Yeah. Yeah, that you put in some effort to look. You're not just, like, using the course or using your classmates as the free answer service, right? You look into it and you're stuck, and that's a great place for somebody to help you. It also shows what you tried, right? It provides context over what is the problem that you're trying to solve, what is the thing that you're having trouble with. So this is actually, if you want to, like, read this whole thing, this is actually, like, an amazing, amazing resource that I highly recommend. It will pay dividends, because this also is not just class stuff, this is also, like, industry stuff. Like, this is people, things that people think about their coworkers, right? Like, a lot of companies use Slack and stuff for discussing on their team, and you don't want to be the person that's always asking terrible questions, right? You want to be known as the third person that, like, asks good
questions, and questions that people can help you, and this is a great way to practice doing that for when you're in the real world. Cool. Uh, okay, and this is where it gets tricky, and, uh, we'll talk about, like, academic integrity and all that fun stuff. Um, we want people to help each other, right? Especially help, you know, concepts: I don't understand this thing, um, I, uh, I'm getting this crazy error message, or I don't understand this concept. These are all absolutely great things, of course. Like, again, I mean, part of this stuff is you're going to learn this stuff. Well, A, I guess you have to take this course, so I guess it sucks for you, but B, like, our goal is not to just make you do busy work that has no benefit to you. Like, these things actually will help you get better and translate to your jobs. So, like, we want you to do the things, right? And so, uh, there's a fine line between, hey, here's how to solve that error, versus, hey, here's this code that I wrote that solves like 90% of the project, right? And so we just, be, uh, aware. You know, I, as only as with, it ever becomes a problem if it's, like, happening frequently. But, uh, you know, if you have a question about, like, hey, I'd like to help this person out and send them this code, is that okay or not, just ask us, like, we can tell you. Or just do it, and if I really think it's egregious, I'll message you privately and ask you to delete it, and then we're fine. Like, you know, as long as it's not a consistent trend over and over. Uh, we just, like, you know, you got to do your work. Like, this is the nature of the beast. Um, like, and this is my strategy. I'm sure you will look back and think to this very first lecture at the end of this semester, man, uh, Adam was really annoying because he points out the mistakes or problems and never answers my questions. And this is, like, a thing, a teaching style of trying to get you to, lead you to the answer rather than just telling you the answer right away. You can also apply that when asking questions, right? You say, hey, this doesn't work.
Like, oh, well, what were you expecting it to do? This is, like, a classic question, right? Like, ah, doesn't work. Like, okay, but why did you think it even would work in the first place, right? You must have some theory of why it's working, and then you can go from there to debug and understand and figure out why it's not working. Um, uh, sharing solutions or answers, expressly prohibited. We'll talk about that in a second. Uh, if you need, if you need to, there are tons, you know, in a class of 700 people, you may imagine things happen. So you need to email us, email us, that's totally happy. You can email one of us or both of us. It can be just, like, we will share those things, uh, if you need to. Uh, but sometimes, like, if I get, so you gotta think about scale, right? If I get a question that's about an assignment that I think will benefit the rest of the class, let me just take that question, put it in Discord into an FAQ, and answer it there so that everyone can see. Um, if it's obviously something private, I won't do that, that would be ridiculous. Uh, so just, you know, feel free, ask for help on the Discord. That way we all benefit. This is, like, one of the key things here. Okay, uh, yeah, we're getting to that there, that's good. Okay, recorded lectures. Uh, we'll post links to the recorded lectures here. I think, I'm trying to debate, I guess if you have a strong opinion on whether you want the recorded lectures here, on a different page, or, uh, like, here in the syllabus or on a different page, I guess let me know. I'm just going to put them here so they're kind of all one place for all the course stuff. Uh, they may also be in other places. Okay, grade policies. There's another thing, or, where we will post, uh, the assignments. Okay, you don't have any assignments due, so don't freak out, but we will start having assignments, like, next week, and these will all require you to use the command line and be proficient with, like, using a Linux system and using the command line. So I know some of you all have different backgrounds, and that's
totally fine, but so to point you in a direction to improve those skills, that next week when you have an assignment and you're not freaking out about just using the command line first, uh, this is a suggestion, could be a great thing. I, I know, well, I don't want to say that. Anyways, I'm very optimistic that many, many, many, many of you will do this, because you always listen to your professors when they suggest good ideas and good things. Um, so it's not for credit. We're not going to grade this, we're not going to do anything with this. This is for you. This is a great resource. I literally, like, this Bandit, OverTheWire, I've, uh, it's a, oh no, it didn't link. All right, I'll fix that link. Um, it has all the way, if you want to crank all on this, there's like 30 different levels. But it's, how do, the very first level is SSHing into a machine, so you're getting a remote terminal on a remote machine, and then successive levels are looking around, looking for files, learning different commands. It's actually fantastic, because for each of these things it says, oh, well, you may need to know these commands. And you say, hey, I don't know what this ls command does. Well, guess what, you can click on this, read the manual, understand about it, go back, say, I don't know what this cat command is, I can read that, go to there, do anything I need to. Do this in the syllabus, is what somebody's asking me, where is this model, um, on Twitch. So all of that's on here. So you do not have to do this, but if you feel like you don't, you're not comfortable with the command line, highly recommended. 10 levels, they're very, they're not crazy. Um, and because there's no credit, I don't care if you talk to each other about it. I don't care if you read walkthroughs. There's, like, a million walkthroughs on these OverTheWire challenges. If you get stuck, read a walkthrough or ask each other, uh, talk about it. Like, this is a, this is a non-graded module. That's why I call it module zero, ungraded. Just do it if you want. Help each other learn. Question about that?
I'm upset that I gave you homework on my first day, without any grades? It's like a mixed bag. Okay, cool, we'll see how that goes. Okay, uh, there will be other modules that will be for credit. All the grading in the course will be based on assignments, and you will know your grade at any time in the course. Right, Connor? Yes. Yes, you'll be able to check your grade at any moment. There are opportunities for extra credit. You want to go above and beyond. Oh, my Mac will sleep soon unless it's, okay. This is another thing I'm attempting. I've never done this before in a class, but, uh, it's been used mildly successfully in other iterations of the course. Uh, about extra credit for memes. So there'll be a meme channel in the Discord. If you have a, and this is important, uh, educational meme. So if it's something other, garbage, I don't know, it's not education or class related, just post it literally to your friends or somewhere else, I don't, I don't care. Um, but it must be, uh, relevant, so related to the course or the material, educational, and non-offensive. Does everyone agree with that? Do whatever you want in your own personal time and your own personal Discord. This Discord is for our class, so don't be offensive. If you are, questions about that, ask me. You can send it to me. If I say ha ha or lol, it's probably good. If I say do not post that to the class, don't post to the class. Yeah, you have to make your own. If it's, like, a garbage meme that is very clearly, you stole from, like, the programming subreddit or something, then don't bother posting that. It's, it's clear to see those, like, a mile away. Yeah. Yep. Yeah, that's a great question. So the good ones demonstrate an understanding of a concept or explain it in an interesting way, right? Or, you know, it's up to the judgment of us, uh, of what are and are not. Well, there's actually a Discord bot that, we will acknowledge good ones and you'll be able to see, like, yep, that was a good one. Um, and that's how it's recorded. Uh, I may go over them in class to show you examples of good
memes. I don't have any off the top of my head. Um, yo. Uh, if you, in case that's not picked up: if you, uh, uh, yeah, if, if you have a favorite programming language, would you make memes that make fun of other languages? I, is it relevant and educational? I don't know. Good question. If, as long as it's not offensive, and it's like, you're a garbage human being for using C, then, like, that's not fun. Uh, should be in the spirit of fun, right? Poking fun can be fine. Uh, you could, there's a lot of fun you can poke at, like, Python people like me, but, uh, you know, I think it goes both ways. So I don't know, this has been a fun, this supposed to be a fun thing, and at max this will be one percent of your grade. So, you know, if you're on the borderline, that will bump you up. Otherwise this is for fun. Yep. Say it louder. It is highly, highly, highly unlikely that you find a meme online that is, that we will find relevant and useful. Maybe. You can always try, but you may get some down thumbs. I can't control that, that's not me, right? So that's just, you know, there's a lot of people on this Discord server, so they, they, uh, think of memes. So if you see it somewhere else, it's highly likely we've already seen it. If you make it yourself, those, like, that's, like, high quality, that's, you're significantly increasing your chances. Um, and it's not a, the bot will tell you, like, we are the ones that decide. So the staff, like, decides which one's good or not good, and you will get to know if it's good. So the bot is not judging it. You're not trying to impress an AI, you're trying to impress humans with brains, right? Everyone knows the difference? Like, there's a lot of blank faces here. Okay. Okay, uh, helpfulness. Yeah, we want to help people, and guess what, you can get rewarded for help. Uh, how does the thanking work, Connor? Like, yeah, so if you, if somebody helped you, you can right click on that message and say thank you. Do I have that? Can I show them this? Is this actually gonna work? Okay. Okay, uh, who? Oh, me, obviously. Can I do this? What? Okay, you said this
would work. Okay: Apps, Thanks. And then it said, boom, Adam to use thanks you thanks artists, and we get a log of this, and so we can see who's helping each other. Um, this is a security class, of course, and we will be thinking about attacking things adversarially. Uh, please do not abuse this system and create insane thanking rings or something absurd, because we will have to see these things, and if we see people thanking things for things that aren't actually things that should be thanked, I do not want to have to wade into this. It's not worth the two percent, so, like, risk your academic career on. You already have script statistical analysis on your page, so there's already, like, scripts that look at these, analyze these things. Just, like, man, if I have to, like, do academic integrity and stuff like this, I'll be the, I'll be a very sad person, and then I'll probably put your example up here in the syllabus for later. Um, max two percent of extra credit for thanks, so also there's no reason to go crazy. Again, these are things to, like, if you're on the border, this will bump you up, right? Yeah. Yes, and I don't think you can do that directly. I'm sure you're good. Yes. Yeah, yeah, it will automatically record it. So once you right click, under Apps, and you say Thanks, then boom, it gets recorded and we have those logs forever. Yeah, it's up to my discretion. We'll see. Our discretion, sorry. Nobody wants a meme target. It's not like you guys work for, I don't know, they're like a meme factory, like, I want you out there cranking out memes, but, like, cool. Okay, final opportunity for extra credit. Maybe I'll lower that. Okay, we'll see. Anyways, okay, uh, bug bounties. So we'll actually talk about it a bit this week, um, in bug bounty programs, but if you disclose to us, the instructors, administrators of the systems, like, serious security issues in the course infrastructure, you can earn up to a 10% extra credit bump, because we want to build secure systems. It's a security course. But, uh, don't, like, be like, hey look, I can fill up this disk
and now nobody can use the system. That's lame. And, like, don't, uh, this testing or these ideas, it's something, if you find them, we will reward you, but don't, like, impact your fellow students' usage of the service by trying to do stuff like this. Um, and the other thing is, this is, comes up because some people do crazy things. Uh, if you're not sure, maybe talk to us first if it's a real one or not. People that run bug bounty programs will very frequently get reports like, hey, you don't have the right SSL certificate, give me, like, a thousand dollars. And, uh, that's, like, on the, we'll talk about severity of problems and vulnerabilities, that's on the far low end of things. And if it's something that's, like, not true or wastes our time, we may lower, give you some negative points for that, because that's a waste of our time. I don't expect to use this. I just, we want this in our back pocket if we have to, somebody's, like, abusing these things. Again, we do have to think slightly adversarially. But, uh, you know, if it's a mistake, like an honest mistake, yeah, that's absolutely fine, but don't waste our time on purpose. There should be something, we never have to do this. Actually, 90% of the syllabus is stuff we never want to do, uh, but we need to have those policies in place. Uh, okay, cool. Uh, okay, so the thresholds for letter grades. Uh, I may think about lowering this with the amount of, no, that should be fine, I want you to, like, do more. Okay, it's great. Uh, so okay, these are just the thresholds. We do not round. If you are, so if you're a 93 up to 99.9999%, that's an A. That's what these thresholds are. If you're at 100 or above, that's an A plus. If you're at, whatever this is, this is, like, really big and hard to read, but 86 or above, B plus. Okay, as you'll see in this course, it is very clear to understand where you are, how much you've done. It is very easy to do more assignments. Uh, so we don't do any rounding. There's, don't come to me with, like, I have a 99.99 and I really want the A plus. Actually, those are the
worst people. No offense, is that to you, or you've done that in the past? You've not, haven't done that to me, because I haven't taught in a while. But, uh, those people get the angriest, and it's not the people that are at, like, a 69.9 that want a C instead of a D or E. Um, so the, these are the, uh, highest these thresholds would go. So we're not going to curve it up. So if you get a 93, that is a guaranteed A. Uh, if you get like a, but we do reserve the right to lower them. So we may say, actually, it looks like this course, this assignment was too, I don't know, whatever. This can happen, is, like, maybe the A minus will get brought down to an 89 percent or an 88 percent, but it will never go up above 90. Does that make sense? Yeah, you will find your ribs on this website. Yeah. Yep. Is it possible, I guess you can go 103 percent total if you do meme, helpfulness 2 percent, memes 1 percent, and if you find a security bug I guess you get 113 possible points. Are you looking for, like, an achievement to unlock? You don't need to shoot for that, though. It's fine. Just learn stuff, do stuff. Cool. Okay, so, uh, let's see, absence policies. Uh, why didn't any, oh, it's a hybrid course. Like we said, show up, don't show up. Feel free to not email us if you're not going to show up, that's also fine. Um, email us if you have crazy circumstances that impact your ability to do assignments and deliver them on time. Um, okay, as you can tell, because there's a camera. Yeah, sure. Yeah. Yes. Yeah, yeah, anything. We reserve the right to lower them, but we'll never raise them. That way, whatever grade you get will always be, like, you'll never be surprised, like, I thought I had an A but I got a B minus because the thing was curved. We never curve in that direction. That's just, we will not have tests, we'll not have exams, it'll all be course material. Um, we're working out the breakdown. It may depend on exactly how many modules we end up having. It's unclear how fast we'll go, it kind of depends on the class and, and how we do things in class, but it will be, you will
know your grade on each module, and we'll be able to give you, let you know your overall grade as we go. Yes. Yeah, so 100% of your grade comes from doing assignments on the website. There'll be a link, yeah, once that's up and working we will post links. You don't have any assignments, though. So okay, as you can tell, because it's been happening, uh, we're recording these class sessions. So when you ask a question, you, your voice will be recorded. This is to help all of the students. We don't want to record any of you, so don't stand in front of this guy. This way it's just us will be recorded. Um, looks like Coke. Oh, my drink. Jesus. Isn't that useful, Twitch messages. Just start banning people. Okay, um, yeah, so we do this so you can attend or not attend, or to be very flexible. It's actually super useful. Yeah. Yes, we will also post the slides. Yes, I don't know exactly where yet, but we will have links to the slides as well. I think I'll create a separate page, but yeah, we will have, like, recordings, links to slot, links to slides, everything you need will be available to you. Cool. Okay, uh, there's an optional textbook. Uh, wow, my thing isn't good. Okay, we have an optional textbook. This is actually a very good textbook, but we like to teach, like, teach and not assign readings. Uh, we have it here so in case you want, like, supplemental material, or you really want, like, more information, you can definitely go check out the book. Um, like we said, assessment: so we graded on just the, how we, how you do on each of the modules, which you'll know right away. Uh, the weight of each module will be announced kind of as we do it. It just gives us a little bit of flexibility. Like I said, we're gonna have seven, eight, nine, ten modules, it kind of depends on how fast we go through stuff. Uh, he said, while realizing they are going to slow him down. Okay, we talked about the structure, that's great. Expected student behavior. Uh, read this link if you don't know how to be a professional. Uh, all, I guess, FSE students have to be, act professionally. This
also extends to the Discord. So I don't want to, like, this is also an extension of our classroom, so, like, don't make me go in and, I don't know how to ban people or do insane stuff. I really don't want to do that. Uh, this is a fun classroom environment, let's help each other. Uh, academic integrity. We touched on it a little bit. Uh, zero tolerance policy. I've reported probably about 20, 30 cases, I think, in my career, and I will do it again if I have to. Uh, it's not because I really care. I actually care more about, like, the students who work really hard and get a C and they don't cheat, but the other students cheat and get an A and don't do any work, and that sucks to me. So, uh, we will look for that stuff, uh, and we will report them as necessary. Don't post your assignment solutions online. A lot of students tell me, but hey, how are employers going to know how cool I am? Uh, and I say, well, 700 students literally your semester also did the same assignment, so that's not, like, very cool. And there's been thousands of students that have done these assignments, uh, and then across the country, it's not like this is the only cyber security course. Many students do many things. Um, if you really want to stand out in the job market, like, write code. Like, write an open source thing that does the stupidest, simplest thing you could possibly think of. That will make you stand out way more than, like, hey, here's my assignment that I did in 365. Um, you also, I've seen this happen, see, this is again, like, this is, like, why you have to have signs on everything, is because things happen and there's a story behind them. Uh, don't work out of a public GitHub repo. I had a student that, their code matched another student's code, and, like, exactly, as, like, why is this happening? And one student, like, didn't understand, and the student admitted that they googled and found the public GitHub repo of that student and stole their code without their knowledge. We'll talk about that, but as you can probably see, is very clear, like, that is actually
your fault, and both students can get written up, record integrity, uh, issues. Um, if you need private GitHub repos, you have a GitHub Student Developer Pack that you can get unlimited private repos because you're a student, and pays zero, zero dollars, so there's no reason not to do that. Um, yeah, uh, people are asking on the chat, like, ChatGPT and stuff. Um, you can use, I don't know, use it. I, there's actually, you'll see, if you opt in there's a way to actually use them through the course that is very cool, which may or may not help you. Um, it depends on what you're exactly doing, but yeah, I think it's cool, and if you have good experiences with it, tell us. I think I'd like to know this stuff. I've had some good experiences and some insane experiences where it's really bad. Uh, okay, collaboration policy, we talked about. Sorry, yeah: questions and answers focused on concept, not how do I solve this challenge. Um, don't discuss full or significant portions of a solution, and don't solve challenges as a group. Like, these assignments are meant to be done individually. Yeah. I'm a little confused, but one of the last sentences is a new section, making it easy to begin with a private GitHub repo and easily make a public after the assignment deadline. These assignments, so you need to, the semester, that once a deadline's over you can make a public, or that just kind of. I have no idea what that means. It's a great question. It should just stop right there. Yeah, that's why I heard. Yeah, it should not be public. That's great. Should we edit it right now? Okay, what's on my Emacs terminal, though? Let's see, we'll do something else. Okay, uh, GitHub, go use that and never make it public. I'm surprised nobody's, I've used that language for, like, a long time. See, people actually read things. Thank you. It should update in a few minutes. Okay, thank you. Uh, cool, collaboration policy. Uh, yeah, we talked about that. Uh, there's a lots, wait, what, which one's the correct one? So that's like, uh, yeah, don't upload our, like, content to other things, like,
uh, I don't know, I guess I probably shouldn't name those websites, I'm sure you know what they are. But, like, it's, like, our stuff, don't upload them. They're actually, like, all of our stuff is available online, so there's no reason to upload them to anyone else. Um, no threatening behavior. I can't believe there's, like, stuff we have to put in here, but, uh, don't threaten people, otherwise we have to do stuff like report you. Don't be offensive and post any offensive materials, of course. Again, if you have questions about what is or is not, feel free to ask me. Um, disability accommodations: we're very happy to do that, and we're going through and approving all those requests. This should be absolutely no problem. Uh, harassment and sexual discrimination: uh, do not harass people or discriminate against them, uh, in general. Um, Title IX policy, there's more resources here. We're mandatory reporters, this part isn't, is important. Uh, so we are obligated, if anybody reports anything involving sexual discrimination, some sexual violence or dating violence, we have to report that. There's great resources here that you can go learn more and get more information. Uh, I guess there's a photo requirement now, which is a new thing. Um, the syllabus: we may update the syllabus, but we won't do so without notifying you about that. So, except, I guess, for the parts in there that's, like, this is where lectures are going to go, right, because those will be constantly be updating, but we're not going to fundamentally change the policies. Okay. Oh, you guys think you're going after this, right? Because we can get started. All right, so what is security? We got six minutes, no longer than that, however long it is. You paid for an hour and 15 minutes, you're getting an hour 15 minutes every day. That's exactly. All right, so what is security? You're here taking a class on security, what is it? Seems like a good place to start, right? Yeah. Okay, preventing unauthorized access to some system, or, what was the other part, to information. Yeah. Is that
important? Does anybody care? Do you have information that you want people not to access? A lot of more people looking up. Yeah. What other aspects? So maybe preventing access to information, what else? Places, yeah. Physical security. Could be data centers, it could be your house. Anybody have any physical security on their house or apartment or the place that they live? Yeah. Why is that? Like owning things. You like owning things and you'd like to keep owning them. You maybe want to control, but you don't, like, live in a fortress by yourself, you're the only person in there, right? You don't think it's a, uh, go somewhere else. Yeah, peace of mind. Yeah, maybe you want to only let certain people into those areas, right, and not others, and so you have ways to do that. Yeah, you can think of security very broadly. The way we, it's a very easy way to think about security, and this is, like, a key thing to take away from this course. Um, you can remember it, and I always remember it based on the government agency, the CIA. So the first one, C, is confidentiality. So what does confidentiality mean? But let's go over here, sorry. Yeah, privacy, like, keeping things secret that you want to be secret, right? So, like, uh, your login account, like, maybe your grades. Anybody care that their grades are secret? Yeah. You know that's, like, a law, that, like, even if your parents called me and demanded me to tell them your grade, I legally am not allowed to give that information over. And I've had that happen, but, well, not call me, but email me. It's very weird, don't let them do that. But I will handle that and I will not give them your, your information, because you're legally, like, that is information that we have to keep confidential about your grade, and that is your private information, right? What other pieces of information or things would you like confidential? Yeah, medical records. What else? Social security number, because people can create loans in your name that you're liable for, maybe. Yeah, your bank account information. You don't want
anybody seeing that zero, right? Uh, so yeah, and this, underneath confidentiality, and you already know a lot of these concepts. A lot in this course is just, like, talking about them and thinking about them and applying them to security. So things like access control. So you may want to control who has access to, let's say, your house. How do you do that for your house? A lock. A lock. A lock by itself, is that? Yeah, somebody else said a key. And how do you give other people access? You give them the key. How do you know that only they use that key? Yeah, you don't, actually, right? So it's kind of weird, and we'll talk about that in the, like, these physical things don't always translate over properly. We'll talk about later encryption, ways that I can give you some information that you can derive zero knowledge about what's inside of it. Like my password: I can give you a file full of all my passwords for all my computers, and because of the way that it's encrypted with math and stuff, you cannot read that information. Other things: we talked about bank accounts. If you had a very large bank account and you woke up one morning and it was a zero, would you be happy about that? But it's still not breaking confidentiality, because nobody else knows it. But the problem is that data was modified without your authorization and in an unintended way, and that's integrity. So that's the idea of the integrity, is how do we make sure data is not modified. And we'll see techniques to, how do we prevent people from modifying our data and how do we detect when our data has been modified. And the final thing, that A here, is availability. So why is availability important, and why do we think of it as part of security? Yeah, so somebody to respond to security threats. There's actually a service you can use on the dark web that you put in an email address and they don't send spam to there, they send random gibberish emails to an email address. Why? Basically unusable. Yeah, so unusable. So what criminals do is, when they're going to break
into, like, a bank or something, they find the email addresses of everyone on the security team, they sign them up for these services so they flood their inbox, so their email inbox is just a bunch of garbage, so they missed the alerts from the internal systems that say, hey, there's this, like, weird alert that you should look at. Yeah, and that's separate, the intention is separate from a DDoS. A DDoS is a, is a style of that. Yeah, so if I can take off their computers offline, that's even better, but hey, they may go to other machines. But yeah, so that's the one of the main attacks, is a denial of service. There's actually cybercrime syndicates that their whole business model is, they take down somebody's website, and then, like, a small business, obviously Amazon, it's very hard to take down, but a small business, and they take down their website for an hour and they call them, they say, hey, your website's down, that sucks, we offer website availability services, we'll show you, here's 15 minutes of your website up. And then, boom, your website's up for 15 minutes. They say, if you want to continue using our service, pay us a thousand dollars. And then they'll pay that money, because it's worth it for their website to be up and not down. If you were, it was not clear, they are the ones doing this and causing these denial of service attacks. Cool, so CIA, try and remember that. Yeah, in the back? It is definitely illegal, yeah. So, uh, we will get to legal parts, so please don't leave thinking that's up as legal that I said. Uh, all, all, although I'm also not a lawyer, so this is a very deep area of what is or is not legal. Uh, there's also that, is that ethical? It's definitely not ethical, and I'm pretty sure it's not legal, uh, either. Okay, do we do, oh, we got one more minute. Uh, I have nothing to say. CIA, try and remember that, and I'll see the Wednesday people that are online in class, and you guys online, unless you want to be here, whatever.