 Software security, everyone in the right place? Yeah, I know. Cool. All right. You always got to check. That's a key pro tip if you ever become a professor. OK. So a little introduction. So does this sound echo-y to everyone? A little bit? It's kind of like, all right. So this is Software Security CSE 545. For those that don't know me, I'm Adam Dupay. I'm a professor here in computer science at SidSea. Let's see, I've been doing this now for three years. I started in August 2014. The fourth year, I got three degrees from UC Santa Barbara. So I did essentially the equivalent of a 4 plus 1 there, so a master's plus one year for a bachelor's plus one year for a master's. Did that, and decided I'm so done with school. I'm never coming back to academia. I want to go work and make a lot of money. So I had a full-time job at Microsoft. And I was there for about, I think, like four or five months before I realized, I loved it. Don't get me wrong. What I really missed was doing research, because I'm involved in research when I was doing my master's. So then I decided to leave Santa Barbara, or to leave Microsoft and go back to Santa Barbara for my PhD. And so when I was there, I did basically my dissertation on how to automatically find vulnerabilities in web applications through either black box interactions or by source code analysis. And so I did that. And then I was fortunate enough to come here. And I've been here ever since. Any questions about me? It's OK, I don't have to be shy. Yes? What did you do at Microsoft? At Microsoft, I was a software developer, or what they call them there, SDE, which is like a software developer engineer, I think. And I worked in. So internally, I was on the big Windows server team on the user experience group. And so basically we created tools to help technical writers write and manage their technical content, because they wanted to know every. So basically, the technical writers would write using one of our tools, XML, which it turns out technical writers love the idea of XML, because you can then spit it out into different formats, but they actually hate writing XML itself. So we developed tools to help them make that process easier for them. Then they would basically check it into our content management system. And then we had various pipelines to publish it to MSDN or create a help file. So when you hit F1 in your program, you'd see the same help content you saw there, or you saw it on the web. Yeah, it was really fun. I wanted to get more into security. And I just decided that I'd really love doing research. And now I'm here back in academia, where I said I'd never be. So never say never. Any other questions about me? Cool. OK, so we have office hours. We'll be updating them shortly. I'd like to introduce you to your TAs. Where did they let me go? Connor, stand up. You want to introduce yourself? Yeah, so my name is Connor Nelson. I kind of recognize some of you. I am a 4-plus-1 student here at ASC. So I'm currently in my master's, graduating with my bachelor's last semester. I took this course with Adam last year. Definitely a good course. You picked the right one. I do research with Adam, and I'll be in this course as T.A. Great. Other Adam, you want to introduce yourself? My name is Adam Most. I'm going to be called the other Adam a lot. I'm more into my Adam's lab, but focusing on social engineering and professional human security. I also took this course last year. You'll be too soon. I haven't finished. Cool. I know that one. Just so you think I don't know. Great. OK. That's good. And the ways of introductions. Let's go to our handy-dandy syllabus. This is something we, I guess we don't have to do, but basically you're going to be doing this all day. But as soon as we get to the syllabus stuff, we're going to go right into actual stuff. So this should be fun. OK. So let's see. Important things. So there's three of us. T.A. is plus us. So when I've had this happen before, most annoying, well, I guess I shouldn't say that. One annoying thing that students can do is to ask all three of us the exact same question, but not email all of us in the same email. So we each get a message, we each individually respond, and now you've wasted three people's time. So to prevent that from happening, and to ensure that you get a quick response to your queries, because you guys have questions, I'm frequently very busy and have a lot of things going on, so sometimes emails get buried among other emails. And so that way, if you email this alias, so cse545-admin at asu.edu, that will go to all three of us, so somebody will respond to you right as quickly as possible. So please, please, please use this for all communications with the TAs and professors, so this is the absolute best way to hold a bus. Questions about that? Cool. Okay, so about this course, so the course, the description of this course, essentially this is a class on software insecurity. So is that like crooked on the edge there? Can you all see the board? It's all readable. That's in three dimensions. Okay, so the idea behind this course is we want to study the ways in which software can be insecure and can introduce, and vulnerabilities can be introduced. This is incredibly important because without knowing how to find, identify and exploit vulnerabilities, how can you ever build defenses against those vulnerabilities? So we're really gonna study in a hands-on way, but also the practicality behind exploits and vulnerabilities. So this is really the key behind this course. For prereqs, this course you can talk to the TAs, Adam or Connor. They can tell you that, hopefully, I don't know, maybe, is this course hard for challenging with cool? Yes. Requires a lot of time to do it. A lot of time, a lot of programming. Yes, a lot of time, a lot of programming. And I didn't pay them to say that. So you can at least mildly trust what they say. So this is not only just for challenging, but this is also a grad class. So this is not an undergrad class. I'm not going to spoon-feed you about, I don't know, how to do things. I trust that you're all at the level where you can, if you don't know something, not knowing something is fine, right? We all start in a state of not knowing something. So do you just give up your hands and cry like, oh, I don't know. Like, whoa is me. No, you go out there and you learn in order to have problems with what you need to do. So that is what I'll expect of you. Of course, we're your resource, so us and as you'll see your fellow students. So feel free to ask those questions, but on the same time, you should be focusing on finding the answers yourself, and you'll find that that's a very rewarding process. So some of the things that, so like Connor had said, it's a very programming-intensive course. It's also a very hands-on course. This is not a theoretical computer security course. So in order to succeed at this course, you need to be a very good programmer or you will become a very good programmer by the end of this course. I highly recommend you know C or C++ very well, because a lot of the we're going to look at C code, we're going to be looking at assembly, and if you've never seen this kind of thing before, you will have to spend the time to learn that beforehand. It's also very handy to know a scripting language, Python, Ruby, or some ITHP, and a really solid background in operating systems, and I'm going to update this, Connor, at a good point, networking. So networking, sockets, IP, we're going to cover these things. We're going to cover these things in the context of attacks, though. So while I'll briefly cover the basics, you're going to have to learn on your own what the structure of a IP header or PCP header looks like Yeah, there you go. This is a good line. If you don't have these skills or don't plan on acquiring them, you will not succeed in this course. So it's no shame in not taking a course. This just may not be for you. Questions on prereqs? Textbooks. So there's nothing... Most of this material is compiled from my knowledge of security, as well as parts from some other professors and that I've improved upon. But these two textbooks I know have been useful for students. So if you're looking for something to buy or something to have as a resource, these are actually fantastic resources. So hacking the art of exploitation is... I know a student who has taken that read this book and has become very good at doing binary analysis and finding binary vulnerability. So it's a very good book. Also the Web Application Hackers Handbook is a great book for web security. So I both... I own... I think there are four copies of this hacking art of exploitation book so I keep lending them out to students and they like it so much they don't return it, which is good. And this other book is really awesome for web security. This is like the Web Security Bible. All right. Cool. Course communication? So, as you'll notice... As I won't tell you directly, I do not like Blackboard, so I will not use Blackboard for this course at all. Everything... So this website will be your... will tell you everything that's going on here. We'll also use a... a Google group for classes session and class communication. So basically you have to sign up for this because anything... Like if I say, hey, classes canceled and you won't go to Yale, you'll know about that through the mailing list. Let's say you got a pop quiz, but hey, it's whatever. All announcements will go through this list. Plus, the really important thing... If you look around this room, there's 132 people enrolled in this course. There are three people trying to help everyone in this. So this course will be much better if you end up helping each other, right? And the best way to do that is to ask questions on a mailing list where fellow students can see them and can say, hey, if you check out this resource, this may have the answer to your question. How are you opening that file? All these kinds of things will help a lot. So I strongly encourage you to use the course mailing list. Also, what we'll do is if we get a question from one of you that is not a personal or some kind of restricted question, often time we'll reply and include the course mailing list that way again. When one of you has this question, it's likely that many have the same question. So if we reply on the mailing list, so another good tip is to search this before you ask your question because this happens less in grad classes, much more in grad classes where students will ask the same question like four times and wonder why nobody is replying to them and it's because like two days ago somebody asked that same question and they already had an answer. So that's good. Don't share solutions and answers. That's pretty easy, cool topics. We'll cover mainly so we'll look at network attacks and how to attack networks. We'll look at application security and mainly we'll focus on binary security so how to identify vulnerabilities and exploit them binaries and then web security, we'll look at how to identify and exploit vulnerabilities in web applications. Those will be the three main areas covering all kinds of these cool technologies. There'll be a number of homework assignments that may vary depending on how much time we have for the exam. No notes, material. There will be a project for this course. I need to update this. There will be a project this is for those MCS students that are doing the project portfolio. This course will count as that. There'll be a final exam. This is how the grading is split. I don't know if this is all stuff. I feel like you can read it in your own time. So let's see. Late assignment. 100% deduction per day that your assignment is late. That's on you for all of the assignments, I think. Yeah, for all the assignments they'll basically be automated grading so you'll know right away what your exact grade is on that submission that you made. So that should be pretty easy. Any questions before we get to the super fun part about plagiarism? Let's see if it wasn't fun already. Okay, so I have to do this because it ends up being an issue every single semester. I don't want to write anyone up for academic integrity violations. I don't want to have to report to the dean's office. But when we find people cheating we will do those things. And the reason why is because it's not fair to everyone else in the course who put in a bunch of time and effort and struggled and spent, I don't know, do you have a rough estimate for how long you spent on an assignment? You don't want to know. Yeah, when you put in all this effort and then somebody else puts in zero effort that's not good for anyone, right? So I do take plagiarism and cheating very seriously even though this is a crack class. So consider this you are essentially first warning because you will not get any other warnings. When we find stuff we go through the procedures and we will write you up. I don't care. I mean, I do care. I care about all of you but just because you're in certain circumstances you're here from out of the country. Your parents are paying for your loans. Obviously I feel bad for you but your actions have consequences and so it's not fair to all the other students who put in the work. So I've written up every single person that I caught cheating and so that's just a fair warning. So basically it's a zero on the assignment and will be reported to the dean's office. So just don't do it that way. I don't want to increment this number. I always have to increment this number so don't make me do that. The rules of academic integrity violations. Sharing code with a student. So sharing, hey, use the snippet. And then this is if it's a how do I open a file or something I guess that would be more fine if it's like, hey, here's this web page that tells you how to open a file. But if you're coding somebody else's code or they send you snippets don't do that. We're going to find it. It's not going to be good. Collaborating with a student on code. Getting another student's code as your own. This is a big one. I think people might even change the name. Yeah, like here's a reading file with your name. And here's C code at the top of it with somebody else's name. Submitting a prior student's code so this is another one. So getting code from previous semesters we have a code. We run cheating detection stuff. Just don't do it. I don't know. I hope you're here because you want to learn and expand your horizons and become security experts. And the only way you're going to do that is to quickly end the time and effort. We're not asking you to do busy work stuff we're just asking you to code things because you need to know how to code to do security. So the kind of corollary to this is posting your projects online is expressly forbidden. We can retroactively fail you and that has happened to people. So don't do that. And a lot of students say, but I want my projects to be out there so that my potential employers maybe can find it and use it. That is great, but there's a GitHub student developer pack to get unlimited private opportunities so you can have you can make your repos private. Actually the this is actually a key thing so everyone does projects in school. So employers aren't really impressed that you took a course and you were forced to do this homework assignment because you're literally doing that to the grade. What employers want to see and this is something coming from my year? My year at Microsoft is that what impresses me when I'm looking at a resume is hey here's this open source code that I wrote. This is something I didn't have to do but I did anyway because I thought it was cool and fun. That really stands out to employers not hey I coded thing X that 200,000 other people across the country also coded thing. Any questions? Super fun plagiarism. Don't do it. Class over. I'm just kidding. Now we will get right to it. What is software security? What is this course going to be? We first need to think about what is security? So I'm asking you what is security? What is the word, the term, how do we use the word security? You don't have to be shy. You're trying to buy 131 under a friend. What was that? Protection. Protection against what? Against an attack outside of attack. What's in a sack? Someone trying to take your data and you don't want to share your data. So I'm trying to take your data. What is it? I'm an authorized person. An authorized person should not be able to access what? Private data. What else? Confidential information. Confidential information. What does that mean? It may be a great part of the confidential information. So like a person, so like a private information? Or company. Or company. Okay, cool. Yeah. I guess controlling interaction has just got anything in the process. Ooh, security. So controlling any type of interactions. Yeah. Opposite technology, you will be able to manipulate the data that you want to send. You know, within the computer or even in the network. Okay, so maybe, so unauthorized modification of data either at rest of the time. Yeah. Defining what a person can do in the system. Defining what a person can do in the system. Yeah, so kind of all these things. So basically when we think about security, we bring it down into three things. This is incredibly important things that you really have to drill into your head about what is security. So broadly we think about security in three different ways. We think of it as very easy to remember. So confidentiality, integrity, and availability. So confidentiality, we want to keep things that we want to be private. Other people will phrase it other ways. We want to allow people access only who should have access. These are all kind of ways of thinking about confidentiality. So keeping secret things secret. Integrity is what we talk about with modification. If I send my stockbroker a message that says hey, buy a thousand shares of whatever, Apple, and somebody changes it to say buy a million shares of Apple. That would be bad for me. Or if they change it and say sell all of my shares of Apple, that would be another bad thing. So I want to make sure that that message that I send, the other party knows that that data doesn't remain changed and transit. So availability. What is availability? Access control. Access control? Define it. It related to availability. So from a sort of systems level, a user can only access what he's supposed to access. That's how I'm defining access control. Okay. What about availability? Yeah, so being able to access something is how important it is to you. Interesting. Yeah, I buy that. Yeah, that's okay. So when we want to access a particular data, no one should prevent us from accessing that data. Okay. Yeah, so actually that's interesting. It's almost the flip side of confidentiality, right? So if we want something to be confidential, that means only confidentiality, right? So from a confidentiality perspective, if I can see something but I can't because that system is down, then it's still confidential, right? But it's made unavailable. So actually a good way, one of the good ways I like, one of the good attacks I like thinking about availability. So the big thing everyone thinks of is denial of service, right? Just take down some system. But one of the coolest things I heard about is when criminals are going to do is they'll set up a thing that will send all the IT admins and basically spam them, but not with like, I don't know, links to Vi Viagra. What they'll do is they'll just send them emails with random gibberish that gets through their spam filters because it's literally nonsense, but it fills up their inbox so they don't see the alerts that are happening of oh, we tripped this intrusion detection system or oh, this system or oh, there's a weird suspicious transaction that's happening. So that's an interesting attack on the availability of a person with the ability to see the alerts. So, what we're going to look at with software insecurity is we're going to be looking a lot at terms of software fault. So what are the ways that software can be incorrect? So why, when we step back for a moment, why do we even have to do this? Shouldn't software be perfect and just work? Our entire lives and everything runs on software, right? I mean, there's software running literally on an airplane, your car, everywhere. Yeah. Hardware can be imperfect. Hardware can be imperfect. That's a good response. I love that idea. Let's blame it on hardware. Even if we write perfectly 100% correct software, the hardware could be wrong. And we're actually seeing examples of that in some recent vulnerabilities now. What else? Why else? Has any of you written software that is 100% correct? It doesn't exist. Interesting. I don't know how to think about that. It's all ignored. Isn't it because of abstraction? You always write in software on another layer where you don't really add. But let's say my goal is to write 100% secure software. If abstraction was a problem then I would get rid of abstraction and just do it. I'll write to the hardware directly or maybe I'll write in a assembly or something. You don't have the budget of the time to Yeah. That's how you gave me how much money do you want? How much money is it going to take? 10 million to 100 million? A billion? Would you still guarantee at the end that you have something that's 100% secure? Yeah. Who's the human that's actually at fault? The intern. The intern? Yeah. I think as people there's many different ways. This is kind of a pretty broad question. But I think of it as like software is developed by humans and we're not perfect therefore the software that we develop can almost never be perfect. And that doesn't even include things like hardware configuration or all these different ways that software can break because of things that aren't necessarily the cause of the person who broke it. But so we think of it as basically you know a developer mistake or human error introduces some bug. So what's the difference between like a bug and a security error? So what's the example of a bug? Functional it might be a bug but it works perfectly in the functional perspective but from the security perspective I think it makes some problems. Right, so from so correctness is an idea of functionality or what things it should do so if it's something wrong with the functionality that could be a bug. But what are some examples of bugs? Like why do you think it was fair that you compiled an error before that said that you did something wrong. What is the general reward which can be defined. There are a lot of bugs for example in the user experience of an application maybe there's some bug in one of the drop-down bugs and it does not work correctly but it does not necessarily only mean that it may be caused by security or vulnerability or something like that. But when you are talking about security it means that there is a vulnerability which comes from bugs but it's about a really big gap that can cause some access to the program from both sides and it can change the integrity of the system or something like that. So when we think about it we think about our all software fault security bugs probably know so let's say we're going to company and have a bug tracker work with bug trackers what are some examples of bugs that you've seen generally maybe what's an example of a bug can you give me a broad example you don't have to give us any details. Like a corner case, an unanticipated corner case with multiple scenarios that you did. So I had an example I think it was when I was an intern at Microsoft and we had SCETs which were dedicated testing people and it was a bug in some thing that I've done where they said it works right most of the time but if you have two monitors and you're on the secondary monitor the feature that I implemented didn't work and I like blew my mind at the time like how could anybody test it on two monitors but they were right it was a bug but that wasn't necessarily a security bug or like I've had bugs where like change this text from this to this but it's not necessarily a bug in the software company it's not necessarily a security bug but it's clearly a bug something's not correct so the main way to think about it when we go back to what is security so I think of it as a bug is something that allows an attacker allows somebody to violate one of these properties of the software so some to violate commonality, integrity or availability of the system so software is buggy because humans are imperfect we're writing software that is not perfect and a software bug or fault as we said may or may not be a security bug or security vulnerability this is kind of a key point so I think in terms of vulnerability is something like a bug that exists you could say this vulnerability exists in the code there is on line 50 there is a statement that is not only a bug but can allow an attacker to completely take over this application or in a web application can allow an attacker access to our entire database so when a bug is actually triggered when somebody maliciously exploit triggers that bug we call that an exploit so security is kind of this field that's full of margin and terms and this is actually a subtle distinction and I will demonstrate that you know about security is being able to talk about vulnerabilities different from exploits right so when I say like oh they found a vulnerability in whatever some libc version you would know oh there's a bug that exists somewhere in some code somewhere which may or may not have an exploit because you may not even have to demonstrate that you could control it often times it's enough to just say hey look there's a vulnerability here somebody could do this and then you should let things fix that in that way so that's what we think of when I think of software and security is all the ways that software can work and so software security is super easy right just write perfect software and buy perfect hardware but is this actually enough so let's assume that you could write perfect software like let's say it's easy you could write perfect software you could write through some magic program that can exist but let's assume that it does that says yes this software is 100% secure so is this enough it's a super fast end of the year I can choose all three sometimes the platform on duty softwares maybe that is a problem say it again the platform on duty softwares it's an operating system but I'm awesome I've put in my own operating system that's perfectly secure and I've put in my own firmware that's perfectly secure and I'm running perfectly secure hardware is that enough the users why do I care about the users it's like you can introduce vulnerabilities by doing things incorrectly yeah so you have maybe the admins that they're doing things correctly you have the users themselves what if my users are every user in my system has their password right or if I have a user account admin and my policy says nobody unauthorized should act as my system and that guy just types an admin admin and then gets in the code is 100% correct the code that software is 100% secure but I'm not considering my users in terms of security so is that right well I can actually write software perfectly secure let's say I can write software perfectly secure I can have perfect users but I need to actually configure that software correctly so it's incredible so I'll tell a story back when I was in undergrad I had this website that I was running and I had some problem with some permission issue and it was a Linux machine and I was very new at using Linux it's an operation error so I was like oh I'll just chmod slash 777 which is everything gets all permissions and let me tell you that bug went away everything works perfectly it's like a common refrain is everything works perfectly when it's running as a root and we have all the permissions right but then actually what happened so the finished act is I longed off that machine and I couldn't ssh back into the machine because now my authorized key file in ssh was publicly readable and so I had this file support ticket for like oh my gosh what did you do to this machine I was like I don't know if things weren't working I just like fixed it but if I was running something important on there and my permissions are just all open right that can open up avenues for attack that aren't necessarily in the software itself but because of how the system was configured or administered so it does have some user components right like I probably shouldn't have server so I should have read on there but again it goes to if we assume just our software is in here right we have our operating systems we have the firmware we have the hardware we have all these other pieces that could potentially break and so this is actually important to think about so this is why we have vulnerabilities why vulnerabilities exist yeah so oh yeah perfect hypervisor I think that's the one we just talked about so it's hard to have you know it's kind of actually I think constantly that like what are we doing where this all actually works like I don't know playing still fly when it gets sent around like you all signed up for classes on my system all your information is stored on these databases again everything it's like everything is clearly insecure but it also kind of works somehow so that's nice so how do you develop secure software when we say 100% secure software is impossible should we just give up say time to go home let's just write whatever garbage code we think we should and if it's functional and it works then we just call it a feel a lot easier that way although I wouldn't have a job security wouldn't be interesting so how do we develop secure software so what are some things that we can do identify other things like doing a band test or something like that so we can hire somebody to tell us all the problems in our software we can hire somebody who claims an awful lot of security to find problems so let's say they find five things you fix all those five things is that mean you're secure why not because we don't know because they might not be perfect right so it's an interesting situation right it's because we definitely know we've improved we've gotten more secure than before we did this test but we actually don't have a way to prove that we definitely are really secure right it could be, this company may be terrible but they may be experts in one area but you have a ton of bugs in another area right what are some other ways do I do that? no you do it yeah a static analysis tool a static analysis tool what does that like a winter something that specifically is looking for a security known security a security security yeah so we can buy tools that look at our source code and look for either patterns or the reason about we're trying to analyze the code to say hey there could be a potential vulnerability here and those tools are interesting because depending on the kind that you use some of them can be um you can get one so I can easily write a tool that can find every single vulnerability in your code would you buy that tool why not because it may not work for someone else it might be too old oh it will we'll find all their vulnerabilities in anybody's program in anyone's okay ship it ship it? I'll buy it and once give me one I'll put my bitcoin on super easy you can do this too just print out on line one there's this vulnerability on line two there's this vulnerability the same vulnerability you say there's every vulnerability that exists on every single line and there we go I definitely found all the vulnerabilities in your program what's the problem with that I'll just add it to my list and I'll spit it out too yeah I'm not actually telling you I'm not giving you information I may have found all the vulnerabilities but I gave you so much information but I haven't narrowed it down so there's a lot of false positives where I said there's a vulnerability but it doesn't actually exist right and so yeah so that's it's an interesting thing to think about so static analysis tools can have this problem where they'll say hey there's a vulnerability here and you'll spend an hour investigating and then come to the conclusion that it does not and now you've lost all faith and trust in this tool so you're like why would I ever listen to these reports that just waste my time on them so it's a really interesting trade off the flip side of that is I've built some static analysis tools where I look at the results and it's like this tool is broken this is clearly not a vulnerability and I stared at it for longer and I realized oh my gosh this is correct if you go through these crazy code paths it's actually vulnerable so we can do that so let me talk about spending a bunch of money so we spend a bunch of money so there are various levels of code certification that you go through that you develop engineering process where essentially every code change is like double and triple checked and you have insane amounts of validation and testing but you know how much are you willing to pay for a piece of software you have to be $5, $10 or $5 million or $10 million so it's definitely increasing the cost for some things like airplanes that's worth it or nuclear reactors or something like that but for everyday software that's not always the case so it's important to think about these things so how does software break so this is really going to be the key thing like when you leave this course I want you to be able to look at not just a piece of software but most things and think how does it break so this is kind of developing that tester mindset of how does software break and really we're focused on here is developing not just an average tester like how could this thing break like somebody brought up the thing on a website where you have a drop down list and one of the buttons doesn't work I don't care about that as a security person but what I care about is how can I make that website give me all its usernames and passwords and how can I steal all the credit card information and so this is what you have to develop it's kind of like anyone who got locked out of their house before what's the first thing you start doing trying to break it trying to break it other ways to get in other ways to get in right you start like breaking your own house you start like scheduling the lock like maybe you left the front door unlocked you're on the back maybe you left the back door unlocked you're in the back how close are the trees to my house you can't get to that second story window because I know that the window on the second floor is unlocked in the back of the room so I know if I get up there I can scoot it over pop out the the screen and then get into the house and when you get in it feels awesome and then you think I was working in my house how easy it was back but the problem is you only have this mindset when you're in this situation that demands it and so what this course is about really being good security professionals you need to develop this mindset and that's what we're going to be doing you'll be looking at pieces of software and trying to figure out how can I break this how can I make it do something it's not supposed to do so you need to develop always this questioning and inquisitive mindset of well what if I did this or what if I did this what if I pushed here like you're developing a kind of hypothesis of vulnerabilities you want to think about where does this data go who processes this data I've seen on the web processing vulnerabilities that can come in from a tweet so the company will pull onto their website let's say recently made tweets and so you can actually if you can get your tweet to load there you can get some JavaScript for Ron and I've got to control on their website super crazy to think about because it's not content but you've got to think of what you're going from a key is what assumptions is the system making so what did the developer not think about because there we make assumptions all the time so I was telling Adam and Connor one example of a student who I think it was in this class probably two years ago was like I don't understand my code is 100% correct I'm looking at it it works flawlessly it's a machine that made all these test cases when I submit to your system it says it doesn't pass any test cases this happens a lot by the way and it is never the submission server by the way it's never that environment I think that happens one, I don't know like a thousand times and it's like the first person to submit and so they send me their code and immediately I see what the problem is they're opening a file so you cut open this file and it was slash home slash username whatever so they were making an assumption that they were running on their machine with access to that file but that was not in the description so this is one of these things where you need to constantly be thinking put your mind in the mind of the developer you've written software you know how lazy you could be sometimes it's not a judgment call I'm lazy all the time especially when I'm coding this feature that maybe doesn't understand the security implications I'll go back to submissions so because of you how do you submit this it'll be multiple times, we'll get there we'll get there, don't worry about that so you always want to be thinking and trying to understand what assumption we're made in here and really the big way to do this and to understand this is to get hands on experience of breaking so this is and this is really the key of this course is I can I can stand up here, I can lecture all day I can teach you about various vulnerability classes you can understand them in an intellectual way it's so simple, you just overwrite the safety IP that's on the stack and then I put you in front of a program and go like hey, find the vulnerability here and by the way, write the buffer load that actually exploits that that gives you access and then you have to start dealing with real world problems and that completely changes your mind and your understanding of these vulnerabilities and this is something that I know from talking with students we've gotten back to here, this is something that employers really like too they want security people who can actually do things and not just say, ah yes, I know I can explain buffer overflows or formats or anything but you can really put fingers to keyboard, that's when you can really do it any questions on this stuff this isn't the other class but we've got more go, go, go just in terms of how the lecture is being recorded yes the lecture is not recorded so I should be recording this now I post them all on youtube roughly ish after class I do take a day or so, but I'll try to be quick as I can with that if I have uploaded a lecture just ping me, this is not a guarantee though I do not guarantee because stuff happens sometimes sometimes the audio is really crappy because I'll forget the mic sometimes or sometimes if it crashes halfway through I lose a whole half a lecture I'm not going to redo that so use it really to like the best way probably to be successful as this class is come to class participate in the discussion I try to have a discussion style class don't worry so much about writing out every little thing I say because I will try to record most things and just absorb and participate and I think we'll get a lot out of it that way rather than you can just go be in your home and watch the lectures at 2x speed or whatever that's fine, I mean whatever I mean so do whatever you want yeah, yeah is it the breaking short or the leading? no, we will not be doing anything illegal in this course I think it's because I'm going to talk about people who live in jail here so that's a good lead in so history, so we got to this is you know career science and career security it wasn't established in the 1500s so the history is relatively short I think it's important to appreciate and understand the history to put things in a historical context so you can understand the evolution of not only famous security problems but also people that were involved and the history and we'll take this approach to other aspects to look at historical attacks and vulnerabilities because we're trying to get out of them what are the trends here so the internet does anybody not use the internet today are some of you using the internet right now? yes right I would actually be, does anyone genuinely feel like they did not use the internet at all today I think it's possible but highly unlikely so yeah, so the internet we're going to study, look at all the protocols essentially a network of networks it's insane so I'm going to go fast on this because I want to get into some meat and it's critical to our lives, I think we can all agree on that right so the internet, if you are not aware was started by DARPA so this is actually one of the big claims to things obviously of DARPA one of the most successful projects that they've ever done and this is a good kind of advertisement for why research is important they didn't know they were going to be creating this communication infrastructure that was going to completely change the way we live our lives, but they did it's really cool that it came from that so the first four nodes in 1969 was UCLA UCSB, Stanford Research Institute and they added one more why do you think they added one more, put yourself in the program and your shoes at DARPA you're going to fund some kind of weird networking thing that you don't really understand what it's going to be all this crazy stuff why would you add a fourth one because think about a network of at least three people but why did a fourth one just complicate things redundancy redundancy redundancy, no, that they were thinking about making it work yeah well what was that? is it back though? yes, they wanted one outside that was political basically they wanted to say that they're funding people not all California so at least that's the story that occurred I think it makes a lot of sense there's actually the napkin a picture of the napkin where the first architecture of the internet was laid out so yeah, UCSB my alma mater is here which is pretty cool and yes, because you can think about it and just put it off to Utah although you do have interesting things here when SRI has choices of where they want things to go, so that does actually make it interesting rather than just the triangle so yeah, so this is it's literally insane to think about it came just from these four places and it was based on NCP which we're not going to go into too much transitioning to the TCP that we know and love now in 1983 the mill net, so the military network is actually a completely separate network from the current internet this is an incredibly important thing I love this little fact that NSF created this crazy super computer network supported by a backbone of 56 kilobits per second but that must have seemed like insanely fast so the 90s and the 2000s, what was the big game here what was that but who said that now yeah, WWW the World Wide Web so before this is actually another important thing to part of jargon to make sure when you're talking about the internet as a whole the internet, the interconnected series of networks and the World Wide Web there are actually separate things the web is just one of the protocols that run on top of the internet in addition other protocols that existed before like FTP and email pre-gates of the web all these kind of things and this is when things started to explode and go crazy and this is when the internet came to something that weird academics used to send us other emails on a computer terminal like who would ever want to do that as part of their everyday lives to this insane thing that we all use and use everyday we think about 1991 by the end of the 90s we had the first dot com bubble and it literally now search members really created the first version of the World Wide Web search and it got crazy from there so we can look at like these are growth numbers from 99 to 2015 of what are these the number of websites, the number of sites on the web how it's growing over time this is a I think it's websites like a crawl of just websites this isn't even users so users probably growing much faster than the number of servers and this is like a graphic of all of that doesn't show up very well it's just really complicated and cool all these networks talking to each other and you can pull up all kinds of ridiculous facts about how big the internet is I mean even Facebook itself when you think about that more than a million active users in a month or something crazy like that that's just this is from 1991 like literally it was nothing until 1991 so yeah I love thinking about that so going into security so you can actually trace the origins of modern computer security to Captain Crunch boxes so sorry the reason is so it started with what we now call phone freaking so I know it's crazy to think about that back in the day you actually had to pay like per phone call and it was pretty expensive it wasn't just like you have unlimited calls although we've had that now and nobody calls anybody they just text but it turns out that phone line so for you to make like an international call was a lot of money you're paying per minute a lot of money to make a phone call so what some enterprising people found out is that the way that they phone network like your terminal like your literal telephone would talk to other like the switches at the network was be through sounds over that same channel so and what John Draper so he's his nickname is Captain Crunch he found out that this whistle that came as like a free thing in these Captain Crunch cereal boxes would blow and exactly that frequency of 2600 and so he could use that you would open the phone call you blow and that would be the signal for the terminal to tell the switch that this is like a free like the internet the calls been paid for and so you could use that to make free phone calls and this is on AT&T I believe yeah it must have been in the monopoly date so they owned basically the entire phone network and so this is when phone freaking was born so he built this blue box and it turns out 2600 wasn't the only frequency so what these people did is they essentially reverse engineered the phone system completely on the outside messing with and playing with all these audio frequencies to figure out how to how to figure out the different tones to make to do different things so not only could you do different like make phone calls for free which is like practically interesting but you could like wrap your call from a machine to like a machine in Russia to a switch in Russia to a switch over here like you could tell it how to route your call and do all kinds of crazy stuff and he was eventually sentenced to five years probation for going fraud and this story is actually really sad you can look it up if you're interested but he was eventually caught and he's for perpetuating fraud against the telephone systems and so you know we this is really interesting because this led to the birth of kind of bottom acting right it's all about people exploring systems and using knowledge in order to do things that the system wasn't authorized to do what we're not supposed to do yeah what they acted the same way he didn't get it yes was had a lot of weird stuff with phone networks like he had built a joke a day box like a phone box we could call into it and give out jokes and that's right yeah he built the box too interesting I think I don't know I'm not a lawyer by the way started this but I think building the box is probably not illegal it's just a tool that makes noises maybe I don't know how much persuasion you have over the lobby but he definitely used it illegally and so I think that was more of what came there so and really this is going to be a a theme over and when I think about security security is not like this magical domain of crazy hackers who just like are brilliant and just look at something and be like aha it's broken here just type this and it's done it's a lot of hard work but more than that it's about just knowledge like you just understand how all these layers work and you can use that knowledge to make a system do something that wasn't supposed to do and that's really all it is at the end of the day so this is actually why I love security because it's about knowledge and so literally anyone can do this all of you have the potential for security inside you because you need to put in the time of that work and it will be awesome so in the early days of the ARPANET there was RFC number 602 what's an RFC the question for comments what actually is it so for protocol it has all the information it even has like the information yeah it's used to kind of it's usually offered proposed new protocols I think it's the Internet Engineering Task Force manages the RFCs but I don't know if that's correct so it is I appreciate that so but it's also there's really funny RFCs so there's an RFC for transmitting TCPIP packets over pigeons like a pigeon net and so Bob Metcalf wrote this thing called the stockings were hung by the chimney with care so it's super interesting because you already see some of the seeds back here in 1973 about what the potential problems could be here so I'll read some of this so individual sites used to physical limitations on machine access have not yet taken sufficient precautions towards securing their systems against unauthorized remote use sounds really this happens all the time as people don't think that they're now connected to the internet where literally any long earth can attack their machine right we're used to thinking about it's very natural to think about in terms of our physical security that doesn't necessarily exist on the net for example many people still use passwords that are easy to guess wow are easy to guess passwords still a problem yes literally everywhere yes okay so tip so tip is access over the phone networks tip allows access to our internet to a much wider audience than it's thought more intended actually right around this time so in so Dick Kemmer who is now an emeritus professor at UC San Marga he was actually around right when they were doing all this this in the early stages of the internet and he actually has a phone book I believe it was mid late 70s of the internet and it's literally like here's this IP address is administered by this person and this is their phone number and how to contact them and it's only this day literally everyone who was using the internet at that time was known to everyone else but now here they introduced new interesting features that give people access that they didn't think about beforehand the TIP requires no user identification before getting service how important and thus many people including those who used to spend their time ripping off mobile this is the phone freakers the people who so this is literally he's stating people transition from learning how to have a phone network to have a computer systems give access to our stockings in the most anonymous way there is lingering affection for the challenge of breaking someone's system this affection lingers despite the fact that everyone knows that it's easy to break systems even easier to crash them there's actually still a I think the thing here that's really persistent is this part at the end like denial of service and availability attacks are usually super lame because that's really easy to take a system down what's more interesting is how to take it over and exploit it and I'd say now it's changed where it's actually much cooler to break things because of how secure things have gotten we think about it, it's like it'd be like going to a town and being like the best thief in the world because everyone leaves their door like they don't even have doors like everyone just has an open square that you just walk into and take everything you want not super awesome at that point modern vulnerabilities are pretty awesome and require a huge depth of knowledge all of this would be quite humorous and cause for a raucous eye-winking and elbow-nudging if it weren't for the fact that in recent weeks at least two major servings were crashed under suspicious circumstances by people who knew what they were risking and yet a third system so it crashes again being a problem a third system, the system wheel password which is like the root password or the admin password by two high school students in Los Angeles no less so the kids are not going to do the hack systems we suspect that the number of dangerous security violations is larger than any of us know is growing right so here this is actually a key thing of that actually these are only cases that have been found and reported right this is a classic security problem where yes if you find an intrusion and report it you've found and done something but what about like we talked about a pen test what about the things they didn't find outside your network that you don't know about right so I deep you know probably this number is much larger and we're advised not to just sit here and do nothing so the next super interesting thing was the German hacker incident which is probably a super cool name this would make for a good movie I think if they could figure this out so Cliff Stoll was a system admin at Lawrence Berkeley Laboratories or yeah in August of 1986 he's not a computer person he's not a computer scientist in the traditional sense he was not a security person because that term didn't really exist yet he was just a physics student who wanted to do physics work and he was tasked with admitting their name frame that charged people for how much they used the system and on his first day think about this like this you can see how like the start of this the German hacker incident he started on his very first day he looked at the accounting and found out that they were missing and even though this was in 1986 I still don't think 75 cents was a lot of money back then right so he started looking at this and he started to say like wow we used this much CPU but we only charged like this much with that gap being 75 cents for worth of time so I'm sure many of us I probably would be the same be like oh that's weird like whatever I haven't worked retail is this enough like cause problems if you're till the short 75 cents no? yeah I would think that's like a random term to be fine but who knows so he dug in and this is where things got interesting he found that an account had been created with no billing address what? more investigation basically identified the presence of an intruder so they ended up finding that somebody was inside their systems and then at this point he freaks out contacts FBI all these agencies they basically say yeah go ahead do whatever you could do to find out more information so he developed like a way to tap and see when people were calling in to see like the commands that they were running on the system in real time so the hacker gained, I'm skipping over the technical details but basically founded vulnerability in their send mail program and used that to gain access and created accounts fake accounts backdoor programs he connected through there to the mail net so they were doing they were connected to the military network they searched military sites and databases for keywords such as SDI the strategic defense initiative stealth, sac, the strategic aircraft nuclear and NORRAP and this is at the point where you're calling in now this is clearly not somebody who's just stealing computer time he called the FBI and they were actually able to trace this call so it came, they were calling from a phone line they traced that call of the help of AT&T back to Hanover in Germany and this actually ended, they actually arrested the person responsible for this in 1989 who apparently worked for the Eastern Bloc and he was sentenced to a year in eight months probation and other people were actually found tied up in this if it sounds like a super interesting story and it is there is a book called The Cruising that Cliff Stoll wrote that is freaking amazing I love creating this book and it's still interestingly technical and I think it's a UNIX system so the things are kind of familiar and it explains it he talks about this whole process and how they found out and how they traced it back and it gives a really interesting idea in kind of the first days of security of the web which led then to the internet war internet war was released on 1988 which was by RTM Robert Tappet Morris who's now I believe still a professor he's a professor at MIT I believe and this wouldn't have been such a big deal except there was a mistake in the replication process so basically this worm would scan for other computers on the local and outside networks it would identify if they had a vulnerable version of vulnerabilities that would try it would try those vulnerabilities that would get into the machine and then it was supposed to check if this machine already infected and then stop and then if it wasn't infected it would replicate copy itself over there compile it and run it on that machine which would scan other machines so you can see it spreads in this virus like manner the problem is that this detection mechanism of is it running was broken exploited again and again and again slowing down your system and grinding things to a halt the internet literally had to be turned off so they had to coordinate with each other call everyone shut off the internet, patch all their systems and turn it back on because you couldn't even patch the system because it was getting so many calls and things were running like it was crazy he was sentenced to 3 years probation $10,000 fine and 400 hours of community service and I believe his dad was maybe I should say that you can look up this story because I don't want to say that's false so they actually the computer emergency response team CERT they were seeing vulnerability notifications through CERT they came out of this and so super interesting they had a main program and a bootstrap program it first used a buffer overflow in the finger program which I'm going to show you the code for you'll know how to exploit this type of vulnerability in the future and the send mail program had a debug option that allows somebody to specify a command to run on that system literally when you're backdoor in the debugging functionality so this goes back to somebody's comment about user functionality and user experience versus security it would be awesome to have a debug way if you're debugging some server, why is it working? we'll just run this command so transfer literally a C program because not every system was the same architecture so transfer a C program compile it, run it, and then transfer other versions I'm going to skip over this a little bit but I basically tried to look for every single host that was known to this machine to propagate you can read kind of a history here and it is really good ah I'm going to finish it Kevin Mitnick is one of the most famous hackers he was hacking from a young age broken into several different things he actually then after all of this was wanted by the FBI or by the US Marshals he was one of America's most wanted for computer stuff or he was into kind of creating fake identities and he went underground he finally was released from prison after five years and when he could not connect to the internet more recently Albert Gonzalez I love this story so he he and his crew used a web vulnerability SQL injection to steal credit cards in total they stole 170 billion credit cards he was responsible for David Russier's breach in 2008 the TJ Maxx in 2008 hard net payment systems which literally managed credit card transactions you'd scan a credit card some of them would go to hard net payment systems and they got into their systems and basically just wrote something to collect all these numbers and siphoned them back and he in March 25, 2010 was sentenced to 20 years in federal prison which is a long time and so this actually I like this story because not only were they like hackers super in the underground Rolling Stone wrote this really great article about them this would also probably make a cool movie of the fast times and hard fall of the green hat gang they apparently did a lot of drugs along with their hacking exploits so they would have hacked huge drugs party with all the same money that they have like I don't know it's like insane reading about all of their crazy stuff that they got into so some other interesting things this is a great so this is a former this person was a former employee of the company that ran a sewage systems in Australia he got fired and they did not terminate his access so he caused raw sewage to overflow in all their sewage systems and literally it was like flooding the coasts and like yeah thousands you know actually this is kind of sad I mean it's funny and also sad like marine life died really terrible and so he was sentenced to two years in prison all kinds of crazy words and stuff that all ended badly so