The lectures and readings listed here are subject to change, including in response to current events (e.g., major news items). The most important readings for each lecture are shown in boldface.

Tuesday, January 17
Readings:
  • Bellovin, Chaps 1–3.
  • “Defining Security”, via Courseworks
Thursday, January 19
Readings:
  • Bellovin, Chapter 7.
  • Lorrie Cranor. Time to rethink mandatory password changes. Tech@FTC blog, March 2, 2016. LINK.
  • Yinqian Zhang, Fabian Monrose, and Michael K. Reiter. The security of modern password expiration: an algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, 176–186. New York, NY, USA, 2010. ACM. LINK, doi:http://doi.acm.org/10.1145/1866307.1866328.
  • Andy Greenberg. So hey you should stop using texts for two-factor authentication. Wired, June 26, 2016. LINK.
  • Brian Krebs. The limits of SMS for 2-factor authentication. Krebs on Security, September 16, 2016. LINK.
  • Robert H. Morris and Ken Thompson. Unix password security. Communications of the ACM, 22(11):594, November 1979. LINK. Very important to read!
  • Daniel Terdiman. Google security exec: 'passwords are dead'. CNET, September 10, 2013. LINK.
  • Sampath Srinivas, Dirk Balfanz, Eric Tiffany, and Alexei Czeskis. Universal 2nd factor (U2F) overview. FIDO Alliance Proposed Standard, April 11, 2017. LINK.
  • Salah Machani, Rob Philpott, Sampath Srinivas, John Kemp, and Jeff Hodges. FIDO UAF architectural overview. FIDO Alliance Proposed Standard, October 20, 2020. LINK.
  • Dan Goodin. Passkeys—Microsoft, Apple, and Google's password killer—are finally here. Ars Technica, October 25, 2022. LINK.
  • Ron Amadeo. RIP passwords? Passkey support rolls out to Chrome stable. Ars Technica, December 09, 2022. LINK.
  • Brian Krebs. Hackers claim they breached T-Mobile more than 100 times in 2022. Krebs on Security, February 28, 2023. LINK.
  • Dr. Fun
  • Dilbert
  • Dilbert
  • Dilbert
  • Dilbert
  • User Friendly
Optional:
  • Rolf Lindemann. FIDO security reference. FIDO Alliance Proposed Standard, April 11, 2017. LINK.
Tuesday, January 24
Readings:
  • Bellovin, Chapter 7.
  • Wesley Hilliard. LastPass denies claims that master passwords may have been compromised. Apple Insider, December 28, 2021. LINK.
  • Dan Goodin. LastPass users: your info and password vault data are now in hackers' hands. Ars Technica, December 22, 2022. LINK.
  • Gabor Angyal. Unusual attempted login activity: how LastPass protects you. LastPass Security News Blog, December 28, 2021. LINK.
  • Jeffrey Goldberg. Secret Key: what is it, and how does it protect you? 1Password Blog, December 6, 2021. LINK.
Thursday, January 26
Readings:
  • Bellovin, Chapter 7.6.
  • Ross Anderson. Security Engineering. John Wiley & Sons, Inc., Indianapolis, IN, second edition, 2008. LINK, Chapter 15.
  • Stephen T. Kent and Lynette I. Millett, editors. Who Goes There? Authentication Through the Lens of Privacy. National Academies Press, 2003. LINK, Chapter 5.
  • Kim Zetter. German hackers say they cracked iPhone's new fingerprint scanner. Wired: Threat Level, September 23, 2013. LINK.
  • Alex Hern. Hacker fakes German minister's fingerprints using photos of her hands. The Guardian, December 30, 2014. LINK.
  • Karen Shonesy. Security risk: automated voice imitation can fool humans and machines. Science Daily, September 26, 2015. LINK.
  • Craig Watson, Gregory Fiumara, Elham Tabassi, Su Lan Cheng, Patricia Flanagan, and Wayne Salamon. Fingerprint vendor technology evaluation. NISTIR 8034, NIST, December 2014. LINK, Executive Summary.
  • Patrick Grother, Mei Ngan, and Kayee Hanaoka. Face recognition vendor test (FRVT) part 2: identification. NISTIR 8271, NIST, September 11, 2019. LINK, Executive Summary; Figures 9-16.
  • NIST. NIST study evaluates effects of race, age, sex on face recognition software. December 19, 2019. LINK.
  • Sean Gallagher. London to deploy live facial recognition to find wanted faces in crowd. Ars Technica, January 28, 2020. LINK.
  • Dan Goodin. Hackers say they broke Apple's Face ID. Here's why we're not convinced. Ars Technica, November 13, 2017. LINK.
  • Apple Support. About Face ID advanced technology. January 14, 2020. LINK.
  • Ron Amadeo. Anyone can fingerprint unlock a Galaxy S10—just grab a clear phone case. Ars Technica, October 17, 2019. LINK.
  • Jose Pagliery. iPhone encryption stops FBI, but not this 7-year-old. CNN, December 1, 2014. LINK.
  • Marc Prosser. 3D printed heads can unlock phones. What does that mean for biometric security? SingularityHub, January 7, 2019. LINK.
  • NSTC. Fingerprint recognition. National Science and Technology Council, Committee on Technology, 2013. LINK.
  • Kashmir Hill and Corey Kilgannon. Madison Square Garden uses facial recognition to ban its owner's enemies. New York Times, December 22, 2022. LINK.
  • Why the iPhone's fingerprint sensor is better than the ones on older laptops, Y. Narasimhulu (blog).
Tuesday, January 31
Readings:
  • Bellovin, Chapter 8.
  • Ross Anderson. Security Engineering. John Wiley & Sons, Inc., Indianapolis, IN, second edition, 2008. LINK, Section 21.4.5.7.
  • Dennis Fisher. Final report on DigiNotar hack shows total compromise of CA servers. Threatpost, October 31, 2012. LINK.
  • Kim Zetter. Meet “Flame,” the massive spy malware infiltrating Iranian computers. Wired, May 28, 2012. LINK.
  • Dan Goodin. Crypto breakthrough shows Flame was designed by world-class scientists. Ars Technica, June 7, 2012. LINK.
  • Brian Fonseca. VeriSign issues false Microsoft digital certificates. ITWorld, 2001. LINK.
  • Zack Whittaker. Hackers are selling legitimate code-signing certificates to evade malware detection. ZDnet, February 22, 2018. LINK.
  • Sean Gallagher. Patch Windows 10 and Server now because certificate validation is broken. Ars Technica, January 14, 2020. LINK.
  • Yiming Zhang. Investigating hidden root certificates in the wild. APNIC blog, January 21, 2022. LINK.
  • InCommon Certificate Practices Statement
  • InCommon Relying Party Agreement
  • Columbia CS Department certificate
  • Columbia University certificate
Thursday, February 02
Readings:
  • Federal Trade Commission. Twitter settles charges that it failed to protect consumers' personal information; company will establish independently audited information security program. June 24, 2010. LINK.
  • Andrew Hutchinson. Login details of 32 million Twitter accounts leaked online—time to update your password. Social Media Today, June 9, 2016. LINK.
  • John Philips. 7 examples of what happens when your Twitter account is hacked. Jeff Bullas (blog), July 11, 2013. LINK.
  • Troy Hunt. Beyond passwords: 2FA, U2F and Google Advanced Protection. Troy Hunt (blog), November 15, 2018. LINK.
  • Mat Honan. How Apple and Amazon security flaws led to my epic hacking. Wired, August 6, 2012. LINK.
  • Abdi Latif Dahir. Kenya's new digital IDs may exclude millions of minorities. New York Times, January 29, 2020. LINK.
  • Abdi Latif Dahir and Carlos Mureithi. Kenya's high court delays national biometric id program. New York Times, January 31, 2020. LINK.
  • Shalanda D. Young. Moving the U.S. government toward zero trust cybersecurity principles. Executive Office of the President, Office of Management and Budget, January 26, 2022. M-22-09. LINK, Section III.A.
Tuesday, February 07
Readings:
  • Bellovin, Chapter 4.
  • Fred Cohen. Computer viruses—theory and experiments. In DOD/NBS 7th Conference on Computer Security. 1984. LINK.
  • Ken Thompson. Reflections on trusting trust. Communications of the ACM, 27(8):761–763, August 1984.
  • Tom Duff. Experiences with viruses on UNIX systems. Computer Systems, 2(2):155–171, Spring 1989. LINK.
  • M. W. Eichin and J. A. Rochlis. With microscope and tweezers: an analysis of the Internet virus of November 1988. In Proc. IEEE Symposium on Research in Security and Privacy, 326–345. Oakland, CA, May 1989. LINK.
  • John F. Shoch and Jon A. Hupp. The “worm” programs—early experience with a distributed computation. Commun. ACM, 25(3):172–180, March 1982. LINK, doi:10.1145/358453.358455.
  • Timothy B. Lee. How a grad student trying to build the first botnet brought the Internet to its knees. Washington Post, November 1, 2013. LINK.
  • Joris Evers. Tool turns unsuspecting surfers into hacking help. CNET, March 21, 2007. LINK.
  • Joris Evers. JavaScript opens doors to browser-based attacks. CNET, July 31, 2006. LINK.
  • Nicolas Falliere, Liam O Murchu, and Eric Chien. W32.Stuxnet dossier. Symantec Security Response, February 2011. Version 1.4. LINK.
  • Catalin Cimpanu. New Ramsay malware can steal sensitive documents from air-gapped networks. ZDnet, May 13, 2020. LINK.
  • Kim Zetter and Huib Modderkolk. Revealed: how a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran. Yahoo, September 2, 2019. LINK.
  • Sergiu Gatlan. Microsoft plans to kill malware delivery via Office macros. Bleeping Computer, February 7, 2022. LINK.
  • Recreating the Trojan Horse?
  • PandaLabs detected more than 21 million new threats, Panda Security, September 15, 2015.
  • Oldest known depiction of the Trojan Horse, from the "Vase of Mykonos", almost 2700 years old
  • Bad flash drive caused worst U.S. military breach
Optional:
  • Ignacio Sanmillan. Ramsay: a cyber‑espionage toolkit tailored for air‑gapped networks. We Live Security, May 13, 2020. LINK.
  • Kim Zetter. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. Crown Publishers, New York, 2014. The best single reference on Stuxnet.
Thursday, February 09
Readings:
  • Katie Benner. U.S. charges Chinese military officers in 2017 Equifax hacking. New York Times, February 10, 2020. LINK.
  • Paul Mozur. With harsh words, China's military denies it hacked Equifax. New York Times, February 13, 2020. LINK.
  • Jon Brodkin. Huawei fires back, points to US' history of spying on phone networks. Ars Technica, February 13, 2020. LINK.
  • Greg Miller. “The intelligence coup of the century”. Washington Post, February 11, 2020. LINK.
  • Bellovin, Section 17.4.
  • Dan Geer. Von Neumann's monster. Speech, February 7, 2020. LINK.
  • Eyal Ronen, Colin O'Flynn, Adi Shamir, and Achi-Or Weingarten. IoT goes nuclear: creating a ZigBee chain reaction. 2016. LINK.
  • Yossef Oren and Angelos D. Keromytis. From the aether to the Ethernet—attacking the Internet using broadcast digital television. In 23rd USENIX Security Symposium (USENIX Security 14), 353–368. San Diego, CA, August 2014. USENIX Association. LINK.
  • Brian Krebs. IoT device maker vows product recall, legal action against Western accusers. Krebs on Security, October 16, 2016. LINK.
  • Brian Krebs. Hacked cameras, DVRs powered today's massive internet outage. Krebs on Security, October 16, 2016. LINK.
  • Elie Bursztein. Inside the infamous Mirai IoT botnet: a retrospective analysis. Cloudflare Blog, December 14, 2017. LINK.
  • Paul Roberts. Blade Runner redux: do embedded systems need a time to die? Security Ledger, May 13, 2014. LINK.
  • SCS computing facilities support lifecycle guide. December 16, 2019. LINK.
  • Martim Lobao. Android versus iOS software updates revisited: two years later and not much has changed. Android Police, November 2, 2017. LINK.
  • Updated: how to: reset C by GE light bulbs. January 3, 2019. LINK.
  • Frank Stajano and Ross Anderson. The resurrecting duckling: security issues for ad-hoc wireless networks. In International workshop on security protocols, 172–182. Springer, 1999. LINK.
  • Sean Gallagher. Unpatchable bug in millions of iOS devices exploited, developer claims. Ars Technica, September 27, 2019. LINK.
  • Jonathan M. Gitlin. Driver stranded after connected rental car can't call home. Ars Technica, February 18, 2020. LINK.
  • Cybersecurity and Infrastructure Security Agency. Ransomware impacting pipeline operations. Alert AA20-049A, CISA, February 18, 2020. LINK.
  • Kevin Purdy. Appliance makers sad that 50% of customers won't connect smart appliances. Ars Technica, January 24, 2023. LINK.
Optional:
  • Andy Greenberg. Sandworm. Doubleday, New York, 2019.
Tuesday, February 14

Readings:
  • Ivan Krstić. Behind the scenes with iOS security. In Black Hat. 2016. LINK.
  • Ms. Smith. Report: over 80% mobile apps have crypto flaws, 4 of 5 web apps fail OWASP security. NetworkWorld, December 6, 2015. LINK.
  • Jon Oberheide and Farnam Jahanian. When mobile is harder than fixed (and vice versa): demystifying security challenges in mobile environments. In Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications, HotMobile '10, 43–48. New York, NY, USA, 2010. ACM. LINK, doi:10.1145/1734583.1734595.
  • M. Becher, F. C. Freiling, J. Hoffmann, T. Holz, S. Uellenbeck, and C. Wolf. Mobile security catching up? Revealing the nuts and bolts of the security of mobile devices. In 2011 IEEE Symposium on Security and Privacy, 96–111. May 2011. doi:10.1109/SP.2011.29.
  • Matthew Green. Why can't Apple decrypt your iPhone? A Few Thoughts on Cryptographic Engineering, October 4, 2014. LINK.
  • Kim Zetter. “Sloppy” mobile voting app used in four states has “elementary” security flaws. Vice Motherboard, February 13, 2020. LINK.
  • Carnegie Foundation. Moving the encryption policy conversation forward. September 2019. LINK.
  • Adam J Aviv, Katherine L Gibson, Evan Mossop, Matt Blaze, and Jonathan M Smith. Smudge attacks on smartphone touch screens. Woot, 10:1–7, 2010. LINK.
  • Sergei Skorobogatov. The bumpy road towards iPhone 5c NAND mirroring. In HardwearIO. Hague, Netherlands, September 2017. LINK.
  • Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, and Matthew Smith. Why Eve and Mallory love Android: an analysis of Android SSL (in)security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, 50–61. New York, NY, USA, 2012. Association for Computing Machinery. LINK, doi:10.1145/2382196.2382205.
  • Gillian Cleary. Mobile privacy: what do your apps know about you? Symantec Threat Intelligence (blog), August 16, 2018. LINK.
  • Aaron Krolik. Your apps know where you were last night, and they're not keeping it secret. New York Times, December 10, 2018. LINK.
  • Logan Koepke, Emma Weil, Urmila Janardan, Tinuola Dada, and Harlan Yu. Mass extraction: the widespread power of U.S. law enforcement to search mobile phones. Upturn, October 2020. LINK.
  • Jessica Lyons Hardcastle. US border cops harvest info from citizens' phones, build massive database. The Register, September 15, 2022. LINK.
  • Tripp Mickle. Apple details plans to beef up encryption of data in its iCloud. New York Times, December 7, 2022. LINK.
Skim:
  • Apple. Apple platform security. Fall 2019. LINK.
Thursday, February 16
Readings:
  • Stephen T. Kent and Lynette I. Millett, editors. Who Goes There? Authentication Through the Lens of Privacy. National Academies Press, 2003. LINK, Chapters 3-4.
  • Merritt Baer and Chinmayi Sharma. What cybersecurity standard will a judge use in Equifax breach suits? Lawfare, 2017. LINK.
  • Tara Siegel Bernard. Equifax breach affected 147 million, but most sit out settlement. New York Times, January 22, 2020. LINK.
  • Kim Zetter. Sarah Palin e-mail hacker sentenced to 1 year in custody. Wired: Threat Level, November 12, 2010. LINK.
  • T. Narten, R. Draves, and S. Krishnan. Privacy Extensions for Stateless Address Autoconfiguration in IPv6. RFC 4941, RFC Editor, September 2007. LINK.
  • Office of the Privacy Commissioner of Canada and Office of the Information and Privacy Commissioner of Alberta. Report of an investigation into the security, collection and retention of personal information. September 25, 2007. PIPEDA Report of Findings #2007-389. LINK.
  • Peter Eckersley. How unique is your web browser? In International Symposium on Privacy Enhancing Technologies Symposium (PETS), 1–18. Springer, 2010. LINK.
  • Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: the second-generation onion router. In Proceedings of the 13th USENIX Security Symposium. August 2004. LINK.
  • Quinn Emanuel Urquhart & Sullivan, LLP. Private data breach litigation comes of age. JD Supra, February 13, 2023. LINK.
  • Mapping Data Flows
  • Dr. Fun
Very optional:
  • Secretary's Advisory Committee on Automated Personal Data Systems. Records, Computers, and the Rights of Citizens. DHEW Publication, no. (OS) 73-94. United States Department of Health, Education, and Welfare, 1973. LINK.
Tuesday, February 21
Readings:
  • Bellovin, Chapter 14.
  • Alma Whitten and J.D. Tygar. Why Johnny can't encrypt: a usability evaluation of PGP 5.0. In Proceedings of Usenix Security Symposium. 1999. LINK.
  • Michelle Madejski, Maritza Johnson, and Steven M. Bellovin. A study of privacy setting errors in an online social network. In Proceedings of SESOC 2012. 2012. LINK.
  • Y. Acar, S. Fahl, and M. L. Mazurek. You are not your developer, either: a research agenda for usable security and privacy research beyond end users. In 2016 IEEE Cybersecurity Development (SecDev), 3–8. Nov 2016. doi:10.1109/SecDev.2016.013.
  • Paul Stepahin. We got phished. Exploratorium Tangents (blog), October 20, 2016. LINK.
  • Ian Barker. American Express customers phished using phishing prevention scam. Betanews, September 14, 2016. LINK.
  • Lorenzo Franceschi-Bicchierai. How hackers broke into John Podesta and Colin Powell's Gmail accounts. Motherboard, October 20, 2016. LINK.
  • Anne Adams and Martina Angela Sasse. Users are not the enemy. Commun. ACM, 42(12):40–46, December 1999. LINK, doi:10.1145/322796.322806.
  • Lorrie Faith Cranor. A framework for reasoning about the human in the loop. In Usability Psychology and Security Workshop. 2008. LINK.
Thursday, February 23
Readings:
  • Edsger W Dijkstra. The humble programmer. Communications of the ACM, 15(10):859–866, 1972. LINK.
  • Steven M. Bellovin. Attack surfaces. IEEE Security Privacy, 14(3):88–88, May 2016. doi:10.1109/MSP.2016.55.
  • Michael Howard, Jon Pincus, and Jeannette M. Wing. Measuring relative attack surfaces. In D.T. Lee, S.P. Shieh, and J.D. Tygar, editors, Computer Security in the 21st Century, pages 109–137. Springer US, 2005. LINK, doi:10.1007/0-387-24006-3_8.
  • Helen J. Wang, Chris Grier, Alex Moshchuk, Samuel T. King, Piali Choudhury, and Herman Venter. The multi-principal OS construction of the Gazelle web browser. In Proc. USENIX Security Symposium. 2009. LINK.
Tuesday, February 28
Thursday, March 02
Readings:
  • Bellovin, Chapter 9; Section 10.3; Section 17.3.
  • Larry Seltzer. NFC phone hacking and other mobile attacks. Information Week, July 25, 2012. LINK.
  • Zak Doffman. New Google Android threat: NFC exposes devices to malware attack—update settings now. Forbes, November 2, 2019. LINK.
  • K. Haataja and P. Toivanen. Two practical man-in-the-middle attacks on Bluetooth secure simple pairing and countermeasures. IEEE Transactions on Wireless Communications, 9(1):384–392, January 2010. doi:10.1109/TWC.2010.01.090935.
  • Thomas Brewster. Update your iPhones and Androids now if you don't want your Bluetooth hacked. Forbes, July 24, 2018. LINK.
  • Ben Seri and Gregory Vishnepolsky. Blueborne. Armis, 2017. LINK.
  • Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting mobile communications: the insecurity of 802.11. In Proceedings of MOBICOM 2001. July 2001. LINK.
  • Adam Stubblefield, John Ioannidis, and Aviel D. Rubin. Using the Fluhrer, Mantin, and Shamir attack to break WEP. In Proceedings of the 2002 Network and Distributed Systems Security Symposium, 17–22. San Diego, CA, February 2002. LINK, skim.
  • Andy Greenberg. Hackers remotely kill a Jeep on the highway—with me in it. Wired, July 21, 2015. LINK, focus on the Sprint parts.
  • Threat Lab. Gotta catch 'em all. EFF White Paper, July 1, 2019. LINK.
  • Dan Goodin. Flaw in billions of Wi-Fi devices left communications open to eavesdropping. Ars Technica, February 26, 2020. LINK.
Tuesday, March 07

Readings:
  • Satoshi Nakamoto. Bitcoin: a peer-to-peer electronic cash system. 2009. LINK.
  • Timothy B. Lee. Want to really understand how Bitcoin works? Here's a gentle primer. Ars Technica, December 15, 2017. LINK.
  • Sarah Meiklejohn, Marjori Pomarole, Grant Jordan, Kirill Levchenko, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. A fistful of bitcoins. In Proceedings of the 2013 conference on Internet measurement conference. ACM, October 2013. LINK, doi:10.1145/2504730.2504747.
  • Dylan Yaga, Peter Mell, Nik Roby, and Karen Scarfone. Blockchain technology overview. NISTIR 8202, National Institute of Standards and Technology (NIST), October 2018. LINK.
  • Dan Goodin. Almost $500,000 in Ethereum Classic coin stolen by forking its blockchain. Ars Technica, January 08, 2019. LINK.
  • Timothy B. Lee. Blockchain-based elections would be a disaster for democracy. Ars Technica, November 06, 2018. LINK.
  • Dan Goodin. Crypto flaws in blockchain Android app sent Bitcoins to the wrong address. Ars Technica, May 29, 2015. LINK.
  • Timothy B. Lee. A brief history of Bitcoin hacks and frauds. Ars Technica, December 05, 2017. LINK.
  • Kate Rooney. $1.1 billion in cryptocurrency has been stolen this year, and it was apparently easy to do. CNBC, June 7, 2018. LINK.
  • Steven M. Bellovin. Bitcoin—the Andromeda Strain of computer science research. SMBlog: Steve Bellovin's Blog (blog), December 30, 2017. LINK.
  • Matthew Leising. The Ether thief. Bloomberg, June 13, 2017. LINK.
  • Cecille De Jesus. The DAO heist undone: 97% of ETH holders vote for the hard fork. Futurism, July 19, 2016. LINK.
  • IBM Blockchain Pulse. Building enterprise blockchains that stand for good: 5 principles for blockchain. Blockchain Pulse: IBM Blockchain Blog, May 13, 2019. LINK.
  • Jordan Tuwiner. Best bitcoin & cryptocurrency wallets. Buy Bitcoin Worldwide, December 20, 2019. LINK.
  • Joeri Cant. Chinese Bitcoin miners pressured to scale down due to electricity shortages. Cointelegraph, December 30, 2019. LINK.
  • Stan Schroeder. Wallet bug freezes more than $150 million worth of Ethereum. Mashable, November 8, 2017. LINK.
  • James Vincent. Bitcoin consumes more energy than Switzerland, according to new estimate. Verge, July 4, 2019. LINK.
  • Aseeb Qureshi. A hacker stole $31m of Ether — how it happened, and what it means for Ethereum. freeCodeCamp, July 20, 2017. LINK.
  • Gavin Phillips. What is a bitcoin tumbler? Are they legal? Blocks Decoded, December 19, 2019. LINK.
  • Ian Miers, Christina Garman, Matthew Green, and Aviel D Rubin. Zerocoin: anonymous distributed e-cash from Bitcoin. In 2013 IEEE Symposium on Security and Privacy, 397–411. IEEE, 2013. LINK.
  • Team Rocket, Maofan Yin, Kevin Sekniqi, Robbert van Renesse, and Emin Gün Sirer. Scalable and probabilistic leaderless BFT consensus through metastability. CoRR, 2019. LINK, skim.
  • Fitz Tepper. People have spent over $1M buying virtual cats on the Ethereum blockchain. TechCrunch, December 3, 2017. LINK.
  • Nathaniel Popper. Hal Finney, cryptographer and Bitcoin pioneer, dies at 58. New York Times, August 30, 2014. LINK.
  • Timothy B. Lee. Judge savages self-proclaimed bitcoin inventor Craig Wright. Ars Technica, August 28, 2019. LINK.
  • Jamie Redman. A deep dive into Satoshi's 11-year old Bitcoin Genesis Block. Bitcoin News, January 3, 2020. LINK.
  • Timothy B. Lee. Bitcoin's “halving” is bad for miners, good for everyone else. Ars Technica, May 12, 2020. LINK.
  • Dan Goodin. How $323m in crypto was stolen from a blockchain bridge called Wormhole. Ars Technica, February 04, 2022. LINK.
  • Ryan Naraine. Coinbase pays $250K for 'market-nuking' security flaw. Security Week, February 21, 2022. LINK.
  • Mitchell Clark. NFTs, explained. Verge, August 18, 2021. LINK.
  • Kyle Chayka. Why Bored Ape avatars are taking over Twitter. New Yorker, July 30, 2021. LINK.
  • Jordan Pearson and Jason Koebler. A hacker is actively stealing high-value NFTs from OpenSea users. Vice Motherboard, February 19, 2022. LINK.
  • Dirty Bubble Media. Phishing on the Opensea. Dirty Bubble Media, February 20, 2022. LINK.
  • Jon Brodkin. Ethereum completes the “merge,” which ends mining and cuts energy use by 99.95%. Ars Technica, September 15, 2022. LINK.
  • Hilary J. Allen. The 'merge' did not fix Ethereum. Popular Media, October 19, 2022. LINK.
Optional:
  • Kyle Orland. Ars Technica's non-fungible guide to NFTs. Ars Technica, March 29, 2021. LINK.
  • Andy Greenberg. Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. Doubleday, 2022.
Thursday, March 09
Readings:
  • Bellovin, Chapter 10.
  • Antonio Regalado. Who coined “cloud computing”? MIT Technology Review, October 31, 2011. LINK.
  • Steven M. Bellovin. Testimony for the New York City Council Committee on Technology and Committee on Small Business hearing on “Cybersecurity for Small Businesses”. February 25, 2020. LINK, sections on cloud uses.
  • Teri Robinson. Open AWS S3 bucket exposes private info on thousands of Fedex customers. SC Media, February 15, 2018. LINK.
  • Emma Brown. UC-Berkeley students sue Google, alleging their emails were illegally scanned. Washington Post, February 1, 2016. LINK.
  • Chris Hoofnagle. bMail and Google's “content one box”. Berkeley Blog, March 1, 2014. LINK.
  • Microsoft. Azure encryption overview. March 23, 2020. LINK.
  • Microsoft. Azure confidential computing. March 2020. LINK.
  • Google. Google cloud security and compliance whitepaper. May 18, 2017. LINK.
  • Mark Russinovich. Introducing Azure confidential computing. Microsoft Azure Blog, September 14, 2017.
Tuesday, March 21
Readings:
  • Bellovin, Chapter 11; 16.3.
Thursday, March 23
Readings:
  • Bellovin, Section 17.2.
Tuesday, March 28
Readings:
  • Seny Kamara. Encrypted search: intro & basics. SAC Summer School, 2019. LINK.
  • Raphael Bost, Raluca Ada Popa, Stephen Tu, and Shafi Goldwasser. Machine learning classification over encrypted data. In NDSS. 2015. LINK.
  • Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael A. Specter, and Daniel J. Weitzner. Keys under doormats: mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, September 2015. LINK, doi:10.1093/cybsec/tyv009.
  • Lars Stoltenow. Recover the volume key of EncFS volumes created around 2007 on Debian, without password. April 5, 2020. See the README.md file. LINK.
  • Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. Mining your Ps and Qs: detection of widespread weak keys in network devices. In Proceedings of the 21st USENIX Security Symposium. 2012. LINK.
  • Dan Goodin. Flaw crippling millions of crypto keys is worse than first disclosed. Ars Technica, November 06, 2017. LINK.
  • Stilgherrian. The encryption debate in Australia. May 30, 2019. LINK.
  • Cyrus Farivar. Australia passes new law to thwart strong encryption. Ars Technica, December 06, 2018. LINK.
  • Asim Mehmood. HSMs and key management: effective key security. January 24, 2018. LINK.
  • Kwadjo Nyante. Does an HSM guarantee cryptographic key security? LinkedIn, January 24, 2019. LINK.
  • David Gunning, Awni Hannun, Brian Knott, Laurens van der Maaten, Vinicius Reis, Shubho Sengupta, Shobha Venkataraman, and Xing Zhou. Crypten: a new research tool for secure machine learning with PyTorch. Facebook AI blog, October 10, 2019. LINK.
  • Mariana Raykova, Ang Cui, Binh Vo, Bin Liu, Tal Malkin, Steven M. Bellovin, and Salvatore J. Stolfo. Usable secure private search. IEEE Security & Privacy, September-October 2012. LINK, doi:10.1109/MSP.2011.155.
  • Dan Goodin. Researcher uses 379-year-old algorithm to crack crypto keys found in the wild. Ars Technica, March 14, 2022. LINK.
  • Mike Hanley. We updated our RSA SSH host key. GitHub Blog, March 23, 2023. LINK.
  • Ross Anderson. Security Engineering. John Wiley & Sons, Inc., Indianapolis, IN, second edition, 2008. LINK.
Thursday, March 30
Physical and Procedural Security
Location: Zoom
Guest lecturer: Mark Seiden
Readings:
  • Bellovin, Sections 16.1, 16.2.
  • NSA. Media destruction guidance. 2015. LINK.
  • Federal Commissioner for the Records of the State Security Service of the Former German Democratic Republic. The reconstruction of torn documents. 2019. LINK.
  • Aaron Tilley. How a few words to Apple's Siri unlocked a man's front door. Forbes, September 21, 2016. LINK.
  • Andy Greenberg. Flaws in Samsung's 'smart' home let hackers unlock doors and set off fire alarms. Wired, May 2, 2016. LINK.
  • Matt Blaze. Cryptology and physical security: rights amplification in master-keyed mechanical locks. IEEE Security and Privacy, 1(2):24–32, March/April 2003. LINK.
  • Matt Blaze. Safecracking for the computer scientist. Technical Report, U. Penn CIS Department, December 2004. LINK.
  • Lewis Page. US Navy malware infection risked submarine prang. The Register, April 18, 2007. LINK.
  • Lewis Page. Disgruntled techie attempts Californian power blackout. The Register, April 20, 2007. LINK.
  • Maxim Kelly. Chocolate the key to uncovering PC passwords. The Register, April 17, 2007. LINK.
  • Claudia Himmelreich. Piecing together Germany's shredded Stasi files. Time, April 21, 2010. LINK.
  • Sean Gallagher. Power strip or network hacking tool? It's both, actually. Ars Technica, July 23, 2012. LINK.
  • Director of Central Intelligence. Physical security standards for sensitive compartmented information facilities. Directive 6/9, CIA, November 18, 2002. LINK.
  • BBC. Service station thieves 'using car key jammers'. BBC News, December 3, 2016. LINK.
  • Lily Hay Newman. How a hacker's mom broke into a prison—and the warden's computer. Wired, February 26, 2020. LINK.
  • Prison break-in video, starting at about 13:30
  • The Graphing Calculator Story, Ron Avitzur, 2004.
Very optional:
  • Kevin Mitnick and William Simon. The Art of Deception. Wiley, 2002.
Tuesday, April 04
Readings:
  • Steven M. Bellovin. Distributed firewalls. ;login:, pages 39–47, November 1999. LINK.
  • Bellovin, Sections 5.1–5.2.
  • Google. A new approach to enterprise security. 2018. LINK, Read the linked-to documents, too.
  • Shalanda D. Young. Moving the U.S. government toward zero trust cybersecurity principles. Executive Office of the President, Office of Management and Budget, January 26, 2022. M-22-09. LINK.
  • National Security Agency. Embracing a zero trust security model. February 25, 2021. LINK.
  • Matthew Garrett. ZTA doesn't solve all problems, but partial implementations solve fewer. MJG59's Journal, March 31, 2022. LINK.
  • Virgil D. Gligor. Zero trust in zero trust? Technical Report CMU-CyLab-22-002, CyLab, Carnegie Mellon University, December 17, 2022. LINK.
Optional:
  • William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading, MA, second edition, 2003. ISBN 078-5342634662. LINK, Section 9.6.
Thursday, April 06

Guest lecturer: Dr. Sunoo Park
Computer crime law:
  • Charles Doyle. Cybercrime: an overview of the Federal Computer Fraud and Abuse statute and related Federal criminal laws. Congressional Research Service Report, October 15, 2014. LINK, page 2.
  • Hilarie Orman. The Morris Worm: a fifteen-year perspective. IEEE Security and Privacy, 1(5):35–43, September/October 2003. LINK.
  • National Association of Criminal Defense Lawyers. Computer Fraud and Abuse Act. LINK.
  • Sunoo Park and Kendra Albert. A researcher's guide to some legal risks of security research. October 2020. LINK, pages 1–7.
  • National Cyber Security Centre. Vulnerability disclosure toolkit. 2020. LINK.
Data protection law:
  • Federal Trade Commission. What the FTC does. LINK.
  • Federal Trade Commission. Privacy and security. LINK.
  • Lesley Fair. $575 million Equifax settlement illustrates security basics for your business. Federal Trade Commission (Business Blog), July 22, 2019. LINK.
  • National Conference of State Legislatures. 2022 security breach legislation. September 29, 2022. LINK.
  • State of California Department of Justice. California Consumer Privacy Act. LINK.
  • Matt Burgess. What is GDPR? The summary guide to GDPR compliance in the UK. Wired UK, March 23, 2020. LINK.
Optional data protection law:
  • FTC v. Equifax, Inc. complaint for permanent injunction and other relief. July 7, 2019. LINK, Paragraphs 1–31.
Tuesday, April 11
Readings:
  • Andy Greenberg. Hacker lexicon: what is fuzzing? Wired, June 2, 2016. LINK.
  • John Neystadt. Automated penetration testing with white-box fuzzing. MSDN, February 2008. LINK.
  • J. Postel. TCP and IP bake off. RFC 1025, RFC Editor, September 1987. LINK.
  • Steven M. Bellovin and Randy Bush. Configuration management and security. IEEE Journal on Selected Areas in Communications, 27(3):268–274, April 2009. LINK.
  • Peter Gutmann. Fuzzing code with AFL. ;login:, 41(2):11–14, Summer 2016. LINK.
  • A warm welcome to ASN.1 and DER. April 2020. LINK, skim.
  • CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations, February 12, 2002
Thursday, April 13
Readings:
  • Bellovin, Section 11.3; 16.3.
  • Nicole Perlroth. A tough corporate job asks one question: can you hack it? The New York Times, July 21, 2014. LINK.
  • Brian Krebs. Target hackers broke in via HVAC company. Krebs on Security, February 5, 2014. LINK.
  • Paul Roberts. Third party vendor source of breach at Home Depot. Security Ledger, November 7, 2014. LINK.
  • Steven M. Bellovin and Randy Bush. Configuration management and security. IEEE Journal on Selected Areas in Communications, 27(3):268–274, April 2009. LINK.
  • R. Callon and M. Suzuki. A Framework for Layer 3 Provider-Provisioned Virtual Private Networks (PPVPNs). RFC 4110, RFC Editor, July 2005. LINK, skim.
  • L. Fang. Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs). RFC 4111, RFC Editor, July 2005. LINK, skim.
Tuesday, April 18
Readings:
  • Bellovin, Chapters 12, 13, 15.
  • Parker Thompson and Sarah Zatko. Build safety of software in 28 popular home routers. December 2018. LINK.
  • Steven M. Bellovin. The open source quality challenge. SMBlog: Steve Bellovin's Blog (blog), April 29, 2009. LINK.
  • Christopher Bing and Joseph Menn. Flaw in iPhone, iPads may have allowed hackers to steal data for years. Reuters, April 22, 2020. LINK.
  • Microsoft. Life in the digital crosshairs: the dawn of the Microsoft Security Development Lifecycle. 2014. LINK.
  • Bill Gates. Trustworthy computing. January 15, 2002. LINK.
  • Brian Krebs. Microsoft Patch Tuesday, April 2022 edition. Krebs on Security, April 13, 2022. LINK.
  • Natasha Singer and Nicole Perlroth. Zoom's security woes were no secret to business partners like Dropbox. New York Times, April 20, 2020. LINK.
  • Darren Pauli. Apple's iOS updates brick iPads. The Register, May 17, 2016. LINK.
  • National Telecommunications and Information Administration. Software bill of materials. 2021. LINK.
  • Read several of the web pages of Cyber ITL, including especially their methodology page
Thursday, April 20
Readings:
Optional:
  • Nicole Perlroth. This is How They Tell Me the World Ends. Bloomsbury Publishing, New York, 2020, Chapter 7.
Tuesday, April 25
Guest lecturer: Dr. Sunoo Park
Readings:
  • Cliff Stoll. Stalking the wily hacker. Communications of the ACM, 31(5):484–497, May 1988. LINK, doi:10.1145/42411.42412.
  • Microsoft Threat Protection Intelligence Team. Ransomware groups continue to target healthcare, critical services; here's how to reduce risk. April 28, 2020. LINK.
  • Dan Goodin. LockBit, the new ransomware for hire: a sad and cautionary tale. Ars Technica, May 01, 2020. LINK.
  • William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading, MA, second edition, 2003. ISBN 078-5342634662. Chapter 17: “The Taking of Clark”. LINK.
  • Brian Krebs. Banks: credit card breach at Home Depot. Krebs on Security, September 14, 2014. LINK.
  • Brian Krebs. What the Marriott breach says about security. Krebs on Security, December 18, 2018. LINK.
  • Nicole Perlroth, Amie Tsang, and Adam Satariano. Marriott hacking exposes data of up to 500 million guests. New York Times, November 30, 2018. LINK.
  • Sean Gallagher. Sony Pictures hackers release list of stolen corporate files. Ars Technica, November 26, 2014. LINK.
  • Sean Gallagher. Home Depot ignored security warnings for years, employees say. Ars Technica, September 20, 2014. LINK.
  • Nicole Perlroth. Yahoo says hackers stole data on 500 million users in 2014. New York Times, September 22, 2016. LINK.
  • Josh Fruhlinger. The OPM hack explained: bad security practices meet China's Captain America. CSO Online, February 12, 2020. LINK.
  • Brendan I. Koerner. Inside the cyberattack that shocked the US Government. Wired, October 23, 2016. LINK.
  • William R. Cheswick. An evening with Berferd, in which a cracker is lured, endured, and studied. In Proc. Winter USENIX Conference. San Francisco, CA, January 1992. LINK.
  • William R. Cheswick. Back to Berferd. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC '10, 281–286. New York, NY, USA, 2010. ACM. LINK, doi:10.1145/1920261.1920303.
  • Andy Greenberg. The untold story of NotPetya, the most devastating cyberattack in history. Wired, August 22, 2018. LINK.
  • Bellovin, Section 16.4.
  • Mandiant. APT1: exposing one of China's cyber espionage units. White paper, 2013. LINK.
  • John Lambert. Microsoft shifts to a new threat actor naming taxonomy. Microsoft Security Blog, April 18, 2023. LINK.
  • Steven M. Bellovin. Exploiting linkages for good. SMBlog: Steve Bellovin's Blog (blog), December 31, 2007. LINK.
Optional:
Very optional:
  • Cliff Stoll. The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Doubleday, New York, 1989, A longer, less technical version of Stoll's paper, but worth reading if you're interested in this area.
Thursday, April 27

Note: this class will be conducted as a seminar—come prepared to discuss the issues.
Readings:
  • Nicole Radziwill, Jessica Romano, Diane Shorter, and Morgan C. Benton. The ethics of hacking: should it be taught? CoRR, 2015. LINK, arXiv:1512.02707.
  • Gregory Conti and James Caroland. Embracing the Kobayashi Maru: why you should teach your students to cheat. IEEE Security & Privacy, 9(4):48–51, July–August 2011. LINK.
  • National Academies of Sciences, Engineering, and Medicine. Fostering Responsible Computing Research: Foundations and Practices. National Academies Press, 2022. LINK, Executive summary.
  • C. T. Holzer and J. E. Lerums. The ethics of hacking back. In 2016 IEEE Symposium on Technologies for Homeland Security (HST), 1–6. 2016. LINK.
  • Dan Goodin. Vigilante botnet infects IoT devices before blackhats can hijack them. Ars Technica, April 19, 2017. LINK.
  • Peter Bright. DoJ, FBI set up command-and-control servers, take down botnet. Ars Technica, April 14, 2011. LINK.
  • Catalin Cimpanu. Avast and French police take over malware botnet and disinfect 850,000 computers. ZDNet, August 28, 2019. LINK.
  • A. M. Matwyshyn, A. Cui, A. D. Keromytis, and S. J. Stolfo. Ethics in security vulnerability research. IEEE Security & Privacy, 8(2):67–72, 2010. LINK.
  • Sean Gallagher. Maryland bill would outlaw ransomware, keep researchers from reporting bugs. Ars Technica, January 27, 2020. LINK.
  • Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn, and Thomas Santoro. The computer worm. February 6, 1989. LINK.
  • Steven M. Bellovin, Scott O. Bradner, Whitfield Diffie, Susan Landau, and Jennifer Rexford. As simple as possible—but not more so. Communications of the ACM, 2011. Note: this is a shorter version of “Can it really work?”. LINK.
  • Michael Levenson. F.B.I. secretly bought Israeli spyware and explored hacking U.S. phones. New York Times, January 28, 2022. LINK.
  • Ronen Bergman and Mark Mazzetti. The battle for the world's most powerful cyberweapon. New York Times, January 28, 2022. LINK.
  • Craig Timberg. NSO offered 'bags of cash' for access to U.S. cell networks, whistleblower claims. Washington Post, February 1, 2022. LINK.
Optional:
  • Nicole Perlroth. This is How They Tell Me the World Ends. Bloomsbury Publishing, New York, 2020.
  • Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn, and Thomas Santoro. The computer worm. February 6, 1989. LINK.
Tuesday, May 09
Final Exam (13:10-16:00)