Lectures
Announcements
Security in the news:
Online resources for this course:
Handling absence or illness:
Archived announcements.
- 9 Nov: NZISF Breakfast meeting, registration required. Speaker: David Harvey, Director of NZ Centre for ICT Law, University of Auckland; 1989-2016 District Court Judge; helped draft the 2015 Harmful Digital Communications Act, author of internet.law.nz: selected issues, 4th ed., LexisNexis, 2016. Title: Legal Obstacles to Vulnerability Research. Abstract: Under the current law, access to a computer system without authorisation is a crime. This means that conducting vulnerability research can be very constrained. Yet the proper testing of systems for possible vulnerabilities is necessary to maintain up-to-date security. In this presentation I set out the current law, why it poses problems for vulnerability research which, it is contended, is necessary, the risk of criminal liability and a proposal for a specific defence to a charge of unauthorised access to a computer system.
- An author-published preprint of an article to appear in CCS'17, an explanatory webpage, and an abstract at BlackHat Europe 2017 attracted great attention in the popular press worldwide on 16 October 2017. In their webpage, the authors discuss their prior notifications of vendors and CERT/CC: "We sent out notifications to vendors whose products we tested ourselves around 14 July 2017. After communicating with these vendors, we realized how widespread the weaknesses we discovered are (only then did I truly convince myself it was indeed a protocol weaknesses and not a set of implementation bugs). At that point, we decided to let CERT/CC help with the disclosure of the vulnerabilities. In turn, CERT/CC sent out a broad notification to vendors on 28 August 2017." In response to an article published on 16 October 2017, a Google spokesperson said their company is "aware of the issue, and we will be patching any affected devices in the coming weeks."
- Facebook phishing scam may collect passwords, Netsafe warns, Amber-Leigh Woolf, press release via Stuff, last updated 16 Oct 2017. Facebook messaging services were being compromised to send a message to Facebook friends, claiming the account holder is in a YouTube video. The message reads: "It's you [account holder's name]!", or "Is this yours?" and could be mistaken for a harmless message. If clicked, the link asks for a password login, and then forwards the message to more people..." See also New multi platform malware/adware spreading via Facebook Messenger, David Jacoby, Kaspersky Lab, 24 August 2017.
- Upcoming review of the Copyright Act, ITP Newsline Extra, email of 13 October 2017 to Members of ITP, and subscribers to their Newsline: "As some will know, the Government recently announced that a major review of the Copyright Act 1994 will shortly commence, having been delayed since 2013 due to the Trans Pacific Partnership (TPP) negotiations. This is significantly relevant to the tech community given the impact that technology has had on copyright in recent times. The Ministry of Business, Innovation and Employment (MBIE) have released a Terms of Reference for the review, and intend to kick things off with an Issues Paper in February next year. We are likely to be heavily involved, representing the IT profession. We've begun initial work on the issue, including initial meetings with some of the other stakeholders who are likely to be involved in the review. In addition, we're looking to establish a Copyright Reference Group to help formulate ITP's position as the review progresses, and you'll also see wider consultation of our membership on what you see as the key issues, challenges and opportunities the review (and copyright as a whole) represents. In the meantime, please drop us a note at nominations@itp.nz if you'd like to express an interest in being a part of the Copyright Reference Group. We'll then provide more details once the scope and details of the group have been finalised."
- Domino's rolls the dice on personal data protection (scores critical miss), Brislen on Tech, ITP, 13 Oct 2017. "... I got an email the other day from 'Sarah' asking if I was from Sandringham, and I knew I'd been caught up in the Domino's hack... they're not notifying customers of the breach and the 0800 number they've set up for people to call if they have any concerns is just the 0800 number the company always has for customers to ring through to if they have any concerns. This is How Not To Handle a Data Breach 101..."
- The Seven Deadly Sins of AI Predictions, MIT Technology Review, 6 October 2017. We are surrounded by hysteria about the future of artificial intelligence and robotics—hysteria about how powerful they will become, how quickly, and what they will do to jobs...
- UMass Lowell Professor Steers Ethical Debate on Self-Driving Cars, press release, 5 October 2017. "The first question is, 'How do we value, and how should we value, lives?' This is a really old problem in engineering ethics," Evans said... At least one economist has proposed a 'pay-to-play' model for decision-making by autonomous vehicles, with people who buy more expensive cars getting more self-protection than those who buy bare-bones self-driving cars. "While that offends basic principles of fairness because most people won't be able to afford the cars with better protection," Evans said, "it speaks to some basic belief we have that people in their own cars have a right to be saved, and maybe even saved first."
- We use the Canvas-site for COMPSCI 725 S2 2017 for scheduling, for assessment, and for distribution of any successful videorecordings of the instructor's lectures. All other instructional materials are delivered through links on this webpage.
- Student oral presentations will not be videorecorded. Our oral discussions of issues raised by student oral presentations will not be videorecorded, and are examinable.
- Student slideshows will be published on the web by default, and will be preserved in the COMPSCI 725 archives on a best-effort basis. If you do not want your slideshow to be web-published, please let me know and I'll tear it down (if it is already published); and I will set up a private-viewing area on the Canvas-site for this course so that it will be available for your fellow students, but it will not be visible to your prospective future employer, friends, etc.
- A number of prior students have given me permission to publish their written report to the COMPSCI 725 Written Report Archive. A few of these reports have been cited by other scholarly researchers, see e.g. the Google Scholar citations for Gareth Cronin's report. At any time after you have received your marks and my feedback on your written report, please consider sending me a copy of your report -- with revisions if you want to do this -- in an email granting me permission to publish it in the class archives.
- I will do my best to videorecord my lectures. However the recording equipment in small lecture rooms (such as the ones we're using this semester) is not highly reliable, so I cannot guarantee that all of my lectures will be recorded.
- If you must leave for family emergencies etc, PLEASE talk to the lecturer, or somehow get a message to the department. Very few problems are so urgent that we cannot be told quite quickly.
- For problems affecting assignments or tests, see the lecturer (or send email, or call on the telephone). This must be done as soon as reasonably possible, if we are to make alternative arrangements that will prevent you from getting a poor mark on this test or assignment.
- For illness during exams (or other problems that affect exam performance) students MUST contact the Examinations Office as soon as possible, and in any event within a week. The time limits and other rules of the University's Aegrotat Policy are strictly enforced.
- Many students have missed out on a whole semester of study because they just went away. Many students have failed an examination because they did not report problems until they received the failing grade. In general, if there is a problem that will affect your study you should speak to someone as soon as possible.
- Students should sit the examination if at all possible, even if they do nothing much more than hand in a script with their name.
- Students should read the exam instructions and regulations, and they should double-check the examination timetable to make sure they don't miss any of their exams. Other relevant information is available in the academic information webarea for current students.
Schedule (tentative)
- Week 1 (24 July - 28 July): Introduction; Basics of Security.
- Reading assignment (to be completed by the second day of lectures): B. W. Lampson, "Computer Security in the Real World", C. ACM 37(6) 37-46, 2004.
- Select class representative. Representatives are expected to attend our department's staff-student meetings on Monday 14 August and Monday 9 October (tentative date, tbc), 1-2pm, perhaps in Room 303S-561 (tbc). Sign-up sheet. Training Venues & Timing. Information sheet.
- Course Information Sheet, v1.0 of 2017-07-11.
- Article List for Oral Presentations, version 1.0 of 2017-07-24.
- Introduction to COMPSCI 725 (PDF version), v1.0 of 2017-07-11.
- Week 2 (31 July - 4 August): Real world security (cont.); oral & written reports; soft security.
- Oral Report Schedule, v2 of 2017-10-25.
- Oral and Written Reports (PDF version), Version 1.0 of 2 August 2017.
- "Soft" security: social, legal, economic, and architectural controls, PDF version, v1.1 of 2017-08-10.
- Week 3 (7 August - 11 August): Soft security (cont.); oral & written reports (cont.); cryptographic standards and protocols.
- Students who are scheduled to present in Week 5 should make a reservation for a tutorial session in Week 4, to practice their oral presentation.
- Introduction to Cryptography and Steganography. PDF version.
- Reading assignment from Mark Stamp, Information Security: Principles and Practice, Wiley, 2011:
- Symmetric encryption: p. 20
- Kerckhoffs's principle: p. 21
- Public-key encryption: pp. 89-91
- Message integrity (HMAC): pp. 136-7
- Authentication protocols: pp. 320-4
- Cryptographic Standards and Protocols, version 1.21 of 2017-08-14. PDF version.
- Week 4 (14 August - 18 August): Oral and written reports (cont.); cryptographic standards and protocols (cont.).
- All students should produce a synopsis and a preliminary list of references for their written report before the end of week 6. This submission is worth 1 mark (out of 25 possible marks) for your written report.
- Students who are scheduled to present in Week 6 should make a reservation for a tutorial session in Week 5, to practice their oral presentation.
- Week 5 (21 August - 25 August): Soft security (cont.). A process for writing reports. Student oral presentations begin.
- Week 6 (28 August - 1 September): Student oral presentations continue.
- Students who are scheduled to present in Week 8 should make a reservation for a tutorial session in Week 7, to practice their oral presentation.
- Note: there are no tutorial sessions this week.
- Mid-semester break (2 September - 17 September)
- Week 7 (18 September - 22 September). Soft security (cont.), completing your written report.
- Students who are scheduled to present in Week 9 should make a reservation for a tutorial session in Week 8, to practice their oral presentation.
- Lecture Slides, set #7, Completing your Written Report. PDF version.
- Week 8 (25 September - 29 September). Student oral presentations resume.
- Students who are scheduled to present in Week 10 should make a reservation for a tutorial session in Week 9, to practice their oral presentation.
- Week 9 (2 October - 6 October). Student oral presentations.
- Students who are scheduled to present in Week 11 should make a reservation for a tutorial session in Week 10, to practice their oral presentation.
- Week 10 (9 October - 13 October). Student oral presentations.
- Week 11 (16 October - 20 October). Student oral presentations. Practice final exam.
- Students who are scheduled to present in Week 12 should make a reservation for a tutorial session in Week 11, to practice their oral presentation.
- Tuesday: Practice final exam (ungraded, anonymous), 15 minutes. I'll mark a sample of your answers, and we'll discuss my marks on the last day of lectures.
- Due 5pm Friday: written report, in .pdf or .docx or .odt format (5 MB limit), submit via Canvas.
- Week 12 (23 October - 25 October). Student oral presentations. Revision.
- Thursday (penultimate lecture): Discussion of sample answers to the sample exam question of week 11. Course revision.
- Friday (last lecture): Guest lecture by Ofer Reshef of Fonterra, on "Cyber resilience in a disruptive world: managing security in Fonterra".