Lectures

Announcements
  • 21 February 2020, 9am - 6pm. Eleventh OWASP New Zealand Day, a one-day conference dedicated to information security, with an emphasis on secure architecture and development techniques to help Kiwi developers build more secure applications. I'm sure they'd be grateful if you offered to help with local arrangements! OWASP on FB.
  • 14 November, 7.30am - 9am: NZISF breakfast meeting, registration required. Speaker: Sergey Ozernikov, security consultant. Title: One breach, several perspectives. Abstract: Each one is pretty much like any other: reported by a third party, a not-that-difficult-to-exploit vulnerability, millions of people affected. Should we assume all our data to be already compromised in order not to bother about the next one? In this talk I will cover one of the most recent high-profile data breaches from the perspectives of mass media coverage, business impact, legal consequences for an attacker, the attack itself and what could have been done from the defense perspective.
  • Corrections/updates to discussions in lecture:
    • In our classroom discussion of Domingues (2016), I had asked for a technical explanation of the authors' assertion that "... the creation of the JSON-based files augments the probability of being able to recover data through carving techniques". We came to no firm conclusion. If (as I had asserted) Windows doesn't overwrite sectors in the secondary-storage when it updates files, then carving the disk for fragments in JSON format is likely to reveal many partial copies of the AppCacheTIMESTAMP.txt file -- which would be a goldmine for a forensic investigator. My subsequent review of Domingues (2016) suggests that this is indeed what the authors had in mind when they wrote this sentence in their concluding section: "Additionally, the periodic creation of the JSON-based files augments the probability of being able to recover data through carving techniques, while resorting to a JSON text-based format means that partial data might still be useful." In the Related Work section of Domingues (2016), I find a brief mention of the second clause "partial data might still be useful"; but nowhere in Domingues (2016) do I find a discussion of the likelihood that an update of the contents of a file (without changing its name) will use different sectors on a disk (or different blocks of an SSD). The most relevant Stack-Exchange discussion of this issue I can find is entitled "Does a rewritten file on NTFS use the same blocks?", and I'd recommend you read this if you want to learn a bit more about this topic. And... I now realise that the filename is different each time the JSON data is written: "Periodically data are dumped to a text file named AppCacheTIMESTAMP.txt, where TIMESTAMP represents the value of the current timestamp expressed in Microsoft’s 64-bit FILETIME format [19]. For instance, App-Cache131053178802735320.txt corresponds to the file saved on Sat, 16 Apr 2016 22:04:40 UTC." This nicely explains the authors' reasoning -- I'd say the sequence of (partially) reconstructed JSON files is likely to be a goldmine for a forensic investigation of "what exes were run, when" on a Windows 10 computer. Any forensic examiner who is reasonably proficient in the use of EnCase would be, I think, likely to use its JSON plugin and the EnScript module to develop evidence from this source.
    • The situation for credit-card surcharging is more complicated than I had indicated in lecture on Mon 23 Sept. In the USA: "As a result of a legal settlement to resolve claims brought by a group of U.S. merchants, merchants in the U.S. and U.S. territories may add a surcharge to certain credit card transactions, starting January 27, 2013... In cases where the applicable merchant discount rate exceeds 4% of the underlying transaction amount, in no event can the merchant assess a surcharge above 4%." In NZ, credit cards issued by Australian-owned banks are subject to regulations in Australia: "The Bank's reforms that took effect in 2003 required schemes to remove no-surcharge rules and rules that prevented merchants from steering consumers to lower-cost payment methods... The ability to surcharge has been a valuable reform, but practices have emerged in some industries where surcharge levels on some transactions appear to be well in excess of merchants' likely acceptance costs. The Bank sought to address these cases with changes to its standard, effective from March 2013, that enabled schemes to limit surcharges to the reasonable cost of acceptance. However, there is wide agreement that the enforcement of this framework has been ineffective..."; January 2018 guide to business: "From 1 September 2017, all businesses that impose payment surcharges on card transactions need to comply with the new law that bans excessive payment surcharges." If you're interested in learning more about how the economic costs of a secure system can be estimated and managed, I'd recommend you read articles in the WEIS conference series. Of particular relevance to this offering of CompSci 725 is "Standardisation and Certification of the 'Internet of Things'" (WEIS 2017) which reports "on a research project for the European Commission into what will happen to safety regulation once computers are embedded invisibly everywhere."
  • Security in the news:
    • What Google's Quantum Supremacy Claim Means for Quantum Computing, IEEE Spectrum, 27 Sep 2019. "... The moment when quantum computing can seriously threaten to compromise the security of digital communications remains many years, if not decades, in the future. But the leaked draft of Google’s paper likely represents the first experimental proof of the long-held theoretical premise that quantum computers can outperform even the most powerful modern supercomputers on certain tasks, experts say..."
    • Your Navigation App Is Making Traffic Unmanageable, IEEE Spectrum, 19 Sep 2019. "The proliferation of apps like Waze, Apple Maps, and Google Maps is causing chaos... traffic jams are popping up unexpectedly in previously quiet neighborhoods around the country and the world... The apps are typically optimized to keep an individual driver’s travel time as short as possible; they don’t ... take into account that [Baxter Street, in Los Angeles] has a 32 percent grade and that when you're at the top you can’t see the road ahead or oncoming cars. This blind spot has caused drivers to stop unexpectedly, causing accidents on this once-quiet neighborhood street..."
    • Identity Theft by the Numbers, Newsroom, 28 August 2019: "Every year, 130,000 New Zealanders are hit by identity theft... By far the number one motivation of identity thieves is accessing your bank account. In 28.7 percent of IDCARE's NZ cases, the scammers used the stolen information to access victims' bank accounts. Fraudulently using debit and credit cards came second, with 16 percent of cases, followed by fake tax lodgements at 6.8 percent. Sending unauthorised emails was also a motive, with 5.8 percent of scammers engaging in this behaviour. According to [Prof. David] Lacey, the average Kiwi identity theft victim lost $12,213. ..."
    • Hackers cracked Jack Dorsey's Twitter account using a very simple technique, Business Insider, 31 Aug 2019: "Twitter founder and CEO Jack Dorsey's official Twitter account was hacked on August 30, shocking his followers as his account spewed racial slurs, anti-Semitic tweets, and more offensive content, before all the tweets and retweets were eventually removed. According to an initial Twitter statement, a 'security oversight' by the provider let the hackers gain control. Twitter's communications team later clarified that 'the phone number associated with the account was compromised due to a security oversight by the mobile provider'... Daniel 'Keemstar' Keem, who has communicated with the hackers on several occasions, suggested in a tweet that the phone service provider was to blame, and alleged that the company inadvertently allowed hackers to call in and request a SIM card change on behalf of the high-profile accounts."
    • How to Protect Yourself Against a SIM Swap Attack, Wired, 19 Aug 2019: "A spate of hacked Instagram accounts. A $220 million lawsuit against AT&T. A bustling underground crime ring. They all have roots in an old problem that has lately found new urgency: SIM card swaps, a scam in which hackers steal your mobile identity—and use it to upend your life. At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own. They’re not doing it for prank call cover, or to rack up long-distance charges. By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts..."
    • 'Anonymised' data can never be totally anonymous, says study, The Guardian, 23 July 2019. "'Anonymised' data lies at the core of everything from modern medical research to personalised recommendations and modern AI techniques. Unfortunately, according to a paper, successfully anonymising data is practically impossible for any complex dataset..."
  • Archived announcements.
  • Online resources for this course:
    • We use the Canvas-site for COMPSCI 725 S2 2019 for scheduling, for assessment, for distribution of any successful videorecordings of the instructor's lectures. All other instructional materials are delivered through links on this webpage.
    • We will not be videorecording the oral presentations made by students. However their comments during their presentation, and our classroom discussions after their presentations, are examinable. Your attendance at lectures, your careful reading of articles before they are presented, and your participation in our oral discussions are thus important -- both for your final grade in this course, and also to add breadth and depth to our discussions.
    • Student slideshows will be published on the web by default, and will be preserved in the COMPSCI 725 archives on a best-effort basis. If you do not want your slideshow to be web-published, please inform an instructor and we will tear it down (if it is already published); and we will set up a private-viewing area on the Canvas-site for this course so that it will be available for your fellow students. Please note that the "walled-garden" security model of Canvas will prevent your slideshow from being visible to your friends, your family, and your prospective future employers.
    • Many prior students have released their written report to the COMPSCI 725 Written Report Archive. A few of these reports have been cited by other scholarly researchers, see e.g. the Google Scholar citations for Gareth Cronin's report. At any time after you have received your marks and feedback on your written report, please consider sending Clark a copy of your report -- with revisions if you want to do this -- in an email which explicitly grants him permission to publish this version of your report in the class archives.
    • We instructors will do our best to videorecord our lectures. However the recording equipment in small lecture rooms is not highly reliable, so we cannot guarantee that all of our lectures will be recorded.
  • Handling absence or illness:
    • If you must leave for family emergencies etc, PLEASE talk to the lecturer, or somehow get a message to the School of Computer Science. Very few problems are so urgent that we cannot be told quite quickly.
    • For problems affecting assignments or tests, see the lecturer (or send email, or call on the telephone). This must be done as soon as reasonably possible, if we are to make alternative arrangements that will prevent you from getting a poor mark on this test or assignment.
    • For illness during exams (or other problems that affect exam performance) students MUST contact the Examinations Office as soon as possible, and in any event within a week. The time limits and other rules of the University's Aegrotat Policy are strictly enforced.
    • Many students have missed out on a whole semester of study because they just went away. Many students have failed an examination because they did not report problems until they received the failing grade. In general, if there is a problem that will affect your study you should speak to someone as soon as possible.
    • Students should sit the examination if at all possible, even if they do nothing much more than hand in a script with their name.
    • Students should read the exam instructions and regulations, and they should double-check the examination timetable to make sure they don't miss any of their exams. Other relevant information is available in the academic information webarea for current students.
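As an added illustration of the Domingues (2016) point discussed in the corrections above (this is example code written for these notes, not code from the paper or from EnCase): the first part converts the FILETIME tick count embedded in an AppCacheTIMESTAMP.txt filename to a UTC time, and the second carves JSON-looking runs out of a constructed byte buffer and recovers whatever complete key/value pairs survive in a truncated dump, which is what "partial data might still be useful" amounts to in practice. The JSON keys in the sample buffer are invented for the example and are not the real AppCache schema.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Matches AppCacheTIMESTAMP.txt; the hyphenated "App-Cache..." spelling quoted above is also accepted.
APPCACHE_NAME = re.compile(r"App-?Cache(\d{17,19})\.txt$")
# A run of printable bytes that starts with '{': a complete or truncated JSON object.
FRAGMENT = re.compile(rb"\{[\x20-\x7e]*")
# One complete "key": scalar pair (string, integer, true/false/null) inside such a run.
PAIR = re.compile(rb'"([^"\\]+)"\s*:\s*("(?:[^"\\]|\\.)*"|-?\d+|true|false|null)')


def filetime_to_utc(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def timestamps_from_names(names):
    """Map each AppCacheTIMESTAMP.txt filename to the UTC time that dump was written."""
    return {n: filetime_to_utc(int(m.group(1)))
            for n in names if (m := APPCACHE_NAME.search(n))}


def salvage_pairs(fragment: bytes) -> dict:
    """Recover every complete "key": scalar pair from a possibly truncated JSON object."""
    return {k.decode(): json.loads(v.decode()) for k, v in PAIR.findall(fragment)}


def carve_json(image: bytes):
    """Carve JSON-looking runs from raw bytes; parse each fully, or partially if truncated."""
    records = []
    for m in FRAGMENT.finditer(image):
        frag = m.group()
        try:
            records.append(("complete", json.loads(frag.decode())))
        except ValueError:  # truncated: the run ended before the closing brace
            records.append(("partial", salvage_pairs(frag)))
    return records


# Constructed "disk image": one intact dump, then one cut short by an overwrite.
# The keys are illustrative only, not the real AppCache schema.
IMAGE = (b"\x00" * 16
         + b'{"exe": "C:\\\\Windows\\\\notepad.exe", "runs": 3, "last": "2016-04-16"}'
         + b"\xff" * 8
         + b'{"exe": "C:\\\\Program Files\\\\app.exe", "runs": 1, "la'
         + b"\x00" * 16)

if __name__ == "__main__":
    print(timestamps_from_names(["AppCache131053178802735320.txt"]))
    for status, rec in carve_json(IMAGE):
        print(status, rec)
```

Run on the constructed buffer, the second dump is reported as partial with its "exe" and "runs" values intact, and the filename from the paper decodes to Sat, 16 Apr 2016 22:04:40 UTC, matching the authors' example.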
Schedule (tentative)
  1. Week 1 (22 July - 26 July): Introduction; real world security.
  2. Week 2 (29 July - 2 August): Real world security (cont.); oral & written reports; soft security.
  3. Week 3 (5 August - 9 August): Soft security (cont.); oral & written reports (cont.); cryptographic and steganographic systems.
  4. Week 4 (12 August - 16 August):
    • All students should produce a synopsis and a preliminary list of references for their written report before the end of week 6. This submission is worth 1 mark (out of 25 possible marks) for your written report.
    • Students who are scheduled to present in Week 6 should make a reservation for a tutorial session in Week 5, to practice their oral presentation.
  5. Week 5 (19 August - 23 August): Student oral presentations begin.
  6. Week 6 (26 August - 30 August): Student oral presentations continue.
    • Students who are scheduled to present in Week 8 should make a reservation for a tutorial session in Week 7, to practice their oral presentation.
    • Don't forget Assignment 2 (your synopsis and preliminary list of references for your written report, due at midnight)!
    • Quizzes 1 and 2.
  • Mid-semester break (31 August - 15 September)
  7. Week 7 (16 September - 20 September). Student oral presentations continue. Completing your written report.
  8. Week 8 (23 September - 27 September). Student oral presentations continue.
  9. Week 9 (30 September - 4 October). Student oral presentations.
    • Students who are scheduled to present in Week 11 should make a reservation for a tutorial session in Week 10, to practice their oral presentation.
  10. Week 10 (7 October - 11 October). Student oral presentations.
  11. Week 11 (14 October - 18 October). Student oral presentations. Practice final exam.
    • Thursday: Practice final exam, 25 minutes. Spreadsheet of experimental data extracted from Figure 4 of Mohanty (2019), with precision-recall calculations. I'll mark a sample of your ungraded, anonymous answers. We'll discuss my marks on the last day of lectures.
    • Due 5pm Friday: written report, in .pdf or .docx or .odt format (5 MB limit), submit via Canvas.
  12. Week 12 (21 October - 25 October).
    • Monday: possible writing workshop (if at least one student has indicated their willingness to play the role of an author seeking advice from peers).
    • Tuesday: possible writing workshop.
    • Thursday: Discussion of sample answers to the sample exam question of week 11, not yet available. Revision.