The lectures and readings listed here are subject to change, including in response to current events (i.e., major news items).

Friday, January 24
  • Bellovin, Chaps 1–3.
  • “Defining Security”, via Courseworks

  • Bellovin, Chapter 7.
  • Lorrie Cranor. Time to rethink mandatory password changes. Tech@FTC blog, March 2, 2016. LINK.
  • Yinqian Zhang, Fabian Monrose, and Michael K. Reiter. The security of modern password expiration: an algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, 176–186. New York, NY, USA, 2010. ACM. LINK, doi:
  • Andy Greenberg. So hey you should stop using texts for two-factor authentication. Wired, June 26, 2016. LINK.
  • Brian Krebs. The limits of SMS for 2-factor authentication. Krebs on Security, September 16, 2016. LINK.
  • Robert H. Morris and Ken Thompson. Unix password security. Communications of the ACM, 22(11):594, November 1979. LINK.
  • Daniel Terdiman. Google security exec: 'passwords are dead'. CNET, September 10, 2013. LINK.
  • Dr. Fun
  • Dilbert
  • Dilbert
  • Dilbert
  • Dilbert
  • User Friendly
Friday, January 31
  • Bellovin, Chapter 7.6.
  • Ross Anderson. Security Engineering. John Wiley & Sons, Inc., Indianapolis, IN, second edition, 2008. LINK, Chapter 15.
  • Stephen T. Kent and Lynette I. Millett, editors. Who Goes There? Authentication Through the Lens of Privacy. National Academies Press, 2003. LINK, Chapter 5.
  • Kim Zetter. German hackers say they cracked iPhone's new fingerprint scanner. Wired: Threat Level, September 23, 2013. LINK.
  • Alex Hern. Hacker fakes German minister's fingerprints using photos of her hands. The Guardian, December 30, 2014. LINK.
  • Karen Shonesy. Security risk: automated voice imitation can fool humans and machines. Science Daily, September 26, 2015. LINK.
  • Craig Watson, Gregory Fiumara, Elham Tabassi, Su Lan Cheng, Patricia Flanagan, and Wayne Salamon. Fingerprint vendor technology evaluation. NISTIR 8034, NIST, December 2014. LINK, Executive Summary.
  • Patrick Grother, Mei Ngan, and Kayee Hanaoka. Recognition vendor test (FRVT) part 2: identification. NISTIR 8271, NIST, September 11, 2019. LINK, Executive Summary; Figures 9-16.
  • NIST. NIST study evaluates effects of race, age, sex on face recognition software. December 19, 2019. LINK.
  • Sean Gallagher. London to deploy live facial recognition to find wanted faces in crowd. Ars Technica, January 28, 2020. LINK.
  • Dan Goodin. Hackers say they broke Apple's Face ID. Here's why we're not convinced. Ars Technica, November 13, 2017. LINK.
  • Apple Support. About Face ID advanced technology. January 14, 2020. LINK.
  • Ron Amadeo. Anyone can fingerprint unlock a Galaxy S10—just grab a clear phone case. Ars Technica, October 17, 2019. LINK.
  • Jose Pagliery. iPhone encryption stops FBI, but not this 7-year-old. CNN, December 1, 2014. LINK.
  • Marc Prosser. 3D printed heads can unlock phones. What does that mean for biometric security? SingularityHub, January 7, 2019. LINK.
  • Why the iPhone's fingerprint sensor is better than the ones on older laptops, Y. Narasimhulu (blog).

  • Bellovin, Chapter 8.
  • Ross Anderson. Security Engineering. John Wiley & Sons, Inc., Indianapolis, IN, second edition, 2008. LINK, Section
  • Dennis Fisher. Final report on DigiNotar hack shows total compromise of CA servers. Threatpost, October 31, 2012. LINK.
  • Kim Zetter. Meet “Flame,” the massive spy malware infiltrating Iranian computers. Wired, May 28, 2012. LINK.
  • Dan Goodin. Crypto breakthrough shows Flame was designed by world-class scientists. Ars Technica, June 7, 2012. LINK.
  • Brian Fonseca. VeriSign issues false Microsoft digital certificates. ITWorld, 2001. LINK.
  • Zack Whittaker. Hackers are selling legitimate code-signing certificates to evade malware detection. ZDnet, February 22, 2018. LINK.
  • Sean Gallagher. Patch Windows 10 and Server now because certificate validation is broken. Ars Technica, January 14, 2020. LINK.
  • InCommon Certificate Practices Statement
  • InCommon Relying Party Agreement
  • Columbia CS Department certificate
  • Columbia University certificate
Friday, February 07
  • Federal Trade Commission. Twitter settles charges that it failed to protect consumers' personal information; company will establish independently audited information security program. June 24, 2010. LINK.
  • Andrew Hutchinson. Login details of 32 million Twitter accounts leaked online—time to update your password. Social Media Today, June 9, 2016. LINK.
  • John Philips. 7 examples of what happens when your Twitter account is hacked. Jeff Bullas (blog), July 11, 2013. LINK.
  • Troy Hunt. Beyond passwords: 2FA, U2F and Google Advanced Protection. Troy Hunt (blog), November 15, 2018. LINK.
  • Mat Honan. How Apple and Amazon security flaws led to my epic hacking. Wired, August 6, 2012. LINK.
  • Abdi Latif Dahir. Kenya's new digital IDs may exclude millions of minorities. New York Times, January 29, 2020. LINK.
  • Abdi Latif Dahir and Carlos Mureithi. Kenya's high court delays national biometric ID program. New York Times, January 31, 2020. LINK.

  • Bellovin, Chapter 4.
  • Fred Cohen. Computer viruses—theory and experiments. In DOD/NBS 7th Conference on Computer Security. 1984. LINK.
  • Ken Thompson. Reflections on trusting trust. Communications of the ACM, 27(8):761–763, August 1984.
  • Tom Duff. Experiences with viruses on UNIX systems. Computer Systems, 2(2):155–171, Spring 1989. LINK.
  • M. W. Eichin and J. A. Rochlis. With microscope and tweezers: an analysis of the Internet virus of November 1988. In Proc. IEEE Symposium on Research in Security and Privacy, 326–345. Oakland, CA, May 1989. LINK.
  • John F. Shoch and Jon A. Hupp. The “worm” programs—early experience with a distributed computation. Commun. ACM, 25(3):172–180, March 1982. LINK, doi:10.1145/358453.358455.
  • Timothy B. Lee. How a grad student trying to build the first botnet brought the Internet to its knees. Washington Post, November 1, 2013. LINK.
  • Joris Evers. Tool turns unsuspecting surfers into hacking help. CNET, March 21, 2007. LINK.
  • Joris Evers. JavaScript opens doors to browser-based attacks. CNET, July 31, 2006. LINK.
  • Nicolas Falliere, Liam O Murchu, and Eric Chien. W32.Stuxnet dossier. Symantec Security Response, February 2011. Version 1.4. LINK.
  • Catalin Cimpanu. New Ramsay malware can steal sensitive documents from air-gapped networks. ZDnet, May 13, 2020. LINK.
  • Ignacio Sanmillan. Ramsay: a cyber‑espionage toolkit tailored for air‑gapped networks. We Live Security, May 13, 2020. LINK, optional.
  • Recreating the Trojan Horse?
  • PandaLabs detected more than 21 million new threats, Panda Security, September 15, 2015.
  • Oldest known depiction of the Trojan Horse, from the "Vase of Mykonos", almost 2700 years old
  • Bad flash drive caused worst U.S. military breach
Friday, February 14
  • Katie Benner. U.S. charges Chinese military officers in 2017 Equifax hacking. New York Times, February 10, 2020. LINK.
  • Paul Mozur. With harsh words, China's military denies it hacked Equifax. New York Times, February 13, 2020. LINK.
  • Jon Brodkin. Huawei fires back, points to US' history of spying on phone networks. Ars Technica, February 13, 2020. LINK.
  • Greg Miller. “The intelligence coup of the century”. Washington Post, February 11, 2020. LINK.
  • Bellovin, Section 17.4.
  • Dan Geer. Von Neumann's monster. Speech, February 7, 2020. LINK.
  • Adi Shamir, Eyal Ronen, Colin O'Flynn, and Achi-Or Weingarten. IoT goes nuclear: creating a ZigBee chain reaction. 2016. LINK.
  • Yossef Oren and Angelos D. Keromytis. From the aether to the Ethernet—attacking the Internet using broadcast digital television. In 23rd USENIX Security Symposium (USENIX Security 14), 353–368. San Diego, CA, August 2014. USENIX Association. LINK.
  • Brian Krebs. IoT device maker vows product recall, legal action against western accusers. Krebs on Security, October 16, 2016. LINK.
  • Brian Krebs. Oct 16 hacked cameras, DVRs powered today's massive internet outage. Krebs on Security, October 16, 2016. LINK.
  • Elie Bursztein. Inside the infamous Mirai IoT botnet: a retrospective analysis. Cloudflare Blog, December 14, 2017. LINK.
  • Paul Roberts. Blade Runner redux: do embedded systems need a time to die? Security Ledger, May 13, 2014. LINK.
  • SCS computing facilities support lifecycle guide. December 16, 2019. LINK.
  • Martim Lobao. Android versus iOS software updates revisited: two years later and not much has changed. Android Police, November 2, 2017. LINK.
  • Updated: how to: reset C by GE light bulbs. January 3, 2019. LINK.
  • Frank Stajano and Ross Anderson. The resurrecting duckling: security issues for ad-hoc wireless networks. In International workshop on security protocols, 172–182. Springer, 1999. LINK.
  • Sean Gallagher. Unpatchable bug in millions of iOS devices exploited, developer claims. Ars Technica, September 27, 2019. LINK.
  • Jonathan M. Gitlin. Driver stranded after connected rental car can't call home. Ars Technica, February 18, 2020. LINK.
  • Cybersecurity and Infrastructure Security Agency. Ransomware impacting pipeline operations. Alert AA20-049A, CISA, February 18, 2020. LINK.

  • Ivan Krstić. Behind the scenes with iOS security. In Black Hat. 2016. LINK.
  • Ms. Smith. Report: over 80% mobile apps have crypto flaws, 4 of 5 web apps fail OWASP security. NetworkWorld, December 6, 2015. LINK.
  • Jon Oberheide and Farnam Jahanian. When mobile is harder than fixed (and vice versa): demystifying security challenges in mobile environments. In Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications, HotMobile '10, 43–48. New York, NY, USA, 2010. ACM. LINK, doi:10.1145/1734583.1734595.
  • M. Becher, F. C. Freiling, J. Hoffmann, T. Holz, S. Uellenbeck, and C. Wolf. Mobile security catching up? Revealing the nuts and bolts of the security of mobile devices. In 2011 IEEE Symposium on Security and Privacy, 96–111. May 2011. doi:10.1109/SP.2011.29.
  • Matthew Green. Why can't Apple decrypt your iPhone? A Few Thoughts on Cryptographic Engineering, October 4, 2014. LINK.
  • Kim Zetter. “Sloppy” mobile voting app used in four states has “elementary” security flaws. Vice Motherboard, February 13, 2020. LINK.
  • Carnegie Foundation. Moving the encryption policy conversation forward. September 2019. LINK.
  • Adam J Aviv, Katherine L Gibson, Evan Mossop, Matt Blaze, and Jonathan M Smith. Smudge attacks on smartphone touch screens. Woot, 10:1–7, 2010. LINK.
  • Sergei Skorobogatov. The bumpy road towards iPhone 5c NAND mirroring. In HardwearIO. Hague, Netherlands, September 2017. LINK.
  • Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, and Matthew Smith. Why Eve and Mallory love Android: an analysis of Android SSL (in)security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, 50–61. New York, NY, USA, 2012. Association for Computing Machinery. LINK, doi:10.1145/2382196.2382205.
  • Gillian Cleary. Mobile privacy: what do your apps know about you? Symantec Threat Intelligence (blog), August 16, 2018. LINK.
  • Aaron Krolik. Your apps know where you were last night, and they're not keeping it secret. New York Times, December 10, 2018. LINK.
  • Apple. Apple platform security. Fall 2019. LINK, skim.
Friday, February 21

  • Stephen T. Kent and Lynette I. Millett, editors. Who Goes There? Authentication Through the Lens of Privacy. National Academies Press, 2003. LINK, Chapters 3-4.
  • Merritt Baer and Chinmayi Sharma. What cybersecurity standard will a judge use in Equifax breach suits? Lawfare, 2017. LINK.
  • Tara Siegel Bernard. Equifax breach affected 147 million, but most sit out settlement. New York Times, January 22, 2020. LINK.
  • Kim Zetter. Sarah Palin e-mail hacker sentenced to 1 year in custody. Wired: Threat Level, November 12, 2010. LINK.
  • T. Narten, R. Draves, and S. Krishnan. Privacy Extensions for Stateless Address Autoconfiguration in IPv6. RFC 4941, RFC Editor, September 2007. LINK.
  • Office of the Privacy Commissioner of Canada and Office of the Information and Privacy Commissioner of Alberta. Report of an investigation into the security, collection and retention of personal information. September 25, 2007. PIPEDA Report of Findings #2007-389. LINK.
  • Peter Eckersley. How unique is your web browser? In International Symposium on Privacy Enhancing Technologies Symposium (PETS), 1–18. Springer, 2010. LINK.
  • Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: the second-generation onion router. In Proceedings of the 13th USENIX Security Symposium. August 2004. LINK.
  • Secretary's Advisory Committee on Automated Personal Data Systems. Records, Computers, and the Rights of Citizens. DHEW Publication, no. (OS) 73-94. United States Department of Health, Education, and Welfare, 1973. LINK, Very optional.
  • Mapping Data Flows
  • Dr. Fun

  • Bellovin, Chapter 14.
  • Alma Whitten and J.D. Tygar. Why Johnny can't encrypt: a usability evaluation of PGP 5.0. In Proceedings of Usenix Security Symposium. 1999. LINK.
  • Michelle Madejski, Maritza Johnson, and Steven M. Bellovin. A study of privacy setting errors in an online social network. In Proceedings of SESOC 2012. 2012. LINK.
  • Y. Acar, S. Fahl, and M. L. Mazurek. You are not your developer, either: a research agenda for usable security and privacy research beyond end users. In 2016 IEEE Cybersecurity Development (SecDev), 3–8. Nov 2016. doi:10.1109/SecDev.2016.013.
  • Paul Stepahin. We got phished. Exploratorium Tangents (blog), October 20, 2016. LINK.
  • Ian Barker. American Express customers phished using phishing prevention scam. Betanews, September 14, 2016. LINK.
  • Lorenzo Franceschi-Bicchierai. How hackers broke into John Podesta and Colin Powell's Gmail accounts. Motherboard, October 20, 2016. LINK.
  • Anne Adams and Martina Angela Sasse. Users are not the enemy. Commun. ACM, 42(12):40–46, December 1999. LINK, doi:10.1145/322796.322806.
  • Lorrie Faith Cranor. A framework for reasoning about the human in the loop. In Usability Psychology and Security Workshop. 2008. LINK.
Friday, February 28
Hardware Security
Guest lecturer: Prof. Simha Sethumadhavan
  • Gus W. Weiss. The farewell dossier: duping the Soviets. CIA, 1996. LINK.
  • Jann Horn. Reading privileged memory with a side-channel. Project Zero, January 3, 2018. LINK.
  • Adrian Tang, Simha Sethumadhavan, and Salvatore Stolfo. CLKSCREW: exposing the perils of security-oblivious energy management. In 26th USENIX Security Symposium (USENIX Security 17), 1057–1074. Vancouver, BC, August 2017. USENIX Association. LINK.
  • Mark Seaborn. Exploiting the DRAM rowhammer bug to gain kernel privileges. Project Zero, March 9, 2015. LINK.
  • M. Rostami, F. Koushanfar, and R. Karri. A primer on hardware security: models, methods, and metrics. Proceedings of the IEEE, 102(8):1283–1295, Aug 2014. doi:10.1109/JPROC.2014.2335155.
  • S. M. Trimberger and J. J. Moore. FPGA security: motivations, features, and applications. Proceedings of the IEEE, 102(8):1248–1265, Aug 2014. doi:10.1109/JPROC.2014.2331672.
Friday, March 06
Wireless Security Issues
  • Bellovin, Chapter 9; Section 10.3; Section 17.3.
  • Larry Seltzer. NFC phone hacking and other mobile attacks. Information Week, July 25, 2012. LINK.
  • Zak Doffman. New Google Android threat: NFC exposes devices to malware attack—update settings now. Forbes, November 2, 2019. LINK.
  • K. Haataja and P. Toivanen. Two practical man-in-the-middle attacks on Bluetooth secure simple pairing and countermeasures. IEEE Transactions on Wireless Communications, 9(1):384–392, January 2010. doi:10.1109/TWC.2010.01.090935.
  • Thomas Brewster. Update your iPhones and Androids now if you don't want your Bluetooth hacked. Forbes, July 24, 2018. LINK.
  • Ben Seri and Gregory Vishnepolsky. Blueborne. Armis, 2017. LINK.
  • Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting mobile communications: the insecurity of 802.11. In Proceedings of MOBICOM 2001. July 2001. LINK.
  • Adam Stubblefield, John Ioannidis, and Aviel D. Rubin. Using the Fluhrer, Mantin, and Shamir attack to break WEP. In Proceedings of the 2002 Network and Distributed Systems Security Symposium, 17–22. San Diego, CA, February 2002. LINK, skim.
  • Andy Greenberg. Hackers remotely kill a Jeep on the highway—with me in it. Wired, July 21, 2015. LINK, focus on the Sprint parts.
  • Threat Lab. Gotta catch 'em all. EFF White Paper, July 1, 2019. LINK.
  • Dan Goodin. Flaw in billions of Wi-Fi devices left communications open to eavesdropping. Ars Technica, February 26, 2020. LINK.

Friday, March 13

Zoom Instructions; Security Implications of COVID-19

  • Edsger W Dijkstra. The humble programmer. Communications of the ACM, 15(10):859–866, 1972. LINK.
  • Steven M. Bellovin. Attack surfaces. IEEE Security Privacy, 14(3):88–88, May 2016. doi:10.1109/MSP.2016.55.
  • Michael Howard, Jon Pincus, and Jeannette M. Wing. Measuring relative attack surfaces. In D.T. Lee, S.P. Shieh, and J.D. Tygar, editors, Computer Security in the 21st Century, pages 109–137. Springer US, 2005. LINK, doi:10.1007/0-387-24006-3_8.
  • Helen J. Wang, Chris Grier, Alex Moshchuk, Samuel T. King, Piali Choudhury, and Herman Venter. The multi-principal OS construction of the Gazelle web browser. In Proc. USENIX Security Symposium. 2009. LINK.
Friday, March 27
  • Satoshi Nakamoto. Bitcoin: a peer-to-peer electronic cash system. 2009. LINK.
  • Timothy B. Lee. Want to really understand how Bitcoin works? Here's a gentle primer. Ars Technica, December 15, 2017. LINK.
  • Dylan Yaga, Peter Mell, Nik Roby, and Karen Scarfone. Blockchain technology overview. NISTIR 8202, National Institute of Standards and Technology (NIST), October 2018. LINK.
  • Dan Goodin. Almost $500,000 in Ethereum Classic coin stolen by forking its blockchain. Ars Technica, January 08, 2019. LINK.
  • Timothy B. Lee. Blockchain-based elections would be a disaster for democracy. Ars Technica, November 06, 2018. LINK.
  • Dan Goodin. Crypto flaws in blockchain Android app sent Bitcoins to the wrong address. Ars Technica, May 29, 2015. LINK.
  • Timothy B. Lee. A brief history of Bitcoin hacks and frauds. Ars Technica, December 05, 2017. LINK.
  • Kate Rooney. $1.1 billion in cryptocurrency has been stolen this year, and it was apparently easy to do. CNBC, June 7, 2018. LINK.
  • Steven M. Bellovin. Bitcoin—the Andromeda Strain of computer science research. SMBlog: Steve Bellovin's Blog (blog), December 30, 2017. LINK.
  • Matthew Leising. The Ether thief. Bloomberg, June 13, 2017. LINK.
  • Cecille De Jesus. The DAO heist undone: 97% of ETH holders vote for the hard fork. Futurism, July 19, 2016. LINK.
  • IBM Blockchain Pulse. Building enterprise blockchains that stand for good: 5 principles for blockchain. Blockchain Pulse: IBM Blockchain Blog, May 13, 2019. LINK.
  • Jordan Tuwiner. Best bitcoin & cryptocurrency wallets. Buy Bitcoin Worldwide, December 20, 2019. LINK.
  • Joeri Cant. Chinese Bitcoin miners pressured to scale down due to electricity shortages. Cointelegraph, December 30, 2019. LINK.
  • Stan Schroeder. Wallet bug freezes more than $150 million worth of Ethereum. Mashable, November 8, 2017. LINK.
  • James Vincent. Bitcoin consumes more energy than Switzerland, according to new estimate. Verge, July 4, 2019. LINK.
  • Haseeb Qureshi. A hacker stole $31m of ether — how it happened, and what it means for Ethereum. freeCodeCamp, July 20, 2017. LINK.
  • Gavin Phillips. What is a bitcoin tumbler? Are they legal? Blocks Decoded, December 19, 2019. LINK.
  • Ian Miers, Christina Garman, Matthew Green, and Aviel D Rubin. Zerocoin: anonymous distributed e-cash from Bitcoin. In 2013 IEEE Symposium on Security and Privacy, 397–411. IEEE, 2013. LINK.
  • Team Rocket, Maofan Yin, Kevin Sekniqi, Robbert van Renesse, and Emin Gün Sirer. Scalable and probabilistic leaderless BFT consensus through metastability. CoRR, 2019. LINK, skim.
  • Fitz Tepper. People have spent over $1M buying virtual cats on the Ethereum blockchain. TechCrunch, December 3, 2017. LINK.
  • Nathaniel Popper. Hal Finney, cryptographer and Bitcoin pioneer, dies at 58. New York Times, August 30, 2014. LINK.
  • Timothy B. Lee. Judge savages self-proclaimed bitcoin inventor Craig Wright. Ars Technica, August 28, 2019. LINK.
  • Jamie Redman. A deep dive into Satoshi's 11-year old Bitcoin Genesis Block. Bitcoin News, January 3, 2020. LINK.
  • Timothy B. Lee. Bitcoin's “halving” is bad for miners, good for everyone else. Ars Technica, May 12, 2020. LINK.

  • Bellovin, Chapter 10.
  • Antonio Regalado. Who coined “cloud computing”? MIT Technology Review, October 31, 2011. LINK.
  • Steven M. Bellovin. Testimony for the New York City Council Committee on Technology and Committee on Small Business hearing on “Cybersecurity for Small Businesses”. February 25, 2020. LINK, sections on cloud uses.
  • Teri Robinson. Open AWS S3 bucket exposes private info on thousands of Fedex customers. SC Media, February 15, 2018. LINK.
  • Emma Brown. UC-Berkeley students sue Google, alleging their emails were illegally scanned. Washington Post, February 1, 2016. LINK.
  • Chris Hoofnagle. Bmail and Google's “content one box”. Berkeley Blog, March 1, 2014. LINK.
  • Microsoft. Azure encryption overview. March 23, 2020. LINK.
  • Microsoft. Azure confidential computing. March 2020. LINK.
  • Google. Google cloud security and compliance whitepaper. May 18, 2017. LINK.
  • Mark Russinovich. Introducing Azure confidential computing. Microsoft Azure Blog, September 14, 2017.
Friday, April 03

  • Bellovin, Chapter 11; 16.3.

  • Bellovin, Section 17.2.
Friday, April 10
The Evolution of IPsec
  • John Ioannidis and Matt Blaze. The architecture and implementation of network-layer security under Unix. In Proceedings of the Fourth Usenix Unix Security Symposium, 29–39. October 1993. LINK.
  • Steven M. Bellovin. Problem areas for the IP security protocols. In Proceedings of the Sixth Usenix Unix Security Symposium, 205–214. July 1996. LINK.
  • Charles Dinkel, editor. Secure Data Network Systems (SDNS) Network, Transport, and Message Security Protocols. Number 90-4250. National Institute of Standards and Technology, 1990. LINK, pp 1-39; skim.

  • Seny Kamara. Encrypted search: intro & basics. SAC Summer School, 2019. LINK.
  • Raphael Bost, Raluca Ada Popa, Stephen Tu, and Shafi Goldwasser. Machine learning classification over encrypted data. In NDSS, volume 4324, 4325. 2015.
  • Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael A. Specter, and Daniel J. Weitzner. Keys under doormats: mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, September 2015. LINK, doi:10.1093/cybsec/tyv009.
  • Lars Stoltenow. Recover the volume key of EncFS volumes created around 2007 on Debian, without password. April 5, 2020. See the file. LINK.
  • Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. Mining your Ps and Qs: detection of widespread weak keys in network devices. In Proceedings of the 21st USENIX Security Symposium. 2012. LINK.
  • Dan Goodin. Flaw crippling millions of crypto keys is worse than first disclosed. Ars Technica, November 06, 2017. LINK.
  • Stilgherrian. The encryption debate in Australia. May 30, 2019. LINK.
  • Cyrus Farivar. Australia passes new law to thwart strong encryption. Ars Technica, December 06, 2018. LINK.
  • Asim Mehmood. HSMs and key management: effective key security. January 24, 2018. LINK.
  • January 24. Does an HSM guarantee cryptographic key security? LinkedIn, January 24, 2019.
  • David Gunning, Awni Hannun, Brian Knott, Laurens van der Maaten, Vinicius Reis, Shubho Sengupta, Shobha Venkataraman, and Xing Zhou. Crypten: a new research tool for secure machine learning with PyTorch. Facebook AI blog, October 10, 2019. LINK.
  • Mariana Raykova, Ang Cui, Binh Vo, Bin Liu, Tal Malkin, Steven M. Bellovin, and Salvatore J. Stolfo. Usable secure private search. IEEE Security & Privacy, September-October 2012. LINK, doi:10.1109/MSP.2011.155.
Friday, April 17

  • Andy Greenberg. Hacker lexicon: what is fuzzing? Wired, June 2, 2016. LINK.
  • John Neystadt. Automated penetration testing with white-box fuzzing. MSDN, February 2008. LINK.
  • Ari Takanen, Jared DeMott, Charles Miller, and Atte Kettunen. Fuzzing for Software Security Testing and Quality Assurance. Artech House, Boston, MA, second edition, 2018. LINK, online book; skim if you wish.
  • J. Postel. TCP and IP bake off. RFC 1025, RFC Editor, September 1987. LINK.
  • Steven M. Bellovin and Randy Bush. Configuration management and security. IEEE Journal on Selected Areas in Communications, 27(3):268–274, April 2009. LINK.
  • A warm welcome to ASN.1 and DER. April 2020. LINK, skim.
  • CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations, February 12, 2002

  • Bellovin, Section 11.3; 16.3.
  • Nicole Perlroth. A tough corporate job asks one question: can you hack it? The New York Times, July 21, 2014. LINK.
  • Brian Krebs. Target hackers broke in via HVAC company. Krebs on Security, February 5, 2014. LINK.
  • Paul Roberts. Third party vendor source of breach at Home Depot. Security Ledger, November 7, 2014. LINK.
  • Steven M. Bellovin and Randy Bush. Configuration management and security. IEEE Journal on Selected Areas in Communications, 27(3):268–274, April 2009. LINK.
  • R. Callon and M. Suzuki. A Framework for Layer 3 Provider-Provisioned Virtual Private Networks (PPVPNs). RFC 4110, RFC Editor, July 2005. LINK, skim.
  • L. Fang. Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs). RFC 4111, RFC Editor, July 2005. LINK, skim.
Friday, April 24
  • Bellovin, Chapters 12, 13, 15.
  • Parker Thompson and Sarah Zatko. Build safety of software in 28 popular home routers. December 2018. LINK.
  • Steven M. Bellovin. Zoom security: the good, the bad, and the business model. SMBlog: Steve Bellovin's Blog (blog), April 2, 2020. LINK.
  • Steven M. Bellovin. Zoom cryptography and authentication problems. SMBlog: Steve Bellovin's Blog (blog), April 4, 2020. LINK.
  • Steven M. Bellovin. Trusting Zoom? SMBlog: Steve Bellovin's Blog (blog), April 6, 2020. LINK.
  • Steven M. Bellovin. Is Zoom's server security just as vulnerable as the client side? SMBlog: Steve Bellovin's Blog (blog), April 13, 2020. LINK.
  • Steven M. Bellovin. The open source quality challenge. SMBlog: Steve Bellovin's Blog (blog), April 29, 2009. LINK.
  • Christopher Bing and Joseph Menn. Flaw in iPhone, iPads may have allowed hackers to steal data for years. Reuters, April 22, 2020. LINK.
  • Microsoft. Life in the digital crosshairs: the dawn of the Microsoft Security Development Lifecycle. 2014. LINK.
  • Bill Gates. Trustworthy computing. January 15, 2002. LINK.
  • Brian Krebs. Microsoft Patch Tuesday, April 2020 edition. Krebs on Security, April 20, 2020. LINK.
  • Natasha Singer and Nicole Perlroth. Zoom's security woes were no secret to business partners like Dropbox. New York Times, April 20, 2020. LINK.
  • Darren Pauli. Apple's iOS updates brick iPads. The Register, May 17, 2016. LINK.
  • Read several of the web pages of Cyber ITL, including especially their methodology page

  • Bellovin, Sections 16.1, 16.2.
  • NSA. Media destruction guidance. 2015. LINK.
  • Federal Commissioner for the Records of the State Security Service of the Former German Democratic Republic. The reconstruction of torn documents. 2019. LINK.
  • Aaron Tilley. How a few words to Apple's Siri unlocked a man's front door. Forbes, September 21, 2016. LINK.
  • Andy Greenberg. Flaws in Samsung's 'smart' home let hackers unlock doors and set off fire alarms. Wired, May 2, 2016. LINK.
  • Matt Blaze. Cryptology and physical security: rights amplification in master-keyed mechanical locks. IEEE Security and Privacy, 1(2):24–32, March/April 2003. LINK.
  • Matt Blaze. Safecracking for the computer scientist. Technical Report, U. Penn CIS Department, December 2004. LINK.
  • Kevin Mitnick and William Simon. The Art of Deception. Wiley, 2002. (Recommended).
  • Lewis Page. US Navy malware infection risked submarine prang. The Register, April 18, 2007. LINK.
  • Lewis Page. Disgruntled techie attempts Californian power blackout. The Register, April 20, 2007. LINK.
  • Maxim Kelly. Chocolate the key to uncovering PC passwords. The Register, April 17, 2007. LINK.
  • Claudia Himmelreich. Piecing together Germany's shredded Stasi files. Time, April 21, 2010. LINK.
  • Sean Gallagher. Power strip or network hacking tool? It's both, actually. Ars Technica, July 23, 2012. LINK.
  • Director of Central Intelligence. Physical security standards for sensitive compartmented information facilities. Directive 6/9, CIA, November 18, 2002. LINK.
  • BBC. Service station thieves 'using car key jammers'. BBC News, December 3, 2016. LINK.
  • Lily Hay Newman. How a hacker's mom broke into a prison—and the warden's computer. Wired, February 26, 2020. LINK.
  • Prison break-in video, starting at about 13:30
  • The Graphing Calculator Story, Ron Avitzur, 2004.
Friday, May 01

  • Cliff Stoll. Stalking the wily hacker. Communications of the ACM, 31(5):484–497, May 1988. LINK, doi:10.1145/42411.42412.
  • Microsoft Threat Protection Intelligence Team. Ransomware groups continue to target healthcare, critical services; here's how to reduce risk. April 28, 2020. LINK.
  • Dan Goodin. Lockbit, the new ransomware for hire: a sad and cautionary tale. Ars Technica, May 01, 2020. LINK.
  • William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin. Firewalls and Internet Security; Repelling the Wily Hacker. Addison-Wesley, Reading, MA, second edition, 2003. ISBN 078-5342634662. Chapter 17: “The Taking of Clark”. LINK.
  • Brian Krebs. Banks: credit card breach at Home Depot. Krebs on Security, September 14, 2014. LINK.
  • Brian Krebs. What the Marriott breach says about security. Krebs on Security, December 18, 2018. LINK.
  • Nicole Perlroth, Amie Tsang, and Adam Satariano. Marriott hacking exposes data of up to 500 million guests. New York Times, November 30, 2018. LINK.
  • Sean Gallagher. Sony pictures hackers release list of stolen corporate files. Ars Technica, November 26, 2014. LINK.
  • Sean Gallagher. Home Depot ignored security warnings for years, employees say. Ars Technica, September 20, 2014. LINK.
  • Nicole Perlroth. Yahoo says hackers stole data on 500 million users in 2014. New York Times, September 22, 2016. LINK.
  • Josh Fruhlinger. The OPM hack explained: bad security practices meet China's Captain America. CSO Online, February 12, 2020. LINK.
  • Brendan I. Koerner. Inside the cyberattack that shocked the US Government. Wired, October 23, 2016. LINK.
  • William R. Cheswick. An evening with Berferd, in which a cracker is lured, endured, and studied. In Proc. Winter USENIX Conference. San Francisco, CA, January 1992. LINK.
  • William R. Cheswick. Back to Berferd. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC '10, 281–286. New York, NY, USA, 2010. ACM. LINK, doi:10.1145/1920261.1920303.
  • Andy Greenberg. The untold story of NotPetya, the most devastating cyberattack in history. Wired, August 22, 2018.
  • Bellovin, Section 16.4.
  • Cliff Stoll. The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Doubleday, New York, 1989, Very optional—a longer, less technical version of Stoll's paper, but worth reading if you're interested in this area.
  • Mandiant. APT1: exposing one of China's cyber espionage units. White paper, 2013. LINK.
  • Thomas Rid and Ben Buchanan. Attributing cyber attacks. Journal of Strategic Studies, 38(1-2):4–37, 2015. LINK, arXiv:, doi:10.1080/01402390.2014.977382, optional.
  • Jason Healey. Beyond attribution: seeking national responsibility for cyber attacks. January 2012. LINK, optional.

Note: this class will be conducted as a seminar—come prepared to discuss the issues.
  • Nicole Radziwill, Jessica Romano, Diane Shorter, and Morgan C. Benton. The ethics of hacking: should it be taught? CoRR, 2015. LINK, arXiv:1512.02707.
  • Gregory Conti and James Caroland. Embracing the Kobayashi Maru: why you should teach your students to cheat. IEEE Security & Privacy, 9(4):48–51, July–August 2011. LINK.
  • C. T. Holzer and J. E. Lerums. The ethics of hacking back. In 2016 IEEE Symposium on Technologies for Homeland Security (HST), 1–6. 2016. LINK.
  • Dan Goodin. Vigilante botnet infects IoT devices before blackhats can hijack them. Ars Technica, April 19, 2017. LINK.
  • Peter Bright. DoJ, FBI set up command-and-control servers, take down botnet. Ars Technica, April 14, 2011. LINK.
  • Catalin Cimpanu. Avast and French police take over malware botnet and disinfect 850,000 computers. ZDnet, August 28, 2019. LINK.
  • A. M. Matwyshyn, A. Cui, A. D. Keromytis, and S. J. Stolfo. Ethics in security vulnerability research. IEEE Security Privacy, 8(2):67–72, 2010. LINK.
  • Sean Gallagher. Maryland bill would outlaw ransomware, keep researchers from reporting bugs. Ars Technica, January 27, 2020. LINK.
  • Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn, and Thomas Santoro. The computer worm. February 6, 1989. LINK.
  • Steven M. Bellovin, Scott O. Bradner, Whitfield Diffie, Susan Landau, and Jennifer Rexford. As simple as possible—but not more so. Communications of the ACM, 2011. Note: this is a shorter version of “Can it really work?”. LINK.
Friday, May 08