FALL 2011
Section 4109
This Website (http://homepage.smc.edu/morgan_david/cs78/) will be used
to communicate with you.
Announcements, grade reports, and assignments will be posted here. The
site can be viewed from an internet-connected browser anywhere. You are responsible for awareness of the information posted here.
Grades - posted current ones as of
today, including all the individual late-arrival patch-ups I'm aware of. Check your grade and
call to my attention any omissions, errors, anomalies, or concerns.
(12/22)
Thank you - for your interest in the
course and the subject. I enjoyed the class. (12/16)
Grades - updated. They now include the
exam. They also include all the individual changes done last night.
(12/16)
Grades - updated. They now include the
Truecrypt exercise. Check your grades, talk to me about any
anomalies, oversights or errors on my part. Address these either by email
or when we meet for the exam tonight. (12/15)
Grades - updated. They now include the
2 parts of the GPG community exercise, the decrypt of a random string with
RSA, the forensics DETER exercise, and the tunnels DETER exercise. Many
of these grades suffer a lot from omitted assignments. As I pointed
out the first day of class, a missing number in an average impacts it
greatly. Missing assignments are grade killers. In particular, it looks
like many people did not perform the recent 2 DETER exercises, concerning
forensics and tunnels. Check your grades, talk to me about any
anomalies, oversights or errors on my part. Address these either by email
or when we meet for the exam Thursday. Know that my tracking of the
tunnels assignment was to see whether I saw one on DETER under your
account or not. If so, 100; if not, 0. If you never renamed your assigned
account with your real name, or you did the tunnels experiment but
terminated (destroyed) it, you got zero. In those cases, tell me that you
did the experiment and I will verbally quiz you and give you credit if
warranted. Yet-to-be-graded are the Truecrypt homework due tomorrow night,
and the exam we'll do the next night. (12/13)
If you want to
learn a lot of linux in a little time - I recommend the SCaLE
10x (Southern California Linux Expo) held Friday - Sunday January
20-22, 2012. It's intense, inexpensive,
local. (12/11)
Education - it was suggested to us
last night by the outside students who asked to speak that education is a
right not a privilege. Which is it, if either? Why? (12/9)
Final exam - is scheduled for December
15 in our usual classroom. It will be multiple-choice, closed book. There
will be 20-40 questions. Please bring a scantron form. (12/8)
Grades - I have not updated them. I
will try to do that over the next days so you will have opportunity to
review them in advance of our last meeting date next Thursday, and raise
any issues. (12/8)
Assignment 13
- encrypted filesystems
read the page at the link, left column, entitled "filesystem
encryption." That page has 4 links at the bottom. Read them too (except
for the last one, concerning FreeOTFE).
listen to this discussion about Truecrypt.
You can skip over the conversational chit-chat at the beginning and start
listening at the beginning of the description of the Truecrypt product.
visit Truecrypt's
website
view - the slides at the link, left, entitled "sshfs -
remote filesystem." What relation does the ssh file system bear to
encrypted filesystems? to encryption?
do the assignment at the link entitled "truecrypt"
under the heading "filesystem encryption" in the column at
right. Where asked to get files, obtain them from the home directory of user "public" on
sputnik (password "CS78password"). You are supposed to submit to
me a file you create, and to send me information about a file of mine. Do
so by sending me a single email message. Make your file an attachment, and
include the required information within the message. Make sure the message
title is "Assignment 13 Truecrypt". I will use an email message
filter that finds such messages and that's what I will grade. If you title
your message differently your assignment may get lost. Send your message
to dmorgan@world.oberlin.edu
(not to my smc.edu address please). -
due end-of-day Wednesday, December 14 (12/8)
DETER "Tunnels and vpns" assignment ready
- please see the link at the bottom of the right-hand column entitled
"Tunnels and vpns". Use
this network specification (ns) file, not the one offered within the
instructions. Important: you need to make an adjustment. Our project is known
to DETER by the name SMC-CS78. The instructions don't know that, they
think it's USCCsci530. Wherever you see the latter in any instruction,
substitute the former. You need not answer the questions found at the end
of the assignment. I will grade you by observing the presence of evidence
on DETER that you did the assignment. However, as a self-measurement, read
the questions and see whether you think you understood their points or
not. (12/4)
Software
security - flaws or exploitable characteristics particular to
specific applications
stack overflow demo - the environment suitable for reproducing and
playing with it is in the form of a VMware virtual machine. The virtual
machine is in the file "Snort on Centos 4.3 minimal-with-gdb.zip".
That file can be found in the home directory of user "public" on
sputnik (password "CS78password"). Here are instructions
for causing/observing the stack overflow within that environment (they can
be expected not to work in other environments). Within your virtual
machine, get the debugger and the sample files from sputnik. You need 2
files, both in sputnik's /home/public. They are gdb-6.3.0.0-1.162.el4.i386.rpm
and softwaresecurity.zip. You can use scp to get them, for example:
scp public@sputnik.smc.edu:/home/public/softwaresecurity.zip .
(don't omit the dot)
Once you have them:
rpm -Uvh gdb-6.3.0.0-1.162.el4.i386.rpm
unzip softwaresecurity.zip
The slides are at the link, below left,
entitled "software security".
sign extension bug - the podcast
"Anatomy of a Security Mistake" by Steve Gibson. It discusses a bug
in a library of code that applies the blowfish block cipher algorithm
to the task of hashing passwords. It was utilized as the tool for doing
that in some linux distributions (not fedora). The bug was there since
about 1998 until patched this year. It substantially weakens the passwords
it processes. It was found while trying to crack some passwords with John
the Ripper. (12/1)
Research
internships for community college students. "The majority of these projects do not require students to have a rocket scientist background. Most of them require computer literacy, with possibly MS office, but most importantly interest and discipline.... Students must be at least 18 years of age, and a U.S. citizen."
If interested please contact SMC computer science professor Jinan Darwiche
(DARWICHE_JINAN@smc.edu).
(11/28)
DETER "forensics" assignment ready
- please see the link at the bottom of the right-hand column entitled
"Computer forensics." Important: you need to make an adjustment. Our project is known
to DETER by the name SMC-CS78. The instructions don't know that, they
think it's USCCsci530. Wherever you see the latter in any instruction,
substitute the former. (11/27)
Paid
internship related to linux, seeking SMC student
candidates. (11/27)
Saving
Bletchley Park. (11/18)
Assignment 12
the 2 remaining DETER assignments are hereby assigned, but don't do them
quite yet (DETER is on heavy usage schedule till Nov 20). The slides for
these assignments are those at links (left column) entitled "Tunnels
and vpns" and "computer forensics". The links to the
assignments themselves will be posted in the right-hand column on or after
Nov 20. (11/17)
Grades
- posted. Includes the ssh key placement and Diffie-Hellman primitive roots
assignments. These were the 2 assignments for the week of my recent
absence, i.e. Assignment 10. Please check your
average. (11/17)
Please proceed
with "GPG community" exercise part 2 - in sputnik's
/home/common (password: CS78password) I have put a file for each of you,
encrypted with the public key you gave me (by uploading it into
/home/common). You can now proceed to decrypt it. Credit for this part of
the assignment is given when you give me a copy (unencrypted) of the file
I encrypted for you. The assignment asks you to do so on paper. You may,
tomorrow when we meet. Or, by the deadline Sunday, you may email it to me
instead. Please
see both the GPG community section of Assignment 9 below, and the
assignment itself at the link entitled "GPG, community" at
right. Give me the file I gave you either
on paper November 17 or as email attachment by end of Sunday,
November 20 (11/16)
Please proceed
with "GPG community" exercise part 1 - in sputnik's
/home/common (password: CS78password) your signed copies of the gettysburg
address have been renamed, per the assignment. You can now proceed to
figure out who signed each one and submit "signers.txt". The
students who signed these files have all published their public keys to us
(by putting them in /home/common where they are at our disposal). Please
see both the GPG community section of Assignment 9 below, and the
assignment itself at the link entitled "GPG, community" at
right. "signers.txt" due on sputnik end of Sunday,
November 20 (11/15)
Change in
lecture topics for Thursday - I will try to cover the topics of
both the upcoming DETER exercises-- "computer forensics"
and "tunnels and vpns". In order to position you to do them
both, and clear the decks for other topics in the remaining 2 lectures on
12/1 and 12/8. The DETER exercises are to be done in prescribed weeks:
Computer forensics - week of 11/28 (do not start before 11/21)
Tunnels and vpns - week of 12/5.
That means the "software security" topic will be deferred till
after Thanksgiving. (11/14)
Please pick up
and decrypt your random strings - they're ready. You can find
them in /home/common (password: CS78password) on sputnik. Get yours. Then
decrypt it using the "decr" script and your private key, per the
"Using RSA" assignment in column at right and "Assignment
11" below. You could transfer files and do this on your own linux
machine, or you could do it just as well in place on sputnik itself where
the files already are. Tell me what your random string is at our next
class meeting Thursday. (11/13)
Guzman,
Heron, Rubio - please give me another "outfile". I
see from your outfiles that you chose very small prime numbers. So small,
they won't work for our exercise. That's because RSA's mathematics
only work for encrypting values less than n (the product of the 2 primes
you choose). You chose primes such that, respectively, your n's are 10,
35, and 6. But we need to encrypt and decrypt random strings composed of
capital letters. That means we have to be able to encrypt/decrypt their
ascii values. The ascii values of capital letters range from 65 (A) to 90
(Z). Too high for you; your keys won't do the job. So please choose some
higher primes, whose product is at least 90, and give me the new outfiles
in your assignments directories. (11/13)
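The point in the note above, shown with code added here (this is not the course's "RSA encryption 2" script or its "outfile" format): textbook RSA recovers the plaintext only modulo n, so an ASCII value of 65 or more survives an encrypt/decrypt round trip only when n = p*q is larger than it. The primes 5 and 7 (n = 35) and 11 and 13 (n = 143) are chosen here for illustration; they are not any student's keys.

```python
# Added example (not from the course page): toy textbook RSA on single ASCII
# values, to show why n = p*q must exceed every value you want to encrypt.
# Illustration only: real RSA uses large primes and padding.

from math import gcd


def modinv(a, m):
    """Modular inverse of a mod m via extended Euclid (a, m must be coprime)."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def rsa_keypair(p, q):
    """Build (public, private) keys from two distinct primes p and q.
    Uses the smallest odd public exponent e >= 3 that is coprime with phi(n).
    Keep p, q >= 5 so such an e exists."""
    n = p * q
    phi = (p - 1) * (q - 1)
    e = next(c for c in range(3, phi, 2) if gcd(c, phi) == 1)
    d = modinv(e, phi)
    return (e, n), (d, n)


def encrypt_int(m, public):
    e, n = public
    return pow(m, e, n)


def decrypt_int(c, private):
    d, n = private
    return pow(c, d, n)


def roundtrip(text, public, private):
    """Encrypt each character's ASCII value and decrypt it again.
    Returns the recovered integers. RSA gives back m mod n, so any
    value >= n comes back wrong (e.g. 65 with n = 35 returns 30)."""
    return [decrypt_int(encrypt_int(ord(ch), public), private) for ch in text]


def key_covers_uppercase(public):
    """True if every uppercase letter (ASCII 65..90) is strictly below n,
    i.e. the key can carry the exercise's 3-letter uppercase strings.
    'Z' is 90, so n must be greater than 90, not merely equal to it."""
    _, n = public
    return n > ord("Z")


if __name__ == "__main__":
    small_pub, small_priv = rsa_keypair(5, 7)     # n = 35: too small
    big_pub, big_priv = rsa_keypair(11, 13)       # n = 143: large enough
    print(roundtrip("A", small_pub, small_priv))  # [30], not [65]
    print(roundtrip("ABC", big_pub, big_priv))    # [65, 66, 67]
    print(key_covers_uppercase(small_pub), key_covers_uppercase(big_pub))
```

With n = 35 the letter A (65) is reduced to 65 mod 35 = 30 before encryption ever happens, and 30 is what decryption returns; with n = 143 every value from 0 to 142, and therefore every capital letter, round-trips exactly.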
Slides we have
viewed - identified in case you wish to review them. These are
the ones from which I have lectured, given by the title of the link where
you can view them at lower left.
| Week | Slide titles |
| Week 1 | general considerations; users/processes/resources |
| Week 2 | steganography; Users |
| Week 3 | processes |
| Week 4 (9/22) | authorization; ProcessUID control |
| Week 5 | Pluggable Authentication Modules (PAM); Passwords; message digests |
| Week 6 | cryptography; s-des backgrounder; s-des operation example |
| Week 7 (10/13) | packet filter firewalls; stream and block ciphers (stream) |
| Week 8 | Japanese Naval Code JN-25; stream and block ciphers (block); arp spoofing |
| Week 9 (10/27) | GNUPrivacyGuard (gpg); RSA algorithm |
| Week 10 (11/3) | ssh - secure shell; key exchange |
| Week 11 (11/10) | (review, reinforcement of above 4 topics gpg, rsa, ssh, diffie-hellman); stunnel |
| Week 12 (11/17) | Computer forensics; Tunnels and vpns |
| Week 13 (12/1) | Software security (stack overflow, representing the category) |
| Week 14 (12/8) | encrypted filesystems |
Assignment 11 -
using your RSA private
key to decrypt a message from me
do the assignment at the link entitled
"Using RSA" in the column at right. Of the 7-item list at the
beginning of the assignment, we've accomplished the first 3 steps in last
week's RSA component of Assignment 7. You generated a key pair. Then
you published your public key to me when you put your "outfile"
containing it within my reach in your sputnik directory. I have since performed step 4, encrypting a random string with your public key. All my
random strings are 3-character uppercase-alpha strings.
The assignment calls upon you to get
files:
ciphermessage-<yourname> [containing string encrypted
with your pubkey]
decr [script to process above file, yielding the string]
Both can be found in the home directory of user "public" on
sputnik (password "CS78password").
When you have decrypted my random
string please email it to me to get credit for this assignment. -
due in class November 17. I will bring my list of students, with random
string for each. You will verbally tell me what your random string is and
I will check you off on my list if it's right.
preview - "Tunnels and vpns"
slides. I will present them next week, and you'll do the related DETER
experiment thereafter. (11/10)
Grades
- posted. Includes the encryption modes exercise and the DETER arpspoof exercise. Please check your
average. (11/8)
Help
wanted (10/27)
Important: special
provisions for November 3 - I will be absent. Please attend
class virtually. Assignment 10
is the work assigned under that link. Listen to the lectures and do the in-class
activity. I will see you November 10. Homework for the virtual
class, both parts due on sputnik end-of-day Sunday,
November 13 (10/27)
Distributing
files to you from sputnik - for that purpose, there is a user
account on sputnik named "public". Its password is
"CS78password". It contains a lot of files. You can download
them using sftp/scp with those account credentials. (This is comparable to
anonymous ftp; however, ssh/sftp/scp have no "anonymous" feature,
so this is a functionally similar workaround. Unlike with your own home
directory, you can only download from public's, not upload.) I will
from time to time ask you to acquire files from this source. (10/27)
Assignment 9
1 - Encryption and digital signing with Gnu Privacy Guard (GPG)
read
GPG (GNU Privacy Guard) official page
GPG
Mini HowTo
GNU Privacy Handbook
RFC2440 -
OpenPGP message format
Enigmail
do the assignment at the link
entitled "GNUPrivacyGuard". There are no questions to answer and
nothing to turn in. But importantly this will familiarize you with
how GPG works. You will need that familiarity to apply GPG in doing the
next assignment immediately below.
do the assignment at the link entitled "GPG, community."
Obtain gettysburg.txt (you can get it by sftp/scp from sputnik.smc.edu's
"public" account, password is CS78password). As a
commonly accessible file-exchange mechanism among class members for this
assignment, use the
account "common" whose password is "CS78Password" and
sftp/scp to up- and download files from common's home directory
on sputnik. No later than the end of Sunday,
November 6 upload both your gpg-created key for this assignment
and your signed copy of gettysburg.txt. I will process the student uploads
and deposit resultant files in the "common" home directory for
you to do the next step in the assignment. When I have done so and all is
ready, I will notify you here on the website. Then, you
will be able to proceed and do the assignment's "Part 1" and
"Part 2," which will be due on a date
to be determined. For Part 1, please name your file "signers.txt" (assignment says
"signers" but please add the txt filename extension). For Part
2, please email to me the word that I encrypted for you. (The assignment
asks for it on paper but ignore that.)
2 - RSA public-key encryption algorithm
read the section entitled "RSA: The Most Used Asymmetric
Algorithm" at http://www.informit.com/articles/printerfriendly.aspx?p=102212
do the assignment at the link entitled "RSA encryption 2"
on your linux VM. The
assignment produces a file named "outfile". Please submit it
to me by placing it in your "assignments" subdirectory on
sputnik.smc.edu. Retain the values you
generated for keys in this exercise (e.g., don't delete outfile) because I
will ask you to use these keys again later. (I plan to encrypt something
for you with the public key you give me in "outfile", then
expect you to decrypt it. You'll need your matching private key to manage
that, so retain it. Next week. See "Using RSA" exercise link.) - this
portion will be due end-of-day Sunday, November 6.
"Designated
student number" assignments:
ahmed: student101
bari: student102
bower: student103
bratko: student104
burgo: student105
bustamante: student106
castillo: student107
dickens: student108
donnelly: student109
duong: student110
faith: student111
fox: student112
guzman: student113
harrington: student114
heron: student115
jordan: student116
kronk: student117
laroche: student118
maat: student119
morris: student120
murillo: student121
rubio: student122
shafi: student123
(10/27)
Grades
- posted. Includes the DETER firewall exercise. Please check your
average. (10/24)
Internet Invented Here -
there's a grand
opening party Saturday. (10/24)
Three purposes
of cryptography - 1) confidentiality, 2) sender authenticity,
3) data integrity. (10/20)
Punch line
to the Battle
of Midway story: all those 4 carriers that had attacked Pearl Harbor
the previous December were sunk that day. Cryptanalysis
(with a little help) sank them. (10/20)
Assignment 8
read - from textbook chapters 11 and 12. Chapter 11 "TCP/IP
Networks" should come in large measure as review to you. Chapter 12
"Securing TCP and UDP Services" is long, and covers a range of
security considerations. Some of them are general but many are specific to
particular services. The latter part of the chapter devotes a page or two
to each of a dozen common services, describing it and its own unique
security related characteristics. Read these chapters over the course of the next 3 or 4 weeks. They relate loosely to the network related class
lectures and activities (e.g., firewalls and arp spoofing).
do - the assignment at the link entitled "encryption
modes," at right.
Submit your answers to the assignment's questions, as the assignment indicates,
to sputnik. - due end-of-day Sunday, October
30
do - the assignment at the link
entitled "Arp spoofing (DETER)." You need to make a couple of
adjustments. Our project is known
to DETER by the name SMC-CS78. The instructions don't know that, they
think it's USCCsci530. Wherever you see the latter in any instruction,
substitute the former (e.g., where told to execute:
cp /proj/USCCSci530/exp/server4.c /root
execute instead:
cp /proj/SMC-CS78/exp/server4.c /root )
The questions for you to answer are the following, which are the
same ones found at the end of the exercise in non-multiple-choice form,
recast into multiple-choice form.
1. ARP poisoning of node4 from node1
a. can be done the same way as ARP poisoning of node0 from node1
b. can be done the same way as ARP poisoning of node2 from node1
c. can be done the same way as ARP poisoning of node3 from node1
d. cannot be done from node1
2. At the end of section 6 the question is posed, "How does traffic between node2 and
node0 get from node2 to node0?" Under the circumstances of that section, how??
a. via/through node1
b. via/through node3
c. via/through both node1 and node3, duplicate copies being sent
d. via no other nodes than themselves
3. Consider the question "How?" that appears at the end of section 7. Recall that node2
logged into ftp on node4 and somehow node1 figured out the user password given by
node2. How??
a. the password that node2 issued to node4 transited node1 on the way from node2 to node4, and node1 decrypted it
b. node2 broadcast the password for node4, and node1 decrypted it
c. the password that node2 issued to node4 transited node1 on the way from node2 to node4, and was unencrypted
d. node2 broadcast the password for node4, and it was unencrypted
4. Imagine you run a web hosting company. The manager at one of your clients, a medium
sized business, calls you in alarm and reports the apparent defacement of his website
running on your host machine. Images on the site have all been replaced with various
hacker images like the laughing skull. He heard about it from several of his employees,
then saw it with his own eyes on their terminals. His website has fallen victim to the same
mischief as the one on our node4. What is your course of action?
a. temporarily block access to the web server machine that contains the customer's site,
while you diagnose the site's corruption
b. examine the site's constituent files within the web server machine, to pinpoint (and fix)
the corrupted ones
c. both a and b
d. no action, because the site isn't corrupted
Submit your answers to the preceding 4 questions following
these
preparation and submittal instructions (you will use ftp to deposit
your answer file in your "assignments" subdirectory on sputnik).
Please name your file "arpspoof.txt". I will grade these using an automated script, so the format of the answer
is critical to intelligibility. - due end-of-day Sunday, October
30 (10/20)
Grades
- posted. Includes the sdes (simplified DES) exercise. Please check your
average. (10/20)
Assignment 7
do - the firewall construction experiment on DETER, found at the
link entitled "firewall construction (on DETER)" in the righthand column.
Please note:
a) you should use the right network specification
file, firewall3.ns as emphasized in the bold notice at
the top of the instruction page you will visit for creating the DETER
network for this experiment.
b) the names of this project, and the
one for which the instructions were written, differ. Our project is known
to DETER by the name SMC-CS78. The instructions don't know that, they
think it's USCCsci530. Wherever you see the latter in any instruction,
substitute the former (e.g., where told to execute:
cp /proj/USCCSci530/exp/server4.c /root
execute instead:
cp /proj/SMC-CS78/exp/server4.c /root )
c) the instructions invite you to contact a Netgear router that's
on the internet. You can reach it and take a look
around per the steps given in the instructions.
d) the
instructions end by assigning you questions to answer. Don't answer the
questions. Instead, I have recast them in a multiple-choice form
and posted them as >>>your
assignment here<<<.
Submit your answers to those questions following
these
preparation and submittal instructions (you will use sftp to deposit
your answer file in your "assignments" subdirectory on sputnik).
Please name your file "firewalls.txt". I will grade these using an automated script, so the format of the answer
is critical to intelligibility. - due end-of-day Sunday, October
23 (10/13)
Grades
- posted. Includes the 2-part passwords exercise and the message digest
exercise. Please check your
average. (10/13)
Some questions
for fun next time - are you smart enough to answer any? you for
sure need to be able to answer the first one.
- what are the 3 functional purposes of cryptography?
- for hash/message-digest algorithms, is producing collisions the
exception or the rule? that is, do most of these algorithms normally
produce them or are most of them immune and collision-free? why?
- what's wrong with my post, below, titled "Manual brute force password attack for you to perform?"
- what's a password haystack?
- what is a "hash table?" what does it have to do with a
"hash," as discussed in class?
(10/10)
Narrated
lecture on the step-by-step procedure for doing s-des encryption
and decryption. This is the one we were listening to when we ran out of
time in class tonight. (10/6)
Grades
- posted. Includes process UID exercise (7 students did it, 16 did not). No
late credit for this assignment, do not ask. Please check your
average. (10/6)
Assignment 6
-
due end-of-day Friday, October 14
read - this article
about one-time pad (perfect, unbreakable) encryption
read - the write-up at the link entitled "Simplified
DES" in the column at left.
listen - to the two audio clips (see the icon)
"1. SDES - Simplified DES" and "3. SDES Mangler
Function." Optionally, also hear
"8. Cipher Block Chaining."
do - the assignment at link entitled "S-DES algorithm".
The assignment asks you to perform the S-DES algorithm on paper and turn
in the paper. Do not turn in any paper, but please do perform
the assignment on paper nonetheless. I have created some
multiple-choice questions about your solution, and posted them as >>>your
assignment here<<<.
Submit your answers to those questions following
these
preparation and submittal instructions (you will use sftp to deposit
your answer file in your "assignments" subdirectory on sputnik).
Please name your file "sdes.txt". I will grade these using an automated script, so the format of the answer
is critical to intelligibility. (10/6)
R.I.P. Steve Jobs
- pioneer (10/5)
Manual brute
force password attack for you to perform -
I chose a password and hashed it using md5. The hashed password is aac9ed1d22c81ffd6c84db03b975de59
(no salt). My password is one of the 2-letter words in English, which are
ad ah am an as at aw ax ay be by do go ha he hi if in is it me my no of oh on or ow ox pi so to uh um up us we
it's in lowercase. What is my password?
(9/30)
Grades
- published, at link entitled "Grade reports" at left. (9/29)
Assignment 5 -
due end-of-day Friday, October 7
submit - the file named uid.txt you produced in assignment 4.
Now that sputnik is available you have a place to submit it. See
assignment 4.
read - from textbook,
chapter 7 "Cryptography Basics"
message digests:
listen to this discussion about message
digests (cryptographic hashes). It's a 34-minute
conversation, of which you can skip the last 14 minutes for our
purposes. Just listen to the first 20 minutes.
perform - the exercise at the link entitled "message digests"
at right.
The
assignment asks you to acquire a file called "makebigfiles." You can get it by anonymous ftp from
unexgate.dmorgan.us (as
in Assignment 4
below). Do this
assignment while logged in to your account on sputnik.smc.edu, in your
home directory. Don't delete the files
created while performing the assignment. I will look for them in your home
directory later to
evaluate you. (To move files around among the various computers, see the
comments below under "A remote Unix system utility account.")
passwords:
perform - the exercise at the link entitled "Cracking passwords John the Ripper (2)"
at right. Use your Windows XP and fedora 7 virtual machines. (One way,
when asked, to transfer a file between them would be to ftp up to
your sputnik account from one, then ftp down from your sputnik account to
the other.) This exercise has 5 parts. Do the first 4 only. When finished,
maximize your command window and dump the file john.pot to the screen with
the command:
type john.pot
submit
- two results to me from this exercise. First, take a
screenshot of your screen showing the john.pot dump in the command window
and send it to me as an email attachment. Second, consider the 4th
question at the bottom of the exercise and use the Mandylion spreadsheet
as it asks. Then answer these questions, which recapitulate the exercise's
4th question (refer to it in answering these):
1. the length of the numbers-only password that requires at least
50 years to crack, in characters, according to the spreadsheet, is:
a. 12 b. 15 c. 17 d. 19 e. 24
2. with today's computing power, the length of the password
that requires at least the rest of your life to crack, in characters, is:
a. 12 b. 15 c. 17 d. 19 e. 24
3. accounting for the continued operation of Moore's law, the
length of the password that requires at least 50 years to crack is:
a. 12 b. 17 c. 19 d. 24 e. 28
4. the shortest "mixed character" password that'll last
50 years, in characters, is:
a. 12 b. 17 c. 19 d. 24 e. 28
Submit your answers to the preceding 4 questions following
these
preparation and submittal instructions (you will use ftp to deposit
your answer file in your "assignments" subdirectory on sputnik).
Please name your file "passwords.txt". I will grade these using an automated script, so the format of the answer
is critical to intelligibility.
A remote Unix system
utility account has been created for you.
Your username - your last name as it appears on my class
list, all lowercase.
Your password - is 5 digits extracted from your phone number.
If your phone number is 123-456-9876, then your password will be
56987 (final 2 digits from the 3-digit exchange, plus first 3 digits
of the 4-digit number).
The target computer - is sputnik.smc.edu
Usage method - you will use it by independent methods for two
independent purposes:
- to log in to it remotely, obtaining a shell and conducting a usage
session
- to transfer files back and forth between it and the computer you
are using locally
Students sometimes confuse these 2 different access methods and purposes.
To log in, use ssh as described in the "Remote Unix access
with ssh" link at left. Accordingly if your name is John Smith for
example, and you are using a command-line ssh client:
ssh smith@sputnik.smc.edu
and give your password when then prompted.
To transfer files, use any graphical ftp client that also supports
sftp, and point it to sputnik.smc.edu. A good free graphical
multi-platform client is
filezilla. Alternatively use sftp
and/or scp. They are command-line file transfer components of the ssh program. They are built
into Filezilla; see this youtube
tutorial. sftp and scp could also be used on the command line in
OpenSSH/linux, or as "pscp" and "psftp" as part of
PuTTY. When you perform an ftp or sftp login, you will be in a private directory
on the remote sputnik computer. Each student has his own. It would be
named /home/smith for our hypothetical friend John Smith. There, you'll
see a subdirectory named "assignments." To use scp from the
command line, the most quick-and-dirty option, the syntax is:
scp <filename> <user>@<server address>:/home/<user>
I will ask you to
transfer homework files into your "assignments" subdirectory as the means of submitting them. (9/29)
DETER
assignments - there will probably be 4:
- firewalls, midOctober
- arp spoofing, late October
- computer forensics, late November
- tunnels & VPNs, early December (9/28)
Upcoming topics
- authentication (passwords and pluggable authentication modules) then
cryptography. (9/22)
Assignment 4
-
su, suid, sudo and process UID control
perform the exercise at the link entitled "version 1 -
local" under the heading "ProcessUID control" at right. Do it on your
fedora 7 VMware virtual machine.
getting the needed files - the
assignment asks you to acquire 2 files. They are available by anonymous ftp from
unexgate.dmorgan.us. Use the character mode ftp client from within
your VM (see the link entitled "Transfering files with ftp"
for related discussion). Once logged in as user "anonymous" on
unexgate.dmorgan.us, issue the command "passive" (to overcome
certain specialized settings in the server's firewall). You will find the files in
the "pub" subdirectory, so do "cd pub" and then "get" the
files.
submit - When you are
finished, answer the 3 questions at the end. Submit your answers following
these
preparation and submittal instructions (you will use ftp to deposit
your answer file in your "assignments" subdirectory on sputnik).
Please name your file "uid.txt". I will grade these using an automated script, so the format of the answer
is critical to intelligibility.
- the files are ultimately to be turned in by placing them on a server
called sputnik that is not yet ready. Please hold the uid.txt file and
when the server is ready I will ask you to put your file there.
read from additional (non-textbook) sources
a - the link entitled "File permissions" at left
b - Part
1 and Part 2
of an article from IBM about passwords. Don't worry about the parts where
specific code examples are analyzed (unless particularly interested). Note
the article's suggestion to utilize dice for composing passwords in order to achieve "a completely random distribution of passwords of a given length."
Randomness is a virtue. Fair dice are genuinely unpredictable, and a computer is only as random as its source: a password produced by a non-cryptographic generator such as rand() seeded from the clock is guessable, whereas one drawn from the operating system's cryptographic random source (/dev/urandom on linux) is not.
c - a discussion of the importance of randomness for producing
"perfect passwords"
at Gibson Research Corporation.
visit - sites for a couple of password safes, products that put one master
password on your whole collection of passwords.
Password Safe
LastPass
podcast
discussion about LastPass (9/22)
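The dice advice in reading (b) and the randomness argument in reading (c) both come down to picking each password symbol uniformly from a symbol set. The following is an added example written for this page, not code from the course, IBM or GRC; it assumes a Unix-like system with /dev/urandom (true of Fedora and every current linux). It shows why the naive "random byte modulo alphabet size" is biased, how rejection sampling removes the bias (the same logic turns a byte stream into fair die rolls), and generates a password from the kernel's random source.

```c
/* Added example (not from the course page, the IBM articles or GRC):
   unbiased random password generation. Assumes a Unix-like system that
   provides /dev/urandom. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* How unevenly "byte % n" spreads the 256 possible byte values over n
   symbols. Returns the largest and smallest number of byte values that land
   on any one symbol; equal counts mean no bias. Requires 1 <= n <= 256. */
void modulo_bias(unsigned n, unsigned *max_hits, unsigned *min_hits) {
    unsigned hits[256] = {0};
    for (unsigned b = 0; b < 256; b++) hits[b % n]++;
    *max_hits = 0;
    *min_hits = 256;
    for (unsigned i = 0; i < n; i++) {
        if (hits[i] > *max_hits) *max_hits = hits[i];
        if (hits[i] < *min_hits) *min_hits = hits[i];
    }
}

/* Rejection sampling: a byte is accepted only if it lies below the largest
   multiple of n that fits in 256, so each of the n symbols is equally likely.
   Returns the symbol index, or -1 when the byte must be thrown away.
   With n = 6 this turns a byte stream into fair die rolls. */
int unbiased_index(unsigned char b, unsigned n) {
    unsigned limit = 256 - (256 % n);   /* n = 10: limit 250, bytes 250..255 rejected */
    if (b >= limit) return -1;
    return (int)(b % n);
}

/* Draw up to len symbols of alphabet from a caller-supplied byte stream.
   Deterministic for a given stream, which makes it testable; stops early if
   the stream runs out. Writes a NUL terminator (out needs len+1 bytes);
   returns the number of symbols produced. */
size_t password_from_bytes(const unsigned char *stream, size_t stream_len,
                           const char *alphabet, char *out, size_t len) {
    unsigned n = (unsigned)strlen(alphabet);
    size_t produced = 0, pos = 0;
    if (n == 0) { out[0] = '\0'; return 0; }
    while (produced < len && pos < stream_len) {
        int idx = unbiased_index(stream[pos++], n);
        if (idx >= 0) out[produced++] = alphabet[idx];
    }
    out[produced] = '\0';
    return produced;
}

/* The same, fed from the kernel's cryptographic random source.
   Returns len on success, 0 on failure (out is then an empty string). */
size_t generate_password(const char *alphabet, char *out, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) { out[0] = '\0'; return 0; }
    size_t produced = 0;
    while (produced < len) {
        unsigned char chunk[64];
        if (fread(chunk, 1, sizeof chunk, f) != sizeof chunk) {
            fclose(f);
            out[0] = '\0';
            return 0;
        }
        produced += password_from_bytes(chunk, sizeof chunk, alphabet,
                                        out + produced, len - produced);
    }
    fclose(f);
    return produced;
}

int main(void) {
    static const char alphabet[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    unsigned hi, lo;
    modulo_bias((unsigned)strlen(alphabet), &hi, &lo);
    printf("byte %% %zu: some symbols get %u byte values, others %u (biased)\n",
           strlen(alphabet), hi, lo);
    char pw[17];
    if (generate_password(alphabet, pw, 16) == 16)
        printf("16-character password: %s\n", pw);
    else
        fprintf(stderr, "could not read /dev/urandom\n");
    return 0;
}
```

Build with cc -o pw pw.c and run ./pw. Passwords drawn this way are uniform over the alphabet, which is the property the readings are after; strength then depends only on alphabet size and length (32 symbols from a 36-symbol alphabet is about 165 bits), and the rejection step costs only a few discarded bytes per password.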
Getting files from unexgate.dmorgan.us by anonymous ftp
I may occasionally ask you to get files from
unexgate.dmorgan.us by anonymous ftp. To use anonymous ftp on unexgate in
particular, your ftp client must use ftp's
"active" mode as opposed to its "passive" mode. There are numerous ftp clients for
you to use. I suggest either command-line ftp or the
graphical program Filezilla. (Get it
free at http://filezilla-project.org/.)
Once logged in, the directory where the files are is /pub/class/shellprogramming.
FTP: how do you make it use its
"active" mode? If you use the command-line client, you get
an interactive prompt. There, repeating the command
"passive" toggles between passive and active, and the client confirms each
time with "Passive mode on." or "Passive mode off." Make it active (off). If you use Filezilla,
edit its settings (Edit, Settings, Connection, FTP) and set the transfer mode to Active.
(9/22)
Assignment 3
-
read from textbook
a - chapter 6 "Filesystems and Security"
b - pp. 600-610 in the section of Chapter 19
"Defending Accounts" entitled " Administrative Techniques
for Conventional Passwords."
c - pp 850-61 about processes and the ps command that reports on
them; read this at a scan level, not to learn the detail in the tables and
figures but the concepts in the narrative
read additional resources
the link at left entitled "File permissions"
the link at left entitled "Remote Unix access with ssh"
road-test your DETER account by doing the exercise at
http://homepage.smc.edu/morgan_david/cs78/smc-deter-account.htm
Complete it by
Wednesday 9/21 end-of-day. You need send me nothing for this;
I can see the result as a DETER administrator. We'll use DETER more seriously later.
This is just to get you familiar with it first. (9/15)
ssh client
alternatives - we use ssh as a connectivity tool. Here are some
ssh clients. If your machine is a linux machine ssh is very likely already
installed as a command-line utility. If it's a Windows machine you need to
install a client. Depending on whether you prefer command lines or GUI dialogs,
get OpenSSH
for Windows or PuTTY.
There are also a few others.
OpenSSH delivers ssh to Windows in the same command-line form as it's
found in linux, while PuTTY is graphical. A particular version of PuTTY
useful for portability is portaputty.
It's a version of PuTTY that avoids the registry so as to be portable. So,
you could carry it around to different computers on a USB flash drive and
have your accustomed configuration right there with you instead of in the
registry back home. Read the link at left entitled "Remote Unix
access with ssh." (9/15)
DETER accounts
were created today - an advisory email message should be
generated to each of you informing you of your account credentials and
requiring you to make a minor change in your profile. It should be
self-explanatory. The message will go to your smc.edu email account.
(9/13)
Dropped from
class - Johnathan White and Brian Yeh. You may be reinstated if
you wish; if so, please contact me. (9/9)
Assignment 2 -
due before end-of-Wednesday-9/14, by email as per the instructions
do -steganography - use s-tools in Windows to create an image file containing
an embedded text file. Get s-tools here.
Be guided closely but not completely by the instructions at the link
entitled "steganography" in the assignments column at right.
Assuming your name is John Smith (substitute your own real name), please
name your files
smith.bmp and
smith.txt
In the txt file, put
a sentence naming you, such as "my name is John Smith". The
image file itself should be sunset.bmp, produced from sunset.jpg. Embed the text file
into the image file, using password "Password" and encryption
algorithm triple-DES. email to me the resultant file attached to a message entitled "steganography"
(I will use an email filter based on that title, if you name it something
else I won't get it). You get credit if I can
extract your text file and read your name. (In the assignment as written
up at the "steganography" link, ignore the 2nd portion about
covert channels. That assignment was written for use in a slightly
different setting. Follow it in terms of its step-by-step for using
s-tools but not in terms of the assignment administration. Those just described
here are the ones that apply for this class. In particular ignore the
questions at the end.)
listen - to this narrated
lecture about users. I will assume your knowledge of its content going
forward, just as for lectures given live in class. (9/8)
Assignment 1
1 - view the links entitled "Syllabus" and "Course
description" at the top of the left column
2 - get/order Practical UNIX and Internet Security textbook
("Syllabus" link, upper left)
3 - read textbook chapter 4 "Users, Passwords, and
Authentication" and chapter 5 "Users, Groups, and the Superuser."
Scan the introductory 3 chapters as well.
4 - review (optionally) the slide presentations at the links
entitled "general considerations" and
"users/processes/resources" at left.
5 - install VMware and 2 virtual machines
a Fedora 7 linux virtual machine
a Windows XP virtual machine
as platforms for doing exercises in this class. In the future I will feel
free to ask you to do work on these machines.
6 - as a tourist, visit the informational links listed at
left under the heading "DETER net testbed". Gain initial
familiarity with DETER at casual level. We will arrange DETER accounts
for you shortly. (9/1)
Textbook - an
electronic alternative
A student pointed out to me a commercial, electronic
option for obtaining the textbook. I don't specifically recommend it but
want to offer it to your attention. See
http://my.safaribooksonline.com/0596003234
and
http://my.safaribooksonline.com/?portal=oreilly
Introductory - this class, this
website
Thank you for your interest in this class and its subject
matter. Computer security is current, evolving, important, and
fascinating.
This is a traditional on-ground class. I plan to
use several supplementary, online vehicles to deliver it:
- a static website
- recorded, narrated slide presentation lectures
- virtual machines, local and/or remote
- the DETER network testbed
More information about these will
follow. As for what's on this website, there is more material on it than
we will necessarily use. In particular, the assignments shown at right are not
assigned to you merely because they appear there. When
I want you to perform one of them, I will post
an explicit instruction here, formally assigning exactly what I want
you to do, similar to the one I already posted above.
The
primary "home" of the course is this website. Assignments and
announcements will be posted here. I suggest you check
regularly.
Operating system platform for
studying computer security - doesn't matter! Security is
operating-system-agnostic. Individual operating systems have their
particular security characteristics and vulnerabilities but broad security
concerns and topics span platforms and devices. For example, password
strength and cracking are the same no matter where a password might be
implemented. The implementation of a password system will differ between
two OS's, but a strong or weak password is strong or weak everywhere,
intrinsically. Having said that, I am knowledgeable about linux and will
tend to use it as the primary operating system environment where the work
in this class will be done. There will be some use of Windows. Knowledge
of linux will be a big help to you, however exercises are usually designed
to give you the commands you are supposed to run, in order to reveal
whatever lesson I'm trying to convey. So, you don't have to know
linux commands deeply because I'm going to give you the ones you need when
you need them.
Categories of security to be
studied
The one that gets the headlines is network security. The way I look at it,
there are 4 areas:
- local security
- network security
- application security
- routine maintenance - prevention, detection, recovery
An example of local security is physical
access-- whether a machine sits behind locked doors or not. Another is
password strength. Those are considerations independent of the network, if
any. An example of application security is a flaw in code, for example a
stack overflow opportunity due to the way the code is written. This permits
some side-effect behavior/result unintended by the programmer, classically
a way to gain the privileges of the root/administrator/supervisor
superuser
found in most operating systems. That's a shortcoming of the application.
This problem too, like physical security or password strength, is unrelated to the network, if any. And "routine maintenance"
practices to prevent problems (security hardening, anti-virus
software), detect them (intrusion detection, disk analysis), and recover from
them (backup regimens, log analysis), are not
but though computer security encompasses concern for network security, my
point is that it
goes well beyond it. For a list of specific topics under these categories
see the link entitled "Course description" under the
Administrativa heading at upper left.
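As an added example of the stack overflow flaw just described (my own illustration, not from the textbook or the course page; NAME_MAX and the function names are mine), here is the unchecked copy into a fixed-size stack buffer next to a bounded version. The vulnerable function is shown for comparison and is never called by main:

```c
/* Added example, not from the course page: an unchecked copy into a stack
   buffer beside its bounded replacement. NAME_MAX is an assumed size. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* VULNERABLE: strcpy copies until the input's NUL byte, however long it is.
   Input longer than NAME_MAX-1 runs past 'name' into whatever sits above it
   on the stack, including the saved return address. Controlling that address
   is the classic way an attacker runs code of his own choosing with the
   program's privileges, which is why it matters most in set-UID root programs. */
void greet_unsafe(const char *input) {
    char name[NAME_MAX];
    strcpy(name, input);          /* no length check: the flaw */
    printf("hello, %s\n", name);
}

/* FIXED: check the length first and refuse input that does not fit, rather
   than silently truncating or overflowing. Returns 0 on success, -1 if the
   input was rejected. */
int greet_safe(const char *input) {
    char name[NAME_MAX];
    size_t n = strlen(input);
    if (n >= NAME_MAX) return -1;  /* need room for the terminating NUL */
    memcpy(name, input, n + 1);
    printf("hello, %s\n", name);
    return 0;
}

int main(int argc, char **argv) {
    const char *input = argc > 1 ? argv[1] : "smith";
    if (greet_safe(input) != 0)
        fprintf(stderr, "rejected: name longer than %d characters\n", NAME_MAX - 1);
    return 0;
}
```

To watch the flaw, change main to call greet_unsafe and pass an argument of a few hundred characters. On a current gcc with its default stack protector the program aborts with a "stack smashing detected" message; that is a mitigation catching the overwrite after the fact, not the bug being absent, and the bounded version is the actual fix.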
The class plan is to devote some initial
time to some introductory concepts and "review" of important
local security foundations having to do with resource/file access
control-- users, processes, permissions. These are aspects of system
administration. If you took my linux class at SMC this is indeed review.
But they are security aspects of the operating system environment.
Indeed user authentication and resulting file access control are a cornerstone
of system security. We simply could not omit them. Thereafter we'll
cover some foundations of networking as we need to know them. After that
comes all the other stuff. The "Course description" and the
links on this page give you pretty good hints what we'll study.
I will post lectures, which I expect you
to listen to. They consist of narrated powerpoint slides. You need an
up-to-date browser and Flash installed. The lectures are found under the
section heading, left column, entitled "Narrated slide presentations for online section."
The lectures are fairly heavy, multi-megabyte files. Be patient while they
load. If you have a dial-up connection go listen to them elsewhere (e.g.,
SMC computer lab would do). After they load they will play. You must click
to advance slide-to-slide.
My assumptions about you -
the formal prerequisite is that you took CS70, my SMC class about computer
networking. If not, but you have alternative exposure to the concept of
network frames/packets and computer addressing you will probably be OK. In
particular, I will take that in consideration and make grading allowance
in that case should you let me know that you are uncertain about your
networking background and tell me a little bit about it. For my email
address please see the "Syllabus" link at upper left. In
general, this is a relatively advanced course. Somebody who chooses to take
it probably doesn't do so casually, and knows a fair bit about computers
already or wouldn't be interested. I assume you are generally a
technically inclined and experienced person.
My assumptions about your equipment-
I assume you have access to a Windows machine on which you are free to
install software. You need access to a linux machine but I'm going to give
you that virtually and/or remotely. Windows won't be used extensively but some of the
exercises I want to assign do use it. Again, if you don't have a Windows
machine please let me know.
How much time can you expect to spend on
this class? Gee, I don't know. But a 3-credit non-online course at SMC would meet a little over
3 hours per week. So if I want
it, I guess I own at least 3 hours of your time. If nothing else the
lectures and reading will consume some time. And the exercises I assign
you add something to that. I am a believer in learning this stuff by doing
it, so the exercises are important.
Again, thanks for coming. I think we'll
have fun. (9/1)
College "dates and
deadlines":
(9/1)