CS78 Secure Server Installation & Administration
TCP/IP paper - "Intro to the IP Protocols"
Sockets: socket programming
This Website (http://homepage.smc.edu/morgan_david/cs78/) will be used to communicate with you. Announcements, grade reports, and assignments will be posted here. The site can be viewed from an internet-connected browser anywhere. You are responsible for awareness of the information posted here.
Thank you - for taking this course. It looks like cybersecurity will remain of relevant interest and concern to us as individuals and society for the indefinite future. You understand it better than 95% of the population. I hope you will be able to use your knowledge to your benefit. (12/15)
Other classes I teach - are known to you from the main website front page. There, you can see the class-specific pages from recent semesters for a fully concrete idea what they are.
CS40 - Operating Systems (3hr credit, next offered Spring 2018)
CS41 - Linux Workstation Administration (3hr credit, next offered Fall 2018)
CS70 - Network Fundamentals and Architecture TCP/IP networking (3hr credit, next offered Spring 2018)
CS75 - Network Protocols further depth and variety beyond CS70 (2hr credit, next offering unscheduled.)
I also teach related courses at UCLA Extension including a new one on shells and shell scripting (UCLA's fall quarter, September) and a "linux intermediate" which amounts to system administration topics that go beyond my SMC CS41 curriculum.. They are more costly than those of community college, but are public and available. (12/15)
If you want to learn a lot of linux in a little time - I recommend the SCaLE 16x (Southern California Linux Expo) held Thursday - Sunday March 8-11, 2018. It's intense, inexpensive, local. (12/15)
Legality, encryption, privacy - a few interesting perspectives. (12/15)
Test - to be done outside/online via Canvas, as described in class tonight. (12/13)
Extra Credit Assignments
Extra credit 2 - encryption modes
Either/both of these two, should you choose to do them, will be accepted through Friday December 22
Deadline extension for previously assigned
Grades - posted at link, upper left, entitled "Grade reports." Includes past assignments, and place-holders for the assignments that are eith yet to be recorded (because not yet due) or extra credit. The cumulative average does not incorporate these latter. They are shown to indicate what further work you should expect to do. Please call any anomalies to my attention. (12/13)
Grades - posted at link, upper left, entitled "Grade reports." Includes past assignments, and place-holders for the assignments yet to be recorded for the remainder of the course. The cumulative average does not incorporate the latter. They are shown to indicate what further work you should expect to do. Please call any anomalies to my attention. (11/22)
Exam - Wednesday, December 13 in our classroom 6:30pm
Devices, etc. - understanding distinctions among these entities is fundamental to understanding what you are encrypting when you perform data storage encryption.
Western Digital manufactures hard disks
Assignment 6 -
VeraCrypt successor to TrueCrypt - TrueCrypt was a widely used open source data encryption tool whose developers abruptly and without explanation "left town" one day in 2014. VeraCrypt is a fork, using TrueCrypt's source code and extending it. Speculation is that TrueCrypt's developers may have been required to desist from their project by law enforcement, to whom the product's effectiveness was daunting. VeraCrypt's website features a "warrant canary" link. Visit it. What is that for? Why is it there? (11/29)
Binary-to-text encoding - is why gpg keys are so funny looking! The keys themselves have arbitrary binary content. So you can't print them. Nor use them with protocols that don't handle what you can't print (email). For such problems, there are a number of encoding scheme solutions to map arbitrary binary bytes into a subset of bytes that are all printable. gpg uses one called Radix-64 (almost identical, better known as, base64). From a text or stream, it divides every 3 consecutive bytes (24 bits) into 4 units (6 bits apiece). Printing 8-bit units would require 256 distinct characters whereas printing 6-bit units would require 64. We don't have 256 characters. We have about 100. So while we don't have enough to go around for 256 values, we can accommodate 64 of them: with conversion we can print anything. (11/29)
Authentication without confidentiality - below is one of our slides. What's the stuff in the red box?
Note there is no encryption of the data, the purpose is not to obscure the data but to make certain it came from Fedora. (11/29)
Assignment 5 -
listen - to the recorded lecture on
do - the firewall construction experiment on DETER, course outline section
7 homework column - due on sputnik by end-of-day
Jet Propulsion Lab summer internship opportunities - Application deadline December 8. Public talk at SMC December 5. If you might want to apply please ask me for links to some application material and forms. (11/22)
Current events - our author Bruce Schneier testified before a congressional committee. Some vulnerabilities in Intel's motherboard Management Engine appeared. See Schneier's blog, also the SecurityNow podcast talked about both in the past 2 weeks. (11/22)
Grades - posted at link, upper left, entitled "Grade reports." Includes the assignments Simplified-Data-Encryption-Standard and one-time pad. Please call any anomalies to my attention. (11/22)
Assignment 4 -
listen - to the recorded lectures on
Grades - posted at link, upper left, entitled "Grade reports." Please call any anomalies to my attention. (11/15)
Forthcoming homework - to be assigned next Wednesday to be done the following week will include course outline section 10's "RSA encryption 2" exercise, wherein you will manually operate the RSA asymmetric encryption algorithm. (This is done "under the hood," not manually, by encryption software like tls which supports https.) Anticipate this assignment. (11/8)
Assignment 3 -
listen - to the recorded lectures on
do - see Course outline
topic 5, homework column. There, do both the activities you are asked to
"perform." One, about message digests or hashes, the
other cracking passwords with hashcat.
Available - if you are interested, my polyalph script demonstrating polyalphabetic substitution (where substitution of a symbol with some 2nd symbol does not always use the same 2nd symbol). It is in the /home/public directory of sputnik. (11/8)
Available - if you are interested, my covertping_transmitter.sh and covertping_receiver.sh scripts demonstrating a covert channel.. They are in the /home/public directory of sputnik. (11/2)
Notes on stools homework - It was assigned last week (see 10/25 "Assignment1" link below) without specified due date. Please do it (send required email message/attachment to me) Due to me by email per the assignment by end-of-day Tuesday 11/7
The Windows XP virtual machine requires you to obtain the stools program via network from a website, therefore needs to be internet-connected. It will be, provided that
1) your host machine (the one in which you installed VMware and run Windows XP as a guest) is itself connected and
2) there is a DHCP server in your local network. If you have any standard ISP service there will be, coming from the device that the ISP placed in your home or office.
Internship opportunity. (10/26)
Career information event Nov 7. (10/26)
Whats wrong with the premise here? (10/25)
and blogs - follow these during this course. Visit each at
least once a week, read and listen to what you find there, guided by what
Practicum - a couple CS78 students in a previous semester classes expressed specific interest in practice as opposed to theory. Specifically, "I run a server and I want to learn what I need to do to it to give it better security." This course has a rich curriculum, but it isn't primarily a vocational how-to. However I think it would be fun to spend a little time on the side taking a virgin machine, installing an OS on it from scratch with security considerations in mind. In following weeks as we study various topics we may learn some things we could do to harden it. It will be unstructured. I have an available laptop and will install Fedora 17 on it as demonstration. (Things that may come up: setup passwords, bootloader password, disk encryption, streamlined service set, firewall, 2-factor authentication, TPM.)
Passwords we can apply when setting up our scratch laptop:
Opportunity - I'm happy to tell you that as a class we have the fortunate invitation to use a network testbed facility operated by USC/ISI called DETER. I will request individual DETER accounts for you; when they are created you will get an email message with info and credentials. In class I will describe DETER and how we will use it. This will come some weeks into the semester. In the meantime, you can explore the links under the heading "DETER net testbed" at left if you like.
assignments - there will probably be 4:
Introductory - this class, this
This is a hybrid class, half on-ground and half on-line. I plan to use several online vehicles:
- a static website
More information about these will follow. As for what's on this website, there is more material on it than we will necessarily use.
The primary "home" of the course is this website. Assignments and announcements will be posted here. I suggest you check regularly.
Operating system platform for studying computer security - doesn't matter! Security is operating-system-agnostic. Individual operating systems have their particular security characteristics and vulnerabilities but broad security concerns and topics span platforms and devices. For example, password strength and cracking are the same no matter where a password might be implemented. The implementation of a password system will differ between two OS's but a strong or weak password is strong or weak wherever it is, intrinsically. Having said that, I am knowledgeable about linux and will tend to use it as the primary operating system environment where work in this class will be done. There will be some use of Windows. Knowledge of linux will be a big help to you, however exercises are usually designed to give you the commands you are supposed to run, in order to reveal whatever lesson I'm trying to convey. So, you don't have to know linux commands deeply because I'm going to give you the ones you need when you need them.
Categories of security to be
- local security
An example of local security is physical access-- whether a machine sits behind locked doors or not. Another is password strength. Those are considerations independent of the network, if any. An example of application security is a flaw in code, for example a stack overflow opportunity due to the way the code is written. This permits some side-effect behavior/result unintended by the programmer, classically a way to gain the privileges of the root/administrator/supervisor/superuser found in most operating systems. That's a shortcoming of the application. This problem too, like physical security or password strength, is unrelated to the network, if any. And "routine maintenance" practices to detect or prevent problems (security hardening, anti-virus software), detect them (intrusion detection, disk analysis), and recover from them (backup regimens, log analysis, failover systems), are not specific to networks either. The network attacks in the news are dramatic and sexy, but though computer security encompasses concern for network security, my point is that it goes well beyond it. For a list of specific topics under these categories see the link entitled "Course description" under the Administrativa heading at upper left.
The class plan is to devote some initial time to some introductory concepts and "review" of important local security foundations having to do with resource/file access control-- users, processes, permissions. These are aspects of system administration (if you took my linux class at SMC this is in part review). But they are security aspects of the operating system environment. Indeed user authentication and resulting file access control are a cornerstone of system security. We simply could not omit them from a security class. Thereafter we'll cover some foundations of networking as we need to know them. After that comes all the other stuff. The "Course description" and the links on this page give you pretty good hints what we'll study. And the "Course outline" tells you in concrete detail.
I may post certain lectures, which I expect you to listen to. They consist of narrated powerpoint slides. You need an up-to-date browser and Flash installed. The lectures are fairly heavy, multi-megabyte files. Be patient while they load. If you have a slow connection go listen to them on a faster one (e.g., SMC computer lab would do). After they load they will play. Another alternative is to download them (they are mp3 files) and listen to them with your local media player software. You must click to advance slide-to-slide.
My assumptions about you -
My assumptions about your equipment-
Thanks for coming. I think we'll have fun.
Colossus - 1944