COMP 2109A for Winter 2023 (updated: 14-Apr-2023)
Introduction to Security and Privacy


Course Information  

Updated course page:


Classroom location: ME3165, as posted on the public class schedule

Lectures: Tues/Thurs  11:30am–1:00pm (in person), Jan.10-Apr.11 2023, excluding Feb.20-24 (break)

Instructor: Paul Van Oorschot  (email: paulv +AT 

Office hours: TA Thurs 2-3pm@4125HP or via email, Instructor Tues 1:30-3:00pm@5173HP.   
TA (head): Srivathsan Morkonda Gnanasekeran (email: see Brightspace)
TA (other): Andy Tran (email: see Brightspace)

Students not meeting the prerequisites below are required to withdraw from the course
(otherwise you will be de-registered at some time during the term). 


Course Calendar Description

A tour of Internet security and privacy. Societal impacts and case studies. Topics from: protection goals of stakeholders; history of public key cryptography; programming languages and security; security engineering and testing; cybercrime and malware; Internet privacy and anonymity; government surveillance; regulation; ethics; blockchain applications.
COMP 1406 and COMP 2401, both with a minimum C- grade.   Lectures: 3 hours/week.


Required Textbook and Other Resources

1. Permanent Record, Edward Snowden (Picador softcover, Metropolitan Books hardcover, 2019).  Please acquire/order a copy for the first week of class. It is essential for Project 1 (20% of term mark).

2. Other resources will be online or available through Carleton library (electronically) or Brightspace.


Class format: In person.  All students are expected to attend all classes in person. Students are expected to read any materials indicated on the updated course page prior to each class, in order to contribute to their learning, and their ability to ask relevant questions and contribute in class.


Grading Scheme  To pass the course requires a passing grade (50%) overall AND on the sum of the two terms tests (25/50) AND on the sum of the two projects (17/34).  For inquiries about marks, contact the following individuals: head TA (for summary reflections and midterms), instructor (for projects).   

25%  midterm 1 (in class, closed book). Tues 14-Feb-2023

25%  midterm 2 (in class, closed book). Tues 28-Mar-2023

16%  Summary reflections (weekly), 8@2% each (individual student work). Detailed instructions here.

          Due 11:00pm Fri for each of: Jan.20  Jan.27  Feb.3  Feb.10  Mar.10  Mar.17  Mar.24  Apr.7

20%  Project 1. A technical report on the book: Permanent Record.  Detailed instructions are here.

          Due: Fri 3-Mar-2023, 11pm. 

14%  Project 2. A written report on a prescribed topic (some choice possible). Detailed instructions here.
12-Apr-2023, 11pm.


Academic integrity: Students may discuss general aspects of summary reflections and the projects, but may not share, post or distribute any written, video or voice recordings of any such discussions, or use those from anyone else (your own personal notes of any such discussions may be kept and used); other sharing is considered plagiarism is this course, as is cut-and-pasting of images, and use of answer-tools like ChatGPT.  Original sources must be cited; any passages used verbatim must be both quoted and cited; failure to cite resources used is considered plagiarism in this course. If unsure about expectations regarding collaboration and academic integrity (or how to cite sources), ASK the instructor. You are NEVER permitted to post, share, or upload course materials without written permission from your instructor. Academic integrity offences are reported to the office of the Dean of Science; information, process and penalties for such offences can be found at: 

Timeliness: Projects are handled electronically using Brightspace. By default, late assignments get a zero (0) grade, unless advance permission has been granted in writing from the course instructor.  With advance permission, a penalty of 25% per day for any part or whole day late may be allowed. There is no “grace period” (0 minutes) or exemption for technical or connectivity problems or system outages. Thus students are advised to submit final work at least an hour before official due dates/times.  


Topics Covered   

2 classes: Security and privacy landscape (areas and subareas, and what they comprise).

·       Jan.10: why study security, unofficial roadmap for courses in security stream, and first reading:
Co-evolution of security’s Body of Knowledge and curricula (or: IEEE version)

·       Jan.12: A view of security as 20 subject areas in four themes (or: IEEE version)  
video opener for Jan.12 class (4m54s): 
What is Pegasus spyware?

4 classes: Public key cryptography (history + impact on society) + Bitcoin.

·       Jan.17,19,24: Public Key Cryptography's Impact on Society: How Diffie and Hellman Changed the World;
(supplementary, history of info security: Diffie’s Turing Award lecture, 1h29m, Aug.16 2016)

·       Jan.26: Bitcoin overview, using Ch.13 of Tools and Jewels book (focus: 13.1, 13.2, 13.4, p.387, 13.7)
(supplementary, non-technical primer:
Will the bitcoin dream succeed?, 10m44s, Jun.12 2021, The Economist)

2 classes: Assets, protection goals, different stakeholders and their priorities.  

·       Jan.31: more bitcoin, then T&J Ch.1 sec.1.1-1.2. For Feb.2: pp.235-237 of sec.8.6 (secure email overview)

·       Feb.2: case study, pp.1-17 of: Secure email – A stakeholder-based analysis (appears in FC 2021)

2 classes: Computer and Internet architecture, relevant to threat models, security and privacy.

·       Feb.7: sec.1.5-1.6 in: Ch.1 (Tools and Jewels)

How the internet works: networking stack + sec.10.5 p300 + 10.6 + 11.6 p329-330  

·       Feb.9: OS, kernel, virtual memory spaces; how an OS works and how unauthorized software enters/runs.  Class notes.

1 class: midterm 1 (Feb.13).

4 classes: Privacy & anonymity, pseudonymity, linkability, partial identity (persona)  

·       Feb.16: defining privacy; Tor intro (4m33s), motivation (J. Appelbaum, 18m33s, TEDx 2012), simple overviews 6m49s, 6m59s, 5m01s
Tor technical details, 2004)

·       Feb.28: PET terminology, anonymous remailers, PET overview (L. Fritsch, 2007), traffic analysis & metadata.
(Supplementary: anonymity terminology & definitions,
Pfitzmann 2010)

·       Mar.2: Myths and fallacies of personally identifiable information (2010), data cross-correlation & re-identification, Netflix dataset case study.
Robust de-anonymization of large sparse datasets, 2008; Deriving mother’s maiden names using public records, 2005)

·       Mar.7: tracking users. Browser cookies (explainer), email bugs (see p.1), phones/desktop apps, social network issues.
Cambridge Analytica case study:
overview (3m8s), $5b fine, Trinidad election 2m54s (excerpt, The Great Hack), C. Wylie book excerpt (2019).
A future without secrets, 14m47s, Acquisti, 2013; ad blockers, USENIX 2020; phasing out 3rd-party cookies;
FB privacy study, PET 2006 and on same topic: Why We Disclose, 2010)

2 classes: Privacy regulation, governments, and ethical issues.  

·       Mar.9: GDPR, PIPEDA, CCPA; privacy-by-policy vs privacy-by-architecture (extra details: Engineering Privacy, 2009).
GDPR and app privacy, 2019)

·       Mar.14:  zero-day markets (p.1-4 ethics background) and other ethical issues. Govt access, interception, surveillance; Snowden.  
(Supplementary, on NSA stockpiling:
C.ACM 2021, VCE 2022; security ethics case studies and more trolley car problems 2023;
ethical disclosure, Part I of
Ethical Hacker’s Handbook; Pegasus spyware, Part 1/Part 2 53min each, 2023)

3 classes: Programming languages & software security.

·       Mar.16, 21, 23: Memory errors and memory safety (extended notes; shorter notes for C + Java and Rust)
(Supplementary, advanced:
memory layout of various Rust data types, 39min)

1 class: midterm 2 (Mar.28)

3 classes: Cybercrime and crimeware.

·       Mar.30: Ransomware case study—Conti cyberattack on Ireland Health Services (2021 pwc report)

·       Apr.4: Cybercrime & underground economies (class notes; overview).
Commoditizing malware distribution:
pay-per-install ecosystem, 2011.
(Supplementary introductions:
IRC-based markets, 2007; spam ecosystem, 2008)

·       Apr.6: Malware categories; virus example; history & evolution of computer viruses (49min 2011 DEF CON, Hyponnen). 
This is How They Tell Me the World Ends, 2021 bestseller)

1 class: Software security - security testing and software development.

·      Apr.11: Security testing & fuzzing; secure development lifecycle (2004).
Smart fuzzing and automated bug finding (16 of 46min 2016, D. Guido). Fuzzing misses the root problem (35min 2020, A. Ionescu)
(Supplementary:  “Simplified Implementation of the Microsoft SDL” & list of Tools on
resources page; SDL main page)

·      Project 2 due: 12-Apr-2023, 11pm; see “Timeliness” (above) for course policy on deadlines. 



·       20-year retrospective on Microsoft’s SDL (S.Lipner and M.Howard, IEEE Security & Privacy magazine, Mar-Apr 2023, pp.24-31)

·       landscape and hype of Quantum Computing (20min, 2022, theoretical physicist Sabine Hossenfelder)

·       censorship: GFC case study (overview 2012, short study FOCI 2014, great cannon FOCI 2015, measurements 2021 USENIX Security)


Objectives (Learning Outcomes) Students will gain an overview understanding of security and privacy, and how its subareas fit together and relate to other CS courses, giving context for later studies.  Students will gain technical understanding to be in a stronger position to independently evaluate or fact-check (against underlying technical realities) security content in general articles such as media and online reports.  Students will gain English technical writing experience over two modest-length technical reports and eight short weekly reports.


SCS-specific Information

Undergraduate Academic AdvisorsThe Undergrad Advisors for SCS are available in 5302HP, or  They can assist with information on prerequisites and preclusions, course substitutions/equivalencies, understanding your academic audit and the remaining requirements for graduation; and will refer students to appropriate resources such as the Science Student Success Centre, Learning Support Services, and Writing Tutorial Services.


SCS Laptop Requirement. Every student enrolled in an SCS 1000-level course after the 2020-21 school year must have a laptop. See and the requirements at for details.


SCS Computer Laboratory. Students in COMP courses can access SCS computer labs. The lab schedule and location can be found at: All SCS computer lab and technical support information can be found at: Technical support staff may be contacted in-person or virtually, see this page for details:


University Policies For information on Carleton's academic year, registration and withdrawal dates, see Carleton's Academic Calendar.

Pregnancy Obligation. Contact your instructor to request academic accommodation during the first 2 weeks of class, or as soon as possible once the need is known to exist. For details see Equity Services

Religious Obligation. Contact your instructor for any request for academic accommodation during the first 2 weeks of class or as soon as possible once a need is known to exist. For details see:

Academic Accommodations for Students with Disabilities If you have a documented disability requiring academic accommodations in this course, please contact the Paul Menton Centre for Students with Disabilities (PMC) at 613-520-6608 or for a formal evaluation or contact your PMC coordinator to send your instructor your Letter of Accommodation at the start of the term. You must also contact the PMC no later than 2 weeks before the first in-class scheduled test or exam requiring accommodation (if applicable). After requesting accommodation from PMC, meet with your instructor as soon as possible to ensure accommodation arrangements. For details, see the PMC site.

Survivors of Sexual Violence. As a community, Carleton is committed to maintaining a positive learning, working and living environment where sexual violence will not be tolerated, and survivors are supported through academic accommodations per Carleton's Sexual Violence Policy. For information on services available and about sexual violence and/or support, see:

Accommodation for Student Activities. Carleton recognizes the substantial benefits to individual students and the university, resulting from students participating in activities beyond classrooms. Reasonable accommodation will be provided to students competing at national and international levels. Contact your instructor with requests for academic accommodation during the first 2 weeks of class, or as soon as possible after the need for accommodation is known to exist. For more details, see the policy.

Student Academic Integrity Policy. Students should be familiar with Carleton’s student academic integrity policy. A student found in violation of academic integrity standards may be awarded penalties ranging from a reprimand to an F grade in the course or even being expelled from the program or University. Examples of punishable offences include: plagiarism and unauthorized co-operation or collaboration. Information on this policy may be found here.

Plagiarism. As defined by Senate, "plagiarism is presenting, whether intentional or not, the ideas, expression of ideas or work of others as one's own". Such reported offences will be reviewed by the office of the Dean of Science.  Standard penalty guidelines can be found here. Further specific information for COMP 2109 is given above under: Grading Scheme.

Unauthorized Co-operation or Collaboration. Senate policy states that "to ensure fairness and equity in assessment of term work, students shall not co-operate or collaborate in the completion of an academic assignment, in whole or in part, when the instructor has indicated that the assignment is to be completed on an individual basis". Refer to the course outline or the instructor concerning this issue.


Special Medical Information

COVID is still present in Ottawa.  The situation can change at any time and the risks of new variants and outbreaks are very real.  You can take a number of actions to lower your risk and the risk you pose to those around you including being vaccinated, wearing a mask, staying home when sick, washing your hands and maintaining proper respiratory and cough etiquette.

Feeling sick? Remaining vigilant and not attending work or school when sick or with symptoms is critically important.  If you feel ill or exhibit COVID-19 symptoms do not come to class or campus.  If you feel ill or exhibit symptoms while on campus or in class, please leave campus immediately.  In all situations, you must follow Carleton’s symptom reporting protocols.

Masks: Carleton has paused the COVID-19 Mask policy, but continues to strongly recommend masking when indoors, particularly if physical distancing cannot be maintained.  It may become necessary to quickly reinstate the mask requirement if pandemic circumstances change.

Vaccines: Proof of vaccination is no longer required to attend campus or in-person activity, but it may become necessary for the University to bring back proof of vaccination requirements on short notice if the situation and public health advice changes. Students are strongly encouraged to get a full course of vaccination, including booster doses as soon as they are eligible, and submit booster dose information in cuScreen as soon as possible.  Carleton cannot guarantee that it will be able to offer virtual or hybrid learning options for those unable to attend campus. 

All members of the Carleton community are required to follow requirements and guidelines regarding health and safety which may change from time to time.  For the most recent info about Carleton’s COVID-19 website and review the Frequently Asked Questions (FAQs).  Should you have additional questions after reviewing, please contact

Doctor’s note or medical certificate: In place of a doctor’s note or medical certificate, students are advised to complete the self-declaration form available on the Registrar’s Office website to request academic accommodation for missed course work including exams and assignments. Students should discuss with their instructor required accommodations arising from COVID-19.