From 33e5d8ec910ae265f3a40019196f9d907d9d9911 Mon Sep 17 00:00:00 2001
From: Trance-0 <60459821+Trance-0@users.noreply.github.com>
Date: Thu, 15 Jan 2026 12:06:21 -0600
Subject: [PATCH] updates

---
 content/CSE4303/CSE4303_L2.md | 108 ++++++++++++++++++++++++++++++++++
 content/CSE4303/_meta.js      |   1 +
 2 files changed, 109 insertions(+)
 create mode 100644 content/CSE4303/CSE4303_L2.md

diff --git a/content/CSE4303/CSE4303_L2.md b/content/CSE4303/CSE4303_L2.md
new file mode 100644
index 0000000..dc2d454
--- /dev/null
+++ b/content/CSE4303/CSE4303_L2.md
@@ -0,0 +1,108 @@
+# CSE4303 Introduction to Computer Security (Lecture 2)
+
+[Configuring VM](https://github.com/seed-labs/seed-labs/blob/master/manuals/vm/seedvm-from-scratch.md)
+
+## Course introduction and security fundamentals
+
+### Other security goals
+
+Authenticity: identity of an entity (issuer of info/message) is verified
+
+Anonymity: identity of an entity remains unknown
+
+Non-repudiation: messages can’t be denied or taken back (e.g. online transaction commitments)
+
+### Security foundations
+
+Security is about people, processes, technology
+
+- need all 3 to be secure!
+
+Security is about *trust in* people, processes, technology
+
+- Fundamental question: where is trust being placed, and is it justified?
+- Computing stack: compromise at a given level can impact any higher level
+
+Attackers often exploit assumptions
+
+"I assumed everyone would log out when they leave”
+
+"I didn’t expect anyone to do that"
+
+The assumptions we make are often hidden or implicit, making them easy to forget when reasoning about security of a system
+
+Reasoning about security requires properly defining security relative to the particular system:
+
+- What assets are being secured?
+- What properties should the system enforce?
+  - CIA triad, anonymity, non-repudiation
+- What capabilities does the threat have?
+- Where does the system place trust?
+- What assumptions are being made?
+
+### Modeling attacks
+
+Common components:
+
+- System being attacked
+  - Architecture of the system, trust model, assumptions, assets
+- Threat model
+- Attack surface: what can be attacked
+  - Open ports and exposed services
+  - Public APIs and their parameters
+  - Web endpoints, forms, cookies
+  - File system permissions
+  - Hardware interfaces (USB, JTAG)
+  - User roles and privilege boundaries
+- Attack vector: how the attacker attacks
+  - SQL injection via POST /login
+  - Phishing to steal credentials, then SSH login
+  - Buffer overflow in a network daemon
+  - Cross-site scripting through a comment field
+  - Supply-chain poisoning of a dependency
+- Vulnerability: what the attacker can do
+- Exploit: how the attacker exploits the vulnerability
+- Damage: what the attacker can do
+- Mitigation: mitigate vulnerability
+- Defense: close vulnerability gap
+
+<details>
+<summary>Example</summary>
+
+Stealing credit card info via hidden scanner ("skimming")
+
+- System being attacked: card-swipe payment kiosk (alternative models?)
+- Threat model: professional criminal gang with substantial knowledge and resources
+- Attack surface: magstripe scanner
+- Attack vector: rogue scanner inserted into machine (e.g. at pay-at-the-pump gas station), or on top of existing scanner
+- Vulnerability: physical scanner easy(ish) to remove, and magstripes easy to read
+- Exploit: record card info as it’s scanned, then store/exfiltrate
+- Mitigation: 2FA in addition to magstripe (chip, PIN, zip code, etc.)
+- Defense: anti-tamper strips on card swiper
+
+</details>
+
+Importance of correct modeling
+
+- Attack-surface awareness guides defenses
+  - E.g. pre-Covid-19 vs. post-Covid attack surface of company
+servers
+- Match resources to expected threat actors
+- Common threat actors
+  - "Script kiddie": individual or group running off-the-shelf attacks
+    - Caveat: off-the-shelf attacks can still be quite powerful! Metasploit, Shodan, dark web market.
+  - "Insider attack": employee with access to internal machines/networks
+  - "Advanced Persistent Threat (APT)": nation-state level
+resources and patience
+  - All these threats have different motivations, require different defenses/responses!
+
+### Specific vulnerabilities
+
+Goal of the course: exposure to common threats in broad range of areas of computing stack
+
+- Hardware
+- OSes
+- Networks
+- Apps: web, AI/ML
+
+Studio time!
diff --git a/content/CSE4303/_meta.js b/content/CSE4303/_meta.js
index 034bd0d..05d5eac 100644
--- a/content/CSE4303/_meta.js
+++ b/content/CSE4303/_meta.js
@@ -4,4 +4,5 @@ export default {
         type: 'separator'
     },
     CSE4303_L1: "Introduction to Computer Security (Lecture 1)",
+    CSE4303_L2: "Introduction to Computer Security (Lecture 2)",
 }