Cybersecurity
COURSE
Detailed program (and a lot of additional material) on the course website
Slides on Microsoft Teams (yes: Microsoft Teams). Enrollment in the team will be automatic. Participants who are not enrolled automatically should contact me by email.
EXAM
Delivery of a report.
Execution of a demo.
Written exam (open questions, closed book). Exam sample here.
Oral exam unlikely but possible, at my sole discretion.
The report and demo are specified below and may result in a grade increase in the range of [0,3]. Both should be completed one week before the written exam (or before the second partial exam). In exceptional cases, the demo may be completed a few days later.
Regarding the written exam:
Official calls: 8 questions. If 2 answers are missing or completely wrong, the exam is failed.
Partial exams: two partial exams during class time, one in the middle of the semester and one at the end; 5 questions each; if 2 answers in a partial exam are missing or completely wrong, then the entire exam is failed.
The two partial exams will be graded together, at the end of the semester (the advantage for students is a division and distribution of the load; please participate only if you are really motivated).
Report
A textual description of the activities that will be executed in the demo.
No more than 2000 words in Markdown, no more than 8 screenshots, structure and format described on the course website ("Demo Requirements" page).
The report must clearly list the sources used for preparing and executing the demo (more on this below).
Demo:
Live execution of "some activity" related to the course on the PC of the candidate (usually by executing two or more VMs) and/or on some cloud service.
The demo must be delivered as a video, no longer than 15 minutes. The video must make it evident that the activity has been carried out by the student. I will ask for details and clarifications only if necessary. Clarifications may include the request to see a live execution of the demo.
The activity is at the discretion of the student (if in doubt, ask me before starting). It can be either a small variation of one of the relatively simple lab activities that will be proposed during the course ("Labs" section and "Hacking Lab" section of the course website), or some completely different and possibly more complex activity chosen by the student. Some ideas:
execution of a tutorial of some "attack tool" or of some "defense tool";
execution of some attack steps on a vulnerable machine described in a hacking write-up found on the web (search the "Vulnerable platforms" page on the course website);
execution of some attack steps autonomously defined by the candidate on a vulnerable machine.
The demo is not meant to prove that the candidate has become a hacker or something like that. The demo need not show any "original" material.
The demo is only meant to prove that the candidate is indeed able to "use some real tool in practice".
Showing the execution of a guide found somewhere on the web is perfectly fine, provided the source is cited in the accompanying report. Showing an activity that has been found somewhere but is described as having been developed independently by the candidate is unethical behavior and will have consequences if discovered.
Assessment
After delivery of the Report and execution of the Demo, a grade increase in the range [0,3] will be communicated to the student (hopefully prior to the exam). This increase will be added to the grade of the written part.
The grade increase will be determined based on a combination of:
clarity of the report;
technical difficulty of the demo;
autonomous contribution of the student.
The maximum grade increase can be obtained even with little or no autonomous contribution.
Submission and Archival
The video can be uploaded to some service and shared privately with me (e.g., search for "share youtube video privately"). I will not download the video.
I would like to keep reports and/or videos publicly available for future students. The submission form (indicated below) will have a checkbox for selecting this option.
Reports must have a concise but clear title and can be anonymized.
Report and optional video have to be submitted by filling this form.
The form must be filled in at least one week before the official call, with only these exceptions:
partial call ("seconda provetta") or first official call;
in those cases, the form can be filled in even after the written exam but no later than June 9th.
In order to participate in the second partial call, it is necessary to:
Fill in the teaching evaluation form on esse3.
Register for the first official call on esse3, specifying in the notes "provette".
Those who cannot register on esse3 for bureaucratic reasons should contact me by email, clearly stating the reason.