Cybersecurity
COURSE
First edition: March 2024-May 2024
Detailed program (and a lot of additional material) on the course website
Slides on Microsoft Teams (yes: Microsoft Teams). Enrollment in the team will be automatic. Participants that are not enrolled automatically should contact me by email.
EXAM
Delivery of a report.
Execution of a demo.
Written exam (open questions, closed book).
Oral exam unlikely but possible, at my sole discretion.
The report and demo are specified below and may result in a grade increase in the range of [0,3]. Both should be completed one week before the written exam (or before the second partial exam). In exceptional cases, the demo may be completed a few days later.
Regarding the written exam:
Official calls: 8 questions. If 2 answers are missing or completely wrong, the exam is failed.
Partial exams: two partial exams during class time, one in the middle of the semester and one at the end; 5 questions each; if 2 answers in a partial exam are missing or completely wrong, then the entire exam is failed.
The two partial exams will be graded together, at the end of the semester (the advantage for students is a division and distribution of the load; please participate only if you are really motivated).
Report
A textual description of the activities that will be executed in the demo.
No more than 2000 words in Markdown, no more than 8 screenshots, structure and format described on the course website ("Report Docsify-This" page).
The report must clearly list the sources used for preparing and executing the demo (more on this below).
Demo
Live execution of "some activity" related to the course on the PC of the candidate (usually by executing two or more VMs) and/or on some cloud service.
The activity is at the discretion of the student (if in doubt, ask me before starting). It can be either a small variation of one of the relatively simple lab activities that will be proposed during the course ("Labs" section and "Hacking Lab" section of the course website), or some completely different and possibly more complex activity chosen by the student. Some ideas:
execution of a tutorial of some "attack tool" or of some "defense tool";
execution of some attack steps on a vulnerable machine described in a hacking write-up found on the web (search the "Vulnerable platforms" page on the course website);
execution of some attack steps autonomously defined by the candidate on a vulnerable machine.
The duration should be approximately 20 minutes. It will be shown to me, preferably via a video call, in group sessions with several students organised on request.
The demo is not meant to prove that the candidate has become a hacker or something like that. The demo need not show any "original" material.
The demo is only meant to prove that the candidate is indeed able to "use some real tool in practice".
Showing the execution of a guide found somewhere on the web is perfectly fine, provided the source is cited in the accompanying report. Showing an activity that has been found somewhere but is described as having been developed independently by the candidate is unethical behavior and will have consequences if discovered.
Assessment of Demo and Report
After delivery of the Report and execution of the Demo a grade increase in the range [0,3] will be communicated to the student (hopefully prior to the exam). This increase will be added to the grade of the written part.
The grade increase will be determined based on a combination of: clarity of the report, technical difficulty of the demo, autonomous contribution of the student. The maximum grade increase can be obtained even with little or no autonomous contribution.
Updates May 2024
The demo can be optionally delivered as a video, no longer than 15 minutes. The video must make it evident that the activity has been carried out by the student. The video can be uploaded to some service and shared privately with me (e.g., search for "share youtube video privately"). I will not download the video. I will ask for details and clarifications only if necessary. I think this is simpler and more efficient than the video call.
I would like to keep reports (but not videos) publicly available for future students. The submission form (indicated below) will have a checkbox for selecting this option.
Reports must have a concise but clear title and can be anonymized (which might encourage people to keep them publicly available).
Report and optional video have to be submitted by filling in this form (we do not have this capability with Microsoft Teams; it is probably too esoteric for Teams to consider). If the optional video is not submitted then a live demo will have to be executed with a video call; I will contact the student shortly after the form submission.
The form must be filled in at least one week before the official call, with the following exceptions only: partial call ("seconda provetta") or first official call: the form can be filled in even after the written exam but no later than June 9th.
To take part in the second partial exam ("seconda provetta") it is necessary (besides, obviously, having handed in the paper of the first partial exam) to:
Fill in the teaching evaluation form on esse3
Register for the first official call on esse3, specifying "provette" in the notes
Those who cannot register on esse3 for bureaucratic reasons should contact me by email, clearly stating the reason.
I greatly appreciate any feedback, comment or constructive criticism (other than "many more lab exercises would be needed", which I already know; the comment "there should be a lab exercise on topic X" or "the lab exercise on topic Y should have been done better" can instead be useful). Do not hesitate to put them in the teaching evaluation on esse3.
The evaluations on esse3 are seen not only by me but also by some other colleagues. If you have feedback or comments that you want to reach me directly in anonymous form, you can use one of the many free anonymous email services, for example Mailinator or others.