CS1660 (formerly called CS166) is a course on computer systems security through a balanced mixture of theory and practice.

We’ll start out with building the foundations of security through an exploration of cryptography. From there, we’ll move to more complex, multi-faceted systems such as web applications, operating systems, and networks. Along the way, we’ll explore complementary topics such as authentication, physical security, social engineering, privacy, anonymity, usability, and the security of emergent systems such as blockchains and machine learning.

By learning about security through these multiple domains, you’ll concretely learn how various classes of attacks appear in a vast variety of scenarios and how they work in practice. You’ll also learn how to evaluate systems adversarially, from writing precise security analyses about subtle issues in protocols to discovering and exploiting vulnerabilities in concrete technical systems for yourself.

Through all of these activities, you’ll ultimately work to develop a specific kind of intuition—a “security mindset”—that will give you the knowledge, vocabulary, and confidence to critically analyze and effectively defend the software and systems you approach as a computer scientist even after the course.

We encourage you to take additional half-credit “lab”, called CS1620 (for undergraduates) or CS2660 (for master’s and graduate students). Senior undergraduates may use the lab portion to count for their capstone requirement.
Students taking the lab have the opportunity to work on advanced challenges that will provide you with a greater appreciation of systems security and the “security mindset” as a whole:

CS1620/CS2660 provides students with a deeper understanding of the material by doing advanced versions of the CS1660’s projects and advanced questions on the written assignments. These advanced versions focus on real-world skills: performing attacks that are more difficult and rely on less serious vulnerabilities, performing attacks against systems with more real-world constraints, and creating attacks that achieve a higher standard of quality than a mere proof of concept.

CS1620 vs. CS2660: Due to credit-counting logistics, the lab portion of the course has two different course numbers: CS1620 and CS2660. Undergraduate students wishing to do the half-credit lab should sign up for CS1620 in addition to CS1660. CS2660 combines both CS1660 and CS1620 in one, 2000-level course. If you are a graduate student (or an ScB student who has applied for the concurrent CS master's program), and wish to earn 2000-level credit for this course, you should sign up for CS2660 only. What’s the difference? Both CS1620 and CS2660 share the same extra course content, but only CS2660 counts for 2000-level credit. In course materials, we will refer to the lab portion simply as CS1620–this includes both CS1620 and CS2660 students.

How much work is the lab?: In previous years, students taking the lab report spending approximately 8–20 extra hours on each project throughout the semester, though they also note that the additional components are more front-loaded so the second half of the semester is much more flexible. (We anticipate that this will be the same this year.) You do not need any additional experience beyond the base prerequsites of the course to succeed with the lab-—anyone who feels comfortable taking CS1660 should also feel comfortable taking CS1620/CS2660, so long as you are comfortable with the extra time requirement. Note that students taking CS2660 are committed to completing the requirements for both the lab and main portion of the course–after the add/drop period ends, it is not possible for a CS2660 student to drop the lab portion and still get credit for CS1660 in the same semester.

How do I sign up?: If you are interested in the lab portion, undergraduates should register for CS1660 and CS1620 on CAB. Senior undergraduates are eligible to capstone with CS1620—-email the HTA list if you intend to have the lab count for your capstone credit. If you intend to take CS2660, please fill out this form and request an override code on CAB.

Interested in taking the course? That’s great! The course commonly fills up during pre-registration—when this happens, please do the following:

• Register for the waitlist by filling out this form. If you have any particular reasons you want to take the course, please let us know on the form. Please avoid sending us email about this (it will take longer!)–the form is designed to help us process your requests efficiently.

• Add the course to your shopping cart. This will grant you access to EdStem and Gradescope, when they become available at the start of the semester.

• Read about the lab component of the course, and consider if you want to take it. If you’re interested in taking the lab, make sure to note that in the waitlist form! (If you already submitted the form, don’t worry, you can visit the link again to edit your response!)

• If possible, attend (in person or via Zoom) the first lecture on Thursday, January 25 or watch the recording as soon as is feasible.

How does the waitlist work? We will give priority to students who are unable to take the course at another time–otherwise, we admit students on a first-come, first-serve basis. If you have any strict program requirements or other constraints that limit when you can take the course, please indicate this in your form response. If you already responded and need to edit your response, you can do so by clicking on the form link again.

What are my chances? While we cannot officially guarantee that all students on the waitlist will be able to take the course, we have typically been able to accommodate all students by the end of shopping period.

You should have an intro-sequence’s worth of programming experience (0160, 0180, or 0190) and have a good understanding of systems programming (0300, 0330, 1310, or 1330). This concretely means that:

• You should be comfortable writing programs and scripts in the language of your choice (such as Python, Ruby, Bash, Go, C++, etc.), be comfortable in a Unix command-line environment (running binaries, filesystem navigation, etc.) and using SSH with the Brown CS filesystem, have a basic understanding of systems programming concepts such as memory management and networking.
• You also should have heard of the terms “race condition”, “packet”, “TCP”, “UDP”, “buffer overflows”, and “DNS”. (If you forget what these are, don’t worry—we’ll describe them again when they come up in the latter half of the course.)
• You should also be at least somewhat comfortable (and very willing) to learn new programming languages and reading code in languages and programs that you’ve never used before. (You’ll get lots of practice with this in this course!)

If you don’t meet the official prerequisites but still want to take the course, please feel free to ask the instructors–we are happy to discuss your individual situation to determine if the course is right for you!

Your willingness to challenge yourself is perhaps the most important prerequsite for the course. Security can be frustrating at times, but the rewards are great. In exchange for engaging with some difficult intellectual challenges, you’ll have the opportunity to gain concrete insights about systems and security and become a better computer scientist along the way!

We will have live lecture on Tuesdays and Thursdays @ 2:30pm - 3:50pm ET in person at CIT 368 and on Zoom via this link. All lectures will be recorded and will be posted on Panopto following the lecture.
NOTE: We are encountering an issue with the recording for the first lecture. An update will be posted on Ed soon.

Attendance: Students are encouraged to attend lecture in-person or synchronously via Zoom, though this is not required. Attendance does not impact your course grade. Lecture may use TopHat questions to poll students during class–these are optional and are only used to gauge your understanding during class. TopHat responses have no impact on your course grade.

Asking Questions:: We encourage students to ask questions in class, either by raising your hand (either in person, or as a reaction or chat message in Zoom). If you are participating remotely, we will ask you to unmute and ask your question.

Recordings:: All lectures will be recorded. Recordings and any notes/slides from lecture will be made available within 24 hours of the lecture date in Panopto.
During shopping period, students who are not officially registered should have CSCI1660 in your primary cart on CAB in order to have access to Panopto.

We are happy to work with you in office hours to help with understanding any course concept or homework/project work. We are happy to help with planning how to approach problems, working with tools, figuring out how to debug your work, or reviewing concepts from lectures/homework assignments.

In order to make office hours accessible to as many students as possible, we are holding hours in two formats:

• Collaborative hours (hybrid or fully-remote): Most hours will be collaborative hours. In this format, simply come to the designated room and members of the course staff will circulate and take questions. Students participating remotely can join a zoom link (available on the Hours platform)–a dedicated staff member will talk with everyone on Zoom in parallel with in-person discussion.
  In collaborative hours, you are welcome to stay and work and ask questions as they come up–this is meant to create a space where you can meet and collaborate with your peers, while course staff is available to help you get “unstuck”, or explain a concept to a group if you encounter a problem. We can provide all forms of help during this time, including debugging or help with concepts. Some projects (notably Flag and Handin) may have certain restrictions on what can be discussed during collaborative hours–more information will be provided when these assignments are released.

• Individual, queue-managed (remote): This is the standard format at Brown. When the hour begins, a queue will appear on the Hours platform designated for our course. Whether you are in-person or remote, simply join the queue! When your turn comes up, you will receive a Zoom link to talk with a member of the course staff. Course staff may limit the amount of time one person may spend with a TA (i.e. ~15 minutes), especially during peak times.

Depending on which assignments are out at a given time, we will hold specific hours sections to help with homeworks or projects. These sections will use slightly different formats:

• In Project Hours: everyone sits in the same room (or Zoom room) and can ask questions for anything related to the projects (clarifications, code, etc.), lecture material, or general concepts
• For homeworks, we will hold Homework Clinics, where students can work in groups (usually in Zoom breakout rooms) on a particular homework problem and a TA will circulate between rooms to answer questions and provide instruction

As the semester progresses, we may make adjustments to the balance of remote/in-person/hybrid hours or the mechanics of the different formats based on student and TA feedback. If you have thoughts on your experience in hours, please fill out our Anonymous Feedback Form!

The Collaboration Policy is available as a separate document. Please read this policy, as it may differ significantly from other courses you have taken.

By submitting any assignment, you agree to abide by the collaboration policy. If you have any questions, please ask on Edstem.

Students are have five late passes to use on homeworks and projects, though no more than two late passes may be applied to any deadline. Each late pass extends the deadline by one day.

Weekends and University holidays (long weekend, spring break, etc.) do not count towards lateness or use of late passes–in other words, an assignment due on Friday and submitted on Monday is considered one day late for the purposes of grading and use of late passes.

If you have no more late passes, each day a project or homework is submitted late will subtract 25% from that assignment’s grade.

Project 4 is a partner project that contains multiple deadlines. Late passes may not be applied to the intermediate deadlines of Project 4. On the final deadline, your group will be allowed to use the minimum of you and your partner’s remaining late days (up to a maximum of two, as for all assignments).

Late passes and penalties are automatically applied at the end of the semester in an optimal fashion; that is, we will apply late passes in such a way that gives you the highest grade.

CS1620 and CS2660 students receive two additional late passes (seven total). However, students who drop CS1620 lose the additional passes and receive late penalties under the default CS1660 policy.

Extenuating circumstances: If there are extenuating circumstances preventing you from completing an assignment on time (e.g., illness), you may use to request an extension (without using late days), most preferably before the assignment is due. In these situations, please contact the instructors as soon as it is feasible for you to do so using this form. This form is not meant to be impersonal–we simply want to make sure we can keep track of any requests!

Please note that only the instructors are authorized to grant extensions for the course. The Head TAs and UTAs cannot comment on the likelihood of or approve extension requests.