Capitalization and whitespace fixes #42

66 changes: 33 additions & 33 deletions data/installation.md
Expand Up @@ -6,7 +6,7 @@ information_page: true
---

The programming exercises in Securing Software and Advanced Topics
are based on python, save for few exceptions where javascript is used.
are based on Python, save for few exceptions where JavaScript is used.

In order to do programming exercises, you need to install several software packages:

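Review bot: the grammar slip on the line being changed survives the capitalization fix: `are based on Python, save for few exceptions where JavaScript is used.` should read `save for a few exceptions`. Since the line is already touched in this commit, folding that in avoids a second pass over the same sentence.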
Expand All @@ -15,90 +15,90 @@ In order to do programming exercises, you need to install several software packa

In addition, Securing Software requires

- several additional packages to test python exercises
- ChromeDriver + Chrome to test javascript exercises
- several additional packages to test Python exercises
- ChromeDriver + Chrome to test JavaScript exercises

## Installing TMC
## Installing TMC

TMC requires a fairly modern Java 8 or later to work properly.
Open jdk 1.8.0_212 for example works
OpenJDK 1.8.0_212 for example works
as should all 11.x and 12.x versions.
You can try to install and run tmc and update your java install if logging in with the cli fails.
You can try to install and run TMC and update your Java install if logging in with the cli fails.

Follow the instructions on the following page to install [TMC client](https://github.com/testmycode/tmc-cli).

Note that on this course we use the command line version of TMC, not netbeans
Note that on this course we use the command line version of TMC, not NetBeans
or any other IDE. So, you need to know the basics of command line use in the
terminal/command prompt.

If you detest command line usage, it is possible to use Visual Studio IDE (with
python) as there is also a Visual Studio
[plugin](https://www.mooc.fi/en/installation/vscode) for TMC client.
Python) as there is also a Visual Studio
[plugin](https://www.mooc.fi/en/installation/vscode) for TMC client.

## Installing Python 3

The exercises requires Python 3 (3.5 or higher). This may be confusing as for
example Macs come with preinstalled Python 2. There are many many ways to install Python 3

- Download it from the official [website](https://www.python.org/downloads/).
- Ubuntu/debian users can use apt-get.
- Ubuntu/Debian users can use apt-get.
- Mac users can use MacPorts if it is installed.
- Popular distribution of python, [anaconda](https://www.anaconda.com/products/individual) or [miniconda](https://docs.conda.io/en/latest/miniconda.html), has its own package installation system. This distribution should work but it has not been tested. If you already have anaconda installed, we suggest that you try to install the needed packages with anaconda.
- Popular distribution of Python, [Anaconda](https://www.anaconda.com/products/individual) or [Miniconda](https://docs.conda.io/en/latest/miniconda.html), has its own package installation system. This distribution should work but it has not been tested. If you already have Anaconda installed, we suggest that you try to install the needed packages with Anaconda.

We assume from now on that the command for Python 3 is `python3` which should
be the case for mac / linux. It may be also just `python`, in which case,
whenever we ask you to type `python3`, just type `python`. This is especially true if you are using windows.
be the case for Mac / Linux. It may be also just `python`, in which case,
whenever we ask you to type `python3`, just type `python`. This is especially true if you are using Windows.
You can see the
version of your python with
version of your Python with

```shell
python3 --version
```

It is not a bad idea to have python reachable via PATH environment variable. This should be more-or-less automatic
for mac and linux. Official Windows installer asks whether you want to have yout python in PATH (say yes).
It is not a bad idea to have Python reachable via PATH environment variable. This should be more-or-less automatic
for Mac and Linux. Official Windows installer asks whether you want to have your Python in PATH (say yes).

## Installing additional packages

This step is only required for Securing Software.

Package installer for Python (pip) should be already installed with modern python if you installed python from python.org or using conda distribution.
Package installer for Python (pip) should be already installed with modern Python if you installed Python from python.org or using conda distribution.
If you you installed it using apt-get or port, then most likely you will need to install pip. The package name is probably `python3-pip`,
alternatively follow these instructions to install [pip](https://pypi.org/project/pip/).


Install the following packages using pip

```shell
python3 -m pip install django selenium beautifulsoup4 requests
python3 -m pip install django selenium beautifulsoup4 requests
```

You need to allow your firewall software to allow python to listen and to connect to the internet.
You need to allow your firewall software to allow Python to listen and to connect to the internet.


## Installing ChromeDriver and Chrome
## Installing ChromeDriver and Chrome

This step is only required for Securing Software.

There are few programming exercises that require writing javascript.
In order to test these exercises locally, the tests rely on a chrome browser.
There are few programming exercises that require writing JavaScript.
In order to test these exercises locally, the tests rely on a Chrome browser.

Two pieces of software are required
- the browser [Google Chrome](https://www.google.com/chrome/)
- a software that allows python communicate with the the browser [ChromeDriver](https://sites.google.com/a/chromium.org/chromedriver/downloads)
- a software that allows Python communicate with the the browser [ChromeDriver](https://sites.google.com/a/chromium.org/chromedriver/downloads)

When installing ChromeDriver you need to make sure that the driver version matches the browser version,
otherwise the driver refuses to work.
The browser version can be seen by going to chrome://version .

You also need to make sure that both chrome and the chromedriver can be reached via PATH environment variable, that is,
you should be able to open the chromedriver and the browser via command line without specifying the exact location of the executable.
You also need to make sure that both Chrome and ChromeDriver can be reached via PATH environment variable, that is,
you should be able to open ChromeDriver and the browser via command line without specifying the exact location of the executable.

Chromedriver doesn't come with an installer. Instead it's a zipped executable.
ChromeDriver doesn't come with an installer. Instead it's a zipped executable.
You need to unzip the package, and place the executable somewhere where the PATH
can reach it.

Google Chrome has a tendency to update itself. When this happens you will need to update your chrome driver manually.
Google Chrome has a tendency to update itself. When this happens you will need to update your ChromeDriver manually.

### Sanity check

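Review bot: two doubled words remain in this hunk. The touched ChromeDriver bullet still reads `a software that allows Python communicate with the the browser` (also missing `to`: `allows Python to communicate with the browser`), and the untouched context line `If you you installed it using apt-get or port` has the same kind of duplication. Separately, `if logging in with the cli fails` is inconsistent with the capitalization applied to TMC and Java on that same line; `CLI` would match the rest of the edit.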
Expand All @@ -109,7 +109,7 @@ download the [script](/public/scripts/sanity.py) and test it with python
python3 sanity.py
```

The script will test if the python packages are installed and uses selenium to access google.com.
The script will test if the Python packages are installed and uses Selenium to access google.com.
Note that this script tests the installations required for the Securing Software course.
These packages are not needed for Advanced topics.

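Review bot: capitalization is inconsistent within this file after the change: the context line `These packages are not needed for Advanced topics.` keeps `Advanced topics`, while a later hunk in the same file changes `the advanced topics` to `Advanced Topics`. Suggest `Advanced Topics` here as well.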
Expand All @@ -121,13 +121,13 @@ If it asks for a server address, then your TMC client is outdated. Re-install th

Provide login details, and use organization slug `mooc`.

Download the exercises for securing software with the command
Download the exercises for Securing Software with the command

```shell
tmc download mooc-securing-software-22
```

Download the exercises for the advanced topics with the command
Download the exercises for Advanced Topics with the command

```shell
tmc download mooc-cyber-advanced-topics-2022
Expand All @@ -139,12 +139,12 @@ You can test the exercises locally with `tmc test` and submit your solutions wit
See `tmc help` for additional commands.

You can test individual exercise by going to an exercise-specific folder, or
you can test all of them at once by issuing testing commands at root.
you can test all of them at once by issuing testing commands at root.

Every exercise has automated tests. If you end up in situation where `tmc test` cannot
find any test, you can locate the bug by either starting the application yourself
(if the programming exercise is django, then start the server with `manage.py`)
or submit the exercise and see the logs on TMC website.
(if the programming exercise is Django, then start the server with `manage.py`)
or submit the exercise and see the logs on TMC website.

NB! The TMC server tests the exercises with Python 3.7. Most likely, your
Python installation will be a newer version. Make sure that you do not use
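Review bot: the touched line `or submit the exercise and see the logs on TMC website.` is missing an article and should read `on the TMC website`. The context line `If you end up in situation where` has the same problem (`in a situation where`).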
8 changes: 4 additions & 4 deletions data/module-1/part-1/8-history.md
Expand Up @@ -12,7 +12,7 @@ We will provide selected historical examples and comment on patterns and trends.
Malware predates commercial, wide-spread internet.
[Brain](https://www.youtube.com/watch?v=lnedOWfPKT0), the first _virus_
for PC (with MS-DOS being the operating system) was written in January 1986.
The virus infected the boot sector of floppy disks.
The virus infected the boot sector of floppy disks.
If the floppy disk was inside the PC during its boot,
a contemporary computer would first try boot it from the floppy, before moving
to the hard disk (if such was present). Booting from the floppy disk allowed
Expand Down Expand Up @@ -68,9 +68,9 @@ possible due to the significant scripting abilities in Microsoft office programs
led to a significant rise of macro viruses as now viruses could spread through
documents, especially as email attachments.

The first email virus/worm/trojan, _Happy99_ appeared in January 1999.
The first email virus/worm/trojan, _Happy99_ appeared in January 1999.
The virus consisted of a trojan executable that upon execution would show firework
animation, and attached itself to an existing windows library. Under certain conditions,
animation, and attached itself to an existing Windows library. Under certain conditions,
it would then send itself further over email to a new machine.
In May, 2000, an internet worm _ILOVEYOU_ infected over 10 million Windows users.
The worm consisted of an email asking to open an attachment "LOVE-LETTER-FOR-YOU.txt.vbs".
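Review bot: `internet` vs `Internet` is left inconsistent across the PR. This hunk keeps `an internet worm _ILOVEYOU_` lowercase, while the context lines in 9-internet.md read `connected to the Internet` and `Internet has layers`. Pick one form for the course text. On the same line, `In May, 2000,` should be `In May 2000,`.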
Expand Down Expand Up @@ -185,7 +185,7 @@ alleged connections as is, without further speculation.

Notable examples of APT actions include:

* [APT1](https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf), a Chinese cyber espionage group
* [APT1](https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf), a Chinese cyber espionage group
* [Guccifer 2.0](https://www.washingtonpost.com/world/national-security/cyber-researchers-confirm-russian-government-hack-of-democratic-national-committee/2016/06/20/e7375bc0-3719-11e6-9ccd-d6005beac8b3_story.html), a hacker group responsible for cyber security attack against Democratic National Committee in United States, supported by Russian government.
* [Lazarus Group](https://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html?_r=0), a hacker group responsible for hacking Sony Pictures as a retaliation for the movie "The interview", with possible links to North Korea.
* [Stuxnet](https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/) a significant and extremely sophisticated computer worm designed to attack
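Review bot: two capitalization fixes in the spirit of this PR are missed in the context lines of this hunk: the movie title `"The interview"` should be `"The Interview"`, and `Democratic National Committee in United States` should be `in the United States`.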
16 changes: 8 additions & 8 deletions data/module-1/part-1/9-internet.md
Expand Up @@ -12,14 +12,14 @@ connected to the Internet.
Internet has layers. Different protocols that are responsible for communication can be grouped
in 4 layers.

1. Link layer
1. Link layer
2. Internet/network layer
3. Transport layer
4. Application layer

Protocols at the link layer are responsible for direct communication between
two entities over the same link, for example, a protocol responsible
communication between a laptop and a WiFi-router establishes the
communication between a laptop and a WiFi-router establishes the
frequency, as well as how bits are transferred over that frequency. On the
other extreme, the protocols in the application layer establish common language between
two applications sharing information, for example, the HTTP protocol describes how
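Review bot: the sentence that spans the touched line is missing a preposition: `a protocol responsible` / `communication between a laptop and a WiFi-router` should be `responsible for communication`. The word `responsible` sits on the context line directly above the changed one, so the fix belongs there.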
Expand Down Expand Up @@ -48,7 +48,7 @@ Grouping protocols in 4 layers is often referred as _TCP/IP model_ (named after
_internet protocol suite_. Often the link layer is split in 2 layers, physical link, and data link, leading to 5 layers instead of 4.

We can also use Open Systems Interconnection model (OSI model) which has 7 layers.

</text-box>

## Internet layer and IP protocol
Expand Down Expand Up @@ -77,14 +77,14 @@ packet size, and is smaller than the payload. That is, if the payload is larger
what the link layer can transmit in one packet, IP protocol will chop the packet in smaller
fragments, and transmit them individually.
A maximum size for a single IP
packet is 65535 bytes of which 20 bytes are an IP header. Naive implementations of IP fragmentation
packet is 65535 bytes of which 20 bytes are an IP header. Naive implementations of IP fragmentation
allowed for [exploits](https://www.kyberturvallisuuskeskus.fi/en/vulnerability-handling-ip-fragments) such as denial-of-service attacks.

IP also provides a checksum to make sure that the payload has not been
corrupted. Note that the goal of this checksum is to protect from non-malicious
errors due to, for example noisy underlying communication channel. If the packet
is modified by an attacker, it is trivial to compute a new valid checksum for
that particular packet.
that particular packet.

When a device, either the end host or a router, notices a corrupted IP packet,
it is dropped, and an error message is sent back.
Expand Down Expand Up @@ -170,7 +170,7 @@ of the protocol is significant overhead, especially due to the acknowledgment
packets. This latency is not acceptable in certain real-time applications,
for example, online gaming. An alternative protocol for TCP is User Datagram
Protocol (UDP), a simple protocol providing ports and a(n optional) checksum as
additional services, and nothing else.
additional services, and nothing else.

<figure>

Expand Down Expand Up @@ -205,7 +205,7 @@ measures are taken, traffic data can be intercepted or, worse, modified. This
is known as a man-in-the-middle attack, and modifying traffic can extremely
sophisticated, for example,
[injecting](https://thenextweb.com/insights/2017/12/11/comcast-continues-to-inject-its-own-code-into-websites-you-visit/)
(java script) code to a web browser when a user visits 3rd party websites.
(JavaScript) code to a web browser when a user visits 3rd party websites.

Data encryption can be done in a link layer, for example, WiFi can use WPA2 to
encrypt its traffic. Similarly, data over cellular connection is encrypted.
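Review bot: the context line `modifying traffic can extremely sophisticated` is missing a verb and should read `can be extremely sophisticated`; this hunk already fixes `(java script)` to `(JavaScript)` two lines below, so the same touch could pick it up. `3rd party websites` would also read better as `third-party websites`.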
Expand All @@ -229,7 +229,7 @@ the actual payload cannot be observed.

It is possible to use the encryption protocol (known as TLS) used by HTTPS to
encode normal IP traffic. Here, the user connects to a special server and establishes
a secure channel. Using this channel the user sends IP data packets.
a secure channel. Using this channel the user sends IP data packets.
The server then decrypts the stream, and forwards the
packets to the address specified in the packets. The server also modifies the
TCP/IP headers (similar to NAT) so that it seems that the connection is coming
2 changes: 1 addition & 1 deletion data/module-2/part-1/index.md
Expand Up @@ -12,7 +12,7 @@ participant will learn the principles of developing web applications, typical
security issues that are related to such applications, and how such issues are
discovered and mitigated.

This course assumes that you are (somewhat) familiar with programming in python and
This course assumes that you are (somewhat) familiar with programming in Python and
comfortable with using command line commands.

By continuing, you agree to not to do any harm with this information or other similar information on the internet.
14 changes: 7 additions & 7 deletions data/module-2/part-1/server.md
Expand Up @@ -66,7 +66,7 @@ each of these resources are retrieved separately by the browser (except for the

Each resource that the browser retrieves is also a potential security threat.
For example, if a malicious user has found means to include his or her own
Javascript as a part of a site, the Javascript will be executed on the users'
JavaScript as a part of a site, the JavaScript will be executed on the users'
machine.

Whilst this may not at first sound like such a bad deal, it can -- for example
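Review bot: `the JavaScript will be executed on the users'` / `machine.` uses a plural possessive with a singular noun; `the user's machine` is what the sentence means. The JavaScript capitalization change is on that same line, so it can be corrected in the same edit.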
Expand Down Expand Up @@ -171,7 +171,7 @@ urlpatterns = [
```python
# views.py
from django.http import HttpResponse


def pathView(request):
return HttpResponse('Path')
Expand Down Expand Up @@ -212,7 +212,7 @@ urlpatterns = [
```python
# views.py
from django.http import HttpResponse


def greetView(request, user):
return HttpResponse('Hi ' + user)
Expand All @@ -236,7 +236,7 @@ urlpatterns = [
```python
# views.py
from django.http import HttpResponse


def greetView(request):
user = request.GET.get('user')
Expand Down Expand Up @@ -364,7 +364,7 @@ def homePageView(request):

The context variable is a
[dictionary](https://docs.python.org/3/tutorial/datastructures.html#dictionaries),
and it can also contain nested dictionaries and lists.
and it can also contain nested dictionaries and lists.

The context can be then rendered using the `{{}}` syntax in the template

Expand All @@ -390,7 +390,7 @@ application. Forms are defined in HTML (see
[form](http://www.w3schools.com/html/html_forms.asp)) using the `form`-element.
The form-element will contain the path to which the content will be sent to,
the type of the request, and the data. For now, the type of the request will be
POST. We will discuss POST and GET later.
POST. We will discuss POST and GET later.

The data is defined using fields such as the input field (`<input
type="text"...`), and the content is sent to the server using a button (`<input
Expand Down Expand Up @@ -498,6 +498,6 @@ Once finished, submit the assignment to the TMC server.
</programming-exercise>


During this part of the securing software course, we have taken the first steps
During this part of the Securing Software course, we have taken the first steps
into understanding web applications. The next part will look into using
databases and the underlying HTTP protocol.