FAQ about CS 194-138/294-138 (Cyberwar) Fall 2017

FAQ for undergraduates

Q: What is the Cyberwar course about?
A: The Cyberwar course will give students a chance to apply the knowledge that they have gained in other CS courses to real-world scenarios:

Q: Have the details of the course been finalized?
A: No, the course is still under development, and the information on this web page is current as of April 9. Everything -- and I mean everything -- described below is subject to revision.

Q: What will the workload of the course be?
A: The workload will be typical of a 4 unit course in CS. Almost all of the workload in the course will be project based.

Q: Has this course been given before?
A: No, this is an experimental course. If you are a student in this course, you'll be an alpha-tester of this course design, and if it is successful, I may use it in future courses. Because this is an experimental course, things will definitely go wrong at various points. If you are uncomfortable being in a course that is untested and rough-around-the-edges, then this is not the course for you. (However, I'll certainly take into consideration any course problems that do arise when assigning grades. I expect that the grade distribution for the course will be the same -- or have higher grades -- than the course distribution for most upper division CS courses at Berkeley.)

Q: How will the course be graded?
A: Students will receive points for each project that they complete. Projects have a variable number of points depending on the importance of the project. Since students will be examining real-world systems and submitting their analyses to companies (and thus earning eligibility for bug-bounty rewards), points generally are set at one point for each dollar of reward. (Some companies do not offer rewards, so in that case, we'll attempt to calculate the "dollar value" of the analysis.) Points are equally divided among your group. For example, suppose that you find a security vulnerability in company X that is worth a reward of $600, and you have a team of 3 people. Then each of the three people in your group will earn 200 points.

Q: Are big point rewards common?
A: According to the vulnerability testing platform that we will use, they are quite common. Rewards of tens of thousands of dollars (points) are not unheard of, and rewards of hundreds of dollars (points) are common. One reason I want to try this course is to see how students do in practice with this platform.

Q: Wait -- there are monetary rewards involved? Who gets the money?
A: Yes, in most cases your work will receive monetary rewards from vendors. It is certainly possible to earn considerable sums doing this type of analysis. If there is a reward, it will go to the student (or group of students) first reporting the vulnerability. If you are working by yourself, you keep all the money. If you are working in a group, you need to decide among yourselves how to split the money.

Q: How does this translate to class grades?
A: That has not yet been definitively decided. I am considering a logarithmic grading system, where an increase in a (decimal) order of magnitude will result in a letter grade improvement. Here are some possible grade thresholds (but there is a strong chance this will be revised before the class begins). Well-prepared students should have little difficulty in earning 100 or more points each week.

Total points earned on projects    Grade
0 points                           F
1 point                            D
2-9 points                         C-, C, C+
10-99 points                       B-, B, B+
100-999 points                     A-, A
1000 or more points                A+

Q: What about homework, class presentations, reports, exams?
A: This course is project based. You'll do the following:

  1. Find a vulnerability (or complete an analysis of an attack)
  2. Submit it (if applicable) for a reward
  3. Prepare a brief written write-up for class on each vulnerability found
  4. Give a brief presentation in class on each vulnerability found

Each week, even if you have no vulnerability found, you will still turn in a weekly report telling me what you tried to do (because even failed attempts give information.)

The course will not have an exam (unless campus demands that we hold an exam, in which case we will have a simple exam in which you simply recount all the activity that you attempted in the course).

Finally, graduate students in EECS or Information will have the option to take the graduate version of this course, where the focus will be on writing publishable research papers rather than on merely finding vulnerabilities and analyzing cyber-attacks.

Q: I am an undergraduate -- can I take the 294 version?
A: No, the 294 version is restricted to graduate students.

Q: I am a Berkeley graduate student, but in a department other than EECS or Information? Can I take the 294 version?
A: Generally no, but I may allow exceptions for graduate students with exceptional preparation in CS and/or Information.

Q: Can I pick the system I try to attack?
A: We are working with a specific vulnerability testing platform that includes dozens of companies that you have heard of. You can pick any of those systems to attack. You cannot propose your own system outside of that platform.

Q: Can you tell me more details about the vulnerability testing platform?
A: Not just yet, we are setting this up now. This course is still in development, and will be in development until the class begins. This is a public web page, so I don't want to put information here until the i's are dotted and the t's are crossed.

Q: You also mentioned that we may analyze cyber-attacks -- what is the detail on those?
A: Once again, we are setting this up now, so I don't have details yet.

Q: What will happen in lecture?
A: To start lecture, we will have student reports on successful exploits since the last class. Then we'll answer questions and give tips on finding vulnerabilities. Finally we'll talk about topics in cyberwar.

Q: When are projects due in the course?
A: Because each project is submitted independently, you can submit projects throughout the class (we'll probably require all projects to be submitted by November 24th to give us time to confirm the projects and calculate grades).

Q: When will the class crunch time occur?
A: That is totally up to you. I recommend trying to earn points early in the semester, while the workload in other classes is not yet at a peak -- that way, you'll avoid a class crunch. If you wait until the last minute, then you'll almost certainly have a rough time in November. Because of the modular nature of the projects, there is absolutely no disadvantage to turning them in as you finish them, and I recommend doing that. I hope that most students earn the vast majority of their points in September and October.

Q: What are the prerequisites for this course?
A: There are no official prerequisites. I recommend taking CS 152, CS 161, CS 162, and CS 168. Of course, few students have taken all those classes. But the more skills you bring to the table, the easier it will be for you to find vulnerabilities. I should also mention that many students are able to pick up material outside of the classroom; students who have a strong grasp of the topic of "systems" in computer science will find that it will help them a lot. Two more suggestions: (a) if you are familiar with the x86-64 architecture, that will be a big plus; and (b) because so many platforms today use the web, any web experience will be a plus.

Q: Will this course satisfy the upper division requirements for CS (or EECS)?
A: For students who earn a B- or above grade in the class, I will gladly support a petition to have this course count towards the upper division requirements for CS (or EECS). (In fact, I've heard that automatic approval is already in the works -- check with Student Affairs to find out whether that has been taken care of or not.)

Q: Several students have asked me something along this line "I'm enrolling in Phase II -- what are my chances of getting into this course?"
A: I have no way of estimating this, since this is a new course, and demand for CS courses has been unpredictable (that is, wildly popular) over the last few semesters. The classroom we are in has a capacity of 98 seats, and I am reserving 20 seats for graduate students (if we don't get that many students, I will offer those seats to undergraduate students.) Nonetheless, I think that only some students are interested in taking a course as experimental as this one. So even if you end up on the waitlist, please don't give up -- once students realize what this course involves (and that may not take place until the first class actually meets), I think that a number of students will drop.

Q: How many units is the course offered for? On https://www2.eecs.berkeley.edu/Courses/CS194_2960/ near the top, it says the course is offered for 1-4 units.
A: The course is only offered for 4 units. Regarding the other note saying it was available for 1-4 units, IRIS tells me "The units info comes from campus and can't be changed." (Alert: potential software engineering anecdote.)

Q: (Student question) Would a student who had only studied the foundational CS courses and select upper division courses actually be able to succeed in this course?
A: I think so.  The more upper division system courses you have, the easier you are likely to find the course. Working on applied problems is a good way to extend the more theoretical knowledge you learn in the classroom.  The grading scale is not particularly aggressive, and you are welcome to work in groups as well.  And, of course, we'll have lectures that discuss a variety of techniques for penetration testing -- so you'll have a concrete set of starting points for finding flaws.  Students who apply themselves throughout the semester should be able to easily achieve their target grades.  (Students who wait until the last few weeks of the course may be asking for serious trouble.) At the same time, as I have emphasized throughout this FAQ, this is an experimental course -- and I am not aware of a course like this having ever been taught before.  If you are more comfortable with a well-established course, then there are many other CS courses to choose from.

Q: I have another question not answered in this FAQ.
A: Send me e-mail, and I'll try to add it to the FAQ or e-mail you a reply. However, since the course is still in development, the answer may be "I don't know yet -- please check back when the semester starts."

FAQ for graduate students

The format of the course for graduate students (who are in EECS or the School of Information) will be quite different, with students instead writing research papers that are publishable. Please check back later for more details.