Computer Security

by: Tamia Bernhard

Computer Security 22C 169


This 84-page set of class notes was uploaded by Tamia Bernhard on Friday, October 23, 2015. The notes belong to 22C 169 at University of Iowa, taught by Eunjin Jung in Fall. Since upload, they have received 31 views. For similar materials see /class/228048/22c-169-university-of-iowa in Computer Science at University of Iowa.



Date Created: 10/23/15
The University of Iowa. April 4, 2005. Lecture 29, 22C:169 Computer Security. Douglas W. Jones, Department of Computer Science.

Amoeba

Andrew Tanenbaum's Amoeba System
- Designed as a multicomputer OS
  - Commodity computers as components
  - Commodity interconnect (ethernet)
  - Abandons TCP/IP completely
- Amoeba was not designed for security
- Innovative use of trapdoor functions: cryptographic protection of capabilities

Fundamental idea of Amoeba
- Client-server communication model
- Remote procedure call to server
- Servers implement classes of objects
- An Amoeba capability packages the right to call a particular server, with regard to a particular object, to perform a particular operation (e.g. read a file using the file server)

Amoeba Capability Format

SERVER | OBJ | R | CHECK

- Server: 48-bit public ID of server
- Obj: 24-bit ID of object, relative to server
- R: 8-bit access rights to object
- Check: 48-bit validity check on capability

Amoeba server addressing
- Server has random private ID, ID_PRIVATE
- Everyone knows trapdoor function f
- Server publishes ID_PUBLIC = f(ID_PRIVATE); this is the Server ID of the server
- Server says to kernel: register ID_PRIVATE
- Capabilities with server field ID_PUBLIC now address this process as the server

Amoeba message delivery
- Each machine has network address cache: mapping from ID_PUBLIC to location
- On cache miss: broadcast "who has this server", or use registration server, or some combination
- On receipt of message with a bad ID: discard it and report error so sender can clean cache

Amoeba server-side authentication
- Most of capability belongs to the server (the OBJ, R and CHECK fields)
- Server relates object ID to object itself, checks access rights, determines if capability is valid

Minimal server operation
- Server maintains object table: object = ObjectTable[capability.obj]
- Each object contains check field; valid if object.check = capability.check
- Knowing object ID grants no access unless correct check field is known
- This scheme would be sufficient, except there is no support for access rights

Support for access rights
- Simple scheme used if all rights are present (cap.rights = 11111111)
- Otherwise, valid if f(cap.rights, obj.check) = cap.check
- f is a publicly known trapdoor function
- Anyone may compare capabilities, restrict rights from all rights to fewer
- Only the correct server can validate capability, restrict rights from less than all ...

Cookies and web authentication. EJ Jung, 2/12/08.

Announcements
- Missed me? Email with 22c169
- No hacking for your project: find a safe playground (isolated network)
- Homework 1: find a partner or I'll get you one
- Proposal: names

HTTP: HyperText Transfer Protocol
- Used to request and return data
  - Methods: GET, POST, HEAD
- Stateless request/response protocol
  - Each request is independent of previous requests
  - Statelessness has a significant impact on design and implementation of applications
- Evolution
  - HTTP 1.0: simple
  - HTTP 1.1: more complex

HTTP Request
[Figure: example request with its parts labelled: Method, File, HTTP version, Headers, Blank line, Data (none for GET)]

HTTP Response
[Figure: example response with its parts labelled: HTTP version, Status code, Reason phrase]

Primitive Browser Session
[Figure: browser session with an online store: View catalog (shopping.cfm), Select item, Check out (checkout.cfm); the product ID and selected item are carried in the URL query string]
- Store session information in URL
- Easily read on network

Cookies: Storing Info Across Sessions
- A cookie is a file created by an Internet site to store information on your computer
- HTTP is a stateless protocol; cookies add state
[Figure: browser enters form data, server returns a cookie]

Cookie Management
- Cookie ownership
  - Once a cookie is saved on your computer, only the website that created the cookie can read it
- Variations
  - Temporary cookies: stored until you quit your browser
  - Persistent cookies: remain until deleted or expire
  - Third-party cookies: originate on or are sent to another website

Privacy Issues with Cookies
- Cookie may include any information about you known by the website that created it
  - Browsing activity, account information, etc.
- Sites can share this information
  - Advertising networks
  - 2o7.net tracking cookie
- Browser attacks could invade your privacy
  - November 8, 2001: "Users of Microsoft's browser and e-mail programs could be vulnerable to having their browser cookies stolen or modified due to a new security bug in Internet Explorer (IE), the company warned today."

Web Authentication via Cookies
- Need authentication system that works over HTTP and does not require servers to store session data
  - Why is it a bad idea to store session state on server?
- Servers can use cookies to store state on client
  - When session starts, server computes an authenticator and gives it back to browser in the form of a cookie
    - Authenticator is a value that client cannot forge on his own
    - Example: hash(session id)
  - With each request, browser presents the cookie
  - Server recomputes and verifies the authenticator
    - Server does not need to remember the authenticator

Typical Session with Cookies
1. client -> server: POST /login.cgi
2. server: verify that this client is authorized
3. server -> client: Set-Cookie: authenticator
4. client -> server: GET /restricted.html, Cookie: authenticator
5. server: check validity of authenticator (e.g. recompute hash(key, sessId))
6. server -> client: restricted content
- Authenticators must be unforgeable and tamper-proof (malicious client shouldn't be able to compute his own or modify an existing authenticator)

FatBrain.com circa 1999 (due to Fu et al.)
- User logs into website with his password, authenticator is generated, user is given special URL containing the authenticator
  https://www.fatbrain.com/HelpAccount.asp?t=0&p1=me@me.com&p2=540555758
  - With special URL, user doesn't need to re-authenticate
    - Reasoning: user could not have known the special URL without authenticating first. That's true, BUT...
- Authenticators are global sequence numbers
  - It's easy to guess sequence number for another user
  https://www.fatbrain.com/HelpAccount.asp?t=0&p1=SomeoneElse&p2=540555752
  - Use random authenticators

WSJ.com (due to Fu et al.)
- Idea: use user, hash(user, key) as authenticator
  - Key is secret and known only to the server. Without the key, clients can't forge authenticators.
- Implementation: user, crypt(user, key)
  - crypt() is UNIX hash function for passwords
  - crypt() truncates its input at 8 characters
  - Usernames matching first 8 characters end up with the same authenticator
  - No expiration or revocation
- It gets worse: this scheme can be exploited to extract the server's secret key

Attack

username     crypt(username, key, "00")   authenticator cookie
Attacker1    008H8LszUXvk                 Attacker18H8LszUXvk
Attacker2    008H8LszUXvk                 Attacker28H8LszUXvk

Create an account with a 7-letter user name:
AttackeA     0073UYEre5rBQ                Try logging in: access refused
AttackeB     00kachXBKno                  Access refused
AttackeC     000fSJV6An1QE                Login successful. 1st key symbol is C.

Now a 6-letter user name:
AttackCA     001mBnBErXRuc                Access refused
AttackCB     00T3JLquspdo                 Access refused ... and so on

- Only 128 x 8 queries instead of intended 128^8
- 17 minutes with a simple Perl script vs. 2 billion years

Better Cookie Authenticator
- Capability: describes what user is authorized to do on the site that issued the cookie
- Cannot be forged by malicious user; does not leak server secret
- Main lesson: don't roll your own!
  - Homebrewed authentication schemes are often flawed
- There are standard cookie-based schemes
  - Example in IPSec

Stealing Cookies by Cross Scripting
[Figure: victim's browser, naive.com and evil.com]
- Forces victim's browser to call hello.cgi on naive.com with script instead of name
- Interpreted as Javascript by victim's browser; opens window and calls steal.cgi on evil.com

Password-Based Authentication
- User has a secret password. System checks it to authenticate the user.
  - Vulnerable to eavesdropping when password is communicated from user to system
- How is the password stored?
- How does the system check the password?
- How easy is it to guess the password?
  - Easy-to-remember passwords tend to be easy to guess
  - Password file is difficult to keep secret

UNIX-Style Passwords
[Figure: the user's password ("cypherpunk") is passed through a hash function and compared with the hashed entries in the system password file]

Password Hashing
- Instead of user password, store H(password)
- When user enters password, compute its hash and compare with entry in password file
  - System does not store actual passwords!
- Hash function H must have some properties
  - One-way: given H(password), hard to find password
    - No known algorithm better than trial and error
  - Collision-resistant: given H(password1), hard to find password2 such that H(password1) = H(password2)
    - It should even be hard to find any pair p1, p2 s.t. H(p1) = H(p2)

UNIX Password System
- Uses DES encryption as if it were a hash function
  - Encrypt NULL string using password as the key
    - Truncates passwords to 8 characters!
  - Artificial slowdown: run DES 25 times
  - Can instruct modern UNIXes to use MD5 hash function
- Problem: passwords are not truly random
  - With 52 upper- and lowercase letters, 10 digits and 32 punctuation symbols, there are 94^8 ≈ 6 quadrillion possible 8-character passwords
  - Humans like to use dictionary words, human and pet names ≈ 1 million common passwords

Dictionary Attack
- Password file /etc/passwd is world-readable
  - Contains user IDs and group IDs which are used by many system programs
- Dictionary attack is possible because many passwords come from a small dictionary
  - Attacker can compute H(word) for every word in the dictionary and see if the result is in the password file
  - With 1,000,000-word dictionary and assuming 10 guesses per second, brute-force online attack takes 50,000 seconds (14 hours) on average
    - This is very conservative. Offline attack is much faster!

The University of Iowa. April 20, 2005. Lecture 35, 22C:169 Computer Security. Douglas W. Jones, Department of Computer Science.

Some More Laws

Electronic Communications Bill (British, January 2000)
- Register crypto support service providers (defined broadly)
- Makes electronic signatures legal, defined as a valid means of establishing
  - the authenticity of the communication or data,
  - the integrity of the communication or data,
  - or both
- Prohibits this act from being used to require key escrow

Export controls on Cryptography
- Unavoidable facts about cryptography:
  - it is important to national defense
  - many weapon systems must use it
  - it is important to national diplomacy
- Therefore, national laws have
  - limited export of cryptographic tech
  - limited use of cryptography
- One model has all crypto results "born classified"

History of US Crypto Regulations
- Early 1970's: assume all crypto born classified
- 1976: Hellman and Diffie openly publish "New directions in cryptography"
  - NSA alarmed, pushes for legislation
- Voluntary review system: please ask NSA before publishing
- Crypto tools subject to arms export controls, just like cannons and bombs
  - State department permit required to export strong ...

History of US Crypto Regulations II
- CLIPPER crypto chip announced 1993
  - allowed for required key escrow system
  - CALEA 1995 is what we got instead
- June 1995: RSA in Perl
  [Slide shows the "export-a-crypto-system" signature: RSA in 3 lines of Perl]
  - British sold T-shirts with this to US
  - Suggested tattoo to prevent deportation
  - Two US newspapers printed snips of it
  - Does first amendment apply to code?

History of US Crypto Regulations III
- Jan 2000: crypto export restrictions relax
- Blanket license to export for civilian use, except embargoed countries
  - No guarantee it will stay this way!
- Export for government use still licensed
- Embargo list in constant flux
  - Jan 2000 list was: Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and Taliban-controlled areas of Afghanistan

Trusted Computing Initiative
- Stated goal: "harden the platform from software-based attacks based on the expected behavior (trust) of the platform and transactions" (INTEL)
- Pro: we desperately need it for secure systems
- Con: push comes from RIAA, Hollywood
  - Goal seems to be to build systems that guarantee no copyright infringement
  - Goal could be to ban systems that do not incorporate the trusted platform

Anonymity. EJ Jung, 4/17/08.

Announcements
- Project grading
  - Proofread: spellings, grammars, incomplete sentences
  - References are critical
  - Organization is important
  - What did you learn? What's new?
- Presentation time will be reduced to 12 minutes
  - not enough volunteers on 24th
  - set up before class: copy or download your files into computer
- Final exam is at 7pm, Monday May 12, W151 PBB

Late days reminder
- 24 hours after the deadline = 1 day
  - If you use three days, you submit by 1:05pm on Sunday April 20
  - Zip everything and send to me via email; Dropbox closes at the deadline
- Ask me if in doubt how many days you have left

Netflix prize
- http://www.netflixprize.com
- $1 million for 10% increase, $50K for 1%
- Anonymized dataset of over 1 million records for training purpose
- Not so much anonymized: can match with IMDb user, for example
  - http://www.cs.utexas.edu/~shmat/netflix...

Fall 08
- 22c196:002 privacy and anonymity, Fall 2008
  - available online too
  - 22c031 Algorithms required, 22c169 recommended
  - or instructor's consent

Privacy on Public Networks
- Internet is designed as an Intranet
  - Machines on your LAN may see your traffic, network routers see all traffic that passes through them
- Routing information is public
  - IP packet headers identify source and destination
  - Even a passive observer can easily figure out who is talking to whom
- Encryption does not hide identities
  - Encryption hides payload, but not routing information
  - Even IP-level encryption (tunnel-mode IPSec/ESP) reveals IP addresses of IPSec gateways

Applications of Anonymity I
- Privacy
  - Hide online transactions, Web browsing, etc. from intrusive governments, marketers and archivists
- Untraceable electronic mail
  - Corporate whistle-blowers
  - Political dissidents
  - Socially sensitive communications
  - Confidential business negotiations
- Law enforcement and intelligence
  - Sting operations and honeypots
  - Secret communications on a public network

Applications of Anonymity II
- Digital cash
  - Electronic currency with properties of paper money (online purchases unlinkable to buyer's identity)
- Anonymous electronic voting
- Censorship-resistant publishing

What is Anonymity?
- Anonymity is the state of being not identifiable within a set of subjects
  - You cannot be anonymous by yourself!
    - Big difference between anonymity and confidentiality
  - Hide your activities among others' similar activities
- Unlinkability of action and identity
  - For example, sender and his email are no more related after observing communication than they were before
- Unobservability (hard to achieve)
  - Any item of interest (message, event, action) is indistinguishable from any other item of interest

Attacks on Anonymity
- Passive traffic analysis
  - Infer from network traffic who is talking to whom
  - To hide your traffic, must carry other people's traffic!
- Active traffic analysis
  - Inject packets or put a timing signature on packet flow
- Compromise of network nodes
  - Attacker may compromise some routers
  - It is not obvious which nodes have been compromised
    - Attacker may be passively logging traffic
  - Better not to trust any individual router
    - Assume that some fraction of routers is good, don't know which

Chaum's Mix
- Early proposal for anonymous email
  - David Chaum. "Untraceable electronic mail, return addresses, and digital pseudonyms". Communications of the ACM, February 1981.
- Public key crypto + trusted re-mailer (Mix)
  - Untrusted communication medium
  - Public keys used as persistent pseudonyms
- Modern anonymity systems use Mix as the basic building block

Basic Mix Design
- Messages entering the mix: {r1, {r0, M}pk(B), B}pk(mix); {r2, {r3, M'}pk(E), E}pk(mix); {r4, {r5, M''}pk(B), B}pk(mix)
- Messages leaving the mix: for example {r3, M'}pk(E), E
- Adversary knows all senders and all receivers, but cannot link a sent message with a received message

Anonymous Return Addresses
- M includes {K1, A}pk(mix), K2, where K2 is a fresh public key
- Forward message: {r1, {r0, M}pk(B), B}pk(mix)
- Response sent to the mix: {K1, A}pk(mix), {r2, M'}K2
- Mix delivers: A, {{r2, M'}K2}K1
- Secrecy without authentication

Mix Cascade
- Messages are sent through a sequence of mixes
  - Can also form an arbitrary network of mixes ("mixnet")
- Some of the mixes may be controlled by attacker, but even a single good mix guarantees anonymity
- Pad and buffer traffic to foil correlation attacks

Disadvantages of Basic Mixnets
- Public-key encryption and decryption at each mix are computationally expensive
- Basic mixnets have high latency
  - OK for email, not OK for anonymous Web browsing
- Challenge: low-latency anonymity network
  - Use public-key cryptography to establish a "circuit" with pairwise symmetric keys between hops on the circuit
  - Then use symmetric decryption and re-encryption to move data messages along the established circuits
  - Each node behaves like a mix; anonymity is preserved even if some nodes are compromised

Another Idea: Randomized Routing
- Hide message source by routing it randomly
  - Popular technique: Crowds, Freenet, Onion routing
- Routers don't know for sure if the apparent source of a message is the true sender or another router

Onion Routing [Reed, Syverson, Goldschlag '97]
- Sender chooses a random sequence of routers
  - Some routers are honest, some controlled by attacker
  - Sender controls the length of the path

Route Establishment
[Figure: nested "onion" whose outermost layer is {R2, k1}pk(R1)]
- Routing info for each link encrypted with router's public key
- Each router learns only the identity of the next router

Tor
- Second-generation onion routing network
  - http://tor.eff.org
  - Developed by Roger Dingledine, Nick Mathewson and Paul Syverson
  - Specifically designed for low-latency anonymous Internet communications
- Running since October 2003
- 100 nodes on four continents, thousands of users
- "Easy-to-use" client proxy
  - Freely available, can use it for anonymous browsing

Tor Circuit Setup (1)
- Client proxy establishes a symmetric session key and circuit with Onion Router #1

Tor Circuit Setup (2)
- Client proxy extends the circuit by establishing a symmetric session key with Onion Router #2
  - Tunnel through Onion Router #1 (don't need ...)

Tor Circuit Setup (3)
- Client proxy extends the circuit by establishing a symmetric session key with Onion Router #3
  - Tunnel through Onion Routers #1 and #2

Using Tor Circuit
- Client applications connect and communicate over the established Tor circuit
  - Datagrams are decrypted and re-encrypted at each link

Tor Management Issues
- Many applications can share one circuit
  - Multiple TCP streams over one anonymous connection
- Tor router doesn't need root privileges
  - Encourages people to set up their own routers
  - More participants = better anonymity for everyone
- Directory servers
  - Maintain lists of active onion routers, their locations, current public keys, etc.
  - Control how new routers join the network
    - "Sybil attack": attacker creates a large number of routers
  - Directory servers' keys ship with Tor code

Deployed Anonymity Systems
- Free Haven project has an excellent bibliography on anonymity
  - http://freehaven.net
- Tor (http://tor.eff.org)
  - Overlay circuit-based anonymity network
  - Best for low-latency applications such as anonymous Web browsing
- Mixminion (http://www.mixminion.net)
  - Network of mixes
  - Best for high-latency applications such as anonymous email

Dining Cryptographers
- Clever idea how to make a message public in a perfectly untraceable manner
  - David Chaum. "The dining cryptographers problem: unconditional sender and recipient untraceability". Journal of Cryptology, 1988.
- Guarantees information-theoretic anonymity for message senders
  - This is an unusually strong form of security: defeats adversary who has unlimited computational power
- Impractical, requires huge amount of randomness
  - In group of size N, need N random bits to send 1 bit

Three-Person DC Protocol
- Three cryptographers are having dinner. Either NSA is paying for the dinner, or one of them is paying, but wishes to remain anonymous.
1. Each diner flips a coin and shows it to his left neighbor
   - Every diner will see two coins: his own and his right neighbor's
2. Each diner announces whether the two coins are the same. If he is the payer, he lies (says the opposite).
3. Odd number of "same" => NSA is paying; even number of "same" => one of them is paying
   - But a non-payer cannot tell which of the other two is paying!

Non-Payer's View: Same Coins
- Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

Non-Payer's View: Different Coins
- Without knowing the coin toss between the other two, non-payer cannot tell which of them is lying

Superposed Sending
- This idea generalizes to any group of size N
- For each bit of the message, every user generates 1 random bit and sends it to 1 neighbor
  - Every user learns 2 bits (his own and his neighbor's)
- Each user announces (own bit XOR neighbor's bit)
- Sender announces (own bit XOR neighbor's bit XOR message bit)
- XOR of all announcements = message bit
  - Every randomly generated bit occurs in this sum twice (and is canceled by XOR), message bit occurs once

DC-Based Anonymity is Impractical
- Requires secure pairwise channels between group members
  - Otherwise, random bits cannot be shared
- Requires massive communication overhead and large amounts of randomness
- DC-net (a group of dining cryptographers) is robust even if some members collude
  - Guarantees perfect anonymity for the other members

Location Hidden Servers
- Goal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it
- Accessible from anywhere
- Resistant to censorship
- Can survive full-blown DoS attack
- Resistant to physical attack
  - Can't find the physical server!

Creating a Location Hidden Server
[Figure: Alice (client), Bob's service (server), introduction points, service lookup directory]
- Server gives intro points' descriptors and addresses to service lookup directory
- Client obtains service descriptor and intro point address from directory

Using a Location Hidden Server
[Figure: client, server, rendezvous point, introduction points]
- Client creates onion route to a rendezvous point
- Client sends address of the rendezvous point and any authorization, if needed, to server through intro point
- If server chooses to talk to client, connect to rendezvous point
- Rendezvous point mates the circuits from client & server

The University of Iowa. April 22, 2005. Lecture 36, 22C:169 Computer Security. Douglas W. Jones, Department of Computer Science.

Privacy Laws

Privacy
- Privacy is "the expectation that confidential personal information disclosed in a private place will not be disclosed to third parties, when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities." (Ronald B. Standler, Esq., 1997)
- What does confidential mean?
- Why potential embarrassment or distress?

Classical privacy rights ban:
- Unreasonable intrusion on seclusion
  - home invasion, eavesdropping, harassing phone calls
- Appropriation of name or likeness
  - plastering your name all over town
- Publication of private facts
  - financial data, sexual info, personal communications, medical data
- Publication that misrepresents someone
  - telling the truth in a bad way

Some things are not private
- Purchases made in a public place
  - Clerk can tell anyone what you bought
  - So stores can collect and sell this data, AND THEY REGULARLY DO!
- Garbage tends to be public
  - Dumpster diving is common and fun
  - US law does not guard privacy of trash. SHOULD IT?
- Privacy rights versus freedom of the press
  - are paparazzi journalists or stalkers?

Some privacy rights are old
- Ban on reading other people's mail
  - Rabbi Gershom of Mainz (960-1040)
- Privacy of First Class Mail in US
  - Ex parte Jackson, 1878, decided on 4th amendment grounds
- Privacy of telegraphic communications
  - ICC act of 1887 requires subpoena
  - 3/4 of states guarded this by 1900
- Privacy of telephone communications
  - Federal Communications Act of 1934

Observations
- Delay between development of new technology and extension of obvious privacy rights under the 4th amendment has been far too long for comfort
- Focus of legislation has been on creating exceptions to privacy rights in order to allow reasonable law enforcement efforts
- Shouldn't 4th amendment and telegraph law automatically apply to Email?

Current law
- Electronic Communications Privacy Act of 1986
  - Public electronic communication providers must ensure privacy of subscribers
    - Subscribers of free Email services might be the advertisers, not the users!
  - protection of Email in transit
  - no protection of stored E-mail
  - no protection of internal business E-mail
- Disclosure of Email by the recipient
  - Sender owns copyright on the text
  - Recipient may disclose content
    - Except if sender has reasonable expectation of privacy, e.g. if recipient is a doctor, lawyer or professor

Horror story: Steve Jackson Games Case
- Illuminati Bulletin Board seized in 1990, along with the 3 computers of the company
  - side effect of investigation of employee
- Steve Jackson Games was a publisher
  - Computers even included book manuscript
  - Seizure of such work is illegal
  - Seizure of copies would have been legal
  - Seizure of private email questionable
- Steve Jackson and Illuminati clients sued and won; appeal decided 1994
  - $8.7K direct damages, $42K lost profit
  - $195K attorneys' fees, $57K plaintiff's costs

Family Educational Privacy Rights Act, 1974
- Student rights to:
  - inspect and review educational records
  - amend inaccurate or inappropriate records
  - control disclosure of public records
- Institution is permitted to:
  - disclose directory information by default
  - release other information in emergency (need-to-know basis, when such release is necessary to protect health or safety)
  - release other info to privileged recipients (faculty, financial aid sources, other schools, federal and state authorities, accrediting orgs)
- Institution may not release data without student's permission to anyone else, including parents!
- Effect on computer use: creates a category of privileged data

HIPAA, 1996 (Health Insurance Portability and Accountability Act)
- Expectation of privacy in medical care
  - is an ancient traditional right
  - conflicts with needs of insurance industry
  - may pose barrier to epidemiological studies
- HIPAA requires that providers:
  - Explain patient rights and proposed info use
  - Secure patient records (reasonable and appropriate administrative, technical and physical safeguards required)
  - Assume responsibility for this
- HIPAA gives patient control of release of health information
  - Unless all personal identifiers are removed
  - Except in emergency
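An added example, not part of the original lecture notes, for the WSJ.com and "Better Cookie Authenticator" slides above: it models the truncation flaw (two user names sharing their first 8 characters get the same authenticator) beside a keyed authenticator over capability and expiration. The key, field layout, `|` separator and function names are assumptions made for illustration; SHA-256 stands in for crypt() in the weak model.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real server loads a random secret.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def weak_authenticator(user: str, key: bytes = SERVER_KEY) -> str:
    """Model of the flawed scheme: the hash input (user + key) is cut at 8 bytes."""
    truncated = (user.encode() + key)[:8]  # crypt()-style input truncation
    tag = hashlib.sha256(truncated).hexdigest()[:11]
    return user + tag


def _mac(payload: str, key: bytes) -> str:
    # HMAC covers the whole payload, so no field can be changed or cut off.
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, rights: str, now: int, ttl: int,
                 key: bytes = SERVER_KEY) -> str:
    """Cookie = user | capability | expiration | HMAC(key, all three fields)."""
    for field in (user, rights):
        if not field or "|" in field:
            raise ValueError("field is empty or contains the separator")
    payload = f"{user}|{rights}|{now + ttl}"
    return f"{payload}|{_mac(payload, key)}"


def verify_cookie(cookie: str, now: int, key: bytes = SERVER_KEY):
    """Return (user, rights) for a valid, unexpired cookie, else None."""
    payload, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    # Constant-time comparison; the server stores nothing per session.
    if not hmac.compare_digest(tag.encode(), _mac(payload, key).encode()):
        return None
    # The MAC verified, so the payload is exactly what issue_cookie() built.
    user, rights, expires = payload.split("|")
    if now >= int(expires):
        return None  # expiration is enforced by the server, not the client
    return user, rights


if __name__ == "__main__":
    a, b = weak_authenticator("Attacker1"), weak_authenticator("Attacker2")
    print("weak tags equal:", a[len("Attacker1"):] == b[len("Attacker2"):])
    cookie = issue_cookie("Attacker1", "read", now=1000, ttl=60)
    print("valid:", verify_cookie(cookie, now=1030))
    print("renamed:", verify_cookie(cookie.replace("Attacker1", "Attacker2"), 1030))
    print("expired:", verify_cookie(cookie, now=1060))
```

Revocation, which the notes also list as missing, still needs server-side state (for example a per-user key version included in the MAC input); this sketch covers forgery and expiration only.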
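An added example, not part of the original lecture notes, for the Three-Person DC Protocol and Superposed Sending slides above: it runs the ring protocol for any group size, sends a byte string bit by bit, and enumerates the coins a non-payer cannot see to show that the other diners' announcements look the same whichever of them paid. Function names and the ring indexing are assumptions made for illustration.

```python
import itertools
import secrets
from collections import Counter
from functools import reduce
from operator import xor


def announce(coins, sender=None, bit=0):
    """Diner i sees coins[i] and the right neighbour's coin and announces their
    XOR (0 = "same", 1 = "different"); the sender also XORs in the message bit."""
    n = len(coins)
    out = []
    for i in range(n):
        a = coins[i] ^ coins[(i + 1) % n]
        if i == sender:
            a ^= bit
        out.append(a)
    return out


def combine(announcements):
    """XOR of all announcements: every coin appears twice and cancels."""
    return reduce(xor, announcements, 0)


def send_bytes(n, sender, message):
    """Superposed sending: one fresh round of n coins per message bit."""
    recovered = bytearray()
    for byte in message:
        value = 0
        for shift in range(7, -1, -1):
            coins = [secrets.randbits(1) for _ in range(n)]
            bit = (byte >> shift) & 1
            value = (value << 1) | combine(announce(coins, sender, bit))
        recovered.append(value)
    return bytes(recovered)


def observer_view(n, observer, payer, known):
    """Distribution of the other diners' announcements, given the two coins the
    observer can see (`known`), over all values of the coins he cannot see."""
    right = (observer + 1) % n
    hidden = [i for i in range(n) if i not in (observer, right)]
    views = Counter()
    for values in itertools.product((0, 1), repeat=len(hidden)):
        coins = [0] * n
        coins[observer], coins[right] = known
        for i, v in zip(hidden, values):
            coins[i] = v
        ann = announce(coins, sender=payer, bit=1)
        views[tuple(a for i, a in enumerate(ann) if i != observer)] += 1
    return views


if __name__ == "__main__":
    print("nobody pays:", combine(announce([1, 0, 1])))
    print("diner 2 pays:", combine(announce([1, 0, 1], sender=2, bit=1)))
    print("recovered:", send_bytes(5, sender=3, message=b"hi"))
    for known in itertools.product((0, 1), repeat=2):
        same = observer_view(3, 0, 1, known) == observer_view(3, 0, 2, known)
        print("diner 0 sees", known, "-> payer 1 and 2 indistinguishable:", same)
```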

