diff --git a/website/docs/schedule/lectures.md b/website/docs/schedule/lectures.md
index 3c3b6fc..96c7f8d 100644
--- a/website/docs/schedule/lectures.md
+++ b/website/docs/schedule/lectures.md
@@ -13,30 +13,30 @@ Data Privacy* (AFDP) by Cynthia Dwork and Aaron Roth, available
 9/17  | What does differential privacy actually mean? <br> **Reading:** McSherry. [*Lunchtime for Differential Privacy*](https://github.com/frankmcsherry/blog/blob/master/posts/2016-08-16.md) (see also these [two](https://github.com/frankmcsherry/blog/blob/master/posts/2016-06-14.md) [posts](https://github.com/frankmcsherry/blog/blob/master/posts/2016-08-29.md)) | JH
 9/19  | Exponential mechanism <br> **Paper:** McSherry and Talwar. [*Mechanism Design via Differential Privacy*](http://kunaltalwar.org/papers/expmech.pdf). <br> <center> <h5> **Due: Project topics and groups** </h5> </center> | JH
 **9/21 (FRI)**  | Identity-Based Encryption from the Diffie-Hellman Assumption  <br> <center> **SPECIAL TIME AND PLACE: 4 PM, CS 1240** </center> | Sanjam Garg
-9/24  | Privacy for data streams <br> **Paper:** Chan, Shi, and Song. [*Private and Continual Release of Statistics*](https://eprint.iacr.org/2010/076.pdf).  |
-9/26  | Report-noisy-max and the Sparse Vector Technique <br> **Reading:** AFDP 3.3, 3.5 | JH
-10/1  | Answering lots of queries: Private multiplicative weights <br> **Paper:** Hardt, Ligett, and McSherry. [*A Simple and Practical Algorithm for Differentially Private Data Release*](https://papers.nips.cc/paper/4548-a-simple-and-practical-algorithm-for-differentially-private-data-release.pdf). |
-10/3  | Local and joint differential privacy <br> **Reading:** AFDP 12.1 | JH    
-10/8  | Local differential privacy <br> **Paper:** Erlingsson, Pihur, and Korolova. [*RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response*](https://arxiv.org/pdf/1407.6981.pdf). |
-10/10 | More differential privacy <br> **Paper:** |
+9/24  | Report-noisy-max and the Sparse Vector Technique <br> **Reading:** AFDP 3.3, 3.5 | JH
+9/26  | Privacy for data streams <br> **Paper:** Chan, Shi, and Song. [*Private and Continual Release of Statistics*](https://eprint.iacr.org/2010/076.pdf). | Yinglun
+10/1  | Local differential privacy <br> **Paper:** Erlingsson, Pihur, and Korolova. [*RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response*](https://arxiv.org/pdf/1407.6981.pdf). | JH
+      | <center> <h4> **Adversarial Machine Learning** </h4> </center> |
+10/3  | AML: overview and basics <br> <center> **GUEST LECTURE** </center> | Somesh Jha
+10/8  | History of Adversarial ML <br> **Paper:** Biggio and Roli. [*Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning*](https://arxiv.org/pdf/1712.03141). | Meghana
+10/10  | Adversarial examples <br> **Paper:** Szegedy, Zaremba, Sutskever, et al. [*Intriguing Properties of Neural Networks*](https://arxiv.org/pdf/1312.6199.pdf). | Shimaa
 10/15 | <center> **NO CLASS: INSTRUCTOR AWAY** </center> |
 10/17 | <center> **NO CLASS: INSTRUCTOR AWAY** <br> <center> <h5> **Due: Milestone 1** </h5> </center> |
+10/22 | Adversarial examples <br> **Paper:** Goodfellow, Schlens, and Szegedy. [*Explaining and Harnessing Adversarial Examples*](https://arxiv.org/abs/1412.6572). | Kyrie
+10/24 | Real-world attacks <br> **Paper:** Eykholt, Evtimov, Fernandes, et al. [*Robust Physical-World Attacks on Deep Learning Models*](https://arxiv.org/pdf/1707.08945.pdf). | Hiba
+10/29 | Detection methods <br> **Paper:** Carlini and Wagner. [*Towards Evaluating the Robustness of Neural Networks*](https://arxiv.org/pdf/1608.04644.pdf). | Yiqin
+10/31 | Detection methods <br> **Paper:** Carlini and Wagner. [*Adversarial Examples Are Not Easily Detected: Bypassing Ten Detection Methods*](https://arxiv.org/pdf/1705.07263.pdf). | Junxiong
+11/5  | Defensive measures <br> **Paper:** Steinhardt, Koh, and Liang. [*Certified Defenses for Data Poisoning Attacks*](https://arxiv.org/pdf/1706.03691.pdf). | Yaman
+11/7  | Defensive measures <br> **Paper:** Madry, Makelov, Schmidt, Schmidt, Tsipras, and Valdu. [*Towards Deep Learning Models Resistant to Adversarial Attacks*](https://arxiv.org/pdf/1706.06083.pdf). | Maddy
       | <center> <h4> **Cryptographic Techniques** </h4> </center> |
-10/22 | Crypto: overview and basics | JH
-10/24 | Secure multiparty computation <br> **Paper:** |
-10/29 | Homomorphic encryption <br> **Paper:** |
-10/31 | Verifiable computing <br> **Paper:** |
-11/5  | More applied crypto <br> **Paper:** | 
+11/12 | Applied crypto: overview and basics | JH
+11/14 | Verifiable computing <br> **Paper:** Braun, Feldman, Ren, et al. [*Verifying Computations with State*](https://eprint.iacr.org/2013/356.pdf). <br> <center> <h5> **Due: Milestone 2** </h5> </center> | Kan
+11/19 | Verifiable differential privacy <br> **Paper:** Narayan, Feldman, Papadimitriou, and Haeberlen. [*Verifiable Differential Privacy*](https://www.cis.upenn.edu/~ahae/papers/verdp-eurosys2015.pdf). | Fayi
+11/21 | Homomorphic encryption <br> **Paper:** Ducas and Micciancio. [*FHEW: Bootstrapping Homomorphic Encryption in Less than a Second*](https://eprint.iacr.org/2014/816.pdf). | Yue
       | <center> <h4> **Language-Based Security** </h4> </center> |
-11/7  | LangSec: overview and basics | JH
-11/12 | Secure Information Flow <br> **Paper:** |
-11/14 | Languages for privacy <br> **Paper:** <br> <center> <h5> **Due: Milestone 2** </h5> </center> | 
-11/19 | Symbolic cryptography <br> **Paper:** |
-11/21 | More LangSec <br> **Paper:** |
-      | <center> <h4> **Adversarial Machine Learning** </h4> </center> |
-11/26 | AML: overview and basics <br> <center> **GUEST LECTURE** </center> | Somesh Jha
-11/28 | AML: overview and basics <br> <center> **GUEST LECTURE** </center> | Somesh Jha
-12/3  | Adversarial examples <br> **Paper:** |
-12/5  | Training-time attacks <br> **Paper:** |
-12/10 | Model-theft attacks <br> **Paper:** |
-12/12 | More AML <br> **Paper:** |
+11/26 | Language-based security: overview and basics | JH
+11/28 | Languages for privacy <br> **Paper:** Reed and Pierce. [*Distance Makes the Types Grow Stronger: A Calculus for Differential Privacy*](https://www.cis.upenn.edu/~bcpierce/papers/dp.pdf). | Sam
+12/3  | Languages for authenticated datastructures <br> **Paper:** Miller, Hicks, Katz, and Shi. [*Authenticated Data Structures, Generically*](https://www.cs.umd.edu/~mwh/papers/gpads.pdf). | Zichuan
+12/5  | Languages for oblivous computing <br> **Paper:** Zahur and Evans. [*Obliv-C: A Language for Extensible Data-Oblivious Computation*](https://eprint.iacr.org/2015/1153.pdf). | Zhiyi
+12/10 | Languages for information flow <br> **Paper:** Griffin, Levy, Stefan, et al. [*Hails: Protecting Data Privacy in Untrusted Web Applications*](https://www.usenix.org/system/files/conference/osdi12/osdi12-final-35.pdf). | Arjun
+12/12 | Languages for preventing timing channels <br> **Paper:** Zhang, Askarov, and Myers. [*Language-Based Control and Mitigation of Timing Channels*](https://www.cs.cornell.edu/andru/papers/pltiming-pldi12.pdf). | Yan