\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{beamerthemeplainculight}
\usepackage[T1]{fontenc}
\usepackage[latin1]{inputenc}
\usepackage{mathpartir}
\usepackage[absolute,overlay]{textpos}
\usepackage{ifthen}
\usepackage{tikz}
\usepackage{pgf}
\usepackage{calc}
\usepackage{ulem}
\usepackage{courier}
\usepackage{listings}
\renewcommand{\uline}[1]{#1}
\usetikzlibrary{arrows}
\usetikzlibrary{automata}
\usetikzlibrary{shapes}
\usetikzlibrary{shadows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
\usepackage{graphicx}
\definecolor{javared}{rgb}{0.6,0,0} % for strings
\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
\lstset{language=Java,
basicstyle=\ttfamily,
keywordstyle=\color{javapurple}\bfseries,
stringstyle=\color{javagreen},
commentstyle=\color{javagreen},
morecomment=[s][\color{javadocblue}]{/**}{*/},
numbers=left,
numberstyle=\tiny\color{black},
stepnumber=1,
numbersep=10pt,
tabsize=2,
showspaces=false,
showstringspaces=false}
\lstdefinelanguage{scala}{
morekeywords={abstract,case,catch,class,def,%
do,else,extends,false,final,finally,%
for,if,implicit,import,match,mixin,%
new,null,object,override,package,%
private,protected,requires,return,sealed,%
super,this,throw,trait,true,try,%
type,val,var,while,with,yield},
otherkeywords={=>,<-,<\%,<:,>:,\#,@},
sensitive=true,
morecomment=[l]{//},
morecomment=[n]{/*}{*/},
morestring=[b]",
morestring=[b]',
morestring=[b]"""
}
\lstset{language=Scala,
basicstyle=\ttfamily,
keywordstyle=\color{javapurple}\bfseries,
stringstyle=\color{javagreen},
commentstyle=\color{javagreen},
morecomment=[s][\color{javadocblue}]{/**}{*/},
numbers=left,
numberstyle=\tiny\color{black},
stepnumber=1,
numbersep=10pt,
tabsize=2,
showspaces=false,
showstringspaces=false}
% beamer stuff
\renewcommand{\slidecaption}{APP 01, King's College London, 25.~September 2012}
\begin{document}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}<1>[t]
\frametitle{%
\begin{tabular}{@ {}c@ {}}
\LARGE Access Control and \\[-3mm]
\LARGE Privacy Policies (1)\\[-6mm]
\end{tabular}}
\begin{center}
%\includegraphics[scale=1.3]{pics/barrier.jpg}
\end{center}
\normalsize
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
Of$\!$fice: & S1.27 (1st floor Strand Building)\\
Slides: & KEATS
\end{tabular}
\end{center}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}
\begin{center}
%\includegraphics[scale=2.1]{pics/barrier.jpg}
\end{center}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Security Engineers\end{tabular}}
According to Bruce Schneier, {\bf security engineers} require
a particular {\bf mindset}:\bigskip
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\normalsize\color{darkgray}
\begin{minipage}{10cm}\raggedright\small
``Security engineers --- at least the good ones --- see the world dif$\!$ferently.
They can't walk into a store without noticing how they might shoplift. They can't
use a computer without wondering about the security vulnerabilities. They can't
vote without trying to figure out how to vote twice. They just can't help it.''
\end{minipage}};
\end{tikzpicture}
\begin{flushright}
%\includegraphics[scale=0.0087]{pics/schneierbook1.jpg}\;
%\includegraphics[scale=0.0087]{pics/schneierbook2.jpg}\;
%\includegraphics[scale=0.85]{pics/schneier.png}
\end{flushright}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Chip-and-PIN\end{tabular}}
\begin{center}
%\includegraphics[scale=0.3]{pics/creditcard1.jpg}\;
%\includegraphics[scale=0.3]{pics/creditcard2.jpg}
\end{center}
\begin{itemize}
\item Chip-and-PIN was introduced in the UK in 2004
\item before that customers had to sign a receipt\medskip
\item Is Chip-and-PIN a more secure system?
\end{itemize}
\begin{flushright}
\small\textcolor{gray}{(Some other countries still use the old method.)}
\end{flushright}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Yes \ldots\end{tabular}}
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\normalsize\color{darkgray}
\begin{minipage}{10cm}\raggedright\small
``Chip-and-PIN is so effective in this country [UK] that fraudsters are starting to move their activities overseas,''
said Emile Abu-Shakra, spokesman for Lloyds TSB (in the Guardian, 2006).
\end{minipage}};
\end{tikzpicture}\bigskip
\begin{itemize}
\item mag-stripe cards cannot be cloned anymore
\item stolen or cloned cards need to be used abroad
\item fraud on lost, stolen and counterfeit credit cards was down \pounds{}60m (24\%) on 2004's figure
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}But let's see \ldots\end{tabular}}
\begin{textblock}{1}(3,4)
\begin{tabular}{c}
%\includegraphics[scale=0.3]{pics/bank.png}\\[-2mm]
\small Bank
\end{tabular}
\end{textblock}
\begin{textblock}{1}(7,4.5)
\begin{tabular}{c}
%\includegraphics[scale=3]{pics/store.png}\\[-2mm]
\end{tabular}
\end{textblock}
\begin{textblock}{1}(4.5,9.9)
\begin{tabular}{c}
%\includegraphics[scale=0.16]{pics/rman.png}\\[-1mm]
\small customer / you
\end{tabular}
\end{textblock}
\only<2->{
\begin{textblock}{1}(4.5,7.5)
\begin{tikzpicture}[scale=1.3]
\draw[white] (0,0) node (X) {};
\draw[white] (1,-1) node (Y) {};
\draw[red, ->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}}
\only<3->{
\begin{textblock}{1}(6.8,7.5)
\begin{tikzpicture}[scale=1.3]
\draw[white] (0,0) node (X) {};
\draw[white] (1,1) node (Y) {};
\draw[red, ->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}
\begin{textblock}{1}(4.8,5.9)
\begin{tikzpicture}[scale=1.3]
\draw[white] (0,0) node (X) {};
\draw[white] (1.4,0) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}}
\only<4->{
\begin{textblock}{1}(12,6.5)
\begin{tabular}{c}
%\includegraphics[scale=0.8]{pics/factory.png}\\[-1mm]
\small card\\[-2mm]\small terminal\\[-2mm] \small producer
\end{tabular}
\end{textblock}
\begin{textblock}{1}(10,7)
\begin{tikzpicture}[scale=1.6]
\draw[white] (0,0) node (X) {};
\draw[white] (-1,0.6) node (Y) {};
\draw[red, ->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Chip-and-PIN\end{tabular}}
\begin{itemize}
\item A ``tamper-resistant'' terminal playing Tetris on
\textcolor{blue}{\href{http://www.youtube.com/watch?v=wWTzkD9M0sU}{youtube}}.\\
\textcolor{lightgray}{\footnotesize(\url{http://www.youtube.com/watch?v=wWTzkD9M0sU})}
\end{itemize}
%\includegraphics[scale=0.2]{pics/tetris.jpg}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Chip-and-PIN\end{tabular}}
\begin{itemize}
\item in 2006, Shell petrol stations stopped accepting Chip-and-PIN after \pounds{}1m had been stolen from customer accounts\smallskip
\item in 2008, hundreds of card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been
expertly tampered with shortly after manufacture, so that during the preceding 9 months card details and PINs
were sent over mobile phone networks to criminals in Lahore, Pakistan
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Chip-and-PIN is Broken\end{tabular}}
\begin{flushright}
%\includegraphics[scale=0.01]{pics/andersonbook1.jpg}\;
%\includegraphics[scale=1.5]{pics/anderson.jpg}
\end{flushright}
\begin{itemize}
\item man-in-the-middle attacks by the group around Ross Anderson\medskip
\end{itemize}
\begin{center}
\mbox{}\hspace{-20mm}%\includegraphics[scale=0.5]{pics/chip-attack.png}
\end{center}
\begin{textblock}{1}(11.5,13.7)
\begin{tabular}{l}
\footnotesize on BBC Newsnight\\[-2mm]
\footnotesize in 2010 or \textcolor{blue}{\href{http://www.youtube.com/watch?v=JPAX32lgkrw}{youtube}}
\end{tabular}
\end{textblock}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Chip-and-PIN is Really Broken\end{tabular}}
\begin{flushright}
%\includegraphics[scale=0.01]{pics/andersonbook1.jpg}\;
%\includegraphics[scale=1.5]{pics/anderson.jpg}
\end{flushright}
\begin{itemize}
\item the same group successfully attacked card readers and ATMs this year
\item the problem: several types of ATMs generate poor random numbers, which are used as nonces
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}The Problem \ldots\end{tabular}}
\begin{textblock}{1}(3,4)
\begin{tabular}{c}
%\includegraphics[scale=0.3]{pics/bank.png}\\[-2mm]
\small Bank
\end{tabular}
\end{textblock}
\begin{textblock}{1}(7,4.5)
\begin{tabular}{c}
%\includegraphics[scale=3]{pics/store.png}\\[-2mm]
\end{tabular}
\end{textblock}
\begin{textblock}{1}(12,6.5)
\begin{tabular}{c}
%\includegraphics[scale=0.8]{pics/factory.png}\\[-1mm]
\small terminal\\[-2mm] \small producer
\end{tabular}
\end{textblock}
\begin{textblock}{1}(4.5,9.9)
\begin{tabular}{c}
%\includegraphics[scale=0.13]{pics/rman.png}\\[-1mm]
\small customer / you
\end{tabular}
\end{textblock}
\begin{textblock}{1}(4.5,7.5)
\begin{tikzpicture}[scale=1.3]
\draw[white] (0,0) node (X) {};
\draw[white] (1,-1) node (Y) {};
\draw[gray, ->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}
\begin{textblock}{1}(6.8,7.5)
\begin{tikzpicture}[scale=1.3]
\draw[white] (0,0) node (X) {};
\draw[white] (1,1) node (Y) {};
\draw[gray, ->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}
\begin{textblock}{1}(4.8,5.9)
\begin{tikzpicture}[scale=1.3]
\draw[white] (0,0) node (X) {};
\draw[white] (1.4,0) node (Y) {};
\draw[gray, <->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}
\begin{textblock}{1}(10,7)
\begin{tikzpicture}[scale=1.6]
\draw[white] (0,0) node (X) {};
\draw[white] (-1,0.6) node (Y) {};
\draw[gray, ->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}
\begin{textblock}{14}(1,13.5)
\begin{itemize}
\item the burden of proof for fraud and financial liability was shifted to the customer
\end{itemize}
\end{textblock}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Being Screwed Again\end{tabular}}
\begin{flushright}
%\includegraphics[scale=0.3]{pics/rbssecure.jpg}
\end{flushright}
\begin{itemize}
\item {\bf Responsibility}\\
``You understand that you are financially responsible for all uses of RBS Secure.''\\
\textcolor{lightgray}{\footnotesize\url{https://www.rbssecure.co.uk/rbs/tdsecure/terms_of_use.jsp}}
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Web Applications\end{tabular}}
\begin{textblock}{1}(2,5)
\begin{tabular}{c}
%\includegraphics[scale=0.15]{pics/servers.png}\\[-2mm]
\small Servers from\\[-2mm]
\small Dot.com Inc.
\end{tabular}
\end{textblock}
\begin{textblock}{1}(5.6,6)
\begin{tikzpicture}[scale=2.5]
\draw[white] (0,0) node (X) {};
\draw[white] (1,0) node (Y) {};
\only<2>{\draw[red, <-, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{GET request}] at ($ (X)!.5!(Y) $) {};}
\only<3>{\draw[red, ->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{webpage}] at ($ (X)!.5!(Y) $) {};}
\only<4>{\draw[red, <-, line width = 2mm] (X) -- (Y);
\node [inner sep=7pt,label=above:\textcolor{black}{POST data}] at ($ (X)!.5!(Y) $) {};}
\end{tikzpicture}
\end{textblock}
\begin{textblock}{1}(9,5.5)
\begin{tabular}{c}
%\includegraphics[scale=0.15]{pics/laptop.png}\\[-2mm]
\small Client(s)
\end{tabular}
\end{textblock}
\begin{textblock}{13}(1,13)
\begin{itemize}
\item What are the pitfalls and best practices?
\end{itemize}
\end{textblock}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Scala + Play\end{tabular}}
\footnotesize a simple response from the server:
%{\lstset{language=Scala}\fontsize{8}{10}\selectfont
%\texttt{\lstinputlisting{app0.scala}}}\bigskip
\footnotesize
alternative response:\\
{\lstset{language=Scala}\fontsize{8}{10}\selectfont
\texttt{\lstinline{Ok("<H1>Hello world!</H1>").as(HTML)}}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
%{\lstset{language=Scala}\fontsize{8}{10}\selectfont
%\texttt{\lstinputlisting{app1.scala}}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Cookies\end{tabular}}
\begin{textblock}{1}(1.5,5)
\begin{tabular}{c}
%\includegraphics[scale=0.15]{pics/servers.png}\\[-2mm]
\small Servers from\\[-2mm]
\small Dot.com Inc.
\end{tabular}
\end{textblock}
\begin{textblock}{1}(5.6,5.6)
\begin{tikzpicture}[scale=2.5]
\draw[white] (0,0) node (X) {};
\draw[white] (1,0) node (Y) {};
\draw[white] (0.05,-0.3) node (X1) {};
\draw[white] (0.95,-0.3) node (Y1) {};
\only<1-2>{\draw[red, <-, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{GET request}] at ($ (X)!.5!(Y) $) {};}
\only<1>{\draw[white, <-, line width = 1mm] (X1) -- (Y1);
\node [inner sep=2pt,label=below:\textcolor{white}{read a cookie}] at ($ (X1)!.5!(Y1) $) {};}
\only<2>{\draw[red, <-, line width = 1mm] (X1) -- (Y1);
\node [inner sep=2pt,label=below:\textcolor{black}{read a cookie}] at ($ (X1)!.5!(Y1) $) {};}
\only<3->{\draw[red, ->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{webpage}] at ($ (X)!.5!(Y) $) {};}
\only<3->{\draw[red, ->, line width = 1mm] (X1) -- (Y1);
\node [inner sep=2pt,label=below:\textcolor{black}{write a cookie}] at ($ (X1)!.5!(Y1) $) {};}
\end{tikzpicture}
\end{textblock}
\begin{textblock}{1}(9.5,5.5)
\begin{tabular}{c}
%\includegraphics[scale=0.15]{pics/laptop.png}\\[-2mm]
\small Client
\end{tabular}
\end{textblock}
\only<4->{
\begin{textblock}{13}(1,11)
\small\begin{itemize}
\item cookies: max 4KB data\\[-2mm]
\item cookie theft, cross-site scripting attacks\\[-2mm]
\item session cookies, persistent cookies, HttpOnly cookies, third-party cookies, zombie cookies
\end{itemize}
\end{textblock}}
\only<5>{
\begin{textblock}{11}(1,3)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\normalsize\color{darkgray}
\begin{minipage}{10cm}\raggedright\small
{\bf EU Privacy Directive about Cookies:}\smallskip\\
``In May 2011, a European Union law was passed stating that websites that leave non-essential cookies on visitors' devices have to alert the visitor and get acceptance from them. This law applies to both individuals and businesses based in the EU regardless of the nationality of their website's visitors or the location of their web host. It is not enough to simply update a website's terms and conditions or privacy policy. The deadline to comply with the new EU cookie law was 26th May 2012 and failure to do so could mean a fine of up to \pounds{}500,000.''
\hfill\small\textcolor{gray}{$\rightarrow$BBC News}
\end{minipage}};
\end{tikzpicture}
\end{textblock}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\begin{itemize}
\item Although cookies are scoped per web-page, this restriction can easily be circumvented.
\end{itemize}
\begin{textblock}{1}(1.5,4.5)
\begin{tabular}{c}
%\includegraphics[scale=0.07]{pics/servers.png}\\[-2mm]
\small Pet Store\\[-2mm]
\small Dot.com\\[-2mm]
\end{tabular}
\end{textblock}
\begin{textblock}{1}(1.5,8)
\begin{tabular}{c}
%\includegraphics[scale=0.07]{pics/servers.png}\\[-2mm]
\small Dating.com
\end{tabular}
\end{textblock}
\begin{textblock}{1}(10.5,7.5)
\begin{tabular}{c}
%\includegraphics[scale=0.07]{pics/servers.png}\\[-2mm]
\small Evil-Ad-No\\[-2mm]
\small Privacy.com
\end{tabular}
\end{textblock}
\begin{textblock}{1}(6,10.5)
\begin{tabular}{c}
%\includegraphics[scale=0.16]{pics/rman.png}\\[-1mm]
\small you
\end{tabular}
\end{textblock}
\begin{textblock}{1}(4,5)
\begin{tikzpicture}[scale=1]
\draw[white] (0,0.5) node (X) {};
\draw[white] (5.7,-1) node (Y) {};
\draw[red, ->, line width = 0.5mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}
\begin{textblock}{1}(4,7.9)
\begin{tikzpicture}[scale=1]
\draw[white] (0,0) node (X) {};
\draw[white] (5.7,0) node (Y) {};
\draw[red, ->, line width = 0.5mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}
\begin{textblock}{1}(3.3,9.3)
\begin{tikzpicture}[scale=1.2]
\draw[white] (0,0) node (X) {};
\draw[white] (1.5,-1) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\draw[white] (0.9,0.3) node (X1) {};
\draw[white] (1.9,-1) node (Y1) {};
\draw[red, <->, line width = 2mm] (X1) -- (Y1);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X1)!.5!(Y1) $) {};
\end{tikzpicture}
\end{textblock}
\begin{textblock}{1}(8.6,10.1)
\begin{tikzpicture}[scale=0.9]
\draw[white] (0,0) node (X) {};
\draw[white] (-2,-1) node (Y) {};
\draw[red, <->, line width = 0.5mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}My First Webapp\end{tabular}}
{\bf GET request:}\smallskip
\begin{enumerate}
\item read the cookie from client
\item if none is present, set \texttt{visits} to \textcolor{blue}{$0$}
\item if cookie is present, extract \texttt{visits} counter
\item if \texttt{visits} is greater or equal \textcolor{blue}{$10$}, \\
print a valued customer message\\
otherwise just a normal message
\item increase \texttt{visits} by \textcolor{blue}{$1$} and store new cookie with client
\end{enumerate}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\mbox{}\\[-9mm]
%{\lstset{language=Scala}\fontsize{8}{10}\selectfont
%\texttt{\lstinputlisting{app2.scala}}}
\footnotesize
\begin{itemize}
\item cookie value encoded as a hash
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\begin{center}
%\includegraphics[scale=1.8]{pics/barrier.jpg}
\end{center}
\begin{itemize}
\item data integrity needs to be ensured
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\mbox{}\\[-7mm]
%{\lstset{language=Scala}\fontsize{8}{10}\selectfont
%\texttt{\lstinputlisting{app3.scala}}}
\small
\begin{itemize}
\item the counter/hash pair is intended to prevent tampering
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}SHA-1\end{tabular}}
\begin{itemize}
\item SHA-1 is a cryptographic hash function\\
(MD5, SHA-256, SHA-512, \ldots)
\item message $\rightarrow$ digest
\item no known attack exists, except brute force\bigskip\pause
\item but dictionary attacks are very ef$\!$fective for extracting passwords (later)
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\mbox{}\\[-9mm]
%{\lstset{language=Scala}\fontsize{8}{10}\selectfont
%\texttt{\lstinputlisting{app4.scala}}}
\begin{textblock}{1}(9,1)
\begin{tikzpicture}[scale=1.3]
\draw[white] (0,0) node (X) {};
\draw[white] (3,0) node (Y) {};
\draw[red, <-, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{\small should be random}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}
\begin{textblock}{1}(6.6,4.9)
\begin{tikzpicture}[scale=1.3]
\draw[white] (0,0) node (X) {};
\draw[white] (1,-1) node (Y) {};
\draw[red, <-, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:{}] at ($ (X)!.5!(Y) $) {};
\end{tikzpicture}
\end{textblock}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Unix Passwords\end{tabular}}
\begin{itemize}
\item passwords are \alert{\bf not} stored in clear text
\item instead \texttt{/etc/shadow} contains
\end{itemize}
{\small
\texttt{name:\$1\$QIGCa\$/ruJs8AvmrknzKTzM2TYE.:other\_info}
}
\begin{itemize}
\item \texttt{\$} is separator
\item \texttt{1} means MD5 (nowadays SHA-512, id \texttt{6}, is used)
\item \texttt{QIGCa} is salt
\item \texttt{ruJs8AvmrknzKTzM2TYE} is the hash of password + salt
\end{itemize}
\textcolor{gray}{\small
(\texttt{openssl passwd -1 -salt QIGCa pippo})
}
% Unix password
% http://ubuntuforums.org/showthread.php?p=5318038
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Password Blunders\end{tabular}}
\begin{itemize}
\item in late 2009, an SQL injection attack against the online games
service RockYou.com exposed 32 million \alert{plaintext} passwords
\item 1.3 million Gawker credentials exposed in December 2010 containing
unsalted(?) \alert{MD5} hashes
\item on June 6th, 2012, 6 million unsalted SHA-1 password hashes were leaked from LinkedIn
% linkedIn password
% http://erratasec.blogspot.co.uk/2012/06/confirmed-linkedin-6mil-password-dump.html
\end{itemize}\medskip
\small
The average web user maintains 25 separate accounts but uses just 6.5 passwords.
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%For instance, SHA512crypt, which is included in Mac OS X and most Unix-based operating systems, passes text through 5,000 iterations, a %hurdle that would have limited Gosney to slightly less than 2,600 guesses per second. The Bcrypt algorithm is even more computationally %expensive, in large part because it subjects text to multiple iterations of the Blowfish cipher that was deliberately modified to increase the %time required to generate a hash. PBKDF2, a function built into Microsoft's .Net software developer framework, offers similar benefits.
% rainbow tables
% http://en.wikipedia.org/wiki/Rainbow_table
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Brute Forcing Passwords\end{tabular}}
\begin{itemize}
\item How fast can hackers crack SHA-1 passwords? \pause
\item The answer is 2 billion attempts per second\\
using a Radeon HD 7970
\end{itemize}
\begin{center}
\begin{tabular}{@ {\hspace{-12mm}}rl}
password length & time\smallskip\\\hline
5 letters & 5 secs\\
6 letters & 500 secs\\
7 letters & 13 hours\\
8 letters & 57 days\\
9 letters & 15 years\\
\end{tabular}
\end{center}
\small
5 letters $\approx 100^5 = 10$ billion combinations\\
(1 letter --- upper case, lower case, digits, symbols $\approx 100$ possibilities)
\only<2->{
\begin{textblock}{1}(12,5)
\begin{tabular}{c}
%\includegraphics[scale=0.3]{pics/radeon.jpg}\\[-6mm]
\footnotesize graphics card\\[-1mm]
\footnotesize ca.~\pounds{}300
\end{tabular}
\end{textblock}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Passwords\end{tabular}}
How to recover from a break-in?\pause\medskip
\begin{itemize}
\item Do not send passwords in plain text.
\item Security questions are tricky to get right.
\item QQ (Chinese Skype) authenticates you via contacts.
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}This Course\end{tabular}}
\begin{itemize}
\item break-ins (buffer overflows)
\item access control\\ (role based, data security / data integrity)
\item protocols\\
(specification)
\item access control logic
\item privacy
\begin{quote}
Scott McNealy: \\``You have zero privacy anyway. Get over it.''
\end{quote}
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Books + Homework\end{tabular}}
\begin{itemize}
\item there is no single book I am following
\begin{center}
%\includegraphics[scale=0.012]{pics/andersonbook1.jpg}
%\includegraphics[scale=0.23]{pics/accesscontrolbook.jpg}
\end{center}\medskip\pause
\item The question ``Is this relevant for the exams'' is not appreciated!\medskip\\
Whatever is in the homework sheets (and is not marked optional) is relevant for the
exam. No code needs to be written.
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Take-Home Points\end{tabular}}
\begin{itemize}
\item Never store passwords in plain text.\medskip
\item Always salt your hashes!\medskip
\item Use an existing algorithm; do not write your own!
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Thinking as a Defender\end{tabular}}
\begin{itemize}
\item What are you trying to protect?
\item What properties are you trying to enforce?\medskip
\item Who are the attackers? Capabilities? Motivations?
\item What kind of attack are we trying to protect against?
\item Who can fix any vulnerabilities?\medskip
\item What are the weaknesses of the system?
\item What will successful attacks cost us?
\item How likely are the attacks?
\end{itemize}
\small
\textcolor{gray}{Security almost always is {\bf not} free!}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}The Security Mindset\end{tabular}}
\begin{itemize}
\item How things can go wrong.
\item Think outside the box.
\end{itemize}\bigskip
The dif$\!$ference from a criminal is that a security engineer only \alert{\bf thinks} about how things can go wrong.
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{c}Maps in Scala\end{tabular}}
\begin{itemize}
\item {\bf\texttt{map}} takes a function, say f, and applies it to every element of the list:
\end{itemize}
\begin{textblock}{15}(2,7)
\fontsize{13}{14}\selectfont
\bf\texttt{List(1, 2, 3, 4, 5, 6, 7, 8, 9)}
\end{textblock}
\begin{textblock}{15}(2,10)
\fontsize{13}{14}\selectfont
\bf\texttt{List(1, 4, 9, 16, 25, 36, 49, 64, 81)}
\end{textblock}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}
%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: