diff -r 3a5e09a2ae54 -r b606c9439fa6 slides01.tex --- a/slides01.tex Tue Sep 25 21:01:23 2012 +0100 +++ b/slides01.tex Wed Sep 26 02:08:55 2012 +0100 @@ -71,7 +71,7 @@ showstringspaces=false} % beamer stuff -\renewcommand{\slidecaption}{APP 01, King's College London, 25.~September 2012} +\renewcommand{\slidecaption}{AFL 01, King's College London, 26.~September 2012} \begin{document} @@ -81,12 +81,15 @@ \begin{frame}<1>[t] \frametitle{% \begin{tabular}{@ {}c@ {}} - \LARGE Access Control and \\[-3mm] - \LARGE Privacy Policies (1)\\[-6mm] + \\[-3mm] + \LARGE Automata and \\[-2mm] + \LARGE Formal Languages (1)\\[-3mm] \end{tabular}} \begin{center} - %\includegraphics[scale=1.3]{pics/barrier.jpg} + \includegraphics[scale=0.3]{pics/ante1.jpg}\hspace{5mm} + \includegraphics[scale=0.31]{pics/ante2.jpg}\\ + \footnotesize\textcolor{gray}{Antikythera automaton, 100 BC (Archimedes?)} \end{center} \normalsize 
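Review bot: The title frame's two photographs are sized with separate hand-tuned factors, `scale=0.3` and `scale=0.31`, which line their heights up only by trial; sizing both by one common height keeps them aligned without tuning: `\includegraphics[height=0.35\textheight]{pics/ante1.jpg}\hspace{5mm}` and `\includegraphics[height=0.35\textheight]{pics/ante2.jpg}\\`. The leading `\\[-3mm]` in the `\frametitle` tabular is a row with no content that exists only to move the two-line title down; a comment such as `% empty first row: vertical nudge for the two-line title` would make that intent explicit to the next editor. The frame's `\end{frame}` lies outside the hunk.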
@@ -104,183 +107,46 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ -\begin{frame} - -\begin{center} -%\includegraphics[scale=2.1]{pics/barrier.jpg} -\end{center} - -\end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}Security Engineers\end{tabular}} - -According to Bruce Schneier, {\bf security engineers} require -a particular {\bf mindset}:\bigskip - -\begin{tikzpicture} -\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] -{\normalsize\color{darkgray} -\begin{minipage}{10cm}\raggedright\small -``Security engineers --- at least the good ones --- see the world dif$\!$ferently. -They can't walk into a store without noticing how they might shoplift. They can't -use a computer without wondering about the security vulnerabilities. They can't -vote without trying to figure out how to vote twice. They just can't help it.'' -\end{minipage}}; -\end{tikzpicture} - -\begin{flushright} -%\includegraphics[scale=0.0087]{pics/schneierbook1.jpg}\; -%\includegraphics[scale=0.0087]{pics/schneierbook2.jpg}\; -%\includegraphics[scale=0.85]{pics/schneier.png} -\end{flushright} - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}Chip-and-PIN\end{tabular}} - -\begin{center} -%\includegraphics[scale=0.3]{pics/creditcard1.jpg}\; -%\includegraphics[scale=0.3]{pics/creditcard2.jpg} -\end{center} -\begin{itemize} -\item Chip-and-PIN was introduced in the UK in 2004 -\item before that customers had to sign a receipt\medskip -\item Is Chip-and-PIN a more secure system? 
-\end{itemize} - -\begin{flushright} -\small\textcolor{gray}{(Some other countries still use the old method.)} -\end{flushright} - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}Yes \ldots\end{tabular}} - -\begin{tikzpicture} -\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] -{\normalsize\color{darkgray} -\begin{minipage}{10cm}\raggedright\small -``Chip-and-PIN is so effective in this country [UK] that fraudsters are starting to move their activities overseas,'' -said Emile Abu-Shakra, spokesman for Lloyds TSB (in the Guardian, 2006). -\end{minipage}}; -\end{tikzpicture}\bigskip - - -\begin{itemize} -\item mag-stripe cards cannot be cloned anymore -\item stolen or cloned cards need to be used abroad -\item fraud on lost, stolen and counterfeit credit cards was down \pounds{}60m (24\%) on 2004's figure -\end{itemize} - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}But let's see \ldots\end{tabular}} - - -\begin{textblock}{1}(3,4) +\begin{textblock}{1}(2,5) \begin{tabular}{c} -%\includegraphics[scale=0.3]{pics/bank.png}\\[-2mm] -\small Bank +\includegraphics[scale=0.15]{pics/servers.png}\\[-2mm] +\small Server \end{tabular} \end{textblock} -\begin{textblock}{1}(7,4.5) -\begin{tabular}{c} -%\includegraphics[scale=3]{pics/store.png}\\[-2mm] -\end{tabular} -\end{textblock} - -\begin{textblock}{1}(4.5,9.9) -\begin{tabular}{c} -%\includegraphics[scale=0.16]{pics/rman.png}\\[-1mm] -\small costumer / you -\end{tabular} -\end{textblock} - -\only<2->{ -\begin{textblock}{1}(4.5,7.5) - \begin{tikzpicture}[scale=1.3] - \draw[white] (0,0) node (X) {}; - \draw[white] (1,-1) node (Y) {}; - \draw[red, ->, line 
width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {}; - \end{tikzpicture} -\end{textblock}} - -\only<3->{ -\begin{textblock}{1}(6.8,7.5) - \begin{tikzpicture}[scale=1.3] - \draw[white] (0,0) node (X) {}; - \draw[white] (1,1) node (Y) {}; - \draw[red, ->, line width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {}; +\begin{textblock}{1}(5.6,4) + \begin{tikzpicture}[scale=1.1] + \draw[white] (0,1) node (X) {}; + \draw[white] (2,1) node (Y) {}; + \draw[white] (0,0) node (X1) {}; + \draw[white] (2,0) node (Y1) {}; + \draw[white] (0,-1) node (X2) {}; + \draw[white] (2,-1) node (Y2) {}; + \draw[red, <-, line width = 2mm] (X) -- (Y); + \node [inner sep=5pt,label=above:\textcolor{black}{GET request}] at ($ (X)!.5!(Y) $) {}; + \draw[red, ->, line width = 2mm] (X1) -- (Y1); + \node [inner sep=5pt,label=above:\textcolor{black}{webpage}] at ($ (X1)!.5!(Y1) $) {}; + \draw[red, <-, line width = 2mm] (X2) -- (Y2); + \node [inner sep=7pt,label=above:\textcolor{black}{POST data}] at ($ (X2)!.5!(Y2) $) {}; \end{tikzpicture} \end{textblock} -\begin{textblock}{1}(4.8,5.9) - \begin{tikzpicture}[scale=1.3] - \draw[white] (0,0) node (X) {}; - \draw[white] (1.4,0) node (Y) {}; - \draw[red, <->, line width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {}; - \end{tikzpicture} -\end{textblock}} -\only<4->{ -\begin{textblock}{1}(12,6.5) +\begin{textblock}{1}(9,5.5) \begin{tabular}{c} -%\includegraphics[scale=0.8]{pics/factory.png}\\[-1mm] -\small card\\[-2mm]\small terminal\\[-2mm] \small producer +\includegraphics[scale=0.15]{pics/laptop.png}\\[-2mm] +\small Browser \end{tabular} \end{textblock} -\begin{textblock}{1}(10,7) - \begin{tikzpicture}[scale=1.6] - \draw[white] (0,0) node (X) {}; - \draw[white] (-1,0.6) node (Y) {}; - \draw[red, ->, line width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) 
{}; - \end{tikzpicture} -\end{textblock}} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Chip-and-PIN\end{tabular}} - - +\only<2>{ +\begin{textblock}{10}(2,13.5) \begin{itemize} -\item A ``tamperesitant'' terminal playing Tetris on -\textcolor{blue}{\href{http://www.youtube.com/watch?v=wWTzkD9M0sU}{youtube}}.\\ -\textcolor{lightgray}{\footnotesize(\url{http://www.youtube.com/watch?v=wWTzkD9M0sU})} +\item programming languages, compilers \end{itemize} - - -%\includegraphics[scale=0.2]{pics/tetris.jpg} +\end{textblock}} \end{frame}} 
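Review bot: The six `\draw[white] (x,y) node (X) {};` lines in the new textblock at (5.6,4) exist only to name anchor points, and drawing an invisible empty node is an indirect way to do that; `\coordinate (X) at (0,1);` names the point without drawing anything, and the three arrows and their midpoint labels can stay as written. One visible consequence: the arrows would then run between the points themselves rather than between the empty nodes' borders, so they come out slightly longer; `shorten <=2pt, shorten >=2pt` on the arrow options restores the gap if wanted. The frame also has no `\frametitle`, unlike the sibling frames in this file, so the slide carries no heading above the server/browser diagram; if that is deliberate, a short `% no title: full-frame diagram` comment would save the reader from wondering. The enclosing frame starts at the hunk's context line `\begin{frame}[c]`.
```latex
  \begin{tikzpicture}[scale=1.1]
  \coordinate (X)  at (0,1);
  \coordinate (Y)  at (2,1);
  \coordinate (X1) at (0,0);
  \coordinate (Y1) at (2,0);
  \coordinate (X2) at (0,-1);
  \coordinate (Y2) at (2,-1);
  % … unchanged: the three arrows and their GET request / webpage / POST data labels …
```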
@@ -289,62 +155,93 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}Chip-and-PIN\end{tabular}} + +transforming strings into structured data\\[10mm] +{\LARGE\bf Lexing}\medskip\\ +\hspace{5mm}(recognising ``words'')\\[6mm] -\begin{itemize} -\item in 2006, Shell petrol stations stopped accepting Chip-and-PIN after \pounds{}1m had been stolen from customer accounts\smallskip -\item in 2008, hundreds of card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been -expertly tampered with shortly after manufacture so that details and PINs of credit cards were sent during the 9 months -before over mobile phone networks to criminals in Lahore, Pakistan -\end{itemize} - +{\LARGE\bf Parsing}\medskip\\ +\hspace{5mm}(recognising ``sentences'') + \end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}Chip-and-PIN is Broken\end{tabular}} -\begin{flushright} -%\includegraphics[scale=0.01]{pics/andersonbook1.jpg}\; -%\includegraphics[scale=1.5]{pics/anderson.jpg} -\end{flushright} +The subject is quite old: \begin{itemize} -\item man-in-the-middle attacks by the group around Ross Anderson\medskip +\item Turing Machines, 1936 +\item first compiler for COBOL, 1957 (Grace Hopper) +\item but surprisingly research papers are still published now \end{itemize} -\begin{center} -\mbox{}\hspace{-20mm}%\includegraphics[scale=0.5]{pics/chip-attack.png} -\end{center} +\begin{flushright} +\includegraphics[scale=0.3]{pics/hopper.jpg}\\ +\footnotesize\textcolor{gray}{Grace Hopper} +\end{flushright} + +{\footnotesize\textcolor{gray}{(she made it to David Letterman's Tonight Show, \url{http://www.youtube.com/watch?v=aZOxtURhfEU})}} +\end{frame}} 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}This Course\end{tabular}} -\begin{textblock}{1}(11.5,13.7) -\begin{tabular}{l} -\footnotesize on BBC Newsnight\\[-2mm] -\footnotesize in 2010 or \textcolor{blue}{\href{http://www.youtube.com/watch?v=JPAX32lgkrw}{youtube}} -\end{tabular} -\end{textblock} - +\begin{itemize} +\item regular expression / regular expression matching +\item a bit of sets (of strings) +\item automata +\item the Myhill-Nerode theorem +\item parsing +\item grammars +\item a small interpreter / webbrowser +\end{itemize} + \end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}This Course\end{tabular}} + +\begin{itemize} +\item the ultimate goal is to implement a small web-browser (really small)\bigskip +\end{itemize} + +Let's start with: + +\begin{itemize} +\item a web-crawler +\item an email harvester +\item a web-scraper +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}Chip-and-PIN is Really Broken\end{tabular}} +\frametitle{\begin{tabular}{c}Scala\end{tabular}} + +\footnotesize a simple function for reading webpages -\begin{flushright} -%\includegraphics[scale=0.01]{pics/andersonbook1.jpg}\; -%\includegraphics[scale=1.5]{pics/anderson.jpg} -\end{flushright} +{\lstset{language=Scala}\fontsize{8}{10}\selectfont +\texttt{\lstinputlisting{app0.scala}}}\pause\bigskip -\begin{itemize} -\item same group successfully attacked this year card readers and ATM machines -\item the problem: several types of ATMs generate 
poor random numbers, which are used as nonces -\end{itemize} +\footnotesize +{\lstset{language=Scala}\fontsize{8}{10}\selectfont +\texttt{\lstinputlisting{app1.scala}}} + \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
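Review bot: In the new Scala frame each listing is wrapped as `\texttt{\lstinputlisting{app0.scala}}`, but `\lstinputlisting` typesets a display block read from a file and takes its font from the listings `basicstyle` key, so the surrounding `\texttt{}` contributes nothing and places a display environment inside a command argument, which works by accident at best. Setting the style once is cleaner: `\lstset{language=Scala,basicstyle=\ttfamily\fontsize{8}{10}\selectfont}` followed by a bare `\lstinputlisting{app0.scala}`, and the same for the `app1.scala` listing below it. The headings `{\LARGE\bf Lexing}` and `{\LARGE\bf Parsing}` in the first frame of this hunk use the plain-TeX `\bf` switch, which `nag` flags as obsolete; `{\LARGE\bfseries Lexing}` is the LaTeX form. The `\hspace{5mm}` indents under those headings hand-lay-out what an `itemize` or `description` environment would give for free, though that is a matter of taste.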
@@ -352,170 +249,8 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}The Problem \ldots\end{tabular}} -\begin{textblock}{1}(3,4) -\begin{tabular}{c} -%\includegraphics[scale=0.3]{pics/bank.png}\\[-2mm] -\small Bank -\end{tabular} -\end{textblock} - -\begin{textblock}{1}(7,4.5) -\begin{tabular}{c} -%\includegraphics[scale=3]{pics/store.png}\\[-2mm] -\end{tabular} -\end{textblock} - -\begin{textblock}{1}(12,6.5) -\begin{tabular}{c} -%\includegraphics[scale=0.8]{pics/factory.png}\\[-1mm] -\small terminal\\[-2mm] \small producer -\end{tabular} -\end{textblock} - -\begin{textblock}{1}(4.5,9.9) -\begin{tabular}{c} -%\includegraphics[scale=0.13]{pics/rman.png}\\[-1mm] -\small costumer / you -\end{tabular} -\end{textblock} - -\begin{textblock}{1}(4.5,7.5) - \begin{tikzpicture}[scale=1.3] - \draw[white] (0,0) node (X) {}; - \draw[white] (1,-1) node (Y) {}; - \draw[gray, ->, line width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {}; - \end{tikzpicture} -\end{textblock} - -\begin{textblock}{1}(6.8,7.5) - \begin{tikzpicture}[scale=1.3] - \draw[white] (0,0) node (X) {}; - \draw[white] (1,1) node (Y) {}; - \draw[gray, ->, line width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {}; - \end{tikzpicture} -\end{textblock} - -\begin{textblock}{1}(4.8,5.9) - \begin{tikzpicture}[scale=1.3] - \draw[white] (0,0) node (X) {}; - \draw[white] (1.4,0) node (Y) {}; - \draw[gray, <->, line width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {}; - \end{tikzpicture} -\end{textblock} - -\begin{textblock}{1}(10,7) - \begin{tikzpicture}[scale=1.6] - \draw[white] (0,0) node (X) {}; - \draw[white] (-1,0.6) node (Y) {}; - \draw[gray, ->, line width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {}; - \end{tikzpicture} -\end{textblock} 
- -\begin{textblock}{14}(1,13.5) -\begin{itemize} -\item the burden of proof for fraud and financial liability was shifted to the costumer -\end {itemize} -\end{textblock} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Being Screwed Again\end{tabular}} - - -\begin{flushright} -%\includegraphics[scale=0.3]{pics/rbssecure.jpg} -\end{flushright} - -\begin{itemize} -\item {\bf Responsibility}\\ -``You understand that you are financially responsible for all uses of RBS Secure.''\\ -\textcolor{lightgray}{\footnotesize\url{https://www.rbssecure.co.uk/rbs/tdsecure/terms_of_use.jsp}} -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Web Applications\end{tabular}} - - -\begin{textblock}{1}(2,5) -\begin{tabular}{c} -%\includegraphics[scale=0.15]{pics/servers.png}\\[-2mm] -\small Servers from\\[-2mm] -\small Dot.com Inc. 
-\end{tabular} -\end{textblock} - -\begin{textblock}{1}(5.6,6) - \begin{tikzpicture}[scale=2.5] - \draw[white] (0,0) node (X) {}; - \draw[white] (1,0) node (Y) {}; - \only<2>{\draw[red, <-, line width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:\textcolor{black}{GET request}] at ($ (X)!.5!(Y) $) {};} - \only<3>{\draw[red, ->, line width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:\textcolor{black}{webpage}] at ($ (X)!.5!(Y) $) {};} - \only<4>{\draw[red, <-, line width = 2mm] (X) -- (Y); - \node [inner sep=7pt,label=above:\textcolor{black}{POST data}] at ($ (X)!.5!(Y) $) {};} - \end{tikzpicture} -\end{textblock} - - -\begin{textblock}{1}(9,5.5) -\begin{tabular}{c} -%\includegraphics[scale=0.15]{pics/laptop.png}\\[-2mm] -\small Client(s) -\end{tabular} -\end{textblock} - -\begin{textblock}{13}(1,13) -\begin{itemize} -\item What are pitfalls and best practices? -\end{itemize} -\end{textblock} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Scala + Play\end{tabular}} - -\footnotesize a simple response from the server: - -%{\lstset{language=Scala}\fontsize{8}{10}\selectfont -%\texttt{\lstinputlisting{app0.scala}}}\bigskip - -\footnotesize -alternative response:\\ - -{\lstset{language=Scala}\fontsize{8}{10}\selectfont -\texttt{\lstinline{Ok("

Hello world!

").as(HTML)}}} -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] - -%{\lstset{language=Scala}\fontsize{8}{10}\selectfont -%\texttt{\lstinputlisting{app1.scala}}} - \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
@@ -704,296 +439,23 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] - -\begin{center} -%\includegraphics[scale=1.8]{pics/barrier.jpg} -\end{center} - -\begin{itemize} -\item data integrity needs to be ensured -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\mbox{}\\[-7mm] - -%{\lstset{language=Scala}\fontsize{8}{10}\selectfont -%\texttt{\lstinputlisting{app3.scala}}} - -\small -\begin{itemize} -\item the counter/hash pair is intended to prevent tampering -\end{itemize} -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}SHA-1\end{tabular}} - -\begin{itemize} -\item SHA-1 is a cryptographic hash function\\ -(MD5, SHA-256, SHA-512, \ldots) -\item message $\rightarrow$ digest -\item no known attack exists, except brute force\bigskip\pause -\item but dictionary attacks are very ef$\!$fective for extracting passwords (later) -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\mbox{}\\[-9mm] - -%{\lstset{language=Scala}\fontsize{8}{10}\selectfont -%\texttt{\lstinputlisting{app4.scala}}} - -\begin{textblock}{1}(9,1) - \begin{tikzpicture}[scale=1.3] - \draw[white] (0,0) node (X) {}; - \draw[white] (3,0) node (Y) {}; - \draw[red, <-, line width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:\textcolor{black}{\small should be random}] at ($ (X)!.5!(Y) $) {}; - \end{tikzpicture} -\end{textblock} - -\begin{textblock}{1}(6.6,4.9) - \begin{tikzpicture}[scale=1.3] - \draw[white] (0,0) node (X) {}; - 
\draw[white] (1,-1) node (Y) {}; - \draw[red, <-, line width = 2mm] (X) -- (Y); - \node [inner sep=5pt,label=above:{}] at ($ (X)!.5!(Y) $) {}; - \end{tikzpicture} -\end{textblock} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Unix Passwords\end{tabular}} - -\begin{itemize} -\item passwords are \alert{\bf not} stored in clear text -\item instead \texttt{/etc/shadow} contains -\end{itemize} - -{\small -\texttt{name:\$1\$QIGCa\$/ruJs8AvmrknzKTzM2TYE.:other\_info} -} - -\begin{itemize} -\item \texttt{\$} is separator -\item \texttt{1} is MD5 (actually SHA-512 is used nowadays, \texttt{6}) -\item \texttt{QIGCa} is salt -\item \texttt{ruJs8AvmrknzKTzM2TYE} $\rightarrow$ password + salt -\end{itemize} - -\textcolor{gray}{\small -(\texttt{openssl passwd -1 -salt QIGCa pippo}) -} -% Unix password -% http://ubuntuforums.org/showthread.php?p=5318038 - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Password Blunders\end{tabular}} - - -\begin{itemize} -\item in late 2009, when an SQL injection attack against online games -service RockYou.com exposed 32 million \alert{plaintext} passwords - -\item 1.3 million Gawker credentials exposed in December 2010 containing -unsalted(?) 
\alert{MD5} hashes - -\item June 6th, 2012, 6 million unsalted SHA-1 passwords were leaked from linkedIn -% linkedIn password -% http://erratasec.blogspot.co.uk/2012/06/confirmed-linkedin-6mil-password-dump.html -\end{itemize}\medskip - -\small -Web user maintains 25 separate accounts but uses just 6.5 passwords - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%For instance, SHA512crypt, which is included in Mac OS X and most Unix-based operating systems, passes text through 5,000 iterations, a %hurdle that would have limited Gosney to slightly less than 2,600 guesses per second. The Bcrypt algorithm is even more computationally %expensive, in large part because it subjects text to multiple iterations of the Blowfish cipher that was deliberately modified to increase the %time required to generate a hash. PBKDF2, a function built into Microsoft's .Net software developer framework, offers similar benefits. - - -% rainbow tables -% http://en.wikipedia.org/wiki/Rainbow_table - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}Brute Forcing Passwords\end{tabular}} +\frametitle{\begin{tabular}{c}Exam\end{tabular}} \begin{itemize} -\item How fast can hackers crack SHA-1 passwords? 
\pause - -\item The answer is 2 billion attempts per second\\ -using a Radeon HD 7970 -\end{itemize} - -\begin{center} -\begin{tabular}{@ {\hspace{-12mm}}rl} -password length & time\smallskip\\\hline -5 letters & 5 secs\\ -6 letters & 500 secs\\ -7 letters & 13 hours\\ -8 letters & 57 days\\ -9 letters & 15 years\\ -\end{tabular} -\end{center} - -\small -5 letters $\approx$ 100$^5$ $=$ 10 billion combinations\\ -(1 letter - upper case, lower case, digits, symbols $\approx$ 100) - -\only<2->{ -\begin{textblock}{1}(12,5) -\begin{tabular}{c} -%\includegraphics[scale=0.3]{pics/radeon.jpg}\\[-6mm] -\footnotesize graphics card\\[-1mm] -\footnotesize ca.~\pounds{}300 -\end{tabular} -\end{textblock}} - - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Passwords\end{tabular}} - -How to recover from a breakin?\pause\medskip - -\begin{itemize} -\item Do not send passwords in plain text. -\item Security questions are tricky to get right. -\item QQ (Chinese Skype) authenticates you via contacts. -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}This Course\end{tabular}} - -\begin{itemize} -\item break-ins (buffer overflows) -\item access control\\ (role based, data security / data integrity) -\item protocols\\ -(specification) -\item access control logic -\item privacy -\begin{quote} -Scott McNealy: \\``You have zero privacy anyway. 
Get over it.'' -\end{quote} -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Books + Homework\end{tabular}} - -\begin{itemize} -\item there is no single book I am following -\begin{center} -%\includegraphics[scale=0.012]{pics/andersonbook1.jpg} -%\includegraphics[scale=0.23]{pics/accesscontrolbook.jpg} -\end{center}\medskip\pause - -\item The question ``Is this relevant for the exams'' is not appreciated!\medskip\\ +\item The question ``Is this relevant for the exams?'' is not appreciated!\bigskip\\ Whatever is in the homework sheets (and is not marked optional) is relevant for the -exam. No code needs to be written. +exam.\\ No code needs to be written. \end{itemize} \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Take-Home Points\end{tabular}} - -\begin{itemize} -\item Never store passwords in plain text.\medskip -\item Always salt your hashes!\medskip -\item Use an existing algorithm; do not write your own! -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Thinking as a Defender\end{tabular}} - -\begin{itemize} -\item What are you trying to protect? -\item What properties are you trying to enforce?\medskip - -\item Who are the attackers? Capabilities? Motivations? -\item What kind of attack are we trying to protect? -\item Who can fix any vulnerabilities?\medskip - -\item What are the weaknesses of the system? -\item What will successful attacks cost us? -\item How likely are the attacks? 
-\end{itemize} - -\small -\textcolor{gray}{Security almost always is {\bf not} free!} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}The Security Mindset\end{tabular}} - -\begin{itemize} -\item How things can go wrong. -\item Think outside the box. -\end{itemize}\bigskip - -The difference between being criminal is to only \alert{\bf think} about how things can go wrong. - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
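Review bot: In the new Exam frame the item text `… is not appreciated!\bigskip\\` and `exam.\\ No code needs to be written.` use `\\` to break paragraph text inside an `\item`, which is where `\\` belongs least (it is meant for `tabular`, `align` and the like), and `\bigskip\\` mixes a vertical skip with a forced line break to fake a second paragraph; the old side's `\medskip\\` had the same shape, the change only widens the gap. Two items give the same two-block layout with the spacing coming from the list itself: `\item The question ``Is this relevant for the exams?'' is not appreciated!` and `\item Whatever is in the homework sheets (and is not marked optional) is relevant for the exam. No code needs to be written.` The frame closes inside the hunk at `\end{frame}}`.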