--- a/handouts/ho01.tex Thu Sep 10 09:45:10 2015 +0100
+++ b/handouts/ho01.tex Sun Sep 20 22:09:58 2015 +0100
@@ -47,7 +47,7 @@
hypothetically, about ways in which you can cheat in an exam
(whether it is by hiding notes or by looking over the
shoulders of your fellow pupils). Right? To defend a system,
-you need to have this kind mindset and be able to think like
+you need to have this kind of mindset and be able to think like
an attacker. This will include understanding techniques that
can be used to compromise security and privacy in systems.
This will many times result in insights where well-intended
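Review bot: `This will many times result in insights` in the trailing context line reads awkwardly; `This will often result in insights` says the same thing cleanly and is worth fixing while this paragraph is being touched. The `kind mindset` to `kind of mindset` correction on the `+` line is right.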
@@ -137,13 +137,13 @@
generate random enough numbers (nonces) on which the security
of the underlying protocols relies.
-The problem with all this is that the banks who introduced
-Chip-and-PIN managed with the new system to shift the
-liability for any fraud and the burden of proof onto the
+The overarching problem with all this is that the banks who
+introduced Chip-and-PIN managed with the new system to shift
+the liability for any fraud and the burden of proof onto the
customer. In the old system, the banks had to prove that the
customer used the card, which they often did not bother with.
-In effect, if fraud occurred the customers were either refunded
-fully or lost only a small amount of money. This
+In effect, if fraud occurred the customers were either
+refunded fully or lost only a small amount of money. This
taking-responsibility-of-potential-fraud was part of the
``business plan'' of the banks and did not reduce their
profits too much.
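Review bot: `the banks who introduced Chip-and-PIN` on the first `+` line should be `the banks that introduced Chip-and-PIN`, since banks are organisations rather than people; the rewrap is the moment to fix it. `This taking-responsibility-of-potential-fraud was part of the ``business plan''` is hard to parse; `Absorbing the cost of potential fraud was part of the ``business plan''` keeps the meaning. Also, the reflow of lines whose words do not change makes the actual wording change (adding `overarching`) harder to spot; keeping reflow-only changes in a separate commit would help review.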
@@ -191,7 +191,7 @@
a web-application that has the feature of recording how many times a
customer visits a page. For example in order to give a discount
whenever the customer has visited a webpage some $x$ number of times
-(say $x$ equal $5$). There is one more constraint: we want to store
+(say $x$ equals $5$). There is one more constraint: we want to store
the information about the number of visits as a cookie on the
browser. I think, for a number of years the webpage of the New York
Times operated in this way: it allowed you to read ten articles per
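Review bot: `For example in order to give a discount whenever the customer has visited a webpage some $x$ number of times (say $x$ equals $5$).` is a sentence fragment; either attach it to the preceding sentence with a comma or rewrite it as `For example, a discount could be given whenever the customer has visited a webpage some $x$ number of times (say $x$ equals $5$).` The `equal` to `equals` fix itself is correct.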
@@ -200,8 +200,8 @@
was visited, because if I switched browsers I could easily circumvent
the restriction about ten articles.\footnote{Another online media that
works in this way is the Times Higher Education
- \url{http://www.timeshighereducation.co.uk}. It also uses cookies to
-restrict the number of free articles to five.}
+ \url{http://www.timeshighereducation.co.uk}. It also seems to
+ use cookies to restrict the number of free articles to five.}
To implement our web-application it is good to look under the
hood what happens when a webpage is displayed in a browser. A
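Review bot: `Another online media that works in this way` in the footnote should be `Another online publication that works in this way` (`media` is plural), and it sits on a line adjacent to the one being changed. Hedging the cookie claim with `seems to` is the right call for a statement about a third party's implementation; since cookie-based article limits change over time, the footnote could also record when this was last checked. In the trailing context, `look under the hood what happens` reads better as `look under the hood at what happens`.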
@@ -531,12 +531,12 @@
as simple as it might seem. At the beginning only ``real''
dictionaries were available (like the Oxford English
Dictionary), but such dictionaries are not optimised for the
-purpose of cracking passwords. The first real hard data about actually
-used passwords was obtained when a company called RockYou
-``lost'' 32 Million plain-text passwords. With this data of
-real-life passwords, dictionary attacks took off. Compiling
-such dictionaries is nowadays very easy with the help of
-off-the-shelf tools.
+purpose of cracking passwords. The first real hard data about
+actually used passwords was obtained when a company called
+RockYou ``lost'' at the end of 2009 32 Million plain-text
+passwords. With this data of real-life passwords, dictionary
+attacks took off. Compiling such dictionaries is nowadays very
+easy with the help of off-the-shelf tools.
These dictionary attacks can be prevented by using salts.
Remember a hacker needs to use the most likely candidates
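Review bot: `RockYou ``lost'' at the end of 2009 32 Million plain-text passwords` on the third `+` line puts the year and the count back to back, so a reader briefly sees `2009 32`; prefer `RockYou ``lost'' 32 million plain-text passwords at the end of 2009` (lowercase `million`, matching normal prose). In the trailing context, `Remember a hacker needs to use` should be `Remember that a hacker needs to use`.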
@@ -629,6 +629,14 @@
\url{http://goo.gl/dIzqMg}
\end{center}
+\noindent Here is an interesting blog-post about how a group
+``cracked'' efficiently millions of bcrypt passwords from the
+Ashley Madison leak.
+
+\begin{center}
+\url{http://goo.gl/83Ho0N}
+\end{center}
+
\noindent Clearly, passwords are a technology that comes to
the end of its usefulness, because brute force attacks become
more and more powerful and it is unlikely that humans get any
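Review bot: the new sentence about the Ashley Madison leak needs to say why millions of bcrypt hashes could be cracked efficiently; as written, a student who has just been told that slow hashes such as bcrypt resist brute force will read it as bcrypt itself being weak, so add a clause making clear that the efficiency did not come from attacking bcrypt directly, or a short summary of what the post describes. The word order `a group ``cracked'' efficiently millions of bcrypt passwords` should be `a group efficiently ``cracked'' millions of bcrypt passwords`. A goo.gl shortener also hides the destination from the reader and can stop resolving; even though the handout's earlier link uses the same style, citing the full URL (possibly alongside the short one) is more durable for a document students will keep. In the trailing context, `passwords are a technology that comes to the end of its usefulness` should be `is coming to the end of its usefulness`.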