slides/slides04.tex
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Mon, 21 Oct 2013 23:28:03 +0100
changeset 117 59d3bf386a6d
added

\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{beamerthemeplaincu}
%\usepackage[T1]{fontenc}
\usepackage[latin1]{inputenc}
\usepackage{mathpartir}
\usepackage[absolute,overlay]{textpos}
\usepackage{ifthen}
\usepackage{tikz}
\usepackage{pgf}
\usepackage{calc} 
\usepackage{ulem}
\usepackage{courier}
\usepackage{listings}
\renewcommand{\uline}[1]{#1}
\usetikzlibrary{arrows}
\usetikzlibrary{automata}
\usetikzlibrary{shapes}
\usetikzlibrary{shadows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
\usepackage{graphicx} 

% Colour palette used by the listings styles in this preamble.
\definecolor{javared}{rgb}{0.6,0,0} % for strings
\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc

% Default style for listings, with Java selected as the language.
% NOTE(review): javared is commented "for strings", but stringstyle below uses
% javagreen, so strings and comments share one colour -- confirm this is intended.
\lstset{language=Java,
	basicstyle=\ttfamily,
	keywordstyle=\color{javapurple}\bfseries,
	stringstyle=\color{javagreen},
	commentstyle=\color{javagreen},
	% comments delimited by /** and */ get their own colour
	morecomment=[s][\color{javadocblue}]{/**}{*/},
	% every line is numbered, in the left margin
	numbers=left,
	numberstyle=\tiny\color{black},
	stepnumber=1,
	numbersep=10pt,
	tabsize=2,
	% do not print visible-space markers, neither in code nor inside strings
	showspaces=false,
	showstringspaces=false}

% Language definition "scala" for the listings package: keyword list,
% operator-like keywords, and the comment and string delimiters.
\lstdefinelanguage{scala}{
  morekeywords={abstract,case,catch,class,def,%
    do,else,extends,false,final,finally,%
    for,if,implicit,import,match,mixin,%
    new,null,object,override,package,%
    private,protected,requires,return,sealed,%
    super,this,throw,trait,true,try,%
    type,val,var,while,with,yield},
  % symbolic tokens highlighted as keywords (the % in <% has to be escaped)
  otherkeywords={=>,<-,<\%,<:,>:,\#,@},
  % keywords are matched case-sensitively
  sensitive=true,
  % // starts a line comment; /* ... */ comments may be nested
  morecomment=[l]{//},
  morecomment=[n]{/*}{*/},
  % string delimiters, with backslash escapes inside the string
  morestring=[b]",
  morestring=[b]',
  morestring=[b]"""
}

% Select Scala as the listings language and set the style keys again.
% This \lstset comes after the Java one earlier in the preamble, so Scala is
% the language in effect for listings in the document body.
% Strings and comments are both coloured javagreen here.
\lstset{language=Scala,
	basicstyle=\ttfamily,
	keywordstyle=\color{javapurple}\bfseries,
	stringstyle=\color{javagreen},
	commentstyle=\color{javagreen},
	% comments delimited by /** and */ get their own colour
	morecomment=[s][\color{javadocblue}]{/**}{*/},
	% every line is numbered, in the left margin
	numbers=left,
	numberstyle=\tiny\color{black},
	stepnumber=1,
	numbersep=10pt,
	tabsize=2,
	% do not print visible-space markers, neither in code nor inside strings
	showspaces=false,
	showstringspaces=false}

% beamer stuff 
% Caption text for the slides; \slidecaption is renewed here, so it is
% presumably defined by the beamerthemeplaincu theme -- TODO confirm.
% NOTE(review): the caption says "APP 03" and "2014", while the title frame
% reads "(4)" and the file is slides04.tex -- confirm lecture number and date.
\renewcommand{\slidecaption}{APP 03, King's College London, 22 October 2014}
% Replace the font used by verbatim environments. \verbatim@font contains an @,
% hence the \makeatletter/\makeatother pair. \consolas is not defined in this
% file; presumably it comes from the theme -- TODO confirm.
\makeatletter
\def\verbatim@font{\consolas\footnotesize}
\makeatother

\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}<1>[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Access Control and \\[-3mm] 
  \LARGE Privacy Policies (4)\\[-6mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

\normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Office: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also home work is there)\\
  \end{tabular}
  \end{center}


\end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{center}
\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
two weeks ago: buffer overflow attacks
\end{center}

  
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{Buffer Overflows}

\begin{verbatim}
As a proof-of-concept, the following URL allows 
attackers to control the return value saved on 
the stack (the vulnerability is triggered when
executing "/usr/sbin/widget"):

 curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB

The value of the "hash" HTTP GET parameter consists in 
292 occurrences of the 'A' character, followed by four 
occurrences of character 'B'. In our lab setup, characters 
'B' overwrite the saved program counter (%ra).

Discovery date: 06/03/2013
Release date:   02/08/2013
\end{verbatim}

\mbox{}\footnotesize\hfill\url{http://pastebin.com/vbiG42VD}  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{Backdoors}

D-Link router flaw lets anyone log in through ``Joel's Backdoor'':\medskip

If you tell your browser to identify itself as Joel's backdoor, instead of (say) 
as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
  
``What is this string,'' I hear you ask?

You will laugh: it is (read it backwards)

\begin{verbatim}
xmlset_roodkcableoj28840ybtide
\end{verbatim}


\hfill\footnotesize October 15, 2013\\
\hfill\tiny\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix}

\begin{itemize}
\item access control provided by the OS
\item authenticate principals (login)
\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
\item roles get attached with privileges\bigskip\\%
\hspace{8mm}
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
{\begin{minipage}{8cm}
\alert{principle of least privilege:}\\
programs should only have as much privilege as they need 
\end{minipage}};
\end{tikzpicture}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Access Control in Unix (2)}

\begin{itemize}
\item the idea is to restrict access to files and therefore lower the consequences of an attack\\[1cm]\mbox{}
\end{itemize}

\begin{textblock}{1}(2.5,9.5)
  \begin{tikzpicture}[scale=1]
  
  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
  \draw (4.7,1) node {Internet};
  \draw (0.6,1.7) node {\footnotesize Interface};
  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
  
  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);

  \draw[white] (1.7,1) node (X) {};
  \draw[white] (3.7,1) node (Y) {};
  \draw[red, <->, line width = 2mm] (X) -- (Y);
 
  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
  \end{tikzpicture}
\end{textblock}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
\newcommand{\bl}[1]{\textcolor{blue}{#1}}  

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control}

\begin{itemize}
\item \bl{Discretionary Access Control:}\mbox{}\medskip\\
\small Access to objects (files, directories, devices, etc.) is permitted 
based on user identity. Each object is owned by a user. Owners can 
specify freely (at their discretion) how they want to share their objects 
with other users, by specifying which other users can have which 
form of access to their objects.\medskip

Discretionary access control is implemented on any multi-user OS 
(Unix, Windows NT, etc.).
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control}

\begin{itemize}
\item \bl{Mandatory Access Control:}\mbox{}\medskip\\
\small Access to objects is controlled by a system-wide policy, for example 
to prevent certain flows of information. In some forms, the system maintains 
security labels for both objects and subjects (processes, users), based on 
which access is granted or denied. Labels can change as the result of an 
access. Security policies are enforced without the cooperation of users or 
application programs.\medskip

This is implemented today in special military operating system versions
and, for mainstream Linux, in SELinux.
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   




%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Discretionary Access Control}

In its most generic form usually given by an Access Control Matrix 
of the form

\begin{center}
\begin{tabular}{r|c|c|c}
                 & /mail/jane & edit.exe & sendmail \\\hline
jane          & r, w & r, x & r, x\\\hline
john          & $\varnothing$ & r, w, x&  r, x\\\hline
sendmail  & a & $\varnothing$ &  r, x\\
\end{tabular}
\end{center}


access privileges: {\bf r}ead, {\bf w}rite, e{\bf x}ecute, {\bf a}ppend
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Mandatory Access Control}

\begin{itemize}
\item Restrictions to allowed information flows are not decided at the user's 
discretion (as with Unix chmod), but instead enforced by system policies.

\item Mandatory access control mechanisms are aimed in particular at 
preventing policy violations by untrusted application software, which 
typically has at least the same access privileges as the invoking user.\medskip

Simple example: Air Gap Security.
Uses completely separate network and computer hardware for different application classes.
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   




%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Setuid and Setgid}

The solution is that unix file permissions are 9 + \underline{2 Bits}:
\alert{Setuid} and \alert{Setgid} Bits

\begin{itemize}
\item When a file with the setuid bit is executed, the resulting process assumes the \emph{effective} UID of the file's owner; the real UID remains the caller's.
\item This enables users to create processes as root (or another user).\bigskip

\item Essential for changing passwords, for example.
\end{itemize}

\begin{center}
\texttt{chmod 4755 fobar\_file}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}

\begin{center}
\begin{tikzpicture}[scale=1]
  
  \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
  \draw (4.7,1) node {Internet};
  \draw (0.6,1.7) node {\footnotesize Slave};
  \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
  \draw (0.6,1.7) node {\footnotesize Slave};
  \draw (0.6,0.6) node {\footnotesize Slave};
  \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
  
  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
  \draw (-2.9,1.7) node {\footnotesize Monitor};

  \draw[white] (1.7,1) node (X) {};
  \draw[white] (3.7,1) node (Y) {};
  \draw[red, <->, line width = 2mm] (X) -- (Y);
 
  \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
  \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);

  \end{tikzpicture}
\end{center}

\begin{itemize}
\item pre-authentication slave
\item post-authentication\bigskip
\item 25\% of the codebase is privileged, 75\% is unprivileged
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Network Applications}

ideally, a network application in Unix should be designed as follows:

\begin{itemize}
\item need two distinct processes
\begin{itemize}
\item one that listens to the network; has no privilege
\item one that is privileged and listens only to the first one (but does not trust it)
 
\end{itemize}

\item to implement this you need a parent process, which forks a child process
\item this child process drops privileges and listens to hostile data\medskip

\item after authentication the parent forks again and the new child becomes the user
\end{itemize}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}

There are things you just cannot solve on the programming side:\bigskip

\begin{itemize}
\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
\begin{itemize}
\item attacker:\\ 
\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
\item root:\\\texttt{rm /tmp/*/*}:
\item attacker:\\
\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
\end{itemize}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}

Unix essentially can only distinguish between two security levels (root and non-root).

\begin{itemize}
\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause 

\item Information flow: Bell--LaPadula model

\begin{itemize}
\item read: your own level and below
\item write: your own level and above
\end{itemize}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}

\begin{itemize}
\item Bell--LaPadula preserves data secrecy, but not data integrity\bigskip\pause

\item Biba model is for data integrity  

\begin{itemize}
\item read: your own level and above
\item write: your own level and below
\end{itemize}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Access Control in 2000\end{tabular}}

According to Ross Anderson (1st edition of his book), some senior Microsoft people held the
following view:

\begin{center}
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
{\begin{minipage}{10.5cm}
\small Access control does not matter. Computers are becoming single-purpose
or single-user devices. Single-purpose devices, such as Web servers that deliver a single service, don't 
need much in the way of access control as there's nothing for operating system access controls
to do; the job of separating users from each other is best left to application code. As for the PC
on your desk, if all the software on it comes from a single source, then again there's no need 
for the operating system to provide separation. \hfill{}\textcolor{gray}{(in 2000)} 
\end{minipage}};
\end{tikzpicture}
\end{center}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}Research Problems\end{tabular}}

\begin{itemize}
\item with access control we are back to the 1970s\bigskip

\only<1>{
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
{\begin{minipage}{10cm}
\small Going all the way back to early time-sharing systems we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.\\
\mbox{}\hfill--- Roger Needham
\end{minipage}};
\end{tikzpicture}}\pause

\item the largest research area in access control in 2000-07 has been ``Trusted Computing'', but thankfully it
is dead now\bigskip
\item a useful research area is to not just have robust access control, but also usable access control --- by programmers and users\\ 
(one possible answer is operating system virtualisation, e.g.~Xen, VMWare)\medskip\pause

\item electronic voting
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@ {}c@ {}}Mobile OS\end{tabular}}

\begin{itemize}
\item iOS and Android solve the defence-in-depth problem by \alert{sandboxing} applications\bigskip

\item you as developer have to specify the resources an application needs
\item the OS provides a sandbox where access is restricted to only these resources
\end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}


Security theatre is the practice of investing in countermeasures intended to provide the 
\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}

\begin{itemize}
\item for example, usual locks and strap seals are security theatre
\end{itemize}

\begin{center}
\includegraphics[scale=0.45]{pics/seal.jpg}
\end{center}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{minipage}{11cm}
From: Ross Anderson \textless{}Ross.Anderson@cl.cam.ac.uk\textgreater\\
To: cl-security-research@lists.cam.ac.uk\\
Subject: Tip off\\
Date: Tue, 02 Oct 2012 13:12:50 +0100\\

I received the following tip off, and have removed the sender's
coordinates. I suspect it is one of many security vendors who
don't even get the basics right; if you ever go to the RSA 
conference, there are a thousand such firms in the hall, each
with several eager but ignorant salesmen. A trying experience.\\

Ross
\end{minipage}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]

\begin{minipage}{11cm}
I'd like to anonymously tip you off about this\\
product:\\

{\small\url{http://www.strongauth.com/products/key-appliance.html}}\\

It sounds really clever, doesn't it?\\
\ldots\\

Anyway, it occurred to me that you and your colleagues might have a
field day discovering weaknesses in the appliance and their
implementation of security.  However, whilst I'd be willing to help
and/or comment privately, it'd have to be off the record ;-)
\end{minipage}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 1\end{tabular}}

{\bf What assets are you trying to protect?}\bigskip

This question might seem basic, but a surprising number of people never ask it. The question involves understanding the scope of the problem. For example, securing an airplane, an airport, commercial aviation, the transportation system, and a nation against terrorism are all different security problems, and require different solutions.

\only<2>{
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
{\begin{minipage}{10cm}
\small You like to prevent: ``It would be terrible if this sort of attack ever happens; we need to do everything in our power to prevent it.''
\end{minipage}};
\end{tikzpicture}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 2\end{tabular}}

{\bf What are the risks to these assets?}\bigskip

Here we consider the need for security. Answering it involves understanding what is being defended, what the consequences are if it is successfully attacked, who wants to attack it, how they might attack it, and why.

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 3\end{tabular}}

{\bf How well does the security solution mitigate those risks?}\bigskip

Another seemingly obvious question, but one that is frequently ignored. If the security solution doesn't solve the problem, it's no good. This is not as simple as looking at the security solution and seeing how well it works. It involves looking at how the security solution interacts with everything around it, evaluating both its operation and its failures.

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 4\end{tabular}}

{\bf What other risks does the security solution cause?}\bigskip

This question addresses what might be called the problem of unintended consequences. Security solutions have ripple effects, and most cause new security problems. The trick is to understand the new problems and make sure they are smaller than the old ones.

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 5\end{tabular}}

{\bf What costs and trade-offs does the security solution impose?}\bigskip

Every security system has costs and requires trade-offs. Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy. Understanding these trade-offs is essential.

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: