diff -r 948f4b39d55d -r 036a762b02cf handouts/ho01.tex --- a/handouts/ho01.tex Thu Sep 10 09:45:10 2015 +0100 +++ b/handouts/ho01.tex Sun Sep 20 22:09:58 2015 +0100 @@ -47,7 +47,7 @@ hypothetically, about ways in which you can cheat in an exam (whether it is by hiding notes or by looking over the shoulders of your fellow pupils). Right? To defend a system, -you need to have this kind mindset and be able to think like +you need to have this kind of mindset and be able to think like an attacker. This will include understanding techniques that can be used to compromise security and privacy in systems. This will many times result in insights where well-intended @@ -137,13 +137,13 @@ generate random enough numbers (nonces) on which the security of the underlying protocols relies. -The problem with all this is that the banks who introduced -Chip-and-PIN managed with the new system to shift the -liability for any fraud and the burden of proof onto the +The overarching problem with all this is that the banks who +introduced Chip-and-PIN managed with the new system to shift +the liability for any fraud and the burden of proof onto the customer. In the old system, the banks had to prove that the customer used the card, which they often did not bother with. -In effect, if fraud occurred the customers were either refunded -fully or lost only a small amount of money. This +In effect, if fraud occurred the customers were either +refunded fully or lost only a small amount of money. This taking-responsibility-of-potential-fraud was part of the ``business plan'' of the banks and did not reduce their profits too much. @@ -191,7 +191,7 @@ a web-application that has the feature of recording how many times a customer visits a page. For example in order to give a discount whenever the customer has visited a webpage some $x$ number of times -(say $x$ equal $5$). There is one more constraint: we want to store +(say $x$ equals $5$). There is one more constraint: we want to store the information about the number of visits as a cookie on the browser. I think, for a number of years the webpage of the New York Times operated in this way: it allowed you to read ten articles per @@ -200,8 +200,8 @@ was visited, because if I switched browsers I could easily circumvent the restriction about ten articles.\footnote{Another online media that works in this way is the Times Higher Education - \url{http://www.timeshighereducation.co.uk}. It also uses cookies to -restrict the number of free articles to five.} + \url{http://www.timeshighereducation.co.uk}. It also seems to + use cookies to restrict the number of free articles to five.} To implement our web-application it is good to look under the hood what happens when a webpage is displayed in a browser. A @@ -531,12 +531,12 @@ as simple as it might seem. At the beginning only ``real'' dictionaries were available (like the Oxford English Dictionary), but such dictionaries are not optimised for the -purpose of cracking passwords. The first real hard data about actually -used passwords was obtained when a company called RockYou -``lost'' 32 Million plain-text passwords. With this data of -real-life passwords, dictionary attacks took off. Compiling -such dictionaries is nowadays very easy with the help of -off-the-shelf tools. +purpose of cracking passwords. The first real hard data about +actually used passwords was obtained when a company called +RockYou ``lost'' at the end of 2009 32 Million plain-text +passwords. With this data of real-life passwords, dictionary +attacks took off. Compiling such dictionaries is nowadays very +easy with the help of off-the-shelf tools. These dictionary attacks can be prevented by using salts. Remember a hacker needs to use the most likely candidates @@ -629,6 +629,14 @@ \url{http://goo.gl/dIzqMg} \end{center} +\noindent Here is an interesting blog-post about how a group +``cracked'' efficiently millions of bcrypt passwords from the +Ashley Madison leak. + +\begin{center} +\url{http://goo.gl/83Ho0N} +\end{center} + \noindent Clearly, passwords are a technology that comes to the end of its usefulness, because brute force attacks become more and more powerful and it is unlikely that humans get any