diff -r 948f4b39d55d -r 036a762b02cf slides/slides01.tex
--- a/slides/slides01.tex Thu Sep 10 09:45:10 2015 +0100
+++ b/slides/slides01.tex Sun Sep 20 22:09:58 2015 +0100
@@ -9,7 +9,7 @@
 \hfuzz=220pt % beamer stuff
-\renewcommand{\slidecaption}{APP 01, King's College London}
+\renewcommand{\slidecaption}{SEN 01, King's College London}
 \lstset{language=JavaScript, style=mystyle,
@@ -23,12 +23,11 @@
 \begin{frame}
 \frametitle{%
 \begin{tabular}{@ {}c@ {}}
- \LARGE Access Control and \\[-3mm]
- \LARGE Privacy Policies (1)\\[-6mm]
+ \LARGE Security Engineering (1)\\[-3mm]
 \end{tabular}}
 \begin{center}
- \includegraphics[scale=1.3]{../pics/barrier.jpg}
+ \includegraphics[scale=0.3]{../pics/barrier.jpg}
 \end{center}
 \normalsize
@@ -46,90 +45,12 @@
 \begin{frame}
 \begin{center}
-\includegraphics[scale=2.1]{../pics/barrier.jpg}
-\end{center}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}
-
-\begin{center}
-\begin{tikzpicture}[scale=1.3]
- %\draw[very thick, scale=1] (0, 0) grid (6, -4);
- \draw (0,0) node (X) {\includegraphics[scale=0.1]{../pics/rman.png}};
- \draw (6,0) node (Y) {\includegraphics[scale=0.1]{../pics/gman.png}};
- \node[below] at (X.south) {Alice};
- \node[below] at (Y.south) {Bob};
-
- \draw[red,<->,line width = 3mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:{\begin{tabular}{c}
- secure/private\\
- communication
- \end{tabular}}]
- at ($ (X)!.5!(Y) $) {};
-
- \draw (1.0,-1.5) node {\includegraphics[scale=0.05]{../pics/nsa.png}};
- \draw (2.4,-1.5) node {\includegraphics[scale=0.3]{../pics/gchq.jpg}};
- \draw (1.7,-2.3) node {\huge\ldots};
- \draw (4.2,-1.5) node {\includegraphics[scale=0.05]{../pics/apple.png}};
- \draw (5.4,-1.7) node {\includegraphics[scale=0.15]{../pics/google.png}};
- \draw (5.0,-2.3) node {\huge\ldots};
-\end{tikzpicture}
-\end{center}
-
-\begin{center}
-\includegraphics[scale=0.1]{../pics/snowden.jpg}
+\includegraphics[scale=0.5]{../pics/barrier.jpg}
 \end{center}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}
-
-\begin{center}
-\includegraphics[scale=0.45]{../pics/lavabit-email.jpg}
-\end{center}
-\small{}\mbox{}\hfill{}
-Lavabit email service closed down on 8 August 2013. \\
-\mbox{}\hfill{}\url{www.goo.gl/bgSrVp}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}
-\frametitle{Also Bad Guys}
-
-\begin{textblock}{1}(4,2.5)
- \begin{tikzpicture}[scale=1.3]
- \draw (0,0) node (X) {\includegraphics[scale=0.1]{../pics/rman.png}};
- \draw (4,0) node (Y) {\includegraphics[scale=0.1]{../pics/gman.png}};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(1,5)
-\begin{bubble}[11cm]
-\small
-Anonymous Hacker operating a 10k bonnet using the ZeuS
-hacking tool wrote:\medskip\\ ``FYI I do not cash out the bank
-accounts or credit cards, I just sell the information (I know,
-its just as bad...), there isn't even a law against
-such in most countries, dealing with stolen information is
-most of the time a legally greyzone (I was just as surprised
-when I looked it up), I'm not talking about 3rd world
-countries, but about European like Spain (The Mariposa botnet
-owner never got charged, because a botnet isn't illegal, only
-abusing CC information is, but that did other guys).''
-\hfill{}\url{www.goo.gl/UWluh0}
-\end{bubble}
-\end{textblock}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}
@@ -140,7 +61,7 @@
 \end{center}
 \centering
-\begin{bubble}[9cm]
+\begin{bubble}[10cm]
 \small There is some consensus that the NSA can probably not brute-force magically better than the ``public''.
@@ -748,84 +669,6 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[t]
-\begin{itemize}
-\item While cookies are per web-page, this can be easily circumvented.
-\end{itemize}
-
-\begin{textblock}{1}(1.5,4.5)
-\begin{tabular}{c}
-\includegraphics[scale=0.07]{../pics/servers.png}\\[-2mm]
-\small Pet Store\\[-2mm]
-\small Dot.com\\[-2mm]
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(1.5,8)
-\begin{tabular}{c}
-\includegraphics[scale=0.07]{../pics/servers.png}\\[-2mm]
-\small Dating.com
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(10.5,7.5)
-\begin{tabular}{c}
-\includegraphics[scale=0.07]{../pics/servers.png}\\[-2mm]
-\small Evil-Ad-No\\[-2mm]
-\small Privacy.com
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(6,10.5)
-\begin{tabular}{c}
-\includegraphics[scale=0.16]{../pics/rman.png}\\[-1mm]
-\small you
-\end{tabular}
-\end{textblock}
-
-\begin{textblock}{1}(4,5)
- \begin{tikzpicture}[scale=1]
- \draw[white] (0,0.5) node (X) {};
- \draw[white] (5.7,-1) node (Y) {};
- \draw[red, ->, line width = 0.5mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(4,7.9)
- \begin{tikzpicture}[scale=1]
- \draw[white] (0,0) node (X) {};
- \draw[white] (5.7,0) node (Y) {};
- \draw[red, ->, line width = 0.5mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(3.3,9.3)
- \begin{tikzpicture}[scale=1.2]
- \draw[white] (0,0) node (X) {};
- \draw[white] (1.5,-1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \draw[white] (0.9,0.3) node (X1) {};
- \draw[white] (1.9,-1) node (Y1) {};
- \draw[red, <->, line width = 2mm] (X1) -- (Y1);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X1)!.5!(Y1) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\begin{textblock}{1}(8.6,10.1)
- \begin{tikzpicture}[scale=0.9]
- \draw[white] (0,0) node (X) {};
- \draw[white] (-2,-1) node (Y) {};
- \draw[red, <->, line width = 0.5mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
@@ -860,7 +703,7 @@
 \begin{frame}[c]
 \begin{center}
-\includegraphics[scale=1.8]{../pics/barrier.jpg}
+\includegraphics[scale=0.5]{../pics/barrier.jpg}
 \end{center}
 \begin{itemize}
@@ -949,10 +792,10 @@
 }
 \begin{itemize}
-\item \texttt{\$} is separator
+\item \texttt{\$} is the separator
 \item \texttt{1} is MD5 (actually SHA-512 is used nowadays, \texttt{6})
-\item \texttt{QIGCa} is salt
-\item \texttt{ruJs8AvmrknzKTzM2TYE} $\rightarrow$ password + salt
+\item \texttt{QIGCa} is the salt
+\item \texttt{ruJs8AvmrknzKTzM2TYE.} $\rightarrow$ password + salt
 \end{itemize}
 \textcolor{gray}{\small
@@ -1015,6 +858,10 @@
 \item June 6th, 2012, 6 million unsalted SHA-1 passwords were leaked from linkedIn
 % linkedIn password
 % http://erratasec.blogspot.co.uk/2012/06/confirmed-linkedin-6mil-password-dump.html
+
+\item in July 2015, hackers leaked a password database from
+Ashley Madison containing 31 million passwords, many of them
+poorly hashed
 \end{itemize}\medskip
 \small
@@ -1078,7 +925,6 @@
 \begin{itemize}
 \item Do not send passwords in plain text.
 \item Security questions are tricky to get right.
-\item QQ (Chinese Skype) authenticates you via contacts.
 \end{itemize}
 \end{frame}
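Review bot: The new Ashley Madison item in the `@@ -1015,6 +858,10 @@` hunk cites no source, while the LinkedIn item directly above it keeps a `% http://...` comment recording where its figure comes from; add a `% <source URL>` comment under the new item so the "31 million" and "poorly hashed" claims can be checked later. The phrase "many of them poorly hashed" also blurs the teaching point for a password-storage slide: as far as I recall the reporting, the bulk of that dump was bcrypt-hashed and the recoverable passwords came from a second, MD5-based token derived from the same password — a strong hash undone by a weak parallel derivation — which is a sharper lesson than "poorly hashed" and worth a half-sentence on the slide. The enclosing itemize begins before this hunk.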
@@ -1089,20 +935,76 @@
 \frametitle{This Course}
 \begin{itemize}
+\item electronic voting
 \item break-ins (buffer overflows)
 \item access control\\ (role based, data security / data integrity)
-\item electronic voting
-\item protocols (specification)
-\item access control logic
+\item protocols
+\item zero-knowledge proofs
 \item privacy
 \begin{quote}
 Scott McNealy: \\``You have zero privacy anyway. Get over it.''
 \end{quote}
-\item zero-knowledge proofs
+\item trust, bitcoins
+\item static analysis
 \end{itemize}
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Books + Homework}
+
+\begin{itemize}
+\item There is no single book I am following, but
+
+ \begin{center}
+ \includegraphics[scale=0.012]{../pics/andersonbook1.jpg}
+ %%\includegraphics[scale=0.23]{../pics/accesscontrolbook.jpg}
+ \end{center}\medskip\pause
+
+\item The question ``\emph{Is this relevant for the exams?}''
+ is not appreciated!\medskip\\
+
+ Whatever is in the homework (and is not marked optional) is
+ relevant for the exam. No code needs to be written.
+
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Further Information}
+
+For your personal interest:
+
+\begin{itemize}
+\item RISKS mailing list
+\item Schneier's Crypto newsletter
+\item Google+ Ethical Hacker group
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Take-Home Points}
+
+\begin{itemize}
+\item Never store passwords in plain text.\medskip
+\item Always salt your hashes!\medskip
+\item Use an existing crypto algorithm; do not write your own!\medskip
+\item Make the party responsible for losses that is in the position to improve
+security.
+\end{itemize}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
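Review bot: `\item Always salt your hashes!\medskip` on the Take-Home Points frame (moved into this hunk from the end of the file, so the wording predates the commit) states only half of the password-storage lesson: a salt defeats precomputed tables, but it does nothing against brute-forcing a fast hash, which is exactly what the unsalted-SHA-1 leak and the crypt `$6$` example earlier in the deck are meant to show. Consider `\item Always salt your hashes, and use a slow password hash (bcrypt, scrypt or PBKDF2) rather than a bare MD5/SHA!\medskip` so the take-home matches the earlier slides. The "This Course" itemize at the top of the hunk begins before it, and the last `\begin{frame}[c]` context line opens a frame that continues past the hunk.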
@@ -1189,60 +1091,9 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Books + Homework}
-
-\begin{itemize}
-\item There is no single book I am following
-
- \begin{center}
- \includegraphics[scale=0.012]{../pics/andersonbook1.jpg}
- %%\includegraphics[scale=0.23]{../pics/accesscontrolbook.jpg}
- \end{center}\medskip\pause
-
-\item The question ``Is this relevant for the exams'' is not appreciated!\medskip\\
-
- Whatever is in the homework (and is not marked optional) is relevant for the
- exam. No code needs to be written.
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Further Information}
-
-For your personal interest:
-
-\begin{itemize}
-\item RISKS mailing list
-\item Schneier's Crypto newsletter
-\item Google+ Ethical Hacker group
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{document}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Take-Home Points}
-
-\begin{itemize}
-\item Never store passwords in plain text.\medskip
-\item Always salt your hashes!\medskip
-\item Use an existing crypto algorithm; do not write your own!\medskip
-\item Make the party responsible for losses that is in the position to improve
-security.
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-\end{document}
 %%% Local Variables:
 %%% mode: xelatex