# HG changeset patch # User Christian Urban # Date 1411467809 -3600 # Node ID 2866fae8c1cf7a2c5ab590aa167eaad154b7acec # Parent 793ae8926a974e377eb54b13e51555d7210297b6 updated diff -r 793ae8926a97 -r 2866fae8c1cf handouts/ho01.pdf Binary file handouts/ho01.pdf has changed diff -r 793ae8926a97 -r 2866fae8c1cf handouts/ho01.tex --- a/handouts/ho01.tex Tue Sep 23 10:31:03 2014 +0100 +++ b/handouts/ho01.tex Tue Sep 23 11:23:29 2014 +0100 @@ -38,13 +38,13 @@ mindset. This might be a mindset that you think is very foreign to you (after all we are all good citizens and not ahck into things). I beg to differ: You have this mindset already when in school you were -thinking, at least hypothetically, in which ways you can cheat in an +thinking, at least hypothetically, about in which ways you can cheat in an exam (whether it is about hiding notes or looking over the shoulders of your fellow pupils). Right? To defend a system, you need to have this kind mindset and be able to think like an attacker. This will include understanding techniques that can be used to compromise security and privacy in systems. This will many times result in -insights where well-intended security mechanism made a system actually +insights where well-intended security mechanisms made a system actually less secure.\smallskip {\Large\bf Warning!} However, don’t be evil! Using those 
@@ -58,19 +58,33 @@ tamper with any of King's systems. If you try out a technique, always make doubly sure you are working in a safe environment so that you cannot cause any harm, not even accidentally. -Don't be evil. Be an ethical hacker. +Don't be evil. Be an ethical hacker.\smallskip -In this lecture I want to make you familiar with the security -mindset and dispel the myth that encryption is the answer to -security (it certainly is one answer, but by no means a -sufficient one). This is actually an important thread going +In this lecture I want to make you familiar with the security mindset +and dispel the myth that encryption is the answer to all security +problems (it is certainly often part of an answer, but almost always +never a sufficient one). This is actually an important thread going through the whole course: We will assume that encryption works -perfectly, but still attack ``things''. By ``works perfectly'' -we mean that we will assume encryption is a black box and, for -example, will not look at the underlying -mathematics.\footnote{Though fascinating it might be.} +perfectly, but still attack ``things''. By ``works perfectly'' we mean +that we will assume encryption is a black box and, for example, will +not look at the underlying mathematics and break the +algorithms.\footnote{Though fascinating it might be.} +For a secure system it seems four requirements need to come together: +First a security policy (what is supposed to be achieved?); second a +mechanism (cipher, access controls, tamper resistance etc); third the +assurance we obtain from the mechanism (the amount of reliance we can +put on the mechanism) and finally the incentives (the motive that the +people guarding and maintaining the system have to do their job +properly, and also the motive that the attackers have to try to defeat +your policy). The last point is often overlooked, but plays an +important role. Lets look at an example. 
The questions is whether +the Chip-and-PIN system with credit cards is more secure than the older +method of signing receipts at the till. + + + \end{document} %%% Local Variables: diff -r 793ae8926a97 -r 2866fae8c1cf hws/hw01.pdf Binary file hws/hw01.pdf has changed diff -r 793ae8926a97 -r 2866fae8c1cf hws/hw01.tex --- a/hws/hw01.tex Tue Sep 23 10:31:03 2014 +0100 +++ b/hws/hw01.tex Tue Sep 23 11:23:29 2014 +0100 @@ -1,6 +1,5 @@ \documentclass{article} -\usepackage{charter} -\usepackage{hyperref} +\usepackage{../style} \begin{document} 
@@ -8,36 +7,38 @@ \begin{enumerate} \item {\bf (Optional)} If you want to have a look at the code - presented in the lectures, install Node.js available (for free) from + presented in the lectures, install \texttt{Node.js} available (for free) from \begin{center} \url{http://nodejs.org} \end{center} -It needs aslo the Node-packages: Express, Cookie-Parser, Body-Parser and -Crypto. +It needs aslo the Node-packages Express, Cookie-Parser, Body-Parser and +Crypto. They can be easily installed using the Node package manager \texttt{npm}. \item Practice thinking like an attacker. Assume the following situation: -\begin{quote}\it -Prof.~V.~Nasty gives the following final exam question (closed books, closed notes):\bigskip + + \begin{quote}\it + Prof.~V.~Nasty gives the following final exam question (closed books, closed notes):\bigskip + + \noindent + \begin{tabular}{@ {}l} + Write the first 100 digits of pi:\\ + 3.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ + \end{tabular} + \end{quote} \noindent -\begin{tabular}{@ {}l} -Write the first 100 digits of pi:\\ -3.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ -\end{tabular} -\end{quote} - -\noindent -Think of ways how you can cheat in this exam? +Think of ways how you can cheat in this exam? How would you defend +against such cheats. \item Explain what hashes and salts are. Describe how they can be used for ensuring data integrity and storing password information. \item What are good uses of cookies (that is browser cookies)? -\item Why is making bank customer be liable for financial fraud a bad -design choice for CC payments? +\item Why is making bank customers liable for financial fraud a bad +design choice for credit card payments? \end{enumerate} diff -r 793ae8926a97 -r 2866fae8c1cf slides/slides01.pdf Binary file slides/slides01.pdf has changed diff -r 793ae8926a97 -r 2866fae8c1cf slides/slides01.tex 
--- a/slides/slides01.tex Tue Sep 23 10:31:03 2014 +0100 +++ b/slides/slides01.tex Tue Sep 23 11:23:29 2014 +0100 @@ -572,7 +572,7 @@ \begin{frame}[c] \frametitle{The Bad Guy Again} -\begin{bubble}[10cm] +\begin{bubble}[10.5cm] \small The anonymous hacker from earlier:\medskip\\ ``Try to use `Verified-By-Visa' and `Mastercard-Securecode' as rarely as @@ -836,7 +836,7 @@ \item read the cookie from client \item if none is present, set \texttt{counter} to \textcolor{blue}{zero} \item if cookie is present, extract \texttt{counter} -\item if \texttt{counter} is greater or equal \textcolor{blue}{$5$}, \\ +\item if \texttt{counter} is greater or equal than \textcolor{blue}{$5$}, \\ print a valued customer message\\ otherwise just a normal message \item increase \texttt{counter} by \textcolor{blue}{$1$} and store new cookie with client
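Review bot: in the first ho01.tex hunk (around line 38), the rewritten line "thinking, at least hypothetically, about in which ways you can cheat in an" is still awkward, since "about in which ways" stacks a preposition on a relative clause; suggest "thinking, at least hypothetically, about the ways in which you can cheat in an". The same paragraph carries two further slips in the unchanged context that would be worth fixing in the same commit: "not ahck into things" (hack) and "this kind mindset" (this kind of mindset). The "mechanism" to "mechanisms" correction is right.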
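Review bot: in the second ho01.tex hunk (around line 58), "it is certainly often part of an answer, but almost always never a sufficient one" is self-contradictory ("almost always never"); suggest "but almost never a sufficient one". In the new paragraph, "Lets look at an example" needs an apostrophe ("Let's") and "The questions is whether" should be "The question is whether". More substantively, the paragraph announces an example (is Chip-and-PIN more secure than signing receipts at the till?) and the handout then ends at \end{document}, so the point the paragraph was added to make, that incentives matter, is never drawn; either carry the example through to who bears the cost when the mechanism fails, or hold the last two sentences back until that text exists. The policy / mechanism / assurance / incentive split is Ross Anderson's framing from Security Engineering, and a citation would help readers find the fuller treatment.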
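Review bot: replacing \usepackage{hyperref} with \usepackage{../style} in hw01.tex needs a check that ../style defines \url, because the next hunk of the same file still calls \url{http://nodejs.org}; if the style file does not load hyperref (or url), the homework no longer compiles. It is also worth confirming that the relative path ../style resolves from the directory the build is actually run in, since LaTeX looks up packages relative to the working directory (and TEXINPUTS), not relative to the location of hw01.tex.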
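Review bot: in the second hw01.tex hunk, "It needs aslo the Node-packages" is touched by the change but keeps the typo; it should read "It also needs the Node packages". In the exam question the punctuation of the two added sentences is swapped: "Think of ways how you can cheat in this exam?" is an instruction, not a question, while "How would you defend against such cheats." is a question; suggest "Think of ways in which you could cheat in this exam. How would you defend against such cheating?" The re-indentation of the quote/tabular block makes this hunk much noisier than the one-line wording change it carries; keeping whitespace-only changes in a separate commit would make future diffs easier to read. The "bank customers liable" and "credit card payments" fixes read well.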
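Review bot: in the slides01.tex hunk around line 836, "greater or equal than" is not grammatical; the usual form is "if \texttt{counter} is greater than or equal to \textcolor{blue}{$5$},". Since the slide lists the server's steps one by one, it would also help to state on this or the following slide that \texttt{counter} is taken straight from the client-supplied cookie and nothing in the listed steps lets the server confirm it is the value it last stored; that gap is presumably what the example is building towards, and the homework question on hashes, salts and data integrity lines up with it.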