# HG changeset patch
# User Christian Urban
# Date 1379971435 -3600
# Node ID 3d585e6039272c4403220d8a965837c9c73d63be
# Parent efcac30166130be541900b5ed3f128a1f2edc464
updated

diff -r efcac3016613 -r 3d585e603927 progs/app1.scala
--- a/progs/app1.scala Mon Sep 23 17:39:31 2013 +0100
+++ b/progs/app1.scala Mon Sep 23 22:23:55 2013 +0100
@@ -15,11 +15,10 @@
 // POST data: processing the login data
 val receive = Action { request =>
- val form_data = Form (tuple ("login" -> text, "password" -> text))
-
- val (login, password) = form_data.bindFromRequest()(request).get
+ val form_data = Form(tuple ("login" -> text, "password" -> text))
+ def (login, passwd) = form_data.bindFromRequest()(request).get
 
- Ok("Received login: " + login + " and password: " + password)
+ Ok(s"Received login: $login and password: $passwd")
 }
 }
diff -r efcac3016613 -r 3d585e603927 progs/app2.scala
--- a/progs/app2.scala Mon Sep 23 17:39:31 2013 +0100
+++ b/progs/app2.scala Mon Sep 23 22:23:55 2013 +0100
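Review bot: `def (login, passwd) = form_data.bindFromRequest()(request).get` does not compile — a tuple pattern can only be bound with `val`, so the line should read `val (login, passwd) = form_data.bindFromRequest()(request).get`, as the removed line did. Independently of that, the trailing `.get` turns any request whose form fails to bind (a missing `login` or `password` field) into an exception thrown from the action rather than a client error; binding with `form_data.bindFromRequest()(request).fold(...)` gives the error branch a place to return `BadRequest`. The response body also echoes the submitted password verbatim, so if this listing is ever used as more than a slide demo the echoed value should be dropped, since it would land in any response log or proxy cache.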
@@ -1,27 +1,27 @@
 object Application extends Controller {
- def gt_cookie(c: Option[Cookie]) : Int = c.map(_.value) match {
- case Some(s) if (s.forall(_.isDigit)) => s.toInt
+ def gt_cookie(c: Cookie) : Int = c.value match {
+ case s if (s.forall(_.isDigit)) => s.toInt
 case _ => 0
 }
- def mk_cookie(i: Int) : Cookie = {
- Cookie("visits", i.toString)
- }
+ def mk_cookie(i: Int) : Cookie = Cookie("visits", i.toString)
 // GET request: read cookie data first
 def index = Action { request =>
-
+
+ //reads the cookie and extracts the visits counter
 val visits_cookie = request.cookies.get("visits")
- val visits = gt_cookie(visits_cookie)
+ val visits = visits_cookie.map(gt_cookie).getOrElse(0)
 
- val msg1 = "You are a valued customer who has visited this site %d times."
- val msg2 = "You have visited this site %d times."
+ //printing a message according to value of visits counter
 val msg =
- if (visits >= 10) msg1.format(visits) else msg2.format(visits)
+ if (visits >= 10)
+ s"You are a valued customer who has visited this site $visits times."
+ else s"You have visited this site $visits times."
 
- //send with new cookie
- Ok(msg).as(HTML).withCookies(mk_cookie(visits + 1))
+ //send message with new cookie
+ Ok(msg).withCookies(mk_cookie(visits + 1))
 }
 }
diff -r efcac3016613 -r 3d585e603927 progs/app3.scala
--- a/progs/app3.scala Mon Sep 23 17:39:31 2013 +0100
+++ b/progs/app3.scala Mon Sep 23 22:23:55 2013 +0100
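Review bot: The guard `s.forall(_.isDigit)` in `gt_cookie` does not guarantee that `s.toInt` succeeds: it is vacuously true for the empty string and also accepts digit runs longer than an `Int`, and in both cases `toInt` throws `NumberFormatException` from inside the action (the same pattern is in the app3 and app4 hunks below). Since the cookie value is client-supplied, keeping the parse total is worth one line, e.g. `case s if s.nonEmpty && s.forall(_.isDigit) => Try(s.toInt).getOrElse(0)` with `scala.util.Try` imported, so a malformed counter falls back to 0 like every other unparseable value. The new comment `//reads the cookie and extracts the visits counter` could also state that a missing or malformed cookie deliberately resets the counter, since `getOrElse(0)` here and `case _ => 0` in `gt_cookie` implement that policy in two places.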
@@ -6,16 +6,15 @@
 hash_fun.digest(s.getBytes).map{ "%02x".format(_) }.mkString
 }
- def gt_cookie(c: Option[Cookie]) : Int =
- c.map(_.value.split("/")) match {
- case Some(Array(s, h))
- if (s.forall(_.isDigit) && mk_hash(s) == h) => s.toInt
- case _ => 0
- }
+ def gt_cookie(c: Cookie) : Int = c.value.split("/") match {
+ case Array(s, h)
+ if (s.forall(_.isDigit) && mk_hash(s) == h) => s.toInt
+ case _ => 0
+ }
 def mk_cookie(i: Int) : Cookie = {
- val s = i.toString
- Cookie("visits", s + "/" + mk_hash(s))
+ val hash = mk_hash(i.toString)
+ Cookie("visits", s"$i/$hash")
 }
 def index = Action { request => ... }
diff -r efcac3016613 -r 3d585e603927 progs/app4.scala
--- a/progs/app4.scala Mon Sep 23 17:39:31 2013 +0100
+++ b/progs/app4.scala Mon Sep 23 22:23:55 2013 +0100
@@ -2,22 +2,21 @@
 val salt = "my secret key"
- //SHA-1, SHA-256 + salt
+ //SHA-1 + salt
 def mk_hash(s: String) : String = {
 val hash_fun = MessageDigest.getInstance("SHA-1")
 hash_fun.digest((s + salt).getBytes).map{ "%02x".format(_) }.mkString
 }
- def gt_cookie(c: Option[Cookie]) : Int =
- c.map(_.value.split("/")) match {
- case Some(Array(s, h))
- if (s.forall(_.isDigit) && mk_hash(s) == h) => s.toInt
- case _ => 0
- }
+ def gt_cookie(c: Cookie) : Int = c.value.split("/") match {
+ case Array(s, h)
+ if (s.forall(_.isDigit) && mk_hash(s) == h) => s.toInt
+ case _ => 0
+ }
 def mk_cookie(i: Int) : Cookie = {
- val s = i.toString
- Cookie("visits", s + "/" + mk_hash(s))
+ val hash = mk_hash(i.toString)
+ Cookie("visits", s"$i/$hash")
 }
 def index = Action { request => ... }
diff -r efcac3016613 -r 3d585e603927 slides/slides01.pdf
Binary file slides/slides01.pdf has changed
diff -r efcac3016613 -r 3d585e603927 slides/slides01.tex
--- a/slides/slides01.tex Mon Sep 23 17:39:31 2013 +0100
+++ b/slides/slides01.tex Mon Sep 23 22:23:55 2013 +0100
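Review bot: In the app4 hunk, `mk_hash(s) == h` inside `gt_cookie` compares the keyed tag with ordinary string equality, which stops at the first differing character; because `salt` is what makes the tag unforgeable, `MessageDigest.isEqual(mk_hash(s).getBytes, h.getBytes)` is the drop-in constant-time comparison, and `MessageDigest` is already in scope for `mk_hash`. `SHA-1` over `s + salt` with a secret suffix is also a home-grown construction rather than a MAC; an `HmacSHA1` `javax.crypto.Mac` keyed with the secret (or Play's `Crypto.sign`) is the standard choice and leaves the `"$i/$hash"` cookie format unchanged. The hard-coded `val salt = "my secret key"` is fine for the slides, but a comment at its definition such as `// demo only: a deployment reads the key from configuration, not source` would stop the listing being copied as-is. `index` is elided in both files, so the request path that calls `gt_cookie` is outside the hunk.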
@@ -2,7 +2,7 @@
 \usepackage{beamerthemeplaincu}
 \usepackage{fontenc,xltxtra,xunicode}
 \defaultfontfeatures{Mapping=tex-text}
-\usepackage[latin1]{inputenc}
+%%\usepackage[latin1]{inputenc}
 \usepackage{mathpartir}
 \usepackage[absolute,overlay]{textpos}
 \usepackage{ifthen}
@@ -10,7 +10,7 @@
 \usepackage{pgf}
 \usepackage{calc}
 \usepackage{ulem}
-\usepackage{courier}
+%%\usepackage{courier}
 \usepackage{listings}
 \renewcommand{\uline}[1]{#1}
 \usetikzlibrary{arrows}
@@ -27,8 +27,13 @@
 \definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
 \definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
+\makeatletter
+\lst@CCPutMacro\lst@ProcessOther {"2D}{\lst@ttfamily{-{}}{-{}}}
+\@empty\z@\@empty
+\makeatother
+
 \lstset{language=Java,
- basicstyle=\ttfamily,
+ basicstyle=\consolas,
 keywordstyle=\color{javapurple}\bfseries,
 stringstyle=\color{javagreen},
 commentstyle=\color{javagreen},
@@ -49,7 +54,7 @@
 private,protected,requires,return,sealed,%
 super,this,throw,trait,true,try,%
 type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
+ otherkeywords={=>,<-,<\%,<:,>:,\#,@,->},
 sensitive=true,
 morecomment=[l]{//},
 morecomment=[n]{/*}{*/},
@@ -59,7 +64,7 @@
 }
 \lstset{language=Scala,
- basicstyle=\ttfamily,
+ basicstyle=\consolas,
 keywordstyle=\color{javapurple}\bfseries,
 stringstyle=\color{javagreen},
 commentstyle=\color{javagreen},
@@ -91,9 +96,10 @@
 \includegraphics[scale=1.3]{pics/barrier.jpg}
 \end{center}
+ \normalsize
 \begin{center}
- \begin{tabular}{ll}
+ \begin{tabular}{ll}
 Email: & christian.urban at kcl.ac.uk\\
 Office: & S1.27 (1st floor Strand Building)\\
 Slides: & KEATS
@@ -245,6 +251,36 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Breaking Things\end{tabular}} + +For example: + +\begin{center} +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] +{\normalsize\color{darkgray} +\begin{minipage}{10cm}\raggedright\small +Prof.~V.~Nasty gives the following final exam question (closed books, closed notes):\bigskip + +\noindent +\begin{tabular}{@ {}l} +Write the first 100 digits of pi:\\ +3.\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_\,\_ +\end{tabular} +\end{minipage}}; +\end{tikzpicture} +\end{center} + +How do you ``break'' this and how to defend against it? + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] \frametitle{\begin{tabular}{@ {}c@ {}}Chip-and-PIN\end{tabular}} \begin{center} @@ -442,7 +478,7 @@ \end{flushright} \begin{itemize} -\item same group successfully attacked this year card readers and ATM machines +\item same group successfully attacked in 2012 card readers and ATM machines \item the problem: several types of ATMs generate poor random numbers, which are used as nonces \end{itemize} @@ -452,7 +488,7 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}The Problem \ldots\end{tabular}} +\frametitle{\begin{tabular}{c}The Real Problem \ldots\end{tabular}} \begin{textblock}{1}(3,4) @@ -520,7 +556,7 @@ \begin{textblock}{14}(1,13.5) \begin{itemize} -\item the burden of proof for fraud and financial liability was shifted to the costumer +\item the burden of proof for fraud and financial liability was shifted to the costumer (until approx.~2009/10) \end {itemize} \end{textblock} 
@@ -529,6 +565,31 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ +\begin{frame} +\frametitle{\begin{tabular}{@ {}c@ {}}The Bad Guy Again\end{tabular}} + + +\only<1->{ +\begin{textblock}{1}(1,4) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] +{\normalsize\color{darkgray} +\begin{minipage}{11cm}\raggedright\footnotesize +``The Annonymous Hacker from earlier:\medskip\\ +Try to use `Verified-By-Visa' and `Mastercard-Securecode' as rarely as possible. If only your CVV2 code is getting sniffed, you are not liable for any damage, because the code is physically printed and could have been stolen while you payed with your card at a store. Same applies if someone cloned your CC reading the magnetic stripe or sniffing RFID. Only losing your VBV or MCSC password can cause serious trouble.''\\ +\hfill{}\textcolor{blue}{\url{goo.gl/UWluh0}} +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + + +\end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ \begin{frame}[c] \frametitle{\begin{tabular}{c}Being Screwed Again\end{tabular}} 
@@ -594,14 +655,82 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] +\frametitle{\begin{tabular}{c}Why Scala?\end{tabular}} + +\begin{textblock}{6}(1,3) +\begin{tabular}{l} +\mbox{}\hspace{-1mm}\includegraphics[scale=0.36]{pics/twitter.png}\\[-1mm] +\includegraphics[scale=0.30]{pics/linked.png}\\ +\includegraphics[scale=0.30]{pics/guardian.jpg}\\[-3mm] +\mbox{}\hspace{-2mm}\includegraphics[scale=0.38]{pics/morgan.png}\\[-3mm] +\includegraphics[scale=0.30]{pics/suisse.png}\\ +\includegraphics[scale=0.20]{pics/edf.png}\\[-1mm] +\includegraphics[scale=0.08]{pics/novell.png}\\[-1mm] +\includegraphics[scale=0.30]{pics/foursquare.png}\\ +\includegraphics[scale=0.30]{pics/hsbc.png}\\ +{\large\bf ...} +\end{tabular} +\end{textblock} + +\only<2->{ +\begin{textblock}{6}(6,3) +\includegraphics[scale=0.35]{pics/jobgraph.png}\\ +\end{textblock}} + +\only<3->{ +\begin{textblock}{6}(7.3,9.2) +\begin{tabular}{l} +\footnotesize 2013: 1$\%$\\[-2mm] +\footnotesize 2014: 3$\%$\\[-2mm] +\footnotesize 2015: 9$\%$\\[-2mm] +\footnotesize 2016: 27$\%$\\[-2mm] +\footnotesize 2017: 81$\%$\\[-2mm] +\footnotesize 2018: 243$\%$ \raisebox{-1mm}{\includegraphics[scale=0.02]{pics/smiley.jpg}} +\end{tabular} +\end{textblock}} + +\only<3->{ +\begin{textblock}{6}(6,9.5) +\footnotesize 5 yrs $\begin{cases}\mbox{}\\[1.4cm]\end{cases}$ +\end{textblock}} + +\only<4->{ +\begin{textblock}{11}(5,14.1) +\textcolor{gray}{ +\footnotesize {\bf in London today:} 1 Scala job for every 30 Java jobs;\\[-2mm] +Scala programmers seem to get up to 20\% better salary} +\end{textblock}} + + +\only<5->{ +\begin{textblock}{1}(3,6) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] +{\normalsize\color{darkgray} +\begin{minipage}{8.5cm}\raggedright\normalsize +Scala is a functional and object-oriented programming language; compiles to the JVM; does not +need null-pointer exceptions; a course on Coursera\\ 
+\mbox{}\hfill\textcolor{blue}{\url{http://www.scala-lang.org}} +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] \frametitle{\begin{tabular}{c}Scala + Play\end{tabular}} -\footnotesize a simple response from the server: +\small a simple response from the server: + {\lstset{language=Scala}\fontsize{8}{10}\selectfont \texttt{\lstinputlisting{../progs/app0.scala}}}\bigskip -\footnotesize +\small alternative response:\\ {\lstset{language=Scala}\fontsize{8}{10}\selectfont @@ -609,6 +738,8 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] @@ -678,7 +809,7 @@ \begin{minipage}{10cm}\raggedright\small {\bf EU Privacy Directive about Cookies:}\smallskip\\ ``In May 2011, a European Union law was passed stating that websites that leave non-essential cookies on visitors' devices have to alert the visitor and get acceptance from them. This law applies to both individuals and businesses based in the EU regardless of the nationality of their website's visitors or the location of their web host. It is not enough to simply update a website's terms and conditions or privacy policy. The deadline to comply with the new EU cookie law was 26th May 2012 and failure to do so could mean a fine of up to \pounds{}500,000.'' -\hfill\small\textcolor{gray}{$\rightarrow$BBC News} +\hfill\small\textcolor{gray}{$\rightarrow$BBC News}, \textcolor{blue}{\url{goo.gl/RI4qhh}} \end{minipage}}; \end{tikzpicture} \end{textblock}} 
@@ -844,7 +975,7 @@ \item SHA-1 is a cryptographic hash function\\ (MD5, SHA-256, SHA-512, \ldots) \item message $\rightarrow$ digest -\item no known attack exists, except brute force\bigskip\pause +\item attack exists $2^{80} \rightarrow 2^{61}$ \bigskip\pause \item but dictionary attacks are very ef$\!$fective for extracting passwords (later) \end{itemize} @@ -869,7 +1000,7 @@ \end{tikzpicture} \end{textblock} -\begin{textblock}{1}(6.6,4.9) +\begin{textblock}{1}(6.6,5.1) \begin{tikzpicture}[scale=1.3] \draw[white] (0,0) node (X) {}; \draw[white] (1,-1) node (Y) {};