# HG changeset patch # User Christian Urban # Date 1385424110 0 # Node ID 86d1e2e6c211a3adf0765b0b74aebb9800c0a2b6 # Parent 6fc7de0f23baf5417e44a3a86d56bf529ac15d39 added diff -r 6fc7de0f23ba -r 86d1e2e6c211 slides/slides07.pdf Binary file slides/slides07.pdf has changed diff -r 6fc7de0f23ba -r 86d1e2e6c211 slides/slides07.tex --- a/slides/slides07.tex Mon Nov 25 20:31:01 2013 +0000 +++ b/slides/slides07.tex Tue Nov 26 00:01:50 2013 +0000 @@ -726,366 +726,9 @@ -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Privacy, Anonymity et al} - -Some terminology: - -\begin{itemize} -\item \alert{secrecy} is the mechanism used to limit the number of -principals with access to information (eg, cryptography or access controls) - -\item \alert{confidentiality} is the obligation to protect the secrets of other people -or organizations (secrecy for the benefit of an organisation) - -\item \alert{anonymity} is the ability to leave no evidence of an activity (eg, sharing a secret) - -\item \alert{privacy} is the ability or right to protect your personal secrets -(secrecy for the benefit of an individual) - -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[t] -\frametitle{Privacy vs Anonymity} - -\begin{itemize} -\item everybody agrees that anonymity has its uses (e.g., voting, whistleblowers, peer-review) -\end{itemize}\bigskip\bigskip\pause - - -But privacy?\bigskip\bigskip - -``You have zero privacy anyway. Get over it.''\\ -\hfill{}Scott Mcnealy (CEO of Sun)\bigskip\\ - - -If you have nothing to hide, you have nothing to fear. - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[t] -\frametitle{Privacy} - -private data can be often used against me - -\begin{itemize} -\item if my location data becomes public, thieves will switch off their phones and help themselves in my home -\item if supermarkets can build a profile of what I buy, they can use it to their advantage (banks - mortgages) -\item my employer might not like my opinions\bigskip\pause - -\item one the other hand, Freedom-of-Information Act -\item medical data should be private, but medical research needs data -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[t] -\frametitle{Privacy Problems} - -\begin{itemize} -\item Apple takes note of every dictation (send over the Internet to Apple) -\item markets often only work, if data is restricted (to build trust) -\item Social network can reveal data about you -\item have you tried the collusion extension for FireFox? -\item I do use Dropbox and store cards\bigskip -\item next week: anonymising data -\end{itemize} - -\begin{textblock}{5}(12,9.8) -\includegraphics[scale=0.2]{pics/gattaca.jpg}\\ -\small Gattaca (1997) -\end{textblock} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[t] -\frametitle{Privacy} - -\begin{minipage}{1.05\textwidth} -\begin{itemize} -\item we \alert{do} want that government data is made public (free maps for example) -\item we \alert{do not} want that medical data becomes public (similarly tax data, school -records, job offers)\bigskip -\item personal information can potentially lead to fraud -(identity theft) -\end{itemize}\pause - -{\bf ``The reality'':} -\only<2>{\begin{itemize} -\item London Health Programmes lost in June last year unencrypted details of more than 8 million people -(no names, but postcodes and details such as gender, age and ethnic origin) -\end{itemize}} -\only<3>{\begin{itemize} -\item also in June last year, Sony got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. -\end{itemize}} -\end{minipage} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Privacy and Big Data} - -Selected sources of ``Big Data'':\smallskip{} - -\begin{itemize} -\item Facebook -\begin{itemize} -\item 40+ Billion photos (100 PB) -\item 6 Billion messages daily (5 - 10 TB) -\item 900 Million users -\end{itemize} -\item Common Crawl -\begin{itemize} -\item covers 3.8 Billion webpages (2012 dataset) -\item 50 TB of data -\end{itemize} -\item Google -\begin{itemize} -\item 20 PB daily (2008) -\end{itemize} -\item Twitter -\begin{itemize} -\item 7 Million users in the UK -\item a company called Datasift is allowed to mine all tweets since 2010 -\item they charge 10k per month for other companies to target advertisement -\end{itemize} -\end{itemize}\pause - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Cookies\ldots} - -``We have published a new cookie policy. It explains what cookies are -and how we use them on our site. To learn more about cookies and -their benefits, please view our cookie policy.\medskip - -If you'd like to disable cookies on this device, please view our information -pages on 'How to manage cookies'. Please be aware that parts of the -site will not function correctly if you disable cookies. \medskip - -By closing this -message, you consent to our use of cookies on this device in accordance -with our cookie policy unless you have disabled them.'' - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Scare Tactics} - -The actual policy reads:\bigskip - -``As we explain in our Cookie Policy, cookies help you to get the most -out of our websites.\medskip - -If you do disable our cookies you may find that certain sections of our -website do not work. For example, you may have difficulties logging in -or viewing articles.'' - - - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Netflix Prize} - -Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip - -\begin{itemize} -\item Netflix offered in 2006 (and every year until 2010) a 1 Mio \$ prize for improving their movie rating algorithm -\item dataset contained 10\% of all Netflix users (appr.~500K) -\item names were removed, but included numerical ratings as well as times of rating -\item some information was \alert{perturbed} (i.e., slightly modified) -\end{itemize} - -\hfill{\bf\alert{All OK?}} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Re-identification Attack} - -Two researchers analysed the data: - -\begin{itemize} -\item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the -records can be identified -\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause -\item they took 50 samples from IMDb (where people can reveal their identity) -\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates) -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{} - -\begin{itemize} -\item Birth data, postcode and gender (unique for\\ 87\% of the US population) -\item Preferences in movies (99\% of 500K for 8 ratings) -\end{itemize}\bigskip - -Therefore best practices / or even law (HIPAA, EU): - -\begin{itemize} -\item only year dates (age group for 90 years or over), -\item no postcodes (sector data is OK, similarly in the US)\\ -\textcolor{gray}{no names, addresses, account numbers, licence plates} -\item disclosure information needs to be retained for 5 years -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}<2>[c] -\frametitle{How to Safely Disclose Information?} - -\only<1>{ -\begin{itemize} -\item Assume you make a survey of 100 randomly chosen people. -\item Say 99\% of the surveyed people in the 10 - 40 age group have seen the -Gangnam video on youtube.\bigskip - -\item What can you infer about the rest of the population? -\end{itemize}} -\only<2>{ -\begin{itemize} -\item Is it possible to re-identify data later, if more data is released. \bigskip\bigskip\pause - -\item Not even releasing only aggregate information prevents re-identification attacks. -(GWAS was a public database of gene-frequency studies linked to diseases; -you only needed partial DNA information in order -to identify whether an individual was part of the study --- DB closed in 2008) -\end{itemize}} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Differential Privacy} - -\begin{center} -User\;\;\;\; -\begin{tabular}{c} -tell me \bl{$f(x)$} $\Rightarrow$\\ -$\Leftarrow$ \bl{$f(x) + \text{noise}$} -\end{tabular} -\;\;\;\;\begin{tabular}{@{}c} -Database\\ -\bl{$x_1, \ldots, x_n$} -\end{tabular} -\end{center} - - -\begin{itemize} -\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to -individual entries \bl{$x_1, \ldots, x_n$}\\ -\item Intuition: whatever is learned from the dataset would be learned regardless of whether -\bl{$x_i$} participates\bigskip\pause - -\item Noised needed in order to prevent queries:\\ Christian's salary $=$ -\begin{center} -\bl{\large$\Sigma$} all staff $-$ \bl{\large$\Sigma$} all staff $\backslash$ Christian -\end{center} -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Adding Noise} - -Adding noise is not as trivial as one would wish: - -\begin{itemize} -\item If I ask how many of three have seen the Gangnam video and get a result -as follows - -\begin{center} -\begin{tabular}{l|c} -Alice & yes\\ -Bob & no\\ -Charlie & yes\\ -\end{tabular} -\end{center} - -then I have to add a noise of \bl{$1$}. So answers would be in the -range of \bl{$1$} to \bl{$3$} - -\bigskip -\item But if I ask five questions for all the dataset (has seen Gangnam video, is male, below 30, \ldots), -then one individual can change the dataset by \bl{$5$} -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{@{}c@{}}Take Home Point\end{tabular}} - -According to Ross Anderson: \bigskip -\begin{itemize} -\item Privacy in a big hospital is just about doable.\medskip -\item How do you enforce privacy in something as big as Google -or complex as Facebook? No body knows.\bigskip - -Similarly, big databases imposed by government -\end{itemize} - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \end{document} diff -r 6fc7de0f23ba -r 86d1e2e6c211 slides/slides08.pdf Binary file slides/slides08.pdf has changed diff -r 6fc7de0f23ba -r 86d1e2e6c211 slides/slides08.tex --- a/slides/slides08.tex Mon Nov 25 20:31:01 2013 +0000 +++ b/slides/slides08.tex Tue Nov 26 00:01:50 2013 +0000 @@ -1,8 +1,8 @@ \documentclass[dvipsnames,14pt,t]{beamer} \usepackage{proof} -\usepackage{beamerthemeplainculight} -\usepackage[T1]{fontenc} -\usepackage[latin1]{inputenc} +\usepackage{beamerthemeplaincu} +%\usepackage[T1]{fontenc} +%\usepackage[latin1]{inputenc} \usepackage{mathpartir} \usepackage{isabelle} \usepackage{isabellesym} @@ -93,7 +93,7 @@ showstringspaces=false} % beamer stuff -\renewcommand{\slidecaption}{APP 08, King's College London, 20 November 2012} +\renewcommand{\slidecaption}{APP 08, King's College London, 26 November 2013} \newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions \newcommand{\bl}[1]{\textcolor{blue}{#1}} @@ -117,7 +117,7 @@ \begin{center} \begin{tabular}{ll} Email: & christian.urban at kcl.ac.uk\\ - Of$\!$fice: & S1.27 (1st floor Strand Building)\\ + Office: & S1.27 (1st floor Strand Building)\\ Slides: & KEATS (also homework is there)\\ \end{tabular} \end{center} @@ -126,429 +126,13 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \mode{ - \begin{frame}[c] - \frametitle{Last Week} - -Andrew Secure RPC Protocol: -\bl{$A$} and \bl{$B$} share a key private \bl{$K_{AB}$} and want to identify -each other\bigskip - - \begin{itemize} - \item \bl{$A \,\text{sends}\, B : A, N_A$} - \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$} - \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$} - \end{itemize} - - \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \mode{ - \begin{frame}[t] - \frametitle{Protocols} - -\mbox{} - -\begin{tabular}{l} -{\Large \bl{$A\;\text{sends}\; B : \ldots$}}\\ -\onslide<2->{\Large \bl{$B\;\text{sends}\; A : \ldots$}}\\ -\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip -\end{tabular} - - \begin{itemize} - \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\ - but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip -\item<2-> indicates one ``protocol run'', or session, which specifies some -order in the communication -\item<2-> there can be several sessions in parallel (think of wifi routers) -\end{itemize} - - \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \mode{ - \begin{frame}[c] - \frametitle{Last Week} - - -\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify -each other\bigskip - - \begin{itemize} - \item \bl{$A \,\text{sends}\, B : A, N_A$} - \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$} - \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$} - \end{itemize} - \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \mode{ - \begin{frame}[c] - \frametitle{Defeating Challenge-Response} - -\noindent -A \alert{reflection attack}: an intruder \bl{$I$} impersonates \bl{$B$}. - -\begin{center} -\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{1mm}}c@{}} -\begin{tabular}{@{}l@{}} -\onslide<1->{\bl{$A \,\text{sends}\, I : A, N_A$}}\\ -\onslide<4->{\bl{$I \,\text{sends}\, A : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\ -\onslide<5->{\bl{$A \,\text{sends}\, I : \{N_A\}_{K'_{AB}}$}}\\ -\end{tabular} -& -\begin{tabular}{@{}l@{}} -\onslide<2->{\bl{$I \,\text{sends}\, A : B, N_A$}}\\ -\onslide<3->{\bl{$A \,\text{sends}\, I : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\ -\onslide<6->{\bl{$I \,\text{sends}\, A : \{N_A\}_{K'_{AB}}$}}\\ -\end{tabular} -\end{tabular} -\end{center}\bigskip - -\onslide<7->{Sounds stupid: ``\ldots answering a question with a counter question''\medskip\\ -was originally developed at CMU for terminals to connect to -workstations (e.g., file servers)} - - \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Identify Friend or Foe} - -\begin{center} -\onslide<3->{\mbox{}\hspace{3.4cm}\includegraphics[scale=0.55]{pics/MigInMiddle.jpg}} -\end{center} - -\begin{textblock}{6}(0.3,2) -\onslide<2->{ -198?: war between Angola (supported by Cuba) -and Namibia (supported by SA)} -\end{textblock} - -\begin{textblock}{3}(12.5,4.6) - \onslide<3->{ - \begin{tikzpicture} - \node at (0,0) [single arrow, fill=red,text=white, rotate=-50, shape border rotate=180]{``bystander''}; - \end{tikzpicture}} - \end{textblock} - -\begin{textblock}{3}(10.9,10) - \onslide<3->{ - \begin{tikzpicture} - \node at (0,0) [single arrow, fill=red,text=white, rotate=-40, shape border rotate=180]{attacker}; - \end{tikzpicture}} - \end{textblock} - -\only<4->{ -\begin{textblock}{6}(0.3,9) -being outsmarted by Angola/Cuba -ended SA involvement (?) -\end{textblock}} -\only<5->{ -\begin{textblock}{6}(0.3,13) -IFF opened up a nice side-channel attack -\end{textblock}} -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \mode{ - \begin{frame}[c] - \frametitle{Encryption to the Rescue?} - - - \begin{itemize} - \item \bl{$A \,\text{sends}\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip - \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip - \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}\bigskip - \end{itemize}\pause - -means you need to send separate ``Hello'' signals (bad), or worse -share a single key between many entities -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Protocol Attacks} - -\begin{itemize} -\item replay attacks -\item reflection attacks -\item man-in-the-middle attacks -\item timing attacks -\item parallel session attacks -\item binding attacks (public key protocols) -\item changing environment / changing assumptions\bigskip - -\item (social engineering attacks) -\end{itemize} -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Replay Attacks} - -Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}: - -\begin{center} -\begin{tabular}{r@ {\hspace{1mm}}l} -\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\ -\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\ -\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\ -\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\ -\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\ -\end{tabular} -\end{center}\bigskip\pause - -at the end of the protocol both \bl{$A$} and \bl{$B$} should be in the possession of the secret key -\bl{$K_{AB}$} and know that the other principal has the key - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Nonces} - -\begin{enumerate} -\item I generate a nonce (random number) and send it to you encrypted with a key we share -\item you increase it by one, encrypt it under a key I know and send -it back to me -\end{enumerate} - - -I can infer: - -\begin{itemize} -\item you must have received my message -\item you could only have generated your answer after I send you my initial -message -\item if only you and me know the key, the message must have come from you -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] - -\begin{center} -\begin{tabular}{l} -\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\ -\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\ -\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\ -\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\ -\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\ -\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\ -\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\ -\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\ -\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\ -\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\ -\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\ -\end{tabular} -\end{center}\pause - -\bl{$B$} believes it is following the correct protocol, -intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and -talks to \bl{$B$} masquerading as \bl{$A$} -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] - -\begin{center} -\includegraphics[scale=0.5]{pics/dogs.jpg} -\end{center} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{Replay Attacks} - -Andrew Secure RPC protocol: exchanging a new key -between \bl{$A$} and \bl{$B$} - -\begin{center} -\begin{tabular}{l} -\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\ -\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\ -\bl{$A \rightarrow B :$} \bl{$\{N_B+1\}_{K_{AB}}$}\\ -\bl{$B \rightarrow A :$} \bl{$\{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\\ -\end{tabular} -\end{center}\bigskip\pause - -Assume nonces are represented as bit-sequences of the same length as keys -\begin{center} -\begin{tabular}{@{}l@{}} -\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\ -\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\ -\bl{$A \rightarrow I(B) :$} \bl{$\{N_B+1\}_{K_{AB}}$}\hspace{0.5mm}intercepts\\ -\bl{$I(B) \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\hspace{0.5mm}resend 2nd msg\\ -\end{tabular} -\end{center} -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Time-Stamps} - -The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos): - -\begin{center} -\begin{tabular}{r@ {\hspace{1mm}}l} -\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\ -\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\ -\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\ -\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\ -\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\ -\end{tabular} -\end{center}\bigskip\pause - -but nothing is for free: then you need to synchronise time and possibly become a victim to -timing attacks - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] - -It can also be fixed by including another nonce: - -\begin{center} -\begin{tabular}{r@ {\hspace{1mm}}l} -\bl{$A \rightarrow B :$} & \bl{$A$}\\ -\bl{$B \rightarrow A :$} & \bl{$\{A, N_B\}_{K_{BS}}$}\\ -\bl{$A \rightarrow S :$} & \bl{$A, B, N_A, \{A, N_B\}_{K_{BS}}$}\\ -\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, N_B\}_{K_{BS}} \}_{K_{AS}}$}\\ -\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, N_B\}_{K_{BS}} $}\\ -\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\ -\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\ -\end{tabular} -\end{center}\bigskip\pause - -but nothing is for free: then you need to synchronise time and possibly become victim to -timing attacks - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Binding Attacks} - -with public-private keys it is important that the public key is \alert{bound} -to the right owner (verified by a certification authority \bl{$CA$}) +\frametitle{Man-in-the-Middle} -\begin{center} -\begin{tabular}{l} -\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\ -\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\ -\end{tabular} -\end{center}\bigskip - -\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$} -in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Binding Attacks} - -\begin{center} -\begin{tabular}{l} -\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\ -\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\ -\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\ -\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\ -\end{tabular} -\end{center}\pause - -\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$} -(which happily decrypts them with its private key) - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] - -There are plenty of other protocols and attacks. This could go on ``forever''.\pause\bigskip - -We look here on one more kind of attacks that are because of a changing environment. - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[t] -\frametitle{Changing Environment Attacks} - -\begin{itemize} -\item all protocols rely on some assumptions about the environment -(e.g., cryptographic keys cannot be broken)\bigskip\pause -\end{itemize} - -\only<2>{ -\begin{itemize} -\item in the ``good olden days'' (1960/70) rail transport was cheap, so fraud was not -worthwhile -\end{itemize}} - -\only<3>{ -\begin{itemize} -\item when it got expensive, some people bought cheaper monthly tickets for a suburban -station and a nearby one, and one for the destination and a nearby one -\item a large investment later all barriers were automatic and tickets could record state -\end{itemize}} - -\only<4>{ -\begin{itemize} -\item but suddenly the environment changed: rail transport got privatised creating many -competing companies -potentially cheating each other -\item revenue from monthly tickets was distributed according to a formula involving where the ticket was bought\ldots -\end{itemize}} - -\only<5>{ -\begin{itemize} -\item apart from bad outsiders (passengers), you also had bad insiders (rail companies) -\item chaos and litigation ensued -\end{itemize}} \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -556,100 +140,11 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] - -A Man-in-the-middle attack in real life: - -\begin{itemize} -\item the card only says yes or no to the terminal if the PIN is correct -\item trick the card in thinking transaction is verified by signature -\item trick the terminal in thinking the transaction was verified by PIN -\end{itemize} - -\begin{minipage}{1.1\textwidth} -\begin{center} -\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png} -\includegraphics[scale=0.3]{pics/chipnpinflaw.png} -\end{center} -\end{minipage} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Problems with EMV} - -\begin{itemize} -\item it is a wrapper for many protocols -\item specification by consensus (resulted unmanageable complexity) -\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some -further parts are secret -\item other attacks have been found - -\item one solution might be to require always online verification of the PIN with the bank -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\frametitle{Facebook Privacy} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Problems with WEP (Wifi)} - -\begin{itemize} -\item a standard ratified in 1999 -\item the protocol was designed by a committee not including cryptographers -\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce -\item WEP did not allocate enough bits for the nonce -\item for authenticating packets it used CRC checksum which can be easily broken -\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip -\item encryption was turned of by default -\end{itemize} - \end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Protocols are Difficult} - -\begin{itemize} -\item even the systems designed by experts regularly fail\medskip -\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip -\item the one who can fix a system should also be liable for the losses\medskip -\item cryptography is often not {\bf the} answer\bigskip\bigskip -\end{itemize} - -logic is one way protocols are studied in academia -(you can use computers to search for attacks) - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Public-Key Infrastructure} - -\begin{itemize} -\item the idea is to have a certificate authority (CA) -\item you go to the CA to identify yourself -\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip -\item CA must be trusted by everybody -\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign -explicitly limits liability to \$100.) -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ @@ -737,6 +232,330 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{Privacy} + +\begin{minipage}{1.05\textwidth} +\begin{itemize} +\item we \alert{do} want that government data is made public (free maps for example) +\item we \alert{do not} want that medical data becomes public (similarly tax data, school +records, job offers)\bigskip +\item personal information can potentially lead to fraud +(identity theft) +\end{itemize}\pause + +{\bf ``The reality'':} +\only<2>{\begin{itemize} +\item London Health Programmes lost in June last year unencrypted details of more than 8 million people +(no names, but postcodes and details such as gender, age and ethnic origin) +\end{itemize}} +\only<3>{\begin{itemize} +\item also in June last year, Sony got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. +\end{itemize}} +\end{minipage} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Privacy and Big Data} + +Selected sources of ``Big Data'':\smallskip{} + +\begin{itemize} +\item Facebook +\begin{itemize} +\item 40+ Billion photos (100 PB) +\item 6 Billion messages daily (5 - 10 TB) +\item 900 Million users +\end{itemize} +\item Common Crawl +\begin{itemize} +\item covers 3.8 Billion webpages (2012 dataset) +\item 50 TB of data +\end{itemize} +\item Google +\begin{itemize} +\item 20 PB daily (2008) +\end{itemize} +\item Twitter +\begin{itemize} +\item 7 Million users in the UK +\item a company called Datasift is allowed to mine all tweets since 2010 +\item they charge 10k per month for other companies to target advertisement +\end{itemize} +\end{itemize}\pause + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Cookies\ldots} + +``We have published a new cookie policy. It explains what cookies are +and how we use them on our site. To learn more about cookies and +their benefits, please view our cookie policy.\medskip + +If you'd like to disable cookies on this device, please view our information +pages on 'How to manage cookies'. Please be aware that parts of the +site will not function correctly if you disable cookies. \medskip + +By closing this +message, you consent to our use of cookies on this device in accordance +with our cookie policy unless you have disabled them.'' + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Scare Tactics} + +The actual policy reads:\bigskip + +``As we explain in our Cookie Policy, cookies help you to get the most +out of our websites.\medskip + +If you do disable our cookies you may find that certain sections of our +website do not work. For example, you may have difficulties logging in +or viewing articles.'' + + + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Netflix Prize} + +Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip + +\begin{itemize} +\item Netflix offered in 2006 (and every year until 2010) a 1 Mio \$ prize for improving their movie rating algorithm +\item dataset contained 10\% of all Netflix users (appr.~500K) +\item names were removed, but included numerical ratings as well as times of rating +\item some information was \alert{perturbed} (i.e., slightly modified) +\end{itemize} + +\hfill{\bf\alert{All OK?}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Re-identification Attack} + +Two researchers analysed the data: + +\begin{itemize} +\item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the +records can be identified +\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause +\item they took 50 samples from IMDb (where people can reveal their identity) +\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates) +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{} + +\begin{itemize} +\item Birth data, postcode and gender (unique for\\ 87\% of the US population) +\item Preferences in movies (99\% of 500K for 8 ratings) +\end{itemize}\bigskip + +Therefore best practices / or even law (HIPAA, EU): + +\begin{itemize} +\item only year dates (age group for 90 years or over), +\item no postcodes (sector data is OK, similarly in the US)\\ +\textcolor{gray}{no names, addresses, account numbers, licence plates} +\item disclosure information needs to be retained for 5 years +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}<2>[c] +\frametitle{How to Safely Disclose Information?} + +\only<1>{ +\begin{itemize} +\item Assume you make a survey of 100 randomly chosen people. +\item Say 99\% of the surveyed people in the 10 - 40 age group have seen the +Gangnam video on youtube.\bigskip + +\item What can you infer about the rest of the population? +\end{itemize}} +\only<2>{ +\begin{itemize} +\item Is it possible to re-identify data later, if more data is released. \bigskip\bigskip\pause + +\item Not even releasing only aggregate information prevents re-identification attacks. +(GWAS was a public database of gene-frequency studies linked to diseases; +you only needed partial DNA information in order +to identify whether an individual was part of the study --- DB closed in 2008) +\end{itemize}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Differential Privacy} + +\begin{center} +User\;\;\;\; +\begin{tabular}{c} +tell me \bl{$f(x)$} $\Rightarrow$\\ +$\Leftarrow$ \bl{$f(x) + \text{noise}$} +\end{tabular} +\;\;\;\;\begin{tabular}{@{}c} +Database\\ +\bl{$x_1, \ldots, x_n$} +\end{tabular} +\end{center} + + +\begin{itemize} +\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to +individual entries \bl{$x_1, \ldots, x_n$}\\ +\item Intuition: whatever is learned from the dataset would be learned regardless of whether +\bl{$x_i$} participates\bigskip\pause + +\item Noised needed in order to prevent queries:\\ Christian's salary $=$ +\begin{center} +\bl{\large$\Sigma$} all staff $-$ \bl{\large$\Sigma$} all staff $\backslash$ Christian +\end{center} +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Adding Noise} + +Adding noise is not as trivial as one would wish: + +\begin{itemize} +\item If I ask how many of three have seen the Gangnam video and get a result +as follows + +\begin{center} +\begin{tabular}{l|c} +Alice & yes\\ +Bob & no\\ +Charlie & yes\\ +\end{tabular} +\end{center} + +then I have to add a noise of \bl{$1$}. So answers would be in the +range of \bl{$1$} to \bl{$3$} + +\bigskip +\item But if I ask five questions for all the dataset (has seen Gangnam video, is male, below 30, \ldots), +then one individual can change the dataset by \bl{$5$} +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@{}c@{}}Tor\end{tabular}} + +\begin{itemize} +\item initially developed by US Navy Labs, but then opened up to the world +\item network of proxy nodes +\item a Tor client establishes a ``random'' path to the destination server (you cannot trace back where the information came from)\bigskip\pause +\end{itemize} + +\only<2>{ +\begin{itemize} +\item malicious exit node attack: someone set up 5 Tor exit nodes and monitored the traffic: +\begin{itemize} +\item a number of logons and passwords used by embassies (Usbekistan `s1e7u0l7c', while +Tunesia `Tunesia' and India `1234') +\end{itemize} +\end{itemize}} +\only<3>{ +\begin{itemize} +\item bad apple attack: if you have one insecure application, your IP can be tracked through Tor +\begin{itemize} +\item background: 40\% of traffic on Tor is generated by BitTorrent +\end{itemize} +\end{itemize}} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@{}c@{}}Skype\end{tabular}} + +\begin{itemize} +\item Skype used to be known as a secure online communication (encryption cannot be disabled), +but \ldots\medskip + +\item it is impossible to verify whether crypto algorithms are correctly used, or whether there are backdoors.\bigskip + +\item recently someone found out that you can reset the password of somebody else's +account, only knowing their email address (needed to suspended the password reset feature temporarily) +\end{itemize} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@{}c@{}}Take Home Point\end{tabular}} + +According to Ross Anderson: \bigskip +\begin{itemize} +\item Privacy in a big hospital is just about doable.\medskip +\item How do you enforce privacy in something as big as Google +or complex as Facebook? No body knows.\bigskip + +Similarly, big databases imposed by government +\end{itemize} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \end{document}