Binary file handouts/ho01.pdf has changed
--- a/handouts/ho01.tex Tue Sep 23 10:31:03 2014 +0100
+++ b/handouts/ho01.tex Tue Sep 23 11:23:29 2014 +0100
@@ -38,13 +38,13 @@
mindset. This might be a mindset that you think is very foreign to you
(after all we are all good citizens and not ahck into things). I beg
to differ: You have this mindset already when in school you were
-thinking, at least hypothetically, in which ways you can cheat in an
+thinking, at least hypothetically, about in which ways you can cheat in an
exam (whether it is about hiding notes or looking over the shoulders
of your fellow pupils). Right? To defend a system, you need to have
this kind mindset and be able to think like an attacker. This will
include understanding techniques that can be used to compromise
security and privacy in systems. This will many times result in
-insights where well-intended security mechanism made a system actually
+insights where well-intended security mechanisms made a system actually
less secure.\smallskip
{\Large\bf Warning!} However, don’t be evil! Using those
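Review bot: the unchanged context of this hunk still carries two typos that this wording pass should pick up: "not ahck into things" in the line "(after all we are all good citizens and not ahck into things)" should read "do not hack into things", and "this kind mindset" should be "this kind of mindset". The changed line "about in which ways you can cheat in an" would also read more naturally as "about the ways in which you can cheat in an".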
@@ -58,19 +58,33 @@
tamper with any of King's systems. If you try out a technique,
always make doubly sure you are working in a safe environment
so that you cannot cause any harm, not even accidentally.
-Don't be evil. Be an ethical hacker.
+Don't be evil. Be an ethical hacker.\smallskip
-In this lecture I want to make you familiar with the security
-mindset and dispel the myth that encryption is the answer to
-security (it certainly is one answer, but by no means a
-sufficient one). This is actually an important thread going
+In this lecture I want to make you familiar with the security mindset
+and dispel the myth that encryption is the answer to all security
+problems (it is certainly often part of an answer, but almost always
+never a sufficient one). This is actually an important thread going
through the whole course: We will assume that encryption works
-perfectly, but still attack ``things''. By ``works perfectly''
-we mean that we will assume encryption is a black box and, for
-example, will not look at the underlying
-mathematics.\footnote{Though fascinating it might be.}
+perfectly, but still attack ``things''. By ``works perfectly'' we mean
+that we will assume encryption is a black box and, for example, will
+not look at the underlying mathematics and break the
+algorithms.\footnote{Though fascinating it might be.}
+For a secure system it seems four requirements need to come together:
+First a security policy (what is supposed to be achieved?); second a
+mechanism (cipher, access controls, tamper resistance etc); third the
+assurance we obtain from the mechanism (the amount of reliance we can
+put on the mechanism) and finally the incentives (the motive that the
+people guarding and maintaining the system have to do their job
+properly, and also the motive that the attackers have to try to defeat
+your policy). The last point is often overlooked, but plays an
+important role. Lets look at an example. The questions is whether
+the Chip-and-PIN system with credit cards is more secure than the older
+method of signing receipts at the till.
+
+
+
\end{document}
%%% Local Variables:
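Review bot: "almost always never a sufficient one" in the rewritten sentence is self-contradictory ("almost always" and "never" cancel each other out); use "almost never a sufficient one" or "hardly ever a sufficient one". In the new paragraph, "Lets look at an example. The questions is whether" needs "Let's" and "The question is". That paragraph also ends with the Chip-and-PIN question and then runs straight through blank lines into \end{document}, so the example it announces is not part of this commit; either add the discussion here or hold back the last two sentences until it is written.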
Binary file hws/hw01.pdf has changed
--- a/hws/hw01.tex Tue Sep 23 10:31:03 2014 +0100
+++ b/hws/hw01.tex Tue Sep 23 11:23:29 2014 +0100
@@ -1,6 +1,5 @@
\documentclass{article}
-\usepackage{charter}
-\usepackage{hyperref}
+\usepackage{../style}
\begin{document}
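Review bot: dropping \usepackage{hyperref} in favour of \usepackage{../style} only builds if ../style itself loads hyperref (or at least url), because the body of this file still uses \url{http://nodejs.org}; please confirm style.sty provides it. The same check applies to the charter font package if the homework sheet is expected to keep that typeface.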
@@ -8,36 +7,38 @@
\begin{enumerate}
\item {\bf (Optional)} If you want to have a look at the code
- presented in the lectures, install Node.js available (for free) from
+ presented in the lectures, install \texttt{Node.js} available (for free) from
\begin{center}
\url{http://nodejs.org}
\end{center}
-It needs aslo the Node-packages: Express, Cookie-Parser, Body-Parser and
-Crypto.
+It needs aslo the Node-packages Express, Cookie-Parser, Body-Parser and
+Crypto. They can be easily installed using the Node package manager \texttt{npm}.
\item Practice thinking like an attacker. Assume the following situation:
-\begin{quote}\it
-Prof.~V.~Nasty gives the following final exam question (closed books, closed notes):\bigskip
+
+ \begin{quote}\it
+ Prof.~V.~Nasty gives the following final exam question (closed books, closed notes):\bigskip
+
+ \noindent
+ \begin{tabular}{@ {}l}
+ Write the first 100 digits of pi:\\
+ 3.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
+ \end{tabular}
+ \end{quote}
\noindent
-\begin{tabular}{@ {}l}
-Write the first 100 digits of pi:\\
-3.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
-\end{tabular}
-\end{quote}
-
-\noindent
-Think of ways how you can cheat in this exam?
+Think of ways how you can cheat in this exam? How would you defend
+against such cheats.
\item Explain what hashes and salts are. Describe how they can be used
for ensuring data integrity and storing password information.
\item What are good uses of cookies (that is browser cookies)?
-\item Why is making bank customer be liable for financial fraud a bad
-design choice for CC payments?
+\item Why is making bank customers liable for financial fraud a bad
+design choice for credit card payments?
\end{enumerate}
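Review bot: the typo "aslo" survives in the added line "It needs aslo the Node-packages Express, Cookie-Parser, Body-Parser and" and should be "also" (the line is rewritten anyway, so this is the moment to fix it). Further down, "How would you defend against such cheats." is a question and needs a question mark, and "Think of ways how you can cheat in this exam?" reads better as "Think of ways in which you could cheat in this exam." The re-indented quote/tabular block is otherwise a pure whitespace change.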
Binary file slides/slides01.pdf has changed
--- a/slides/slides01.tex Tue Sep 23 10:31:03 2014 +0100
+++ b/slides/slides01.tex Tue Sep 23 11:23:29 2014 +0100
@@ -572,7 +572,7 @@
\begin{frame}[c]
\frametitle{The Bad Guy Again}
-\begin{bubble}[10cm]
+\begin{bubble}[10.5cm]
\small
The anonymous hacker from earlier:\medskip\\ ``Try to use
`Verified-By-Visa' and `Mastercard-Securecode' as rarely as
@@ -836,7 +836,7 @@
\item read the cookie from client
\item if none is present, set \texttt{counter} to \textcolor{blue}{zero}
\item if cookie is present, extract \texttt{counter}
-\item if \texttt{counter} is greater or equal \textcolor{blue}{$5$}, \\
+\item if \texttt{counter} is greater or equal than \textcolor{blue}{$5$}, \\
print a valued customer message\\
otherwise just a normal message
\item increase \texttt{counter} by \textcolor{blue}{$1$} and store new cookie with client
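Review bot: "greater or equal than" in the changed line is not idiomatic English; the intended reading is "greater than or equal to \textcolor{blue}{$5$}" (the original "greater or equal" was closer). Independent of the wording, the steps as listed take \texttt{counter} straight from the client's cookie and branch on it, so if this slide is meant to show why an unverified client-side counter is a problem, a one-line remark to that effect on the slide would make the lesson explicit.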