added
authorChristian Urban <christian dot urban at kcl dot ac dot uk>
Mon, 30 Sep 2013 23:57:44 +0100
changeset 105 40c51038c9e4
parent 104 729b86eae005
child 106 9feafc9bbe9f
added
progs/Application0.scala
progs/C1.c
progs/C2.c
progs/C2a.c
progs/C3.c
progs/C4.c
slides/slides01.pdf
slides/slides01.tex
slides/slides02.pdf
slides/slides02.tex
slides/slides03.tex
slides/slides04.tex
--- a/progs/Application0.scala	Tue Sep 24 12:29:24 2013 +0100
+++ b/progs/Application0.scala	Mon Sep 30 23:57:44 2013 +0100
@@ -10,7 +10,7 @@
   // answering a GET request
   val index = Action { request =>
 
-    Ok("Hello world!")
+    Ok("<H1>Hello world!</H1>").as(HTML)
   }  
   
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/progs/C1.c	Mon Sep 30 23:57:44 2013 +0100
@@ -0,0 +1,19 @@
+void foo (char *bar)
+{
+  float my_float = 10.5;    // in hex: \x41\x28\x00\x00
+  char  buffer[28];        
+
+  printf("my float value = %f\n", my_float);
+  strcpy(buffer, bar);  
+  printf("my float value = %f\n", my_float);
+}
+ 
+int main (int argc, char **argv)
+{
+  foo("my string is too long !!!!! ");
+  return 0;
+}
+
+
+
+
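Review bot: `strcpy(buffer, bar)` in `foo` copies without a bound, and the call in `main` passes 28 characters plus the terminating NUL into `char buffer[28]`, so the copy writes one byte past the array. If this is the intended lecture demonstration, say so at the top of the file, e.g. `// deliberately vulnerable teaching example: do not reuse this copy pattern`, and show the bounded form beside it as a comment, `snprintf(buffer, sizeof buffer, "%s", bar);`. The same unbounded `strcpy` appears in `get_line` in progs/C2a.c and in `main` in progs/C3.c. The file also calls `printf` and `strcpy` without `#include <stdio.h>` and `#include <string.h>`, which C99 and later treat as implicit declarations.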
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/progs/C2.c	Mon Sep 30 23:57:44 2013 +0100
@@ -0,0 +1,24 @@
+int match(char *s1, char *s2) {
+  while( *s1 != '\0' && *s2 != '\0' && *s1 == *s2 ){
+    s1++; s2++;
+  }
+  return( *s1 - *s2 );
+}
+
+void welcome() { printf("Welcome to the Machine!\n"); exit(0); }
+void goodbye() { printf("Invalid identity, exiting!\n"); exit(1); }
+
+main(){
+  char name[8];
+  char pw[8]; 
+
+  printf("login: "); 
+  get_line(name);
+  printf("password: "); 
+  get_line(pw);
+
+  if(match(name, pw) == 0)
+    welcome();
+  else
+    goodbye();
+}
\ No newline at end of file
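Review bot: `main` hands the 8-byte arrays `name` and `pw` to `get_line` with no length, so the callee cannot respect the caller's buffer size; the function is defined in progs/C2a.c and no prototype for it is visible in this file. A declaration that carries the size, `void get_line(char *dst, size_t len);`, called as `get_line(name, sizeof name);`, would let the reader stop at the buffer boundary. The file also calls `printf` and `exit` without `#include <stdio.h>` and `#include <stdlib.h>`, and `main()` relies on implicit `int`, which C99 removed. If the missing bound is what the lecture is meant to show, a one-line comment above `main` saying so would keep the file from being copied as a login template.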
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/progs/C2a.c	Mon Sep 30 23:57:44 2013 +0100
@@ -0,0 +1,14 @@
+// Since gets() is insecure and produces lots of warnings, 
+// I use my own input function instead.
+char ch;
+int i;
+
+void get_line(char *dst) {
+  char buffer[8];
+  i = 0;
+  while ((ch = getchar()) != '\n') {
+    buffer[i++] = ch; 
+  }
+  buffer[i] = '\0';
+  strcpy(dst, buffer);
+}	
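Review bot: The read loop in `get_line` stores `getchar()` in the file-scope `char ch` and stops only on `'\n'`, so end-of-file never ends the loop and `buffer[i++]` (with the terminator after it) writes past the 8-byte `buffer` for any line of 8 or more characters. The header comment presents this as a replacement for the insecure `gets()`, but as written it has the same missing bound; if that is the teaching point, the comment should say it, e.g. `// NOTE: intentionally as unbounded as gets(), kept for the lecture demo`. Independently of the demo, `ch` should be a local `int` so that `EOF` is distinguishable, `int ch; while ((ch = getchar()) != '\n' && ch != EOF)`, and `i` should be local as well. `getchar` and `strcpy` are used without `#include <stdio.h>` and `#include <string.h>`.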
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/progs/C3.c	Mon Sep 30 23:57:44 2013 +0100
@@ -0,0 +1,19 @@
+#include<stdio.h>
+#include<string.h>
+
+// simple program used for a bufferflow attack
+//
+// for installation notes see C0.c
+//
+// can be called with 
+//
+//   ./C3 `./args3`
+
+main(int argc, char **argv)
+{
+        char buffer[80];
+
+        strcpy(buffer, argv[1]);
+
+        return 1;
+}
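Review bot: `main` passes `argv[1]` to `strcpy` without checking `argc`, so a run with no argument hands a null pointer to `strcpy` before the 80-byte copy the file is about is even reached; a guard such as `if (argc < 2) return 1;` keeps the program's failure mode to the one the lecture discusses. `return 1` on the normal path reports failure to the shell, and `main` is declared without a return type. The header comment has a typo, "bufferflow" for "buffer overflow", and should state that the copy into `buffer[80]` is unbounded on purpose.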
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/progs/C4.c	Mon Sep 30 23:57:44 2013 +0100
@@ -0,0 +1,15 @@
+#include<stdio.h>
+#include<string.h>
+
+// a program that just prints the argument
+// on the command line
+//
+// try and run it with %s
+
+
+main(int argc, char **argv)
+{
+        char *string = "This is a secret string\n";
+
+        printf(argv[1]);
+}
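Review bot: `printf(argv[1])` uses a command-line argument as the format string, and nothing in the file marks that as deliberate beyond "try and run it with %s"; a comment naming the issue and the safe form, `// format-string bug on purpose; real code: printf("%s", argv[1]);`, would make the intent explicit. `argv[1]` is also used without an `argc` check, so a run with no argument passes a null pointer to `printf`. `string` is never read; if it exists only to put a recognisable value on the stack for the demo, say so in a comment, since an optimising compiler may drop it. `main` has no return type and no `return`.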
Binary file slides/slides01.pdf has changed
--- a/slides/slides01.tex	Tue Sep 24 12:29:24 2013 +0100
+++ b/slides/slides01.tex	Mon Sep 30 23:57:44 2013 +0100
@@ -19,8 +19,11 @@
 \usetikzlibrary{shadows}
 \usetikzlibrary{positioning}
 \usetikzlibrary{calc}
+\usepackage{upquote}
+\usetikzlibrary{plotmarks}
 \usepackage{graphicx} 
-\usepackage{upquote}
+\usepackage{pgfplots}
+
 
 \definecolor{javared}{rgb}{0.6,0,0} % for strings
 \definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
@@ -1298,40 +1301,6 @@
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{This Course is about  Satan's Computer}
-
-Ross Anderson and Roger Needham wrote:\bigskip
-
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\normalsize\color{darkgray}
-\begin{minipage}{10cm}\raggedright\small
-``In effect, our task is to program a computer which gives 
-answers which are subtly and maliciously wrong at the most 
-inconvenient possible moment\ldots{} we hope that the lessons 
-learned from programming Satan's computer may be helpful 
-in tackling the more common problem of programming Murphy's.''
-\end{minipage}};
-\end{tikzpicture}\\[30mm]
-
-\only<2>{
-\begin{textblock}{11}(2,12)
-\begin{tabular}{c}
-\includegraphics[scale=0.12]{pics/ariane.jpg}\\[-2mm]
-\footnotesize Murphy's computer
-\end{tabular}
-\begin{tabular}{c}
-\includegraphics[scale=0.15]{pics/mobile.jpg}\;
-\includegraphics[scale=0.06]{pics/pinsentry.jpg}\\[-2mm]
-\footnotesize Satan's computers
-\end{tabular}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
Binary file slides/slides02.pdf has changed
--- a/slides/slides02.tex	Tue Sep 24 12:29:24 2013 +0100
+++ b/slides/slides02.tex	Mon Sep 30 23:57:44 2013 +0100
@@ -1,6 +1,5 @@
 \documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
+\usepackage{beamerthemeplaincu}
 \usepackage[latin1]{inputenc}
 \usepackage{mathpartir}
 \usepackage[absolute,overlay]{textpos}
@@ -71,8 +70,13 @@
 	showstringspaces=false}
 
 % beamer stuff 
-\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012}
+\renewcommand{\slidecaption}{APP 02, King's College London, 1 October 2013}
 
+%Bank vs Voting
+%http://www.parliament.vic.gov.au/images/stories/committees/emc/2010_Election/submissions/13_VTeague_EMC_Inquiry_No.6.pdf
+
+% first cyber attack
+%http://investigations.nbcnews.com/_news/2013/03/18/17314818-cyberattack-on-florida-election-is-first-known-case-in-us-experts-say
 
 \begin{document}
 
@@ -86,16 +90,12 @@
   \LARGE Privacy Policies (2)\\[-6mm] 
   \end{tabular}}\bigskip\bigskip\bigskip
 
-  %\begin{center}
-  %\includegraphics[scale=1.3]{pics/barrier.jpg}
-  %\end{center}
-
 \normalsize
   \begin{center}
   \begin{tabular}{ll}
   Email:  & christian.urban at kcl.ac.uk\\
-  Of$\!$fice: & S1.27 (1st floor Strand Building)\\
-  Slides: & KEATS (also home work is there)
+  Office: & S1.27 (1st floor Strand Building)\\
+  Slides: & KEATS (also homework is there)\\
   \end{tabular}
   \end{center}
 
@@ -103,94 +103,244 @@
 \end{frame}}
  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Homework\end{tabular}}
-
-
-\ldots{} I have a question about the homework.\\[3mm] 
-Is it required to submit the homework before\\ 
-the next lecture?\\[5mm]
-
-Thank you!\\
-Anonymous
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
+\frametitle{\begin{tabular}{c}This Course is about\\[-2mm]  ``Satan's Computer''\end{tabular}}
 
-\begin{center}
-\begin{tabular}[t]{c}
-\includegraphics[scale=1.2]{pics/barrier.jpg}\\
-future lectures
-\end{tabular}\;\;\;
-\onslide<2>{
-\begin{tabular}[t]{c}
-\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
-today
+Ross Anderson and Roger Needham wrote:\bigskip
+
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\normalsize\color{darkgray}
+\begin{minipage}{10cm}\raggedright\small
+``In effect, our task is to program a computer which gives 
+answers which are subtly and maliciously wrong at the most 
+inconvenient possible moment\ldots{} we hope that the lessons 
+learned from programming Satan's computer may be helpful 
+in tackling the more common problem of programming Murphy's.''
+\end{minipage}};
+\end{tikzpicture}\\[30mm]
+
+\only<2>{
+\begin{textblock}{11}(2,12)
+\begin{tabular}{c}
+\includegraphics[scale=0.12]{pics/ariane.jpg}\\[-2mm]
+\footnotesize Murphy's computer
 \end{tabular}
-}
-\end{center}
+\begin{tabular}{c}
+\includegraphics[scale=0.15]{pics/mobile.jpg}\;
+\includegraphics[scale=0.06]{pics/pinsentry.jpg}\\[-2mm]
+\footnotesize Satan's computers
+\end{tabular}
+\end{textblock}}
 
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\Large\begin{tabular}{c}User-Tracking Without Cookies\end{tabular}}
+
+Can you track a user {\bf without}:
+
+\begin{itemize}
+\item Cookies
+\item Javascript
+\item LocalStorage/SessionStorage/GlobalStorage
+\item Flash, Java or other plugins
+\item Your IP address or user agent string
+\item Any methods employed by Panopticlick\\
+\mbox{}\hfill $\rightarrow$ \textcolor{blue}{\url{https://panopticlick.eff.org/}}
+\end{itemize}
+
+Even when you disabled cookies entirely, have Javascript turned off and use a VPN service.\\\pause
+And numerous sites already use it (Google).
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Web-Protocol\end{tabular}}
+
+\only<1->{
+\begin{textblock}{1}(2,2)
+  \begin{tikzpicture}[scale=1.3]
+  \draw[white] (0,0) node (X) {\includegraphics[scale=0.12]{pics/firefox.jpg}};
+  \end{tikzpicture}
+\end{textblock}}
+
+\only<1->{
+\begin{textblock}{1}(11,2)
+  \begin{tikzpicture}[scale=1.3]
+  \draw[white] (0,0) node (X) {\includegraphics[scale=0.15]{pics/servers.png}};
+  \end{tikzpicture}
+\end{textblock}}
+
+\only<1->{
+\begin{textblock}{1}(5,2.5)
+  \begin{tikzpicture}[scale=1.3]
+  \draw[white] (0,0) node (X) {};
+  \draw[white] (3,0) node (Y) {};
+  \draw[red, ->, line width = 2mm] (X) -- (Y);
+  \node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg}] at ($ (X)!.5!(Y) $) {};
+  \end{tikzpicture}
+\end{textblock}}
+
+\only<2->{
+\begin{textblock}{1}(5,6)
+  \begin{tikzpicture}[scale=1.3]
+  \draw[white] (0,0) node (X) {};
+  \draw[white] (3,0) node (Y) {};
+  \draw[red, <-, line width = 2mm] (X) -- (Y);
+  \node [inner sep=5pt,label=below:\textcolor{black}{\small ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {};
+   \node [inner sep=5pt,label=above:{\includegraphics[scale=0.15]{pics/tvtestscreen.jpg}}] at ($ (X)!.5!(Y) $) {};
+  \end{tikzpicture}
+\end{textblock}}
+
+\only<3->{
+\begin{textblock}{1}(4.2,11)
+  \begin{tikzpicture}[scale=1.3]
+  \draw[white] (0,0) node (X) {};
+  \draw[white] (3,0) node (Y) {};
+  \draw[red, ->, line width = 2mm] (X) -- (Y);
+  \node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {};
+  \end{tikzpicture}
+\end{textblock}}
+
+\only<4->{
+\begin{textblock}{1}(4.2,13.9)
+  \begin{tikzpicture}[scale=1.3]
+  \draw[white] (0,0) node (X) {};
+  \draw[white] (3,0) node (Y) {};
+  \draw[red, <-, line width = 2mm] (X) -- (Y);
+  \node [inner sep=5pt,label=below:\textcolor{black}{\small HTTP/1.1 304 (Not Modified)}] at ($ (X)!.5!(Y) $) {};
+  \end{tikzpicture}
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}}
-
-\begin{textblock}{1}(1,3)
-\begin{tabular}{c}
-\includegraphics[scale=0.15]{pics/SmartWater}
+\frametitle{Today's Lecture}
+\begin{center}
+\begin{tabular}{cc}
+\large online banking  & \hspace{6mm}\large e-voting\\
+\textcolor{gray}{solved} & \hspace{6mm}\textcolor{gray}{unsolved}\\
 \end{tabular}
-\end{textblock}
+\end{center}
 
 
-\begin{textblock}{8.5}(7,3)
-\begin{itemize}
-\item seems helpful for preventing cable theft\medskip
-\item wouldn't be helpful to make your property safe, because of possible abuse\medskip
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  
 
-\item security is always a tradeoff
-\end{itemize}
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Voting as Security Problem\end{tabular}}
 
-\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
-
+What are the security requirements of a voting system?\bigskip
 
 \begin{itemize}
-\item IEEE is a standards organisation (not-for-profit) 
-\item many standards in CS are by IEEE\medskip
-\item 100k plain-text passwords were recorded in logs
-\item the logs were openly accessible on their FTP server
-\end{itemize}\bigskip
-
-\begin{flushright}\small
-\textcolor{gray}{\url{http://ieeelog.com}}
-\end{flushright}
+\item<2->Integrity 
+\item<3->Ballot Secrecy
+\item<5->Voter Authentication
+\item<6->Enfranchisement
+\item<7->Availability
+\end{itemize}
 
 \only<2>{
-\begin{textblock}{11}(3,2)
+\begin{textblock}{5.5}(8,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
+{\small
+\begin{minipage}{5cm}\raggedright
+\begin{center}
+\begin{minipage}{4.5cm}
+\begin{itemize}
+\item The outcome matches with the voters' intend.
+\item There might be gigantic sums at stake and need to be defended against.
+\end{itemize}
+\end{minipage}
+\end{center}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\only<4>{
+\begin{textblock}{5.5}(8,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
+{\small
+\begin{minipage}{5cm}\raggedright
+\begin{center}
+\begin{minipage}{4.5cm}
+\begin{itemize}
+\item Nobody can find out how you voted.
+\item (Stronger) Even if you try, you cannot prove how you voted.
+\end{itemize}
+\end{minipage}
+\end{center}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\only<5>{
+\begin{textblock}{5.5}(8,5)
 \begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm] 
-{\normalsize\color{darkgray}
-\begin{minipage}{7.5cm}\raggedright\small
-\includegraphics[scale=0.6]{pics/IEEElog.jpg}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
+{\small
+\begin{minipage}{5cm}\raggedright
+\begin{center}
+\begin{minipage}{4.5cm}
+\begin{itemize}
+\item Only authorised voters can vote up to the permitted number of votes.
+\end{itemize}
+\end{minipage}
+\end{center}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\only<6>{
+\begin{textblock}{5.5}(8,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
+{\small
+\begin{minipage}{5cm}\raggedright
+\begin{center}
+\begin{minipage}{4.5cm}
+\begin{itemize}
+\item Authorised voters should have the opportunity to vote.
+\end{itemize}
+\end{minipage}
+\end{center}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\only<7>{
+\begin{textblock}{5.5}(8,5)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
+{\small
+\begin{minipage}{5cm}\raggedright
+\begin{center}
+\begin{minipage}{4.5cm}
+\begin{itemize}
+\item The voting system should accept all authorised votes and produce results in a timely manner.
+\end{itemize}
+\end{minipage}
+\end{center}
 \end{minipage}};
 \end{tikzpicture}
 \end{textblock}}
@@ -198,23 +348,202 @@
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Problems with Voting\end{tabular}}
+
+
+\begin{center}\large
+\begin{tabular}{rcl}
+Integrity & vs. & Ballot Secrecy\bigskip\\
+Authentication & vs. &Enfranchisement   
+\end{tabular}
+\end{center}\bigskip\bigskip\pause
+
+Further constraints:
+
+\begin{itemize}
+\item costs
+\item accessibility
+\item convenience
+\item intelligibility 
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Traditional Ballot Boxes\end{tabular}}
+
+
+\begin{center}
+\includegraphics[scale=2.5]{pics/ballotbox.jpg}
+\end{center}\pause\bigskip
+
+they need a ``protocol''
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}
+
+
+\begin{itemize}
+\item The Netherlands between 1997 - 2006 had electronic voting machines\\
+\textcolor{gray}{(hacktivists had found: they can be hacked and also emitted radio signals revealing how you voted)}
+
+\item Germany had used them in pilot studies\\ 
+\textcolor{gray}{(in 2007 a law suit has reached the highest court and it rejected electronic voting
+on the grounds of not being understandable by the general public)}
+
+\item UK used optical scan voting systems in a few polls
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}
+
+\mbox{}\\[-12mm]
+\begin{itemize}
+\item US used mechanical machines since the 30s, later punch cards, now DREs and 
+optical scan voting machines
+
+\item Estonia used in 2007 the Internet for national elections 
+\textcolor{gray}{(there were earlier pilot studies in other countries)}
+
+\item India uses e-voting devices  since at least 2003\\
+\textcolor{gray}{(``keep-it-simple'' machines produced by a government owned company)}
+
+\item South Africa used software for its tallying in the 1993 elections (when Nelson Mandela was elected)
+\textcolor{gray}{(they found the tallying software was rigged, but they were able to tally manually)}
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}A Brief History of Voting\end{tabular}}
 
-\begin{flushright}\small
-\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
-\end{flushright}
 
 \begin{itemize}
-\item for online accounts passwords must be 6 digits
-\item you must cycle through 1M combinations (online)\pause\bigskip
+\item Athenians
+\begin{itemize}
+\item show of hands
+\item ballots on pieces of pottery
+\item different colours of stones
+\item ``facebook''-like authorisation 
+\end{itemize}\bigskip
+
+\textcolor{gray}{problems with vote buying / no ballot privacy}\bigskip
+
+
+\item French Revolution and the US Constitution got things ``started'' with 
+paper ballots (you first had to bring your own; later they were pre-printed by parties)
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Ballot Boxes\end{tabular}}
+
+Security policies involved with paper ballots:
+
+\begin{enumerate}
+\item you need to check that the ballot box is empty at the start of the poll / no false bottom (to prevent ballot stuffing)
+\item you need to guard the ballot box during the poll until counting
+\item tallied by a team at the end of the poll (independent observers) 
+\end{enumerate}
+
+\begin{center}
+\includegraphics[scale=1.5]{pics/ballotbox.jpg}
+\end{center}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Paper Ballots\end{tabular}}
+
+What can go wrong with paper ballots?
+
+\only<2>{
+\begin{center}
+\includegraphics[scale=0.8]{pics/tweet.jpg}\\
+\footnotesize William M.~Tweed, US Politician in 1860's\\
+``As long as I count the votes, what are you going to do about it?''
+\end{center}}
 
-\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
-\item wrote a script that cleared the cookie set after each guess\pause
-\item has been fixed now
+\only<3>{
+\medskip
+\begin{center}
+\begin{minipage}{10cm}
+{\bf Chain Voting Attack}
+\begin{enumerate}
+\item you obtain a blank ballot and fill it out as you want
+\item you give it to a voter outside the polling station
+\item voter receives a new blank ballot
+\item voter submits prefilled ballot
+\item voter gives blank ballot to you, you give money
+\item goto 1
+\end{enumerate}
+\end{minipage}
+\end{center}
+}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+\mode<presentation>{
+\begin{frame}[c]
+
+Which security requirements do paper ballots satisfy better than voice voting?\bigskip
+
+\begin{itemize}
+\item Integrity
+\item Enfranchisement
+\item Ballot secrecy
+\item Voter authentication
+\item Availability
+\end{itemize}
+
+\end{frame}}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Mechanical Voting Machines\end{tabular}}
+
+\begin{itemize}
+\item<1-> Lever Voting Machines (ca.~1930 - 1990)
+\only<1>{
+\begin{center}
+\includegraphics[scale=0.56]{pics/leavermachine.jpg}
+\end{center}
+}
+\item<2->Punch Cards (ca.~1950 - 2000)
+\only<2>{
+\begin{center}
+\includegraphics[scale=0.5]{pics/punchcard1.jpg}\;\;
+\includegraphics[scale=0.46]{pics/punchcard2.jpg}
+\end{center}
+}
 \end{itemize}
 
 
@@ -222,29 +551,51 @@
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@ {}c@ {}}Electronic Voting Machines\end{tabular}}
+
+\begin{center}
+\begin{tabular}{c}
+\includegraphics[scale=0.45]{pics/dre1.jpg}\; 
+\includegraphics[scale=0.40]{pics/dre2.jpg}\\\hline\\
+\includegraphics[scale=0.5]{pics/opticalscan.jpg} 
+\end{tabular}
+\end{center}
+
+\only<1->{
+\begin{textblock}{5.5}(1,4)
+DREs
+\end{textblock}}
+\only<1->{
+\begin{textblock}{5.5}(1,11)
+Optical Scan
+\end{textblock}}
+
+\only<2>{
+\begin{textblock}{5.5}(0.5,14.5)
+all are computers
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}DREs\end{tabular}}
+
+Direct-recording electronic voting machines\\ 
+(votes are recorded for example on memory cards)
 
-\begin{itemize}
-\item ``smashing the stack attacks'' or ``buffer overflow attacks''
-\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
-\begin{flushright}\small
-\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
-\end{flushright}
-\medskip
-\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
+typically touchscreen machines
+
+usually no papertrail
+
 \begin{center}
-{\bf ``Smashing The Stack For Fun and Profit''}
-\end{center}\medskip
-
-\begin{flushright}
-\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
-\end{flushright} 
- 
-\end{itemize}
+\includegraphics[scale=0.56]{pics/dre1.jpg}
+\end{center}
 
 
 \end{frame}}
@@ -253,53 +604,104 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}
+
+The work by J.~Alex Halderman:
 
 \begin{itemize}
-\item The basic problem is that library routines in C look as follows:
-\begin{center}
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
-\end{center}
-\item the resulting problems are often remotely exploitable 
-\item can be used to circumvents all access control
-(botnets for further attacks)
+\item acquired a machine from an anonymous source\medskip
+\item the source code running the machine was tried to be kept secret\medskip\pause
+
+\item first reversed-engineered the machine (extremely tedious)
+\item could completely reboot the machine and even install a virus that infects other Diebold machines
+\item obtained also the source code for other machines
 \end{itemize}
-  
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}
+
+What could go wrong?\pause \;\;Failure-in-depth.\bigskip\pause
+
+A non-obvious problem:
+
+\begin{itemize}
+\item you can nowadays get old machines, which still store old polls
+
+\item the paper ballot box needed to be secured during the voting until counting;
+e-voting machines need to be secured during the entire life-time  
+\end{itemize}
+
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Variants\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Paper Trail\end{tabular}}
 
-There are many variants:
+Conclusion:\\ Any electronic solution should have a paper trail.
 
-\begin{itemize}
-\item return-to-lib-C attacks
-\item heap-smashing attacks\\
-\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
+\begin{center}
+\begin{tabular}{c}
+\includegraphics[scale=0.5]{pics/opticalscan.jpg} 
+\end{tabular}
+\end{center}\pause
 
-\item ``zero-days-attacks'' (new unknown vulnerability)
-\end{itemize}
-  
+You still have to solve problems about
+voter registration, voter authentification, guarding against tampering
+
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting in India\end{tabular}}
+
+Their underlying engineering principle is ``keep-it-simple'':
+
+\begin{center}
+\begin{tabular}{c}
+\includegraphics[scale=1.05]{pics/indiaellection.jpg}\;\;
+\includegraphics[scale=0.40]{pics/india1.jpg}
+\end{tabular}
+\end{center}\medskip\pause
+
+Official claims: ``perfect'', ``tamperproof'', ``no need for technical improvements'' , ``infallible'' 
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Lessons Learned\end{tabular}}
+
+\begin{itemize}
+\item keep a paper trail and design your system to keep this secure\medskip
+\item make the software open source (avoid security-by-obscurity)\medskip
+\item have a simple design in order to minimise the attack surface
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
 
-\small
-\texttt{my\_float} is printed twice:\bigskip
+\begin{center}
+\includegraphics[scale=0.56]{pics/Voting1.png}
+\end{center}
 
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C1.c}}}
 
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
@@ -308,23 +710,10 @@
 \begin{frame}[c]
 
 \begin{center}
-\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
-\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
-\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
+\includegraphics[scale=0.56]{pics/Voting2.png}
 \end{center}
-  
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
 
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C2.c}}}
-
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
@@ -332,115 +721,23 @@
 \mode<presentation>{
 \begin{frame}[c]
 
-\small
-A programmer might be careful, but still introduce vulnerabilities:\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{C2a.c}}}
-
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+\begin{center}
+\includegraphics[scale=0.56]{pics/Voting3.png}
+\end{center}
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
 
-\begin{itemize}
-\item the idea is you store some code as part to the buffer
-\item you then override the return address to execute this payload\medskip
-\item normally you start a root-shell\pause
-\item difficulty is to guess the right place where to ``jump''
-\end{itemize}
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
-
-\begin{itemize}
-\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
 
 \begin{center}
-\texttt{xorl   \%eax, \%eax}
+\includegraphics[scale=0.56]{pics/Voting4.png}
 \end{center}
-\end{itemize}\bigskip\bigskip
-  
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{app5.c}}}
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
-
-\small
-\texttt{string} is nowhere used:\bigskip
-
-{\lstset{language=Java}\fontsize{8}{10}\selectfont%
-\texttt{\lstinputlisting{programs/C4.c}}}\bigskip
-
-this vulnerability can be used to read out the stack
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
-
-\begin{itemize}
-\item use safe library functions
-\item ensure stack data is not executable (can be defeated)
-\item address space randomisation (makes one-size-fits-all more difficult)
-\item choice of programming language (one of the selling points of Java)
-
-\end{itemize}
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
-
-\begin{itemize}
-\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
-\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
-\item Monitoring (detect attacks)\pause
-\item Privacy, confidentiality, anonymity (to protect secrets)\pause
-\item Authenticity (needed for access control)\pause
-\item Integrity (prevent unwanted modification or tampering)\pause
-\item Availability and reliability (reduce the risk of DoS attacks)
-\end{itemize}
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Homework\end{tabular}}
-
-\begin{itemize}
-\item Assume format string attacks allow you to read out the stack. What can you do
-	with this information?\bigskip
-
-\item Assume you can crash a program remotely. Why is this a problem?
-\end{itemize}
-  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
--- a/slides/slides03.tex	Tue Sep 24 12:29:24 2013 +0100
+++ b/slides/slides03.tex	Mon Sep 30 23:57:44 2013 +0100
@@ -1,6 +1,6 @@
 \documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
+\usepackage{beamerthemeplaincu}
+%%\usepackage[T1]{fontenc}
 \usepackage[latin1]{inputenc}
 \usepackage{mathpartir}
 \usepackage[absolute,overlay]{textpos}
@@ -71,7 +71,7 @@
 	showstringspaces=false}
 
 % beamer stuff 
-\renewcommand{\slidecaption}{APP 03, King's College London, 9 October 2012}
+\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012}
 
 
 \begin{document}
@@ -83,7 +83,7 @@
   \begin{tabular}{@ {}c@ {}}
   \\
   \LARGE Access Control and \\[-3mm] 
-  \LARGE Privacy Policies (3)\\[-6mm] 
+  \LARGE Privacy Policies (2)\\[-6mm] 
   \end{tabular}}\bigskip\bigskip\bigskip
 
   %\begin{center}
@@ -95,8 +95,7 @@
   \begin{tabular}{ll}
   Email:  & christian.urban at kcl.ac.uk\\
   Of$\!$fice: & S1.27 (1st floor Strand Building)\\
-  Slides: & KEATS (also home work is there)\\
-               & \alert{\bf (I have put a temporary link in there.)}\\
+  Slides: & KEATS (also home work is there)
   \end{tabular}
   \end{center}
 
@@ -107,64 +106,15 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
-one general defence mechanism is\\\alert{\bf defence in depth}
-\end{center}
-
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+\frametitle{\begin{tabular}{c}Homework\end{tabular}}
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1-2>[c]
-\frametitle{Defence in Depth}
-
-\begin{itemize}
-\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
-\end{itemize}
-
-\only<2->{
-\begin{textblock}{11}(2,12)
-\small otherwise your ``added security'' can become the point of failure 
-\end{textblock}}
-  
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{PALs}
-
-\begin{itemize}
-\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory)
-\end{itemize}
+\ldots{} I have a question about the homework.\\[3mm] 
+Is it required to submit the homework before\\ 
+the next lecture?\\[5mm]
 
-\begin{center}
-\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm}
-\includegraphics[scale=0.25]{pics/nuclear2.jpg}
-\end{center}
-  
-  
-\onslide<3->{
-modern PALs also include a 2-person rule
-} 
- 
- \only<2->{
-\begin{textblock}{11}(3,2)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\begin{minipage}{8cm}
-US Air Force's Strategic Air Command worried that in times of need the 
-codes would not be available, so until 1977 quietly decided to set them 
-to 00000000\ldots
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
+Thank you!\\
+Anonymous
   
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
@@ -173,24 +123,165 @@
 \mode<presentation>{
 \begin{frame}[c]
 
-\begin{itemize}
-\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause
-
-\item these weapons were armed with a bicycle key
-
 \begin{center}
-\begin{tabular}[b]{c}
-\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
-\small nuclear weapon keys
+\begin{tabular}[t]{c}
+\includegraphics[scale=1.2]{pics/barrier.jpg}\\
+future lectures
+\end{tabular}\;\;\;
+\onslide<2>{
+\begin{tabular}[t]{c}
+\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\
+today
+\end{tabular}
+}
+\end{center}
+
+  
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}}
+
+\begin{textblock}{1}(1,3)
+\begin{tabular}{c}
+\includegraphics[scale=0.15]{pics/SmartWater}
 \end{tabular}
-\hspace{3mm}
-\begin{tabular}[b]{c}
-\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\
-\small bicycle lock
-\end{tabular}
-\end{center}\bigskip\pause
+\end{textblock}
+
+
+\begin{textblock}{8.5}(7,3)
+\begin{itemize}
+\item seems helpful for preventing cable theft\medskip
+\item wouldn't be helpful to make your property safe, because of possible abuse\medskip
+
+\item security is always a tradeoff
+\end{itemize}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}}
+
+\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:}
+
+
+\begin{itemize}
+\item IEEE is a standards organisation (not-for-profit) 
+\item many standards in CS are by IEEE\medskip
+\item 100k plain-text passwords were recorded in logs
+\item the logs were openly accessible on their FTP server
+\end{itemize}\bigskip
+
+\begin{flushright}\small
+\textcolor{gray}{\url{http://ieeelog.com}}
+\end{flushright}
+
+\only<2>{
+\begin{textblock}{11}(3,2)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm] 
+{\normalsize\color{darkgray}
+\begin{minipage}{7.5cm}\raggedright\small
+\includegraphics[scale=0.6]{pics/IEEElog.jpg}
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}}
+
+\begin{flushright}\small
+\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}}
+\end{flushright}
+
+\begin{itemize}
+\item for online accounts passwords must be 6 digits
+\item you must cycle through 1M combinations (online)\pause\bigskip
 
-\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted
+\item he limited the attack on his own account to 1 guess per second, \alert{\bf and}
+\item wrote a script that cleared the cookie set after each guess\pause
+\item has been fixed now
+\end{itemize}
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}}
+
+\begin{itemize}
+\item ``smashing the stack attacks'' or ``buffer overflow attacks''
+\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows)
+\begin{flushright}\small
+\textcolor{gray}{\url{http://www.kb.cert.org/vuls}}
+\end{flushright}
+\medskip
+\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\
+\begin{center}
+{\bf ``Smashing The Stack For Fun and Profit''}
+\end{center}\medskip
+
+\begin{flushright}
+\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14}
+\end{flushright} 
+ 
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}The Problem\end{tabular}}
+
+\begin{itemize}
+\item The basic problem is that library routines in C look as follows:
+\begin{center}
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{../progs/app5.c}}}
+\end{center}
+\item the resulting problems are often remotely exploitable 
+\item can be used to circumvents all access control
+(botnets for further attacks)
+\end{itemize}
+  
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Variants\end{tabular}}
+
+There are many variants:
+
+\begin{itemize}
+\item return-to-lib-C attacks
+\item heap-smashing attacks\\
+\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip
+
+\item ``zero-days-attacks'' (new unknown vulnerability)
 \end{itemize}
   
 \end{frame}}
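Review bot: On the Variants slide the Slammer remark is attached to `\item heap-smashing attacks`, but Slammer is generally described as exploiting a stack-based buffer overflow in SQL Server's resolution service, so the example sits under the wrong variant. Moving the gray line to the "Smash the Stack for Fun" slide, or leaving the item as plain `\item heap-smashing attacks`, keeps the classification accurate. Separately, the "The Problem" slide reads `can be used to circumvents all access control`; it should read `can be used to circumvent all access control`.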
@@ -201,101 +292,87 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Access Control in Unix}
+
+\small
+\texttt{my\_float} is printed twice:\bigskip
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{../progs/C1.c}}}
+
+  
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
 
-\begin{itemize}
-\item access control provided by the OS
-\item authenticate principals (login)
-\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
-\item roles get attached with privileges\bigskip\\%
-\hspace{8mm}
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\begin{minipage}{8cm}
-\alert{principle of least privilege:}\\
-programs should only have as much privilege as they need 
-\end{minipage}};
-\end{tikzpicture}
-\end{itemize}
+\begin{center}
+\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;}
+\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;}
+\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;}
+\end{center}
+  
+  
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{../progs/C2.c}}}
+
+  
 \end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
+
+\small
+A programmer might be careful, but still introduce vulnerabilities:\bigskip
 
-\begin{itemize}
-\item the idea is to restrict access to files and therefore lower the consequences of an attack\\[1cm]\mbox{}
-\end{itemize}
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{../progs/C2a.c}}}
 
-\begin{textblock}{1}(2.5,9.5)
-  \begin{tikzpicture}[scale=1]
   
-  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
-  \draw (4.7,1) node {Internet};
-  \draw (0.6,1.7) node {\footnotesize Interface};
-  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
-  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-  
-  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-
-  \draw[white] (1.7,1) node (X) {};
-  \draw[white] (3.7,1) node (Y) {};
-  \draw[red, <->, line width = 2mm] (X) -- (Y);
- 
-  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
-  \end{tikzpicture}
-\end{textblock}
-
 \end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Process Ownership}
-
-\begin{itemize}
-\item access control in Unix is very coarse
-\end{itemize}\bigskip\bigskip\bigskip
-
-\begin{center}
-\begin{tabular}{c}
-root\\
-\hline
-
-user$_1$ user$_2$ \ldots www, mail, lp
-\end{tabular}
-\end{center}\bigskip\bigskip\bigskip
-
-
-\textcolor{gray}{\small root has UID $=$ 0}\\\pause
-\textcolor{gray}{\small you also have groups that can share access to a file}\\
-\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Access Control in Unix (2)}
-
+\frametitle{\begin{tabular}{c}Payloads\end{tabular}}
 
 \begin{itemize}
-\item privileges are specified by file access permissions (``everything is a file'') 
-\item there are 9 (plus 2) bits that specify the permissions of a file
+\item the idea is you store some code as part to the buffer
+\item you then override the return address to execute this payload\medskip
+\item normally you start a root-shell\pause
+\item difficulty is to guess the right place where to ``jump''
+\end{itemize}
+  
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}}
+
+\begin{itemize}
+\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}:
 
 \begin{center}
-\begin{tabular}{l}
-\texttt{\$ ls - la}\\
-\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
-\end{tabular}
+\texttt{xorl   \%eax, \%eax}
 \end{center}
-\end{itemize}
-
+\end{itemize}\bigskip\bigskip
+  
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{../progs/app5.c}}}
+  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
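Review bot: The Payloads slide says `you then override the return address`, where the term that describes what the overflow does is `overwrite`; the first item also reads `as part to the buffer` and should be `as part of the buffer`. The C listings on the new slides (`C1.c`, `C2.c`, `C2a.c`, `app5.c`) are set with `\lstset{language=Java}`, so keyword highlighting follows Java rather than C. `\lstset{language=C}` would match the files, and the same applies to the `app5.c` listing in the previous hunk and the `C4.c` listing in the next one.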
@@ -303,25 +380,50 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Login Process}
+\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}}
+
+\small
+\texttt{string} is nowhere used:\bigskip
+
+{\lstset{language=Java}\fontsize{8}{10}\selectfont%
+\texttt{\lstinputlisting{../progs/C4.c}}}\bigskip
 
+this vulnerability can be used to read out the stack
+  
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}}
 
 \begin{itemize}
-\item login processes run under UID $=$ 0\medskip 
-\begin{center}
-\texttt{ps -axl | grep login}
-\end{center}\medskip
+\item use safe library functions
+\item ensure stack data is not executable (can be defeated)
+\item address space randomisation (makes one-size-fits-all more difficult)
+\item choice of programming language (one of the selling points of Java)
+
+\end{itemize}
+  
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-\item after login, shells run under UID $=$ user (e.g.~501)\medskip
-\begin{center}
-\texttt{id cu}
-\end{center}\medskip\pause
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Security Goals\end{tabular}}
 
-\item non-root users are not allowed to change the UID --- would break 
-access control
-\item but needed for example for \texttt{passwd}
+\begin{itemize}
+\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause
+\item Recover from attacks (traceability and auditing of security-relevant actions)\pause
+\item Monitoring (detect attacks)\pause
+\item Privacy, confidentiality, anonymity (to protect secrets)\pause
+\item Authenticity (needed for access control)\pause
+\item Integrity (prevent unwanted modification or tampering)\pause
+\item Availability and reliability (reduce the risk of DoS attacks)
 \end{itemize}
-
+  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
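Review bot: The Format String Vulnerability slide ends on `this vulnerability can be used to read out the stack`, and the next slide covers protections against buffer overflows only, so the deck names no defence for format strings. Assuming `C4.c` passes caller-controlled text as the format argument (the listing is not visible in this hunk), an item such as `\item never pass input as the format: \texttt{printf("\%s", s)}, not \texttt{printf(s)}` would close that gap, and the compiler warning `-Wformat-security` is worth a mention. The protections list could also name stack canaries (`-fstack-protector`) alongside non-executable stacks and address space randomisation.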
@@ -330,390 +432,15 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Setuid and Setgid}
-
-The solution is that unix file permissions are 9 + \underline{2 Bits}:
-\alert{Setuid} and \alert{Setgid} Bits
-
-\begin{itemize}
-\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file. 
-\item This enables users to create processes as root (or another user).\bigskip
-
-\item Essential for changing passwords, for example.
-\end{itemize}
-
-\begin{center}
-\texttt{chmod 4755 fobar\_file}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
-
-\begin{center}
-\begin{tikzpicture}[scale=1]
-  
-  \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
-  \draw (4.7,1) node {Internet};
-  \draw (0.6,1.7) node {\footnotesize Slave};
-  \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
-  \draw (0.6,1.7) node {\footnotesize Slave};
-  \draw (0.6,0.6) node {\footnotesize Slave};
-  \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
-  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-  
-  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-  \draw (-2.9,1.7) node {\footnotesize Monitor};
-
-  \draw[white] (1.7,1) node (X) {};
-  \draw[white] (3.7,1) node (Y) {};
-  \draw[red, <->, line width = 2mm] (X) -- (Y);
- 
-  \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
-  \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
-
-  \end{tikzpicture}
-\end{center}
-
-\begin{itemize}
-\item pre-authorisation slave 
-\item post-authorisation\bigskip
-\item 25\% codebase is privileged, 75\% is unprivileged
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Network Applications}
-
-ideally network application in Unix should be designed as follows:
-
-\begin{itemize}
-\item need two distinct processes
-\begin{itemize}
-\item one that listens to the network; has no privilege
-\item one that is privileged and listens to the latter only (but does not trust it)
- 
-\end{itemize}
-
-\item to implement this you need a parent process, which forks a child process
-\item this child process drops privileges and listens to hostile data\medskip
-
-\item after authentication the parent forks again and the new child becomes the user
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
-
-
-\begin{itemize}
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
-\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
-\item \texttt{mkdir foo} is owned by root\medskip
-\begin{center}
-\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
-\end{center}\medskip
-it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
-\end{itemize}
-
-\only<1>{
-\begin{textblock}{1}(3,3)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\begin{minipage}{8cm}
-Only failure makes us experts.
-	-- Theo de Raadt (OpenBSD, OpenSSH)
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
-
-There are thing's you just cannot solve on the programming side:\bigskip
-
-\begin{itemize}
-\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
-\begin{itemize}
-\item attacker:\\ 
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
-\item root:\\\texttt{rm /tmp/*/*}:
-\item attacker:\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
-\end{itemize}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}
-
-Unix essentially can only distinguish between two security levels (root and non-root).
-
-\begin{itemize}
-\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause 
-
-\item Information flow: Bell --- La Padula model
-
-\begin{itemize}
-\item read: your own level and below
-\item write: your own level and above
-\end{itemize}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}
-
-\begin{itemize}
-\item Bell --- La Padula preserves data secrecy, but not data integrity\bigskip\pause
-
-\item Biba model is for data integrity  
+\frametitle{\begin{tabular}{c}Homework\end{tabular}}
 
 \begin{itemize}
-\item read: your own level and above
-\item write: your own level and below
-\end{itemize}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Access Control in 2000\end{tabular}}
-
-According to Ross Anderson (1st edition of his book), some senior Microsoft people held the
-following view:
-
-\begin{center}
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\begin{minipage}{10.5cm}
-\small Access control does not matter. Computers are becoming single-purpose
-or single-user devices. Single-purpose devices, such as Web servers that deliver a single service, don't 
-need much in the way of access control as there's nothing for operating system access controls
-to do; the job of separating users from each other is best left to application code. As for the PC
-on your desk, if all the software on it comes from a single source, then again there's no need 
-for the operating system to provide separation. \hfill{}\textcolor{gray}{(in 2000)} 
-\end{minipage}};
-\end{tikzpicture}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Research Problems\end{tabular}}
-
-\begin{itemize}
-\item with access control we are back to 1970s\bigskip
-
-\only<1>{
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\begin{minipage}{10cm}
-\small Going all the way back to early time-sharing systems we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.\\
-\mbox{}\hfill--- Roger Needham
-\end{minipage}};
-\end{tikzpicture}}\pause
-
-\item the largest research area in access control in 2000-07 has been ``Trusted Computing'', but thankfully it
-is dead now\bigskip
-\item a useful research area is to not just have robust access control, but also usable access control --- by programmers and users\\ 
-(one possible answer is operating system virtualisation, e.g.~Xen, VMWare)\medskip\pause
-
-\item electronic voting
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Mobile OS\end{tabular}}
-
-\begin{itemize}
-\item iOS and Android solve the defence-in-depth problem by \alert{sandboxing} applications\bigskip
-
-\item you as developer have to specify the resources an application needs
-\item the OS provides a sandbox where access is restricted to only these resources
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
-
-
-Security theatre is the practice of investing in countermeasures intended to provide the 
-\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
-
-\begin{itemize}
-\item for example, usual locks and strap seals are security theatre
-\end{itemize}
-
-\begin{center}
-\includegraphics[scale=0.45]{pics/seal.jpg}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+\item Assume format string attacks allow you to read out the stack. What can you do
+	with this information?\bigskip
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{minipage}{11cm}
-From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
-To: cl-security-research@lists.cam.ac.uk\\
-Subject: Tip off\\
-Date: Tue, 02 Oct 2012 13:12:50 +0100\\
-
-I received the following tip off, and have removed the sender's
-coordinates. I suspect it is one of many security vendors who
-don't even get the basics right; if you ever go to the RSA 
-conference, there are a thousand such firms in the hall, each
-with several eager but ignorant salesmen. A trying experience.\\
-
-Ross
-\end{minipage}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{minipage}{11cm}
-I'd like to anonymously tip you off about this\\
-product:\\
-
-{\small http://www.strongauth.com/products/key-appliance.html}\\
-
-It sounds really clever, doesn't it?\\
-\ldots\\
-
-Anyway, it occurred to me that you and your colleagues might have a
-field day discovering weaknesses in the appliance and their
-implementation of security.  However, whilst I'd be willing to help
-and/or comment privately, it'd have to be off the record ;-)
-\end{minipage}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 1\end{tabular}}
-
-{\bf What assets are you trying to protect?}\bigskip
-
-This question might seem basic, but a surprising number of people never ask it. The question involves understanding the scope of the problem. For example, securing an airplane, an airport, commercial aviation, the transportation system, and a nation against terrorism are all different security problems, and require different solutions.
-
-\only<2>{
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\begin{minipage}{10cm}
-\small You like to prevent: ``It would be terrible if this sort of attack ever happens; we need to do everything in our power to prevent it.''
-\end{minipage}};
-\end{tikzpicture}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 2\end{tabular}}
-
-{\bf What are the risks to these assets?}\bigskip
-
-Here we consider the need for security. Answering it involves understanding what is being defended, what the consequences are if it is successfully attacked, who wants to attack it, how they might attack it, and why.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 3\end{tabular}}
-
-{\bf How well does the security solution mitigate those risks?}\bigskip
-
-Another seemingly obvious question, but one that is frequently ignored. If the security solution doesnÕt solve the problem, it's no good. This is not as simple as looking at the security solution and seeing how well it works. It involves looking at how the security solution interacts with everything around it, evaluating both its operation and its failures.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 4\end{tabular}}
-
-{\bf What other risks does the security solution cause?}\bigskip
-
-This question addresses what might be called the problem of unintended consequences. Security solutions have ripple effects, and most cause new security problems. The trick is to understand the new problems and make sure they are smaller than the old ones.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 5\end{tabular}}
-
-{\bf What costs and trade-offs does the security solution impose?}\bigskip
-
-Every security system has costs and requires trade-offs. Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy. Understanding these trade-offs is essential.
-
+\item Assume you can crash a program remotely. Why is this a problem?
+\end{itemize}
+  
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
--- a/slides/slides04.tex	Tue Sep 24 12:29:24 2013 +0100
+++ b/slides/slides04.tex	Mon Sep 30 23:57:44 2013 +0100
@@ -1,6 +1,6 @@
 \documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
+\usepackage{beamerthemeplaincu}
+%\usepackage[T1]{fontenc}
 \usepackage[latin1]{inputenc}
 \usepackage{mathpartir}
 \usepackage[absolute,overlay]{textpos}
@@ -71,7 +71,7 @@
 	showstringspaces=false}
 
 % beamer stuff 
-\renewcommand{\slidecaption}{APP 04, King's College London, 16 October 2012}
+\renewcommand{\slidecaption}{APP 03, King's College London, 1 October 2013}
 
 
 \begin{document}
@@ -83,19 +83,15 @@
   \begin{tabular}{@ {}c@ {}}
   \\
   \LARGE Access Control and \\[-3mm] 
-  \LARGE Privacy Policies (4)\\[-6mm] 
+  \LARGE Privacy Policies (2)\\[-6mm] 
   \end{tabular}}\bigskip\bigskip\bigskip
 
-  %\begin{center}
-  %\includegraphics[scale=1.3]{pics/barrier.jpg}
-  %\end{center}
-
 \normalsize
   \begin{center}
   \begin{tabular}{ll}
   Email:  & christian.urban at kcl.ac.uk\\
   Of$\!$fice: & S1.27 (1st floor Strand Building)\\
-  Slides: & KEATS (also homework is there)\\
+  Slides: & KEATS (also home work is there)\\
   \end{tabular}
   \end{center}
 
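Review bot: The title becomes `Privacy Policies (2)` while the caption hunk above sets this deck to `APP 03`, and slides03.tex is also retitled `(2)` in this commit, so two decks carry the same number. `\LARGE Privacy Policies (3)\\[-6mm]` looks like what was meant. The same hunk turns `homework` into `home work`; the one-word spelling matches the `Homework` frame titles used in slides03.tex.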
@@ -106,28 +102,63 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Unix-Style Access Control}
-
-\begin{itemize}
-\item Q: ``I am using Windows. Why should I care?'' \\ A: In Windows you have similar AC:
 
 \begin{center}
-\begin{tabular}{l}
-administrators group\\ 
-\hspace{5mm}(has complete control over the machine)\\
-authenticated users\\
-server operators\\
-power users\\
-network configuration operators\\
-\end{tabular}
-\end{center}\medskip
+\includegraphics[scale=0.45]{pics/trainwreck.jpg}\\
+one general defence mechanism is\\\alert{\bf defence in depth}
+\end{center}
+
+  
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<1-2>[c]
+\frametitle{Defence in Depth}
+
+\begin{itemize}
+\item \alt<1>{overlapping}{{\LARGE\bf overlapping}} systems designed to provide\\ security even if one of them fails.
+\end{itemize}
+
+\only<2->{
+\begin{textblock}{11}(2,12)
+\small otherwise your ``added security'' can become the point of failure 
+\end{textblock}}
+  
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-\item Modern versions of Windows have more fine-grained AC than Unix; they do not have a setuid bit, but
-have \texttt{runas} (asks for a password).\pause
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{PALs}
+
+\begin{itemize}
+\item \alert{Permissive Action Links} prevent unauthorised use of nuclear weapons (so the theory)
+\end{itemize}
 
-\item OS-provided access control can \alert{\bf add} to your
-security.
-\end{itemize}
+\begin{center}
+\includegraphics[scale=0.25]{pics/nuclear1.jpg}\hspace{3mm}
+\includegraphics[scale=0.25]{pics/nuclear2.jpg}
+\end{center}
+  
+  
+\onslide<3->{
+modern PALs also include a 2-person rule
+} 
+ 
+ \only<2->{
+\begin{textblock}{11}(3,2)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\begin{minipage}{8cm}
+US Air Force's Strategic Air Command worried that in times of need the 
+codes would not be available, so until 1977 quietly decided to set them 
+to 00000000\ldots
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
 
   
 \end{frame}}
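Review bot: The boxed anecdote in the new `PALs` frame (codes set to 00000000 until 1977) is stated as fact with no source on the slide or in a comment, although it carries the frame's whole argument about a safeguard being undermined by its operators. An attribution inside the minipage would let students check it, for example `\hfill{}\textcolor{gray}{\small (source: <reference>)}` with the real reference filled in. The sentence is also hard to parse as written; `\ldots so it quietly set them to 00000000 until 1977` reads more clearly, if that is the intended meaning.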
@@ -136,15 +167,69 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
+
+\begin{itemize}
+\item until 1998, Britain had nuclear weapons that could be launched from airplanes\bigskip\pause
+
+\item these weapons were armed with a bicycle key
+
+\begin{center}
+\begin{tabular}[b]{c}
+\includegraphics[scale=1.05]{pics/britkeys1.jpg}\\
+\small nuclear weapon keys
+\end{tabular}
+\hspace{3mm}
+\begin{tabular}[b]{c}
+\includegraphics[scale=0.35]{pics/britkeys2.jpg}\\
+\small bicycle lock
+\end{tabular}
+\end{center}\bigskip\pause
+
+\item the current Trident nuclear weapons can be launched from a submarine without any code being transmitted
+\end{itemize}
+  
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
 
 
-\begin{center}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Access Control in Unix}
+
+\begin{itemize}
+\item access control provided by the OS
+\item authenticate principals (login)
+\item mediate access to files, ports, processes according to \alert{roles} (user ids)\\
+\item roles get attached with privileges\bigskip\\%
+\hspace{8mm}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\begin{minipage}{8cm}
+\alert{principle of least privilege:}\\
+programs should only have as much privilege as they need 
+\end{minipage}};
+\end{tikzpicture}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Access Control in Unix (2)}
+
+\begin{itemize}
+\item the idea is to restrict access to files and therefore lower the consequences of an attack\\[1cm]\mbox{}
+\end{itemize}
+
+\begin{textblock}{1}(2.5,9.5)
   \begin{tikzpicture}[scale=1]
   
   \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
   \draw (4.7,1) node {Internet};
-  \draw (-2.7,1.7) node {\footnotesize Application};
   \draw (0.6,1.7) node {\footnotesize Interface};
   \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
   \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
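Review bot: The frame title `Access Control in Unix (2)` added here, for the frame with the privileged/unprivileged process picture, is used again in the next hunk for the file-permission-bits frame. Two different slides then appear under the same name in the navigation and in handouts. Renumbering the later one to `\frametitle{Access Control in Unix (3)}` keeps them apart. The tikzpicture of this frame continues past the end of the hunk.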
@@ -157,77 +242,200 @@
  
   \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
   \end{tikzpicture}
-\end{center}
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Process Ownership}
 
 \begin{itemize}
-\item the idea is make the attack surface smaller and 
-mitigate the consequences of an attack
-\end{itemize}
+\item access control in Unix is very coarse
+\end{itemize}\bigskip\bigskip\bigskip
+
+\begin{center}
+\begin{tabular}{c}
+root\\
+\hline
+
+user$_1$ user$_2$ \ldots www, mail, lp
+\end{tabular}
+\end{center}\bigskip\bigskip\bigskip
 
 
+\textcolor{gray}{\small root has UID $=$ 0}\\\pause
+\textcolor{gray}{\small you also have groups that can share access to a file}\\
+\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Shared Access Control}
+\frametitle{Access Control in Unix (2)}
+
+
+\begin{itemize}
+\item privileges are specified by file access permissions (``everything is a file'') 
+\item there are 9 (plus 2) bits that specify the permissions of a file
 
 \begin{center}
-\includegraphics[scale=0.7]{pics/pointsplane.jpg}
+\begin{tabular}{l}
+\texttt{\$ ls - la}\\
+\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
+\end{tabular}
 \end{center}
-
-\begin{textblock}{11}(10.5,10.5)
-\small
-To take an action you\\[-1mm] 
-need at least either:
-\begin{itemize}
-\item 1 CEO\\[-5mm]
-\item 2 MDs, or\\[-5mm]
-\item 3 Ds
 \end{itemize}
-\end{textblock}
 
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{Lessons from Access Control}
+\frametitle{Login Process}
 
-Not just restricted to Unix:
 
 \begin{itemize}
-\item if you have too many roles (i.e.~too finegrained AC), then 
-	hierarchy is too complex\\
-	\textcolor{gray}{you invite situations like\ldots let's be root}\bigskip
+\item login processes run under UID $=$ 0\medskip 
+\begin{center}
+\texttt{ps -axl | grep login}
+\end{center}\medskip
 
-\item you can still abuse the system\ldots
+\item after login, shells run under UID $=$ user (e.g.~501)\medskip
+\begin{center}
+\texttt{id cu}
+\end{center}\medskip\pause
 
+\item non-root users are not allowed to change the UID --- would break 
+access control
+\item but needed for example for \texttt{passwd}
 \end{itemize}
 
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Setuid and Setgid}
+
+The solution is that unix file permissions are 9 + \underline{2 Bits}:
+\alert{Setuid} and \alert{Setgid} Bits
+
+\begin{itemize}
+\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file. 
+\item This enables users to create processes as root (or another user).\bigskip
+
+\item Essential for changing passwords, for example.
+\end{itemize}
+
+\begin{center}
+\texttt{chmod 4755 fobar\_file}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}
+\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}}
+
+\begin{center}
+\begin{tikzpicture}[scale=1]
+  
+  \draw[line width=1mm] (0, 1.1) rectangle (1.2,2);
+  \draw (4.7,1) node {Internet};
+  \draw (0.6,1.7) node {\footnotesize Slave};
+  \draw[line width=1mm] (0, 0) rectangle (1.2,0.9);
+  \draw (0.6,1.7) node {\footnotesize Slave};
+  \draw (0.6,0.6) node {\footnotesize Slave};
+  \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}};
+  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+  
+  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+  \draw (-2.9,1.7) node {\footnotesize Monitor};
 
-The idea is to trick a privileged person to do something on your behalf:
+  \draw[white] (1.7,1) node (X) {};
+  \draw[white] (3.7,1) node (Y) {};
+  \draw[red, <->, line width = 2mm] (X) -- (Y);
+ 
+  \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1);
+  \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9);
+
+  \end{tikzpicture}
+\end{center}
+
+\begin{itemize}
+\item pre-authorisation slave 
+\item post-authorisation\bigskip
+\item 25\% codebase is privileged, 75\% is unprivileged
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Network Applications}
+
+ideally network application in Unix should be designed as follows:
 
 \begin{itemize}
-\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
+\item need two distinct processes
+\begin{itemize}
+\item one that listens to the network; has no privilege
+\item one that is privileged and listens to the latter only (but does not trust it)
+ 
+\end{itemize}
+
+\item to implement this you need a parent process, which forks a child process
+\item this child process drops privileges and listens to hostile data\medskip
+
+\item after authentication the parent forks again and the new child becomes the user
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws in Unix\end{tabular}}
 
-\footnotesize
-\begin{minipage}{1.1\textwidth}
-\textcolor{gray}{the shell behind the scenes:}\\
-\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
+
+\begin{itemize}
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
+\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\item \texttt{mkdir foo} is owned by root\medskip
+\begin{center}
+\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
+\end{center}\medskip
+it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (automated with a shell script)}
+\end{itemize}
 
-\textcolor{gray}{this takes time}
-\end{minipage}
-\end{itemize}
+\only<1>{
+\begin{textblock}{1}(3,3)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\begin{minipage}{8cm}
+Only failure makes us experts.
+	-- Theo de Raadt (OpenBSD, OpenSSH)
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
+
 
 
 \end{frame}}
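Review bot: In the `Famous Security Flaws in Unix` frame the listing `-rwxr-xr-x  1 root  wheel /bin/mkdir` shows no setuid bit, so it does not show why `mkdir` would create the i-node as root. If the historical setuid-root `mkdir` is meant, `\texttt{-rwsr-xr-x  1 root  wheel /bin/mkdir}` would match the preceding `Setuid and Setgid` frame. It would also help to say that the flaw is the gap between creating the i-node and changing its owner. In the same hunk, `\texttt{\$ ls - la}` has a stray space and should be `\texttt{\$ ls -la}`, and "changes to ownership" should read "changes the ownership".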
@@ -236,33 +444,41 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Other Problems\end{tabular}}
+
+There are thing's you just cannot solve on the programming side:\bigskip
 
-\begin{enumerate}
-\item attacker \textcolor{gray}{(creates a fake passwd file)}\\ 
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
-\item root \textcolor{gray}{(does the daily cleaning)}\\
-\texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{\small records that \texttt{/tmp/a/passwd}}\\ 
-\hspace{2cm}\textcolor{gray}{\small should be deleted, but does not do it yet}\medskip\\
+\begin{itemize}
+\item for system maintenance you often have \texttt{cron}-jobs cleaning \texttt{/tmp}\medskip
+\begin{itemize}
+\item attacker:\\ 
+\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}
+\item root:\\\texttt{rm /tmp/*/*}:
+\item attacker:\\
+\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}
+\end{itemize}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to 
-the real passwd file)}\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
-\item root now deletes  the real passwd file
-\end{enumerate}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels\end{tabular}}
+
+Unix essentially can only distinguish between two security levels (root and non-root).
 
-\only<2>{
-\begin{textblock}{11}(2,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\normalsize\color{darkgray}
-\begin{minipage}{9cm}\raggedright
-To prevent this kind of attack, you need additional
-policies (don't do such operations as root).
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
+\begin{itemize}
+\item In military applications you often have many security levels (top-secret, secret, confidential, unclassified)\bigskip\pause 
+
+\item Information flow: Bell --- La Padula model
+
+\begin{itemize}
+\item read: your own level and below
+\item write: your own level and above
+\end{itemize}
+\end{itemize}
 
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
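Review bot: The rewritten `Other Problems` frame stops at the attacker's `ln -s /etc /tmp/a` step and no longer says what goes wrong or how to avoid it. The enumerate and note this hunk removes carried both: root's pending delete then hits the real passwd file, and the advice was not to do such operations as root. A closing item would keep the lesson on the slide, for example `\item root's pending \texttt{rm} now deletes the real passwd file --- do not run such clean-ups as root`. The `:` after `\texttt{rm /tmp/*/*}` and the apostrophe in `thing's` look like typos.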
@@ -271,44 +487,18 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Schneier Analysis\end{tabular}}
-
-\textcolor{gray}{There is no absolutely secure system and security almost never comes for free.}
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Levels (2)\end{tabular}}
 
 \begin{itemize}
-\item What assets are you trying to protect?
-\item What are the risks to these assets?
-\item How well does the security solution mitigate those risks?
-\item What other risks does the security solution cause?
-\item What costs and trade-offs does the security solution impose?
-\end{itemize}
-
+\item Bell --- La Padula preserves data secrecy, but not data integrity\bigskip\pause
 
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Example: Credit Cards\end{tabular}}
+\item Biba model is for data integrity  
 
-You might have the policy of not typing in your credit card online. Worthwhile or not?
 \begin{itemize}
-\item<2->What assets are you trying to protect?\\
-\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}your credit card number\end{tabular}}
-\item<3->What are the risks to these assets?\\
-\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-With credit cards you loose a fixed amount \pounds{50}. Amazon \pounds{50}. \end{tabular}}
-\item<4->How well does the security solution mitigate those risks?\\
-\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Well, hackers steal credit cards from databases. They usually do not attack you individually.\end{tabular}}
-\item<5->What other risks does the security solution cause?
-\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright None (?)\end{tabular}}
-\item<6->What costs and trade-offs does the security solution impose?
-\only<6>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Internet shopping is convenient and sometimes cheaper.\end{tabular}}
-\item<7>[]{\bf\large No!}
-\end{itemize}\pause\pause
-
+\item read: your own level and above
+\item write: your own level and below
+\end{itemize}
+\end{itemize}
 
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
@@ -316,64 +506,23 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Example: Firewalls\end{tabular}}
+\frametitle{\begin{tabular}{@ {}c@ {}}Access Control in 2000\end{tabular}}
+
+According to Ross Anderson (1st edition of his book), some senior Microsoft people held the
+following view:
 
 \begin{center}
-\includegraphics[scale=0.5]{pics/firewall.png}
-\end{center}
-
-A firewall is a piece of software that controls incoming and outgoing traffic according to some rules. 
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Example: Firewalls\end{tabular}}
-
-\begin{itemize}
-\item<1->What assets are you trying to protect?\\
-\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Whatever is behind the firewall 
-(credit cards, passwords, blueprints, \ldots)\end{tabular}}
-\item<2->What are the risks to these assets?\\
-\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-With a small online shop you are already at risk. Pentagon, definitely.\end{tabular}}
-\item<3->How well does the security solution mitigate those risks?\\
-\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Well, at home so not much. Everywhere else, if properly configurated then it does.\end{tabular}}
-\item<4->What other risks does the security solution cause?
-\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright There might be backdoors or bugs in the firewall,
-but generally they are secure. You choose to prevent certain traffic.\end{tabular}}
-\item<5->What costs and trade-offs does the security solution impose?
-\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright 
-Minimal to modest. Firewalls are part of free software. You need a knowledgeable 
-person to set them up.\end{tabular}}
-\item<7>[]{\bf\large Yes!}
-\end{itemize}\pause\pause
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Two-Factor Authentication\end{tabular}}
-
-Google uses nowadays two-factor authentication. But it is an old(er)
-idea. It is used for example in Germany and Netherlands for online transactions.
-
-\begin{center}
-\includegraphics[scale=0.6]{pics/tan1.jpg}\hspace{5mm}
-\includegraphics[scale=0.2]{pics/tan2.jpg}
-\end{center}
-
-\pause
-Or nowadays by SMS (restricts the validity of the numbers) or with a secure generator
-
-\begin{center}
-\includegraphics[scale=0.08]{pics/pinsentry.jpg}
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\begin{minipage}{10.5cm}
+\small Access control does not matter. Computers are becoming single-purpose
+or single-user devices. Single-purpose devices, such as Web servers that deliver a single service, don't 
+need much in the way of access control as there's nothing for operating system access controls
+to do; the job of separating users from each other is best left to application code. As for the PC
+on your desk, if all the software on it comes from a single source, then again there's no need 
+for the operating system to provide separation. \hfill{}\textcolor{gray}{(in 2000)} 
+\end{minipage}};
+\end{tikzpicture}
 \end{center}
 
 \end{frame}}
@@ -383,287 +532,26 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Two-Factor Authentication\end{tabular}}
-
-\begin{itemize}
-\item<1->What assets are you trying to protect?\\
-\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Your bank account.\end{tabular}}
-\item<2->What are the risks to these assets?\\
-\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Nowadays pretty high risk.\end{tabular}}
-\item<3->How well does the security solution mitigate those risks?\\
-\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-It prevents problems when passwords are stolen. Man-in-the-middle attacks 
-still possible.\end{tabular}}
-\item<4->What other risks does the security solution cause?
-\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Your mobile phone or credit card/pin might 
-be stolen. SIM card becomes more valuable.\end{tabular}}
-\item<5->What costs and trade-offs does the security solution impose?
-\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright 
-Banks need to establish an infrastructure. For you it might be inconvenient.\end{tabular}}
-\item<7>[]{\bf\large Yes!}
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Seals\end{tabular}}
-
-According to Ross Anderson: ``\ldots is a tamper-indicating device 
-designed to leave non-erasable, unambiguous evidence of unauthorized 
-entry or tampering.''
-
-\begin{center}
-\includegraphics[scale=0.45]{pics/seal.jpg}
-\end{center}\mbox{}\\[-12mm]
-
-They also need some quite sophisticated policies (seal regiment).
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Security Seals (2)\end{tabular}}
-
-\begin{itemize}
-\item at the Argonne National Laboratory they tested 244 different security seals
-\begin{itemize}
-\item meantime to break the seals for a trained person: 100 s 
-\item including 19\% that were used for safeguard of nuclear material
-\end{itemize}\bigskip
-
-\item Andrew Appel defeated all security seals which were supposed to keep 
-voting machines safe
-\end{itemize}
-
-
-\only<2>{
-\begin{textblock}{11}(1,1)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
-{\normalsize
-\begin{minipage}{11cm}\raggedright\small
-\begin{center}
-\includegraphics[scale=0.25]{pics/appelseals.jpg}
-\end{center}
-\begin{center}
-\begin{minipage}{10.5cm}
-\begin{itemize}
-\item The tamper-indicating tape can be lifted using a heat gun.
-\item The security screw cap can be removed using a screwdriver, then the
-serial-numbered top can be replaced (undamaged) onto a fresh (unnumbered) base.
-\item The wire seal can be defeated using a \#4 wood screw.
-\item The plastic strap seal can be picked using a jeweler's screwdriver.
-\end{itemize}
-\end{minipage}
-\end{center}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Example: Security Seals\end{tabular}}
-
-\begin{itemize}
-\item<1->What assets are you trying to protect?\\
-\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Voting machines, doors.\end{tabular}}
-\item<2->What are the risks to these assets?\\
-\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright Casual thieves, insider attacks.\end{tabular}}
-\item<3->How well does the security solution mitigate those risks?\\
-\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Needs a quite complicated security regiment.\end{tabular}}
-\item<4->What other risks does the security solution cause?
-\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright You might not notice tampering.\end{tabular}}
-\item<5->What costs and trade-offs does the security solution impose?
-\only<5>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright 
-The ``hardware'' is cheap, but indirect costs can be quite high.\end{tabular}}
-\item<7>[]{\bf\large No!} {\textcolor{gray}{Though in some areas they work: airports, swimming pools, \ldots}}
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Ex: Security-by-Obscurity\end{tabular}}
-
-You might think it is a good idea to keep a security relevant algorithm or 
-software secret.
+\frametitle{\begin{tabular}{@ {}c@ {}}Research Problems\end{tabular}}
 
 \begin{itemize}
-\item<1->What assets are you trying to protect?\\
-\only<1>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}Source code, an algorithm and things that depend on it\end{tabular}}
-\item<2->What are the risks to these assets?\\
-\only<2>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Can be pretty high (Oystercards).\end{tabular}}
-\item<3->How well does the security solution mitigate those risks?\\
-\only<3>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright
-Not really. The source code can be reverse engineered, stolen, coerced \ldots{}\end{tabular}}
-\item<4->What other risks does the security solution cause?
-\only<4>{\begin{tabular}{@{\hspace{1cm}}p{9cm}}\raggedright You prevent
-scrutiny and independent advice. You also more likely than not to
-get it wrong.\end{tabular}}
-\item<5>[]{\bf\large No!}
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Voting as Security Problem\end{tabular}}
-
-What are the security requirements of a voting system?\bigskip
-
-\begin{itemize}
-\item<2->Integrity 
-\item<3->Ballot Secrecy
-\item<5->Voter Authentication
-\item<6->Enfranchisement
-\item<7->Availability
-\end{itemize}
+\item with access control we are back to 1970s\bigskip
 
-\only<2>{
-\begin{textblock}{5.5}(8,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
-{\small
-\begin{minipage}{5cm}\raggedright
-\begin{center}
-\begin{minipage}{4.5cm}
-\begin{itemize}
-\item The outcome matches with the voters' intend.
-\item There might be gigantic sums at stake and need to be defended against.
-\end{itemize}
-\end{minipage}
-\end{center}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\only<4>{
-\begin{textblock}{5.5}(8,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
-{\small
-\begin{minipage}{5cm}\raggedright
-\begin{center}
-\begin{minipage}{4.5cm}
-\begin{itemize}
-\item Nobody can find out how you voted.
-\item (Stronger) Even if you try, you cannot prove how you voted.
-\end{itemize}
-\end{minipage}
-\end{center}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\only<5>{
-\begin{textblock}{5.5}(8,5)
+\only<1>{
 \begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
-{\small
-\begin{minipage}{5cm}\raggedright
-\begin{center}
-\begin{minipage}{4.5cm}
-\begin{itemize}
-\item Only authorised voters can vote up to the permitted number of votes.
-\end{itemize}
-\end{minipage}
-\end{center}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\begin{minipage}{10cm}
+\small Going all the way back to early time-sharing systems we systems people regarded the users, and any code they wrote, as the mortal enemies of us and each other. We were like the police force in a violent slum.\\
+\mbox{}\hfill--- Roger Needham
 \end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\only<6>{
-\begin{textblock}{5.5}(8,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
-{\small
-\begin{minipage}{5cm}\raggedright
-\begin{center}
-\begin{minipage}{4.5cm}
-\begin{itemize}
-\item Authorised voters should have the opportunity to vote.
-\end{itemize}
-\end{minipage}
-\end{center}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
+\end{tikzpicture}}\pause
 
-\only<7>{
-\begin{textblock}{5.5}(8,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] 
-{\small
-\begin{minipage}{5cm}\raggedright
-\begin{center}
-\begin{minipage}{4.5cm}
-\begin{itemize}
-\item The voting system should accept all authorised votes and produce results in a timely manner.
-\end{itemize}
-\end{minipage}
-\end{center}
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Ballot Boxes\end{tabular}}
-
+\item the largest research area in access control in 2000-07 has been ``Trusted Computing'', but thankfully it
+is dead now\bigskip
+\item a useful research area is to not just have robust access control, but also usable access control --- by programmers and users\\ 
+(one possible answer is operating system virtualisation, e.g.~Xen, VMWare)\medskip\pause
 
-\begin{center}
-\includegraphics[scale=2.5]{pics/ballotbox.jpg}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Problems with Voting\end{tabular}}
-
-
-\begin{center}\large
-\begin{tabular}{rcl}
-Integrity & vs. & Ballot Secrecy\bigskip\\
-Authentication & vs. &Enfranchisement   
-\end{tabular}
-\end{center}\bigskip\bigskip\pause
-
-Further constraints:
-
-\begin{itemize}
-\item costs
-\item accessibility
-\item convenience
-\item intelligibility 
+\item electronic voting
 \end{itemize}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
@@ -671,175 +559,27 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}
-
+\frametitle{\begin{tabular}{@ {}c@ {}}Mobile OS\end{tabular}}
 
 \begin{itemize}
-\item The Netherlands between 1997 - 2006 had electronic voting machines\\
-\textcolor{gray}{(hacktivists had found: they can be hacked and also emitted radio signals revealing how you voted)}
-
-\item Germany had used them in pilot studies\\ 
-\textcolor{gray}{(in 2007 a law suit has reached the highest court and it rejected electronic voting
-on the grounds of not being understandable by the general public)}
-
-\item UK used optical scan voting systems in a few polls
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}
-
-\mbox{}\\[-12mm]
-\begin{itemize}
-\item US used mechanical machines since the 30s, later punch cards, now DREs and 
-optical scan voting machines \textcolor{gray}{(fantastic ``ecosystem'' for study)}
-
-\item Estonia used in 2007 the Internet for national elections 
-\textcolor{gray}{(there were earlier pilot studies in other countries)}
+\item iOS and Android solve the defence-in-depth problem by \alert{sandboxing} applications\bigskip
 
-\item India uses e-voting devices  since at least 2003\\
-\textcolor{gray}{(``keep-it-simple'' machines produced by a government owned company)}
-
-\item South Africa used software for its tallying in the 1993 elections (when Nelson Mandela was elected)
-\textcolor{gray}{(they found the tallying software was rigged, but they were able to tally manually)}
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}A Brief History of Voting\end{tabular}}
-
-
-\begin{itemize}
-\item Athenians
-\begin{itemize}
-\item show of hands
-\item ballots on pieces of pottery
-\item different colours of stones
-\item ``facebook''-like authorisation 
-\end{itemize}\bigskip
-
-\textcolor{gray}{problems with vote buying / no ballot privacy}\bigskip
-
-
-\item French Revolution and the US Constitution got things ``started'' with 
-paper ballots (you first had to bring your own; later they were pre-printed by parties)
+\item you as developer have to specify the resources an application needs
+\item the OS provides a sandbox where access is restricted to only these resources
 \end{itemize}
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Ballot Boxes\end{tabular}}
 
-Security policies involved with paper ballots:
-
-\begin{enumerate}
-\item you need to check that the ballot box is empty at the start of the poll / no false bottom (to prevent ballot stuffing)
-\item you need to guard the ballot box during the poll until counting
-\item tallied by a team at the end of the poll (independent observers) 
-\end{enumerate}
-
-\begin{center}
-\includegraphics[scale=1.5]{pics/ballotbox.jpg}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Paper Ballots\end{tabular}}
-
-What can go wrong with paper ballots?
-
-\only<2>{
-\begin{center}
-\includegraphics[scale=0.8]{pics/tweet.jpg}\\
-\footnotesize William M.~Tweed, US Politician in 1860's\\
-``As long as I count the votes, what are you going to do about it?''
-\end{center}}
-
-\only<3>{
-\medskip
-\begin{center}
-\begin{minipage}{10cm}
-{\bf Chain Voting Attack}
-\begin{enumerate}
-\item you obtain a blank ballot and fill it out as you want
-\item you give it to a voter outside the polling station
-\item voter receives a new blank ballot
-\item voter submits prefilled ballot
-\item voter gives blank ballot to you, you give money
-\item goto 1
-\end{enumerate}
-\end{minipage}
-\end{center}
-}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Mechanical Voting Machines\end{tabular}}
-
-\begin{itemize}
-\item<1-> Lever Voting Machines (ca.~1930 - 1990)
-\only<1>{
-\begin{center}
-\includegraphics[scale=0.56]{pics/leavermachine.jpg}
-\end{center}
-}
-\item<2->Punch Cards (ca.~1950 - 2000)
-\only<2>{
-\begin{center}
-\includegraphics[scale=0.5]{pics/punchcard1.jpg}\;\;
-\includegraphics[scale=0.46]{pics/punchcard2.jpg}
-\end{center}
-}
-\end{itemize}
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
 
 
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{\begin{tabular}{@ {}c@ {}}Electronic Voting Machines\end{tabular}}
-
-\begin{center}
-\begin{tabular}{c}
-\includegraphics[scale=0.45]{pics/dre1.jpg}\; 
-\includegraphics[scale=0.40]{pics/dre2.jpg}\\\hline\\
-\includegraphics[scale=0.5]{pics/opticalscan.jpg} 
-\end{tabular}
-\end{center}
-
-\only<1->{
-\begin{textblock}{5.5}(1,4)
-DREs
-\end{textblock}}
-\only<1->{
-\begin{textblock}{5.5}(1,11)
-Optical Scan
-\end{textblock}}
-
-\only<2>{
-\begin{textblock}{5.5}(0.5,14.5)
-all are computers
-\end{textblock}}
+Security theatre is the practice of investing in countermeasures intended to provide the 
+\underline{feeling} of improved security while doing little or nothing to actually achieve it.\hfill{}\textcolor{gray}{Bruce Schneier}
 
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
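Review bot: The new Mobile OS frame says iOS and Android `solve the defence-in-depth problem` by sandboxing, which claims more than the two items below it support. Those items say the sandbox restricts an application to the resources its developer specified, so an application that asks for more than it needs is barely confined. I would soften the first item to `\item iOS and Android address the defence-in-depth problem by \alert{sandboxing} applications\bigskip` and add a closing item such as `\item the sandbox is only as tight as the resource list the developer asks for`.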
@@ -847,121 +587,14 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}DREs\end{tabular}}
-
-Direct-recording electronic voting machines\\ 
-(votes are recorded for example memory cards)
-
-typically touchscreen machines
-
-usually no papertrail (hard to add: ballot secrecy)
-
-\begin{center}
-\includegraphics[scale=0.56]{pics/dre1.jpg}
-\end{center}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}
-
-The work by J.~Alex Halderman:
+\frametitle{\begin{tabular}{@ {}c@ {}}Security Theatre\end{tabular}}
 
 \begin{itemize}
-\item acquired a machine from an anonymous source\medskip
-\item the source code running the machine was tried to keep secret\medskip\pause
-
-\item first reversed-engineered the machine (extremely tedious)
-\item could completely reboot the machine and even install a virus that infects other Diebold machines
-\item obtained also the source code for other machines
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}
-
-What could go wrong?\pause \;\;Failure-in-depth.\bigskip\pause
-
-A non-obvious problem:
-
-\begin{itemize}
-\item you can nowadays get old machines, which still store old polls
-
-\item the paper ballot box needed to be secured during the voting until counting;
-e-voting machines need to be secured during the entire life-time  
+\item for example, usual locks and strap seals are security theatre
 \end{itemize}
 
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Paper Trail\end{tabular}}
-
-Conclusion:\\ Any electronic solution should have a paper trail.
-
 \begin{center}
-\begin{tabular}{c}
-\includegraphics[scale=0.5]{pics/opticalscan.jpg} 
-\end{tabular}
-\end{center}\pause
-
-You still have to solve problems about
-Voter registration, voter authentification, guarding against tampering
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting in India\end{tabular}}
-
-Their underlying engineering principle is ``keep-it-simple'':
-
-\begin{center}
-\begin{tabular}{c}
-\includegraphics[scale=1.05]{pics/indiaellection.jpg}\;\;
-\includegraphics[scale=0.40]{pics/india1.jpg}
-\end{tabular}
-\end{center}\medskip\pause
-
-Official claims: ``perfect'', ``tamperproof'', ``no need for technical improvements'' , ``infallible'' 
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Lessons to be Learned\end{tabular}}
-
-\begin{itemize}
-\item keep a paper trail and design your system to keep this secure\medskip
-\item make the software open source (avoid security-by-obscurity))\medskip
-\item have a simple design in order to minimise the attack surface
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=0.56]{pics/Voting1.png}
+\includegraphics[scale=0.45]{pics/seal.jpg}
 \end{center}
 
 
@@ -972,10 +605,20 @@
 \mode<presentation>{
 \begin{frame}[c]
 
-\begin{center}
-\includegraphics[scale=0.56]{pics/Voting2.png}
-\end{center}
+\begin{minipage}{11cm}
+From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>\\
+To: cl-security-research@lists.cam.ac.uk\\
+Subject: Tip off\\
+Date: Tue, 02 Oct 2012 13:12:50 +0100\\
 
+I received the following tip off, and have removed the sender's
+coordinates. I suspect it is one of many security vendors who
+don't even get the basics right; if you ever go to the RSA 
+conference, there are a thousand such firms in the hall, each
+with several eager but ignorant salesmen. A trying experience.\\
+
+Ross
+\end{minipage}
 
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
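Review bot: The `From:` line of the quoted e-mail puts the address between literal `<` and `>`, which in text mode under LaTeX's default OT1 font encoding typeset as inverted exclamation and question marks rather than angle brackets. The preamble is not visible from this hunk, so this only bites if T1 encoding is not loaded. Writing the line as `From: Ross Anderson \textless{}Ross.Anderson@cl.cam.ac.uk\textgreater{}\\` is correct either way. The `\\` placed directly before a blank line (after `Date:` and after `A trying experience.`) usually produces underfull-hbox warnings; `\par\medskip` gives the same gap cleanly.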
@@ -984,10 +627,20 @@
 \mode<presentation>{
 \begin{frame}[c]
 
-\begin{center}
-\includegraphics[scale=0.56]{pics/Voting3.png}
-\end{center}
+\begin{minipage}{11cm}
+I'd like to anonymously tip you off about this\\
+product:\\
+
+{\small http://www.strongauth.com/products/key-appliance.html}\\
 
+It sounds really clever, doesn't it?\\
+\ldots\\
+
+Anyway, it occurred to me that you and your colleagues might have a
+field day discovering weaknesses in the appliance and their
+implementation of security.  However, whilst I'd be willing to help
+and/or comment privately, it'd have to be off the record ;-)
+\end{minipage}
 
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
@@ -995,11 +648,66 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \mode<presentation>{
 \begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 1\end{tabular}}
 
-\begin{center}
-\includegraphics[scale=0.56]{pics/Voting4.png}
-\end{center}
+{\bf What assets are you trying to protect?}\bigskip
+
+This question might seem basic, but a surprising number of people never ask it. The question involves understanding the scope of the problem. For example, securing an airplane, an airport, commercial aviation, the transportation system, and a nation against terrorism are all different security problems, and require different solutions.
+
+\only<2>{
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\begin{minipage}{10cm}
+\small You like to prevent: ``It would be terrible if this sort of attack ever happens; we need to do everything in our power to prevent it.''
+\end{minipage}};
+\end{tikzpicture}}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 2\end{tabular}}
+
+{\bf What are the risks to these assets?}\bigskip
+
+Here we consider the need for security. Answering it involves understanding what is being defended, what the consequences are if it is successfully attacked, who wants to attack it, how they might attack it, and why.
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 3\end{tabular}}
+
+{\bf How well does the security solution mitigate those risks?}\bigskip
+
+Another seemingly obvious question, but one that is frequently ignored. If the security solution doesnÕt solve the problem, it's no good. This is not as simple as looking at the security solution and seeing how well it works. It involves looking at how the security solution interacts with everything around it, evaluating both its operation and its failures.
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 4\end{tabular}}
+
+{\bf What other risks does the security solution cause?}\bigskip
+
+This question addresses what might be called the problem of unintended consequences. Security solutions have ripple effects, and most cause new security problems. The trick is to understand the new problems and make sure they are smaller than the old ones.
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Schneier: Step 5\end{tabular}}
+
+{\bf What costs and trade-offs does the security solution impose?}\bigskip
+
+Every security system has costs and requires trade-offs. Most security costs money, sometimes substantial amounts; but other trade-offs may be more important, ranging from matters of convenience and comfort to issues involving basic freedoms like privacy. Understanding these trade-offs is essential.
 
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
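Review bot: The Step 3 paragraph contains a mis-encoded apostrophe in `doesnÕt`, which will not typeset as an apostrophe on the slide; it should read `doesn't`, matching the `it's` later in the same sentence. The Step 1 overlay box opens with `You like to prevent:`, which reads like a slip of wording; the intended phrase is not clear from the hunk, so it needs the author's check. The five body paragraphs are attributed only through the frame titles; a `\hfill{}\textcolor{gray}{Bruce Schneier}` credit line, as on the first Security Theatre frame, would keep the attribution consistent.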