Binary file hws/hw01.pdf has changed
Binary file hws/hw02.pdf has changed
--- a/hws/hw02.tex Fri Sep 30 19:55:35 2016 +0100
+++ b/hws/hw02.tex Tue Oct 04 13:44:05 2016 +0100
@@ -90,9 +90,10 @@
tallying. What can still go wrong with such a perfectly secure
voting system, which is prevented in traditional elections with
paper-based ballots?
+
+\item \POSTSCRIPT
\end{enumerate}
-
\end{document}
%%% Local Variables:
Binary file hws/hw03.pdf has changed
--- a/hws/hw03.tex Fri Sep 30 19:55:35 2016 +0100
+++ b/hws/hw03.tex Tue Oct 04 13:44:05 2016 +0100
@@ -25,6 +25,8 @@
\item Why does randomising the addresses from where programs
are run help defending against buffer overflow attacks?
+\item What is a format string attack?
+
\item Assume format string attacks allow you to read out the
stack. What can you do with this information? (Hint: Consider what
is stored in the stack.)
@@ -37,7 +39,9 @@
\item When filling the buffer that is attacked with a
payload (starting a shell), what is the purpose of
-padding the string at the beginning with NOP-instructions.
+padding the string at the beginning with NOP-instructions.
+
+\item \POSTSCRIPT
\end{enumerate}
\end{document}
Binary file hws/hw04.pdf has changed
Binary file hws/hw05.pdf has changed
Binary file hws/hw06.pdf has changed
Binary file hws/hw07.pdf has changed
Binary file hws/hw08.pdf has changed
Binary file hws/hw10.pdf has changed
Binary file hws/so04.pdf has changed
Binary file slides/slides01.pdf has changed
--- a/slides/slides01.tex Fri Sep 30 19:55:35 2016 +0100
+++ b/slides/slides01.tex Tue Oct 04 13:44:05 2016 +0100
@@ -925,7 +925,7 @@
\begin{itemize}
\item Do not send passwords in plain text.
-\item Security questions are tricky to get right.
+\item Security questions are tricky to get right (you cannot hash them).
\end{itemize}
\end{frame}
Binary file slides/slides02.pdf has changed
--- a/slides/slides02.tex Fri Sep 30 19:55:35 2016 +0100
+++ b/slides/slides02.tex Tue Oct 04 13:44:05 2016 +0100
@@ -116,125 +116,15 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[t]
-\frametitle{How to Salt?}
-
-\begin{center}\tt\small
-\begin{tabular}{lcl}
-1salt & $\Rightarrow$ & 8189effef4d4f7411f4153b13ff72546dd682c69\\
-2salt & $\Rightarrow$ & 1528375d5ceb7d71597053e6877cc570067a738f\\
-3salt & $\Rightarrow$ & d646e213d4f87e3971d9dd6d9f435840eb6a1c06\\
-4salt & $\Rightarrow$ & 5b9e85269e4461de0238a6bf463ed3f25778cbba\\
-\end{tabular}
-\end{center}
+\begin{frame}[c]
+\frametitle{Exam and Homework}
\begin{itemize}
-\item in Unix systems: \texttt{hash(salt + password)}, or even
-\texttt{hash$^{\texttt{1500}}$(salt + password)}\smallskip\pause
-\item Bruce Schneier in cases messages are long: \\
-instead of \texttt{m $\mapsto$ hash(m)},\\ use \texttt{m $\mapsto$ hash(hash(m) + m)}
+\item reminder\ldots KEATS
\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\Large\begin{tabular}{c}User-Tracking Without Cookies\end{tabular}}
-
-Can you track a user {\bf without}:
-
-\begin{itemize}
-\item Cookies
-\item JavaScript
-\item LocalStorage/SessionStorage/GlobalStorage
-\item Flash, Java or other plugins
-\item Your IP address or user agent string
-\item Any methods employed by Panopticlick\\
-\mbox{}\hfill $\rightarrow$ \textcolor{blue}{\url{https://panopticlick.eff.org/}}
-\end{itemize}
-
-Even when you disabled cookies entirely, have JavaScript turned off and use a VPN
-service, and also \ldots
\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}
-\frametitle{Verizon}
-\mbox{}\\[-23mm]\mbox{}
-
-\begin{center}
-\includegraphics[scale=0.21]{../pics/verizon.png}
-\end{center}
-\vfill\footnotesize
-\url{http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Web-Protocol}
-
-\only<1->{
-\begin{textblock}{1}(2,2)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {\includegraphics[scale=0.12]{../pics/firefox.jpg}};
- \end{tikzpicture}
-\end{textblock}}
-
-\only<1->{
-\begin{textblock}{1}(11,2)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {\includegraphics[scale=0.15]{../pics/servers.png}};
- \end{tikzpicture}
-\end{textblock}}
-
-\only<1->{
-\begin{textblock}{1}(5,2.5)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (3,0) node (Y) {};
- \draw[red, ->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}}
-
-\only<2->{
-\begin{textblock}{1}(5,6)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (3,0) node (Y) {};
- \draw[red, <-, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=below:\textcolor{black}{\small ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {};
- \node [inner sep=5pt,label=above:{\includegraphics[scale=0.15]{../pics/tvtestscreen.jpg}}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}}
-
-\only<3->{
-\begin{textblock}{1}(4.2,11)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (3,0) node (Y) {};
- \draw[red, ->, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}}
-
-\only<4->{
-\begin{textblock}{1}(4.2,13.9)
- \begin{tikzpicture}[scale=1.3]
- \draw[white] (0,0) node (X) {};
- \draw[white] (3,0) node (Y) {};
- \draw[red, <-, line width = 2mm] (X) -- (Y);
- \node [inner sep=5pt,label=below:\textcolor{black}{\small HTTP/1.1 304 (Not Modified)}] at ($ (X)!.5!(Y) $) {};
- \end{tikzpicture}
-\end{textblock}}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
@@ -253,9 +143,11 @@
\begin{frame}[c]
\frametitle{E-Voting}
-\begin{bubble}[9cm]
+\begin{bubble}[10cm]
``Any electronic voting system should provide at least the same
-security, privacy and transparency as the system it replaces.''
+ security, privacy and transparency as the system it replaces.''\medskip\\
+
+ \small\hfill ---Australian Voting Commission
\end{bubble}
\end{frame}
@@ -421,9 +313,9 @@
\mbox{}\\[-12mm]
\begin{itemize}
\item US used mechanical machines since the 30s, later punch cards,
- now DREs and optical scan voting machines
+ until recently DREs and optical scan voting machines
-\item Estonia used in 2007 the Internet for national elections
+\item Estonia used in 2007, 2011 and 2015 the Internet for national elections
\textcolor{gray}{(there were earlier pilot studies in other
countries)}
@@ -444,7 +336,7 @@
\frametitle{E-Voting in Estonia}
\begin{itemize}
-\item worlds first general election that used internet voting (2007)
+\item worlds first general election that used internet voting (2007, 2011, 2015)
\item builds on the Estonian ID card (a smartcard like CC)
\item Internet voting can be used before the election (votes can be changed an
unlimited amount of times, last vote is tabulated, you can even change your
@@ -677,7 +569,7 @@
\begin{itemize}
\item acquired a machine from an anonymous source\medskip
-\item they try to keep secret the source code running the machine\medskip\pause
+\item they try to keep secret the source code running on the machine\medskip\pause
\item first reversed-engineered the machine (extremely tedious)
\item could completely reboot the machine and even install a virus that infects other Diebold machines
@@ -753,7 +645,7 @@
\item keep a paper trail and design your system to keep this secure\medskip
\item make the software open source (avoid security-by-obscurity)\medskip
\item have a simple design in order to minimise the attack surface
-\end{itemize}\pause
+\end{itemize}\pause\bigskip
But overall, in times of NSA/state sponsored cyber-crime, e-voting is
too hard with current technology.
@@ -876,7 +768,7 @@
\begin{column}<2>{.4\textwidth}
\centering
\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
-next week
+next
\end{column}
\end{columns}
\end{center}
@@ -884,6 +776,129 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[t]
+\frametitle{How to Salt?}
+
+\begin{center}\tt\small
+\begin{tabular}{lcl}
+1salt & $\Rightarrow$ & 8189effef4d4f7411f4153b13ff72546dd682c69\\
+2salt & $\Rightarrow$ & 1528375d5ceb7d71597053e6877cc570067a738f\\
+3salt & $\Rightarrow$ & d646e213d4f87e3971d9dd6d9f435840eb6a1c06\\
+4salt & $\Rightarrow$ & 5b9e85269e4461de0238a6bf463ed3f25778cbba\\
+\end{tabular}
+\end{center}
+
+\begin{itemize}
+\item in Unix systems: \texttt{hash(salt + password)}, or even
+\texttt{hash$^{\texttt{1500}}$(salt + password)}\smallskip\pause
+\item Bruce Schneier in cases messages are long: \\
+instead of \texttt{m $\mapsto$ hash(m)},\\ use \texttt{m $\mapsto$ hash(hash(m) + m)}
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{\Large\begin{tabular}{c}User-Tracking Without Cookies\end{tabular}}
+
+Can you track a user {\bf without}:
+
+\begin{itemize}
+\item Cookies
+\item JavaScript
+\item LocalStorage/SessionStorage/GlobalStorage
+\item Flash, Java or other plugins
+\item Your IP address or user agent string
+\item Any methods employed by Panopticlick\\
+\mbox{}\hfill $\rightarrow$ \textcolor{blue}{\url{https://panopticlick.eff.org/}}
+\end{itemize}
+
+Even when you disabled cookies entirely, have JavaScript turned off and use a VPN
+service, and also \ldots
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}
+\frametitle{Verizon}
+\mbox{}\\[-23mm]\mbox{}
+
+\begin{center}
+\includegraphics[scale=0.21]{../pics/verizon.png}
+\end{center}
+\vfill\footnotesize
+\url{http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Web-Protocol}
+
+\only<1->{
+\begin{textblock}{1}(2,2)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {\includegraphics[scale=0.12]{../pics/firefox.jpg}};
+ \end{tikzpicture}
+\end{textblock}}
+
+\only<1->{
+\begin{textblock}{1}(11,2)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {\includegraphics[scale=0.15]{../pics/servers.png}};
+ \end{tikzpicture}
+\end{textblock}}
+
+\only<1->{
+\begin{textblock}{1}(5,2.5)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (3,0) node (Y) {};
+ \draw[red, ->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}}
+
+\only<2->{
+\begin{textblock}{1}(5,6)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (3,0) node (Y) {};
+ \draw[red, <-, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=below:\textcolor{black}{\small ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {};
+ \node [inner sep=5pt,label=above:{\includegraphics[scale=0.15]{../pics/tvtestscreen.jpg}}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}}
+
+\only<3->{
+\begin{textblock}{1}(4.2,11)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (3,0) node (Y) {};
+ \draw[red, ->, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}}
+
+\only<4->{
+\begin{textblock}{1}(4.2,13.9)
+ \begin{tikzpicture}[scale=1.3]
+ \draw[white] (0,0) node (X) {};
+ \draw[white] (3,0) node (Y) {};
+ \draw[red, <-, line width = 2mm] (X) -- (Y);
+ \node [inner sep=5pt,label=below:\textcolor{black}{\small HTTP/1.1 304 (Not Modified)}] at ($ (X)!.5!(Y) $) {};
+ \end{tikzpicture}
+\end{textblock}}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
\end{document}
%%% Local Variables:
--- a/style.sty Fri Sep 30 19:55:35 2016 +0100
+++ b/style.sty Tue Oct 04 13:44:05 2016 +0100
@@ -56,7 +56,7 @@
\end{center}
\noindent Solutions will only be accepted until
-30th December!}\bigskip}
+20th December!}\bigskip}
\newcommand{\POSTSCRIPT}{
{\bf (Optional)} This question is for you to provide