--- a/slides/slides07.tex Mon Nov 25 20:31:01 2013 +0000
+++ b/slides/slides07.tex Tue Nov 26 00:01:50 2013 +0000
@@ -726,366 +726,9 @@
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Privacy, Anonymity et al}
-
-Some terminology:
-
-\begin{itemize}
-\item \alert{secrecy} is the mechanism used to limit the number of
-principals with access to information (eg, cryptography or access controls)
-
-\item \alert{confidentiality} is the obligation to protect the secrets of other people
-or organizations (secrecy for the benefit of an organisation)
-
-\item \alert{anonymity} is the ability to leave no evidence of an activity (eg, sharing a secret)
-
-\item \alert{privacy} is the ability or right to protect your personal secrets
-(secrecy for the benefit of an individual)
-
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Privacy vs Anonymity}
-
-\begin{itemize}
-\item everybody agrees that anonymity has its uses (e.g., voting, whistleblowers, peer-review)
-\end{itemize}\bigskip\bigskip\pause
-
-
-But privacy?\bigskip\bigskip
-
-``You have zero privacy anyway. Get over it.''\\
-\hfill{}Scott Mcnealy (CEO of Sun)\bigskip\\
-
-
-If you have nothing to hide, you have nothing to fear.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Privacy}
-
-private data can be often used against me
-
-\begin{itemize}
-\item if my location data becomes public, thieves will switch off their phones and help themselves in my home
-\item if supermarkets can build a profile of what I buy, they can use it to their advantage (banks - mortgages)
-\item my employer might not like my opinions\bigskip\pause
-
-\item one the other hand, Freedom-of-Information Act
-\item medical data should be private, but medical research needs data
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Privacy Problems}
-
-\begin{itemize}
-\item Apple takes note of every dictation (send over the Internet to Apple)
-\item markets often only work, if data is restricted (to build trust)
-\item Social network can reveal data about you
-\item have you tried the collusion extension for FireFox?
-\item I do use Dropbox and store cards\bigskip
-\item next week: anonymising data
-\end{itemize}
-
-\begin{textblock}{5}(12,9.8)
-\includegraphics[scale=0.2]{pics/gattaca.jpg}\\
-\small Gattaca (1997)
-\end{textblock}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Privacy}
-
-\begin{minipage}{1.05\textwidth}
-\begin{itemize}
-\item we \alert{do} want that government data is made public (free maps for example)
-\item we \alert{do not} want that medical data becomes public (similarly tax data, school
-records, job offers)\bigskip
-\item personal information can potentially lead to fraud
-(identity theft)
-\end{itemize}\pause
-
-{\bf ``The reality'':}
-\only<2>{\begin{itemize}
-\item London Health Programmes lost in June last year unencrypted details of more than 8 million people
-(no names, but postcodes and details such as gender, age and ethnic origin)
-\end{itemize}}
-\only<3>{\begin{itemize}
-\item also in June last year, Sony got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts.
-\end{itemize}}
-\end{minipage}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Privacy and Big Data}
-
-Selected sources of ``Big Data'':\smallskip{}
-
-\begin{itemize}
-\item Facebook
-\begin{itemize}
-\item 40+ Billion photos (100 PB)
-\item 6 Billion messages daily (5 - 10 TB)
-\item 900 Million users
-\end{itemize}
-\item Common Crawl
-\begin{itemize}
-\item covers 3.8 Billion webpages (2012 dataset)
-\item 50 TB of data
-\end{itemize}
-\item Google
-\begin{itemize}
-\item 20 PB daily (2008)
-\end{itemize}
-\item Twitter
-\begin{itemize}
-\item 7 Million users in the UK
-\item a company called Datasift is allowed to mine all tweets since 2010
-\item they charge 10k per month for other companies to target advertisement
-\end{itemize}
-\end{itemize}\pause
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Cookies\ldots}
-
-``We have published a new cookie policy. It explains what cookies are
-and how we use them on our site. To learn more about cookies and
-their benefits, please view our cookie policy.\medskip
-
-If you'd like to disable cookies on this device, please view our information
-pages on 'How to manage cookies'. Please be aware that parts of the
-site will not function correctly if you disable cookies. \medskip
-
-By closing this
-message, you consent to our use of cookies on this device in accordance
-with our cookie policy unless you have disabled them.''
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Scare Tactics}
-
-The actual policy reads:\bigskip
-
-``As we explain in our Cookie Policy, cookies help you to get the most
-out of our websites.\medskip
-
-If you do disable our cookies you may find that certain sections of our
-website do not work. For example, you may have difficulties logging in
-or viewing articles.''
-
-
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Netflix Prize}
-
-Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip
-
-\begin{itemize}
-\item Netflix offered in 2006 (and every year until 2010) a 1 Mio \$ prize for improving their movie rating algorithm
-\item dataset contained 10\% of all Netflix users (appr.~500K)
-\item names were removed, but included numerical ratings as well as times of rating
-\item some information was \alert{perturbed} (i.e., slightly modified)
-\end{itemize}
-
-\hfill{\bf\alert{All OK?}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Re-identification Attack}
-
-Two researchers analysed the data:
-
-\begin{itemize}
-\item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the
-records can be identified
-\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause
-\item they took 50 samples from IMDb (where people can reveal their identity)
-\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{}
-
-\begin{itemize}
-\item Birth data, postcode and gender (unique for\\ 87\% of the US population)
-\item Preferences in movies (99\% of 500K for 8 ratings)
-\end{itemize}\bigskip
-
-Therefore best practices / or even law (HIPAA, EU):
-
-\begin{itemize}
-\item only year dates (age group for 90 years or over),
-\item no postcodes (sector data is OK, similarly in the US)\\
-\textcolor{gray}{no names, addresses, account numbers, licence plates}
-\item disclosure information needs to be retained for 5 years
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<2>[c]
-\frametitle{How to Safely Disclose Information?}
-
-\only<1>{
-\begin{itemize}
-\item Assume you make a survey of 100 randomly chosen people.
-\item Say 99\% of the surveyed people in the 10 - 40 age group have seen the
-Gangnam video on youtube.\bigskip
-
-\item What can you infer about the rest of the population?
-\end{itemize}}
-\only<2>{
-\begin{itemize}
-\item Is it possible to re-identify data later, if more data is released. \bigskip\bigskip\pause
-
-\item Not even releasing only aggregate information prevents re-identification attacks.
-(GWAS was a public database of gene-frequency studies linked to diseases;
-you only needed partial DNA information in order
-to identify whether an individual was part of the study --- DB closed in 2008)
-\end{itemize}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Differential Privacy}
-
-\begin{center}
-User\;\;\;\;
-\begin{tabular}{c}
-tell me \bl{$f(x)$} $\Rightarrow$\\
-$\Leftarrow$ \bl{$f(x) + \text{noise}$}
-\end{tabular}
-\;\;\;\;\begin{tabular}{@{}c}
-Database\\
-\bl{$x_1, \ldots, x_n$}
-\end{tabular}
-\end{center}
-
-
-\begin{itemize}
-\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to
-individual entries \bl{$x_1, \ldots, x_n$}\\
-\item Intuition: whatever is learned from the dataset would be learned regardless of whether
-\bl{$x_i$} participates\bigskip\pause
-
-\item Noised needed in order to prevent queries:\\ Christian's salary $=$
-\begin{center}
-\bl{\large$\Sigma$} all staff $-$ \bl{\large$\Sigma$} all staff $\backslash$ Christian
-\end{center}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Adding Noise}
-
-Adding noise is not as trivial as one would wish:
-
-\begin{itemize}
-\item If I ask how many of three have seen the Gangnam video and get a result
-as follows
-
-\begin{center}
-\begin{tabular}{l|c}
-Alice & yes\\
-Bob & no\\
-Charlie & yes\\
-\end{tabular}
-\end{center}
-
-then I have to add a noise of \bl{$1$}. So answers would be in the
-range of \bl{$1$} to \bl{$3$}
-
-\bigskip
-\item But if I ask five questions for all the dataset (has seen Gangnam video, is male, below 30, \ldots),
-then one individual can change the dataset by \bl{$5$}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@{}c@{}}Take Home Point\end{tabular}}
-
-According to Ross Anderson: \bigskip
-\begin{itemize}
-\item Privacy in a big hospital is just about doable.\medskip
-\item How do you enforce privacy in something as big as Google
-or complex as Facebook? No body knows.\bigskip
-
-Similarly, big databases imposed by government
-\end{itemize}
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}
--- a/slides/slides08.tex Mon Nov 25 20:31:01 2013 +0000
+++ b/slides/slides08.tex Tue Nov 26 00:01:50 2013 +0000
@@ -1,8 +1,8 @@
\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{proof}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
+\usepackage{beamerthemeplaincu}
+%\usepackage[T1]{fontenc}
+%\usepackage[latin1]{inputenc}
\usepackage{mathpartir}
\usepackage{isabelle}
\usepackage{isabellesym}
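Review bot: The two encoding packages are switched off at `%\usepackage[T1]{fontenc}` and `%\usepackage[latin1]{inputenc}` with no reason given. The next editor cannot tell whether they clash with `beamerthemeplaincu` or were disabled while debugging. Either delete both lines or put the reason above them, for example `% fontenc/inputenc disabled: <reason>; keep this file ASCII-only`. With `inputenc` gone, any Latin-1 byte further down the deck would no longer be decoded; none is visible in this diff, so a quick search for non-ASCII characters would settle it.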
@@ -93,7 +93,7 @@
showstringspaces=false}
% beamer stuff
-\renewcommand{\slidecaption}{APP 08, King's College London, 20 November 2012}
+\renewcommand{\slidecaption}{APP 08, King's College London, 26 November 2013}
\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
\newcommand{\bl}[1]{\textcolor{blue}{#1}}
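Review bot: Moving the caption to `26 November 2013` makes the relative dates on the Privacy frame added later in this commit stale. Both incident bullets there say `in June last year`, wording that appears to have been carried over unchanged from slides07. Breach examples are easier to check and cite with an absolute date, so I would replace the phrase with the month and year of each incident, e.g. `in June <year>`. The frame itself sits in a later hunk that runs past what is shown here.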
@@ -117,7 +117,7 @@
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Office: & S1.27 (1st floor Strand Building)\\
Slides: & KEATS (also homework is there)\\
\end{tabular}
\end{center}
@@ -126,429 +126,13 @@
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Last Week}
-
-Andrew Secure RPC Protocol:
-\bl{$A$} and \bl{$B$} share a key private \bl{$K_{AB}$} and want to identify
-each other\bigskip
-
- \begin{itemize}
- \item \bl{$A \,\text{sends}\, B : A, N_A$}
- \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[t]
- \frametitle{Protocols}
-
-\mbox{}
-
-\begin{tabular}{l}
-{\Large \bl{$A\;\text{sends}\; B : \ldots$}}\\
-\onslide<2->{\Large \bl{$B\;\text{sends}\; A : \ldots$}}\\
-\onslide<2->{\Large \;\;\;\;\;\bl{$:$}}\bigskip
-\end{tabular}
-
- \begin{itemize}
- \item by convention \bl{$A$}, \bl{$B$} are named principals \bl{Alice\ldots}\\
- but most likely they are programs, which just follow some instructions (they are more like roles)\bigskip
-\item<2-> indicates one ``protocol run'', or session, which specifies some
-order in the communication
-\item<2-> there can be several sessions in parallel (think of wifi routers)
-\end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Last Week}
-
-
-\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify
-each other\bigskip
-
- \begin{itemize}
- \item \bl{$A \,\text{sends}\, B : A, N_A$}
- \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
- \end{itemize}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Defeating Challenge-Response}
-
-\noindent
-A \alert{reflection attack}: an intruder \bl{$I$} impersonates \bl{$B$}.
-
-\begin{center}
-\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{1mm}}c@{}}
-\begin{tabular}{@{}l@{}}
-\onslide<1->{\bl{$A \,\text{sends}\, I : A, N_A$}}\\
-\onslide<4->{\bl{$I \,\text{sends}\, A : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
-\onslide<5->{\bl{$A \,\text{sends}\, I : \{N_A\}_{K'_{AB}}$}}\\
-\end{tabular}
-&
-\begin{tabular}{@{}l@{}}
-\onslide<2->{\bl{$I \,\text{sends}\, A : B, N_A$}}\\
-\onslide<3->{\bl{$A \,\text{sends}\, I : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
-\onslide<6->{\bl{$I \,\text{sends}\, A : \{N_A\}_{K'_{AB}}$}}\\
-\end{tabular}
-\end{tabular}
-\end{center}\bigskip
-
-\onslide<7->{Sounds stupid: ``\ldots answering a question with a counter question''\medskip\\
-was originally developed at CMU for terminals to connect to
-workstations (e.g., file servers)}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Identify Friend or Foe}
-
-\begin{center}
-\onslide<3->{\mbox{}\hspace{3.4cm}\includegraphics[scale=0.55]{pics/MigInMiddle.jpg}}
-\end{center}
-
-\begin{textblock}{6}(0.3,2)
-\onslide<2->{
-198?: war between Angola (supported by Cuba)
-and Namibia (supported by SA)}
-\end{textblock}
-
-\begin{textblock}{3}(12.5,4.6)
- \onslide<3->{
- \begin{tikzpicture}
- \node at (0,0) [single arrow, fill=red,text=white, rotate=-50, shape border rotate=180]{``bystander''};
- \end{tikzpicture}}
- \end{textblock}
-
-\begin{textblock}{3}(10.9,10)
- \onslide<3->{
- \begin{tikzpicture}
- \node at (0,0) [single arrow, fill=red,text=white, rotate=-40, shape border rotate=180]{attacker};
- \end{tikzpicture}}
- \end{textblock}
-
-\only<4->{
-\begin{textblock}{6}(0.3,9)
-being outsmarted by Angola/Cuba
-ended SA involvement (?)
-\end{textblock}}
-\only<5->{
-\begin{textblock}{6}(0.3,13)
-IFF opened up a nice side-channel attack
-\end{textblock}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Encryption to the Rescue?}
-
-
- \begin{itemize}
- \item \bl{$A \,\text{sends}\, B : \{A, N_A\}_{K_{AB}}$}\hspace{1cm} encrypted\bigskip
- \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}\bigskip
- \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}\bigskip
- \end{itemize}\pause
-
-means you need to send separate ``Hello'' signals (bad), or worse
-share a single key between many entities
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Protocol Attacks}
-
-\begin{itemize}
-\item replay attacks
-\item reflection attacks
-\item man-in-the-middle attacks
-\item timing attacks
-\item parallel session attacks
-\item binding attacks (public key protocols)
-\item changing environment / changing assumptions\bigskip
-
-\item (social engineering attacks)
-\end{itemize}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Replay Attacks}
-
-Schroeder-Needham protocol: exchange of a symmetric key with a trusted 3rd-party \bl{$S$}:
-
-\begin{center}
-\begin{tabular}{r@ {\hspace{1mm}}l}
-\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
-\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}\bigskip\pause
-
-at the end of the protocol both \bl{$A$} and \bl{$B$} should be in the possession of the secret key
-\bl{$K_{AB}$} and know that the other principal has the key
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Nonces}
-
-\begin{enumerate}
-\item I generate a nonce (random number) and send it to you encrypted with a key we share
-\item you increase it by one, encrypt it under a key I know and send
-it back to me
-\end{enumerate}
-
-
-I can infer:
-
-\begin{itemize}
-\item you must have received my message
-\item you could only have generated your answer after I send you my initial
-message
-\item if only you and me know the key, the message must have come from you
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\begin{tabular}{l}
-\bl{$A \rightarrow S :$} \bl{$A, B, N_A$}\\
-\bl{$S \rightarrow A :$} \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} \bl{$\{N_B-1\}_{K_{AB}}$}\pause\\
-\hspace{5cm}compromise \bl{$K_{AB}$}\pause\\
-\bl{$A \rightarrow S :$} \bl{$A, B, N'_A$}\\
-\bl{$S \rightarrow A :$} \bl{$\{N'_A, B, K'_{AB},\{K'_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\pause\\
-\bl{$I(A) \rightarrow B :$} \bl{$\{K_{AB}, A\}_{K_{BS}} $}\hspace{0.5cm} replay of older run\pause\\
-\bl{$B \rightarrow I(A) :$} \bl{$\{N'_B\}_{K_{AB}}$}\\
-\bl{$I(A) \rightarrow B :$} \bl{$\{N'_B-1\}_{K_{AB}}$}\
-\end{tabular}
-\end{center}\pause
-
-\bl{$B$} believes it is following the correct protocol,
-intruder \bl{$I$} can form the correct response because it knows \bl{$K_{AB}$} and
-talks to \bl{$B$} masquerading as \bl{$A$}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\includegraphics[scale=0.5]{pics/dogs.jpg}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
-\frametitle{Replay Attacks}
-
-Andrew Secure RPC protocol: exchanging a new key
-between \bl{$A$} and \bl{$B$}
-
-\begin{center}
-\begin{tabular}{l}
-\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
-\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} \bl{$\{N_B+1\}_{K_{AB}}$}\\
-\bl{$B \rightarrow A :$} \bl{$\{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}\bigskip\pause
-
-Assume nonces are represented as bit-sequences of the same length as keys
-\begin{center}
-\begin{tabular}{@{}l@{}}
-\bl{$A \rightarrow B :$} \bl{$A, \{N_A\}_{K_{AB}}$}\\
-\bl{$B \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow I(B) :$} \bl{$\{N_B+1\}_{K_{AB}}$}\hspace{0.5mm}intercepts\\
-\bl{$I(B) \rightarrow A :$} \bl{$\{N_A+1, N_B\}_{K_{AB}}$}\hspace{0.5mm}resend 2nd msg\\
-\end{tabular}
-\end{center}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Time-Stamps}
-
-The Schroeder-Needham protocol can be fixed by including a time-stamp (e.g., in Kerberos):
-
-\begin{center}
-\begin{tabular}{r@ {\hspace{1mm}}l}
-\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
-\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}\bigskip\pause
-
-but nothing is for free: then you need to synchronise time and possibly become a victim to
-timing attacks
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-It can also be fixed by including another nonce:
-
-\begin{center}
-\begin{tabular}{r@ {\hspace{1mm}}l}
-\bl{$A \rightarrow B :$} & \bl{$A$}\\
-\bl{$B \rightarrow A :$} & \bl{$\{A, N_B\}_{K_{BS}}$}\\
-\bl{$A \rightarrow S :$} & \bl{$A, B, N_A, \{A, N_B\}_{K_{BS}}$}\\
-\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A, N_B\}_{K_{BS}} \}_{K_{AS}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, N_B\}_{K_{BS}} $}\\
-\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
-\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}\bigskip\pause
-
-but nothing is for free: then you need to synchronise time and possibly become victim to
-timing attacks
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Binding Attacks}
-
-with public-private keys it is important that the public key is \alert{bound}
-to the right owner (verified by a certification authority \bl{$CA$})
+\frametitle{Man-in-the-Middle}
-\begin{center}
-\begin{tabular}{l}
-\bl{$A \rightarrow CA :$} \bl{$A, B, N_A$}\\
-\bl{$CA \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{B}\}_{K^{pub}_{A}}$}\\
-\end{tabular}
-\end{center}\bigskip
-
-\bl{$A$} knows \bl{$K^{priv}_A$} and can verify the message came from \bl{$CA$}
-in response to \bl{$A$}'s message and trusts \bl{$K^{pub}_{B}$} is \bl{$B$}'s public key
-
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Binding Attacks}
-
-\begin{center}
-\begin{tabular}{l}
-\bl{$A \rightarrow I(CA) :$} \bl{$A, B, N_A$}\\
-\bl{$I(A) \rightarrow CA :$} \bl{$A, I, N_A$}\\
-\bl{$CA \rightarrow I(A) :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
-\bl{$I(CA) \rightarrow A :$} \bl{$CA, \{CA, A, N_A, K^{pub}_{I}\}_{K^{pub}_{A}}$}\\
-\end{tabular}
-\end{center}\pause
-
-\bl{$A$} now encrypts messages for \bl{$B$} with the public key of \bl{$I$}
-(which happily decrypts them with its private key)
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-There are plenty of other protocols and attacks. This could go on ``forever''.\pause\bigskip
-
-We look here on one more kind of attacks that are because of a changing environment.
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-\frametitle{Changing Environment Attacks}
-
-\begin{itemize}
-\item all protocols rely on some assumptions about the environment
-(e.g., cryptographic keys cannot be broken)\bigskip\pause
-\end{itemize}
-
-\only<2>{
-\begin{itemize}
-\item in the ``good olden days'' (1960/70) rail transport was cheap, so fraud was not
-worthwhile
-\end{itemize}}
-
-\only<3>{
-\begin{itemize}
-\item when it got expensive, some people bought cheaper monthly tickets for a suburban
-station and a nearby one, and one for the destination and a nearby one
-\item a large investment later all barriers were automatic and tickets could record state
-\end{itemize}}
-
-\only<4>{
-\begin{itemize}
-\item but suddenly the environment changed: rail transport got privatised creating many
-competing companies
-potentially cheating each other
-\item revenue from monthly tickets was distributed according to a formula involving where the ticket was bought\ldots
-\end{itemize}}
-
-\only<5>{
-\begin{itemize}
-\item apart from bad outsiders (passengers), you also had bad insiders (rail companies)
-\item chaos and litigation ensued
-\end{itemize}}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
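Review bot: The frame that remains after this hunk carries only `\frametitle{Man-in-the-Middle}`, and the same holds for `\frametitle{Facebook Privacy}` in the following hunk, so the deck appears to compile into two title-only slides. If they are placeholders, mark them in the source with something like `% TODO: content for this frame` so they are not presented empty by accident. The worked man-in-the-middle example removed in the next hunk (the card/terminal PIN case) is not replaced anywhere visible, so the new frame presumably still needs an example that says which party's verification is bypassed and what check would prevent it. The frame opens and closes in context lines, and blank lines may have been lost in this rendering of the diff.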
@@ -556,100 +140,11 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
-
-A Man-in-the-middle attack in real life:
-
-\begin{itemize}
-\item the card only says yes or no to the terminal if the PIN is correct
-\item trick the card in thinking transaction is verified by signature
-\item trick the terminal in thinking the transaction was verified by PIN
-\end{itemize}
-
-\begin{minipage}{1.1\textwidth}
-\begin{center}
-\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
-\includegraphics[scale=0.3]{pics/chipnpinflaw.png}
-\end{center}
-\end{minipage}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Problems with EMV}
-
-\begin{itemize}
-\item it is a wrapper for many protocols
-\item specification by consensus (resulted unmanageable complexity)
-\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
-further parts are secret
-\item other attacks have been found
-
-\item one solution might be to require always online verification of the PIN with the bank
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\frametitle{Facebook Privacy}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Problems with WEP (Wifi)}
-
-\begin{itemize}
-\item a standard ratified in 1999
-\item the protocol was designed by a committee not including cryptographers
-\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
-\item WEP did not allocate enough bits for the nonce
-\item for authenticating packets it used CRC checksum which can be easily broken
-\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip
-\item encryption was turned of by default
-\end{itemize}
-
\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Protocols are Difficult}
-
-\begin{itemize}
-\item even the systems designed by experts regularly fail\medskip
-\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
-\item the one who can fix a system should also be liable for the losses\medskip
-\item cryptography is often not {\bf the} answer\bigskip\bigskip
-\end{itemize}
-
-logic is one way protocols are studied in academia
-(you can use computers to search for attacks)
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Public-Key Infrastructure}
-
-\begin{itemize}
-\item the idea is to have a certificate authority (CA)
-\item you go to the CA to identify yourself
-\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
-\item CA must be trusted by everybody
-\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
-explicitly limits liability to \$100.)
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
@@ -737,6 +232,330 @@
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy}
+
+\begin{minipage}{1.05\textwidth}
+\begin{itemize}
+\item we \alert{do} want that government data is made public (free maps for example)
+\item we \alert{do not} want that medical data becomes public (similarly tax data, school
+records, job offers)\bigskip
+\item personal information can potentially lead to fraud
+(identity theft)
+\end{itemize}\pause
+
+{\bf ``The reality'':}
+\only<2>{\begin{itemize}
+\item London Health Programmes lost in June last year unencrypted details of more than 8 million people
+(no names, but postcodes and details such as gender, age and ethnic origin)
+\end{itemize}}
+\only<3>{\begin{itemize}
+\item also in June last year, Sony got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts.
+\end{itemize}}
+\end{minipage}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Privacy and Big Data}
+
+Selected sources of ``Big Data'':\smallskip{}
+
+\begin{itemize}
+\item Facebook
+\begin{itemize}
+\item 40+ Billion photos (100 PB)
+\item 6 Billion messages daily (5 - 10 TB)
+\item 900 Million users
+\end{itemize}
+\item Common Crawl
+\begin{itemize}
+\item covers 3.8 Billion webpages (2012 dataset)
+\item 50 TB of data
+\end{itemize}
+\item Google
+\begin{itemize}
+\item 20 PB daily (2008)
+\end{itemize}
+\item Twitter
+\begin{itemize}
+\item 7 Million users in the UK
+\item a company called Datasift is allowed to mine all tweets since 2010
+\item they charge 10k per month for other companies to target advertisement
+\end{itemize}
+\end{itemize}\pause
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Cookies\ldots}
+
+``We have published a new cookie policy. It explains what cookies are
+and how we use them on our site. To learn more about cookies and
+their benefits, please view our cookie policy.\medskip
+
+If you'd like to disable cookies on this device, please view our information
+pages on 'How to manage cookies'. Please be aware that parts of the
+site will not function correctly if you disable cookies. \medskip
+
+By closing this
+message, you consent to our use of cookies on this device in accordance
+with our cookie policy unless you have disabled them.''
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Scare Tactics}
+
+The actual policy reads:\bigskip
+
+``As we explain in our Cookie Policy, cookies help you to get the most
+out of our websites.\medskip
+
+If you do disable our cookies you may find that certain sections of our
+website do not work. For example, you may have difficulties logging in
+or viewing articles.''
+
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Netflix Prize}
+
+Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip
+
+\begin{itemize}
+\item Netflix offered in 2006 (and every year until 2010) a 1 Mio \$ prize for improving their movie rating algorithm
+\item dataset contained 10\% of all Netflix users (appr.~500K)
+\item names were removed, but included numerical ratings as well as times of rating
+\item some information was \alert{perturbed} (i.e., slightly modified)
+\end{itemize}
+
+\hfill{\bf\alert{All OK?}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Re-identification Attack}
+
+Two researchers analysed the data:
+
+\begin{itemize}
+\item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the
+records can be identified
+\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause
+\item they took 50 samples from IMDb (where people can reveal their identity)
+\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{}
+
+\begin{itemize}
+\item Birth data, postcode and gender (unique for\\ 87\% of the US population)
+\item Preferences in movies (99\% of 500K for 8 ratings)
+\end{itemize}\bigskip
+
+Therefore best practices / or even law (HIPAA, EU):
+
+\begin{itemize}
+\item only year dates (age group for 90 years or over),
+\item no postcodes (sector data is OK, similarly in the US)\\
+\textcolor{gray}{no names, addresses, account numbers, licence plates}
+\item disclosure information needs to be retained for 5 years
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<2>[c]
+\frametitle{How to Safely Disclose Information?}
+
+\only<1>{
+\begin{itemize}
+\item Assume you make a survey of 100 randomly chosen people.
+\item Say 99\% of the surveyed people in the 10 - 40 age group have seen the
+Gangnam video on youtube.\bigskip
+
+\item What can you infer about the rest of the population?
+\end{itemize}}
+\only<2>{
+\begin{itemize}
+\item Is it possible to re-identify data later, if more data is released. \bigskip\bigskip\pause
+
+\item Not even releasing only aggregate information prevents re-identification attacks.
+(GWAS was a public database of gene-frequency studies linked to diseases;
+you only needed partial DNA information in order
+to identify whether an individual was part of the study --- DB closed in 2008)
+\end{itemize}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Differential Privacy}
+
+\begin{center}
+User\;\;\;\;
+\begin{tabular}{c}
+tell me \bl{$f(x)$} $\Rightarrow$\\
+$\Leftarrow$ \bl{$f(x) + \text{noise}$}
+\end{tabular}
+\;\;\;\;\begin{tabular}{@{}c}
+Database\\
+\bl{$x_1, \ldots, x_n$}
+\end{tabular}
+\end{center}
+
+
+\begin{itemize}
+\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to
+individual entries \bl{$x_1, \ldots, x_n$}\\
+\item Intuition: whatever is learned from the dataset would be learned regardless of whether
+\bl{$x_i$} participates\bigskip\pause
+
+\item Noised needed in order to prevent queries:\\ Christian's salary $=$
+\begin{center}
+\bl{\large$\Sigma$} all staff $-$ \bl{\large$\Sigma$} all staff $\backslash$ Christian
+\end{center}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Adding Noise}
+
+Adding noise is not as trivial as one would wish:
+
+\begin{itemize}
+\item If I ask how many of three have seen the Gangnam video and get a result
+as follows
+
+\begin{center}
+\begin{tabular}{l|c}
+Alice & yes\\
+Bob & no\\
+Charlie & yes\\
+\end{tabular}
+\end{center}
+
+then I have to add a noise of \bl{$1$}. So answers would be in the
+range of \bl{$1$} to \bl{$3$}
+
+\bigskip
+\item But if I ask five questions for all the dataset (has seen Gangnam video, is male, below 30, \ldots),
+then one individual can change the dataset by \bl{$5$}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@{}c@{}}Tor\end{tabular}}
+
+\begin{itemize}
+\item initially developed by US Navy Labs, but then opened up to the world
+\item network of proxy nodes
+\item a Tor client establishes a ``random'' path to the destination server (you cannot trace back where the information came from)\bigskip\pause
+\end{itemize}
+
+\only<2>{
+\begin{itemize}
+\item malicious exit node attack: someone set up 5 Tor exit nodes and monitored the traffic:
+\begin{itemize}
+\item a number of logons and passwords used by embassies (Usbekistan `s1e7u0l7c', while
+Tunesia `Tunesia' and India `1234')
+\end{itemize}
+\end{itemize}}
+\only<3>{
+\begin{itemize}
+\item bad apple attack: if you have one insecure application, your IP can be tracked through Tor
+\begin{itemize}
+\item background: 40\% of traffic on Tor is generated by BitTorrent
+\end{itemize}
+\end{itemize}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@{}c@{}}Skype\end{tabular}}
+
+\begin{itemize}
+\item Skype used to be known as a secure online communication (encryption cannot be disabled),
+but \ldots\medskip
+
+\item it is impossible to verify whether crypto algorithms are correctly used, or whether there are backdoors.\bigskip
+
+\item recently someone found out that you can reset the password of somebody else's
+account, only knowing their email address (needed to suspended the password reset feature temporarily)
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@{}c@{}}Take Home Point\end{tabular}}
+
+According to Ross Anderson: \bigskip
+\begin{itemize}
+\item Privacy in a big hospital is just about doable.\medskip
+\item How do you enforce privacy in something as big as Google
+or complex as Facebook? No body knows.\bigskip
+
+Similarly, big databases imposed by government
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
\end{document}
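Review bot: The Tor frame says flatly `you cannot trace back where the information came from`, yet both overlays that follow describe users being exposed, and neither says what a user should do about it. Tor conceals the route, not the payload, so anything that leaves the exit node unencrypted is readable by that node's operator. I would hedge the claim and add an item such as `\item Tor anonymises the route only; use end-to-end encryption (e.g.\ TLS) so exit nodes cannot read credentials`. Separately, the re-identification figures disagree: `98\% of the records` in the Re-identification Attack frame versus `99\% of 500K for 8 ratings` in the untitled frame after it, so one of them needs checking against the researchers' published numbers. Smaller slips on added lines are `Birth data` (presumably "date"), `Noised needed`, `needed to suspended` and `No body knows`.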