Student-led seminars
Students will probably be asked to work in teams of three. Your
presentation and its handout will be assessed.
Seminars should aim to
- have reasonable technical content
- be understood by the audience
- be accompanied by appropriate handouts (in an open,
non-proprietary format, for
convenient linkage to the module pages)
- be interactive
Supervision arrangements
- [Optional] Arrange a
preliminary short meeting with your
supervisor to get orientation about the topic and suggestions of
references. If you already have good ideas and knowledge of your
topic, you don't need to have this meeting.
- Arrange a meeting with your supervisor three weeks before your
presentation. By the time of this meeting, you should have
- decided how you are dividing the work between members of your
group
- started the reading and research
- planned your presentation and drafted your handout at a high
level.
- Arrange a meeting with your supervisor one week before your
presentation. By this time, you should have everything in near-final
form. Your supervisor can help you with minor adjustments.
Please look at the main page to see which
supervisor has been allocated to your group.
You can arrange your meetings at the lectures or by email:
Mark Ryan <M.D.Ryan at cs.bham.ac.uk>
Stefano Cattani <S.Cattani at cs.bham.ac.uk>
Assessment (50% on the seminar, 50% exam)
The 50% based on the seminar will be judged according to these criteria:
- presentation
- handouts
- depth of knowledge
- ability to answer questions
- management (= team mgt, prep for mtgs with sup)
Some suggested topics and references
The topics that the instructors have particular interest in are near
the top, so you are encouraged to pick one of those. The
references/links given are certainly
not complete or adequate! You need to do your own literature
search. At the bottom of the list of topics, there are some interesting
ones for which I haven't had the time to write a description or find a
few links.
Sources of information
It's vital to get good sources on which to base your presentation.
Obviously, there is a lot of information on the web, and if you select
carefully then the web is a very valuable resource. But it's vital to
select carefully, because there is a huge amount of rubbish,
misunderstandings and poor explanations out there. Look at the author's
name and the web site's name, as well as the content, to form your
judgment. You should also use books. In a fast-moving area like
computer
security, books cannot be relied on for current practice and standards.
But they can be relied on more than the web for a sound theoretical
basis. More selection has been done for you, by book authors and
publishers, than by amateurs who write well-intended but ill-informed
web pages.
- Steganography and digital watermarking are about
techniques used to hide messages inside a file whose apparent purpose
is something else. For example, one can hide a message in the least
significant bit of each 24-bit pixel of an image file, without having
an appreciable effect on the quality of the image. This is useful for
digitally watermarking an image, to later claim ownership. To be
effective, steganography should be
- Not easily identifiable or removable (the technique described
for images is both identifiable and removable)
- Robust to normal operations on the file (such as image
resizing, or even printing out and scanning in again, or re-recording a
watermarked audio file).
Places to start your search include the
information hiding homepage and the book Information
hiding techniques for steganography and digital watermarking.
- Spyware and Trojan horses.
Spyware is apparently useful software whose real purpose is to spy on
your activities and report back to its master, who may hit you with
targeted junk popups or worse. Example: Aureate.
- How widespread is this problem?
- How can one check software and/or defend against spyware?
- Does spyware affect any open-source software? How could one
hide spyware in OSS?
- Zero Knowledge proofs are
used to prove something without giving out any information: the prover
can convince the verifier that he knows some secret without revealing
anything about the secret and without enabling the verifier to
replicate the proof to someone else. Among other uses, Zero Knowledge
techniques can be used for user identification purposes.
- Digital cash.
The principal means to do transactions on the web today is by credit
card. The idea of digital cash is to create a digital version of "real"
money, that preserves anonymity, cannot be spent more than once and
that is hard to forge.
http://www.wisdom.weizmann.ac.il/~naor/PAPERS/untrace_abs.html
http://www.cs.berkeley.edu/~daw/cs276/l25.ps
http://citeseer.nj.nec.com/chaum89untraceable.html
(to get the paper, click on one of the links at the top right corner)
- Electronic voting.
It would be desirable to make use of new technologies to have new and
more efficient voting methods, and more and more governments are
interested in this. But any electronic protocol for voting must support
the typical requirements of a voting system, e.g. secrecy of votes, only
authorised voters can vote and they can vote only once, etc. Voters
should be able to verify that their vote was correctly registered and
counted.
http://www.edemocracy.gov.uk/
http://www.eucybervote.org/
http://www.thebell.net/papers/vote-req.pdf
A critique of an
implemented system, and the implementer's response (interesting)
- Random number generation
is an important topic for cryptography, for generating keys. But most
naive ways of generating random numbers are flawed because they are not
truly random. PGP/GPG use mouse and keyboard events to help randomise.
In your presentation, explain the problems; try to identify how serious
they really are; and explain approaches and solutions.
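To illustrate how serious a naive generator can be, here is an added example (not part of the original page): a 128-bit key is drawn from Python's non-cryptographic `random` module seeded with a timestamp, and a search over one hour of possible seeds reproduces it. The timestamps, the one-hour window and all function names are constructed for illustration.

```python
import math
import random
import secrets

KEY_BYTES = 16  # 128-bit key

def naive_key(seed: int) -> bytes:
    """Flawed: key bytes from a non-cryptographic PRNG seeded with a guessable value."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(KEY_BYTES))

def strong_key() -> bytes:
    """Key bytes from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)

def effective_bits(first_seed: int, last_seed: int) -> float:
    """Entropy of a key whose only unknown is a seed in [first_seed, last_seed]."""
    return math.log2(last_seed - first_seed + 1)

def find_seed(key: bytes, first_seed: int, last_seed: int):
    """Return the seed that reproduces `key`, or None if no seed in the window does."""
    for seed in range(first_seed, last_seed + 1):
        if naive_key(seed) == key:
            return seed
    return None

# Constructed scenario: the key was generated at some second within a known hour.
HOUR_START = 1_000_000_000       # constructed Unix timestamp
HOUR_END = HOUR_START + 3599
CREATED_AT = HOUR_START + 1234   # the moment the key was generated

if __name__ == "__main__":
    weak = naive_key(CREATED_AT)
    print("bits of entropy in the weak key:",
          round(effective_bits(HOUR_START, HOUR_END), 1))
    print("weak key reproduced from a seed:",
          find_seed(weak, HOUR_START, HOUR_END) == CREATED_AT)
    print("CSPRNG key reproduced from a seed:",
          find_seed(strong_key(), HOUR_START, HOUR_END) is not None)
```

The key is 128 bits long in both cases, but the time-seeded one carries only as much uncertainty as the seed does, which is under 12 bits here.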
Preparing your presentation
You
must prepare a handout, and this will be part of the continuous
assessment. You should decide whether to do "slides" or to have an
essay-type handout and work with the blackboard. Slides have the
advantage of being pre-prepared material for your audience to look at,
which can help stop them glaring at you! If you do use slides, be
careful not to write too much on each slide. Your audience will not be
able to read it.
- SSL-TLS.
The SSL protocol is used by browsers to communicate with secure servers.
It uses certificates and public key encryption.
- CSS and DeCSS.
CSS is the encryption system used on DVD players, and DeCSS is the
program encoding the crack, written by a 16-year-old Norwegian
programmer called Jon Johansen.
David Touretzky's
DeCSS web page includes a tutorial and other resources.
- Human factors. Only half
of computer security is about technology. The other half is the human.
If people choose their pet's name for their password, the system
will be insecure. If banks don't use public key cryptography to sign
their emails, their customers won't know if the emails are genuine or
from fraudsters. Why don't they sign their emails? Why doesn't
everyone? Why
Johnny can't encrypt is an interesting article attempting to
explain why people can't/don't want to use PGP. The problems here are
the most difficult ones in computer security.
- Biometrics. Saviour or niche-market?
Classify the main approaches and their associated problems.
- Programming language security.
- What features of Java make it more secure than (say) C?
- Compile-time and run-time checks
- Java security package
- Java applet sandboxing
- Buffer overflow vulnerability in C
- Problems with CGI scripts, such as field entries which change
the meaning of an SQL query
- Microsoft passport and other single-signon systems. How
do
they work? What are the issues and problems?
Microsoft passport: http:...
Liberty Alliance alternative single sign-on system. Aimed at
corporations rather than individuals, in contrast with MSPP.
- Viruses and worms.
This is a huge topic; you'll need to plan carefully.
- Sobig technical details 1
2
- . . .
- SoCS gets 1078 attacks of Code Red worm in 9 days in August
2001 (its site runs Apache, so is invulnerable to IIS worms).
- Viruses and worms not on linux - The Register
article
- Firewalls.
Classify main types against network layers: packet firewalls,
application firewalls, etc. What languages do large firewall vendors
such as Cisco provide, in order to help manage the huge complexity of
rule tables?
The content of your presentation
Seminars should aim to
- have reasonable technical content
- be understood by the audience
- be accompanied by appropriate handouts (in an open
non-proprietary format, such as HTML, for
convenient linkage to the module pages)
- be interactive
- Security of Open-Source Software.
Why is OSS (such as the GNU/Linux operating system) much less
vulnerable to attacks than MS Windows?
Linux attacks increasing: http://msn.vnunet.com/News/1133518
Linux viruses:
http://www.claws-and-paws.com/virus/articles/linux_viruses.shtml
- Differential cryptanalysis is an approach to trying to
break crypto systems such as DES, which has been quite successful. It
is
based on comparing the encryptions of two plaintexts which differ only
slightly. This topic is quite complicated, but enjoyable if you liked
getting to understand the details of the crypto algorithms.
- Government control of crypto; the Clipper Chip. A
few years ago the US government was bent on controlling crypto so that
it could always decrypt messages sent by fraudsters, terrorists, enemy
countries, etc. The Clipper chip was an effort at providing the
government with escrowed keys. They banned export of crypto systems and
software. Have they been defeated, and have they abandoned all their
attempts at control? Or have they discovered an RSA exploit?
- Holes in popular software.
- Internet Explorer v > 4.0 allows a web server to run
arbitrary code on your system. Demonstration: http://www.cs.bham.ac.uk/~mer/hole.html
launches MS Calculator, but could just as easily reformat your hard
drive.
- Win Media Player.
http://msn.vnunet.com/News/1133109
http://www.microsoft.com/technet/security/bulletin/ms02-032.asp
- Winamp. http://online.securityfocus.com/bid/5170/discussion/
- NESSUS is a very powerful open-source tool designed to
identify the presence of known security holes.
- DDoS.
- http://grc.com/dos/grcdos.htm
This one is a description of an actual attack, and how the victim
traced the attack to a 13 year old, using IRC to coordinate the
attacks.
If you are running windows on any kind of internet connection, better
make sure your machine is not infected with those bots...
- http://www.caida.org/outreach/papers/backscatter/
The second article uses an ingenious method to actually count the number
of DDoS attacks happening at any time on the internet, and comes up with
worrying numbers. After reading the previous article, I(TS) think they
might miss a lot of attacks (those originating from windows machines)?
- P2P security.
"Another worm is targeting the Kazaa Peer-to-Peer filesharing
network" http://msn.vnunet.com/News/1133129
- Vulnerabilities on routers, switches, other hardware.
Cisco using IIS software on its hardware, had to release
firmware patch
Known bugs with the Linksys cable/DSL routers (Linksys Cable/DSL
version 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31) )
Have a look here: http://www.governmentsecurity.org/exploits.php
- Kerberos.
- IPSec.
- Buffer overflow attacks.
- Intrusion detection systems.
NIST special
publication on Intrusion Detection Systems
- SSH.