Matthew Russell's "Unleashing Twitter Data for Fun and Insight" presentation from Strata 2011. See http://strataconf.com/strata2011/public/schedule/detail/17714 for an overview of the talk.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.
APIdays Paris 2018 - Learning the OAuth Dance (Without Stepping on Anyone's T... - apidays
Learning the OAuth Dance (Without Stepping on Anyone's Toes)
Anabella Spinelli, Former QA & Future Developer, Typeform
Apply to be a speaker here - https://apidays.typeform.com/to/J1snsg
2019 ITkonekt Stateless REST Security with MicroProfile JWT - Jean-Louis MONTEIRO
This presentation focuses on this landscape and explains how to leverage the quickly evolving MicroProfile JWT specification to secure microservices in a fully stateless and scalable manner. We'll introduce the specification briefly and move on to code examples that show how to set up JWT verification and obtain trusted claims via lookup or dependency injection.
I Know What You'll Do Next Summer - The Skills You Will Be Learning as a Domi... - Grégory Engels
HTML5, CSS3, OpenSocial, OAuth: these are all new technologies that will be in the toolbox of every Domino developer. HTML5 was mentioned in every second slide during the App-Dev Keynote at the 2010 Lotusphere in Orlando. Reason enough to look at the buzzwords and start gathering experience with these upcoming technologies today.
We will also take a closer look at what was announced as "Project Vulcan".
B-sides Las Vegas - social network security - Damon Cortesi
A presentation I gave at the first b-sides Las Vegas security conference showing the security challenges we face going forward in the era of open-by-default social networking.
Ethereum Devcon1 Report (summary writing) - Tomoaki Sato
Ethereum Devcon1 in London, 27th November. By Tomoaki Sato. I have been to the conference, so I wrote this summary and am presenting it in Japan. The meetup name is "Smart Contract Japan". Some of the presentations are missing, or added.
Please also refer to these official sources:
Devcon
http://devcon.ethereum.org/
Devcon1 youtube presentations
https://www.youtube.com/user/ethereumproject
Devcon1 slides on reddit
https://www.reddit.com/r/ethereum/comments/3soym7/devcon_1_slides/
Patterns to Bring Enterprise and Social Identity to the Cloud - CA API Management
In this session, we will look at strategies to incorporate identity into cloud applications. Enterprise identity or social login can both be a part of your go-to-cloud strategy, but you must plan for this upfront, rather than try to retrofit identity and access control at a later date.
The Many Flavors of OAuth - Understand Everything About OAuth2 - Khor SoonHin
APIdays San Francisco 31 Jul 2018
https://oauth.io
Describe the what, why and how of OAuth2.
Provide an easy way to remember all OAuth2 grant types/flows through a 'spot the difference' image comparing all 4 grant types.
Provide a quick reference showing all the steps in all OAuth2 grant types side-by-side.
Introduce the new identity layers on OAuth2 that offer authentication on top of authorization: OpenID Connect and IndieAuth.
Describe the role of OAuth.io in:
1. Standardizing all the different OAuth2 implementations of different providers, e.g., Facebook, Twitter, etc., by hiding them behind OAuth.io's API endpoints
2. Accelerating adoption of new OAuth2 standards by providing a shim layer that implements those standards on behalf of OAuth providers
BotCommons: Metadata for Bots - Devoxx 2017 - Cisco DevNet
The lack of common practices around bot software makes it difficult to implement automated tooling for bots (such as discovery, version transitioning, bot status) as well as to inform end users efficiently (such as bot commands, usage policy, feedback submission, point of contact for support).
The goal of the BotCommons project is to define common industry practices for publishing metadata about bots.
This BOF is about sharing current thoughts and driving the initiative further with developer communities and industry professionals.
https://cfp.devoxx.be/2017/talk/HHX-6365/BotCommons:_Metadata_for_Bots
JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language? Before dismissing the (in)security posture of JavaScript on the grounds of it being a client-side problem, consider the impact of JavaScript vulnerability exploitation on the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal.
ASFWS 2012 - Circumventing the Terms of Use and the API of the Twitter Service, by Nicolas Seriot
1. Abusing Twitter API
Nicolas Seriot
Application Security Forum - 2012
Western Switzerland
7-8 November 2012
Y-Parc / Yverdon-les-Bains
https://www.appsec-forum.ch
3. Bio
• Cocoa developer
• HES Software Engineer
• MAS Eco. Crime Investigation
• Twitter user since July, 2008
• Father of a newborn
5. Tweets/day
[Timeline figure, 2006-2012. Labels legible on the slide: Twitter launch; verified accounts (celebrities); promo. trending topics; Dick Costolo CEO; promo. tweets; web; mobile; no more RSS; Tweetie buyout; TweetDeck buyout; stricter ToS, display guidelines; last OS X client update; tweets/day markers 5000, 1M, 22, 50, 65, 140M; now $8 billion valuation, 340M, top-10 most visited websites. API row: HTTP Basic Authentication, OAuth, API v. 1.0, API v. 1.1.]
6. March 2013: Maximum Evilness
“We’re trying to limit certain use cases
that occupy the upper-right quadrant.”
https://dev.twitter.com/blog/changes-coming-to-twitter-api
7. • The author’s name and @username must be displayed to the right of the avatar.
• Reply, Retweet and Favorite Tweet actions must always be available.
• No other 3rd party actions similar to Follow, Reply, Retweet may be attached to a Tweet.
• The Twitter logo or Follow button for the Tweet author must always be displayed.
• The Tweet timestamp must always be linked to the Tweet permalink.
• A timeline must not be rendered with non-Twitter content. e.g. from other networks.
https://dev.twitter.com/terms/display-requirements
8. • Max. 100’000 users per Twitter client app.
• “Twitter discourages development in this area”
https://dev.twitter.com/terms/api-terms
"Developers ask us if they should build client apps that mimic or reproduce the mainstream Twitter consumer client experience. The answer is no."
"We need to move to a less fragmented world, where every user can experience Twitter in a consistent way."
https://groups.google.com/forum/#!msg/twitter-development-talk/yCzVnHqHIWo/sC34r_ZyMLYJ
9. Developers ♥ Stupid Rules!
"Twitter obviously wants to make money by advertising in the stream. This will be impossible if all of the mechanisms aren't implemented to spec within a client. They need full control of how the information is presented, and do not have the bandwidth to micromanage ads with third parties to prevent fraud, poor presentation, etc,"
http://www.theverge.com/2012/7/9/3135406/twitter-api-open-closed-facebook-walled-garden
10. Breaking the Rules
• OAuth authentication for every API request
• "We reserve the right to revoke your app"
https://dev.twitter.com/terms/api-terms
• Can a rogue client spoof the identity of a regular client and use the API as it wants?
20. /usr/bin/gdb
$ gdb attach <PID of OS X accountsd>
(gdb) b -[OACredential consumerKey]
(gdb) finish
(gdb) po $rax
tXvOrlJDmLnTfiUqJ3Kuw
(gdb) b -[OACredential consumerSecret]
(gdb) finish
(gdb) po $rax
AWcB**************************************
21. /usr/bin/gdb
$ gdb attach <PID of iPhoneSimulator accountsd>
(gdb) b -[OACredential consumerKey]
(gdb) finish
(gdb) po (int*)$eax
WXZE9QillkIZpTANgLNT9g
(gdb) b -[OACredential consumerSecret]
(gdb) finish
(gdb) po (int*)$eax
Aau5**************************************
demo
26. OS X Twitter Credentials
Accounts.framework
@nst021
xxxxxx
27. Can use OS X consumer tokens… or can use custom consumer tokens.
[Class diagram. Elements on the slide: STTwitterAPIWrapper (+ twitterAPIWith..., - getHomeTimeline, - postStatus), STTwitter, STTwitterOAuthProtocol, STTwitterOAuth, STOAuthOSX, STHTTPRequest, Accounts.framework, Social.framework]
31. 1. Taking OAuth from the web to the Desktop was a conceptual error. Consumer tokens simply cannot be kept secret on the Desktop.
2. Twitter cannot realistically revoke keys from popular clients, especially from OS X / iOS.
3. xAuth brings nothing more than HTTP Digest Authentication, and sends the password in the request token phase.
4. OAuth cannot reliably identify the client, and additionally puts the users at risk.
OAuth Session Fixation Attack Demo
33. 5. I have to conclude that the real grounds for using OAuth is neither “security” nor spam fighting but the desire to control third-party client applications to please big media, consumers and advertisers.
6. Sadly for Twitter, ensuring that the requests come from a certain client application is a very hard problem, and I am not sure if it can be solved.