Year-end presentation for the Cypris Chat English learning community in Second Life, 2010. Presented by Mike McKay (aka Professor Merryman)
Presentations and data are made public to help further publicize the benefits of language learning in spatial-voice-enabled, realistic virtual worlds. We recognize that there simply is no better way to receive immediate exposure to the language with so much fun. It being free, at Cypris Chat, makes this even better.
I did a Pecha Kucha in Second Life and then did a Pecha Kucha about doing a Pecha Kucha in Second Life in real life. That's a lot of Pecha Kuchas.
My approach was to describe a class project. Students are told they are world reporters and have to go somewhere in the world. When they return they will give us a presentation on what they saw. In this particular assignment they need to tell us in 10 slides, each timed for 20 seconds, what they were thinking when they took the shot.
The next part of the presentation was showing how this could be done in a virtual world where students could share with other people from around the world. I described Cypris Chat and Cypris Society as well. It turned out to be quite entertaining, I think.
Determining Your Community's Competitive Advantage For The Creative Sector - Emily Robson
Michael Florio, from OMAFRA's rural community development branch, will provide an overview of a 'new' practical economic analysis tool being developed to help communities identify their competitive advantages in the creative/cultural sector. As part of this overview, Michael will explain how the information can systematically be used by a community/region to inform the development of a local strategy/action plan to grow the creative/cultural sector in a community/region.
Wealth Creation through Creation of Intellectual Property Rights, by Vijay Pal Dalmia, Advocate, IPR Lawyer, Delhi High Court, Partner and Head, IP & IT Laws Division, Vaish Associates Advocates
Presentation about learning English in the virtual world of Second Life. A proven way to help motivate learners and create immersive learning opportunities.
Virtual World Integration Steps for EFL in Japan - Mike McKay
A presentation I gave at JALT and ETJ about integrating virtual worlds into higher education language learning. A step-by-step approach. Mike McKay - Mukogawa Women's University
20 ways to kill your blog without noticing - Veselin Nikolov
The presentation is meant to make you think before you "improve" something. Improvements often have a fatal dark side that can bury your blog or site.
14. Passwords and hashes
1. Passwords
Bad idea: ...SET pass='$pass'
Bad idea: md5( $pass )
Good idea: crypt with a good algorithm and a random salt for every password.
16. Passwords and hashes
2. Something predictable + md5 without a salt
md5( $user . $password );
Rainbow tables
Google attacks (Tonimir - @kisasondi)
3. md5 of something predictable
md5( $user_id )
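Added example, not code from the original slides: the md5() habits above next to password_hash(), which supplies what slide 14 asks for (a slow algorithm and a random salt per password) in one call. The passwords and the cost setting are constructed for the demonstration.

```php
<?php
// Added example, not code from the original slides. It puts the slide's
// md5() habits next to password_hash(), which supplies what slide 14 asks
// for (a slow algorithm and a random salt per password) in one call.
// The passwords below are constructed for the demonstration.

// Slide 14/16: fast, unsalted, and identical for every user with that
// password, so one rainbow table or web search recovers all of them at once.
function weak_hash(string $password): string
{
    return md5($password);
}

// Slide 16: prefixing a predictable value is not a salt. The attacker knows
// $user as well and precomputes md5("alice" . $candidate) just as cheaply.
function weak_salted_hash(string $user, string $password): string
{
    return md5($user . $password);
}

// Slide 14's "good idea": bcrypt through password_hash(). It draws a random
// 128-bit salt from the CSPRNG and stores it inside the returned string, so
// nothing else has to be kept next to the hash. cost 12 makes every guess
// take a noticeable fraction of a second, for the attacker as much as for you.
function strong_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_login(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Two users pick the same password: the bcrypt strings still differ.
$h1 = strong_hash('correct horse');
$h2 = strong_hash('correct horse');
if ($h1 === $h2) {
    throw new RuntimeException('bcrypt hashes must differ: the salt is missing');
}
if (!check_login('correct horse', $h1) || check_login('correct horse battery', $h1)) {
    throw new RuntimeException('password_verify() gave the wrong answer');
}
// On a successful login, upgrade hashes made with an older cost or algorithm.
if (password_needs_rehash($h1, PASSWORD_BCRYPT, ['cost' => 12])) {
    $h1 = strong_hash('correct horse');
}
// A bcrypt string carries its own parameters: "$2y$12$", 22 characters of salt, 31 of hash.
echo "md5:        ", weak_hash('correct horse'), "\n";
echo "md5 + user: ", weak_salted_hash('alice', 'correct horse'), "\n";
echo "bcrypt:     ", $h1, "\n";
```

password_verify() reads the algorithm, cost and salt back out of the stored string, so the database column only ever holds that one value; the check for password_needs_rehash() is what lets you raise the cost later without forcing a password reset.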
17. Passwords and hashes
4. Forgotten debug statements
error_log( print_r( $_POST ) )
wp_mail( ..., ..., print_r( $_POST ) )
Tables full of debug information
33. XSS
Incorrect validation of IDs
2. Missing ^ and $ in the regexp
if ( ! preg_match( '/[a-z0-9_-]/i', $myfield ) )
    return 'You are trying to hack me!';
// $myfield = '<script ...' gets through: without anchors, one matching character anywhere in the string is enough
34. XSS
The same with URL validation - script src
2. Missing ^ and $ in the RegExp
if ( preg_match( '!https?://(www.)*good-host.com/js/!i', $myjs ) )
// $myjs = 'http://dzver.com/bad.js?http://good-host.com/js/' gets through: without ^ the match may start inside the query string
if ( preg_match( '!^http://good-host.com!', $myjs ) )
// $myjs = 'http://good-host.com.dzver.com' gets through: without $ anything may follow the host
35. XSS
Incorrect URL validation
3. The dot in a RegExp is a wildcard.
if ( preg_match( '!^https?://(www.)*good-host.com/js/!i', $myjs ) ) ...
// $myjs = 'http://wwwwgood-host.com/js/' gets through: the unescaped dot in (www.) matches the fourth w, and the one in .com would match any character as well; escape literal dots with a backslash
36. XSS
Incorrect URL validation
4. / allowed in the host
if ( ! preg_match( '!^https?://[^.]+.whatever.com/.+$!i', $myjs ) )
// $myjs = 'http://3254656436/or.whatever.com/evil.js' gets through: [^.]+ also matches /, so the real host is the decimal IP 3254656436 and or.whatever.com is just part of the path
// $myjs = '<script.../.whatever.com/'
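Added example, not code from the original slides: the slide's unanchored, unescaped pattern next to two fixes, an anchored and escaped regexp and a checker that parses the URL with parse_url() and compares the host literally. The allowed origin good-host.com and the /js/ prefix come from the slides; the test URLs are constructed, and the userinfo case is my own addition.

```php
<?php
// Added example, not code from the original slides. The allowed origin
// (good-host.com, optionally with www.) and the /js/ path prefix are taken
// from the slides; the URLs below are constructed for the demonstration.

// Slide 34/35: no ^ or $, and every . is a wildcard.
function loose_check(string $url): bool
{
    return preg_match('!https?://(www.)*good-host.com/js/!i', $url) === 1;
}

// Fix 1: anchor both ends, escape the dots, allow one optional "www." label
// and a conservative path character set. The D modifier makes $ match only
// at the very end of the subject, not before a trailing newline.
function anchored_check(string $url): bool
{
    return preg_match('!^https?://(www\.)?good-host\.com/js/[A-Za-z0-9_./-]+$!iD', $url) === 1;
}

// Fix 2: do not pattern-match the whole URL at all. Parse it, reject any
// component that has no business being there (userinfo, port), and compare
// scheme, host and path prefix literally.
function parsed_check(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return false;
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (!in_array(strtolower($p['host']), ['good-host.com', 'www.good-host.com'], true)) {
        return false;
    }
    return strncmp($p['path'], '/js/', 4) === 0;
}

// Constructed inputs: a legitimate URL, the two bypasses from the slides,
// and a userinfo trick. parse_url() shows why the last one is wrong: the
// host is dzver.com and "good-host.com" is the user name.
$cases = [
    'http://good-host.com/js/app.js',
    'http://dzver.com/bad.js?http://good-host.com/js/',
    'http://wwwwgood-host.com/js/evil.js',
    'http://good-host.com@dzver.com/js/evil.js',
];
foreach ($cases as $url) {
    printf("%-50s loose=%d anchored=%d parsed=%d\n", $url,
        loose_check($url), anchored_check($url), parsed_check($url));
}
```

Only the first URL should pass all three checks; the second and third pass loose_check() and nothing else. In practice parsed_check() is the one to keep: a regexp has to anticipate every way a URL can be shaped, whereas an exact host comparison after parsing does not.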
37. XSS
Bonus - printf instead of sprintf / wrong order
echo htmlspecialchars( printf( $name ) );
// printf() has already written $name to the page unescaped; it returns the number of bytes written, and that number is all htmlspecialchars() ever sees
38. XSS
Is this safe:
<script>
var a = '<?php echo $_POST['a']; ?>'
</script>
?
39. XSS + XSRF
It is not.
<!-- method="post" so that the value arrives in $_POST -->
<form action="http://good-host.com" method="post">
<input name=a value="'; alert(7)//">
</form>
<script>
document.forms[0].submit()
</script>
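Added example, not code from the original slides: the template from slide 38 next to a version that encodes the value for the JavaScript context it lands in. The payload is the one from slide 39, constructed here as a request body.

```php
<?php
// Added example, not code from the original slides. The request body below
// is constructed to match the auto-submitting form on slide 39.

// Slide 38: the value is dropped into a single-quoted JS string verbatim.
function render_unsafe(array $post): string
{
    return "<script>\nvar a = '" . $post['a'] . "';\n</script>";
}

// Fix: let json_encode() produce the JS literal, quotes included.
// The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so the value can
// neither close the string nor the <script> element (a "</script>" inside
// it becomes \u003C\/script\u003E). htmlspecialchars() is the wrong tool
// here: this is a JavaScript context, not an HTML one.
function js_literal($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

function render_safe(array $post): string
{
    return "<script>\nvar a = " . js_literal($post['a'] ?? '') . ";\n</script>";
}

$post = ['a' => "'; alert(7)//"];

// Self-check: the literal must be a double-quoted string whose interior
// contains no raw quote, angle bracket or ampersand.
$literal = js_literal($post['a']);
if ($literal[0] !== '"' || substr($literal, -1) !== '"'
    || strpbrk(substr($literal, 1, -1), "\"'<>&") !== false) {
    throw new RuntimeException('raw metacharacters leaked into the script');
}

echo render_unsafe($post), "\n\n", render_safe($post), "\n";
```

The unsafe rendering contains the line `var a = ''; alert(7)//';`, which runs the alert; the safe one contains a single string literal in which the apostrophe has become \u0027. Encoding with json_encode() also handles arrays and nested values, which a hand-written addslashes() would not.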
42. XSRF
Nonces - cryptographic number used only once
In WordPress:
$nonce = wp_create_nonce( 'my-nonce' );
$url = "...&nonce=$nonce";
// on the receiving side $nonce is the value that arrived with the request; verify that one, not the one you just created
if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) )
    wp_redirect() // takes the URL to send the user to; the action below must not run for a forged request
43. XSRF
Sometimes you have to implement nonces yourself.
Use the CSPRNG for the value and a constant-time comparison: md5( salt . mktime() ) is guessable to the second, and == compares md5 strings that look like "0e123..." as numbers.
function generate_nonce( $id ) {
    if ( empty( $_SESSION['nonces'][$id] ) )
        $_SESSION['nonces'][$id] = bin2hex( random_bytes( 16 ) );
    return $_SESSION['nonces'][$id];
}
function verify_nonce( $id, $nonce ) {
    return ! empty( $_SESSION['nonces'][$id] ) &&
        hash_equals( $_SESSION['nonces'][$id], (string) $nonce );
}
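Added example, not code from the original slides: an end-to-end anti-CSRF token flow built on the generate_nonce()/verify_nonce() idea above. It assumes the session is a plain array so the script runs from the command line (a web request would use $_SESSION the same way), and, unlike the slide's sketch, it binds each token to one action, gives it a lifetime, and deletes it after a successful check, so it really is a number used only once. The action name, lifetime and form markup are my own assumptions.

```php
<?php
// Added example, not code from the original slides. $session stands in for
// $_SESSION so the script runs from the CLI; action name and lifetime are
// assumptions made for the demonstration.

const NONCE_TTL = 600; // seconds a token stays valid

function generate_nonce(array &$session, string $action): string
{
    $token = bin2hex(random_bytes(16)); // CSPRNG, not md5(salt . mktime())
    $session['nonces'][$action] = ['token' => $token, 'expires' => time() + NONCE_TTL];
    return $token;
}

function verify_nonce(array &$session, string $action, ?string $nonce): bool
{
    $entry = $session['nonces'][$action] ?? null;
    if ($entry === null || $nonce === null) {
        return false;
    }
    if (time() > $entry['expires']) {
        unset($session['nonces'][$action]);
        return false;
    }
    if (!hash_equals($entry['token'], $nonce)) { // constant-time, no == juggling
        return false;
    }
    unset($session['nonces'][$action]); // consumed: a replay of the same request fails
    return true;
}

// The form the site renders for a logged-in user; the token rides along as
// a hidden field. A cross-site page can make the browser send the cookies,
// but it cannot read this value out of the victim's page.
function render_delete_form(array &$session): string
{
    $token = htmlspecialchars(generate_nonce($session, 'delete-post'), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/delete">'
        . '<input type="hidden" name="nonce" value="' . $token . '"></form>';
}

// The handler refuses anything that does not carry the token it issued.
function handle_delete(array &$session, array $post): string
{
    if (!verify_nonce($session, 'delete-post', $post['nonce'] ?? null)) {
        return 'rejected';
    }
    return 'deleted';
}

$session = [];
$html = render_delete_form($session);
preg_match('/value="([0-9a-f]+)"/', $html, $m);
$legit = ['nonce' => $m[1]];

// 1. A forged request (slide 39 style auto-submitting form) has no token or a guessed one.
if (handle_delete($session, ['nonce' => 'guess']) !== 'rejected') {
    throw new RuntimeException('forged request was accepted');
}
// 2. The genuine form submission succeeds...
if (handle_delete($session, $legit) !== 'deleted') {
    throw new RuntimeException('genuine request was rejected');
}
// 3. ...and replaying the same request does not.
if (handle_delete($session, $legit) !== 'rejected') {
    throw new RuntimeException('replay was accepted');
}
echo "forged: rejected, genuine: deleted, replay: rejected\n";
```

A failed comparison deliberately leaves the token in place; deleting it on every attempt would let an attacker who can trigger submissions lock the real user out of the form.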
44. Eval, Extract and the like
PHP-specific pitfalls
● eval( "something_clever( {$_GET['a']}" )
● extract( $_GET['a'] )
● create_function( "return 7 == $_GET['a']" )
● ``, system, assert, include, preg_replace
● Many others.
http://stackoverflow.com/questions/3115559/exploitable-php-functions
45. Example
$sql = sprintf( "UPDATE users SET password = '%s' WHERE user_id = %d",
    $_POST['password'],
    $_SESSION['user_id'] );
mysql_query( $sql );
46. SQL Injection
PREPARE
In WordPress we have $wpdb->prepare
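Added example, not code from the original slides: the sprintf() query from slide 45 next to a prepared statement. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension is loaded) so that it runs without a MySQL server; the users table, its rows and the attacker's input are constructed for the demonstration. Passwords are stored as given, as on the slide; real code hashes them first as slide 14 says.

```php
<?php
// Added example, not code from the original slides. Assumes pdo_sqlite;
// table, rows and payload are constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, password TEXT, is_admin INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO users (user_id, password, is_admin) VALUES (1, 'root-pw', 1), (7, 'old-pw', 0)");

// Slide 45: %s pastes the request value into the SQL text. %d only looks
// safe because sprintf() coerces that argument to an integer.
function update_password_sprintf(PDO $db, string $password, int $userId): void
{
    $sql = sprintf("UPDATE users SET password = '%s' WHERE user_id = %d", $password, $userId);
    $db->exec($sql);
}

// Slide 46: PREPARE. The statement is fixed before any value is seen; the
// value travels as a parameter and cannot change the statement's structure.
// WordPress equivalent:
//   $wpdb->prepare( "UPDATE users SET password = %s WHERE user_id = %d", $pw, $id )
// where wpdb adds the quotes around %s itself.
function update_password_prepared(PDO $db, string $password, int $userId): void
{
    $stmt = $db->prepare('UPDATE users SET password = :pw WHERE user_id = :id');
    $stmt->execute([':pw' => $password, ':id' => $userId]);
}

function is_admin(PDO $db, int $userId): bool
{
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $userId]);
    return (bool) $stmt->fetchColumn();
}

function stored_password(PDO $db, int $userId): string
{
    $stmt = $db->prepare('SELECT password FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $userId]);
    return (string) $stmt->fetchColumn();
}

// Constructed $_POST['password']: closes the quoted string, adds a second
// assignment, and comments out the rest, so user 7 "changes their password"
// into an admin account. The SQL that runs is:
//   UPDATE users SET password = 'x', is_admin = 1 WHERE user_id = 7 -- ' WHERE user_id = 7
$payload = "x', is_admin = 1 WHERE user_id = 7 -- ";

update_password_sprintf($db, $payload, 7);
if (!is_admin($db, 7)) {
    throw new RuntimeException('expected the sprintf() query to be injectable');
}

// Reset, then feed the same input to the prepared statement: it is stored as
// an odd-looking password and is_admin is untouched.
$db->exec('UPDATE users SET is_admin = 0 WHERE user_id = 7');
update_password_prepared($db, $payload, 7);
if (is_admin($db, 7) || stored_password($db, 7) !== $payload) {
    throw new RuntimeException('prepared statement did not neutralise the input');
}
echo "sprintf: is_admin flipped to 1; prepare: payload stored literally\n";
```

The same input, same table and same intent; the only difference is whether the value ever becomes part of the SQL string. With $wpdb->prepare() the placeholders look like sprintf()'s, but the arguments are escaped and quoted by wpdb before the query is assembled, which is why the slide points there.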