Has anyone else noticed that the OWASP Top 10 is not changing very much? Especially in the realm of authentication-related problems. I don't claim to have the one true solution for this, but one thing is certain: if we change how things are done on the web and relieve developers from having to store passwords, we can make things better.
We need to let web developers outsource their authentication needs to people who can do it well. Does that mean we should force all of our users to join Facebook? Well not really. That might work for some sites, but outsourcing all of our logins to a single for-profit company isn't a solution that works for the whole web.
The open web needs a better solution. One that enable users to choose their identity provider and shop for the most secure one if that's what they're into. This is the promise behind Persona and the BrowserID protocol. Choose your email provider carefully and let's get rid of all of these site-specific passwords that are just sitting there waiting to be leaked and cracked.
Apresentação na Pós-Graduação em Segurança da Informação:
- Sniffer de senhas em plain text;
- Ataque de brute-force no SSH;
- Proteção: Firewall, IPS e/ou TCP Wrappers;
- Segurança básica no sshd_config;
- Chaves RSA/DSA para acesso remoto;
- SSH buscando chaves no LDAP;
- Porque previnir o acesso: Fork Bomb
Apresentação na Pós-Graduação em Segurança da Informação:
- Sniffer de senhas em plain text;
- Ataque de brute-force no SSH;
- Proteção: Firewall, IPS e/ou TCP Wrappers;
- Segurança básica no sshd_config;
- Chaves RSA/DSA para acesso remoto;
- SSH buscando chaves no LDAP;
- Porque previnir o acesso: Fork Bomb
Users hate picking and having to remember them. Developers hate dealing with and storing them. Why are we still using passwords again? Surely there is a better way to log into websites.
This talk will introduce the technology behind Persona and the BrowserID protocol. Mozilla intends to solve the password problem on the web with a federated cross-browser system that is intensely focused on user experience and privacy.
We may not be able to get rid of all passwords, after all, you probably don't want to be subjected to a fingerprint check before leaving a comment on someone's blog, but we can eliminate site-specific passwords and replace them with something better: a decentralized system that's under the control of users, not a for-profit gatekeeper.
It's just four easy steps to add it to your site from scratch and there are already plugins for Drupal, CakePHP, Joomla, SPIP, Symfony2, Wordpress and PHPMyBB.
Securing the Web without site-specific passwordsFrancois Marier
Identity systems on the Web are a bit of a mess. Surely in 2013, we would have something else than usernames and passwords for logging into websites. A solution that doesn't require trusting a central authority.
It turns out that solving the general identity problem is very hard. Some of these solutions require complicated redirections, an overwhelming amount of jargon and lots of verbose XML. The technology has been around for a long time, but implementing it properly (and safely) is often incredibly difficult.
This talk will explore the challenges of the existing Web identity solutions and introduce the choices that we made during the development of Persona, a new cross-browser federated identity solution from Mozilla.
It will cover:
- a discussion of the complexities and privacy-related concerns that existing identity solutions have
- how crypto is used in Persona to provide both authentication and privacy
- the Persona federation approach: fully distributed with fallbacks
- demos and actual code from sites that have implemented Persona
- the basics of the Persona API so that attendees can go out and easily support this technology on their own sites
Trying to convince users to pick unique (and strong) passwords for each website is a losing battle. What we're proposing is a standard, built into browsers, that leverages the new security features that email providers are now offering. A simple federated solution to eliminate site-specific passwords.
A few people like to say that passwords are dead, but the reality is far from it. First of all, we can't get rid of passwords entirely, because the alternatives all suck: physical tokens are easy to lose and retina scans are pretty creepy. What we should focus on is eliminating site-specific passwords.
Mozilla Persona was introduced at OSDC last year, but a number of new things have been added to it since. But more importantly, it's still the best shot we have at a decentralized web-wide identity system that works for average users and doesn't violate their privacy.
So I'm back to show you what's new and to talk about what organizations can gain from adding native support on their domain. It's time to solve the password problem on the web.
Passwords are a big problem on the Web. Users pick bad ones and re-use them all over the place, developers can’t seem to be able to secure them. We need something better, but almost all of the new login systems for the Web rely on centralised gate keepers. We can do better than this.
Persona is a new way of logging users in. It’s simple, decentralised and allows users to choose who can vouch for them. It’s also designed to provide meaningful privacy to all users regardless of their level of expertise.
This talk will highlight the main features of Persona and introduce the crypto behind its underlying protocol, BrowserID. It will also provide an overview of what organisations can do to support Persona natively on their domains.
The problem with passwords on the web and what to do about itFrancois Marier
Handling user passwords safely is hard, but replacing passwords on the web in a reasonable way is even harder. Really, this should have been in the browser all along. This is where Persona comes in.
Handling user passwords safely is hard, but replacing passwords on the web in a reasonable way is even harder. Really, this should have been in the browser all along. In this talk you we will see how Persona attempts to solve this issue.
Users hate picking and having to remember them. Developers hate dealing with and storing them. Why are we still using passwords again? Surely there is a better way to log into websites.
This talk will introduce the technology behind Persona and the BrowserID protocol. Mozilla intends to solve the password problem on the web with a federated cross-browser system that is intensely focused on user experience and privacy.
We may not be able to get rid of all passwords, after all, you probably don’t want to be subjected to a fingerprint check before leaving a comment on someone’s blog, but we can eliminate site-specific passwords and replace them with something better: a decentralized system that’s under the control of users, not a for-profit gatekeeper.
It’s just four easy steps to add it to your Ruby site/app from scratch and there are already plugins for Devise, Omniauth, Rails, Sinatra, and Warden.
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication SecurityYu-Shuan Hsieh
In this session, we will review the basic Web authentication and point out security risks of these methods.
To address security issues of user authentication, we will introduce the concept of OTP authentication and how to integrate OTP authentication into your applications.
We also introduce WebAuthn which is a good way to strengthen application's security.
Even the LastPass Will be Stolen Deal with It!Martin Vigo
Password managers have become very popular as a solution to avoid reusing passwords. With that in mind, password managers are a prized target for pentesters and attackers. If a password manager is compromised, the consequences are catastrophic as all the victim's secrets reside in the vault. One breach to get it all.
LastPass is arguably one of the most popular password managers in the market. Over 10,000 corporate customers ranging in various sizes including Fortune 500's rely on LastPass to protect all their data.
Research has been done on how to attack password managers but it has all focused on leaking specific credentials from the vault. LastPass not only stores credentials, but also bank accounts, ssh keys, personal records, etc. Therefore, we focused our research on finding the silver bullet to gain full access to the vault and steal all the secrets. By reversing LastPass plugins, we found several ways to do so. We will demonstrate how it is possible to steal and decrypt the master password. We also found how it is possible to abuse account recovery to ultimately obtain the encryption key for the vault. In addition, we discovered ways to bypass 2 factor authentication.
We wrote a Metasploit module that takes care of all of this. The module is able to search for all LastPass data in the machine comprising all accounts present. It will find and decrypt the master password, it will derive the encryption key for the vault, it will find the 2FA trust token and it will steal the vault so it can be decrypted. All secrets in the vault will be printed out for the pen-tester's satisfaction.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
When speed and latency counts, there is no place for standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of own cryptography, revertible hash algorithms and no access control at all.
We would like to present our approach and a short guideline how to reverse engineer proprietary protocols. To demonstrate, we will show you few case-studies, which in our opinion are a quintessence of ""security by obscurity"" - the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored in LastPass' servers but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is a important target for any attacker.
The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors but the focus is on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need of the master password. Two different attacks to achieve the same goal, full access to the vault. But given that LastPass supports 2 factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process. Stealing the master password, leaking the encryption key and bypassing 2 factor authentication.
What I learned about IoT Security ... and why it's so hard!Christoph Engelbert
Smart devices taking over our living rooms, our bed rooms, and, in general, our life. It has never been more important to build secure devices, but most companies seem to fail, and they fail hard. We (only) build systems for farms and barns, and still, I wanted security for Cow-stumers.
Building a mostly secure system is fairly simple. There is a good set of low-hanging fruits. Building a really locked down system is tough, though. Much harder than expected. Here is what I learned.
Mobile Bitcoin Wallet Security - Andras MendikBitcoin Barcamp
In Andy's technical talk on Mobile Bitcoin Wallet Security: Security is everyone's responsibility, he gives a great overview on wallet storage and then deep dive on how encryption works as well as the gaps to be aware of.
While Andy works for Sophos, these thoughts are his own.
This was first presented at the Bitcoin Barcamp in Sydney on 15th March 2014. To view the full talk or find more presentations from Australia's first pop-up unConference on cryptocurrency innovation, go to www.bitcoinbarcamp.org
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
The boom of AI brought to the market a set of impressive solutions both on the hardware and software side. On the other hand, massive implementation of AI in various areas brings about problems, and security is one of the greatest concerns.
In this talk we will present results of hands-on vulnerability research of different components of AI infrastructure including NVIDIA DGX GPU servers, ML frameworks such as Pytorch, Keras and Tensorflow, data processing pipelines and specific applications, including Medical Imaging and face recognition powered CCTV. Updated Internet Census toolkit based on the Grinder framework will be introduced.
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
Christiaan F Beek, McAfee
Jay Rosenberg, Intezer Labs
The Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, 10 Days of Rain attacks are all believed to originate from North Korea. But how can they be attributed with certainty? And what connection does a DDoS and disk wiping attack from July 4 2009, have with WannaCry, one of the largest cyber-attacks in the history of the cyber-sphere?
We have conducted a comparative research over more than 10 years of malware and tools being used by North Korean adversaries. The results were intriguing and we will share our discoveries but also hunt tactics during our talk. We discovered new links between campaigns and were able to group malware families towards actor groups and discovere interesting patterns.
Security and Privacy settings for Firefox Power UsersFrancois Marier
Web browsers have a difficult job to do: they need to perform remote code execution from untrusted locations in the presence of user data. In other words, they need to display websites that people use to share their information.
There is a constant struggle between making the web more secure and breaking existing websites that rely on the historically lax defaults. We are working hard to raise the bar, but are also making powerful new features available to the Firefox power users.
This talk will examine some of the hidden or advanced settings and extensions that Firefox offers to users who are concerned about their security and privacy. With a little bit of context on the benefits and risks that some of these features provide, you should be able to make informed decisions and tweak your favorite "user agent".
https://www.linuxfestnorthwest.org/2017/sessions/security-and-privacy-settings-firefox-power-users
Getting Browsers to Improve the Security of Your WebappFrancois Marier
Most web developers have some knowledge of input sanitization and encryption, but what happens when you forget an edge case or when users are connected to a rogue access point?
Through the use of technologies like strict transport security, content security policy, sub-resource integrity, and the referrer policy, web developers can instruct browsers to add a second layer of defenses against the most common attacks.
More Related Content
Similar to Securing the Web without site-specific passwords
Users hate picking and having to remember them. Developers hate dealing with and storing them. Why are we still using passwords again? Surely there is a better way to log into websites.
This talk will introduce the technology behind Persona and the BrowserID protocol. Mozilla intends to solve the password problem on the web with a federated cross-browser system that is intensely focused on user experience and privacy.
We may not be able to get rid of all passwords, after all, you probably don't want to be subjected to a fingerprint check before leaving a comment on someone's blog, but we can eliminate site-specific passwords and replace them with something better: a decentralized system that's under the control of users, not a for-profit gatekeeper.
It's just four easy steps to add it to your site from scratch and there are already plugins for Drupal, CakePHP, Joomla, SPIP, Symfony2, Wordpress and PHPMyBB.
Securing the Web without site-specific passwordsFrancois Marier
Identity systems on the Web are a bit of a mess. Surely in 2013, we would have something else than usernames and passwords for logging into websites. A solution that doesn't require trusting a central authority.
It turns out that solving the general identity problem is very hard. Some of these solutions require complicated redirections, an overwhelming amount of jargon and lots of verbose XML. The technology has been around for a long time, but implementing it properly (and safely) is often incredibly difficult.
This talk will explore the challenges of the existing Web identity solutions and introduce the choices that we made during the development of Persona, a new cross-browser federated identity solution from Mozilla.
It will cover:
- a discussion of the complexities and privacy-related concerns that existing identity solutions have
- how crypto is used in Persona to provide both authentication and privacy
- the Persona federation approach: fully distributed with fallbacks
- demos and actual code from sites that have implemented Persona
- the basics of the Persona API so that attendees can go out and easily support this technology on their own sites
Trying to convince users to pick unique (and strong) passwords for each website is a losing battle. What we're proposing is a standard, built into browsers, that leverages the new security features that email providers are now offering. A simple federated solution to eliminate site-specific passwords.
A few people like to say that passwords are dead, but the reality is far from it. First of all, we can't get rid of passwords entirely, because the alternatives all suck: physical tokens are easy to lose and retina scans are pretty creepy. What we should focus on is eliminating site-specific passwords.
Mozilla Persona was introduced at OSDC last year, but a number of new things have been added to it since. But more importantly, it's still the best shot we have at a decentralized web-wide identity system that works for average users and doesn't violate their privacy.
So I'm back to show you what's new and to talk about what organizations can gain from adding native support on their domain. It's time to solve the password problem on the web.
Passwords are a big problem on the Web. Users pick bad ones and re-use them all over the place, developers can’t seem to be able to secure them. We need something better, but almost all of the new login systems for the Web rely on centralised gate keepers. We can do better than this.
Persona is a new way of logging users in. It’s simple, decentralised and allows users to choose who can vouch for them. It’s also designed to provide meaningful privacy to all users regardless of their level of expertise.
This talk will highlight the main features of Persona and introduce the crypto behind its underlying protocol, BrowserID. It will also provide an overview of what organisations can do to support Persona natively on their domains.
The problem with passwords on the web and what to do about itFrancois Marier
Handling user passwords safely is hard, but replacing passwords on the web in a reasonable way is even harder. Really, this should have been in the browser all along. This is where Persona comes in.
Handling user passwords safely is hard, but replacing passwords on the web in a reasonable way is even harder. Really, this should have been in the browser all along. In this talk you we will see how Persona attempts to solve this issue.
Users hate picking and having to remember them. Developers hate dealing with and storing them. Why are we still using passwords again? Surely there is a better way to log into websites.
This talk will introduce the technology behind Persona and the BrowserID protocol. Mozilla intends to solve the password problem on the web with a federated cross-browser system that is intensely focused on user experience and privacy.
We may not be able to get rid of all passwords, after all, you probably don’t want to be subjected to a fingerprint check before leaving a comment on someone’s blog, but we can eliminate site-specific passwords and replace them with something better: a decentralized system that’s under the control of users, not a for-profit gatekeeper.
It’s just four easy steps to add it to your Ruby site/app from scratch and there are already plugins for Devise, Omniauth, Rails, Sinatra, and Warden.
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication SecurityYu-Shuan Hsieh
In this session, we will review the basic Web authentication and point out security risks of these methods.
To address security issues of user authentication, we will introduce the concept of OTP authentication and how to integrate OTP authentication into your applications.
We also introduce WebAuthn which is a good way to strengthen application's security.
Even the LastPass Will be Stolen Deal with It!Martin Vigo
Password managers have become very popular as a solution to avoid reusing passwords. With that in mind, password managers are a prized target for pentesters and attackers. If a password manager is compromised, the consequences are catastrophic as all the victim's secrets reside in the vault. One breach to get it all.
LastPass is arguably one of the most popular password managers in the market. Over 10,000 corporate customers ranging in various sizes including Fortune 500's rely on LastPass to protect all their data.
Research has been done on how to attack password managers but it has all focused on leaking specific credentials from the vault. LastPass not only stores credentials, but also bank accounts, ssh keys, personal records, etc. Therefore, we focused our research on finding the silver bullet to gain full access to the vault and steal all the secrets. By reversing LastPass plugins, we found several ways to do so. We will demonstrate how it is possible to steal and decrypt the master password. We also found how it is possible to abuse account recovery to ultimately obtain the encryption key for the vault. In addition, we discovered ways to bypass 2 factor authentication.
We wrote a Metasploit module that takes care of all of this. The module is able to search for all LastPass data in the machine comprising all accounts present. It will find and decrypt the master password, it will derive the encryption key for the vault, it will find the 2FA trust token and it will steal the vault so it can be decrypted. All secrets in the vault will be printed out for the pen-tester's satisfaction.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
When speed and latency counts, there is no place for standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of own cryptography, revertible hash algorithms and no access control at all.
We would like to present our approach and a short guideline how to reverse engineer proprietary protocols. To demonstrate, we will show you few case-studies, which in our opinion are a quintessence of ""security by obscurity"" - the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored in LastPass' servers but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is a important target for any attacker.
The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors but the focus is on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need of the master password. Two different attacks to achieve the same goal, full access to the vault. But given that LastPass supports 2 factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process. Stealing the master password, leaking the encryption key and bypassing 2 factor authentication.
What I learned about IoT Security ... and why it's so hard!Christoph Engelbert
Smart devices taking over our living rooms, our bed rooms, and, in general, our life. It has never been more important to build secure devices, but most companies seem to fail, and they fail hard. We (only) build systems for farms and barns, and still, I wanted security for Cow-stumers.
Building a mostly secure system is fairly simple. There is a good set of low-hanging fruits. Building a really locked down system is tough, though. Much harder than expected. Here is what I learned.
Mobile Bitcoin Wallet Security - Andras MendikBitcoin Barcamp
In Andy's technical talk on Mobile Bitcoin Wallet Security: Security is everyone's responsibility, he gives a great overview on wallet storage and then deep dive on how encryption works as well as the gaps to be aware of.
While Andy works for Sophos, these thoughts are his own.
This was first presented at the Bitcoin Barcamp in Sydney on 15th March 2014. To view the full talk or find more presentations from Australia's first pop-up unConference on cryptocurrency innovation, go to www.bitcoinbarcamp.org
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
The boom of AI brought to the market a set of impressive solutions both on the hardware and software side. On the other hand, massive implementation of AI in various areas brings about problems, and security is one of the greatest concerns.
In this talk we will present results of hands-on vulnerability research of different components of AI infrastructure including NVIDIA DGX GPU servers, ML frameworks such as Pytorch, Keras and Tensorflow, data processing pipelines and specific applications, including Medical Imaging and face recognition powered CCTV. Updated Internet Census toolkit based on the Grinder framework will be introduced.
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
Christiaan F Beek, McAfee
Jay Rosenberg, Intezer Labs
The Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, 10 Days of Rain attacks are all believed to originate from North Korea. But how can they be attributed with certainty? And what connection does a DDoS and disk wiping attack from July 4 2009, have with WannaCry, one of the largest cyber-attacks in the history of the cyber-sphere?
We have conducted a comparative research over more than 10 years of malware and tools being used by North Korean adversaries. The results were intriguing and we will share our discoveries but also hunt tactics during our talk. We discovered new links between campaigns and were able to group malware families towards actor groups and discovere interesting patterns.
Similar to Securing the Web without site-specific passwords (20)
Security and Privacy settings for Firefox Power UsersFrancois Marier
Web browsers have a difficult job to do: they need to perform remote code execution from untrusted locations in the presence of user data. In other words, they need to display websites that people use to share their information.
There is a constant struggle between making the web more secure and breaking existing websites that rely on the historically lax defaults. We are working hard to raise the bar, but are also making powerful new features available to the Firefox power users.
This talk will examine some of the hidden or advanced settings and extensions that Firefox offers to users who are concerned about their security and privacy. With a little bit of context on the benefits and risks that some of these features provide, you should be able to make informed decisions and tweak your favorite "user agent".
https://www.linuxfestnorthwest.org/2017/sessions/security-and-privacy-settings-firefox-power-users
Getting Browsers to Improve the Security of Your WebappFrancois Marier
Most web developers have some knowledge of input sanitization and encryption, but what happens when you forget an edge case or when users are connected to a rogue access point?
Through the use of technologies like strict transport security, content security policy, sub-resource integrity, and the referrer policy, web developers can instruct browsers to add a second layer of defenses against the most common attacks.
The Web can be a hostile place, full of deceptive and malicious sites trying to install software on your computer or steal your personal information. However, you have a friend on your side: your user agent (also called your web browser).
This talk will examine some of the hidden or advanced settings and extensions that Firefox offers to users who are concerned about their security and privacy. While we at Mozilla strive to bring these features to all of our users, the reality is that it's sometimes challenging to balance the need for maximum web compatibility and standards compliance with the desire to phase out harmful practices. With a little bit of context on the benefits and risks that some of these features provide, you should be able to make informed decisions and tweak your favorite user agent.
https://osem.seagl.org/conference/seagl2016/program/proposal/188
In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up (e.g. Referrer Policy, Subresource Integrity).
As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2016. In addition to that, the non-profit behind Firefox is experimenting with new ways to protect its users, building on Google's Safe Browsing technology to defend users against tracking.
This talk will introduce developers to the security features of the web platform they can use today and show end-users how they can harden their Firefox browser.
https://www.linuxfestnorthwest.org/2016/sessions/security-and-privacy-web-2016
Surveillance is a growing concern in Europe, and Mozilla believes that privacy and security should be treated as fundamental and not optional in the browsing experience. That's why Firefox has introduced new features for tracking protection and private browsing. Do not track is not only a way to navigate the web, it might also become part of a new privacy law in the EU. We will discuss how this has been implemented in the newest version of Firefox, next steps, and why it's important to have transparency and control in our online experiences.
https://fosdem.org/2016/schedule/event/mozilla_privacy_tracking_protection_firefox/
In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity). In addition to getting familiar with these, a number of recent high-profile bugs in the SSL/TLS protocol and implementations have forced developers to learn more about TLS ciphers and to start worrying about mixed content on their pages.
As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. This talk will give an overview of the security and privacy landscape on the web as well as pointers to what developers need to know to secure their applications.
https://2015.rmll.info/security-and-privacy-on-the-web-in-2015?lang=en
Integrity protection for third-party JavaScriptFrancois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification and a few early adopters such as Github are currently evaluating this feature.
Integrity protection for third-party JavaScriptFrancois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.
Supporting Debian machines for friends and familyFrancois Marier
Many Debian developers find themselves providing some form of technical support to friends and family. Achieving the mystical five nines is well beyond the means of an amateur sysadmin like myself, but giving my dad reliable boxes to use can be achieved without eating all of my free time.
This talk will draw on my experience supporting and maintaining my dad's Debian-based computers. I will briefly describe the hardware setup, introduce some useful packages and share some configuration hints. Areas of focus will include system updates, reliability, monitoring and security.
http://nz2015.mini.debconf.org/Programme/Francois/
Outsourcing your webapp maintenance to DebianFrancois Marier
Today's web applications often have a lot of external dependencies. Start off with a basic framework, sprinkle a couple of handy modules and finish with a generous serving of JavaScript front-end libraries.
What you end up is a gigantic mess of code from different sources which follow very different release schedules and policies. Language-specific package managers can automate much of the dependency resolution and package installation, but you're on your own in terms of integration and quality assurance. Also, the minute you start distributing someone else's code with your project, you become responsible for the security of that third-party code.
We moved away from statically-linked C/C++ programs a long time ago and now (mostly) live in a nicely-packaged shared library world. Can we leverage the power of Debian (i.e. the great work of the package maintainers and security team) to similarly reduce the burden of those who end up having to maintain our webapps?
This talk will examine the decision that the Libravatar project made to outsource much of its maintenance burden to Debian by using system packages for almost everything.
https://summit.debconf.org/debconf14/meeting/16/outsourcing-your-webapp-maintenance-to-debian/
Login de usuários: podemos fazer algo melhor que usar senhas ou serviços cent...Francois Marier
Websites that need to identify their users commonly use one of two methods: a username & password scheme that's hard to secure and creates a lot of pain for users, or a centralized proprietary service on which many of their users already have accounts. There must a better way. A cross-browser solution for authenticating users which feels like the Web and preserves the decentralized architecture necessary for an open network. We present Mozilla Persona.
Video recording: http://hemingway.softwarelivre.org/fisl14/high/41a/sala41a-high-201307051001.ogg
Persona est un système d'identité fédéré qui met l'emphase sur la protection de la vie privée et la convivialité tout en facilitant le travail des développeurs Web. Cette présentation a pour but d'introduire ce système et les éléments de cryptographies sur lesquels il repose ainsi que de donner un exemple concret de son utilisation dans une application Web.
Passwords suck, but centralized proprietary services are not the answerFrancois Marier
Passwords are a big problem online and a lot of websites have turned to centralized services to handle logins for them. It's a disturbing trend from a privacy/surveillance point of view, but from a software freedom point of view, it's also turning these proprietary services into core dependencies.
That's why Mozilla is building Persona, a new federated and cross-browser system which makes identity a standard part of the browser. It's simple, privacy-sensitive and entirely free software.
Building Persona: federated and privacy-sensitive identity for the Web (Open ...Francois Marier
This talk explores the challenges of the existing Web identity solutions and introduce the choices that were made during the development of Persona (formerly BrowserID), a new Open Source federated identity solution from Mozilla, designed and built to respect user privacy.
Building Persona: federated and privacy-sensitive identity for the Web (LCA 2...Francois Marier
This talk explores the challenges of the existing Web identity solutions and introduce the choices that were made during the development of Persona (formerly BrowserID), a new Open Source federated identity solution from Mozilla, designed and built to respect user privacy.
The Web beyond "usernames & passwords" (OSDC12)Francois Marier
Identity systems on the Web are a bit of a mess. Surely in 2012, we would have something else than usernames and passwords for logging into websites. A solution that doesn't require trusting a central authority with a privacy policy that can change at a whim.
It turns out that solving the general identity problem is very hard. Some of these solutions require complicated redirections, an overwhelming amount of jargon and lots of verbose XML. The technology has been around for a long time, but implementing it properly (and safely) is often incredibly difficult. It's a lot to ask of the millions of part-time developers out there that are building sites out of some quick HTML, a MySQL database and some PHP Code samples.
This talk will explore the challenges of the existing Web identity solutions and introduce the choices that we made during the development of Persona, a new Open Source federated identity solution from Mozilla, designed and built to respect user privacy.
Persona: in your browsers, killing your passwordsFrancois Marier
Introduction to Persona, a new cross-browser login system for the web that's built entirely in Javascript. Powered by node.js on the backend, it pushes most of the crypto to the browser in order to create a secure and privacy-sensitive experience.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
131. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
132. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
133. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
134. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again