IRC log of dig on 2010-03-16
Timestamps are in UTC.
- 00:03:04 [oshani]
- oshani (~oshani@31-35-166.wireless.csail.mit.edu) has joined #dig
- 00:56:41 [mcherian]
- mcherian (Matt@31-33-137.wireless.csail.mit.edu) has joined #dig
- 02:03:08 [vinirusso]
- vinirusso (~Adium@187.37.83.181) has joined #dig
- 03:09:09 [oshani]
- oshani has quit (Quit: oshani)
- 04:00:23 [lkagal]
- lkagal (~lkagal@pool-98-110-160-220.bstnma.fios.verizon.net) has joined #dig
- 04:14:20 [mcherian]
- mcherian has quit ()
- 04:14:56 [lkagal]
- lkagal has quit (Quit: lkagal)
- 04:50:18 [vinirusso]
- vinirusso has quit (Quit: Leaving.)
- 06:01:41 [Yudai__]
- Yudai__ has quit (Remote host closed the connection)
- 07:50:35 [Yudai__]
- Yudai__ (~yudai@KD121108039092.ppp-bb.dion.ne.jp) has joined #dig
- 08:02:14 [Yudai__]
- Yudai__ has quit (Remote host closed the connection)
- 08:07:34 [danbri]
- danbri (~danbri@93-136-3-27.adsl.net.t-com.hr) has joined #dig
- 08:07:34 [danbri]
- danbri has quit (Changing host)
- 08:07:34 [danbri]
- danbri (~danbri@unaffiliated/danbri) has joined #dig
- 08:13:23 [Yudai__]
- Yudai__ (~yudai@KD121108039092.ppp-bb.dion.ne.jp) has joined #dig
- 08:13:56 [Yudai__]
- Yudai__ has quit (Remote host closed the connection)
- 08:15:47 [Yudai__]
- Yudai__ (~yudai@KD121108039092.ppp-bb.dion.ne.jp) has joined #dig
- 08:17:03 [Yudai__]
- Yudai__ has quit (Remote host closed the connection)
- 09:08:32 [danbri]
- danbri has quit (Remote host closed the connection)
- 10:43:49 [Yudai__]
- Yudai__ (~yudai@p78be59.kngwnt01.ap.so-net.ne.jp) has joined #dig
- 11:24:52 [danbri]
- danbri (~danbri@93-136-3-27.adsl.net.t-com.hr) has joined #dig
- 11:24:52 [danbri]
- danbri has quit (Changing host)
- 11:24:52 [danbri]
- danbri (~danbri@unaffiliated/danbri) has joined #dig
- 11:36:11 [RalphS]
- RalphS (~swick@30-7-139.wireless.csail.mit.edu) has joined #dig
- 12:17:58 [danbri]
- danbri has quit (Remote host closed the connection)
- 12:57:23 [lkagal]
- lkagal (~lkagal@pool-98-110-160-220.bstnma.fios.verizon.net) has joined #dig
- 13:18:08 [vinirusso]
- vinirusso (~Adium@189.62.74.176) has joined #dig
- 13:20:28 [vinirusso]
- vinirusso has left #dig
- 14:08:59 [oshani]
- oshani (~oshani@31-35-166.wireless.csail.mit.edu) has joined #dig
- 15:02:33 [Yudai__]
- Yudai__ has quit (Remote host closed the connection)
- 15:03:02 [Yudai__]
- Yudai__ (~yudai@p78be59.kngwnt01.ap.so-net.ne.jp) has joined #dig
- 15:06:23 [charles2]
- charles2 (~charles2@dhcp-18-111-52-197.dyn.mit.edu) has joined #dig
- 15:42:25 [lkagal]
- lkagal has quit (Quit: lkagal)
- 15:49:25 [charles2]
- charles2 has quit (Quit: charles2)
- 16:05:27 [mcherian]
- mcherian (Matt@dhcp-18-111-25-77.dyn.mit.edu) has joined #dig
- 16:18:30 [lkagal]
- lkagal (~lkagal@30-6-179.wireless.csail.mit.edu) has joined #dig
- 16:24:39 [mcherian]
- mcherian has quit (Ping timeout: 240 seconds)
- 16:38:23 [charles2]
- charles2 (~charles2@31-33-12.wireless.csail.mit.edu) has joined #dig
- 16:59:09 [timbl]
- timbl (~timbl@212.224.144.16) has joined #dig
- 17:27:54 [amy]
- Jim, Tuesday 4 May
- 17:28:47 [mcherian]
- mcherian (Matt@31-33-137.wireless.csail.mit.edu) has joined #dig
- 17:31:07 [amy]
- ok, changing now - Friday 23 April at 1:30pm
- 17:33:11 [amy]
- also being held, 6 May 3:30pm
- 19:48:40 [lkagal]
- pipian ?
- 19:49:10 [lkagal]
- Any examples for the new changes in cwmrete? I'm not able to get any of the old policies to run.
- 19:54:08 [danbri]
- danbri (~danbri@ip176-48-210-87.adsl2.static.versatel.nl) has joined #dig
- 19:54:08 [danbri]
- danbri has quit (Changing host)
- 19:54:08 [danbri]
- danbri (~danbri@unaffiliated/danbri) has joined #dig
- 20:00:08 [oshani]
- oshani has quit (Quit: oshani)
- 20:00:53 [oshani]
- oshani (~oshani@31-35-166.wireless.csail.mit.edu) has joined #dig
- 20:10:20 [oshani]
- ==========
- 20:10:32 [oshani]
- Talk on Web Security by Victor Costan
- 20:10:36 [oshani]
- ==========
- 20:10:39 [oshani]
- slides: http://6.470.scripts.mit.edu/lectures/security/html/all.html
- 20:10:44 [oshani]
- scribe: oshani
- 20:11:21 [oshani]
- Application vulnerabilities: bugs in the program code
- 20:11:28 [oshani]
- ... easier to check and fix
- 20:12:00 [oshani]
- Integration vulnerabilities: things that creep over time
- 20:13:13 [oshani]
- How to prevent and recover from attacks
- 20:13:25 [oshani]
- keep logs, encrypted backups
- 20:15:00 [oshani]
- How to avoid application vulnerabilities
- 20:15:41 [oshani]
- ... best practices (don't use passwords which are obvious, don't share passwords, etc)
- 20:18:31 [oshani]
- plaintext passwords are bad
- 20:19:24 [oshani]
- use POST instead of GET
- 20:19:50 [oshani]
- don't send passwords back, thinking it'll improve usability
- 20:20:22 [RalphS]
- RalphS has quit (Quit: leaving ...)
- 20:22:22 [oshani]
- don't put the plaintext passwords in the database; add a salt (a random number) to the hash of the password; (essentially a different hashing algorithm)
- 20:22:37 [oshani]
- don't show passwords in the logs
- 20:22:54 [oshani]
- ... filter the logs
- 20:24:06 [oshani]
- Access Control: don't have obvious URLs
- 20:25:10 [oshani]
- Victor gives a personal example of a security breach that he had in the past
- 20:27:26 [oshani]
- Easy fix: have HTTP basic/digest authentication
- 20:27:51 [oshani]
- the next step is to have OpenID
- 20:31:14 [oshani]
- Hidden fields are bad because you can edit the amount for the value (even put negative values)
- 20:31:52 [oshani]
- Victor is showing a demo to illustrate that we should not trust cookies
- 20:33:16 [oshani]
- If you need to use cookies: sign the cookies!
- 20:33:27 [oshani]
- (slide 22)
- 20:36:59 [oshani]
- Shows another security flaw in a site where negative values can be input
- 20:37:01 [oshani]
- Fuming: this seems like an application flaw
- 20:37:24 [oshani]
- Victor: Yes. These types of errors can be avoided by proper testing
- 20:37:52 [oshani]
- Next: Integration Vulnerabilities
- 20:39:46 [oshani]
- SQL injection (slide 26)
- 20:42:19 [oshani]
- Source code leak: has happened to FB
- 20:43:24 [oshani]
- Web Security Models
- 20:43:59 [oshani]
- ... to prevent XSS and CSRF
- 20:44:41 [oshani]
- can be prevented by enforcing the same origin principle
- 20:45:36 [oshani]
- but there are some holes in this which are widely exploited (e.g. in mashups)
- 20:45:55 [oshani]
- slide 33
- 20:47:59 [oshani]
- How to create a CSRF attack
- 20:48:57 [oshani]
- ... slides (34-37)
- 20:49:18 [oshani]
- CSRF fix is to have a token posted with your request
- 20:50:07 [oshani]
- XSS is when a user visits a legitimate site and puts some malicious content
- 20:50:43 [oshani]
- ... can happen if the site has lots of user-generated content
- 20:51:32 [oshani]
- How to prevent XSS: there are automated tools that try all possible cases to find a vulnerability
- 20:52:22 [oshani]
- ... shows an example where there's some code which will submit the user cookie jar to some remote server
- 20:54:53 [lkagal]
- lkagal has quit (Quit: lkagal)
- 20:56:57 [oshani]
- Leaking data via AJAX: the biggest example is myspace
- 21:02:06 [vinirusso1]
- vinirusso1 (~Adium@189.62.74.176) has joined #dig
- 21:04:19 [vinirusso1]
- vinirusso1 has left #dig
- 21:13:36 [lkagal]
- lkagal (~lkagal@30-6-179.wireless.csail.mit.edu) has joined #dig
- 21:19:19 [charles2]
- charles2 has quit (Quit: charles2)
- 22:12:38 [oshani]
- oshani has quit (Quit: oshani)
- 22:14:12 [oshani]
- oshani (~oshani@31-35-166.wireless.csail.mit.edu) has joined #dig
- 22:31:21 [Yudai__]
- Yudai__ has quit (Remote host closed the connection)
- 22:42:14 [mcherian]
- mcherian has quit (Ping timeout: 268 seconds)
- 22:44:45 [charles2]
- charles2 (~charles2@dhcp-18-111-52-197.dyn.mit.edu) has joined #dig
- 23:29:16 [oshani]
- oshani has quit (Quit: oshani)
- 23:36:56 [oshani]
- oshani (~oshani@31-35-166.wireless.csail.mit.edu) has joined #dig
- 23:37:12 [oshani]
- oshani has quit (Client Quit)
- 23:40:52 [mcherian]
- mcherian (Matt@31-33-137.wireless.csail.mit.edu) has joined #dig
- 23:45:45 [mcherian]
- mcherian has quit (Ping timeout: 268 seconds)
- 23:51:11 [lkagal]
- lkagal has quit (Quit: lkagal)
- 23:51:17 [charles2]
- charles2 has quit (Quit: charles2)