00:03:04 <oshani> oshani (~oshani@31-35-166.wireless.csail.mit.edu) has joined #dig
00:56:41 <mcherian> mcherian (Matt@31-33-137.wireless.csail.mit.edu) has joined #dig
02:03:08 <vinirusso> vinirusso (~Adium@187.37.83.181) has joined #dig
03:09:09 <oshani> oshani has quit (Quit: oshani)
04:00:23 <lkagal> lkagal (~lkagal@pool-98-110-160-220.bstnma.fios.verizon.net) has joined #dig
04:14:20 <mcherian> mcherian has quit ()
04:14:56 <lkagal> lkagal has quit (Quit: lkagal)
04:50:18 <vinirusso> vinirusso has quit (Quit: Leaving.)
06:01:41 <Yudai__> Yudai__ has quit (Remote host closed the connection)
07:50:35 <Yudai__> Yudai__ (~yudai@KD121108039092.ppp-bb.dion.ne.jp) has joined #dig
08:02:14 <Yudai__> Yudai__ has quit (Remote host closed the connection)
08:07:34 <danbri> danbri (~danbri@93-136-3-27.adsl.net.t-com.hr) has joined #dig
08:07:34 <danbri> danbri has quit (Changing host)
08:07:34 <danbri> danbri (~danbri@unaffiliated/danbri) has joined #dig
08:13:23 <Yudai__> Yudai__ (~yudai@KD121108039092.ppp-bb.dion.ne.jp) has joined #dig
08:13:56 <Yudai__> Yudai__ has quit (Remote host closed the connection)
08:15:47 <Yudai__> Yudai__ (~yudai@KD121108039092.ppp-bb.dion.ne.jp) has joined #dig
08:17:03 <Yudai__> Yudai__ has quit (Remote host closed the connection)
09:08:32 <danbri> danbri has quit (Remote host closed the connection)
10:43:49 <Yudai__> Yudai__ (~yudai@p78be59.kngwnt01.ap.so-net.ne.jp) has joined #dig
11:24:52 <danbri> danbri (~danbri@93-136-3-27.adsl.net.t-com.hr) has joined #dig
11:24:52 <danbri> danbri has quit (Changing host)
11:24:52 <danbri> danbri (~danbri@unaffiliated/danbri) has joined #dig
11:36:11 <RalphS> RalphS (~swick@30-7-139.wireless.csail.mit.edu) has joined #dig
12:17:58 <danbri> danbri has quit (Remote host closed the connection)
12:57:23 <lkagal> lkagal (~lkagal@pool-98-110-160-220.bstnma.fios.verizon.net) has joined #dig
13:18:08 <vinirusso> vinirusso (~Adium@189.62.74.176) has joined #dig
13:20:28 <vinirusso> vinirusso has left #dig
14:08:59 <oshani> oshani (~oshani@31-35-166.wireless.csail.mit.edu) has joined #dig
15:02:33 <Yudai__> Yudai__ has quit (Remote host closed the connection)
15:03:02 <Yudai__> Yudai__ (~yudai@p78be59.kngwnt01.ap.so-net.ne.jp) has joined #dig
15:06:23 <charles2> charles2 (~charles2@dhcp-18-111-52-197.dyn.mit.edu) has joined #dig
15:42:25 <lkagal> lkagal has quit (Quit: lkagal)
15:49:25 <charles2> charles2 has quit (Quit: charles2)
16:05:27 <mcherian> mcherian (Matt@dhcp-18-111-25-77.dyn.mit.edu) has joined #dig
16:18:30 <lkagal> lkagal (~lkagal@30-6-179.wireless.csail.mit.edu) has joined #dig
16:24:39 <mcherian> mcherian has quit (Ping timeout: 240 seconds)
16:38:23 <charles2> charles2 (~charles2@31-33-12.wireless.csail.mit.edu) has joined #dig
16:59:09 <timbl> timbl (~timbl@212.224.144.16) has joined #dig
17:27:54 <amy> Jim, Tuesday 4 May
17:28:47 <mcherian> mcherian (Matt@31-33-137.wireless.csail.mit.edu) has joined #dig
17:31:07 <amy> ok, changing now - Friday 23 April at 1:30pm
17:33:11 <amy> also being held, 6 May 3:30pm
19:48:40 <lkagal> pipian ?
19:49:10 <lkagal> Any examples for the new changes in cwmrete, I'm not able to get any of the old policies to run.
19:54:08 <danbri> danbri (~danbri@ip176-48-210-87.adsl2.static.versatel.nl) has joined #dig
19:54:08 <danbri> danbri has quit (Changing host)
19:54:08 <danbri> danbri (~danbri@unaffiliated/danbri) has joined #dig
20:00:08 <oshani> oshani has quit (Quit: oshani)
20:00:53 <oshani> oshani (~oshani@31-35-166.wireless.csail.mit.edu) has joined #dig
20:10:20 <oshani> ==========
20:10:32 <oshani> Talk on Web Security by Victor Costan
20:10:36 <oshani> ==========
20:10:39 <oshani> slides: http://6.470.scripts.mit.edu/lectures/security/html/all.html
20:10:44 <oshani> scribe: oshani
20:11:21 <oshani> Application vulnerabilities: bugs in the program code
20:11:28 <oshani> ... easier to check and fix
20:12:00 <oshani> Integration vulnerabilities: things that creep over time
20:13:13 <oshani> How to prevent and recover from attacks
20:13:25 <oshani> keep logs, encrypted backups
20:15:00 <oshani> How to avoid application vulnerabilities
20:15:41 <oshani> ... best practices (don't use passwords which are obvious, don't share passwords, etc)
20:18:31 <oshani> plaintext passwords are bad
20:19:24 <oshani> use POST instead GET
20:19:50 <oshani> don't send passwords back, thinking it'll improve useability
20:20:22 <RalphS> RalphS has quit (Quit: leaving ...)
20:22:22 <oshani> don't put the plaintext passwords in the database; add a salt (a random number) to the hash of the password; (essentially a different hashing algorithm)
20:22:37 <oshani> don't show passwords in the logs
20:22:54 <oshani> ... filter the logs
20:24:06 <oshani> Access Control: don't have obvious URLs
20:25:10 <oshani> Victor gives a personal example of a security breach that he had in the past
20:27:26 <oshani> Easy fix: have HTTP basic/digest authentication
20:27:51 <oshani> the next step is to have OpenID
20:31:14 <oshani> Hidden fields are bad because you can edit the amount for the value (even put negative values)
20:31:52 <oshani> Victor is showing a demo to illustrate that we should not trust cookies
20:33:16 <oshani> If you need to use cookies: sign the cookies!
20:33:27 <oshani> (slide 22)
20:36:59 <oshani> Shows another security flaw in a site where negative values can be input
20:37:01 <oshani> Fuming: this seems like an application flow
20:37:24 <oshani> Victor: Yes. These types of errors can be avoided by proper testing
20:37:52 <oshani> Next: Integration Vulnerabilities
20:39:46 <oshani> SQL injection (slide 26)
20:42:19 <oshani> Source code leak: has happened to FB
20:43:24 <oshani> Web Security Models
20:43:59 <oshani> ... to prevent XSS and CSRF
20:44:41 <oshani> can be prevented by enforcing the same origin principle
20:45:36 <oshani> but there are some holes in this which are widely exploited (for e.g. in mashups)
20:45:55 <oshani> slide 33
20:47:59 <oshani> How to create a CSRF attack
20:48:57 <oshani> ... slides (34-37)
20:49:18 <oshani> CSRF fix is to have a token posted with your request
20:50:07 <oshani> XSS is when a user visits a legitimate site and put some malicious content
20:50:43 <oshani> ... can happen if the site has lots of user-generated content
20:51:32 <oshani> How to prevent XSS: there are automated tools that try all possible cases to find a vulnerability
20:52:22 <oshani> ... shows an example where there's some code which will submit the user cookie jar to some remote server
20:54:53 <lkagal> lkagal has quit (Quit: lkagal)
20:56:57 <oshani> Leaking data via AJAX: a biggest example is myspace
21:02:06 <vinirusso1> vinirusso1 (~Adium@189.62.74.176) has joined #dig
21:04:19 <vinirusso1> vinirusso1 has left #dig
21:13:36 <lkagal> lkagal (~lkagal@30-6-179.wireless.csail.mit.edu) has joined #dig
21:19:19 <charles2> charles2 has quit (Quit: charles2)
22:12:38 <oshani> oshani has quit (Quit: oshani)
22:14:12 <oshani> oshani (~oshani@31-35-166.wireless.csail.mit.edu) has joined #dig
22:31:21 <Yudai__> Yudai__ has quit (Remote host closed the connection)
22:42:14 <mcherian> mcherian has quit (Ping timeout: 268 seconds)
22:44:45 <charles2> charles2 (~charles2@dhcp-18-111-52-197.dyn.mit.edu) has joined #dig
23:29:16 <oshani> oshani has quit (Quit: oshani)
23:36:56 <oshani> oshani (~oshani@31-35-166.wireless.csail.mit.edu) has joined #dig
23:37:12 <oshani> oshani has quit (Client Quit)
23:40:52 <mcherian> mcherian (Matt@31-33-137.wireless.csail.mit.edu) has joined #dig
23:45:45 <mcherian> mcherian has quit (Ping timeout: 268 seconds)
23:51:11 <lkagal> lkagal has quit (Quit: lkagal)
23:51:17 <charles2> charles2 has quit (Quit: charles2)