In the last few days, the question of encryption, and whether governments can and should force companies to reveal customers’ data, has become big news. Apple has announced that they will not make it possible for the US government to read the contents of a terrorist’s iPhone, even thought that might provide clues to the shooting in which they participated, and to others connected to that crime. But is it a wise idea to give government access to all of our data and our communications? What implications does this have for government, for technology, for privacy, and for democracy? In this talk, Ron Rivest describes these issues, and considers whether granting such access to governments is more or less secure.
Increasingly, Web sites want to be secure and encrypted. It doesn’t matter if you’re running a huge e-commerce site or just a lowly blog; the trend is clear, that having an HTTPS-encrypted site is a good thing to do. If that’s the case, then why don’t more people do it? Part of it is the cost — to have a secure site, you need to get a certificate from a (potentially expensive) certificate authority (CA). Let’s Encrypt is a new service that aims to make it easy and free to set up an HTTPS-powered site. In this talk, Josh Aas describes Let’s Encrypt — the motivations, the technology, and the issues remaining before HTTPS can be universally available.
Elections are a big deal in democratic countries — and people often wonder why they cannot yet vote on the Internet, or why voting cannot be more heavily computerized. But of course, there are many reasons for this, among them issues of security, verification, and privacy. Researchers have been thinking about these problems for quite some time, considering how we might be able to make electronic voting more secure, verifiable, and private than is current the case. In this talk, Vanessa Teague describes some of the technical challenges, and potential solutions, associated with electronic voting.
Security has always been an important consideration for Web developers. However, in the last few years, many sites have been pushing (or been pushed) to use only HTTPS (a secure version of HTTP) for their site. PCI regulations effectively require that a site only use HTTPS, and large sites such as Google and Facebook encourage (and sometimes demand) that a site refuse unencrypted HTTP requests. This means that many sites which could previously ignore the calls for HTTPS now need to use and install it. In this talk, Nick Sullivan introduces the ideas behind HTTPS, and walks new developers/administrators through the process of making an nginx-backed site HTTPS-compliant.
North Korea is generally thought to be the most isolated country on the planet. There is very little uncontrolled communication into and out of North Korea, and most countries have few or no ties to them. But North Korea, like all countries, needs computers, and those computers need an operating system. Enter “Red Star OS,” a Linux-based operating system used by North Korea, and written by their developers. In this talk, Florian Grunow and Niklaus Schiess look through a copy of Red Star OS, examining its features, including what makes it special (and different) from other Linux distributions.
How do you store your secrets? This is, by definition, a sensitive issue; you want to make it easy for the right people to access secrets, but it should also be hard for others to get those secrets. And by “the right people,” we increasingly mean “the right programs,” in an age of devops and automated deployment. Plus, you need to worry about revoking privileges, or expiring access after a short time. One project that attempts to handle these problems is Vault, an open-source project developed by Hashicorp. In this talk, Seth Vargo describes Vault, and the problems that it attempts to solve. He also describes how Vault can be integrated into a data center, and then used by applications and deployment systems.
Projects don’t always go right; that’s the nature of the world. But sometimes, projects go wrong for reasons that you could have predicted from the start. Which means that if you see these problems taking place, you should tell the people who are running the project, so as to avoid problems later on. What problems and issues are worth fighting about? In this talk, Heidi Waterhouse tells us what she thinks. If you’re on a software project, or (even better) you’re managing one, think about these things before you start … or, as she says, you’ll be doing the equivalent of trying to push chocolate chips into an already-baked cookie.
nginx is an increasingly popular HTTP server, in no small part because of its ability to scale massively. Because of its modular architecture, nginx is used not only on its own, but also with many third-party modules that add functionality to the core HTTP server. One module, Naxsi, provides administrators with the ability to filter (and reject) certain patterns of URLs, request headers, locations, and other suspect requests that might cause more harm than good. In this talk, Stepan Ilyin introduces naxsi and other nginx-based security techniques that, if used, can reduce the chances of someone taking down your Web application.
As Web applications grow, we often worry about identifying and fixing performance bottlenecks — and then scaling further, as our applications become even more popular than before. MasterCard, a major international provider of credit cards, has to deal with a set of applications that need to run very quickly, identify fraud quickly and easily, and be extremely fault tolerant. In this talk, Ted Boehm, who works at MasterCard, describes what they have done to create, test, and maintain systems that need to be so reliable and performant. Even if you are unlikely to create an application as large as MasterCard’s, you will likely learn about scaling (and what not to do) from this talk.