Category Archives: Security

[Video 449] Ron Rivest: Keys Under Doormats — Mandating Insecurity by Requiring Government Access to All Data and Communications

In the last few days, the question of encryption, and whether governments can and should force companies to reveal customers’ data, has become big news. Apple has announced that they will not make it possible for the US government to read the contents of a terrorist’s iPhone, even thought that might provide clues to the shooting in which they participated, and to others connected to that crime. But is it a wise idea to give government access to all of our data and our communications? What implications does this have for government, for technology, for privacy, and for democracy? In this talk, Ron Rivest describes these issues, and considers whether granting such access to governments is more or less secure.

[Video 443] Josh Aas: Let’s Encrypt — A Free, Automated, and Open CA

Increasingly, Web sites want to be secure and encrypted. It doesn’t matter if you’re running a huge e-commerce site or just a lowly blog; the trend is clear, that having an HTTPS-encrypted site is a good thing to do. If that’s the case, then why don’t more people do it? Part of it is the cost — to have a secure site, you need to get a certificate from a (potentially expensive) certificate authority (CA). Let’s Encrypt is a new service that aims to make it easy and free to set up an HTTPS-powered site. In this talk, Josh Aas describes Let’s Encrypt — the motivations, the technology, and the issues remaining before HTTPS can be universally available.

Time: 1:32

[Video 441] Vanessa Teague: Verification, Auditing, and Evidence — If We Didn’t Notice Anything Wrong…

Elections are a big deal in democratic countries — and people often wonder why they cannot yet vote on the Internet, or why voting cannot be more heavily computerized. But of course, there are many reasons for this, among them issues of security, verification, and privacy. Researchers have been thinking about these problems for quite some time, considering how we might be able to make electronic voting more secure, verifiable, and private than is current the case. In this talk, Vanessa Teague describes some of the technical challenges, and potential solutions, associated with electronic voting.

Time: 21m

[Video 439] Nick Sullivan: NGINX + https 101 — The Basics & Getting Started

Security has always been an important consideration for Web developers. However, in the last few years, many sites have been pushing (or been pushed) to use only HTTPS  (a secure version of HTTP) for their site. PCI regulations effectively require that a site only use HTTPS, and large sites such as Google and Facebook encourage (and sometimes demand) that a site refuse unencrypted HTTP requests.  This means that many sites which could previously ignore the calls for HTTPS now need to use and install it. In this talk, Nick Sullivan introduces the ideas behind HTTPS, and walks new developers/administrators through the process of making an nginx-backed site HTTPS-compliant.

Time: 36m

[Video 429] Florian Grunow & Niklaus Schiess: Lifting the Fog on Red Star OS

North Korea is generally thought to be the most isolated country on the planet. There is very little uncontrolled communication into and out of North Korea, and most countries have few or no ties to them. But North Korea, like all countries, needs computers, and those computers need an operating system. Enter “Red Star OS,” a Linux-based operating system used by North Korea, and written by their developers. In this talk, Florian Grunow and Niklaus Schiess look through a copy of Red Star OS, examining its features, including what makes it special (and different) from other Linux distributions.

[Video 407] Prasanna Kanagasabei: JS Security – A Pentesters Perspective

Web security is an important consideration for any application, but as JavaScript becomes an increasingly vital part of the Web, we need to consider the specifics of JavaScript.  One way to check the security of your applications is using “penetration testing,” also known as “pentesting.”  In this talk, Prasanna Kanagasabei describes his experiences as a pentester working with JavaScript, and describes the challenges and issues that he has had in trying to check JavaScript-based applications — and the things he wishes the engineers who had written those knew when writing the apps.

[Video 394] Seth Vargo: Introduction to Vault

How do you store your secrets? This is, by definition, a sensitive issue; you want to make it easy for the right people to access secrets, but it should also be hard for others to get those secrets. And by “the right people,” we increasingly mean “the right programs,” in an age of devops and automated deployment. Plus, you need to worry about revoking privileges, or expiring access after a short time. One project that attempts to handle these problems is Vault, an open-source project developed by Hashicorp. In this talk, Seth Vargo describes Vault, and the problems that it attempts to solve. He also describes how Vault can be integrated into a data center, and then used by applications and deployment systems.

[Video 375] Heidi Waterhouse: The Seven Righteous Fights

Projects don’t always go right; that’s the nature of the world.  But sometimes, projects go wrong for reasons that you could have predicted from the start. Which means that if you see these problems taking place, you should tell the people who are running the project, so as to avoid problems later on. What problems and issues are worth fighting about? In this talk, Heidi Waterhouse tells us what she thinks. If you’re on a software project, or (even better) you’re managing one, think about these things before you start … or, as she says, you’ll be doing the equivalent of trying to push chocolate chips into an already-baked cookie.

[Video 349] Stepan Ilyin: Making applications secure with NGINX

nginx is an increasingly popular HTTP server, in no small part because of its ability to scale massively. Because of its modular architecture, nginx is used not only on its own, but also with many third-party modules that add functionality to the core HTTP server. One module, Naxsi, provides administrators with the ability to filter (and reject) certain patterns of URLs, request headers, locations, and other suspect requests that might cause more harm than good. In this talk, Stepan Ilyin introduces naxsi and other nginx-based security techniques that, if used, can reduce the chances of someone taking down your Web application.

[Video 336] Ted Boehm: Performance Engineering At MasterCard

As Web applications grow, we often worry about identifying and fixing performance bottlenecks — and then scaling further, as our applications become even more popular than before. MasterCard, a major international provider of credit cards, has to deal with a set of applications that need to run very quickly, identify fraud quickly and easily, and be extremely fault tolerant. In this talk, Ted Boehm, who works at MasterCard, describes what they have done to create, test, and maintain systems that need to be so reliable and performant. Even if you are unlikely to create an application as large as MasterCard’s, you will likely learn about scaling (and what not to do) from this talk.