Why Browser Crypto is Bad
Speaker: Nadim Kobeissi
As we use the browser to handle more and more of our data, and as more of our data resides in the cloud, the browser should be doing all our encryption so that data stored outside our computer is safe. Notice that HTTPS only prevents people from eavesdropping while the data is in transit; in the cloud our data is stored in the clear.
- Random number problem – the browser's default random number generator (which is needed for key creation) is very bad.
Google’s Chrome browser helps to solve some of these problems:
- Random number generator in Chrome is much better.
- Chrome apps partially solve the code delivery problem, but verifying the installed code remains a problem.
In the future it would be great to have a standardized crypto library in the browser. This way we could guarantee data privacy for everyone.
Meanwhile, Cryptocat 2 is in the works – get the code from GitHub and help!
When Botnets Attack
Speaker: Aditya Sood
“On the Internet some things are not what they say they are.”
This talk was a summary of research done by the speaker on various kinds of malware.
The basic kinds of browser malware fall into the following groups:
- Runs directly in browser (Class A)
- Communicates with browser via the plugin framework (Class B)
- Inserts itself between the O/S and the browser.
A typical way to get malware onto your computer is to break into some website and insert hidden iframes whose URLs trigger downloads of malicious software onto visitors' computers.
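As an added defensive illustration, not part of the talk or of these notes: a small heuristic scanner that flags iframes sized or styled so the visitor never sees them, the usual shape of a frame injected into a compromised site (the sample page and its domain names are constructed).

```python
import re
from html.parser import HTMLParser

# Constructed, defensive heuristic (not from the talk): flag iframes that are sized or
# styled so the visitor never sees them. Legitimate pages also use hidden iframes, so a
# hit is a lead for review, not proof of compromise.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class HiddenIframeScanner(HTMLParser):
    """Collects iframes whose attributes suggest they are invisible to the user."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        for dim in ("width", "height"):
            # a 0 or 1 pixel frame is effectively invisible
            if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by inline style")
        if reasons:
            self.hits.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {src, reasons} for every suspicious iframe in html."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    return scanner.hits


# Constructed sample page: one ordinary video embed, two injected-looking frames.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
<iframe src="http://bad.example/in.php" width="0" height="0"></iframe>
<iframe src="http://bad.example/x.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```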
The speaker discussed examples of various forms of malware. Below is a list of interesting links from his presentation:
- Java Driveby Generator – article on how a framework is used to generate exploits.
- Java Array Exploit – gory details of a Java based exploit.
- Armorize Blog – interesting security blog.
Keynote – the Yes Men
Saturday’s keynote was delivered by the Yes Men. The Yes Men are a small activist group that do silly things in public in order to bring important issues to the forefront in the media. They got started when, after creating a fake WTO website, they were invited to a WTO conference. There they gave a talk on election reform – how officials should buy votes directly, without going through advertisers etc.
After that things got even sillier.
The Yes Men were joined by Vermin Supreme, who is running for President in 2012. He called on everyone to participate in the Thousand Meme March to happen during the Republican convention this year.
The talk ended with members of the audience suggesting memes for the march. Silliness reigned.
Privacy Tricks for Web Developers
Speaker: Micah Lee
This talk was given by a web developer who works for the EFF. His talk consisted of suggestions on how to build websites so that their visitors are harder to track. He talked about a number of tricks you can use to prevent other websites from gathering visitor information. Here is a sample:
- If you use Google web fonts, save the fonts on your server.
- Use plain links to point to social media sites – do not use the scripts they provide.
- Load the Twitter feed on the server, not the client.
- Proxy AJAX requests to avoid sending data to third parties.
- Let users opt in; otherwise provide a basic HTML web site.
Another important principle is not to store more than you need:
- Disable logging of IP addresses, or encrypt IP addresses so you can still tell if one IP address is hitting the site too much (see cryptlog).
- Hide identifying information from PHP.
- Hide non-public information behind basic HTTP authentication.
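As an added illustration of the encrypted-IP-address idea, not code from the talk or from cryptlog itself: a hypothetical cryptlog-style log writer that replaces each address with a keyed hash under a per-day random key, so repeat visits from one address within a day can be counted while the address itself is never written (the sample traffic is constructed).

```python
import hashlib
import hmac
import secrets
from collections import Counter
from datetime import datetime, timezone

# Hypothetical cryptlog-style scheme (not Micah Lee's cryptlog). Each UTC day gets its
# own random key and the visitor's address is replaced by an HMAC under that key:
# within a day, repeat visits from one address are recognisable, but the address is
# never written and tokens from different days cannot be linked. Operationally the
# previous day's key is thrown away, which is what makes old lines irreversible; this
# demo keeps keys in memory only so the sample below can be inspected.
_day_keys = {}

def day_key(ts):
    """Return the (day label, key) pair for the UTC day containing timestamp ts."""
    day = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
    if day not in _day_keys:
        _day_keys[day] = secrets.token_bytes(32)  # fresh 256-bit key per day
    return day, _day_keys[day]

def pseudonymize_ip(ip, ts):
    """Keyed hash of ip: stable within one day, unlinkable across days."""
    day, key = day_key(ts)
    tag = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{day}:{tag}"

def log_line(ip, ts, request):
    """Access-log line with the pseudonym where the raw address would normally go."""
    return f'{pseudonymize_ip(ip, ts)} {int(ts)} "{request}"'

def heavy_hitters(lines, threshold):
    """Pseudonyms seen at least `threshold` times: enough to spot one visitor
    hammering the site, without ever recovering the address behind the token."""
    counts = Counter(line.split(" ", 1)[0] for line in lines)
    return {token: n for token, n in counts.items() if n >= threshold}

# Constructed sample traffic inside one UTC day: one address hitting /login
# repeatedly, plus two ordinary visitors.
T0 = 1_700_000_000
SAMPLE = [("203.0.113.7", T0 + i, "GET /login") for i in range(5)]
SAMPLE += [("198.51.100.2", T0 + 10, "GET /"), ("198.51.100.3", T0 + 20, "GET /about")]
LOG = [log_line(ip, ts, req) for ip, ts, req in SAMPLE]

if __name__ == "__main__":
    print("\n".join(LOG))
    print("heavy hitters:", heavy_hitters(LOG, 3))
```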
Deploy HTTPS correctly:
- Force users to use HTTPS.
- Make cookies secure (set the “secure” and “httponly” flags).
Do not use FTP or Flash.
Weather Is Not Boring
Speaker: John Huntington
This was a talk on weather data. The National Weather Service gathers all weather data and disseminates it for free. The speaker explained how this data is collected and where it is available. You can start with the NWS website.
The speaker was interested in tracking storms and mentioned Tom Warner – a guy who specializes in photographing and filming lightning at very high speeds. You can see a little video about him here.
Original Hackers in World War II
Speaker: George Keller
The speaker was a Navy veteran who worked on signal encryption while in the Navy. Recently he visited Bletchley Park and he talked about his visit there. It was nice to see the pictures of the museum that exists there – even though I know the details of the story.
Social Engineering Panel
As always this panel was a lot of fun. My favorite story was about a non-existent Austrian artist who was sent to an international art show with a crew, but who never showed up. Of course his crew consisted of the actual artists whose works were displayed under this fake name.
This year the attempt at phone social hacking fell a little short of hilarity.
3D Printers and Washington DC
Speaker: Michael Weinberg
The speaker, author of “It Will Be Awesome if We Don’t Screw Up”, talked about 3-D printers and how this potentially very disruptive technology will be received by the world. The question is whether intellectual property laws can be used to stop this technology from gaining widespread use.
3-D printing is a generic technology for manufacturing objects – as generic as the computer.
The speaker was cautiously optimistic. One thing he mentioned is that copyright laws do not apply to physical objects – a physical object may be freely copied.
We need to make sure that the policy makers in Washington DC don’t change that.