Video in TIB AV-Portal: Web-App-Encryption

Formal Metadata

License: CC Attribution - NonCommercial 2.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Web-App-Encryption

Is your data secure by default? How Django can be used to make you sleep at night.

This talk will detail the different threats a web application faces today and how different types of encryption can solve many of these problems. We will discuss the whole web stack and show various technologies to deploy secure encryption. The main focus will be on using Django as a web frontend in a highly distributed and load-optimised environment.

More than ever, websites have to deploy encryption to protect their users. First it has to be defined what threats the data faces and how these can be mitigated. It is vital that a lot of thought is put into what is sensible for which use case. We will describe different strategies based on a little piece of software (written in Django) we use to showcase where encryption can happen (client-browser-server-cgi-database). We will back these steps up by real-life examples, numbers and benchmarks we have collected from a productive environment. Finally we will discuss some problems that arise when hosting is out of the house, your backups are encrypted, you have a fail-over distributed environment and you as a service provider can't see the data you are hosting.

Speaker: Didi Hoffmann
Event: FrOSCon 2014 by the Free and Open Source Software Conference (FrOSCon) e.V.
Keywords Free and Open Source Software Conference FrOSCon14
in some places I saw in the previous talk to kind of not and then say coming from the same
project with a sentence according at about myself that many of them born in London and a lot of what the company is not in the and the sort of see of funny everybody in Berlin is studied in
England emergency program so I moved up the ranks to the dual project management I try to do some coding was with or trying to do most of my career and so anyway currently I'm working on a
new product that's called the work which is a document creation tool and so the talk held today date in the morning when the early afternoon with about how we do data management and another thing we did security and
so the current is that if you get it wrong it's very very very expensive and a lot of things happened because people don't have a plan of the just the other day I was like 150 million 10 dollars I mean just for a stupid error in that a scale that that's unbelievable actually right 100 uh
so what we did is when we started the company wouldn't have a lot of money had but we've looked at Webster that Our result that so how how can what what rules can we solve deducts what rules can also see that we that we can extract and act on them accordingly the security is always a trade-off between you will never have the perfect reduces the number 1 and work in the worst case people come along and should and probably shot you
need you have to tell them any possible so is always a trade-off between how secure doesn't need to be and how secure can I make it and of course the government every aspect in Industry working in a company you don't spend all your there were no long every company that becomes then all you they would thing about security but I mean there are some companies of that do that but most companies that
most companies that the program is solid about security and the other is the much the worse case again so
also quite convinced that a lot of the errors come up normal day-to-day life can be resolved providing and the same with security I think if you think about what threats the Towards my software what do I have which is but which need security level of security does that data need I think we can mitigate quite a lot
of all these trends and what 1 valuable for a company is that the data is decoded major consoles we don't have to protect the code right you end of services many as follows the user uploads so that the need on of what's important for a company and if this sleek how frightening it is to your business model and
policy want to do that if that happens In this talk I will dissolve talk about some of the threats we defined at the beginning and how we challenge them always tried to mitigate of so 1st of all physical access fails if somebody have physical
access machine it is compromised this is that they can do do whatever they want with their by complaining use the devices they can play and he wants no because they can do whatever they want it's very very if not nature impossible to to secure machine the period of true intruders or attackers have physical and the solution there are some approaches and stuff but in theory you could change the main board change chip or whatever right so
basic make sure that your cells secure locations make sure you know where the server that from him here in nature you know you trust that's very important the trust that hosting provider that hosting provider manages Paul by and and see if you can get to the which actually will drop when Triton actually got physical access to myself but without indication of anything and we changed so a Mitchell where you have secured then try to monitor your service so they're very easy things just to solve the if someone tampered with device and some hosting providers offer like access but it is also see a video stream of yourself if you're having bank data of my people very sensitive data that might be something you want to think about maybe get the service and your indication and think about then always the beginning they might have access which was another half of the king that actually had the machine and the so for the galactose in general is fail so check out you have access to the machine so the 1st real threat is somebody
steals your heart like and this is happens quite a lot of times that so just with the computers and put of on and it's astonishing to see how many people don't include the hundreds of astonished by how the Committee wouldn't their laptops but imagine all my company secrets all my laptop and is in my bag and that will be will be so that I know that others can born at some stage of my life all my telephone exactly which I know these things going
about it and they have managed and then my old officer just open the door to about all laptops so if what would have happened if all our data would have been on a all other was never lucrative let's say somebody else will come in there and look at all of this is going to look at all our customer records that will so really you here he astonished if somebody doesn't include a lot of and I can only tell you my it's super using limits of super easy you even the the 2 clicks right so group your hard drives but even on your Service they performance on 2 0 so I did some benchmarking on this and we have a really really small performance overhead but looks on an excessive is a and sometimes you get some problems when you have to read when you have to rebuild the RAID array of something but it's a total trade off that everybody should take right it's so easy to get candidate and a pool of about a range this is something where you know you've lost all your data you be compromising and even that 6 so this is that exactly this is a typical trade off right so on some suppose we just increase the database partition so we just say OK if the machinery groups somewhat with a friend because we know so that the location is secured but I would non-Apple showed otherwise and think of everything but on service it's it's it's all trade-off thing have because a promise if you include everything even your group partition you want to read groups is very hard to add the password depths of remote B and C in which we do now on on the work who everything's encryptor and different machine reboots I go through the whole horrible BNC dating and the stupid possible so we we try not to have had that but uh their so the trade off that he was have to see what they did on to protect so clearly if you don't include groups anybody can come in and rewrite groups but if some people your hard drive you will be able to see old where some people actually encryptor database partition but don't encrypt swap 
partitions wouldn't that's 10 and so will the data we have so the 2nd so
can't aestivation deals of and this is like the Amiga super frame thing which happens a lot I mean if I look at all the SSH sports I get the onto my servers trying all these different passwords while you still around this is something that everybody should be able to really easily mitigate and so don't have accounts on your Service is a simple thing don't have user accounts on use of if of course if you're hosting if you SSH provided you should on a web server database there's no reason why should have user comes from that so why should XYZ to be able to go to that service use configuration management to the right could then there's fabric has so many this so that certainly configuration management scripts of no developer also all admin actually really needs access to of any more money and you certificates is easiest don't have also it's basically so a few years ago we did a few
thousand machines I think within 150 thousand shingles something and we have no passwords but everything was the same thing with those of the simple thing is is felt about which I would also recommend then we can if somebody gets SSH as user permissions of you can gain some security for randomizing memory and encrypting swap and stuff like that of but this only loss also always randomized memory anyway because your software use web server might have some error so you 1 like that and you disclose something happening but and yet visions and IP addresses this point the most easy thing to do doesn't mean you can't tell the network and what's was 1 of the most funny experience in my life was having a honeypot that would open up once in a while to these SSH things than a friend copy this idea but he production machine and it went all quiet right so didn't do a file redirect something to somebody publishing but really good tried to leave something my machine you don't need that just the possible 1 2 3 or something and then just track what people do in some areas the it's and and the problem they don't really know what they're doing had had 80 % of them are script kiddies just sort of there was this is the 1 of these 4 of there were exactly the changes that exactly that's the people now it's amazing it's not there they're very good at that time in these scripts are could extremely well adapt that they try the age motions in the trying to figure out which as they should have there's an error in it so I don't have 22 reported to open publicly except on so if you try to machines that people have that all and so that's exactly what it is that I have the everything busy I had a different SSH boards and everywhere would come into 22 I like a table just redirect now we going through the again we have like a close again especially like inversions takes a lot of these problems go away because you can just this is my soul private networking thing and even yes yes obviously at a body 
don't run it anywhere that's important that and the other than free instances are quote for had had that have had uh you get a consumer mother hacking had for the history instances of industrial stage so then we can
extract somebody uploads was falls and I see a lot of souls Django projects go to point I and it's sickening how many people don't and check stuff but just to the standard junga upload and accept this as being the perfect security which is not that it's it's a jungle out there that we can afford save somewhere doesn't take what is the check what type of what is it doesn't check for sites so obviously the have a different process serving your median static falls to actual balls
have an Apache ODE engine something busy have separated another thing which is really easy to do is verified uploaded files replied magical some other thing just through fingerprints on the 1st few bytes and unchecked is really what I'm expecting so so think of maximum fossilized this is like a classic just upload a fighting about fall and see if the sum all that very nice to to fill up 10 for example because what happens is that saves everything into 10 possible and just enough for and intended for another thing a lot of services offer you to the upload files so 1 of the best storage was uploading millions of false scripted and that's it check all permissions and access the best guess next underscore 1 what exactly is also used as script human figures in the Czech publisher this you see this a lot and a lot of the code reviews I don't know I do I see this but wrong I in I see people ch morning 7 7 7 on the web roots and because SQL like needs it's in the head uh yeah the basic did you the this list everything every time I read this slide all I I saw this being done wrong and every time you see this is owner of a story to tell you was a problem isn't so much anymore they use the horrible unique code things happening crash Django and the horrible things now it's not so much check farmland is a good idea so see is the following there's still this this becomes very interesting when you have the production environments of a multithreaded that's start writing different all systems and so is just a really simple thing how to check the that
test of P and is really a PDF it's as simple as that and like this you can verify is the opposite of all in please human Django really does that publishes the the whole form and of all the checks that is a French you'll have to configure Apache engines whatever so using just all this then this is to much but the see a user the counters over thousand years all because you know OK fault in the 5 megabytes you can calculate when you break even when you're going to have a problem and it's and you know 1 of those up so you can stop the the the the exact is still involves being uploaded which also services actually to the mean and trying a product they can develop manifolds as you want and just crashes exactly that somebody downloads files they should that this is another this is probably 1 of the from that comes from having your your uploads being different from the old also believes that the pulse of union of that's not everything a user uploads might be public I'm just protecting through of you the same disease that this is not enough because obviously your serving a fault so particles of the self aware of what it said so this 0 can be so out to the whole world member conceivable that make sense that a little bit confusing but that's all improve
if he did not and so this is private media package which is also a it is a lot of patching books have sold some of its it does it says OK I'm going to do all the false serving for you but I'm going to use a patch xn falls to actually then some the people which they it that this Apache service but has all the checking for using this you write the check proteins and like this you can guarantee that the static files of the media files more and he's obligated actually only seen by the user should be able to see it you some performance because obviously the the media all possible go to gender it will be checked and then China will hand after Patsy and the didn't but this is like like a relief in there and and 10 thousand requests and I didn't see any change in performance so I assume it's quite low overhead hello symmetrical Ajax is in
India as far as it goes gender a lot of things China brings out of the house that I have really nice don't want with Ajax anymore and I've got caught by the opinion about data to OK so if you use a if you have to use it to be really really careful don't for a lot of things are just not done for you anymore all this standard generated niceness that will come from the end is sort of emitted like escaping doesn't work properly but you can really
see wasn't multiple was really for all we've got this amazing mold you thing and that's request and response all you'd Ajax and the missile plant on top and the performance is not the best estimate of the noise in the most of it seems to be quite slow and is very difficult to get a right answer QI horrible codes there and I if you have to do digits needed in some other direction will be reading so friends and I don't think
it's so big but we still got enough right this is what happens if this is variable in the pantry when drinks so what we do is is we only include models really really need to worry careful what we include only when we start the service but we really really careful reconfigured again we only use configuration management to the so nobody is allowed to just SSH into the production and change something because it's easy which is a classic but it has to go through the whole vetting process which we have what we do the configuration and like this we tried to avoid student configurations and the 2 types
of today that's for most that's why I probably should not use gentry but use American law but it is also have used users new something that you pay for his busy I've had the experience with I've had very good experience with red Hat and stuff I know they're all going to have a very good packages embedded into the road class fixing packages I wouldn't know why you have production servers that end up in the Packers regularly especially SSH Apache I was counted right is 0 during their day exploits the talking hours 2 minutes you want to fix this because you're going to be 1 of the targets and if you haven't fixed until then your target so you rely on a small insisted that involve a 2 people speaking at that time FIL compromised so that if you really running production stuff dish out the money to get professional support only is was so we had this case we're running into that's why and actors because the zero-day exploit and since then we've been running event happens and also has
been amazing some can read source files which isn't that unlikely which happens quite a lot of people gain access and can reduce false false probably resource goes from not as big a problem as big of a problem if your source so a lot of companies rely on their source codes as being the business value that's quite horrible that makes but they say I've seen in settings the impulse words as the impulses being 1 2 3 4 secret keys being 1 2 3 4 it's not hard to solve get into the Earth's environment and not make it visible right away what I so last week
is OK and this is h he's Isola private it's as if all SSH key in the Repo because he was too lazy to sort out isn't home folder so could you give he had his private key in there he had to that so some
ongoing right into muscles falls that's of course I really really bad that can be sort of solved by using trip which is a really simple easy to but it's really nicely would never had a prominent some stuff and was this indexing and the forth this there is astonishing using I just don't get it when you on your directory and see what has changed and probably you know the father change anyway but is on the right and then only when checked get the repository again check your Commission again I've seen Reagan's happened because there were about conditions so can execute my this is probably like another really bad case what which is really easy the case is 1 summer use upwards of and you've written that just change the commission so you can't cognitive modify and he executed the center so you only read only every file that is uploaded by the user we get rid of a lot of problems as 1 line of work the so then so
you have to think about where sending my data and so somebody's writing your courage and that's really really bad but what what else can you do if you really can gain access to the database right so what we do is we disallowed in the on the database and we go even we say that the knowledge of the database so if so we can go ahead it is still read all the stuff in theory but you can modify our data so you can inject false data have we welcome the later which I cannot stress enough and obviously have source was region the someone can
modify media back this is like so that actually happens in in this story is they have this huge server and they backed up on this tape drives and like somebody kicked in the door took server and of course you protect but but I mean that there so that was encryption and everything on the machine but the drugs want this so the company and went bankrupt because of that the action and that they lost all their
business for that notify all their customers that never compromised and all the customers that so yeah about that may sound think about your house could use an extra process and a different user that is why the only storage which is really simple just like a drop box you push in there is somebody compromises you machine become compromise you back obviously using group storage on back and transmitted encrypted when I was a student we just put a halt in the network and what's in it for the network of the whole network and Westinghouse 10 geeks with amazing stuff that just seeing what everybody was doing so he's the right have been just get a lot of of blood in that and instantly see everything the just the so the typical thing is somebody brings up a machine in your network starts a DNS server your using some enough so that takes longer to respond and suddenly he's a backup machine right because the answers faster than the DNS yeah yes if I that if he goes with using encryption storage and transmission so yes yes that's another major version of the world that has very good at it as a base increment the back up and so on check and so so have a so have asserted certificate on your back so that and check that it's really the back-up so don't just push it to any IP address that you have is a machine because you can't rely Venus Dinas's is really unsecured just started in 7 network and you can take over promotion but never went back out so he had when you are acting as an area when you when you the cost of keeping a back is Newton nothing nowadays so why would you throw away something like this the next time someone in real traffic and then encoded using musician appears it's known
technology get signed so I know Nagel I know it's nuisance actually but people will expect and people don't trust a service if you don't have it and it it doesn't really help if you you can't you can't I mean certificate authorities that been hacked new certificates have been issued is I think it's worth it but just use ship yes sniffing the network here in this question how many people get their e-mail unencrypted uh just Paul I'm just saying that all unencrypted just encourage you
don't know where your traffic is going he just he doesn't mean enough people have that apples and the browsing websites and anybody can go in and see what's the network or you know you get proper this that everybody going so the the encryption technology the standard they work the NSA can crack but then as they will come and she kneecaps away right so we're not talking and they had security here we're talking the the average guy with a laptop sitting in a conference room doing networks that have of his love them to have a concealed in China that you very easy configuration setting falls below setting parameters to ensure this policy don't you could consider government of network and especially session so only can be your database so this is a
classical thing but once only hacks machine does select on the user database and states that by and then he adds a new user that has admin rights so he has and on the whole system all the normal steps you'll see in any compromising situation all get all the data you can all the possible hashes I deliberately didn't go into hostile passwords to if you don't know that you shouldn't be doing programming sorry if you if you don't have to apologize if you keep you posted something text leave getting a job I'm sorry you lost have I have to be honest with you if somebody say the text passwords just not builds don't know what's going on I have no advice for you here so we do
now if we do these really interesting process girl stuff with a lot of stuff is not very scalable not recognized and so we do these other things that we are right to delete methods and stuff that if somebody can execute them with a lot of to delete and the override the Bayside manager the movement to be like filter reduce objects and their policy in a compromising situation that doesn't really help because somebody can't just uncommon those functions of relying on can enter the code become restart the server so we solved got some security there the yeah so we did the model which is probably the worst idea thinking about it but anyway we just don't allow the database so this is just sold background for security reasons but said but I've been working on something that which is not finished yet which I hope
all finish at some stage and I love you input on this this is 1 of the reasons I guess process well that's what we do that's what we do say you have this space he had this process called a commission so this function
is just we added to make life harder and fullback programmers to get compact response because some of our system was covered in the routine work improving working so we added this script that there of but exactly so so the problem that you have that if somebody's managed to get into your python executable he can override all that's because what you can do you can just you can just put the super function here instead of that because you can just take the method of the right so if somebody so the 1st somebody comes in he mentions open Python shell in your browsers or in in the web service and and also audio coders in there and then he can always write everything so the security the that doesn't really help because any real threat scenarios 81 about programmer yes this helps but news sort of assume your code should be good or somebody is coming to your web server and you've got access to the executable files and then you can just write this to to 1 of the you really can array of have on the yes we close this idea you all it exactly so this would be the right thing to run into into the delete or you get all what we do is we also the filter and the and to get exactly and then you just sort of secure that everything that goes on top 1 was destroyed but anyway and then I can find anything
fold with was secured by the process go permission stuff is really hard and really easy to get wrong but I didn't know if I can find anybody reading units but was really really try to hire people and we couldn't because nobody really knew and I we conflicts in the code so what can you do yet new layer in between and I love you go this Republicans coding this basically and I don't know if it really hard for her to make sense but maybe because money is sort of your feedback after a few minutes so so they the work done is i've written the server then himself as process well that the verifies 11 credentials with the rules of and takes many policies queries and just the queries grades for
the 0 very simple when most of them you know so that there is high alert and queries from a test cases the global test are run and I know which test is there and I also have like some user behavior scripts that will extract from large data so I you how does a user react what diseases submit and then use this to get the train my my security model and then for now I have to tag variables mainly but having the future this script will learn automatically what's available what's not and so I write a a regex which says this is how it looks like and then as soon as and try to write about the fate of the train and then I put a big rejects treatment of the they basically and as soon as something doesn't match of registry I said OK I don't know this theory 108 and so when we deploy this will get you notifications already running on the shell and accrue to start stop there and I'll just that yes I can this looks good was then the and and it will learn this hopefully on ABC discrete training set and so forth so hopefully at some stage will have a complete rejects with all the queries we would expect from the set so many I want all of the knowledge I signed a trusts variable between 0 and 1 to each query this is really crude but ideally it you'd say OK this is my longing database queries that have trust all 0 . 
2 you they can go modeling because I don't really care about that but my user database anyone agree on the trust level 1 would be 100 % is really trustworthy is specifically allowed in the rejects and it can also have hand-crafted rules so basically this is like the standard rule that's disallowed select start from users love this is not happening at about this and cognitive ability but selects from users where username that that that sounds like something no 1 would run so I say this is OK want want to add in the future is that can then specify this is only allowed to return 1 record because then that I could say that if evidence to record something's wrong or you're not allowed news is never actually uses never allowed to return more than 1 record if you just dedication right so everything unintelligible than 1 1 records that but currently I'm just pipe result the intended is really exists please go ahead human something sending e-mail tomorrow morning will but asleep moment yeah so
that you feedback on that what you think of lot to randomness then another thread something someone sees something you shouldn't gender is amazing in this respect I really liked and we just do decorators at required and we have to work and decorated check permissions that the user has to the owner I would you added authors and that's and this does all that checking for you and this is certainly the so from the experience for errors but
don't Procter get something and if it's empty just propagated through and for a 500 somebody at the end for the error as early as possible we have things happen within null values the next threat to national program and so what can we do database so let's say somebody had machine and others said the 1st thing he does is he does select style users right so what you want to do is what your database to included but you want the user to absence of k the database encryption so this is really nice
encryption library what was I don't know how to pronounce which is what we did is we overrode the debt to Python and get the body a base at all the communication dies out of the database and as long as the text field and a chart fields we don't encrypt integers is introduced by the key of the project and
like this if somebody's manages to do select databases you at least garbage for the text fields all text data in the future we want to rule this out on images to the problem with images is a city that that we don't have if you decryption image on the fly client so we had and we needed this use of we can afford and it was just it's really really hard to do properly and fast but the database it works value because Texas very small very condensed as fairly fast we've got some performance overhead obviously and he use some careers you shouldn't be doing anyway but like queries and stuff like that but know me these result in full table scan so in most cases they should be doing them anyway we should have an index of course is indexing I started writing included index but unintelligible so the new power is needed for this but I think it's worth it because the actual overhead we have is not what what's limiting us on the machines and gender extensions has something like this and a lot of influence Kanchenjunga extensions that we copied a lot at yeah so this is on the field level 2 so what what we write is models start encrypted text fields models topic at to chop you would it takes exactly same parameters inherits from those fields and everything we do is when we serialize the database being corrupted and when we it's again the result from the dead with with cryptic so only see you still got you all clean text in memory I sort of look at memory encryption and couldn't find anything good and that was performance opened these the along that respect but sort of assumed if somebody's hacked our memory that you got would work yeah with anyway uh then I think I'm hearing more and more now
the user's interests associated especially was always a thing coming up with this whole yeah services out again a lot of so I see a like I here we include everything client side and and you know that we only uploading encrypted stuff to the server and then so if we had a very interesting discussion of the balloon January stunters about this and that and then that to the trust the 7 giving the right script but they don't trust the in handing the data the
showed in the service of bad would just inject some JavaScript we just inject about key and then we still decryption so this is a discussion I find followed up like was deemed a handful of Korea that makes sense if these if the user doesn't trust you you shouldn't trust just because getting from you but because this all defines logic so I agree include encryption client-side JavaScript is really cool if we would get this is everywhere would be amazing as additional load on the servers would go down this is 1 you did not receive trusted our script so in a way we investigating right now is that we will have a plugin that comes from Mozilla whatever and that verifies a java script that comes from us and all just observing so even if we would inject some bad JavaScript the plug-in would allow and this acts critique if someone would have also risen interact bachelors script of applied to come up and say that this is not true that is we still hope to have a transparent way of doing it I don't will be doing this yes you yes so so this encryption and Johnson was really really slow so the 1st problem I ran into is true random numbers I didn't find any good implementation Java script of a random number generator everything I found that it's time to have have which is so that's the 1st thing the API will hopefully they talk about a true random number generator and then the problem with just but is that that's although in modern ships they have these really good convergence that's why hard disk encryption doesn't cost us anything that's why I was encryption stuff is really really fast because it was literature on the chips and they would just above the Theobald description libraries that runs on the main CPU and that's really slow because this city is not made for encryption so a exactly yes so the problem still stays yes you can include that even for the new JavaScript API stuff you can include that really nicely on the client but is still pushing it deserves interest so 
there's a lot of I think there's a lot of work to be done there maybe some offline joules good features here as well the next 1 all the interesting and they yes results on yes yes I read about that too but I don't any browser that supports it what you yeah yeah exactly so we sort of what's there but I read about and that's a very good idea actually to to develop 1 from see without approach is that updates within quite slow because I mean we rolled up to 3 times a day so we we have a very small number of and DNS has had the hype that accepted the need that that's so it is experiment was done this just so the direction we're going have not yet but it will hang around and we cannot I have and so the idea that the plan there so the plug-in busy with the planned other verifies was the head so what it does is it takes the whole head section under the and passionate of causing a but scripts someone the texts but we haven't done that yet but yeah so the idea is that if you have a job groups of souls and everybody consult generate the hash so in some way there's a plug-in actually displayed in sort of trust then I have a really nice solutions otherwise giant is amazing and all the possible
Scripting News at enabling its use it it's just such a good job at that never use the safe decorated basically you again a whole world of pain is just so nicely coming from from program web servers and c and just sitting our skull injection dealt with in this amazing you ahead injection all this stuff is just going and and then again
a personal story of the threat detection working perfectly but no 1 responding to the e-mails and actions happened a month ago but it was his job that was his job and also and so nobody and assembles happened was standing there the base to some ways on that so the so act and it was in in in in in so be sure that you
notice when you have that least this some papers some research done on this by the University of Oxford that if you know it is more important notice when a service being hacked and just destroy it but actually preventing acting I don't have do that but I sort of like the approach that sold monitor really hardcore yourself and if you notice anything with without so you just can but you just freeze a for analysis later but it's not the productions of so I can't stress this enough have a central long I've seen of many fishermen have a central I know people that have 30 40 servers huge service that don't have a central log e-mails are not enough I get a few hundred e-mails every day if that goes into spam I will never read have therefore lots so what we do is all our error messages go to too busy above tracking support tracking system so if someone thinks so as to take something that creates a tracking cookie they our tracking task and 1 of us has to follow up because otherwise it's open but it's the 1 that has to go back and say OK I've done this sold and we have modification propagation that if somebody has an acted task in 24 hours we know his balls which is incredibly effective had that you had a question of the yes yes so the idea is that you put new so as always he was doing it but I know I read the paper to musical notes I for us flaws in the eye and you got like you got what happens if the modifications wrong right just short of use every time it was of little picture of his family and somehow it's a different color encoding and you and I don't like the color encoding and the this session times out was not news experience you want right and I find it very hard so they did they froze a machine and they then analyze it later but I quite like that we get an e-mail all ticket and then we just go in and check right what was happening and we also see that it's a real factor which has happened so far all it is something we can expect that cannot unstalled 
modifications of yeah so if you ask me stuff and
check out the work have to the the
yes what do you think the so we put everything much less anyway because we've got multi I personally think book makes a lot worse because I know how programmers to system and I wouldn't trust but there are some programs that can do it without question but I've seen so the fabrics that scripts I've seen in my time when programmers to didn't ployment as promised hold them saying right it's always summons against programmers and I quite like just a point from a good tree and do the whole staging old school approach that book is very good if you have a lots of developers with different machines that deploy rapidly that I wouldn't I mean how does it contain security threats and respect it might contain in the docket but it also doesn't approach machine right so yeah but we we do that commercialization in it's yes but yeah yeah it's process isolation would we do a specialization But we do actually was physical machine and that is that has hampered so that I agree I mean prices isolation and I'm various sources has come to this because of a few years ago I had my Firefox emerge machine overcome was circulated of security holes in the books but I don't know why I mean precisely has been around for 30 40 years in and it hasn't really happened yet but I agree I haven't played around with over to much to to do that it we don't was legislation that's that's why can say which is just the beginning right that so we have a we do on the local machine because we have a crime job that has a nifty Python script and then we have a duty trucks that take all the locals in and the marginal that but we do that 2 times a day we have a bigger job that keep kicks in the locals because we have some historical analysis to going on there and for example we also do is we have user behaviors so imagine a timeline and you have clicks all actions on this timeline and so we do is use a bigger changes over time so that a user will become more proficient as long as you belong uses software but what 
what you can do is you can sort of see how advanced the users and then if he does something really weird at some stage because sociogenesis should be doing at the beginning and services go from using it with the head of household would have had have the average case we've got quite nervous and those of the girlfriend killer something using is account but a we do that do With these present classical MapReduce that we're looking at stratosphere and to do that was a stream processing which isn't ready yet I haven't found a really good real-time stream processes yet indicator of I we do really really slow real-time on the machine and if you just look at analysis when we stream it all to the master the yeah that's an interesting question that I don't know what you're not so the that we saw the keys on the client and he gives us basically something to decrypt that what we do now is we have a really locked down database that's all I'm going to say hey that had had so we still have all the keys in 1 central repository that just because we haven't had time turn to have a proper key distribution and so all no so select all users doesn't work now anyway but no it's it's a totally different system itself as it turns out the storage is something that would talk to mention how they but uh I know it's not 100 % secure because ideally would want to do is have the pulse would generate so the the the decryption but I have found a really nice way but it's only loses password all we have this sharing feature that many people can access and the document becomes incredibly complex if you want to do this key encryption like that and they look at another methyl something but I haven't figured this out here that that's enough for now because time is limited we just have really secure storage which is 100 which hopefully it secure then and he had stated that this is a modified cobras held out being basic so we had the 16 shot so roughly 20 machines from the point of it more and we use a CP 
if had that and then we do the analysis on the caveat and that the time I know there are lots of solutions of the and I know there's there's a lot of them are descended upon the supports of now what we do is we the SEP and then we does have meaning that reads as follows which works quite well because we just have a nexus ICP that he is open and we stream to the full so that you get William bunches of SSH being corrected being very fast we have the keys of educational last and we just we just train basically and and as such has been incredibly good so it works when it was a act and it works i we detect when essential comes down so we know when a machine is a hard problem he was 1st so has to be the wall was that what exactly of if you all these things there's lot the
all so busy just freezing right we have budgetisation just through the machine and put it somewhere safe and then analyse it not being liable that on this no you can't you can't edit this protein could you can modify the whole point of the problem can modify if the value on the right and on the internet knows nothing that the changes might have had yes of course is not perfect I agree it's a policy I just haven't had the time to optimize it with very small taking things that I have that the exponential growth which is horrible right out of the they will go to the that's fine have yeah yes but always 1 user to get in so OK so we no user that so what we have we have a normal user group is not by a search so we have a standard there but I don't actually know the password because a new creation I just set of mass random possible but that is has to and then can get rich and that's how we run the configuration that have you always need 1 use it again I wouldn't know away I mean what I've been thinking about using LDA 2 busy have 1 central user but we still manage but I don't see the big advantage yet that yes yes when I mean we have accounts we have w w data we have process grail both those users that have a shell didn't have a stage access it and so you still have that 1 user that we can get into it but a few people have specific to go into and I hope that people tend to stupid things happen the based on this 1 cylinder have Quebec the secure storage thing silos something sold has this really cool secure storage a container where community suppose would enable distributed in a secure way if you can the no no so actually think theUS although actually turn out so you'd actually you could get rid of your user he really wanted to give sort of get old master and configuration fall from the lost periodically but I wouldn't not have dared to do that had the so again physical access is that right because such as if it is exactly that happen a lot myself out of the machine but 
this project 1 of the project and I just went to the version machine of the console I rebooted the machine that single the demographic and over time all that is in brackets the best for me something I thought about it the dashboard all of your virtual machines is for the most important thing you've got to develop also does not hold in in uh because as soon as you can read the machine and you got the dashboard is compromised the so yes yes that will come to me I mean we've got that was you know about ready but the bullet will be up on my phone and I haven't gone that far the sh that going that that's what we call it's not so in the future will probably have the so this pamphlet The Paris to factor authentication rules have been around for years as well tested is that I mean this was 2007 we used elder was to factor authentication couples and it was perfectly I mean you just have to buy is quite expensive or sorry tokens and that will happen in sense he has happened when it's page that we bought thousands of them and everybody had a carry around it was horrible to to maintain and then news came and if they had like but yeah so that would be nice so getting to think of an additional X is any editing fine line think of just add the rule and the patterns that because of this 1 of the more and there is also 1 is a better in exactly the we just below ranges it is not a synchronized sieges and things of that of for me the future I think it was friends that it was going to have to act on the phone and it's going to phone in Inferno cause my friends online all the time but I haven't seen anything useful there was let's maybe the questions all comments nobody comment my genius idea of the self learning as the logarithm is a light this is almost hunch that have all the main point had at the uh cook the thank you for listening policy at the beginning who think that