DjangoCon US 2016: Day 3: Lightning Talks

Formal Metadata

Title: DjangoCon US 2016: Day 3: Lightning Talks
Part Number: 32
Number of Parts: 52
License: CC Attribution - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this

Abstract (speaker timestamps):
00:15 - Andrew Sauber
05:04 - Justin Caratzas
09:21 - Dan Davis
14:02 - Adrienne Lowe
17:10 - Kevin Daum
20:52 - Ethan McCreadie
25:02 - Dan Dietz
29:56 - Phillip James
32:56 - Haris Ibrahim K.V.
Transcript: English (auto-generated)

My name is Andrew Sauber. I'm sure that if we all woke up tomorrow and our bank account was at a zero balance,
we'd be surprised, to say the least. If you use online banking, this is a very real possibility. Banks, retailers, and health care use the same cookie-backed sessions that our web applications use to authenticate user requests. Today I'd like to present Session Armor, a protocol that I'm developing as part of my graduate studies that aims to protect against session hijacking
and provide robust replay prevention. So first, let's review the vulnerabilities of cookie-based sessions. One thing to note is that sessions are bearer tokens, which means they're static for the duration of a session, and they bear the burden of authenticating all requests. There are a number of opportunities to steal this token. First, if the client connection isn't encrypted during authentication, then all bets are off.
This is why our login endpoints at least use HTTPS. If there's a cross-site scripting vulnerability on our site and we haven't set the HttpOnly flag, then any injected JavaScript or a third-party JavaScript library could ship off session cookies to an attacker. Also, packet sniffing during a session, if traffic is unencrypted, provides an opportunity
for the session token to be stolen. This is called sidejacking. And lastly, something that I haven't seen really mentioned before is rogue browser extensions. So you download a screenshot browser extension. It could be in the background, if it's given permission, shipping all of your session tokens off to an attacker.
So I was curious as to how many sites actually use these protections. So I developed a browser extension called SessionJack that deactivates the cookies for a given domain one at a time based on the protections that are being used. And if I was still logged in, it meant that the protection wasn't being used. And what I found was that about 30% of sites,
their session tokens are potentially vulnerable to cross-site scripting. 50% of sites, their session tokens are potentially vulnerable to sidejacking. And 99% of sites use cookies for their session tokens. I think that we can do better than cookies. This is why I'm developing the SessionArmor protocol.
The specification is still in flux, so I'm not gonna go through it in complete detail. First of all, the server creates an opaque token, which includes the real session ID. So this is a layer on top of our existing session tokens. It's symmetrically encrypted and sent to the client,
including an HMAC key that the client uses to authenticate subsequent requests. HMAC is a way to prove ownership of a key without revealing the key itself, and can also authenticate some associated data in the process. Your clients will use HMAC to authenticate their requests to the server. Once you have an HMAC,
you can implement two types of replay prevention. If there's a timestamp in the HMAC, when the server verifies the HMAC, it can reject stale requests. So this is time-based replay prevention. You can also have counter-based replay prevention, which incurs some additional server-side storage,
because the server has to maintain the current count, and I'd recommend in a bit vector so that you can have some out-of-order. You won't reject requests even if they're out-of-order, and this is absolute replay prevention, but requires you to have an additional cache of basically the counter that each of your clients
are using. I'd recommend something like Redis or whatever underlies your Django cache in order to implement that. So some of you may know that HMAC is nothing new. Having this kind of opaque token is nothing new, but I believe that my protocol has a few advantages. First of all, there's a setup phase to choose the HMAC algorithm
in case there's a vulnerability found. For example, SHA-1 is not allowed. It's only SHA-256 and above. You can configure the headers that are authenticated, like for example, if you have some cache control headers that your intermediate proxy might not be able to,
might not have the HMAC key in order to authenticate to your backend. There's optional custom header authentication. Counter-based replay prevention is optional, and it leverages an existing session infrastructure rather than replaces it. So it's a layer on top of your existing session tokens. Once the server authenticates the request,
it decrypts the opaque token and then just passes your session cookie down to Django so you don't have to modify your application code if you're using this. I have a very early proof of concept implementation as a Django middleware and as a Google Chrome extension up on my GitHub if you click repositories, and you can reach me on Twitter. I accept DMs at WK3AS.
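The request-signing and replay-window mechanics Andrew describes, as an added example that is not part of the talk or of the Session Armor code: a server that negotiates a digest (SHA-1 refused), issues a per-session HMAC key, and verifies signed requests with a timestamp freshness check and an IPsec-style bit-vector counter window that tolerates out-of-order delivery. The opaque token is simplified to a server-side lookup table instead of the symmetrically encrypted token the protocol uses; the X-SA-* header names, the 60-second skew bound and the 64-bit window size are assumptions.

```python
import hmac
import os
import time

# Digests the (assumed) setup phase may negotiate. SHA-1 is deliberately absent,
# mirroring the "SHA-256 and above" rule from the talk.
ALLOWED_DIGESTS = {"sha256", "sha384", "sha512"}
MAX_SKEW_SECONDS = 60   # assumed freshness bound for time-based replay prevention
WINDOW_BITS = 64        # assumed size of the out-of-order window for counter-based prevention


class ReplayWindow:
    """Sliding bit-vector window over request counters (IPsec-style anti-replay).

    `top` is the highest counter accepted so far; bit i of `bits` records whether
    counter (top - i) has been seen. Out-of-order counters inside the window are
    accepted once each; anything older than the window is rejected outright.
    """

    def __init__(self, size=WINDOW_BITS):
        self.size = size
        self.top = 0
        self.bits = 0

    def accept(self, counter):
        if counter <= 0:
            return False
        if counter > self.top:
            shift = counter - self.top
            # Slide forward; counters that fall off the window can never be accepted.
            mask = (1 << self.size) - 1
            self.bits = (self.bits << shift) & mask if shift < self.size else 0
            self.bits |= 1
            self.top = counter
            return True
        offset = self.top - counter
        if offset >= self.size:
            return False            # too old to track: reject
        if self.bits & (1 << offset):
            return False            # already seen: replay
        self.bits |= 1 << offset
        return True


def canonical_string(method, path, headers, authenticated_headers, timestamp, counter):
    """Bytes both sides MAC: method, path, timestamp, counter and the configured headers."""
    parts = [method.upper(), path, str(timestamp), str(counter)]
    parts += [f"{name.lower()}:{headers.get(name, '')}" for name in authenticated_headers]
    return "\n".join(parts).encode()


def sign_request(token, method, path, headers, timestamp, counter):
    """Client side: build the armor headers to attach to an outgoing request."""
    msg = canonical_string(method, path, headers, token["authenticated_headers"], timestamp, counter)
    mac = hmac.new(token["key"], msg, token["digest"]).hexdigest()
    return {
        "X-SA-Session": token["id"],
        "X-SA-Timestamp": str(timestamp),
        "X-SA-Counter": str(counter),
        "X-SA-MAC": mac,
    }


class SessionArmorServer:
    def __init__(self, digest="sha256", authenticated_headers=("Host",)):
        if digest not in ALLOWED_DIGESTS:
            raise ValueError(f"digest {digest!r} not permitted; use SHA-256 or stronger")
        self.digest = digest
        self.authenticated_headers = tuple(authenticated_headers)
        # token id -> real Django session key, HMAC key, replay window. In the real
        # protocol the first two travel inside the encrypted opaque token; only the
        # window would need a Redis-style cache. Simplified here to a plain dict.
        self.sessions = {}

    def issue(self, django_session_key):
        token_id = os.urandom(16).hex()
        key = os.urandom(32)
        self.sessions[token_id] = {"session_key": django_session_key, "key": key, "window": ReplayWindow()}
        return {"id": token_id, "key": key, "digest": self.digest,
                "authenticated_headers": self.authenticated_headers}

    def verify(self, method, path, headers, now=None):
        """Return (django_session_key, 'ok') on success, else (None, reason)."""
        now = time.time() if now is None else now
        try:
            state = self.sessions[headers["X-SA-Session"]]
            timestamp = int(headers["X-SA-Timestamp"])
            counter = int(headers["X-SA-Counter"])
            presented = headers["X-SA-MAC"]
        except (KeyError, ValueError):
            return None, "missing, unknown or malformed armor headers"
        msg = canonical_string(method, path, headers, self.authenticated_headers, timestamp, counter)
        expected = hmac.new(state["key"], msg, self.digest).hexdigest()
        # MAC first, in constant time, so a forged request cannot consume window state.
        if not hmac.compare_digest(expected, presented):
            return None, "bad mac"
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return None, "stale timestamp"
        if not state["window"].accept(counter):
            return None, "replayed or expired counter"
        return state["session_key"], "ok"
```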
Thank you.

I'm new to this, sorry. My name is Justin Caratzas. I'm the director of technology at Narrative Content Group. Would the tech department of Narrative Content Group please stand up? Where are you? It's two people. We have a family of content sites such as mnn.com,
Mother Nature News Network, something like that, and we have treehugger.com as well. Hopefully nobody at my job will see this video. But anyway, we, in front of our content, Django-based content servers, we run PageSpeed over Nginx, which is fun,
until you have to upgrade it, and then it's terrible because you have to compile it. We have about 20 servers, give or take, across all the sites, and recently there was a security update for PageSpeed. I think it was back in February. At least that's when I caught wind of it.
I was not going to log in to 20 servers. I'm way too lazy for that. We use Ansible heavily to deploy our application, so we wrote an Ansible module for it. That is the readme for it, which is probably the best documentation for it now. The actual role is only about 100 lines of code. How many people use Ansible?
I might be talking to Ansible. And do those people also use PageSpeed? All right, so nobody's gonna use this role. That's fantastic. But maybe somebody watching the video. This will help one person, I swear. So anyway, the problem with Nginx PageSpeed, if you're unaware, is that you have to compile it, which is, yeah, hopefully in the future
they'll have dynamic modules like Apache does. So anyway, we're able to, so the Nginx role does some cool stuff. If you're interested in Ansible at all, there's some cool features with this role, which is the reason. We have about 25 roles. I chose this one to talk about, not the Django one, which is a complete mess. This one has some cool features, which I'm gonna try to review.
So again, when you're compiling Nginx, you have to give it a bunch of build options, which you can specify with this Ansible dictionary that the cursor's kind of near right now. These are all configurable. You can extend it. You can change it, do whatever you need to do.
And you'll be able to install Nginx just by specifying the version you want and the Nginx version. So it'll compile Nginx and the PageSpeed module and this other thing called PSOL, which you need to get PageSpeed to work. What it does is it's actually gonna build out using the version numbers. It's gonna look to see if you have it already downloaded
and then if you have it downloaded, it'll try to install it. So with Ansible roles, I'm not sure if you all know, idempotency is a very important thing. If you run a role twice, it shouldn't really do anything the second time. Everything's already configured. It shouldn't be re-downloading. It shouldn't be resetting configuration files or restarting servers if it hasn't actually done anything.
This role, thankfully, is idempotent. So we have a lot of checks and stuff. I'm gonna try to navigate. Task file, main, hopefully it'll just, yes. So this is the actual Ansible role itself. You can tell it's, I don't know,
this could look Greek to people that don't, I'm actually Greek, so that's a little bit meta. This could look a little weird to people that, but anyway, it's basically the each, I guess a little tick mark on the left indicates a step in the build process. So you can see we download nginx, we unpack it, we configure it.
We do source stuff, we set variables and then we finally create the directory that you can actually put your nginx site configuration in. So that's really cool. One cool feature that I'm gonna do before I get out of here is what's known as the custom Jinja filter plugin. So Ansible uses Jinja as its templating engine.
I wrote a custom filter that turns those build, that build dictionary that I pointed out to you before, the build options dictionary, into the actual command line that the compilation step is gonna take. So that's how we make it extensible and easy to use. And I'm done, that's it.
Thank you, Dan.

This is about antisocial authentication. So I'm Dan Davis, I'm from the National Library of Medicine. There are a number of us here and we're switching from Django to Django from a number of other languages, especially ColdFusion. So, oops.
So what's the problem? I want to tell you how we integrate Django with NIH login, our corporate identity provider.
Most of the auth tutorials we see online are about user registration on the web, but most of the apps we implement only allow logins for corporate users, even if their public side is available on the web. So we want to implement single sign-on with this badge and we want to do it with common code
that can be used by multiple internal apps. So why is this hard? I mean, we may think that we can use, well, remote user middleware with some sort of Apache module. We may think that, oh, we'll just use the LDAP authentication. Well, we're supposed to use NIH login because we don't want our applications handling passwords,
even if they are SSL. And NIH login is antisocial auth, not only in the sense that we don't want to authenticate Google, even though it does technically support that, but because it's based on CA SiteMinder, which means it is also based on SAML.
That would mean every application needs a certificate and key tied to that application. Getting the certificate and key can take like a month for totally non-technical reasons. Finally, we also want to see the same auth in our development environment so that our Selenium integration tests can handle pages that require authentication.
So our systems guys will want us to do this by installing CA SiteMinder, and that makes controlling particular paths outside of slash admin something we have to do by committee. And our application may have REST paths and we may want only to protect updates
to our REST endpoints. Fortunately, our tooling team has already implemented a CAS server and they protect the login on that server with CA site minder, causing CAS to be what we need to integrate to. And CAS is friendly to developers.
You don't need a certificate for each app. It authenticates the URL. It's not quite as secure though. I mean, it's really authenticating just the URL, but that does mean that localhost 8000 can be okay because the regex says localhost is okay. So our system guys are used to this
and they would still like us to use an Apache module. This time, mod auth CAS. We don't want to go this way. We still want to customize what URLs are protected ourselves, and we still want to see the same thing in the development environment as in production. So we found that Django CAS NG,
the NG stands for next generation, supports all this. It can integrate with the central authentication service. It supports protecting a URL range such as slash admin through settings. It supports decorators such as login required.
And we've also enhanced Django CAS NG to add some extra security. We want some functions to work only within our subnet. We want to deploy our apps so that the admin side and the public side can be deployed together on the same application servers.
This is not what we've done with ColdFusion and there was some pushback on this. But we want to make sure that admin users are only coming from our own subnet. So that includes a decorator, a middleware, and a context processor. And the context processor helps us to have our admin navigation in our web apps
so we can show that link only to users who should be allowed to use it. Thank you. I'm gonna hang out up there on floor G if there are any questions. Thanks. Thank you, Dan.
I want to talk to you about Django Girls and in particular something that we do. Every week we publish a story from a woman who uses Python and Django. So if you are a woman who uses Python and or Django,
well, you know what I mean. Or if you know a woman who does that. So I'm hoping that covers everyone in the room. If you are or know, this talk is for you. I want to hear your story. I want you to email me at story@djangogirls.org.
So what is your Django story? Your Django story is an interview that's published weekly to our official Django Girls blog. It's blog.djangogirls.org. We try to publish a new story every week. I'm the one who publishes them. It's really exciting. All experience levels are welcome.
It doesn't matter if you're new to Python or you've been doing it for years, we still want to hear your story. And it is a great way to share what you're working on or care about with the community. So Anna Schneider talked about what time here. I interviewed her a couple months ago and now she's at DjangoCon. So it's great if you're trying to build your brand
or you want to share your story or what you care about. There are lots of opportunities to do that. So I just want to go ahead and put out, these are the questions that you would be asked. All the questions are optional. They're the questions that we came up with and that we think work, but you don't have to answer every one of them if you don't find it relevant or if you don't like it.
How did your story with code start? Tell us about that. What did you do before becoming a programmer? What do you love the most about coding? Why do you love Django? What cool projects are you working on? So pretty, pretty easy. This slide is not in the right place, but this is an example of a recent story we had.
We share an image if you're cool with that. I love this story. You should check it out, Anna's story. Here are the other questions. What in your life are you most proud of? You could say your kids. You could say your family. You could say your partner. You could say something you built. What are you curious about? What do you like doing in your free time?
One of my favorite parts about this interview series is this question. What advice do you have for newbies? I care a lot about code newbies. I care a lot about folks who are new to programming. And if you read our blogs in these interviews, this is where some of the best material comes from. It's usually what I use for our tweets. So love to hear that.
And if it applies to you, if you attended a Django Girls event, what did you get out of it? How did it change your life? And that's, you can come at that angle either as an attendee, a participant, or as a coach. So it doesn't matter. So I hope I have convinced you or made you think of somebody who you could talk to about sharing their story.
Please email me, story@djangogirls.org. We'd love to feature you, get you queued up to be published. Thanks so much. Thank you.

I'm gonna give a content warning at the start. I'm gonna mention sexual assault, but just kind of in the reporting of it.
So last year, Kelsey Gilmore-Innis gave a talk, I think it was called, at DjangoCon, I think it was called Making Django Really, Really Ridiculously Secure or something like that. And she mentioned, it was about a project called Callisto. Who here knows what Callisto is? Okay, good.
So for those of you who don't, Callisto is a tool right now that's used for reporting sexual assault on college campuses. It's designed to be kind of a more empowering reporting experience and it's trauma informed. And it's also designed to kind of facilitate
the identification of repeat assailants. And so it's based on this information escrow concept. So you can report, something happens to you, you can report the details of what happened to you, like when it's still fresh in your mind,
but then decide on your own time when and if you're gonna do anything with that report. So it belongs to you, it's encrypted, it's stored in this third party place where no one really, other than you, has any legal authority to access it. Even if they're subpoenaed by a court, it's all encrypted and you can only decrypt it. So they can't even get it that way.
And then you can decide if you wanna report that to an authority. But the really great thing is it has a matching feature where you can identify your assailant. Right now it's via a Facebook URL, since almost everyone has Facebook. And then say, if anyone else reports the same assailant,
then automatically report. So both of your reports at that moment will get reported to the proper authorities wherever it is. So it's used on college campuses, but it's a general, the system and the core reporting machinery
could be used in a variety of situations. It could be used in the workplace or in the military or any kind of place where we're reporting confidential information about something that's happened to you where that would be important, like this could be used. And so the reason I'm talking about this
is there's gonna be a sprint. I'm gonna organize a sprint on Thursday and Friday to make a, Callisto recently open sourced the kind of underlying escrow code and the encryption of reports and all that. And we're gonna work on making a generic Django app that kind of provides an example
of how you could implement that stuff in kind of a generic way, hopefully that other places could then use in their own kind of organizations. So if you're interested in working on that, then find me tomorrow morning. There's a channel in the DjangoCon Slack called Sprint Callisto.
So you can find us in there and once we figure out where we are tomorrow. And we could use basically, I can't imagine a skill that we couldn't use, like where there's gonna be documentation writing, front and back end development, design work. If anyone has any kind of experience
with trauma informed design, that would be super useful. But really, I think whatever you wanna, however you wanna help, I'm sure we can find a way for that to work. So, thank you. Thank you, Kevin.

All right, so who here has heard of DjangoMakeConf? I work with you.
Nobody's heard of this. It is a library, it makes conferences. No, wait, it generates configuration files. So why would you wanna generate a configuration file? Some of you guys probably use Ansible and Chef.
You have this whole ecosystem made there. And it's always right the first time. I'm sure anybody who's used Chef, you get it right. But I've been using a lot of platform as a service stuff. It's really simple. And I need to get like one setting into my application. Who uses Heroku? Elastic Beanstalk?
Okay. I use Elastic Beanstalk, but I think all this stuff would work for Heroku too. And if anybody wants to help me make it work for Heroku, I'll cover that in the last slide. But basically, I wanted to use my Django settings file that I already have to just generate other files like a Dockerfile or something like that,
rather than having some whole other ecosystem. So I made this really complicated system that uses Django templates, which we already know and love and Django settings, which we already know and love to create other files. So I'm using like PyDanny's configuration. I use different settings files based on the tier I'm using.
And I just include a couple of extra settings in these files or use settings I've already got to make my templates work. So you might end up including AWS bucket names for deployment or role names or resource locations. And you might put these things in any files,
cron files, Docker files, whatever. This is an example of generating, as a template you would use to generate from your settings. And you can see it's taking like your credentials location, which is gonna be a link to AWS and like an Elastic Beanstalk role name in this case.
They don't use the bottom of this. I shortened it a lot. This isn't actually how AWS works. But it fits on one slide now. Anyway, but you just got a couple of things that are coming from your settings. And you could use that to deploy different credentials based on the tier you're in.
Hopefully you're not using the same credentials in prod and who knows. I also made a little helper to get settings from the environment into the template and it ends up working like a filter. So you have to load makeConf to get Environ, but you can then, like this is, Mikey built this, he's in the audience. And this uses Jenkins environment variables
to put a little footer in his site so he knows which, like did my code deploy? Is this the release I thought it was? And that's just getting environment variables. And to set it up, you use a map. There's two ways to do it, but this is sort of, you can just make a map
and you're saying, I wanna make a file called Dockerfile and I wanna make it from this template and it will have access to your settings and your environment. And that's just gonna generate a Dockerfile in the current directory. The other way to do it is with Elastic Beanstalk modules and I can imagine having Heroku modules also.
They're not published because they're all secret, top secret, and I made them at my job. But you can have modules for like different things, New Relic or HipChat, or if you use Sass and you need certain dependencies, I just have little modules that drop in and this lets you put them kind of in order in case one is needed before another one.
And you just run it with a management command. So I do this in my Jenkins build. Using the settings you wanna use, run make conf, generates files, it's magic. And I'm accepting pull requests, thank you.
Well, my name is Dan Dietz. I'm one of the partners at Bolt Effect, a Django web development agency in Greenville, South Carolina. Last year I gave a lightning talk on Fabric Bolt, which is a Django project we support that allows you to run Fabric deployments right from your browser.
So you can be a project manager, click a button and it goes. So it's really cool. And so that's up there for SEO reasons. We just added channels to that project. So Jared has a pending pull request. He's shaking his head right now. I had no idea I put his mug shot in there. So anyway, we're gonna get that pushed out.
So if you wanna see channels run in a real project, there you go. What I'm gonna talk about today though is things that I share with my students at the Iron Yard. I'm an instructor for the Iron Yard. We help people move into programming careers that are fulfilling. So non-programmers, we turn them into programmers. It's really awesome.
So there's research that suggests teaching the mechanism of how the brain grows when it's challenged increases performance. So you learn better if I tell you a little bit about how your brain works. One thing we need to know is learning is kind of like trekking across the Appalachian Trail,
not climbing Mount Everest. So we're talking about learning complex skills like programming. You're gonna do this over a lifetime. It's gonna take a long time. There are two things I wanna talk about real quick before we dive in, the comfort zone and the panic zone kind of look like this
where you basically have the comfort zone, no learning's happening. We have the learning zone where you're pushing yourself to learn something new and then you have the panic zone where you're freaking out, okay? What we wanna try to do is get as close to the panic zone as possible while staying in that learning zone to maximize what's happening. Now the reason for that is effortful learning
is longer lasting and more versatile. Learning is built on the shoulders of habits. So things that you do on a regular basis is how you're gonna learn. Be aware of cognitive bias. So we oftentimes think we know stuff when we don't so test yourself. Be aware of falsely perceived fluency. You could read something 10 times
and that doesn't mean you actually know something, right? So just rereading things a bunch of times may not be so helpful. Retrieval interrupts forgetting and strengthens retrieval pathways. So the way your brain works is you're connecting these neurons in your brain together through these pathways and as you try to retrieve information from your brain,
whether or not you get the right answer, it turns out that actually helps your learning. Now if you come up with the wrong answer, hopefully you've got the right answer close at hand. You don't wanna just have the wrong answer. That doesn't help but just the act of trying to retrieve helps you learn. Make retrieval harder with spaced repetition
and interleaving. Interleaving is this idea of having multiple topics. So I would suggest if you're trying to learn a little bit of advanced CSS, you go ahead and sprinkle in some SQL query stuff. So you're gonna interleave topics which helps you forget the CSS that you were just working on and then you come back and you retrieve that information
and that'll actually increase your learning. Try to solve problems before you're taught how. Learning styles are overrated. Always aim to extract principles and rules. So you wanna pull concepts out of things that you're learning so that you can apply them in a different context.
Elaborate on newly gained knowledge. So as you're bringing in new knowledge, you wanna kind of beef it up a little bit. This is a lot to read. I will post these slides. We'll have them write a blog post on bolteffect.com. Get those out to you. So if you wanna read all that.
Build a mind palace. Sounds completely weird but totally works. There are people that have memorized thousands of digits of pi. There's no limit to what your brain can actually store. We haven't at least found what that limit is. So you need to kind of work to store things in there in creative ways. It turns out that intellectual ability isn't fixed.
It's not like you're born with some amount of information that you can store and that's it. So mindset and learning actually change your brain and let you soak some stuff in. Stay calm. So if you get into that panic zone, if you try and bite off a little bit more than you can chew, it actually causes your brain
to lose some of the plasticity there. And so you wanna, even if you're doing some challenging learning, stay calm. In review, here's all the things that we just learned about learning. Nice, huh? And that's it. Thanks very much.

Okay, cool. Oops, I committed my secret key.
I'm gonna talk really fast. So let's say you have an idea for the best thing ever. You do django-admin startproject bestthingever because of course you're gonna build the best thing ever in Django. You do git init because you are a responsible developer. You wanna put this in source control. git add ., git commit -m "initial commit", git push origin master. This is not something you should do, because what have you just done?
You have just committed your secret key to a probably open repository because you're probably using GitHub like most of the room. So you have made a huge mistake. Wait, have I made a huge mistake? What does the secret key actually get used for? The answer is yes, you have made a huge mistake. There should be no doubt about this. Here is a list of what the secret key is used for.
Signed cookies, secure sessions, password reset tokens. Shout out to Russell who pointed this one out to me yesterday and then I went and looked in the source code and yes, the password reset tokens are generated from the secret key. So that means if your secret key is public, someone can impersonate your users and potentially change their passwords. This is bad. What do you do?
I'm about to show a big block of code. It's for one reason. The slides will be posted. There's a link at the end, so you don't need to understand this. Just kind of a point of view: you should be putting secret things in environment variables. Those environment variables can actually live in the environment or they can live in a separate file that you import, but they should not live in source control. This big old block of code is so that you can do this,
and this is how you should be accessing secret keys. If you have a static secret key in production, please use environment variables. Okay, so you've made this huge mistake. How do you get a new key so you can put it in an environment variable and not have your users be hacked? Two really easy ways. One is use this web tool. It will generate a 50 character Django secret key.
If you are super paranoid and don't want your secret key to ever even touch the internet, you could do this. This will prove a kind of alpha-manure-ish but it's included in the standard library in Django. Very easy to use. You might be asking yourself, okay, well if I change my secret key, what about my users? Will anything bad happen to them if I rotate my secret key? The worst that will happen
is that they will have to log in again because the session cookies will no longer be valid. However, them having to log in again is way better than their account getting hacked and them calling you in the middle of the night. There's an optional step which is you could not have a permanent key. If you have an auth mechanism like some of the ones that have been discussed earlier that doesn't rely on session keys and session cookies, then you don't need to have a permanent secret key
and it doesn't matter if you store it. So think about this, but really investigate whether this is going to work for you. That is it. So I am giving a talk at 1:30 about more Django security issues. At 1:15 in here, I am going to try to run a very large game of Cat on Your Head.
It is a game that you can play sitting down in a conference center and is better with large groups of people. So at 1:15, come back here and play some Cat on Your Head. That's the link to these slides if you want my block of how to get environment variables, and I'm giving a talk at 1:30. I already said that, and I'm done. Thank you.

I am Haris Ibrahim K.V. and that's where I am from, Apollo Kerala,
and I've flown like 23 hours to get to just this conference. So I'll be here for just this week. So thank you so much for having me. You too. Yeah, as I was telling everyone, the sun sets at like 8:30 p.m. over here. What's up with that?
Cool, so I'm here to talk about PyCon India, which is happening on September 24 and 25. Last year we had it in Bangalore, which some people refer to as the tech capital of India. This year we have shifted it towards the north, to the actual capital of India, New Delhi. And just to give you a few stats, the number of attendees for PyCon India last year was 1,137.
That many people actually attend the conference, and the ticket price for the conference is $25, which gives you two days of conference, food three times a day and the chance to meet 1,000 people in two days, which, if you think it's cheap, people in India still bicker about when we actually try to decide the price.
So yeah, there you go. That's how we name our tickets, like Late Python and Regular Python and stuff. Just to share a few photos and stuff which we have done. I was actually the registration lead last year, so that's our registration booth. I am there at the left if you can see me. And so this is like how the registration happens over there. And if you notice, we have a different queue
for just the names that start with the letter S. Out of 1,100 people, we have 346 people whose names start with the letter S. So we have a different queue for that altogether. So yeah, that's a swag packing session. All of us are there. It's like really funny times. And what is this?
Okay, a couple of photos and stuff. Oh yeah, that's the entire volunteering. There I am, there I am. That's one, that one. Whoa! That's the entire volunteer team. We are like 50 plus volunteers running this conference, and it's been amazing so far. And I also am on a secret mission from PyCon India this year over here, which you might know about in a little bit.
I'll tell you about it later. I think I've accomplished it, but I'll let you know later. And yeah, a couple of photos again. That's the networking team setting things up. That's the sprints that we had on the first day. And yeah, that's literally how the conference looks. It's full when you don't have a session going on. Yeah, and cool.
That's like the picture from last year. And also this year we had like 165 proposals submitted. The reviews are going on. The talks haven't been finalized yet. We also had like the Django Girls workshop over there in Bangalore. I was one of the coaches. So the community is pretty interesting. There are Python local meetup groups in almost every state. Yeah, that's the Python Software Society of India,
which actually runs all these things together. It's like an umbrella over all of that. And we also have this interesting thing called Python Express, which is like, if you are an organization or an institution and want to conduct Python workshops, you just sign up over there. And the community people actually say, we volunteer to come and teach over there. So it's like a middle layer
between people who want to learn and people who want to teach. So that's also there. Oh yeah, that's one of the workshops that I did under Python Express. And that's a shameless plug. That's my blog, Psychopaths. It's like whatever you can understand from that. And since I have like a multiple entry visa now
now that you guys have accepted me to the US, I'll be back. Thank you. Thank you.
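Added example, appended after the transcript and not part of any speaker's talk or of Django itself: it illustrates the "Oops, I committed my secret key" talk above. The talk's claims are that the SECRET_KEY signs cookies and sessions, that a leaked key lets an attacker impersonate users, that the key belongs in an environment variable, that Django can generate a 50-character key (the function in Django is django.core.management.utils.get_random_secret_key), and that rotating the key only forces users to log in again. To run offline without Django, the block below uses its own minimal HMAC-SHA256 signer as a stand-in for Django's signing machinery (it is not Django's implementation, which also mixes in a salt), and reimplements the 50-character key generation with the same alphabet Django uses. The environment variable name DJANGO_SECRET_KEY and the cookie values are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Same 50-character alphabet Django's get_random_secret_key() draws from.
SECRET_KEY_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"


def generate_secret_key(length=50):
    """Generate a fresh secret key with a CSPRNG (stand-in for Django's helper)."""
    return "".join(secrets.choice(SECRET_KEY_ALPHABET) for _ in range(length))


def load_secret_key(environ=None):
    """Read the key from the environment and refuse to start without one.

    Failing hard is deliberate: a missing variable must never silently fall
    back to a value checked into source control.  DJANGO_SECRET_KEY is an
    assumed variable name for this example.
    """
    env = os.environ if environ is None else environ
    key = env.get("DJANGO_SECRET_KEY")
    if not key:
        raise RuntimeError("DJANGO_SECRET_KEY is not set; refusing to start")
    return key


def sign(value, secret_key):
    """Minimal HMAC-SHA256 signer: value:signature (not Django's Signer)."""
    mac = hmac.new(secret_key.encode(), value.encode(), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return value + ":" + sig


def unsign(signed, secret_key):
    """Verify a signed value; raises ValueError on tampering or a rotated key."""
    value, _, sig = signed.rpartition(":")
    expected = sign(value, secret_key).rpartition(":")[2]
    # Constant-time comparison, as any signature check should use.
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return value


def _accepted(cookie, secret_key):
    try:
        unsign(cookie, secret_key)
        return True
    except ValueError:
        return False


def rotation_demo():
    """Show why a leaked key is bad and what rotation does to existing cookies."""
    old_key = generate_secret_key()
    # Constructed: a session cookie issued to a real user under the leaked key.
    legit_cookie = sign("session:alice", old_key)
    # Constructed: an attacker who read old_key from the public repo mints a
    # cookie for any account they like; the server cannot tell it apart.
    forged_cookie = sign("session:admin", old_key)
    forged_before = _accepted(forged_cookie, old_key)

    # Rotate: put a fresh key in the environment and load it from there.
    new_key = load_secret_key({"DJANGO_SECRET_KEY": generate_secret_key()})

    return {
        "forged_accepted_before_rotation": forged_before,
        "forged_accepted_after_rotation": _accepted(forged_cookie, new_key),
        # The legitimate user's cookie also dies: they have to log in again,
        # which is the "worst case" the talk describes.
        "legit_accepted_after_rotation": _accepted(legit_cookie, new_key),
    }


if __name__ == "__main__":
    print("fresh key:", generate_secret_key())
    print(rotation_demo())
```

In a real settings.py the equivalent is SECRET_KEY = os.environ["DJANGO_SECRET_KEY"] with no default, and the rotated key is generated with Django's own get_random_secret_key rather than the stand-in above; the demo exists only to make the impersonation and rotation effects concrete without a Django install.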