.NET Rocks Live: Security Panel

Video in TIB AV-Portal: .NET Rocks Live: Security Panel

Formal Metadata

.NET Rocks Live: Security Panel
CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

Join Carl and Richard from .NET Rocks as they talk to security luminaries about the challenging state of affairs in security breaches and what developers can do about it. Are there coding solutions to these security problems, or is it up to the operations folks to keep data safe? What is the correct response to a data breach, and what should you do if it's your data that's been stolen? Are we all doomed? Does security really matter anyway?
the. now your voices are all going to get so much louder the field stands for pathetic audio is what the eye. a. dark record numbers all ok yeah I know feedback no crosstalk it's all pretty good yet almost like we know we're doing and I wouldn't be our first rodeo one minute to spare who are we don't know. one of the you know we're doing a gallon and we just like to put a lot of stuff all the tables kind of fun but to us so we're going to record a .NET Rocks episode how many of you have ever heard a .NET Rocks episode so that was recorded in front of a live audience all our lives their hands. so you know your role is right that wouldn't what is it to make nice try so what I'm going to do with them in turn on this because I'm in a kind scream and did not want the that just going as I'm going to say I was loved .NET Rocks as best I can get and I want you dusk. raman stand up and beat the person next to. take off your clothes and set fire to the building I always made in the back I know when a bank so I want to hear. I completely to close on nobody wants to the big circular those ideas to I would like to what are you. we have pushed the red button ok here we go to. the oslo its start at rada. floyd call you sound great but the well on my voices will show up eventually maybe thank you for coming to the security panel at NDC Oslo 2016 am a good show. go so far. awesome I appreciate the fact that you guys are so outgoing. the analysts Norwegians are very reality is you know india yet so Richard buddy by doing good reached about the end of this said this sprint of shows for us it's been fun with we've done twelve shows he is the eleventh one yet were more to go more to go so so where were the in our way or no question. I'm very very excited to be doing this panel security panel but before we get talking to the tail panel on the gas we have a little business to do some first one is called Better Know a Framework, roll that music.
are what have we learned so you're actually seeing how the sausage is made. and we don't actually hear the music or according to ever see I ever hear s. actually say why that music really cool that's a lie and we add the music in later the so there we decide to sit here for a moment and then not and I'll say way and this is because at that point all our shows are edited we have these amazing editors baby make a sound smart and so. but this will all be fixed so when you go back and listen to show just remember this conversation because it's never going to appear and already I'm almost ready because what I have to do and I'm using my phone were should be using PCs but I've got a URL that I am now copying and pasting with my finger on my iPhone which is as you. no the most fun part of computing. the senate so I can get to this link that have copied before and the way for it wait for it this is good Troy's going to love this in fact you probably wrote the story has its of security think that's probably as fall the first widely as well as this is show thirteen twenty six it's ok. said. art but we got our rights of this show thirteen twenty six of them if you go to the you know the pattern thirteen twenty six top pop dot me and he will bring you to this story US spies are building software to spot your suspicious behaviour in live video none a. it's true but I'm not a. I and everyone you guys just think in all you point for Americans to the intelligence community is working on amping up people recognition power to spot in live videos shooters and potential terrorists before they have a chance to attack part of the problem with current video surveillance to. it makes his the difficulty of recognizing objects in people simultaneously in real time but Deep Intermodal Video Analytics or DIVA nice. the other. a research project out of the and going to put this in the air quotes Office of the Director of National Intelligence.
will attempt to automatically detect suspicious activities with the help of live video pouring in through multiple camera feeds I am no longer sunbathing in the nude now. we're all better off are lighter on the you know. this just walks that fine line between security and privacy I don't think you walk said it all I think it's way over the way over the limit there is the line headway there they go was sprinting over the island so I you know that I always like to find a story when we talk to Troy or other security people that just in the elicits emotion around. the privacy and security and that's a good one day you're looking for the they're doing what reaction shot dead ok right well anyway that's what I got out who's talking to us Richard grab a comment type of show twelve ninety five the one we did with one Troy Hunt yeah we talked about SQL injection ransomware in all other kinds of good things trading as usual job of scaring it's not out of us right. and David Glass had this commentary said ogaden no not trying to ghana. that every time he's on .NET Rocks to make the panic in change all my passwords and my fans to seriously though I am stunned every time I see a seasoned developer show complete lack of interest in making their application secure I could understand how you dems don't get it but still winds me up they seem to fit into one of these three camps. one all I just never thought about it that's baffling that the still happens today two it will never happen to me I just show the web logs of any app that they've ever worked on and the constant stream of port scans and login attempts usually bucks the mountain or three I just don't care the worst apathy is the hardest. this thing to fix why is it security not just taught at level one but made an integrated part of the process it's like giving a class a web development and not mentioning CSS which in some ways the kindness but also know that.
every student developer should be given more Troy Hunt talks could have triggered a pair were ever wondered how I can read every one of these e-mails perfectly says. that would let me tell you the truth than my brother Jay you and it's the shows and to fix it for me or is it a lovely J. and J's it wasn't just as there is just Brandon granted and it benefits the branches. notes the east asia and yet the largest yet slurring show we have three editors the boat sometimes we need all thirty two make a sound smart are right they have of that and the console they have a dumb fainter and they turned it down the brightness not only of work. all right. I think you can't last. and we're going to edit this in said you know yes going to be a quiet the. every student developer should be given some Troy Hunt talks to listen to me I'd have nothing to add to this I think that's absolutely true injury and definitely a problem David thank you so much for your comment .NET Rocks money is on its way you'd if you'd like a .NET Rocks mug write to comment on the website dotnetrocks.com or be any of our social media we publish every show to Google Plus and Facebook and if you comment there we'll show. so was it your mouth and definitely follow us on Twitter he's @richcampbell I'm @carlfranklin send this a tweet we print them out and post them on the walls. but of the department of national intelligence said. the ira well I'm going to let our guests Troy, Stephen and I'll introduce themselves starting with the mr and I'm Troy the guy in the the thing just the foot. you that guide fairly the scary won the of the strain security guy at of the colonial collection here. this kind of a colonial mobsters and in a. so for you know Canadian that mr khan says I'll get an idea ok the. I'm still homes on the Canadian old a firm UK emily developer for a combined but and I would say to someone put his eyes with joint great cool the scariest weather. i.
now my name is not american and work with capture and I am one of our local Irish Norwegian imports here and I can come up here and got lost there would be called a cold. but I love you honey you ever hear the everything we can edit video right sherry were also because of their actual biosphere on the website dotnetrocks.com you really find out how they are qualified to be here in the first place to. it was so security panel where we start when you think you know what's going on the United States and I'm glad I'm the only guy gal United States yet and I'm asking you guys what's wrong with my country actually can we do we have to answer that politically correct or no of course not child on the election and you just go from aids. to show from school the best interest. you try living next door to the guy as though I know I'm always lobbing scud missiles over the border but little of what I mean that they the breach culture I think people getting numb like to just not even reacting to it anymore it's become funny I think it's partly that the same way recording this at a time. with the last few weeks we've had things like MySpace three hundred sixty million records as the record every UK on either way I passed a billion records on the stage for an oven and live on them just time out for those who don't know he's talking about Troy has a database of e-mail addresses that you can look yourself up in to see if you've been hacked. it's called Have I Been Pwned the whole you'll a malodorous and probably doesn't have actually find I actually found mine in that from the Adobe hack and I had to go change my password yet isn't it. so have alion send us so we we passed a billion VK aka the Russian version of Facebook which was about another ninety three million but that came after that was recently MySpace LinkedIn the in that time low as they a Fling the comb everyone's going what the full. can look up after a good heart.
it but we had all these massive data breaches and the interesting thing is they're all from several years ago there were only twelve twenty third aims but they just surfacing now on and what we're saying he is the sort of media bows way everyone wants to believe that everything is a data breach so that the news yesterday was it's true it has got thirty two million accounts had and that's all the headlines. and then the the chief security officer Twitter's commences not this is all else it didn't come from he knew so now is sort of size it's almost like it's not just getting so used to breaches it's just automatically assuming the worst in a bronze just losing their minds I have a you know not even checking that they're actually legit and you often fall into situation. more year the validation source know it will actually check stuff. is that a lot of people died and I guess that they're also parties that they that sort of incentivised if you like by the fact they're breaches are people that sold the data of the right people is so security services that benefit from other people thinking that doctors at the so there's this to me sort of vested interest in wanting the to the lads die. out of breaches in his not in their interest to check an interesting one. now it's just evil all by itself was another level the well in this is another this is an odd aspect of dealing with security just the sort of got a situation with this bloody website of being in the know on top of every breach the few guys been responsible for systems have been breached if you've been on the other side of this we admit it. not likely not been of what for plenty of companies might simply them stations great and had some pretty poor cases what it on the the security so a but but haven't been punished for it with a nice public here is all of these username e-mails credit card numbers and so forth and we blame Stephen on and not yet and I mean.
as one company I've what folks whose name I'm not going to mention which I wouldn't be surprised if something did happen in the it's sort of inevitable yet and then he was fishing about the time delayed breaches is just this idea that they may have been hacked but right now somebody sitting on that data it may be trying to sell it without making a public means worth more while that's a known. because you know it's not like somebody leaves a card behind saying hey I copied all your data. and is there any evidence that stolen data whether its accounts or you know banking the statements that are they used more for collateral you know or or prestige or whatever or do people actually buy them and then hack against those accounts and benefit you know actually. commit other crimes with the data the of d.c. both things happening as much as well as about things the one aspect to this I find really interesting is that there are a lot of people that that trade in data breaches the way you have tried in like Facebook as reagan and a lot of the time and it is actually kids is like legally children you know my belief. fifteen sixteen sending his old that the kids and the guy high have got that this one you know you have that one can we do swapping to trade and so look like and what is why equity dealing with this stuff here and the other want to do stuff like look up friends lady of some of them want to sort of say any passwords I can crack was bragging rights to any your kid in you say your friend. and on the bus you know they have got all have LinkedIn's databases passwords and all that stuff you know who you know I have here you have like a certain medal of honor among your script kiddie friends that he is that an eye to eye.
I got a second likely speaking it so that there's that but they also does well is that there is a commercial upside to having breached data with the accounts that actually work in other places so we've seen in the wake of this news last couple days about there being some large amount of data that works for some number of Twitter accounts a bunch of papers. said that high my count my Twitter account has been broken into and there are people were posting things like porn it works and inevitably there is some degree monetization they were it draws traffic and awareness of the sites and is theirs diffley really silly shady underbelly to that which does actually have a commercial incentives will like what with all the the. the firm breaches like if you got access to all these kind of passwords and music concerts and you can start seeing all the hashes you can start to draw conclusions of the type of security they're using and then start kind of maybe social engineering especially if you can find one the high profile accounts that you know they're not using to if a few get near a kind of c o c a so or even like no financial officer and you. news that then for advanced social engineering techniques social engineering being blackmailed like a shot that does exactly that there's a everything so your social engineering some was going to click a link phishing from some Nigerian prince and but there's other things for example they'll say well try and insert something into computer malware and track I would like some of your personal information may be. train activate your webcam have been inappropriate moments or make put some data on your computer that we can use them to blackmail you to get it you to give us money because humans are the weakest part of every system it's usually where we do guess I'm the biggest and easiest breaches out of people are out of any system we just try and find a use what we prospered or we try and strong arm.
the main somewhere and then take over because the lead time but like two hundred days between a person not let our system been breached and being found by the the kind of says security team if they don't have a proper kind of intrusion detection system in place was just shaking the facts here as if he dies the guys like a big head he's at Twitter Pinterest and LinkedIn a. once elect who allegedly he had a password have. the allegedly but we do know that he did have those three accounts the so other people take over them and tweet in message on his behalf so yet talk about high profile individuals that are the targets these sorts of things as was not with the thing with a LinkedIn one once LinkedIn breach kind of went public and the latest one like from four you. years ago the start looking for high profile accounts and then started kind of posting it was in the reporting as LinkedIn passwords what we're doing is the found a password for that person who's really didn't was the same when the reason for Twitter and then they had unable to cross posting from Twitter to LinkedIn so people were them can say oh you know there's there's LinkedIn the only professional networking all. a sudden it comes at this porn URL from some see iowa no like some company has been how to get their that they had LinkedIn as I know that your Twitter because you didn't because we did LinkedIn and forced everyone to at resettled or possibly have to involve not break so public service announcement don't allow cross posting from Twitter to LinkedIn especially if you use the same. password maybe stays the same kinds of them on have had to let go by.
and it is the other thing little these accounts I have got multistep verification don't write like as soon as you have to reuse password or bad password that is you'll have your fallback position that's you'll defense you know you gotta have the little it's a missile the authenticator at so in the case is a big here in those other ones have always said that his didn't enable that and its they in all these big social media. accounts now so every time he say one of those I knew the so ago he missed something really fundamental well like how many people like don't use 2FA on everything ninety nine percent figure that I use that as it was like checked again now that is actually also as I can remember whether was from LinkedIn it was one of the other big ones just recently wasn't MySpace was ok. the. one of the big one and I said that literally the statistics showed less than one percent of people actually enable multi-factor authentication while in part that would be that is an awful lot of bad 2FA implementations out there like it cripples using the product so even if you don't turn on 2FA when I arrive in Norway I go to log in to Twitter. and immediately get an e-mail for Twitter going here you in Norway which is not bad writing at least that's a useful thing but there was an interesting situation happened the other day Richard you went to PayPal you logged in and he knows that he's from Canada and yet the PayPal page after he logged in was in Norwegian. but a dusting later but the switch back to english said that that's to have a right there just off to use a PayPal there had also what seems like a cross that manages was going to say doing as she even be using passwords at all now that we have password managers and things which should be remembering them now I mean you don't need to remember the most an album.
look with somebody use them it's just say it's just a question not getting emotional attachment to being out remembered well as or breaks down a password manager like the one or two uses you don't actually know what your password is I was laughing about as I was logging into PayPal also I have no idea what my PayPal password is it changes itself every thirty days right like LastPass does that for me said. nobody beats me I don't know the pity is something fun your LastPass password that would be uproar. at that and I started the issue when you talk about these kinds of tools are badly my LastPass password is all about the entropy I'm already shirts in the letter earlier all above the end I love the end. i. I think it's a good idea to to to study some obscure poetry like some icelandic vegas' or something and then just take a poem right memorized spend the time to memorize and yet like five lines ninety five passwords that you can remember just number one two three four and five so you can create yourself little documents somewhere that says of this. site is one this site is two to know they'll get it wrong and it had little cerebral felt a little my mom she rings job because not all I'm going to password book for the house and I point out how also has of the password she was because it was going to share password for my mom my dad and my brother hours I'd be put into business. I was not thought I was like I wasn't too sure of my mother told him he is the best social engineering the house but I'm sorry I don't take off your shoes like your password is fine. but which like a cup of tea what's your password but I she sends the this unlike and I have to hang up and she goes why is it because right now we just need to scream out a window for a little bit then I'll talk to get I said it's ok I just got to have a thing was one password for and said here's a series of subscriptions that just. go not to use the chagos all race.
point it was like introducing her that she was he's now got so used to it that she's now kind of going I don't want password nor do I care and on it but stand education part that we were missing that why he should I need to know any passwords at all and well and the big thing here is like ok great you memorize a set of passphrases many new log into. Microsoft Live ID what's between eight and sixteen characters and see I'm right so it's like a heron to be a crappy password no matter what you do but it could pass for eventually such he said that is something that only is going to affect that that the main in fairness as well like I six think it's a crappy and we should do another panel with Barry and beat him up about how about a fan. I was sixteen random characters like generally random characters I think it cracked it as a young man of entropy can get out of sixteen union has been no it's not too bad right but in the longer the better yet the XKCD cartoon is correct but it's its degrees or out so like hell hell I'm sure the baby may be minus not because he looked puzzled just so what. what's the right length as long as china exactly all for forty two i. twenty three is that you know to me like it's the that the math you can't love with the mathematics but once you get genuine randomness that the length doesn't have to be too much in order for the for the strength that to be pretty much what I don't understand his sites where you know you're supposed to take a password and then they have rules right and the rules are can't use special characters. I can't use numbers can use the would select yes. so we are taking part are DROP TABLE. the only other case in lower case letters another is their restricting the the strength of your password for what purpose I just don't understand business rules why are you know because you know bytes cost money there.
but because they're passing it as a query string they don't want to open as a show but the and of course that's the funny thing for those that haven't might be thought through the bytes cost money eichmann once he has shut this will come to link the new as yet the met have in the late so it goes away and the cost of getting breached is a little bit more than the cost of the bytes in the first place in our but like that's the kind of bring that up now we've got it was new. European directive involved in the cold the journey to GDPR protection. like because if you get breached it's a minimum of twenty thousand euro all the way up to four percent of your gross income by a few special characters is a it but like you know I think we were time but to have a and the whole way of it it in for a break systems and for people to use the hold you UX security you. UX concept that is broken at times you know how we get this use an input box it doesn't tell you what we expect you to put in before you start so you start first off putting in a big password and all of a sudden says no you have to have something different when you have this means that it becomes a nightmare I think that the UX guys have been are now need to kind of come up the stage as well with the. of the security part of it and say well how you put this together how to make it simpler for users to understand me and our users of our systems to say pick something good let's guide you through it like we saw that the other little bar goes from orange or red all the way to green on your password strings their kind of common thing he said I got a question for Richard actually it LastPass is when the guy like last.
yet so LastPass you have one master password and then this thing controls and gets into all of your accounts yet is there any time that you wish you hadn't used it like is a have you ever been on your phone in not been able to log into something because LastPass didn't work on your phone and last but so the only one thing look for the password managers is it on all of your devices right added and LastPass. that's pretty good about being on all devices but I'm still using a Windows 10 phone because deep down I hate myself that I'm the LastPass client is quite crappy very like it because nobody's working on it because we've got that phone right eye and so you want to buy an iPhone nice. there is a clumsiness now when I when I need to log in to something and I have actually been in this situation where have to go to the LastPass app and there is a mechanism for copy password all you never see the password and you have to flip back and paste it into but the thing you want to use and so is klum word on Android it sooner this area it is a day. as it is on on any PC where I mean Chrome by I don't use Edge because no plugins nine so is not in Chrome with when I'm probably log into LastPass what I assume is a using your password appears it's just filled in india but it's you know I never see the password just that just happens that this the friction goes away can be. the thing the other thing that that the democracy LastPass is the perfect tool like it's one that makes me happy this bunch of them and this free ones as well if you want to the care and feeding for them is that cleaning up your own mess so when the LastPass every so often minds behavior still have a couple old passwords that are the same on some old accounts can we go fix those.
you know and and does it actually go to Amazon PayPal or whatever and change your passwords for you some sites have set up a service now so that things like LastPass will literally change your password for so you don't have to do anything because I hope that doesn't get hacked and. you're totally right and it's like but again get back to why do we use the cloud is in theory that the public cloud providers have the best people keeping that infrastructure running these password services have really extraordinarily talented security people working there is only so many those to go around I trust them when I trust myself to remember him. I've a take home the a number to say that is same way we feel about writing on servers you know but we think about the battles we've had keep the .NET Rocks site running than in the old days were literate in our hardware and now it is in the cloud while it's still not perfect it's better much better so I don't think the password managers are perfect but that. but doubt better than kind media LastPass good solution thing and only want to pick a product the only thing ever to what is one thing true in all these things is you must spend little time learning yet and getting used to it and how often seen how often you change your LastPass password relatively rarely. is it because it's long and it's and you know sufficiently entropic is not an big need to change that password and cool in the end we didn't talk about data breaches right the issue here is the most common passwords are out in the wild or eight the big thing that comes from data breaches those passwords are now exposed to the world and so you really. don't want to use them again.
Yeah, and of course everybody does. I'm not going to tell you how many, but I have several passwords that I rotate, and every once in a while I take one out of rotation and add a new one, because I can only remember so much. And I don't even think most people do that; I think those people have one password that's probably ten characters that they use everywhere, except where the site requires that they use letters, right, and then the ones that don't like a number. Yeah, it's the inconsistency between sites that drives me nuts: one says "I can't use these characters", or even the length. How come the minimum length is always different? I think a lot of workshops ask companies, "What's the right minimum length?", and it's a really funny pattern: everyone always says six or ten; it's always an even number. Has anyone got a minimum that's an odd number, like seven? Brute force, though: the number of tries is always an odd number, three or five, right. You only get three tries.

I have a certain number of accounts in my life that are perpetually locked out, right? I mess up my American Express account almost every time, one way or another, and I'm locked out of it all the time, and I just don't care enough about it. I was locked out of my telco for years and haven't got time to care; I just can't pick up my voicemail. The one I fear is when you find a site with a bad password policy, especially the policies that make you change it, forced rotation. And what's the one that... your own company does it; does it give you any interesting security? I have had a credit card
that required an additional password when you went to use it online, that kicked into their own verification thing that you had to enter, and there was no password recovery. So we couldn't remember the password, because they had their own goofball rules that didn't fit with any passwords we use in the password manager. You had to change the password, so you go to change the password, and they tell you not to reuse that password; you can't recover the password, but they can tell you not to use it again. And that's awesome.

Hey Richard, buddy, guess what time it is now. It must be that happy time again. I'd just started to change my password... It's all about the entropy, I'd like to add on that, but it's actually time to give away Syncfusion Essential Studio to one lucky member of the .NET Rocks fan club. With over six hundred and fifty controls, Syncfusion's Essential Studio is the most comprehensive suite of components available for .NET and JavaScript. With world-class diagrams, maps and charts, reduce the development time, save some money and get the best support in the industry. These are just a few of the reasons over eight hundred thousand people make Syncfusion a part of their daily development process. And now individual developers and small teams can get access to every single control in Syncfusion's library for free. The community license also gives you access to Syncfusion's growing library of enterprise applications, like Dashboard Platform and Big Data Platform, that can help make sense of complex data. Support and updates are included too. It's a ten K value for free. Check it out at syncfusion.com. All right buddy, who's our winner? Today's winner is Craig Lecter Road.
He's got a class act; he must be feeling like the luckiest guy in the world right now. Hope you're listening with your friends at lunch. Craig, you just won Syncfusion Essential Studio. It's a big pile of awesome from my friends over there. If you don't know what we're doing here, go to www.dotnetrocks.com, click on the big "get free stuff" button, answer a few questions and join the .NET Rocks fan club. We have thousands of members all over the world, and on every show we like to give away stuff from my sponsors, and every December we give away a five thousand dollar technology shopping spree to one lucky member of the .NET Rocks fan club, picked at random, but you've got to sign up to win.

And we ask our guests on every show: if you had five thousand dollars to spend on technology today, what would you buy? ... They said they would like to have a missile. But one of them is a little more than five grand. We could pool our resources, all get together... you can ride it out... still deciding. Look, I just have to question: what would you do with the missile? Exactly, what would you do with it? Well, whatever it is, it's only going to be one of them...

Stephen, what would you do with five thousand dollars? I'm quite good; I don't really need any more technology, it's just crazy talk. ... I've been working quite hard recently; I'd have to do a holiday with the kids. Failing that... The General Atomics one, you really want to answer that? That's a drone. You're going all out now; that carries the missiles. The missile carrier was more than halfway there. ... and how do you get it into the US anyway? I don't know.
Now, I hear there's a bottle of scotch that costs about five thousand dollars. Are you interested in that, or something else? ... An IoT bottle of scotch, maybe, but how would that count? I would like one of those, actually, yeah. ... If we just got one of them, so you have three thousand, so there's two thousand left... that's twelve thousand dollars. We'll have to play missile, because the missile... you can build a launcher. Let me check the retail price. ... Now, that's two point three eight billion dollars. ... That's the programme price; it's only four million per unit. Bargain. ... I can't think of a five thousand dollar... gosh, now there's a fifteen thousand dollar one, the Allen reflection... We were probably up there in January; it was fifteen... The stuff goes for only a few hundred bucks; that's two hundred dollars, I can buy it, but that's the second edition; get the first edition. ... The other one, the Antarctic expedition one: it had been frozen there since 1912, and the idea is that these are not all problems... We went to this bar and they had it by the shot, I think at least three hundred and seventy-five dollars a shot, and I didn't try one, because there were no good outcomes, right? I'd go "I like this" and about fifteen thousand dollars later I'd be in big trouble. Yeah. ... So the most expensive scotch on the planet, then.
... OK, there you go. Let me quickly, without the... Masters of Malt, just to focus in on what's actually important, which is expensive scotch: at twenty-four thousand pounds for a bottle... the collection includes five bottles of Dalmore... Well, that's a deal; maybe going after the better one, getting more... How much is a pound these days? One point five to one dollar, somewhere in that neighbourhood. ... twenty-eight hundred pounds... Still not interested in a HoloLens? ... a thousand dollar bottle. What was the one that was... that was a grand? All there's a Glenfarclas forty... I'd buy a couple of those... Welcome to scotch. That escalated quickly. I don't want to talk about passwords anymore; I'm sad.

I really want to talk about what developers should be thinking about with security. They've written software already, and they're working on the next round of work items for the next sprint. How do they start to incorporate more security into the software, so that it's not our app that was breached?

I think, speaking particularly from my vested interest, education for developers is really, really cheap in terms of where you spend your security money. There's a lot you can spend on perimeter security in a box, the big boxes with lots of blinking lights and thousands and thousands of dollars, and that sort of
applies to one little thing, one particular app for one particular company, versus educating people: they get to apply that again and again, and they also get to apply it at the time when it's cheapest to fix security, which is when they're writing it. We know that for any bug in software, security or business features, once it's in production is the worst possible time to have to make a change; it's already out there, so there's that sort of expansion in cost. So yes, education, getting these facts out there, and even just going through a couple of courses or doing some training or something like that, just to sort of skill up a little bit, has a fundamental impact for very little money.

One fundamental thing everybody can do is use HTTPS everywhere. I mean, that helps us a lot, doesn't it, because we really can't trust our routers and the link; you can't trust the Wi-Fi, as we just saw identified live, and hopefully everybody's scared of the Pineapple now. One of the things about security culture is building this into your team and getting it together so that you start to think, "I as a developer have a responsibility for this data, and if it ever gets out it could ruin someone's life." ... All jokes aside, the point I keep making is: don't make my job any easier, because it's getting to the point where it's too simple to do a lot of the hacks anymore. As researchers, we're all just looking for the one mistake you're going to make. You're trying to build your security boundary around your applications, and we just go out there and find the little hole you forgot, and that's it. So think about what happens if,
or when, this gets broken into and someone steals all your data: what would happen? So if you assume that, OK, we've got hashing on our sensitive information, we've hashed across the entire database, we've got field-level encryption, we've got all these other kinds of techniques available, that's great, and then look at going, "Well, if someone breaks in, they can't get anything." And then what happens? How do we stop people getting in? Those are the two parts. It's not just "let's build a huge wall around everything"; that doesn't solve anything.

... But when I talk to the public generally, it's like, "Oh, I'm going to get hacked? What happens now?" Nobody is accepting of it yet; most people don't like the idea that a hacker is going to touch your computer. It's just a paradigm. Actually, this is a great story about her; you want to tell it? ... She's a petite Polish girl with an English accent; she learned English from an English teacher, very soft-spoken. So she goes into an office that's going to hire her for pen testing, half an hour early, and asks if she can get online to prepare for the meeting, because she's really nervous about the meeting. By the time the meeting starts, thirty minutes later, she has every administrator password, and she began the conversation with all of their passwords. From there it was kind of a question of "why should we hire you?", and she said, "Why shouldn't you? You don't need to hire me; you're done." So I just really acknowledge this idea that
it's always going to happen; you have to acknowledge that penetration is going to happen. And I'll put my hat on here: we talk about defence in depth, and it sounds good, but the reality is no wall is unbridgeable, and it's just how far they're going to go after that. Data needs to be encrypted on the disk, right, so that even if it's taken, it's like, "Good luck, you don't have the keys." The keys should not be sitting in a text file, which is the problem here. Troy demonstrated in one of his talks how quickly you can do it on commercial-grade hardware, not even industrial stuff, just a generic air-conditioned box, straight on GPU, and how quickly you can crack passwords just by running the brute force. It's astonishing. And there's a company specialising in supplying you with a box of ten graphics cards that can crack three hundred and fifty billion hashes a second, and that's how quickly it will get through certain types of hashes.

But what about throttling password attempts, you know, only allowing a certain number per second? Which is why you should use something like a password key derivation function. What you're talking about is in the app itself: when you make a request, an HTTPS request, you can only make so many per second or whatever. In terms of password hashing, it's a question of what happens once the password storage has been compromised: someone's SQL-injected and sucked out all the passwords, and you've got the hashes; you've got no more ability to do any throttling. And so the point about things like PBKDF2 is to effectively increase the workload, the difficulty
it is to create the hash, so that you slow the whole process down. You don't stop it, but rather than being able to do billions of calculations a second, you can only do four thousand calculations a second; you've just increased the password strength a thousand times, and maybe it's just no longer interesting for anybody trying to crack it. If they actually wanted to do the work, they would be... The thing is, if it takes you, say, twenty seconds to crack a password, right, but if it takes twenty years, that's the level of entropy, because the fact is they've got the correct hash, it's salted correctly, and they can't do anything until they get a faster computer. Yeah, but that's the thing: you're up against a twelve-week... and I've cracked more passwords on my iPhone than my aggregate computer... the rainbow tables. Working up the rainbow tables, and they'll tell you it's only when I buy a new computer...

Everything we've talked about so far speaks to IT's responsibility for security, except on the password piece, where the developer goes, "This is stuff for the ops guys; I as a developer don't have to worry about it." No: it's the devs building the software who choose the encryption, or rather hashing, function. If, for instance, you go out and use the ASP.NET membership provider from 2012, you have chosen a product which is now going to hash with SHA-1 and a salt, and it's going to be pretty much useless. That means it's the devs who are going to
choose how they get stored, unless they're choosing the Active Directory implementation or that sort of thing, but having it in the app, it's still going to be the devs. Or you choose to go under the social login sort of thing, which makes it someone else's problem. Only developers put in that much effort into record-level encryption on personal information. That's all right if you don't store the keys in the app... so if you just use the... that will do that... what's the complicity there... then the opposite effect... that's protected, no problem, unless you're in a regulated industry, so finance, healthcare, where we need to start looking at things like hardware security modules.

It still feels like an operations set of tasks, right, even when we talk about database storage as a whole. I've got a DBA, he's crazy, right; he's been beaten up by the infosec sector enough that everything written to that drive on that machine is now encrypted, and the DBA has a lot of responsibility for it. He's going to be calling stored procedures...

So here's a story for you. When I worked at a consultancy, we paid our developers and our consultants usually by ACH, and in order to do that we had to set up a special ACH account with our bank. They came out to the office and they told us everything, and they came with a novel thing, a secure key generator that was a battery-operated little fob, and every minute a different alphanumeric number came up on the screen; they might have been twelve characters or something like that. And so when you go to the website to log in, you're supposed to put in the number that's on the screen.
And so the preferred way to do this is to wait until it flips, because obviously you don't want to get caught by the flip while you're putting it in. And there's a secondary algorithm, the same algorithm, running on the server that is matched to that key, and so it will come up with the same number every minute, and that is the way that you get in. So there's never a password, per se. Oh, that's in addition to your regular password to log into the system, so there's two-factor security. I thought that was really brilliant.

You know what some people do? So this is the interesting thing: we have good implementations like that, and then people can stuff it up. For example, you see instances of people getting their tokens and sticking them to a board with a webcam pointed at it, so that it doesn't matter where they are, they can go and actually access it. There was a guy who wrote a blog post on it, and he even wrote the code to OCR the token from the webcam. ... I didn't want to have to have that. So as good as we build some systems, there's always going to be someone who's going to screw up, whether it's myself or a service.

But the combination of that technology with maybe a near-field RFID or something like that, so that so long as I have it in my pocket it reads the number from it and can log me in, now that's kind of convenient, as long as it's secure, and of course we all know RFID is really secure. ... But the developers... the responsibility is kind of like: they need to educate themselves enough to know what they're supposed to use to do it. If they take the kind of basic implementations, like choosing SHA-1, they may not even know that this is bad. That's another problem, right: we start seeing people going, "Hey, I'm hashing my passwords, great, I'm using MD5."
OK, great story: I'm using ROT16, and what about... on the site. But the thing is they may not know, and that's the education factor: OK, why should I do this, what should I be using? And people like us are saying, "You should be doing this; here's our cheat sheet for avoiding certain pitfalls." That just means you're beyond level zero and up to level one or two, and then you start to see the likes of this and get to figure out, "OK, yeah, maybe I should be looking at this better." I think there's the security culture, building out into the concept that if this data is stolen, what will happen, rather than just people saying, "No, I was told to create a user in the database, and I've managed to retrieve the user from the database, job done, well done."

So we should be scaring our developers. I like that. All they've got to do is listen to Troy Hunt's .NET Rocks interviews and they'll be scared. ... The shows we've done recently that speak about security, besides, you know, terror with Troy... but I couldn't get out of the podcast... The OWASP Top Ten came out, and it kills me that number one is still SQL injection. It kills me. I did a talk yesterday and people were like, "Oh my God, is that still... are you kidding me?" Well, I totally get that there's a whole bunch of legacy websites out there that are vulnerable, and there are tools that will help you find them fast and then have them exploited even faster, but I would just hope we're not greenfielding SQL injection. I can't say why. There's a blog post that I show quite a bit from last year, so you know, 2015, where a guy has written a
password reset in ASP.NET Web Forms, which is a bit unusual in 2015, and what he's done, the whole thing is odd actually: it's got one section of SQL code which is beautifully parameterised and what's right, and the next section beneath that is just SQL injection all over the place. And this is in a tutorial, one year old, and it has a bunch of comments from all these people saying, "Thank you, this is very useful." So how many people are building new stuff like that right now? It's still happening. So a lot of the stuff we see is, like, people copy and paste the answers from Stack Overflow. Yes, I thought I could let that go... like the O'Reilly book covers, it's all really fake book covers; it's brilliant, but that's what a lot of people do. You know exactly what the security... and deliver your project on time.

I think the thing is that people will just go, "This code works": I press F5, the result that happens is what I expected to occur, don't touch it, don't understand it, run away, ship it. And I think that's what we're starting to see a lot. You know, developers are very good at going, "Here is a problem, I've written some code that solves said problem," but they haven't thought about who would actually use this. It's like trying to give my son a knife or something, because you just go look at the wash...

So that's what happens. I think there's more like that. I like the model of physical keys: you have a key to your house, you have a key to your car, and this security model has worked pretty well for a long, long time. The whole idea is that there's one thing that's unique that you keep on your person all the time, and that's the only thing that's going to get you into
your house. Well, I mean, what if your laptop had a lock in it, and a switch, you know; you put in a key and then you can use it, and all of the security flows from that. ... I resent the idea... A really good joke: your house would be good if it didn't have windows. ... And even the key thing: the idea now is that you go up to the house, right, because who wants to carry around a key? You just walk up and put your finger on the door, and hopefully it's you. But we've always seen vulnerabilities in these sorts of things. Like, there's an internet doorbell apparently, and you'd ring the doorbell, it's a camera, and the problem is that when the doorbell rang and you looked at the monitor to see who's ringing, it wasn't your house; it was really someone else's. When you start to wire these things in, it just doesn't take much to get it really wrong. Yeah, I agree; we really ran up against it today.

And I want to say that... most will... what's gone on at a point and changed my mind... I'm going to say that it's a tough one. Here, we did a show with Kim Carter, where he talked about the OWASP ZAP library and just building it into his test sequence, so that when you're building a website you're running through a set of security tests, and one of the things it's checking is straightforward, simple injection vulnerabilities, the things that the script kiddies would run to try and breach your site. At least you're trying that yourself. And if you've got a build server, there's a ton of CLI tools out there that you can just plug in. Nikto, for example: just run `nikto -h`,
and it's a program that will run through all the different vulnerabilities it knows and quickly scan your application and give you back "we found this, we found this, this is what you're looking for." Then there are more advanced tools like Arachni, which is a full-on web framework, and if you're running Windows 10 with the new Anniversary Update on it, it runs bash, so you can run these pretty much natively now. I just installed it, and it generates a nice web UI and has the feedback it gives you, like, here is the percentage of stuff we found, SQL test, XSS test, and you can run these from the command line, but it also gives you back a nice kind of report. You can discuss it, or say this is a false positive, and managers can see, "OK, your security tests are getting better." And then you can start doing other kinds of static analysis testing and other types. But nothing fails or works better than a human testing the logic; these just test the common little bits of stuff. ... people who go and try to walk through the code a little differently.

As a dev, you'd recommend, if you've got no baseline or you're starting from scratch, some of these little tools that are straight out there, free, just pointing them at your application; you can be much quicker at running them... and you can force... yes, as Tinfoil does, yes. So it does conduct an external test against your website right there and gives you a security report of any vulnerabilities. Is that one of those that's accurate, and is it plugged into...
I asked, so there are some action items here. At least have a sense of it. And I think Troy has done a "Hack Yourself First" kind of session in the past two years; it should be part of our process as developers to hack our own site, so that you know what vulnerabilities are actually apparent, and some of them might be your responsibility to fix and some of them might be operations. But I'm going on... Beyond our own testing, are there any other tools, Troy, that you want to mention that we should be looking at for analysing our security situation? I think the main ones are the tools that the others have already mentioned; the ones I'd say you should get to know are the ones running in Kali Linux, and I love this stuff, it's very cool. I think one of the challenges is that for a lot of developers, particularly Microsoft developers working in ASP.NET, this is really foreign territory. How many people here want to spin up Kali and run these tools? There's one guy; he's also Danish, a bit weird. I think we've then established the point: it is a barrier to entry, and this is what things like the Tinfoil sort of cloud play do, where you effectively route your application through some sort of proxy which looks for these sorts of things and gives you a lightweight security check. By no means do I want to suggest you shouldn't go through and actually understand SQL injection, cross-site scripting, that sort of thing, but there needs to be low-friction stuff that works in a fashion that developers are comfortable with. Otherwise it's just things you believe, something which... Now, last words, gentlemen. Niall? When do I get my... I think the airport strike is not yet...
... It's OK. If I want to do real last words, guys, seriously: don't make it like we can walk up here and do really interesting talks because you have screwed up. Think about it: these guys are in business because of that. I'm kind of suggesting people try and do that, and for secure code, secure data, think really closely about what you are working with and what happens if it gets out in the wild, who will be affected. Too scared? Exactly. I think it's a big thing to experience it first hand, so with the courses, for me there was stuff like "Hack Yourself First", which is really popular, which is: guys, here is SQL injection, go do it, just Google for a website and do it, do it on a site that I created, and experience it first hand, because once you play with this stuff it's actually pretty cool, and a lot of people get really involved, and so they get a passion for it. ... There are a big bunch of things to do on a site that you won't... I don't know why she might be living in a box for... He doesn't do it on Troy's site... it's fun. Yeah, I know. That's the show, guys; let's give it up for our security panel. Thanks.

But that's enough for the show; if you've got a minute, maybe you could take some questions, if anybody's got one. ... So what about... all covered by the identity services? Interesting. I'm sure it would be fun. And they never get hacked. It could happen: the Philippines Election Commission, a couple of months ago, lost the data of half of a hundred and ten million people. ... Because there are lots of backups...
I think it is in one way necessary, because you've got so many different government services which sort of need to get tied together to function effectively. In another way it's unavoidable, because this is someone saying, "Look, I just don't want to give my information to the government," and you can't do that. So it's happening, and I think on balance it provides a bunch of positive things, but you just can't... In contrast, Microsoft is asking us to use an identity service from them; who's more qualified, theoretically? Either way, it's the same issue: you're going to put your identity responsibilities onto someone else. In the public cloud. Good, next question.

As you head back to your car... one of the premier questions is why he's scared of open Wi-Fi. I hear there's open Wi-Fi here; so Troy's in the room, he's got a Pineapple. There are about six or seven of these devices running around the conference right now, so if you go on open Wi-Fi, just assume everyone is listening. So just get a VPN. It's one of the plans; come sit next to Troy. The Wi-Fi Pineapple, if you haven't seen this before, is a Wi-Fi device that pulls up... I'd say in my talks in the past that you should use this, but it's really super cool. Just Google Wi-Fi Pineapple; it allows you to hijack people's Wi-Fi, which is cool, that's one thing. It's a really good lesson about how you can't trust the transport layer. And they are amazingly cool, and they're only about one hundred dollars.
Runs off a battery pack that's currently face of species the their let's not mention the bench but they also what it does right idea so what does a rogue access points every time your device by pings out looks for a specific access point this device says wine glass so years then goes to good free Wi-Fi so your dog if you open up your phone and so on. To connect to know Wi-Fi points this device will say I'm known your connect on a little now between me and the internet sites Troy and he's a lovely Australian man sometimes. He wouldn't ever fiddle with whatever I'm doing to go on on routes but it is that's the thing you can trust the transporter on the first time your phone connects what does it do because got it gets you Google Mail and Facebook and whenever and connects to Twitter and sees if there's anything to stop sending all those passwords out that's why all those services are now SSL and yet when is the at big. The way that made all of these sites go SSL was because of these kinds of exploits in the real question is your mail server using a system. With the username and password sending clear text that is not like POP3 is not secure that it's its tax to suggest taxed so you got it you just kind of all these to the these little devices you like you know that you can plug this thing and I know what it's like to football's up again as it's the size of the thing just sits in your backpack it's like this tiny can be powered off. Little phone charger and you know all the sudden I'm you can always spot with these things are on because all the sudden you see a lot of Wi-Fi points you don't recognize and your home on a regular you see everyone why you see every Wi-Fi I am to get funny looks going to freeze apple scares you as it's just an access point yet so he was laid just rid of it.
It's kind of big for an access point like I've got one the you don't write that day they make them small that no one I do also have some rather noxious ones and the knowledge particular has some some big areas which yeah I've got to do as I rather suspect yeah but the nine decibels areas which are kind of like it's like for them as well as a half of them spot on a hot and of a sudden spike. And they're exceptionally powerful like you you plug in and I turn on a hotel in all the sudden my four floors are connected to you and was wondering what their home life is working. I. And was a funny story that's how I actually got to order of turns out when I was over in Poland on this and one of the organizers from art of connected to my Wi-Fi points and decide to log into the art of database which was running over his g.p. at the time so using a possible for the order of database pops up to make a nice. And I'm not going on the agenda. So ladies and gentlemen if you ever want to figure out how to get to in the conference in oh and Pineapples I think we've got to leave it there another round of applause.
