lecture: Securing FrOSCon

How one conference's talk proposal led to securing conferences across the globe


The vulnerable nature of the Web turned out to apply even to security and FOSS conferences, including FrOSCon.

(Note: this talk is not a Lisp talk, but being added to the program late, could not be placed elsewhere.)

A basic yet very severe security issue was found in a Web system used to organize the OHM2013 conference; it then turned out that the issue was not local to that conference: others were affected as well, including but not limited to FrOSCon. Moreover, while investigating this issue, further security issues were found, a mix of Ruby programming choices and errors, insecure application defaults, and server configuration issues.

What followed was a journey into the world of Web security: HTTP sessions and their management, cookies, cookie sniffing possibilities, cookie manipulation and replay, HTTPS failures, session hijacking and fixation scenarios, and, combining all of the above, the potential for abusing missing security controls, up to the point of trivially becoming admin in several FOSS and even security conferences' Web systems.

This talk covers the aspects above, includes a practical demonstration of how anyone could have become admin, and elaborates on how things were fixed.

In addition, the talk includes some thoughts on security by design, source code forking and the risks it involves, and why the main vulnerability discussed in this talk might actually still survive on the Web.

This talk is a revised version of Sander's "Web security 101 (or: how to hack security conferences)" talk at the Chaos Computer Club SIGINT 2013 conference, which was later also shown at FOSSCON 2013 (USA).

The speaker kindly requests the audience not to make any recordings or pictures of the talk.