Archive for the ‘SuperMondays’ Category

Month of PHP bugs 2010

Following in the now well-established form of a ‘Month of X Bugs’, php-security.org has just opened its call for papers for a second month, to update and expand on its successful run in 2007.

I’ll admit that I largely ignored the original Month of PHP Bugs (MOPB); at the time I had just made the decision to stop coding in PHP and try a more mature language. I had found PHP to be a very simple language to learn and code in, but as a result I also found it very simple to code very badly in as well. (And I’ve since found that a bad coder can code badly in any language, hence why I gave up the career path of developer.)

However, this month’s SuperMondays event changed my perspective slightly. Lorna Jane gave a great presentation on using PHP to provide a web services architecture; at first glance it looks like PHP has improved and matured significantly since I last used it. For those interested, Lorna’s talk was recorded and is available here, and Lorna’s own take on the event can be found here.

So while I’m not in a position to contribute to the month’s releases, I will be paying closer attention to the resources released this time around. If you think you can contribute, the organizers have posted a list of accepted topics:

Accepted Topics/Articles

  • New vulnerability in PHP [1] (not simple safe_mode, open_basedir bypass vulnerabilities)
  • New vulnerability in PHP related software [1] (popular 3rd party PHP extensions/patches)
  • Explain a single topic of PHP application security in detail (such as guidelines on how to store passwords)
  • Explain a complicated vulnerability in/attack against a PHP widespread application [1]
  • Explain a complicated topic of attacking PHP (e.g. explain how to exploit heap overflows in PHP’s heap implementation)
  • Explain how to attack encrypted PHP applications
  • Release of a new open source PHP security tool
  • Other topics related to PHP or PHP application security

[1] Articles about new vulnerabilities should mention possible fixes or mitigations.

And prizes are available for the best submissions:

# Prize
1. 1000 EUR + Syscan Ticket + CodeScan PHP License
2. 750 EUR + Syscan Ticket
3. 500 EUR + Syscan Ticket
4. 250 EUR + Syscan Ticket
5.-6. CodeScan PHP License
7.-16. Amazon Coupon of 65 USD/50 EUR

So what are you waiting for? Get contributing…

–Andrew Waite

SuperMondays – Barcamp style

2009/10/26

This month’s SuperMondays was a deviation from the usual format; rather than speaker followed by Q&A, the event was run in a similar format to Barcamp. This meant that there were several simultaneous conversations ongoing at any one time, with attendees floating between discussions and chipping in as appropriate.

For my part the first talk I attended was on cloud computing, which regular readers will know is something I’ve spent some time looking at recently. General consensus was that cloud may be the future, but no one was willing to place their critical data in the cloud just yet.

Second up was a discussion on encryption. This discussion started slowly; whilst there were several people present, most had some interest in encryption and wanted to learn more from those more knowledgeable. Basic outcome: encryption is something you want to be doing for critical data.

The third and final discussion I got to was a comparison of open vs closed source development. In all honesty I was expecting an argument, with plenty of MS bashing all around. The discussion was remarkably calm and impartial, with a general consensus of ‘both have their place depending on circumstances’.

Some of the other talks included web development frameworks, a demo of Google Wave and a discussion of requirements for new start-ups.

Overall I think the event worked well with some interesting discussions but I do think I prefer the more traditional format. At least from the talks I attended I don’t think those new to a topic would have walked away with any usable information, likewise the ‘knowledgeable’ attendees likely didn’t hear anything to change their opinions or beliefs.

There were some interesting announcements, including that which can’t be discussed (hint: if you want the inside scoop, some stuff gets announced at SuperMondays events before getting released into the public domain, shhh!).

  • SuperChristmas has now been organised in partnership with other local networking groups, December 17th for all those in need of additional festivities.
  • North East Blog Directory: as part of SuperMondays the group is compiling a list of local technical blogs.
  • SuperMondays Google Groups: The Google Groups section for SuperMondays is starting to pick up pace. If you want to keep up to date with the group, suggest a topic or generally discuss the event, sign up and join in.

That’s all for this month, as usual thanks for a good night and see you all at the next one.

Andrew Waite

Categories: SuperMondays

Review: Ecommerce, subversion & git @ SuperMondays

2009/09/04

Tuesday night provided an interesting evening, and for more than just the somewhat non-geeky location at the Side Cinema. As usual I’ve been beaten to the punch for a review of the event; the official review and videos of the presentations can be found at supermondays.org.

David Coxon provided the opening presentation, discussing his project to create an ecommerce shop for the Baltic gallery. As I’d expected of David the talk was interesting, and given the time and budget available the outcome of the project is impressive. The full presentation can be seen here and slides here. David can provide a better insight into the project than I can, so I’ll just say nice work.

The second aspect of the night was a (surprisingly) lively debate on source control systems. Paul Callaghan started by outlining the problem with the ‘traditional’ method of version control with naming schemes for files and folders, before introducing a better system with the use of Git, a distributed version control system. Alex Kavanagh added an alternative solution, in the more commonplace Subversion/SVN.

From what I could take from the discussions Subversion is more commonly favoured in the business world as it provides a centralised repository, allowing for better management (access control, backups etc.) but Git provides some (arguably) better features and is ‘cooler’ (apparently).

If you work on any project that creates a significant volume of code or documentation you should definitely consider a revision control system of some description. In my case I’m looking at Git for my next project, from Paul’s demo it seems like an easy learning curve into a new working paradigm.

Finally David Livingstone from the University of Northumbria’s School of Computing, Engineering and Information Sciences introduced the Raquel Database System. Raquel is being built as an alternative to existing database technologies; the developers are currently looking for additional testers and project members, so if you have any interest in the project contact David at the university.

The night ended, as usual, at the bar. Again as usual this provided many interesting discussions with other group members; if you haven’t already been, or have been to a previous event but not recently, get yourself down to the next SuperMondays event.

Andrew Waite

Categories: SuperMondays

July SuperMondays Review

This month’s SuperMondays started off with the usual round of pre-event geek talk and networking. As a result I now definitely want to get myself down to Bletchley Park, and I’m somewhat gutted that I wasn’t aware of the Big Geek Day Out before it happened; sounds like those involved had a blast.

The event proper started off with an announcement from Mike at Orange Bus stating that they are currently hiring. If graphical work and web design is your thing give them a look.

The presentation proper was provided by John Colqulon. John introduced his project with Newcastle University aiming to provide aid to GPs and other medical practitioners to determine a patient’s risk of cardiovascular problems. There are other applications that provide this level of support available, but this project goes one step further, by visualising the impact a mitigation and/or lifestyle change could have on that patient’s risk, using several underlying research models (whose names I can’t remember, sorry).

I’ll admit that this wasn’t exactly my favourite of topics, but both John’s presentation and the debate raised in the questions section provided a good insight into the many different aspects that need to be considered to complete a complex IT system, from interface design to data protection issues. Although I personally struggle to understand the importance of using smiley faces to represent discrete mathematical figures, just not my field of expertise…

The second part to this month’s event was a first in SuperMondays history: no presentation, just a group-wide discussion of a selected topic, in this case encryption and ‘sharding’. Despite most people’s original understanding, that isn’t a typo: sharding with a ‘d’. The concept is to break up meaningful files into smaller component parts (with each encrypted if the information warrants it) and scatter the shards to multiple locations. The theory is that if one location or server is compromised, the data it holds is useless without the other shards, or the blueprint information to rebuild the original file.
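As an added illustration (not from the SuperMondays discussion or from the author), a toy version of the sharding idea in Python: each piece is masked with a fresh random one-time pad and filed under a random id as if on a separate server, while the blueprint alone holds the order, the pads and a digest of the original. A shard on its own is indistinguishable from random bytes, and a rebuild with a missing or altered shard fails closed; the sample record and the in-memory ‘store’ are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Blueprint:
    """The part you keep: original length and digest, shard order, one pad per shard."""
    length: int
    digest: bytes
    order: list = field(default_factory=list)  # shard ids in original order
    keys: list = field(default_factory=list)   # random pad per shard, same length as the shard


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def shard(data: bytes, n: int) -> tuple:
    """Split data into n equal pieces, mask each with fresh random bytes, file under random ids."""
    size = -(-len(data) // n)  # ceiling division; the last piece is zero-filled to this size
    bp = Blueprint(length=len(data), digest=hashlib.sha256(data).digest())
    store = {}  # constructed stand-in for n separate servers/locations
    for i in range(n):
        piece = data[i * size:(i + 1) * size].ljust(size, b"\0")
        key = secrets.token_bytes(size)  # one-time pad: as long as the piece, never reused
        sid = secrets.token_hex(8)        # random id, so a shard does not reveal its position
        store[sid] = _xor(piece, key)
        bp.order.append(sid)
        bp.keys.append(key)
    return store, bp


def rebuild(store: dict, bp: Blueprint) -> bytes:
    """Reassemble from the blueprint; fail closed if a shard is missing or does not match the digest."""
    try:
        pieces = [_xor(store[sid], key) for sid, key in zip(bp.order, bp.keys)]
    except KeyError as missing:
        raise ValueError(f"shard {missing} unavailable, cannot rebuild") from None
    data = b"".join(pieces)[:bp.length]
    if hashlib.sha256(data).digest() != bp.digest:
        raise ValueError("digest mismatch: a shard was altered or substituted")
    return data


def can_rebuild(store: dict, bp: Blueprint) -> bool:
    """True only if every shard is present and untampered."""
    try:
        rebuild(store, bp)
        return True
    except ValueError:
        return False
```

The blueprint is the single point of failure the discussion hinted at: anyone holding it plus every shard has the file, so it needs at least the protection the original data would have had.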

It certainly generated a lively discussion, with various weaknesses, trade-offs and mitigations being proposed and countered by differing group members; the wide array of different fields of expertise among the attendees was apparent as different issues and factors were introduced from angles I had never considered. I enjoyed the format of the discussion and thought it worked well, although how well this would be received if the topic was outside of your zone of interest and/or speciality I’m not sure. To counteract this it was proposed that it may be beneficial to move to a bar-camp type structure for similar setups to allow for multiple topics of discussion, allowing attendees to get involved in the topic that most interests them.

Rounding off the event was the announcement that Gavurin are also hiring (what credit crunch?); again, if this is within your field and you are looking for a new challenge give them a look.

As usual, the event ended in the local pub for more highly geeky conversation over a drink; this time round I ended up in some interesting discussions on the legalities of accessing or operating an insecure wireless access point, support contracts for companies with (seriously) legacy systems and everyone’s ‘love’ of telco providers.

As I usually state, if you’re in the area and industry, and haven’t been to a SuperMondays gathering: Why Not? But it’s looking like this may get easier to attend, as SuperMondays is growing there are developments afoot to create an official not for profit organisation to take the group forward and to widen the location of events to across the North East, rather than just Newcastle itself.

See you all at the next event,

Andrew Waite

P.S. Thanks to David Coxon who beat me to a review of the event, and made it easier to find some of the links I wanted.

Categories: SuperMondays

June SuperMondays Review

2009/07/14

This review of June’s event is more than a little late, but it was still a great event. The format was different this time around, with an open podium. This produced some interesting and unexpected topics, the first being an introduction into the world of geocaching from Alastair McDonald.

Alastair’s talk caught me unawares as I was expecting a technical overview of maintaining geographically dispersed content and services for load-balancing and DR. Instead I was introduced to a world of following GPS co-ordinates to find hidden caches of goodies, in the real world. Whilst the concept of geocaching was new to me, once aware of its presence it appears to be a very popular hobby; Twitter seems to be full of people all over the globe discussing success or failure in searching for various caches. I’m failing to fully do justice to Alastair’s presentation and geocaching as a whole, so I’d advise watching the footage yourself (along with the rest of the talks).

Second up was the Ecommerce Experiment. The team are setting up an ecommerce site in an unfamiliar market over the next three years, and are blogging and tweeting all their experiences, positive and negative, throughout the entire process. Their presentation was interesting enough, but I’ve been following their posts since and the material is always interesting and shows a side of online commerce normally kept behind closed doors.

Third was Mike Parker with a demo of Drupal, with the goal of ‘work less, surf more’. Web site creation isn’t exactly my forte (check www.infosanity.co.uk if you don’t believe me), but Drupal seems to be a very powerful framework, with plenty of real-world application.

Finally Ryan (@ethicalhack3r) discussed the latest release of DVWA. I won’t go into too much detail, as I’ve already reviewed DVWA previously. If you’re interested in this area of research, check the archive footage of Ryan’s talk.

Whilst the presentations were all good, as usual the real value of SuperMondays is the networking opportunity and the discussions before and after. Which begs the question: if you’ve not been to the event, why not? The next meeting is July 27th, and the topic is still up for debate, so get involved.

Andrew Waite

Categories: SuperMondays

May Supermondays Presentation – Video Evidence

2009/05/29

I jumped the gun slightly when I said previously that there was no recording of my talk, the camera managed to catch the first 2+ minutes of the presentation. Just enough time for a brief overview of the intention behind honeypot systems. Direct Link.

The rest of the Super Mondays event was recorded more successfully. Check it out here for the official write-up and event videos. Well worth a look.

Andrew Waite

May SuperMondays Presentation: The Aftermath

2009/05/27

I had a really enjoyable night at last night’s SuperMondays event.

Some of the innovative uses for technology on display from Newcastle University provided a great glimpse of where we could be heading in the future towards ubiquitous computing. Of special interest was the research being undertaken with surface computing, which seems to have taken centre stage among new technologies recently, although unfortunately the expected MS Surface device wasn’t available at the last minute.

I also liked the work being done by the Ambient Kitchen project. While the technology is still in its early stages it is easy to see how this technology could be a part of everyday life. With the focus the group has on providing assistance and support to people with cognitive difficulties, the fruits of the project could go a long way to genuinely improving people’s lives. It makes a nice change to see new technology being developed for a real, useful purpose rather than the usual ‘we can, it’s cool, why not’ approach to some tech development.

Linked with these new technologies, Patrick Oliver and Jayne Wallace demo’d and talked about some of their work with developing cultural and meaningful technologies. One example was a twinned pair of necklaces which allowed the wearers to communicate some acts at a distance; for example, holding one pendant would cause the other to vibrate. As wireless communications become more pervasive I can envision similar technologies becoming more subtle and commonplace. Despite my initial perception of the topic as being ‘arty’ and not really that useful, I enjoyed the presentation and can see some valid and quite exciting uses for this technology in the future.

The event finished with a change of pace, with me presenting about my experience with using honeypot systems and hopefully convincing others that the systems are valid additions to any network, and are good fun in the process. From my perspective I feel that the presentation went well, although I blew through the material a bit rapidly. I was genuinely relieved and thrilled with the amount of questions and discussion that was generated at the end of my presentation.

Unfortunately I believe that there isn’t a recording of this presentation, as is customary with SuperMondays talks, as the video camera decided to flatten its battery just before I started. As a compromise I’ve posted my slide-deck from the presentation. Hopefully people may find this useful; I’m always open to questions or discussions, so please let me know your thoughts.

Bottom line from all this? SuperMondays is a blast, if you’re in the area and haven’t been along yet, why not? I’m definitely going to make more of an effort to ensure I’m available for future events, see you all there next time.

Andrew Waite

Categories: Nepenthes, SuperMondays, VMware