We’ll be doing a PGP Keysigning Session at ApacheCon. If you would like to participate, check out http://wiki.apache.org/apachecon/PgpKeySigning and make sure to mail me your public key before the end of today, Wednesday.
November 4, 2009
November 3, 2009
My ApacheCon US 2009 Wishlist
- Get Apache HTTP Server building again on Gump (which involves losing the dependency on the Apache Portable Runtime Utility library, which was folded into APR proper)
- Get @pgollucci what he needs on clarus.apache.org, and work on the future of that box
- Talk about Apache 2.4, and what is still needed to get that out the door. Then, maybe start talking about figuring out what 3.0 is going to be like
- Prepare for the Keysigning — which may mean creating a new PGP key
- Prepare for my presentation on Thursday
- Do some httpd hacking. Perhaps pull in the ECC patch that has been sitting in Bugzilla
Comments Off
August 18, 2009
Web Hacking Incident Database Report
The The Web Hacking Incidents Database 2009: Bi-Annual Report is out. If I recall correctly, the first report Breach did, in 2007, did not mention any bi-annualness. Also, the eventual landing page has as HTML title “<title>The Web Hacking Incidents Database 2008: Annual Report</title>”. Is it possible that they simply didn’t get their act together last year and retroactively declared the report bi-annual?
I went in through the link above, gave up my e-mail, phone number and name of my first born, and downloaded the report. This will probably land me another copy of every marketing e-mail Breach sends out (guess how I learned of this report?), and a phone call from some poor guy in a cube who has to make 75 phone calls a day for a living. Oops, guess I put down a fax number. Sorry dude, hope your headset isn’t too loud.
Anyway, after you go though the lead generation form you land here and can follow a direct link to the PDF. This is fairly standard practice, but from a security company I would expect that they would make some more effort to not inadvertedly expose the goods.
I will give this report a read, and probably discuss it in my upcoming talk at ApacheCon US 2009. Oh, they just extended the early bird registration deadline… without changing their own website to tell you about it. Register now and experience the mayhem.
Comments Off
November 18, 2008
Hardening Apache Presentation Book List
At the end of my Hardening Enterprise Apache Installations Against Attacks presentation at ApacheCon US 2008 I had a slide of interesting reading material. Here are the books on the list, and links to some of the articles: (more…)
Comments Off
November 5, 2008
Security Roadmap for ApacheCon US 2008
At the end of my conference presentations, I usually put a Conference Roadmap slide. This slide shows sessions at the conference that are related to mine, and that attendees may find worth while to check out. For my Hardening Enterprise Apache Installations session this coming Thursday, I would suggest the following related conference content:
- Training: Web Application Security Bootcamp by Christian Wenz
- Thursday, 9AM: Hardening Enterprise Apache Installations Against Attacks by yours truly
- Thursday, 10AM: Web Intrusion Detection with ModSecurity by Ivan Ristic
- Thursday, 2PM: (In)secure Ajax and Web 2.0 Web Sites by Christian Wenz
- Thursday, 3PM: Geronimo Security, now and in the future by David Jencks
- Thursday, 4:30PM: Securing Apache Tomcat for your Environment by Mark Thomas
- Thursday, 5:30PM: Securing Communications with your Apache HTTP Server by Lars Eilebrecht
Besides the training (which happened on Monday), this means that you can pretty much stay in the same room all Thursday and catch all the Security-related talks. In addition, of course, this track will be streamed live for a modest fee, so you can watch from the comfort of your own office if you find yourself unable to make it to ApacheCon this year.
Celebrating Obama Victory
This is the Next Generation Brass Band in New Orleans, celebrating Barack Obama’s presidential election victory on the corner of Bourbon Street in New Orleans.
This was more fun than all the Bourbon Street craziness combined.
Comments Off
November 4, 2008
SQL Considered Harmful
According to the Web Hacking Incidents Database 2007 Annual Report, SQL Injection is still the most common attack vector for security breaches on websites. Consider the following cartoon:
Why is it that our websites almost universally use a data access language whose statements can be completely subverted by the parameters fed into the queries? The problem is that (more…)
November 3, 2008
ApacheCon New Orleans, day 1
Flew into New Orleans late last night for ApacheCon US 2008. The taxi booth at the airport actually has a flat rate posted: $28 for travel to Downtown or the French Quarter. Our cabbie charged us $30, which is close enough. We went for coffee and beignets at Cafe Du Monde, which is part of New Orleans, The Ride. Beignets are like donuts, except with more powdered sugar and slightly undercooked which may not be intentional.
November 1, 2008
ApacheCon Jack-o-Lantern
Last night we made an ApacheCon US 2008 Jack-o-Lantern! It projects “ApacheCon 2008” on the wall behind it if there is enough light inside: a Mini-Maglite did the trick, with the lens taken off to make for a nice point source and a crisp image.
Meanwhile, I’ve been working on the slide deck for this week’s presentation at the conference. I think it’s shaping up pretty nicely, although I’m going to have to put a ton of content in the handout. There is simply too much to talk about. However, by putting some of the technical details in the paper handout, I can keep the slides themselves cleaner and improve the flow of the story.
Comments Off
October 12, 2008
SF Chronicle Special on New Orleans
With ApacheCon US 2008 fast approaching, a weekend special on New Orleans in the San Francisco Chronicle might be of interest. Note that the conference is organizing its own volunteer day on the Saturday after, in cooperation with one of the organizations listed in the Chronicle article.
