OSCON Wrapup
Original post provided by Chris Shiflett.
Another OSCON has come and gone. It was a very busy week filled with talks, work, social events, and everything in between. (Sleep is optional and not recommended.)
The OmniTI family (Message Systems included) was well represented with a number of speakers and talks:
- Chris Shiflett
  - Experience-Driven Development: Designers and Developers Working in Harmony
  - Security 2.0: Emerging Trends in Web Application Security
- David Gray
  - How I Learned to Love Revision Control
- Luke Welling
  - PHP Taint Tool: It Ain’t a Parser
- Mike Hillyer
  - How to be Normal: A Guide for Developers
- Robert Treat
  - Pro PostgreSQL
- Theo Schlossnagle
  - Full-Stack Introspection Crash Course
- Wez Furlong
  - Hot Chocolate: Creating Cocoa Apps with PHP
  - PDO: PHP Data Objects
  - PHP Extension Writing
Experience-Driven Development is a talk I gave with Jon Tan, and we explored ways designers and developers can collaborate better to create a better user experience, and thereby create a better web site. The talk was rough around the edges, but we have received a number of positive reviews so far, and it has sparked some interesting discussions. My own thoughts on the matter aren’t too solidified yet, because I’m better at identifying problems than coming up with solutions.
The sheer volume of horrible web sites is proof that industry standard practices suck.
I had planned to give Security 2.0 for the last time at this conference, but I received more positive feedback than I think I ever have. I was very pleased to note that more than half of the audience (which was a pretty large audience in the main auditorium) was at least somewhat familiar with CSRF already. (This was a first.) Perhaps I should just refine the talk to focus less on explaining what XSS and CSRF are and more on the interesting exploits that combine them with other technologies such as Ajax and Flash.
Luke’s talk was about a security tool we’ve been developing at OmniTI as part of our web application security practice. It’s called SNAP, and we plan to open source it soon. Garrett Serack of Microsoft attended the talk and explains it in a little more detail, and I hope to post more about SNAP soon.
I dined at Mint during 3 of my 6 evenings in Portland. Delicious.
I also made my way to Doug Fir and Vault, both of which are popular among OSCON regulars.
I used Twitter throughout the conference, and it looks like searching for shiflett+oscon finds most of my relevant updates, if you’re interested.
I hear OSCON is coming to San Francisco next year. Be there.
Posted Thu, 31 Jul 2008 21:56:04 GMT in Chris Shiflett’s Blog
Slow Cool Ain't Cool
Asynchronous JavaScript and XML (AJAX) combines proven technologies, including JavaScript, Extensible Markup Language (XML), dynamic HTML (DHTML), Cascading Style Sheets (CSS), and the Document Object Model (DOM), to deliver interactive Web applications. An AJAX-based Web application no longer has to reprocess and resend the entire page to the end user’s browser every time something on the page changes.
Java & Rich Internet Applications: Sun Launches JavaFX SDK Preview Release
Designed to “deliver content across all the screens of your life,” JavaFX, Sun's rival to Adobe's Flash/Flex, today ships a preview release of the JavaFX SDK, focusing on the RIA workflow. Sun's aim is to help the world's six million Java developers create RIAs.
Citizens Spy On Big Brother
An anonymous reader writes "Citizens of the world are striking back at 24/7 state surveillance by pulling out their cameraphones and filming inept officials, deadly healthcare lapses and thuggish cops. So-called Sous-veillance is seeing more and more people posting damning footage of official misdemeanours to sites such as YouTube to shame them into action." I wonder what happens if you inform a cop that you are recording him when he pulls you over.
Qumranet's Solid ICE Anchors Effective Hosted Desktop Virtualization
Qumranet announced a report published by analyst firm Ovum. The report, "Qumranet's Solid ICE Anchors Effective Hosted Desktop Virtualization," provides an overview of desktop virtualization as well as the opportunities and challenges for Qumranet in this space.
Misconfiguration Named Number One Security Risk To Virtualization Environments
According to the survey report, "Is Virtualization Under Control: Current Opinions on Security and Controls for Virtual Servers in Production Environments," virtualization has clearly gained a lasting foothold. However, who shoulders the responsibility for ensuring that security and controls are implemented across virtual infrastructure is open for debate, varying greatly between functional groups.
More Articles:
Laptops With Certain NVidia Chips Failing
Various laptop models from multiple manufacturers (Apple, Dell, HP, Lenovo, and others) are affected. NVidia blames it on bad chip packaging causing thermal failure. BIOS updates that turn the laptop fan on more frequently or permanently have been released by Dell and HP.
Image_jpg
Package: image_jpg
Summary: Manipulate JPEG images
Groups: Graphics
Author: Logan Bailey
Description: This class can be used to manipulate images. It can load JPEG images from a file or a remote URL, and it performs several image manipulation operations such as adding borders and resizing images.
Sun Microsystems Launches Its AMP Pack
Sun Microsystems has just announced the availability of its AMP pack for the Solaris and Linux operating systems. The pack consists of the Apache HTTP server, the MySQL database management system and the PHP (and Perl) language. The pack is available for download from Sun's site.
Apple Patches Kaminsky DNS Vulnerability
'This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1.' It also closes the script-based local privilege escalation vulnerabilities, the most common examples of which were ARDAgent and SecurityAgent, and addresses other less-publicized security issues as well. A few days back we noted Apple's tardiness in fixing their corner of this Net-wide issue.
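The advisory quoted above says the fix is source port randomization, but not why that helps. A cache poisoner has to deliver a forged response that matches the resolver's outstanding query before the genuine answer arrives; with only the 16-bit transaction ID to match, each forged packet is a 1-in-65536 guess, and the Kaminsky technique lets the attacker start as many such races as it likes by querying never-before-seen names under the victim domain. Randomizing the 16-bit UDP source port adds up to 16 more bits to every guess. The model below is an added example, not code from the Slashdot story, Apple's update or BIND; the attacker parameters (forged responses per race, number of races) are assumptions chosen for illustration, not measurements.

```python
"""
Model of DNS cache-poisoning odds with and without source port randomization.

Assumptions (not from the page):
- the attacker sends `spoofed_per_race` forged responses per outstanding query,
  each carrying a distinct (transaction ID, destination port) guess;
- races are independent, and the attacker can trigger as many as it likes
  (the Kaminsky trick of asking for random subdomains);
- `port_bits` is the *effective* entropy of the source port: 0 for a fixed
  port, up to 16 once the resolver randomizes it, less behind a NAT that
  rewrites source ports sequentially.
"""


def guess_space_bits(txid_bits: int = 16, port_bits: int = 0) -> int:
    """Bits the attacker must match in a single forged response."""
    return txid_bits + port_bits


def per_race_success(spoofed_per_race: int, txid_bits: int = 16, port_bits: int = 0) -> float:
    """Probability that one race is won.

    With distinct guesses this is k / 2^bits, capped at 1 when the attacker
    can flood the entire guess space within the race window.
    """
    space = 1 << guess_space_bits(txid_bits, port_bits)
    return min(spoofed_per_race, space) / space


def cumulative_success(spoofed_per_race: int, races: int,
                       txid_bits: int = 16, port_bits: int = 0) -> float:
    """Probability of poisoning the cache at least once over `races` races."""
    p = per_race_success(spoofed_per_race, txid_bits, port_bits)
    return 1.0 - (1.0 - p) ** races


def expected_races(spoofed_per_race: int, txid_bits: int = 16, port_bits: int = 0) -> float:
    """Mean number of races until the first win (geometric distribution)."""
    return 1.0 / per_race_success(spoofed_per_race, txid_bits, port_bits)


def compare(spoofed_per_race: int = 100, races: int = 1000) -> dict:
    """Side-by-side: fixed source port vs. 16 bits of port randomization."""
    return {
        "txid_only": {
            "bits": guess_space_bits(16, 0),
            "p_after_races": cumulative_success(spoofed_per_race, races, 16, 0),
            "expected_races": expected_races(spoofed_per_race, 16, 0),
        },
        "txid_plus_port": {
            "bits": guess_space_bits(16, 16),
            "p_after_races": cumulative_success(spoofed_per_race, races, 16, 16),
            "expected_races": expected_races(spoofed_per_race, 16, 16),
        },
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:15s} bits={stats['bits']:2d}  "
              f"P(win within 1000 races)={stats['p_after_races']:.2e}  "
              f"expected races={stats['expected_races']:.0f}")
```

With 100 forged responses per race, the fixed-port resolver falls with roughly 78% probability inside a thousand races (a few minutes of traffic), while the randomized one needs on the order of forty million races. The `port_bits` parameter is the caveat worth keeping in mind: a NAT or firewall that rewrites outbound source ports to a predictable sequence silently drops that number back toward zero, so a patched resolver behind such a device is not necessarily protected.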
Creating A Security Test Environment?
In theory that sounds like a great idea — but how should we test apps to make sure they are secure? We have tools to scan internal websites, and we use MBSA for our Windows servers. However, I'm turning to Slashdot to ask what are the best methods for creating a test environment where I can analyze apps for security vulnerabilities.