Sparkle security

Accepted Session
Long Form
Beginner
Scheduled: Tuesday, June 21, 2016 from 10:00 – 11:45am in B201

Excerpt

"Agent Sparkle, you have been recruited as a security expert to use your skills to protect the kingdom of Project Rainbow. You might not feel qualified yet, but Project Rainbow has great faith in your ability to learn." Web security is perhaps one of the most fun types of computer security to master: exploits can be constructed quickly and without many tools. But sadly, while there are many tutorials, they simply don't have enough rainbows and sparkles, and the practice exploits tend to focus on the basics without flourishes. Project Sparkle is a set of "training missions" designed to make learning web security more kid-friendly, but we think the audience of Open Source Bridge will also enjoy exploiting the web to add more rainbows and sparkles!

Description

“Agent Sparkle, you have been recruited as a security expert to use your skills to protect the kingdom of Project Rainbow. You might not feel qualified yet, but Project Rainbow has great faith in your ability to learn.”

Web security is perhaps one of the most fun types of computer security to master: exploits can be constructed quickly and without many tools. But sadly, while there are many tutorials, they simply don’t have enough rainbows and sparkles, and the practice exploits tend to focus on the basics without flourishes.

These tutorials were developed as part of the ChickTech Code For Good Hackathon. Since security is such an important part of modern computer science, and ChickTech is one of many organizations that teaches computer science to girls, we wanted to make sure that they had security tutorials that would be cute and fun.

The first few tutorials are already up at https://github.com/terriko/sparklesecurity, and by the time of Open Source Bridge we hope to have a few more available.

These tutorials were tested by visiting children, parents, educators and other developers taking part in the hackathon. Educators in particular loved that they were simple enough to run even for non-security experts. Girls loved that their exploits made huge, visible changes to web pages. Developers loved that they introduced complex topics in a very approachable way.

In this workshop, participants will find themselves working as secret agents for the mysterious “Project Rainbow” — an organization dedicated to making the world more colorful and sparkling, starting with the web. The workshop will alternate between hands-on tutorials of the style shown above and short (5-10 minute) talks about security concepts associated with each “mission.” Attendees will learn web exploitation techniques and use them to change web pages, communicate with other agents, and at the same time, learn fundamentals of computer security within a playful environment. This workshop will cover some basic penetration testing on the web (acting as a bad guy to better understand the security of a system), operational security, input validation, code injection, authentication, common mistakes, and better defenses.

The idea behind the “Sparkle Security” project is that web security fundamentals are much easier to learn than those of other areas of security. Unlike some older types of security exploit that require hours of painstaking experimentation, web security exploits can sometimes be done in a few minutes, and they can be made even more fun for beginners by leveraging web design techniques to make the exploits visible and thematic. This makes the material approachable, memorable, and more fun than traditional security teaching built around hex editors and command-line interfaces.
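As an added illustration of the “visible exploit, then defend it” pattern the workshop describes (this is example code written for this page, not code from the Sparkle Security tutorials), here is a tiny page renderer that takes an agent name from an untrusted source and puts it straight into HTML. A “mission” payload closes the heading and injects a rainbow stylesheet, which is exactly the kind of huge, visible change the text talks about; the hardened renderer escapes the value first, so the same payload shows up as plain text. The renderer functions, the payload, and the `escapeHtml` helper are all assumptions made for this example.

```javascript
// Added example for this page: HTML injection made visible, then defended.
// Not part of the Sparkle Security tutorials; all names here are assumed.

// Vulnerable renderer: the agent name (imagine it came from ?agent=... in
// the URL) is pasted into the page with no escaping at all.
function renderWelcomeVulnerable(agentName) {
  return `<h1>Welcome, Agent ${agentName}!</h1>`;
}

// Minimal HTML escaping for text placed into element content or into a
// quoted attribute value. It is NOT sufficient for script, URL or CSS contexts.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened renderer: same page, untrusted value escaped before insertion.
function renderWelcomeSafe(agentName) {
  return `<h1>Welcome, Agent ${escapeHtml(agentName)}!</h1>`;
}

// A constructed "mission" payload: an agent name that breaks out of the <h1>
// and injects a stylesheet that paints the whole page as a rainbow.
const RAINBOW_PAYLOAD =
  'Sparkle</h1><style>body{background:linear-gradient(90deg,red,orange,yellow,green,blue,violet)}</style><h1>';

// Count real <style> start tags in rendered HTML. Escaped text such as
// "&lt;style&gt;" does not match, because it is no longer markup.
function countStyleTags(html) {
  return (html.match(/<style\b/gi) || []).length;
}

// Did the payload end up as live markup in the output of this renderer?
function injectionSucceeded(renderFn, payload) {
  return countStyleTags(renderFn(payload)) > 0;
}

// Quick demo when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderWelcomeVulnerable(RAINBOW_PAYLOAD));
  console.log('safe:      ', renderWelcomeSafe(RAINBOW_PAYLOAD));
  console.log('injected into vulnerable page?',
              injectionSucceeded(renderWelcomeVulnerable, RAINBOW_PAYLOAD));
  console.log('injected into safe page?',
              injectionSucceeded(renderWelcomeSafe, RAINBOW_PAYLOAD));
}
```

The point a practitioner should take from this is that the defense is output encoding chosen for the context where the value lands, not a blocklist of “bad” strings in the input: the same escaper is wrong inside a `<script>` block or a `style=` attribute, and a real application would reach for its template engine’s auto-escaping rather than a hand-rolled replace chain.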

Tags

security, web

Speaking experience

I've given talks as a teacher, as an academic researcher, as an industry security expert, as a human being, to all manner of audiences. In the past year, I've talked at Grace Hopper (a panel entitled "Securing Open Source Software"), twice at Open Source Bridge ("Bringing Security to Your Open Source Project" and "Internet of Things Militia: Paramilitary Training for your IoT devices") and at a private conference ("Skynet is Open Source: How automated software repair can use mutations to fix your bugs and possibly destroy mankind").

Links to slides, videos, and a longer lists of my talks can be found here: http://terri.toybox.ca/speaking/

This is a new tutorial that has not been given before, although the early materials are already online and we have submitted it to a conference later in 2016.

I'm hoping to have the two colleagues who are core contributors to Sparkle Security come to help with this, but I've left their names off the application because I haven't confirmed their availability yet.

Speaker

  • Biography

    Terri has a PhD in horribleness, assuming we agree that web security is kind of horrible. She stopped working on skynet (err, automated program repair and artificial intelligence) before robots from the future came to kill her and then she got a job in open source, which at least sounds safer. Now, she gets paid to break things and tell people they’re wrong while working towards more secure open source and open web standards. She doesn’t get paid for her work on GNU Mailman or running Google Summer of Code for the Python Software Foundation, but she does those things too.

    Sessions

      • Title: Taking no for an answer
      • Track: Culture
      • Room: B202/203
      • Time: 1:30–2:15pm
      • Excerpt:

        Open source (like many fields) rewards people who are confident and even a bit pushy. So we give talks encouraging folk to get over imposter syndrome, lean in, say yes to more things. But self-improvement shouldn’t focus only on our most vulnerable members; it should also reach our most powerful. So let’s talk not about saying yes, but about hearing no. Learning to take no for an answer can transform efforts such as security, diversity and mentoring where we have few experts or volunteers and great need. Let’s talk about accepting “defeat” with grace, and how to take “no” for an answer while still moving forwards.

      • Speakers: Terri Oda
      • Title: Sparkle security
      • Track: Practice
      • Room: B201
      • Time: 10:00–11:45am
      • Speakers: Terri Oda
