Access Denied: Keeping yourself off an attacker’s radar

Paul Gilzow (wpDirAuth, Presentation)

Locking down reconnaissance: reduce an attacker's ability to detect and fingerprint what is running (WordPress itself, its version, plugins, and user names) so the site never shows up as a target.

Fingerprinting tools demonstrated (the first is run against the speaker's own campus site):

https://builtwith.com/ualr.edu
https://wpscan.org/

Counter measures

Use Apache's authorization modules (mod_authz_core and mod_authz_host, the Require directives in Apache 2.4) rather than a plugin: the request is refused by the web server before any PHP runs.

File protection

  • protect wp-content (there is no reason for PHP files under wp-content to be directly executable; deny everything implicitly and whitelist only what a browser needs to download as a web asset: scripts, styles, images, fonts)
  • protect wp-includes (deny everything except wp-tinymce.php, which serves the editor bundle, and the static scripts and styles the front end loads)
  • protect wp-admin (lock it to admin IP ranges, except admin-ajax.php, which themes and plugins call from the public front end)
  • protect the root directory (lock wp-login.php to IP ranges; block xmlrpc.php, readme.html and license.txt, which give away the WordPress version and a brute-force channel)
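The four file-protection bullets above as one Apache 2.4 configuration. This is an added example, not the speaker's configuration; it assumes WordPress lives in /var/www/html and uses 192.0.2.0/24 (a documentation range) as a placeholder for the admin network.

```apache
# Added example (not the speaker's config). Assumes the WordPress document
# root is /var/www/html and that 192.0.2.0/24 is the admin network.
# Needs mod_authz_core and mod_authz_host (the latter for "Require ip").

# wp-content: deny everything, then whitelist the asset types a browser
# legitimately fetches. A .php file uploaded or dropped in here is unreachable,
# and so are plugin readme.txt files, which fingerprinting tools read.
<Directory "/var/www/html/wp-content">
    Require all denied
    <FilesMatch "\.(css|js|map|png|jpe?g|gif|svg|webp|ico|woff2?|ttf|otf|eot|mp4|pdf)$">
        Require all granted
    </FilesMatch>
</Directory>

# wp-includes: scripts and styles are needed, PHP is not, except the TinyMCE
# loader that older WordPress releases serve from here. The later <Files>
# section overrides the earlier <FilesMatch> for that one file.
<Directory "/var/www/html/wp-includes">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
    <Files "wp-tinymce.php">
        Require all granted
    </Files>
</Directory>

# wp-admin: admin network only. admin-ajax.php stays open because themes and
# plugins call it from the public front end for anonymous visitors.
<Directory "/var/www/html/wp-admin">
    Require ip 192.0.2.0/24
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>

# Site root: log in from the admin network only; block the files that reveal
# the WordPress version or offer an XML-RPC brute-force channel. This block is
# merged with the distribution's own <Directory "/var/www/html">, which keeps
# "Require all granted" for everything else.
<Directory "/var/www/html">
    <Files "wp-login.php">
        Require ip 192.0.2.0/24
    </Files>
    <FilesMatch "^(xmlrpc\.php|readme\.html|license\.txt)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Two caveats a practitioner should check. First, "Require all denied" answers 403, which still confirms the file exists; if the goal is to look like nothing is there, serve a 404 instead (for example mod_alias's `Redirect 404 /readme.html`, or an ErrorDocument 403 that renders the site's 404 page). Second, behind a load balancer or CDN, "Require ip" sees the proxy's address unless mod_remoteip is configured with RemoteIPHeader and RemoteIPTrustedProxy, so verify the IP lock from outside the admin network before relying on it.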

User protection

  • disable the redirect from ?author=N to the pretty author permalink (the canonical redirect maps a numeric user ID to a login name, so an attacker can enumerate accounts by counting)
  • remove the author permalink from post bylines and author profile page output
  • remove the user-specific CSS classes WordPress emits (comment-author-<name> on comments, author-<name> on author archive pages), which leak login names in the page source
  • replace WordPress's overly informative login error messages, which distinguish an unknown user from a wrong password, with one default message
  • use SSO (directory authentication, as the speaker's wpDirAuth plugin does) instead of local accounts, so there are no local passwords to brute-force
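The four code-level bullets above (the SSO point is a deployment choice, not a hook) as a WordPress must-use plugin. This is an added example written for these notes, not the speaker's code and not part of wpDirAuth; it uses only core WordPress hooks. It goes one step beyond the list: on WordPress 4.7 and later the REST API also lists users, so the same enumeration is closed there for anonymous requests.

```php
<?php
/**
 * Plugin Name: Recon hardening (added example)
 *
 * Example code for the "User protection" notes; not the speaker's code and
 * not part of wpDirAuth. Save as wp-content/mu-plugins/recon-hardening.php;
 * must-use plugins load without activation.
 */

defined('ABSPATH') || exit;

// 1. ?author=N: never redirect to /author/<login-name>/ (the canonical
//    redirect is what turns a numeric ID into a username), and do not render
//    the author archive for the raw query either. Answer 404 instead.
add_filter('redirect_canonical', function ($redirect_url) {
    return isset($_GET['author']) ? false : $redirect_url;
});

add_action('template_redirect', function () {
    if (isset($_GET['author'])) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
        nocache_headers();
    }
});

// 2. Author permalinks in bylines and profile output: every
//    the_author_posts_link() / get_author_posts_url() now points at the
//    home page rather than /author/<login-name>/.
add_filter('author_link', function () {
    return home_url('/');
});

// 3. Strip the user-specific classes: comment-author-<nicename> on comments,
//    author-<nicename> and author-<id> on the <body> of author archives.
//    The bare "author" body class and "bypostauthor" are kept.
$recon_strip_user_classes = function (array $classes) {
    return array_values(array_filter($classes, function ($class) {
        return ! preg_match('/^(comment-)?author-/', $class);
    }));
};
add_filter('comment_class', $recon_strip_user_classes);
add_filter('body_class', $recon_strip_user_classes);

// 4. One generic login error whether the username is unknown or the
//    password is wrong; the stock messages differ and confirm valid accounts.
add_filter('login_errors', function () {
    return 'Login failed. Please check your username and password.';
});

// 5. Beyond the notes: WordPress 4.7+ exposes /wp-json/wp/v2/users. Remove
//    the route for anonymous requests only, so the editor's author dropdown
//    (which needs it while logged in) keeps working.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
```

Verify each point from an anonymous session: `curl -I 'https://example.org/?author=1'` should return 404 with no Location header, a comment's markup should no longer carry a comment-author-<name> class, and a wrong username and a wrong password at wp-login.php should produce byte-identical error text.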

[IDEA] use git to roll through a history of commits to incrementally show changes for a presentation

Google[x]: Building a Moonshot Factory

Moonshots are seemingly impossible and yet impossibly-important ideas that through science and technology can be brought to reality. Google[x] is a moonshot factory full of optimists who are focused on changing the world by seeking out massive unsolved problems that — when solved — will profoundly and positively alter the way we live. You may have heard of self-driving cars and Google Glass, but here we’ll give a glimpse of the ethos, style, and people behind Google[x].

Then, from 4-6pm, come to our “Solve for X” exploration session at Bat Bar to engage in pushing forward moonshots — radical technology-based proposals for solving global problems (register at goo.gl/m0R4n and join the community at SolveforX.com).


Why Designers Should Care About Measuring Success

“How do you know this design is better?”
This question stumps even the most seasoned designers. Businesses are recognizing the importance of design and the competitive advantage that taking a design-led approach offers. Designers are moving up the corporate ranks and we’re now beginning to see titles like “Design Strategist,” “Design Director” and “Chief Design Officer” take hold within organizations. As designers, the decisions that we are now making carry much more weight and, inherently, more risk to the companies we serve.
This presentation proposes 3 questions that designers can ask to tease out measurement of success early in our creative processes. It will explore methods to develop concrete measurements that will enable designers to make faster decisions, create better alignment with traditional business metrics (e.g. Online conversion rate, sales per square inch), and have more courage to push creative boundaries in our work.


Building a better UX resume

The dreaded résumé. How can one love something meant to condense and cram a person’s life and career into a handful of pages? We as job hunters hate them because they never seem to sufficiently convey what we do or how we do it, and it’s usually the first impression any potential employer gets of us. Employers have a love/hate relationship with them because they do, at first, provide an apparently good abstraction of a potential hire, but it’s a thin veneer that quickly rubs away when they come face to face with an individual that barely seems to match up with that first impression.

A couple of years ago I experimented with treating my résumé as a UX project, applying user-centric principles and methodologies on myself in the hopes of landing a better job. In this session I’ll go over the process that led me to my design, discuss ‘user’ reaction to the design, and outline some ideas that can help everybody build a better résumé, UX or otherwise.


OAuth 2.0: Identity and data access

OAuth 2 is the latest version of the OAuth standard, unlocking authorized access to user data from dozens of different APIs like YouTube, Google Apps and Facebook in a way that’s easier than ever for developers. OAuth 2 can now be used via OpenID Connect to allow users to easily log in and sign up with apps faster, with less developer effort.

This session will cover how web and mobile applications can take advantage of this technology to improve the experience and security of user accounts.
