Discover and read the best of Twitter Threads about #usesec19

Most recent (6)

Last in this session at #usesec19: "The Web's Identity Crisis: Understanding the Effectiveness of Website Identity Indicators" by Christopher Thompson, Martin Shelton, Emily Stark, Maximilian Walker, Emily Schechter, and Adrienne Porter Felt, Google
[ delay while they try to make the slides not trigger a seizure for anybody. ow. ]
This talk is about the problems we face in explaining website identity to users.

The principal form of website identity is like google.com

Also shows extra information through Extended Validation certs, like showing the cert is associated with a legal entity
Next up at #usesec19: "Protecting accounts from credential stuffing with password breach alerting", Kurt Thomas speaking

Want to test this technology live? Download the Google password check extension from the Chrome store
Billions of credentials have become widely available. This makes it trivial for attackers to access user accounts.

How do you protect the long tail of sites across the web? Attackers have access to billions of usernames and passwords. Users don't have the resources to address this.
Bridging the knowledge gap, like "have I been pwned" site.
* But may not be accurate because only uses username.
* Privacy risk, even if sharing only SHA-1 hash of password -- what if the site is an attacker?
Next up at #usesec19 is Passwords: "Birthday, Name and Bifacial-security: Understanding Passwords of Chinese Web Users" by Ding Wang and Ping Wang, Peking University; Debiao He, Wuhan University; Yuan Tian, University of Virginia
Turns out that the passwords of Chinese users are really different from English-speaking users' passwords, which means that we may need different protection mechanisms.

Passwords are influenced by one's native language. Unfortunately most studies are performed in English.
Used 9 password datasets from high-profile sites which were breached (6 Chinese, 3 English) across different types of sites (gaming, dev forum)
I'm in the invited talk track for #usesec19 with the first talk being "Baby Steps towards the Precipice: How the Web Became a Scary Place and How We Can Fix It"
(wow you can become a staff engineer before 35. new goals for me I guess)
One of the challenges at Google is that it is one of the largest web platforms in the world, which, with a diversity of tech stacks, languages and microservices, means there are thousands of web vulns of varying severity filed every day.
Next up at #usesec19: Yueqi Chen will speak about "Toward the Detection of Inconsistencies in Public Security Vulnerability Reports"
Challenges faced by security operations engineers:
1. Keep an eye on new vulns that affect their systems
2. Patch vulnerable software as soon as possible
So you check NVD, CVE, and other databases like Exploit Database, SecurityFocus, Red Hat Bugzilla...
The first talk is @johnwilander, a @webkit engineer at @Apple who will talk about privacy by default on the web. #usesec19
This talk will go through specific privacy issues. Agenda:
- Cross-site tracking
- How we are preventing it in Safari
- The way forward for the web platform
60-70% of your browsing history is outside your control, and can be reconstructed using tracker data. It can be manipulated and handed over by anyone.

A visible consequence of ads is retargeted ads: ads that follow you around the web after you've shown interest in a product.
