Categories: Meetups, Security, Tampa Bay

I’ll be at CyberX Tampa 2022 next Tuesday, October 25!

CyberX Tampa 2022 takes place next Tuesday, October 25, from 5:30 p.m. to 8:00 p.m. at TheIncLab in Ybor City, and I’ll be there! It’ll be an evening of all things cybersecurity-related with some of Tampa Bay’s largest companies, CISOs, and tech leaders!

TheIncLab’s building in Ybor City (1320 E 9th Ave.)

Here’s the agenda:

Time | Event
5:30 p.m. – 6:00 p.m. | Networking
6:00 p.m. – 6:15 p.m. | Special honoree: Courtney H. Jackson, founder and CEO of Paragon Cyber Solutions and Global 2022 Cybersecurity Woman Entrepreneur of the Year
6:15 p.m. – 6:45 p.m. | Breakout sessions (listed below)
6:45 p.m. – 7:00 p.m. | Networking
7:00 p.m. – 7:45 p.m. | Panel Discussion: State of Cybersecurity in Florida (panelists listed below)
7:45 p.m. | Thank-yous and good night

Breakout session: DE&I in Cyber Panel, with:
• Moderator: Suzanne Ricci | Chief Success Officer @ Computer Coach
• Courtney H. Jackson | Founder & CEO @ Paragon Cyber Solutions
• Samantha Ramos | Information Security Risk Manager @ Nextech Systems
• Hugh Percy | Mgr, Cyber Security Threat Analysis & Operations @ Moffitt

Breakout session: Blackhat Tactics You Should Know, with:
• Charlton Trezevant | Senior Application Security Consultant @ GuidePoint Security
• Robert Lubin | Security Operations Center Director @ Abacode

Panel Discussion: State of Cybersecurity in Florida, with:
• Moderator: Larry Whiteside | CISO @ RegScale
• Jason Allen | CTO @ Digital Hands
• Kari Schori | CIO @ Office of the Public Defender 6th Judicial Circuit
• Rolando Torres | Co-Founder & COO @ Abacode

This event is FREE to attend — simply register on the event site!

Categories: Meetups, Security, Tampa Bay, What I’m Up To

I’m presenting “The Secret History of Login” at InfraGard Tampa Bay next Tuesday!

Are you free next Tuesday, October 18th from 9:00 a.m. to noon, for an event you can attend either in person or online? If so, perhaps you might want to catch my talk at the upcoming InfraGard Tampa Bay Members Alliance meeting. It’s titled The Secret History of Login!

Here’s the description:

If you’re reading this, the chances are very good that you’ve logged into a system or resumed a session where you logged in earlier. It’s a common enough occurrence that most of us don’t think about it unless we’re in a hurry or if we can’t remember our username/password combination.

Logging in is new enough that there are still many people alive who knew the world before usernames and passwords, yet old enough that it has developed some problems that will take time and effort to solve. This talk tells the strange story of how login grew from a last-minute hack into part of our daily experience. Along the way, you’ll get an overview of some of the ways it has been implemented, how it inspired both a popular software movement and a whole new category of crime, and some best guesses about its future.

What is InfraGard Tampa Bay Members Alliance?

First of all, they’re affiliated with the FBI! As their About page states:

Our mission is to mitigate criminal and terrorist threats, risks and losses for the purpose of protecting our region’s critical infrastructure and the American people. Founded in 2004, the Tampa Bay chapter has established itself as a leader nationwide, setting the highest standards for programs, training and education. For the last decade, we have proudly contributed to the safety and security of Tampa Bay via an all-threats, all-hazards approach. At the national level, the InfraGard National Members Alliance was founded in 1996 and now comprises over 80 regional chapters, each linked to an FBI Field Office.

InfraGard’s success can be attributed to the unprecedented communication, collaboration and coordination it has forged at the epicenter of America’s most critical resources. Our membership is comprised of individuals that represent private businesses; local, state and federal law enforcement agencies; academic institutions; first responders and more.

All members are vetted by the FBI and pass comprehensive background checks prior to being accepted to InfraGard. The trust inherent in those who have successfully passed these checks is unmatched in any other public-private partnership in the country, making InfraGard a unique and highly successful solution to engaging the private sector in the protection of our nation’s critical infrastructure.

What’s happening at this meeting?

There’s a lot going on at this meeting — in fact, I’m not the only speaker at this one! Here’s the agenda:

Time | Item
9:00 a.m. | Welcome and speaker/topic introductions by Ebony Vaz
9:05 a.m. | Opening remarks by Michael Ritchie, President
9:15 a.m. | Speaker 1: Kate Whitaker, Director of Cyber Outreach, Cyber Florida
10:00 a.m. | Break
10:15 a.m. | Speaker 2: Joey deVilla, Senior Developer Advocate, Okta — The Secret History of Login
11:00 a.m. | Break
11:15 a.m. | Speaker 3: Billy Sasser, Supervisory Protective Security Advisor (SPSA), CISA Region 4 — CISA’s Physical and Cyber Security Resources
12:00 p.m. | Closing remarks by Michael Ritchie, President

You can attend in person or online!

They’re streaming this event, so you have the option of attending online if you can’t make it to the in-person event. Here are the registration details:

Categories: Current Events, Security, Tampa Bay

I’m going to the Tampa Bay’s Cybersecurity Awareness Month happy hour tonight!

October is Cybersecurity Awareness Month, and we’re celebrating both the month and Tampa Bay’s cybersecurity professionals at Shuffle in Tampa Heights tonight from 5 to 7 p.m.!

Graphic: Computer Coach Training Center logo

The folks at Computer Coach Training Center (for whom I just finished teaching a Python course) helped put this event together, and it’s your chance to meet people from Cyber Florida as well as other local people in cybersecurity (hint: I work for the Auth0 arm of Okta, which just so happens to be in that industry).

Want to join in? Register on the event’s Meetup page, and I’ll see you there!

Categories: Programming, Security, What I’m Up To

Learn how to add Auth0 authentication to Android and iOS apps built with React Native!

Do you write apps in React Native? Do you want to add authentication — that is, login and logout — to those apps? If so, these articles are for you!

If you’re writing an Android app in React Native and you need users to log in and log out, don’t roll your own authentication! Use Auth0 instead. You’ll get full-featured authentication and have more time to concentrate on your app’s full functionality.

The article Get Started with Auth0 Authentication in React Native Android Apps gives you a tutorial where you make an Android app that lets users log in with an app-specific username/password combination or a Google account.

There’s also an iOS-specific version of this article: Get Started with Auth0 Authentication in React Native iOS Apps. Just like the Android version, this article walks you through the process of making an iOS app that lets users log in with an app-specific username/password combination or a Google account.

Both articles appear in the Auth0 Developer Blog and were written by guest author Wern Ancheta, with technical editing and additional content by Yours Truly!

Categories: Security, Video

Get to know Bellingcat and open source intelligence (OSINT)

The Bellingcat logo.

As the Russian invasion of Ukraine continues, you’re increasingly likely to hear the name “Bellingcat”. It’s the name of an independent group of researchers, investigators, and citizen journalists who practice open source intelligence (OSINT). Here’s a quick primer about Bellingcat and open source intelligence, plus a whole lot of videos about Bellingcat’s work and their reporting on aggression by Russia’s government and armed forces.

Bellingcat’s origins

Illustration: The mice planning to bell the cat.

Bellingcat get their name from Aesop’s fable, Belling the Cat. In the fable, the youngest of a group of mice who were terrorized by a cat suggests that they put a bell on the cat, which would act as an early warning system. While the suggestion was warmly received, one of the elder mice brought up a serious challenge to the plan: “Who will bell the cat?”

Eliot Higgins founded Bellingcat in 2012 after being laid off from an administrative job. He started doing independent research on the civil war in Syria by collecting and analyzing publicly available photos and footage, and cross-referencing them with reports. Since then, he’s grown the organization, who’ve gone on to apply their open source intelligence skills to stories including:

Open source intelligence

Open source intelligence, often referred to as OSINT, is a term for any information that can be gathered from freely and publicly available sources. It most often refers to information gathered online — the kind that anyone with an internet connection would be able to access. This information could be available free of charge, or it could be acquired for a fee (e.g. a subscription to a news organization, data source, or API).

It also applies to non-online/non-digital information from books, newspapers, magazines, academic journals and papers, FOIA requests and their equivalents, and so on.

It could be in text form, but it also applies to video, photographs, sound recordings, data files, and databases.

Giancarlo Fiorella, a senior Bellingcat investigator based in Toronto, makes it clear that OSINT is not “hacking” (as in accessing computer systems or information illegally), stealing, or spying. It’s about gathering data and doing the research.

Bellingcat contribute to the Russia-Ukraine monitor map


You may have read about the Russia-Ukraine Monitor Map on my personal blog, but if you haven’t, it’s a public resource for mapping, documenting, and verifying significant incidents that happen in the Russian invasion of Ukraine. Bellingcat are a primary contributor of information to this resource.

Videos about Bellingcat

Here’s a collection of YouTube videos on Bellingcat for those of you who’d like to know more about them or about OSINT.

Insights from Bellingcat on Russia’s Ukraine Ambitions (March 2, 2022 – Reuters Institute)

This is a Zoom interview with Christo Grozev, Bellingcat’s lead Russia investigator.

Researchers create open-source map tracking incidents in Ukraine (February 28, 2022 – CBC)

Fact-checkers on the front line of Russian propaganda machine (February 25, 2022 – CBC)

Inept Info-Wars: Bellingcat’s Eliot Higgins on Putin’s Problems with Reality (February 24, 2022 – Foreign Press Association USA)

Open-source Intelligence (OSINT) by Giancarlo Fiorella, Investigator and Trainer at Bellingcat (December 2021 – Asian College of Journalism)

This features a presentation by senior Bellingcat investigator Giancarlo Fiorella about Bellingcat, open source investigations and how they’re conducted. He goes into detail about investigating the Mahbere Dego massacres and the ethical issues and challenges in open source research.

We Are Bellingcat: An Intelligence Agency for the People (May 2021 – Talks at Google)

Ethical Matters: Bellingcat – The Citizen Intelligence Agency (April 2021 – Conway Hall)

Putin’s Assassins Exposed: An Evening w/ Bellingcat Founder Eliot Higgins (March 2021 – Renew Democracy Initiative)

I Exposed a Russian Assassination Squad (March 2021 – Vice’s “Super Users” series)

Discussion with Bellingcat Founder Eliot Higgins (March 2021 – Center for the Study of the Presidency and Congress)

How Bellingcat tracked a missile system in Ukraine (February 2020 – 60 Minutes Overtime)

Bellingcat: Truth in a Post-Truth World (2018 documentary film)

https://www.youtube.com/watch?v=jOx_m0whcgw

Categories: Humor, Security

DAMMIT DAVE

Categories: Conferences, Security

Okta/Auth0’s developer day: “Auth for All” – Tuesday, Aug. 24!

Tired of writing the login part of your application? Would you rather work on what your API actually does than on securing it? Want to know what identity, authorization, and authentication are, and how you can use them to create applications that give your users great, secure experiences?

Then you’ll want to attend Okta’s and Auth0’s virtual developer day, Auth for All, which happens on Tuesday, August 24! The theme will be “Build the future of identity with us,” and it’ll be a day of celebrating developers around the world while learning how identity empowers builders of all kinds to innovate.

And in case you were wondering…

The agenda

1:00 p.m. EDT / 10:00 a.m. PDT: Platform + Chat Room Opens

1:30 p.m. – 2:15 p.m. EDT / 10:30 a.m. – 11:15 a.m. PDT: Opening Keynote: Build the Future of Identity with Us

In today’s keynote, we’ll kick off Developer Day by celebrating developers like you building for the web, mobile, cloud infrastructure, and everywhere else code runs around the world. Then, lifelong hacker and security expert Alyssa Miller will share updates from the world of cyber security that will help you build your apps and infrastructure with

2:30 p.m. – 3:00 p.m. EDT / 11:30 a.m. – 12:00 p.m. PDT (three sessions in this time slot):

Traveling Through a Secure API in Python

In this talk, we will see how you can use Python and Auth0 together to build your very own “Where Have I Been” map! I will walk you through all the steps we will need starting from scratch. From building the first API endpoints, protecting the endpoints that create new markers, all the data manipulation, and even deployment!

Auth for IOT: Securing Your Smart Home

Have you moved into a new house and want to automate all the things? Sounds pretty cool, right? Just one tiny concern: how secure is it to use “smart home” devices? Should you create your own software to control your blinds? What about hacking your cameras? The world of IoT (Internet of Things) has so many options to choose from but very little guidance about how secure they are, and how you as a developer can prevent unauthorized access. In this session, we will go over what you can do with existing platforms like Alexa and roll your own DIY projects to lock down who can use them – YOU.

OAuth: Past, Present, and Future

OAuth is the foundation of most of modern online security, used everywhere from signing in to mobile apps to protecting your bank accounts. Despite its ubiquity, there are still many misconceptions about OAuth and OpenID Connect in the wild.

In this session you’ll learn about the background and original motivations that drove the creation of OAuth, how OAuth and OpenID Connect are used today to provide secure online experiences, as well as the latest developments and future work within the OAuth and OpenID Connect communities.

This session will cover the many new RFCs that have been published since the original draft of OAuth 2.0, which both add and remove functionality from the core spec. These include OAuth 2.0 for Native Apps, Proof Key for Code Exchange, OAuth 2.0 Security Best Current Practice, as well as some in-progress and experimental drafts such as JWT Access Tokens, Rich Authorization Requests, and various Proof of Possession techniques. This session will cover the current status of this ongoing work and what you need to know to be prepared for the future.

3:15 p.m. – 3:45 p.m. EDT / 12:15 p.m. – 12:45 p.m. PDT (three sessions in this time slot):

Authenticating Your Next(js) Jamstack App

Inclusive Digital Identity and Web Monetization for Earning Online

Digital IDs controlled by the users enable users to seamlessly onboard to any web app or platform. With Web Monetization, users can earn freely and spend freely from their digital identity-connected wallets. This talk will highlight two open standards, the Verifiable Credential Standard and the Web Monetization Standard, and show how developers can build with them today.

Seamlessly Integrate Identity Into Your APIs with Okta and Kong

Learn how to implement powerful new authentication and authorization scenarios with Kong and Okta. In this demo-heavy session, we will show you how to do sophisticated API access and API management flows with OIDC and OAuth – including how to plug in Identity into your CI/CD pipelines.

4:00 p.m. – 4:30 p.m. EDT / 1:00 p.m. – 1:30 p.m. PDT (three sessions in this time slot):

Shift-Left DevOps for Your APIs with Okta and JFrog

With Okta and JFrog, strengthen your shift-left DevSecOps strategy by validating the security of your application’s REST API endpoints before you release to production and to your customers. Learn how you can use Okta and JFrog to automate the validation of your authentication and authorization policies for your REST APIs.

OAuth for Game and XR Developers

Gaming and XR technology represent a wild west for identity security. The industry itself is one of the most highly targeted and breach-prone in all of tech, yet security is commonly prioritized last. Often user experience is emphasised over security, and best practice standards are not always a perfect fit for some target platforms such as consoles or headsets. With constantly increasing demand for interconnected experiences in gaming, growing reliance on cloud-based backend solutions, and the increased collection of player data occurring as players become the product, security has become paramount for game developers. In this talk, we will deep dive into how game and XR developers can balance experience and security using the security best practice standard OAuth. We will discuss the basics of OAuth, designing experiences for different target platforms, and using a player’s authorization to interact with other cloud-based backend solutions. This session is intended for game/XR developers, or developers who are interested in game/XR development, and assumes a basic level of development knowledge with related engines and tech. Existing experience with identity security best practices and OAuth is not required.

Securing Authorization In Your Web Apps

4:45 p.m. – 5:15 p.m. EDT / 1:45 p.m. – 2:15 p.m. PDT: Closing Keynote with Cassidy Williams

7:00 p.m. EDT / 4:00 p.m. PDT: Chat Room Closes

Once again, I remind you…


Register now!