
2012 talks proposals

1,427 bytes added, 14:20, 17 October 2011
[http://www.tinkerpop.com/ TinkerPop] is an open source software development group focusing on technologies in the [http://en.wikipedia.org/wiki/Graph_database graph database] space.
This talk will provide a general introduction to the TinkerPop Graph Stack and the [https://github.com/tinkerpop/gremlin/wiki/Defining-a-Property-Graph property graph model] it uses. The introduction will include code examples and explanations of the property graph models used by the [http://socialarchive.iath.virginia.edu/ Social Networks in Archival Context] project and show how the historical social graph is exposed as a JSON/REST API implemented by a TinkerPop [https://github.com/tinkerpop/rexster rexster] [https://github.com/tinkerpop/rexster-kibbles Kibble] that contains the application's graph theory logic. Other graph database applications possible with TinkerPop, such as RDF support and citation analysis, will also be discussed.
 
 
== Security in Mind ==
* Erin Germ, United States Naval Academy, Nimitz Library, germ@usna.edu
 
I would like to talk about security of library software.
 
Over the summer, I discovered a critical vulnerability in a vendor’s software that (verified) allowed me to assume any user’s identity for that site, (verified) switch to any user, and (unverified, meaning I did not perform this as I didn’t want to “hack” another library’s site) assume the role of any user for any other library that used this particular vendor's software.
 
Within a 3 hour period, I discovered 2 vulnerabilities: 1) a minor one allowing me to access any backups from any library site, and 2) a critical vulnerability. From start to finish, the examination, discovery of the vulnerability, and execution of a working exploit were done in less than 2 hours. The vulnerability was a result of poor cookie implementation. The exploit itself revolved around modifying the cookie, and then altering the browser’s permissions by assuming the role of another user.
 
I do not intend to state which vendor it was, but I will show how I was able to perform this. If needed, I can do further research and “investigation” into other vendors' software to see what I can “find”.
 
''If selected, I will contact the vendor to inform them that I will present about this at C4L2012. I do not intend on releasing the name of the vendor.''
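The proposal above describes the general class of bug (an identity carried in a client-modifiable cookie that the server trusts) without naming the product or its exact format. The following is an added, constructed illustration of that class, not the vendor's code and not the proposer's exploit: a hypothetical minimal "session" implementation with the weak pattern beside an HMAC-signed variant, a sample user table, and a `tamper()` helper that does what an attacker would do in the browser. All names, the cookie format, and the user data are assumptions made for this example.

```python
"""Constructed illustration of cookie tampering leading to identity assumption.

NOT the vendor's code referred to in the proposal. Hypothetical minimal
session handling: a weak variant that trusts the user name in the cookie,
and a hardened variant that authenticates the cookie with an HMAC.
"""
import hashlib
import hmac
import secrets

# Hypothetical user table (constructed sample data for this example).
USERS = {"alice": "patron", "bob": "patron", "admin": "sysadmin"}


# --- Weak variant: the cookie IS the identity, and nothing proves who set it. ---
def weak_issue_cookie(username: str) -> str:
    """Server hands the client a cookie naming the logged-in user."""
    return f"user={username}"


def weak_current_user(cookie: str):
    """Server believes whatever user name the client sends back."""
    name = cookie.split("=", 1)[1] if "=" in cookie else ""
    return name if name in USERS else None


# --- Hardened variant: identity plus an HMAC tag over it, keyed server-side. ---
def hardened_issue_cookie(username: str, key: bytes) -> str:
    tag = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"user={username}; sig={tag}"


def hardened_current_user(cookie: str, key: bytes):
    """Recompute the tag; reject any cookie whose tag does not match."""
    fields = {}
    for part in cookie.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            fields[k] = v
    name, tag = fields.get("user", ""), fields.get("sig", "")
    expected = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or modified cookie: treat as unauthenticated
    return name if name in USERS else None


def tamper(cookie: str, new_user: str) -> str:
    """What the attacker does in the browser: rewrite the user field only."""
    parts = [p.strip() for p in cookie.split(";")]
    parts = [f"user={new_user}" if p.startswith("user=") else p for p in parts]
    return "; ".join(parts)


def demo() -> dict:
    """Log in as 'bob', then replay both cookies with the name changed to 'admin'."""
    key = secrets.token_bytes(32)  # server-side secret, never sent to the client
    weak = weak_issue_cookie("bob")
    hard = hardened_issue_cookie("bob", key)
    return {
        "weak_tampered": weak_current_user(tamper(weak, "admin")),      # 'admin'
        "weak_role": USERS.get(weak_current_user(tamper(weak, "admin"))),
        "hard_tampered": hardened_current_user(tamper(hard, "admin"), key),  # None
        "hard_honest": hardened_current_user(hard, key),                 # 'bob'
    }


if __name__ == "__main__":
    print(demo())
```

The signed cookie stops silent rewriting of the user field, but it still exposes the user name and still lets a stolen cookie be replayed; the more conservative design is an opaque random session identifier (for example `secrets.token_urlsafe()`) that is only meaningful in a server-side session store, with any role or identity resolved there on every request rather than read from the client.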