== Kevin Johnson & Tom Eston: Desktop Betrayal: Exploiting clients through the Features They Demand ==
This turned out to be one of the best talks for me. Kevin and Tom showed several examples of how new features in software, especially in HTML5, might be used to compromise users.
One of my favorites really throws back to HD Moore's talk. They showed a hypothetical attack where HTML5 audio could be used to attack a user via content. The page would load both an audio listener and audio channel to control a computer without the user's knowledge. So the audio output would be above or below human hearing range but still detected by the laptop microphone. Thus the listener could then accept commands and execute them outside the user's control.
I talked to both of them after their session and they were very interested in what we were doing with audio, video, full screen etc. and how these new features pose risks to users. We also had a chat about rapid release, the LTR proposal, silent updates and add-on compat. I exchanged contact info with Kevin and I think we may want to approach him about some of his thoughts on these newer features.
= Louisville Infosec =