Here are my notes from a 5 minute lightning talk that I gave at the Open Source Developers Conference in Canberra last week. It went down pretty well, and it was a lot of fun giving it. It was targeted at web developers, and titled “The Internet is trying to kill you”.



Hi, my name is David. I work for a web hosting company called Anchor Systems as a sysadmin, and like all sysadmins I’ve been avoiding actual sysadmin work as much as possible, and have been writing some web apps.

So people writing web apps, Hey!

The internet hates you.

Now I’m just trying to get across one simple point, and that is that there are people on the internet who want to set your shiny new web app on fire just to see it burn. Maybe they want to do it for the lolz. Maybe they want attention. Maybe they want your data. Maybe they’re just plain bored. They want it all to end in fire.

And you’re next.

You don’t have to be big. You don’t have to be popular. Earlier this afternoon I spun up a clean VM on a free IP address that had never been used before, ever. Nothing even pointing to it in DNS. People were hitting ports 80 and 443 in less than a minute. This is a fact of life: this is background noise.

I don’t want you to feel safe and comfortable when you’re writing web applications. I want you to be thinking like a card-carrying member of the tin-foil hat brigade. Because this is the way that you don’t end up on the front page of The Australian’s IT section.

Here are some things that you are hopefully already thinking about:

Forms

The data’s fine. I check it all in javascript!

It’s okay. I pass the metadata in an <input type="hidden"> where it can’t be seen

Okay, if you’re thinking this, put down the laptop now.

Talk to the person next to you. Read a couple of books.

NEVER. EVER. trust the browser.

Don’t even assume that your HTTP requests are coming from web browsers. We learned that the hard way 20 years ago,
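Here is an added example (my own code, not part of the talk) of what “never trust the browser” means on the server side. The catalogue, the two checkout handlers and the tampered request are hypothetical; the point is that a hidden price field and a JavaScript quantity check are both just text in an HTTP request that any script can rewrite, so the server must re-validate every field and keep the price in its own state.

```python
# Added example: trusting the browser versus re-validating on the server.
# PRICE_LIST, checkout_trusting_browser, checkout_hardened and TAMPERED
# are all constructed for this illustration.
from decimal import Decimal

# Constructed server-side catalogue: the only source of truth for prices.
PRICE_LIST = {"sku-1001": Decimal("49.00"), "sku-1002": Decimal("199.00")}


def checkout_trusting_browser(form):
    """Vulnerable: believes the <input type="hidden"> price and the
    quantity that JavaScript "already checked" in the browser."""
    qty = int(form["qty"])           # JS limited this to 1..10 ... in the browser
    price = Decimal(form["price"])   # came straight from the hidden field
    return price * qty


class BadRequest(ValueError):
    """Raised when a request fails server-side validation."""


def checkout_hardened(form):
    """Hardened: every field is re-validated here, and the price is
    looked up from server-side state instead of read from the request."""
    sku = form.get("sku")
    if sku not in PRICE_LIST:
        raise BadRequest("unknown sku")
    raw_qty = form.get("qty", "")
    if not raw_qty.isdigit():        # rejects "-3", "1e9", "1 OR 1", ""
        raise BadRequest("quantity must be a positive integer")
    qty = int(raw_qty)
    if not 1 <= qty <= 10:
        raise BadRequest("quantity out of range")
    return PRICE_LIST[sku] * qty


def is_rejected(form):
    """True when the hardened handler refuses the request."""
    try:
        checkout_hardened(form)
    except BadRequest:
        return True
    return False


# Constructed request as a script (not a browser) would send it: the
# "hidden" price has been rewritten and the quantity is negative.
TAMPERED = {"sku": "sku-1002", "qty": "-3", "price": "0.01"}
HONEST = {"sku": "sku-1001", "qty": "2"}

if __name__ == "__main__":
    print(checkout_trusting_browser(TAMPERED))   # negative total: a refund
    print(is_rejected(TAMPERED), checkout_hardened(HONEST))
```

The hardened handler does not even read the `price` key; anything the client is allowed to choose (the SKU, the quantity) is checked against rules the server owns, and anything it must not choose is never taken from the request at all.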

DoS attacks

Hahaha. Why do I have to care? Ping floods aren’t my problem

That SELECT you’re doing on your front page that takes half a second?

Try 10,000 connections a second. Try 100,000.

Don’t just think about your front page. Think about all your pages. Think about pages that process form submissions. Think about stuff that doesn’t cache well. Start thinking about what happens when someone is trying to bring down your site just by looking at it or posting data to it.
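To make that concrete, here is an added example (not from the talk) that simulates the two cases above: a front page backed by an expensive query, which a short-lived cache turns into one database hit per interval however many people are looking at it, and a form-processing page that cannot be cached, where a per-client token bucket is what keeps one flooding client from consuming the whole server. `ExpensiveDB`, `TTLCache`, `TokenBucket`, the fake clock and the client address are all constructed for the illustration.

```python
# Added example: a TTL cache for a cacheable page and a token-bucket
# limiter for an uncacheable one, driven by a deterministic fake clock.
import time
from collections import defaultdict


class ExpensiveDB:
    """Stand-in for the half-second SELECT on the front page."""
    def __init__(self):
        self.queries = 0

    def latest_posts(self):
        self.queries += 1
        return ["post-1", "post-2"]        # constructed result


class TTLCache:
    """Hold one result for ttl seconds so a flood hits the DB once per ttl."""
    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.value, self.expires = None, 0.0

    def get(self, compute):
        now = self.clock()
        if self.value is None or now >= self.expires:
            self.value, self.expires = compute(), now + self.ttl
        return self.value


class TokenBucket:
    """Per-client limiter: `burst` requests at once, then `rate` per second."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.state = defaultdict(lambda: [burst, self.clock()])  # tokens, last seen

    def allow(self, client):
        tokens, last = self.state[client]
        now = self.clock()
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.state[client] = [tokens - 1 if ok else tokens, now]
        return ok


class FakeClock:
    """Deterministic clock so the simulations are reproducible."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_front_page(requests, ttl=5.0, use_cache=True):
    """Serve `requests` front-page hits spread over one second.
    Returns (responses served, database queries actually run)."""
    clock, db = FakeClock(), ExpensiveDB()
    cache = TTLCache(ttl, clock)
    served = 0
    for _ in range(requests):
        cache.get(db.latest_posts) if use_cache else db.latest_posts()
        served += 1
        clock.advance(1.0 / requests)
    return served, db.queries


def simulate_posts(requests, rate=3.0, burst=10):
    """One client fires `requests` form POSTs in one second.
    Returns how many get past the limiter."""
    clock = FakeClock()
    bucket = TokenBucket(rate, burst, clock)
    allowed = 0
    for _ in range(requests):
        if bucket.allow("203.0.113.7"):   # constructed client address
            allowed += 1
        clock.advance(1.0 / requests)
    return allowed


if __name__ == "__main__":
    print(simulate_front_page(10_000, use_cache=False))  # every hit is a query
    print(simulate_front_page(10_000))                   # one query
    print(simulate_posts(100))                           # burst plus refill
```

The cache only helps pages whose output is the same for everyone; the limiter is what you reach for on the pages the talk says to worry about, the ones that process submissions and cannot be served from cache. In real deployments the bucket state lives somewhere shared (a cache server or the reverse proxy), not in one process’s memory.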

How about SQL injection attacks? No one’s going to bother, right?

Yes. Yes they are. They’ve automated it. They’re doing that stuff literally in their sleep. Then they’ve packaged it up and given it to a thousand of their friends that don’t even know what SQL is.

Check your data. Check it again. Get into the mindset that anything that comes from the outside world is malicious, and the malicious person is smarter than you are.
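As an added illustration (my code, not the talk’s), here is the classic login query built by string formatting beside the parameterised version, run against a constructed in-memory SQLite table. The table, the users and the payloads are all made up for the example, and the passwords are stored in plaintext only to keep it short; a real system stores a password hash and compares against that.

```python
# Added example: SQL injection against a string-built query, and the
# parameterised query that is immune to it.  Table and data are constructed.
import sqlite3


def make_db():
    """Constructed users table (plaintext passwords purely for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user, password):
    """Vulnerable: user input is spliced into the SQL text, so quotes in
    the input change the query's structure, not just its values."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (user, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, user, password):
    """Hardened: the driver sends values separately from the statement,
    so a quote in the input is only ever compared, never parsed."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row is not None


# Constructed attacker inputs.  The first turns the WHERE clause into
# "... AND password = '' OR '1'='1'", which is always true; the second
# comments out the password check entirely.
ALWAYS_TRUE = "' OR '1'='1"
COMMENT_OUT = "bob' --"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", ALWAYS_TRUE))        # True: logged in
    print(login_vulnerable(db, COMMENT_OUT, "wrong"))        # True: logged in as bob
    print(login_parameterised(db, "alice", ALWAYS_TRUE))     # False
    print(login_parameterised(db, COMMENT_OUT, "wrong"))     # False
    print(login_parameterised(db, "alice", "correct horse")) # True
```

Both payloads are exactly the kind of thing the automated tools the talk mentions try against every form field they find; parameterised queries shut them down without you having to anticipate each variant.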

Okay, just quickly some other things:

Never assume that no-one is sniffing your network

Never assume the system you’re running on hasn’t been broken into

Never assume that people using your site are rational. In the time it takes you to say “Why would they DO that?!”, they’re already doing it.

Always assume attackers are smarter than you are, have more resources, and much more experience than you do.

Be paranoid. Wear a tinfoil hat. Have fun.