[KGC2014] Catching Two Rabbits at Once: Designing a Mixed C++/C# Multi-Platform Game Architecture - Sungkyun Kim
Many developers already enjoy the advantages of C#. This presentation shows how C# can be integrated as a scripting language into native game code written in C/C++, so that high performance and high productivity are achieved at the same time. To this end, it explains in detail how to use Mono, the open-source .NET framework, and the special considerations that apply on mobile platforms.
It also presents an architecture for implementing games by efficiently mixing C/C++ with C# and various other scripting languages, and describes techniques that use clang and reflection to automate the exposure of interfaces between different languages and to manage the lifecycle of in-game objects automatically.
Functional Reactive Programming with RxJava from a Server Developer's Point of View - SpringCamp2015 - NAVER / MusicPlatform
YouTube: https://youtu.be/E_Bgv9upahI
Having realized that RxJava, which we had thought of merely as an asynchronous event-based library, carries a big message for programmers of this era, I would like to explain Functional Reactive Programming (FRP), the essence of RxJava as experienced first-hand in the field, through the Java we all know well; to share an understanding of the server environment needed for ReactiveX (RxJava) development; and to describe how we used and developed with RxJava in Spring Framework and Netty.
Same Origin Method Execution (BlackHat EU2014) - Ben Hayak
Exploiting A Callback For Same Origin Policy Bypass.
SOME - "Same Origin Method Execution" is a new technique that abuses callback endpoints in order to perform a limitless number of unintended actions on a website on behalf of users, by assembling a malicious set of timed frames and/or windows. Despite the similarity to click-jacking, this attack is not UI related, nor is it confined in terms of user interaction, browser brand, HTTP X-FRAME-OPTIONS/other response headers or a particular webpage; in fact, when a webpage is found vulnerable to "SOME", the entire domain becomes vulnerable. During this talk, I intend to demonstrate how JSONP opens a backdoor, even in the most protected domains, to a very powerful attack that can cause severe damage without any user interaction.
Threat Hunting for Command and Control Activity - Sqrrl
Sqrrl's Security Technologist Josh Liburdi provides an overview of how to detect C2 through a combination of automated detection and hunting.
Watch the presentation with audio here: http://info.sqrrl.com/threat-hunting-for-command-and-control-activity
Clean Code for AI Researchers - GDG DevFest Seoul 2019 - Kenneth Ceyer
For researchers who care about writing correct code: clean code is not a flashy decoration that eats up your time by implementing your code with complicated patterns. Have you ever wondered, while implementing a model and then testing it, whether the code is really correct? In this session we look at the code smells that frequently appear when writing research models and how to get rid of them. Let's become researchers who breathe life into their code and can implement any code without embarrassment!
This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that apply state-of-the-art XSS protection. This attack, labeled Mutation-XSS (mXSS), is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help in understanding what mXSS is, why mXSS is possible and why it is important for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research in this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.
Workshop 101: Designing Products in an Agile (and Fun) Way - Scrum Gathe... - Diana Corrêa, CSPO / CSM
Workshop options so that you, as Product Owner, Product Manager or Entrepreneur, can design your product in an agile and collaborative way, from business modeling to assembling the MVP and future releases.
This presentation is part of a 1h50min workshop held at Scrum Gathering Rio 2015.
How to Hunt for Lateral Movement on Your Network - Sqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
"CERT Secure Coding Standards" by Dr. Mark Sherman - Rinaldi Rampen
OWASP DC - November 2015 Talk
Abstract:
This presentation will start with an overview of CERT’s view of the tools, technologies and processes for building secure software from requirements to operational deployment, including architecture, design, coding and testing. After providing the context for building secure software, the discussion will focus on the current state of the CERT Coding Standards: what is available, how the rules evolve and how the rules are put into practice.
Bio:
Dr. Mark Sherman is the Technical Director of the Cyber Security Foundations group at CERT within CMU's Software Engineering Institute. His team focuses on foundational research on the life cycle for building secure software and on data-driven analysis of cyber security. Before coming to CERT, Dr. Sherman was at IBM and various startups, working on mobile systems, integrated hardware-software appliances, transaction processing, languages and compilers, virtualization, network protocols and databases. He has published over 50 papers on various topics in computer science.
(Demo code and video available at http://fsharpforfunandprofit.com/cap/)
We all want to produce modular and robust code that is easy to test and refactor, and we have design principles such as SOLID that help us do that.
In this talk I'll look at a very different approach to design using "capabilities" and the principle of least authority. I'll show how using these design techniques throughout your core domain (and not just at your API boundary) also leads to well-designed and modular code.
I'll demonstrate how to design and use a capability-based approach, how capabilities can be quickly combined and easily restricted, and how capabilities are a natural fit with a REST API that uses HATEOAS.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016 - Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas, and without even being present, using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason, and why Doctors without Borders are trying to hunt him down.
TABLETOP SCENARIO: Your organization regularly patches, uses application whitelisting, has NextGen-NG™ firewalls/IDS’s, and has the latest Cyber-APT-Trapping-Blinky-Box™. You were just made aware that your entire customer database was found being sold on the dark web. Go. Putting too much trust in security products alone can be the downfall of an organization. In the 2015 BSides Tampa talk “Pentest Apocalypse” Beau discussed 10 different pentesting techniques that allow attackers to easily compromise an organization. These techniques still work for many organizations but occasionally more advanced tactics and techniques are required. This talk will continue where “Pentest Apocalypse” left off and demonstrate a number of red team techniques that organizations need to be aware of in order to prevent a “Red Team Apocalypse” as described in the tabletop scenario above.
As attacker tactics, techniques and procedures evolve, so must the defenses and strategy used to defend against them. Traditional red teaming presents an opportunity to find gaps in security, but leaves more valuable information unabsorbed. Results and methodologies used in red team assessments can drive the protections put in place by blue teams and a larger program, and vice versa.
(Source: RSA USA 2016-San Francisco)
Who should attend? Anyone that works in security and wants to leverage their machine data to detect internal and advanced threats, monitor activities in real time, and improve their organization's security posture.
Description: Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real-world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts' capability to detect and quickly mitigate advanced attacks.
[2013 CodeEngn Conference 09] Park.Sam - Analysis of Unconventional Attack Techniques Used by Game Hacking Tools - GangSeok Lee
2013 CodeEngn Conference 09
As the security of game protection products has been strengthened, the attack techniques used by hacking tools have also diversified. Some hacking tools abuse the OS debugging mechanism or disguise themselves as system processes in order to gain access to the game; this talk examines several such unconventional techniques.
http://codeengn.com/conference/09
http://codeengn.com/conference/archive
IDA Vulnerabilities and Bug Bounty by Masaaki Chida - CODE BLUE
IDA Pro is advanced disassembler software that is often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail; if it had a vulnerability and a user were attacked, the impact could be not only social but could also affect legal proceedings. In this presentation I will discuss the vulnerabilities found, attacks leveraging those vulnerabilities, Hex-Rays's remediation process, and the dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
6. Browser Support
The major browsers currently supported are:
- Chrome: 42+ (required to use it together with Service Worker)
- Firefox: 22+
- Safari: 6+
- Opera: 25+
- Edge
Can I use Web Notifications: since not every feature has been implemented by every browser, check support before using it.