Prepared and presented for the LD4 Wikidata Affinity Group, https://www.wikidata.org/wiki/Wikidata:WikiProject_LD4_Wikidata_Affinity_Group September 21, 2021
Prepared and presented for the LD4 Wikidata Affinity Group, https://www.wikidata.org/wiki/Wikidata:WikiProject_LD4_Wikidata_Affinity_Group September 21, 2021
The core Search frameworks in Liferay 7 have been significantly retooled to benefit not only from Liferay's new modular architecture, but also from one of the most innovative players in the market: Elasticsearch, which replaces Lucene as the default search engine in Portal. This session will cover topics like clustering and scalability, unveil improvements (both Elasticsearch and Solr) like aggregations, filters, geolocation, "more like this" and other new query types, and also hot new features for the Enterprise like out-of-the-box Marvel cluster monitoring and Shield security.
André "Arbo" Oliveira joined Liferay in early 2014 as a senior engineer and leads the Search Infrastructure team. He's been writing code for a living for 22 years, 14 of them as a Java developer and architect. Ever since discovering Elasticsearch, he's vowed never to write another SQL WHERE clause again.
I used these slides in the context of a cultural heritage presentation so the examples are relevant to that community. For example the choice of CIDOC CRM is obvious in that community.
Introduction to linked open data, RDF: the Resource Description Framework, Tools to convert data to RDF, Tools for linking/reconciliation/resolution, Storing and maintaining the data, BBC and Linked Data
Audio available: https://www.liferay.com/web/events-symposium-north-america/recap
Liferay makes it easy to integrate your application with powerful search engines. However, it may be hard to diagnose why your most important content isn't showing up the way you need it to. This session will recap the key concepts for indexing and querying with Liferay Search, and present a number of techniques to guarantee your documents will be found with best possible relevance.
André de Oliveira joined Liferay in early 2014 as a senior engineer and leads the Search Infrastructure team. He's been a Java developer and architect for the last 15 years. Ever since discovering Elasticsearch, he's vowed never to write another SQL WHERE clause again.
Mathematics & Computer Science Seminar
Emory University
October 2, 2009
Martin Klein & Michael L. Nelson
Department of Computer Science
Old Dominion University
Norfolk VA
Talk at the 2nd Summer Workshop of the Center for Semantic Web Research (January 16, 2016, Santiago, Chile) about the construction of Yahoo's Knowledge Graph and associated research challenges.
The core Search frameworks in Liferay 7 have been significantly retooled to benefit not only from Liferay's new modular architecture, but also from one of the most innovative players in the market: Elasticsearch, which replaces Lucene as the default search engine in Portal. This session will cover topics like clustering and scalability, unveil improvements (both Elasticsearch and Solr) like aggregations, filters, geolocation, "more like this" and other new query types, and also hot new features for the Enterprise like out-of-the-box Marvel cluster monitoring and Shield security.
André "Arbo" Oliveira joined Liferay in early 2014 as a senior engineer and leads the Search Infrastructure team. He's been writing code for a living for 22 years, 14 of them as a Java developer and architect. Ever since discovering Elasticsearch, he's vowed never to write another SQL WHERE clause again.
I used these slides in the context of a cultural heritage presentation so the examples are relevant to that community. For example the choice of CIDOC CRM is obvious in that community.
Introduction to linked open data, RDF: the Resource Description Framework, Tools to convert data to RDF, Tools for linking/reconciliation/resolution, Storing and maintaining the data, BBC and Linked Data
Audio available: https://www.liferay.com/web/events-symposium-north-america/recap
Liferay makes it easy to integrate your application with powerful search engines. However, it may be hard to diagnose why your most important content isn't showing up the way you need it to. This session will recap the key concepts for indexing and querying with Liferay Search, and present a number of techniques to guarantee your documents will be found with best possible relevance.
André de Oliveira joined Liferay in early 2014 as a senior engineer and leads the Search Infrastructure team. He's been a Java developer and architect for the last 15 years. Ever since discovering Elasticsearch, he's vowed never to write another SQL WHERE clause again.
Mathematics & Computer Science Seminar
Emory University
October 2, 2009
Martin Klein & Michael L. Nelson
Department of Computer Science
Old Dominion University
Norfolk VA
Talk at the 2nd Summer Workshop of the Center for Semantic Web Research (January 16, 2016, Santiago, Chile) about the construction of Yahoo's Knowledge Graph and associated research challenges.
How TCP/IP attacks can be applied in satellite communications. Interesting example on how to achieve anonymous Internet connection using DVB and some tricks. Presented in
A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.
How OSINT will play an important role in the future, helping to predict, prevent and react against incidents that threaten the Global security.
The presentation will delve into the tools and techniques that enable OSINT practitioners to measure the Global security signals conveyed by the Internet. Multiple facets of information dissemination, collection, analysis and interpretation will be examined, with a focus on the security dimension of the information.
Finding A Company's BreakPoint
The goal of this talk is to help educate those who are new or learning penetration testing and hacking techniques. We tend to see the same mindset applied when we speak to those new to pentesting “Scan something with Nessus to find the vulnerability, and then exploit it…Right?”. This is very far from reality when we talk about pentesting or even real world attacks. In this talk we will cover five (5) techniques that we find to be highly effective at establishing an initial foothold into the target network including: phishing, multicast protocol poisoning, SMBrelay attacks, account compromise and web application vulnerabilities.
Also watch this talk: https://www.youtube.com/watch?v=-G0v1y-Vaoo&t=1337s
Application and Website Security -- Fundamental EditionDaniel Owens
This is the first presentation in the 200 level, specifically targeting developers with a more hardcore training program. This program includes numerous case studies and live demonstrations and is considered technical, but does not require a working knowledge of the languages discussed.
Here you can find the slides that accompany my “SPA Secure Coding Guide”, this presentation go through a set of security best practices specially targeted towards developing Angular applications with ASP.Net Web Api backends.
It comes with a WebApi example project available on GitHub that provides several code examples of how to defend yourself. The example app is based on the famous "Tour of Heroes" Angular app used throughout the Angular documentation.
It first introduce general threat modelling before explaining the most current type of attacks Asp.Net Web API are vulnerable to .
It is designed to serve as a secure coding reference guide, to help development teams quickly understand Asp.Net Core secure coding practices.
A talk on top 10 Security Vulnerabilities based on OWASP Top Ten Project: https://www.owasp.org/index.php/OWASP_Top_Ten_Project. The presentation is available under Creative Commons Attribution-ShareAlike 2.5 Generic License: https://creativecommons.org/licenses/by-sa/2.5/.
Palestra ministrada no OWASP Floripa Day - Florianópolis - SC |
A palestra tem como objetivo mostrar os conceitos e funcionamento de algumas funcionalidades que foram adicionadas ao HTML5, levando em consideração os aspectos de segurança do client-side. Para as funcionalidades destacadas, foram criados cenários de ataques visando ilustrar a obtenção de informações sensíves armazenadas no browser ou até mesmo usar o browser da vítima para lançar ataques contra outros sistemas. Através da exploração das funcionalidades existentes no HTML5, técnicas de exploração como XSS e CSRF, tornam-se mais poderosas e eficientes, sendo possível em alguns casos contornar algumas restrições do Same Origin Policiy (SOP).
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
Many diligent security professionals take active steps to limit the amount of system specific information a publicly available system may yield to a remote user. These preventative measures may take the form of modifying service banners, firewalls, web site information, etc.
Software utilities such as NMap have given the security community an excellent resource to discover what type of Operating System and version is listening on a particular IP. This process is achieved by mapping subtle, yet, distinguishable nuances unique to each OS. But, this is normally where the fun ends, as NMap does not enable we user's to determine what version of services are listening. This is up to us to guess or to find out through other various exploits.
This is where we start our talk, fingerprinting Web Servers. These incredibly diverse and useful widespread services notoriously found listening on port 80 and 443 just waiting to be explored. Many web servers by default will readily give up the type and version of the web server via the "Server" HTTP response header. However, many administrators aware of this fact have become increasingly clever in recent months by removing or altering any and all traces of this telltale information.
These countermeasures lead us to the obvious question; could it STILL possible to determine a web servers platform and version even after all known methods of information leakage prevention have been exhausted (either by hack or configuration)?
The simple answer is "yes"; it is VERY possible to still identify the web server. But, the even more interesting question is; just how much specific information can we obtain remotely?
Are we able to determine?
* Supported HTTP Request Methods.
* Current Service Pack.
* Patch Levels.
* Configuarations.
* If an Apache Server suffers from a "chunked" vulnerability.
Is really possible to determine this specific information using a few simple HTTP requests? Again, the simple answer is yes, the possibility exists.
Proof of concept tools and command line examples will be demonstrated throughout the talk to illustrate these new ideas and techniques. Various countermeasures will also be explored to protect your IIS or Apache web server from various fingerprinting techniques.
Prerequisites:
General understanding of Web Server technology and HTTP.
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
apidays LIVE Australia 2021 - Accelerating Digital
September 15 & 16, 2021
Levelling up database security by thinking in APIs
Lindsay Holmwood, Chief Product Officer at Cipherstash
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
With new tools like Angular.js and Node.js, it is easier than ever to build User Interfaces and Single-Page Applications (SPAs) backed by APIs.
But how to do it securely? Web browsers are woefully insecure, and hand-rolled APIs are risky.
In this presentation, Robert Damphousse, lead front-end developer at Stormpath, covers web browser security issues, technical best practices and how you can mitigate potential risks. Enjoy!
Topics Covered:
1. Security Concerns for Modern Web Apps
2. Cookies, The Right Way
3. Session ID Problems
4. Token Authentication to the rescue!
5. Angular Examples
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
How world-class product teams are winning in the AI era by CEO and Founder, P...
2011 and still bruteforcing - OWASP Spain
1. 2010: and still bruteforcing
OWASP Webslayer
Christian Martorella
July 18th 2010
Barcelona
2. Who am I
Manager Auditoria
CISSP, CISA, CISM, OPST, OPSA,CEH
OWASP WebSlayer Project Leader
FIST Conference, Presidente
Edge-Security.com
3. Brute force attack
Is a method to determine an unknown value by
using an automated process to try a large
number of possible values.
4.
5.
6.
7. What can be bruteforced?
Credentials (HTML Forms and HTTP)
Session identifiers (session id’s)
Predictable resource location (directories and files)
Variable values
Cookies
WebServices methods (rest)
9. How?
Dictionary attack
Search attack (all possible combinations of a
character set and a given length)
Rule based search attack (use rules to generate
candidates)
10. Why 2010 and still bruteforcing?
In 2007 Gunter Ollmann proposed a series of
countermeasures to stop automated attack tools.
18. Workarounds
Diagonal scanning (different username/password
each round)
Horizontal scanning (different usernames for
common passwords)
Three dimension ( Horizontal,Vertical or Diagonal +
Distributing source IP)
Four dimensions ( Horizontal, Vertical or Diagonal +
time delay)
21. 2010...
Access Any Users Photo Albums
http://www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9c
aid=-3 (-3 for every public profile album)
id=0123456789
l=? (all we know is its 5 characters from the 0123456789abcdef range)
22. 2010...
•The 500 worst passwords list
•Alyssa banned passwords list
•Cain’s list of passwords
•Conficker’s list
•The English dictionary
•Faithwriters banned passwords list
•Hak5’s list
•Hotmail’s banned passwords list
•Myspace’s banned passwords list
•PHPbb’s compromised list
•RockYou’s compromised list
•Twitter’s banned passwords list
26. Tools
Automated scanning tools are designed to take full
advantage of the state-less nature of the HTTP
protocol and insecure development techniques.
28. Webslayer
The main objective is to provide to the security tester
a tool to perform highly customized brute force
attacks on web applications, and a useful results
analysis interface. It was designed thinking in the
professional tester.
30. Webslayer
Predictable credentials (HTML Forms and HTTP)
Predictable sessions identifier (cookies,hidden fields, url)
Predictable resource location (directories and files)
Variables values and ranges
Cookies
WebServices methods
Traversals, Injections, Overflows, etc
31. Webslayer
Encodings: 15 encodings supported
Authentication: supports Ntml and Basic (known or guess)
Multiple payloads: you can use 2 payloads in different parts
Proxy support (authentication supported)
Multithreads
Multiple filters for improving the performance and for producing cleaner
results
32. Webslayer
Predictable resource location: Recursion, common extensions, non standard
code detection, (Huge collection of dictionaries)
Advanced payload generation
Live filters
Session saving/restoring
Integrated browser (webKit)
Full page screenshot
33. Resource location prediction
Based on the idea of Dirb (Darkraver)
Custom dictionaries of know resources or common passwords
Servers: Tomcat,Websphere,Weblogic,Vignette,etc
Common words: common (950), big (3500), spanish
CGIs (vulnerabilities)
Webservices
Injections (SQL, XSS, XML,Traversals)
34.
35.
36.
37.
38. Payload Generation
Payload generator:
Usernames
Credit Card numbers
Permutations
Character blocks
Ranges
Files
Pattern creator and regular expression (encoders)
42. Advanced uses
Sweep an entire range with a common dictionary
HTTP://192.168.1.FUZZ/FUZ2Z
FUZZ: RANGE [1-254]
FUZ2Z: common.txt
43. Advanced uses
Scanning through proxies
me ----> Server w/proxy ---->LAN
wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ
-x set proxy
--hc is used to hide the XXX error code from the results, as machines w/o webserver
will fail the request.
44. Future features
Time delay between request
Multiple proxies (distribute attack)
Diagonal scanning (mix dictionaries)