The document discusses Java serialization and its flaws. It begins by explaining common uses of serialization and how easy it is to implement. However, it notes that the built-in design has security issues, as serialization data can contain sensitive object details. It also explains that serialization is exploited in attacks and discusses how to mitigate risks from Java and alternative serialization formats.
Troubleshooting tips and tricks for Oracle Database Oct 2020 - Sandesh Rao
This talk presents 15 different tips and tricks using tools to better troubleshoot and debug problems with Database, Oracle RAC and Oracle Clusterware, ASM and how to get the right pieces of data with the fewest commands, which today most people run manually. This session will cover tools from the Oracle Autonomous Health Framework (AHF) like Trace File Analyzer (TFA) to collect, organize and analyze log data, Exachk and orachk to perform mass best practices analysis and automation, Cluster Health Advisor to debug node evictions and calibrate the framework, OSWatcher and its analysis engine, oratop for pinpointing performance issues and many others to make one feel like a rockstar DBA.
Troubleshooting Tips and Tricks for Database 19c ILOUG Feb 2020 - Sandesh Rao
This session will focus on 19 troubleshooting tips and tricks for DBAs covering tools from the Oracle Autonomous Health Framework (AHF) like Trace File Analyzer (TFA) to collect, organize and analyze log data, Exachk and orachk to perform mass best practices analysis and automation, Cluster Health Advisor to debug node evictions and calibrate the framework, OSWatcher and its analysis engine, oratop for pinpointing performance issues and many others to make one feel like a rockstar DBA.
Troubleshooting Tips and Tricks for Database 19c - Sangam 2019 - Sandesh Rao
DBAs always have a bunch of scripts to do their daily tasks. How to find that stuck session, how to find who is consuming the most resources, how do I take a stack of multiple processes? This session will focus on troubleshooting tips and tricks for DBAs covering tools from the Oracle Autonomous Health Framework (AHF) like Trace File Analyzer (TFA) to collect, organize and analyze log data, Exachk and orachk to perform mass best practices analysis and automation, Cluster Health Advisor to debug node evictions and calibrate the framework, OSWatcher and its analysis engine, Oratop for pinpointing performance issues and many other native Database features like short stacks, system state summaries, and quickly spotting hangs across RAC clusters, among others, to make your jobs a lot more efficient and make you look good to your bosses!
"With over a billion active devices and in-depth security protections spanning every layer from silicon to software, Apple works to advance the state of the art in mobile security with every release of iOS. We will discuss three iOS security mechanisms in unprecedented technical detail, offering the first public discussion of one of them new to iOS 10.
HomeKit, Auto Unlock and iCloud Keychain are three Apple technologies that handle exceptionally sensitive user data – controlling devices (including locks) in the user's home, the ability to unlock a user's Mac from an Apple Watch, and the user's passwords and credit card information, respectively. We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss.
Data Protection is the cryptographic system protecting user data on all iOS devices. We will discuss the Secure Enclave Processor present in iPhone 5S and later devices and explain how it enabled a new approach to Data Protection key derivation and brute force rate limiting within a small TCB, making no intermediate or derived keys available to the normal Application Processor.
Traditional browser-based vulnerabilities are becoming harder to exploit due to increasingly sophisticated mitigation techniques. We will discuss a unique JIT hardening mechanism in iOS 10 that makes the iOS Safari JIT a more difficult target."
(Source: Black Hat USA 2016, Las Vegas)
CONFidence 2014: Vlatko Kosturjak: Exploring treasures of 77FEh - PROIDEA
If vendors need to expose a serial interface to the “modern” IP world, they often use a ready-made solution like Lantronix. You can find different vendors using these devices as part of different embedded systems – from alarms to legacy SCADA systems. If you find such devices on the Internet or LAN, the most important part is to check if 77FEh is enabled. We will cover already known stuff with 77FEh, but also new interesting findings in owning such devices.
A new tool to exploit all of this will be presented, as well as counter-measures.
Behavioral modeling of sequential logic modules: Latches, Flip Flops, counters and shift registers applications
Synchronous Sequential Circuits: Analysis and synthesis of synchronous sequential circuits: Mealy and Moore FSM models for completely and incompletely specified circuits; State Minimization and the Partitioning Minimization Procedure; a sequence detector with Verilog HDL modeling; design of a Modulo-8 Counter using the Sequential Circuit Approach and its Verilog implementation; One-Hot Encoding.
Enumerating cycles in bipartite graph using matrix approach - Usatyuk Vasiliy
Describes a method to enumerate shortest cycles in a bipartite graph. Considers an example and provides an implementation of this method (https://yadi.sk/d/nMza892Y3PVR3U). Shows a way to improve it for structured graphs.
Getting started with LLVM using Swift / Алексей Денисов (Blacklane) - Ontico
Some time ago Apple published the source code of the Swift language. Since then LLVM has gained even wider popularity among mobile developers. Nevertheless, not everyone understands the role of LLVM in the compilation process, and not everyone realises the power of this framework.
The goal of my talk is to explain how to use LLVM together with the Swift language and to show that it is not "rocket science".
In my talk I will cover:
- what LLVM is and what its role is in the compilation process.
- what happens to a program on the way from source code to machine code
- what practical applications LLVM has in the context of application development
- how you can start using LLVM painlessly today
In conclusion I will provide a list of theoretical and practical materials for further study.
Key Takeaways for Java Developers from the State of the Software Supply Chain... - Steve Poole
Maven Central hits 1 Trillion downloads, Cyber bad guys make $6 Trillion, Governments respond and of course AI. What happened this year and what does it mean for 2024? A look at what Sonatype discovered in preparing the 9th State of the Software Supply Chain Report and what it could mean for developers in the future.
2024 is going to be difficult for all of us: find out how, why and just what you need to do next!
THRIVING IN THE GEN AI ERA: NAVIGATING CHANGE IN TECH - Steve Poole
For all in IT—Developer, QA, DevOps, or SecOps—the future is driven by two game-changers: the ascent of Generative AI and heightened governmental scrutiny of software. Similar to the industrial revolution’s upheaval, their influence will revolutionise and reinvent the technology we use and our relationship with it. We’ll unpack how these factors redefine our tech practices today and tomorrow. Prepare for role evolution, new opportunities, and shifts, including the evolving dynamic with open source. Join this deep dive to discern the real ramifications.
Similar to A Modern Fairy Tale: Java Serialization
Maven Central++ What's happening at the core of the Java supply chain - Steve Poole
In the Java world Maven Central is the most important single service. You can get Java SDKs and even container images from various vendors but Java code comes from only one place: Maven Central.
Serving over 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Times are changing and so is Maven Central.
As cyberattacks grow the defences at Maven Central have grown too and now we're on the offence. Learn how Maven Central is working with the Linux Foundation and others to add features and services that will keep the Java community safer, more informed and better prepared.
GIDS-2023 A New Hope for 2023? What Developers Must Learn Next - Steve Poole
Over the last ten years we’ve seen cybercrime accelerate beyond all comprehension. We’ve seen the growing and relentless impact it has on our society and our economies. It’s taken a long time for the world to act but finally we’re coming together to resist this uniquely 21st century evil.
At the heart of the resistance are developers. Whatever role you have, whatever programming language or software you use - the battle is at your door.
In this session we’ll brief you on the state of the situation and what you can do to be more prepared. We’ll look at the bad guys and how they operate, we’ll examine recent legal and government responses and, most importantly, how the software industry is working together to create the tools, frameworks and education needed to help us all become the developers we need to be.
A new hope for 2023? What developers must learn next - Steve Poole
Over the last ten years, we’ve seen cybercrime accelerate beyond all comprehension and the growing and relentless impact it has on our society and economies. It’s taken a long time for the world to act, but finally, we’re coming together to resist this uniquely 21st-century evil.
At the heart of the resistance are developers. Whatever role you have, whatever programming language or software you use - the battle is at your door.
In this session, we’ll brief you on the state of the situation and what you can do to be more prepared: we’ll look at the bad guys and how they operate, examine recent legal and government responses and, most importantly, how the software industry is working together to create the tools, frameworks and education needed to help us all become the developers we need to be.
Three-card Monte, Find the Lady - the game goes by many names but at its core is a simple scam. You think you're in control but you're not: it's a game you can't win, and if you do it's only temporary to give you false confidence.
Software delivery is rapidly becoming a shell game: bad actors trying to force you to use compromised components, bad actors trying to take over your build processes and insert malware. Bad actors subverting your processes while giving you false confidence that everything is ok.
This session introduces you to an active defence you can start to use now.
In this talk we’ll explain how the SBOM or Software Bill of Materials is emerging as the base for new tools and new thinking about producing software.
We’ll explain what an SBOM is, how it provides significant protection against software delivery attacks and what tools exist today for you to use.
We’ll walk through from source code to deployment and examine where the bad guys can get in and what SBOM related defences exist.
Learning how the shell game is played reduces the risk. Avoiding the game altogether is the wiser choice. SBOMs may just be the way to do that.
Superman or Ironman - can everyone be a 10x developer? - Steve Poole
It’s all about productivity or maybe it’s all about delivering value. Or creating secure applications, dealing with changing directions.
Whatever it is we often feel that we’re lacking - that it’s hard enough to be any sort of developer. That even 1x is often a challenge.
In this talk we’re going to examine how to think more clearly about being a Java developer, help you understand the tools and approaches that can offer practical insight into how you work now as well as providing guidance on alternatives that just might give you the powered armour you need.
A mix of tools, proven processes, new techniques and lessons learnt the hard way make up a session designed to help you understand that being a 10x developer isn’t about having super powers - it’s about using the powers you already have in wiser, more considered ways.
It’s just there. Just like the stars, just like electricity, just like Java.
In the Java world Maven Central is the most important single service. You can get Java SDKs and even container images from various vendors but Java code comes from only one place: Maven Central.
Serving over 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Recently though we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware and even in the Java world there are significant vulnerabilities that some have called to be removed.
This talk is intended to give you the background of Maven Central and what the philosophy is for dealing with problematic content.
We’ll also explore how the service works under the covers, the APIs you might not be aware of and what’s coming up next.
Maven Central is not going away - but it might just get more exciting!
It’s just there. Just like the stars, just like electricity, just like Java.
In the Java world Maven Central is the most important single service. You can get Java SDKs and even container images from various vendors but Java code comes from only one place: Maven Central.
Serving over 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Recently though we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware and even in the Java world there are significant vulnerabilities that some have called to be removed.
This talk is intended to give you the background of Maven Central, explain why Sonatype (who are the stewards of Maven Central) provide such a critical service and what our philosophy is for dealing with problematic content.
We’ll also explore how the service works under the covers, the APIs you might not be aware of and what’s coming up next.
Maven Central is not going away - but it might just get more exciting!
Devoxx France 2022: Game Over or Game Changing? Why Software Development May ... - Steve Poole
A small but vital step on a long road was made last year. The President of the USA signed an executive order towards improving the situation on cybersecurity. In this session you’ll learn more about what was ordered and how it’s the beginning of a significant change in how software will be developed, delivered and secured in the future – not just in the USA but worldwide too. The need to have a vastly improved software supply chain to counter the challenges of cyber attacks is well understood and many tools already exist. Learn more about the tooling landscape, what’s on the horizon and how presidential orders, the software industry and application development are coming together to take even bigger steps towards safeguarding the future.
Log4Shell - Armageddon or Opportunity.pptx - Steve Poole
It’s said that everyone remembers where they were when a momentous event occurs. Where were you on the 10 December 2021, or did the most comprehensively dangerous Java vulnerability pass you by?
Don’t be fooled into thinking it’s all over. Even by mid-year the number of vulnerable servers will still be high because organisations still fail to assess their vulnerability state correctly.
In this session I’ll cover, in detail, the actual mechanics of the vulnerability and demo a simple attack. I’ll take you through why this vulnerability can be as bad as it gets and explain what the options are to protect your application and how to assess if you’re still at risk.
It’s not all bad news. The Log4Shell wake-up call shows us that we’re not paying the right sort of attention to security across the board, but we can learn to do better. I’ll end the talk by explaining why security really matters, what developers can do to improve their understanding of security principles in general and cover some of the practical next steps that are available.
Log4Shell is changing our world - let’s make sure it’s for the right reasons. Opportunity is knocking on your door.
Want to make some money? A little bitcoin on the side? In this session we’ll take you through a few of the ways that Ransomware works. Probably one of the fastest growing forms of cybercrime - we’ll explore the motivations (it’s not all about money), how a typical attack occurs, how your actions and inactions help make the problem worse and generally educate you on the ransomware-as-a-service business that could easily be coming to a server near you. Take the time to see how your CI/CD pipelines can be vulnerable and what you can do to make your application safer and your data more secure.
Some say ransomware is simply a cost of doing business - whether that's true or not, ransomware is not going away any time soon. This talk will help you get up to speed and started on your journey of improving your defences.
Game Over or Game Changing? Why Software Development May Never be the same again - Steve Poole
A small but vital step on a long road was made this year. The President of the USA signed an executive order towards improving the situation on cybersecurity. In this session you’ll learn more about what was ordered and how it’s the beginning of a significant change in how software will be developed, delivered and secured in the future – not just in the USA but worldwide too. The need to have a vastly improved software supply chain to counter the challenges of cyber attacks is well understood and many tools already exist. Learn more about the tooling landscape, what’s on the horizon and how presidential orders, the software industry and application development are coming together to take even bigger steps towards safeguarding the future.
Agile Islands 2020 - Dashboards and Culture - Steve Poole
This talk examines how what you share will define you. The act of monitoring and dashboarding can have a profound effect, good or bad, on the attitudes and culture of the teams involved. With supporting case studies this session will show you how to help make any team more effective.
Agile Tour London 2018: DASHBOARDS AND CULTURE – HOW OPENNESS CHANGES YOUR BE... - Steve Poole
Much of the adoption of Agile and DevOps tools and processes focuses on the benefits of delivering high quality code on an industrial scale. Although we all recognise that good visual representations of progress and status are critical, it may not be obvious that the act of visualisation can have a profound effect on the attitudes and culture of the teams involved. The right sort of data and appropriate dash-boarding can improve the morale and effectiveness of all the teams involved. The wrong sort can have the opposite effect.
This talk examines how what you share will define you. Through real examples and a live demo, the speaker will show you how to design status and trend displays that will make your teams more effective without overloading them. The talk will also include case studies with various types of teams to highlight how you can apply this thinking to help make any group more effective.
Beyond the Pi: What’s Next for the Hacker in All of Us? - Steve Poole
Being a geek can be a tough life. Once you’ve got those LEDs blinking or that robot car moving around, the fun can be over. So what else is there to play with? What other exciting ideas are out there? For the geek at heart, this session showcases some of the new and newish tech that’s available for you to play with.
From AR to VR, from mind control to autonomous drones, we have a lot of everything, and some of it will even be on display. Whether it’s tech you can wear or tech that swims, we’ve got the insight. Bring your mind, and let us refuel your imagination.
Drooling optional.
SkillsMatter June 2018: Java in the 21st Century: Are You Thinking Far Enough... - Steve Poole
Slides for https://skillsmatter.com/meetups/10901-java-in-the-21st-century-are-you-thinking-far-enough-ahead .
Java 9 arrives, JEE goes to Eclipse, IBM open sources Liberty & J9. Much is happening but so much more is to come. See how new hardware & software are powering Java to a life far removed from that originally envisioned.
It is all change in the Java arena. Java 9 ships with the long awaited modularity support. Oracle contributes Java EE to the Eclipse Foundation and, to top it all, IBM announces both Open Liberty (based on its flagship application server) and OpenJ9, its enterprise-proven Java Virtual Machine. In this talk you’ll certainly learn about these exciting changes that are happening to the Java ecosystem, but you’ll also learn much more about the real future of Java. See how new hardware technologies, new software approaches and new ideas are powering Java towards a life far removed from that envisioned at its inception. It’s time to look up and see how you will need to change how you think: whether it’s driven by AI or Quantum Computers, the problems of tomorrow demand new approaches and new thinking. Are you ready?
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart... - Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis operations to the large ESGF data archives, transferring only the resultant analysis (e.g. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Globus Connect Server Deep Dive - GlobusWorld 2024 - Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Quarkus Hidden and Forbidden Extensions - Max Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ... - Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc., and I didn't get rich from it, but it did have 63K downloads (powering possibly tens of thousands of websites).
Introducing Crescat - Event Management Software for Venues, Festivals and Eve... - Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Mind IT Systems
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. It’s here, custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
In the ever-evolving landscape of technology, enterprise software development is undergoing a significant transformation. Traditional coding methods are being challenged by innovative no-code solutions, which promise to streamline and democratize the software development process.
This shift is particularly impactful for enterprises, which require robust, scalable, and efficient software to manage their operations. In this article, we will explore the various facets of enterprise software development with no-code solutions, examining their benefits, challenges, and the future potential they hold.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
Understanding Nidhi Software Pricing: A Quick Guide 🌟
Choosing the right software is vital for Nidhi companies to streamline operations. Our latest presentation covers Nidhi software pricing, key factors, costs, and negotiation tips.
📊 What You’ll Learn:
Key factors influencing Nidhi software price
Understanding the true cost beyond the initial price
Tips for negotiating the best deal
Affordable and customizable pricing options with Vector Nidhi Software
🔗 Learn more at: www.vectornidhisoftware.com/software-for-nidhi-company/
#NidhiSoftwarePrice #NidhiSoftware #VectorNidhi
2. Steve Poole
Developer Advocate, IBM
JVM Developer
Open Source Advocate
DevOps Practitioner (whatever that means!)
Driving Change
3. A Modern Fairy Tale: Java Serialization
• Why we still need serialization and where we use it.
• How the built-in design is flawed.
• How it is being exploited and used against us.
• How to work against the dark arts rallied against us.
• How even the alternative forms of Java serialization can still be open to attack.
8. Java Serialization is easy to use
implements java.io.Serializable
You just have to opt in….
9. Java Serialization is easy to use
FileOutputStream fos = new FileOutputStream(output);
ObjectOutputStream oos = new ObjectOutputStream(fos);
oos.writeObject(m);
FileInputStream fis = new FileInputStream(input);
ObjectInputStream ois = new ObjectInputStream(fis);
Thing t = (Thing) ois.readObject();
Then it’s easy to save and restore objects
10. If you don’t opt-in
java.io.NotSerializableException:
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
11. Java Serialization is a useful and relatively easy to use technology
There might just be some side effects
12. Example
OC1 example = new OC1();
oos.writeObject(example);
public class OC1 implements Serializable {
private String hello="hello";
}
0000000 ac ed 00 05 73 72 00 15 6f 63 31 2e 73 65 72 69 | ....sr..oc1.seri
0000010 61 6c 69 73 61 74 69 6f 6e 2e 4f 43 31 ab 5a a9 | alisation.OC1.Z.
0000020 59 37 9f 03 ef 02 00 01 4c 00 05 68 65 6c 6c 6f | Y7......L..hello
0000030 74 00 12 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 | t..Ljava/lang/St
0000040 72 69 6e 67 3b 78 70 74 00 05 68 65 6c 6c 6f | ring;xpt..hello
13-21. public class OC1 implements Serializable {
private String hello="hello";
}
0000000 ac ed 00 05 73 72 00 15 6f 63 31 2e 73 65 72 69 | ....sr..oc1.seri
0000010 61 6c 69 73 61 74 69 6f 6e 2e 4f 43 31 ab 5a a9 | alisation.OC1.Z.
0000020 59 37 9f 03 ef 02 00 01 4c 00 05 68 65 6c 6c 6f | Y7......L..hello
0000030 74 00 12 4c 6a 61 76 61 2f 6c 61 6e 67 2f 53 74 | t..Ljava/lang/St
0000040 72 69 6e 67 3b 78 70 74 00 05 68 65 6c 6c 6f | ring;xpt..hello
<STREAM_MAGIC><STREAM_VERSION><TC_OBJECT><TC_CLASSDESC>
<UTF8-ClassName><serial-version-id><flags><field count><field type(Object)>
26-28. Element Value
STREAM_MAGIC 0xaced
STREAM_VERSION 0x0005
TC_OBJECT 0x73
TC_CLASSDESC 0x72
UTF8-ClassName oc1.serialisation.OC1
serial-version-id 0xab5aa959379f03ef
flags 0x02 (SC_SERIALIZABLE)
field count 0x0001
field type ‘L’
UTF8-FieldName ‘hello’
Class Name ‘Ljava/lang/String;’ (written as a TC_STRING, 0x74)
TC_ENDBLOCKDATA, TC_NULL 0x78 0x70 (end of the class descriptor; no serializable superclass)
TC_STRING 0x74
UTF8-String value ‘hello’
The serial-version-id is a check that you’re talking about the same class.
The actual contents of the instance are self-defining: the field names, types and values all come from the stream.
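The walkthrough above reads the stream by eye. As an added example, not the deck's code, here is a small Java walker that parses the same bytes (copied row by row from the hexdump) and labels each element as it goes. It handles the subset of the grammar the slides use: objects, class descriptors, strings, arrays, back references and nulls, and deliberately refuses proxies, Externalizable and custom writeObject data. It needs Java 11 or later.

```java
import java.io.*;
import java.util.*;

// Added example, not the deck's code: walks a Java serialization stream and labels each element.
public final class StreamWalker {
    static final int STREAM_MAGIC = 0xaced, STREAM_VERSION = 5, BASE_WIRE_HANDLE = 0x7e0000;
    static final int TC_NULL = 0x70, TC_REFERENCE = 0x71, TC_CLASSDESC = 0x72, TC_OBJECT = 0x73,
                     TC_STRING = 0x74, TC_ARRAY = 0x75, TC_ENDBLOCKDATA = 0x78, SC_WRITE_METHOD = 0x01;

    // The OC1 stream from the slides, copied row by row from the hexdump.
    static final byte[] OC1_STREAM = hex(
          "aced0005737200156f63312e73657269"
        + "616c69736174696f6e2e4f4331ab5aa9"
        + "59379f03ef0200014c000568656c6c6f"
        + "7400124c6a6176612f6c616e672f5374"
        + "72696e673b787074000568656c6c6f");

    static final class ClassDesc {
        String name; long suid; int flags; ClassDesc superDesc;
        final List<String[]> fields = new ArrayList<>();   // {typeCode, fieldName}
    }

    private final DataInputStream in;
    private final List<Object> handles = new ArrayList<>();  // wire handles, in assignment order
    private final StringBuilder out = new StringBuilder();

    StreamWalker(byte[] stream) { in = new DataInputStream(new ByteArrayInputStream(stream)); }

    /** Parses the whole stream and returns the labelled listing. */
    String walk() throws IOException {
        int magic = in.readUnsignedShort(), version = in.readUnsignedShort();
        if (magic != STREAM_MAGIC || version != STREAM_VERSION)
            throw new StreamCorruptedException(String.format("bad header %04x %04x", magic, version));
        line(0, "STREAM_MAGIC 0x%04x  STREAM_VERSION 0x%04x", magic, version);
        while (in.available() > 0) readContent(0);
        return out.toString();
    }

    private Object readContent(int depth) throws IOException {
        int tc = in.readUnsignedByte();
        switch (tc) {
            case TC_NULL: line(depth, "TC_NULL"); return null;
            case TC_REFERENCE: { int h = in.readInt() - BASE_WIRE_HANDLE; line(depth, "TC_REFERENCE -> handle %d", h); return handles.get(h); }
            case TC_STRING: { String s = in.readUTF(); handles.add(s); line(depth, "TC_STRING \"%s\"", s); return s; }
            case TC_CLASSDESC: return readClassDesc(depth);
            case TC_OBJECT: {
                line(depth, "TC_OBJECT");
                ClassDesc desc = (ClassDesc) readContent(depth + 1);
                Map<String, Object> obj = new LinkedHashMap<>();
                handles.add(obj);                              // newHandle precedes the field values
                readFieldValues(desc, obj, depth + 1);
                return obj;
            }
            case TC_ARRAY: {
                line(depth, "TC_ARRAY");
                ClassDesc desc = (ClassDesc) readContent(depth + 1);
                int len = in.readInt();
                line(depth + 1, "length %d  (ObjectInputStream allocates this before reading any element)", len);
                Object[] arr = new Object[len];
                handles.add(arr);
                for (int i = 0; i < len; i++) arr[i] = readValue(desc.name.charAt(1), depth + 1);
                return arr;
            }
            default: throw new StreamCorruptedException(String.format("unhandled type code 0x%02x", tc));
        }
    }

    private ClassDesc readClassDesc(int depth) throws IOException {
        ClassDesc d = new ClassDesc();
        d.name = in.readUTF(); d.suid = in.readLong();
        handles.add(d);                                        // handle assigned before classDescInfo
        d.flags = in.readUnsignedByte();
        int count = in.readUnsignedShort();
        line(depth, "TC_CLASSDESC %s  serialVersionUID 0x%016x  flags 0x%02x  fields %d", d.name, d.suid, d.flags, count);
        if ((d.flags & SC_WRITE_METHOD) != 0) throw new StreamCorruptedException("custom writeObject data not handled here");
        for (int i = 0; i < count; i++) {
            char type = (char) in.readUnsignedByte();
            String fname = in.readUTF();
            line(depth + 1, "field '%c' %s", type, fname);
            if (type == 'L' || type == '[') readContent(depth + 2);   // the field's type descriptor string
            d.fields.add(new String[] { String.valueOf(type), fname });
        }
        if (in.readUnsignedByte() != TC_ENDBLOCKDATA) throw new StreamCorruptedException("expected TC_ENDBLOCKDATA");
        line(depth + 1, "TC_ENDBLOCKDATA");
        d.superDesc = (ClassDesc) readContent(depth + 1);    // TC_NULL when there is no serializable superclass
        return d;
    }

    private void readFieldValues(ClassDesc d, Map<String, Object> obj, int depth) throws IOException {
        if (d.superDesc != null) readFieldValues(d.superDesc, obj, depth);   // superclass data comes first
        for (String[] f : d.fields) {
            line(depth, "value of %s.%s", d.name, f[1]);
            obj.put(f[1], readValue(f[0].charAt(0), depth + 1));
        }
    }

    private Object readValue(char type, int depth) throws IOException {
        Object v;
        switch (type) {
            case 'B': v = in.readByte(); break;    case 'C': v = in.readChar(); break;
            case 'D': v = in.readDouble(); break;  case 'F': v = in.readFloat(); break;
            case 'I': v = in.readInt(); break;     case 'J': v = in.readLong(); break;
            case 'S': v = in.readShort(); break;   case 'Z': v = in.readBoolean(); break;
            case 'L': case '[': return readContent(depth);
            default: throw new StreamCorruptedException("unknown type code " + type);
        }
        line(depth, "%c %s", type, v);
        return v;
    }

    private void line(int depth, String fmt, Object... args) {
        out.append("  ".repeat(depth)).append(String.format(fmt, args)).append('\n');
    }

    static byte[] hex(String s) {
        byte[] b = new byte[s.length() / 2];
        for (int i = 0; i < b.length; i++) b[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return b;
    }

    public static void main(String[] args) throws IOException {
        System.out.print(new StreamWalker(OC1_STREAM).walk());
    }
}
```

Running it prints the class name, serialVersionUID, flags and the field list before a single field value is read. That ordering is the point of the slides that follow: every one of those values arrives from the sender, and the real ObjectInputStream acts on them (loads the class, allocates the array) before the receiving application has any say.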
30. Element Value
STREAM_MAGIC 0xaced
STREAM_VERSION 0x0005
TC_OBJECT 0x73
TC_CLASSDESC 0x72
UTF8-ClassName oc1.serialisation.OC1
serial-version-id 0xab5aa959379f03ef
flags 0x02
field count 0x0001
field type ‘I’
UTF8-FieldName ‘hello’
Class Name ‘java.lang.Number’
TC_ENDBLOCKDATA, TC_NULL 0x78 0x70
Integer value 0x0001
What happens if I do this? (This one is caught: ObjectInputStream compares the stream’s field types with the local class and throws InvalidClassException for an incompatible type.)
32. Are we safe from changes to the serialization stream then?
33. public class OC1 {
private String hello="hello";
}
Element Value
field name hello
field type L
class name java.lang.String
value hello
public class OC1 {
private Object hello="hello";
}
Element Value
field name hello
field type L
class name java.lang.Object
value hello
34. public class OC1 {
private Object hello="hello";
}
Once the field is declared as Object, any of these streams passes the type check:
Element Value
field name hello
field type L
class name java.lang.Object
value hello
Element Value
field name hello
field type [
class name int[] (“[I” in the stream)
value 1,2,3,4
Element Value
field name hello
field type L
class name java.util.HashMap
value A=1,B=2
Element Value
field name hello
field type L
class name Any class name
value Any value
36. public class Foo {
static {
System.out.println("static initializer called");
}
public Foo() {
System.out.println("object constructor called");
}
}
What happens when we run “new Foo()”?
37. static initializer called
object constructor called
38. Element Value
field type ‘L’
UTF8-FieldName ‘hello’
Class Name ‘org.random.Foo’
What happens if we do this in our serialized form?
public class OC1 {
private String hello="hello";
}
39. public class Foo implements Serializable {
static {
System.out.println("static initializer called");   // A
}
public Foo() {
System.out.println("object constructor called");   // B
}
}
What gets called: A (the static initializer), B (the constructor), both or neither?
40. What gets called: A, B, both or neither?
output:
static initializer called
exception:
Exception in thread "main" java.lang.ClassCastException: cannot assign instance of org.random.Foo to field oc1.serialisation.OC1.hello of type java.lang.String in instance of oc1.serialisation.OC1
Only A. The class named in the stream is loaded and an instance is created (which triggers the static initializer) before the field assignment fails.
41. Java Deserialization can be used to execute code
even if it eventually fails
That’s still useful to the bad guys.
42. We’ve just learnt that constructors do not get called during deserialization
public class Foo implements Serializable {
    private int data[];
    public Foo() {
        data = new int[] {1, 2, 3, 4};
    }
    public int size() {
        return data.length;
    }
}
What happens here?
43. Element Value
STREAM_MAGIC 0xaced
STREAM_VERSION 0x0005
TC_OBJECT 0x73
TC_CLASSDESC 0x72
UTF8-ClassName oc1.serialisation.OC1
serial-version-id 0xab5aa959379f03ef
flags 0x02
field count 0x0001
field type ‘[’
UTF8-FieldName ‘data’
Element Type I
Element Count 0x04
Values 1,2,3,4
Valid stream
44. We’ve just learnt that constructors do not get called during deserialization
public class Foo implements Serializable {
    private int data[];
    public Foo() {
        data = new int[] {1, 2, 3, 4};
    }
    public int size() {
        return data.length;
    }
}
The answer is 4?
45. What happens if I do this?
Element Value
STREAM_MAGIC 0xaced
STREAM_VERSION 0x0005
TC_OBJECT 0x73
TC_CLASSDESC 0x72
UTF8-ClassName oc1.serialisation.OC1
serial-version-id 0xab5aa959379f03ef
flags 0x02
field type ‘[’
UTF8-FieldName ‘data’
value TC_NULL (0x70): no array follows
46. We’ve just learnt that constructors do not get called during deserialization
public class Foo implements Serializable {
    private int data[];
    public Foo() {
        data = new int[] {1, 2, 3, 4};   // code here never gets called
    }
    public int size() {
        return data.length;
    }
}
47. So NPE!
48. And it’s not just “implements Serializable” instances that are at risk
50. “new SubClass()”:
in Parent class init
in SubClass class init
in Parent constructor
in SubClass constructor
Deserialise SubClass:
in Parent class init
in SubClass class init
in Parent constructor
Parent is not Serializable, so deserialization runs its no-arg constructor; SubClass’s constructor is skipped.
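Slides 42 to 50 as one runnable program. This is an added example, not the deck's code: Parent is a non-serializable superclass, Foo is the serializable subclass with the int[] field, and the hostile stream with a null field is produced by nulling the field reflectively before serializing (a stand-in for hand-crafting the bytes; the receiver cannot tell the difference). The class names are assumptions for the example.

```java
import java.io.*;
import java.lang.reflect.Field;

// Added example, not the deck's code: what runs on "new" versus on deserialization.
public final class CtorDemo {
    // Not Serializable. The first non-serializable superclass must have a no-arg constructor
    // reachable from the subclass, and deserialization DOES call it.
    static class Parent {
        static { System.out.println("in Parent class init"); }
        Parent() { System.out.println("in Parent constructor"); }
    }

    static class Foo extends Parent implements Serializable {
        private static final long serialVersionUID = 1L;
        static { System.out.println("in Foo class init"); }
        private int[] data;
        Foo() { System.out.println("in Foo constructor"); data = new int[] {1, 2, 3, 4}; }
        int size() { return data.length; }   // NPE if the stream delivered data == null
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Foo deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Foo) ois.readObject();
        }
    }

    // Stand-in for a hand-crafted stream that writes TC_NULL where the array would be:
    // the same bytes come out of serializing a Foo whose field was nulled reflectively.
    static byte[] hostileStream() throws Exception {
        Foo f = new Foo();
        Field data = Foo.class.getDeclaredField("data");
        data.setAccessible(true);
        data.set(f, null);
        return serialize(f);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("-- new Foo()");
        byte[] good = serialize(new Foo());      // Parent class init, Foo class init, Parent ctor, Foo ctor
        byte[] bad = hostileStream();            // prints the two constructor lines again, nothing else

        System.out.println("-- deserialize a normal stream");
        Foo g = deserialize(good);               // prints only "in Parent constructor"
        System.out.println("size = " + g.size()); // 4: the array came from the stream, not the constructor

        System.out.println("-- deserialize a stream whose 'data' field is null");
        Foo h = deserialize(bad);                // again only "in Parent constructor"
        try {
            System.out.println("size = " + h.size());
        } catch (NullPointerException e) {
            System.out.println("NullPointerException: Foo's constructor never ran to initialise data");
        }
    }
}
```

The same reflective trick is all an attacker needs locally to produce a stream the receiver will accept: the stream has a valid class name and serialVersionUID, so every check the format provides passes, and only the application's assumptions break.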
58. Classes can ‘opt-in’ to deserialization and take more control
public class Log implements Serializable {
    private File logfile;
    private transient FileOutputStream los;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        los = new FileOutputStream(logfile);
    }
}
59. But that can still be used against them
public class Log implements Serializable {
    private File logfile;
    private transient FileOutputStream los;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        los = new FileOutputStream(logfile);
    }
}
Element Value
field name logfile
value /etc/passwd
The stream chooses the path: new FileOutputStream(logfile) opens it for writing and, if the process may write there, truncates it before any application code has looked at the value.
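The same Log class with the field checked before it is used, as an added example that is not the deck's code. LOG_ROOT, the demonstration paths and the reflective stand-in for a hand-crafted stream are assumptions for the example.

```java
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.*;

// Added example, not the deck's code: readObject validates, and never opens a file.
public final class Log implements Serializable {
    private static final long serialVersionUID = 1L;
    // Assumption for the example: log files may only live under this directory.
    private static final Path LOG_ROOT =
        Paths.get(System.getProperty("java.io.tmpdir"), "log-demo").toAbsolutePath().normalize();

    private File logfile;
    private transient FileOutputStream los;   // transient: never comes from the stream

    public Log(File logfile) throws InvalidObjectException { this.logfile = checked(logfile); }

    // One validation routine for the constructor and for readObject, so the two cannot drift apart.
    private static File checked(File f) throws InvalidObjectException {
        if (f == null) throw new InvalidObjectException("logfile is null");
        Path p = f.toPath().toAbsolutePath().normalize();   // collapses ../ segments
        if (!p.startsWith(LOG_ROOT) || p.equals(LOG_ROOT))
            throw new InvalidObjectException("logfile outside " + LOG_ROOT + ": " + p);
        return p.toFile();
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        logfile = checked(logfile);   // validate the deserialized field before anything uses it
        // Deliberately no FileOutputStream here: readObject should have no side effects.
    }

    /** Opens the log lazily, in append mode, so a bad stream can never truncate a file. */
    public synchronized OutputStream out() throws IOException {
        if (los == null) {
            Files.createDirectories(LOG_ROOT);
            los = new FileOutputStream(logfile, true);
        }
        return los;
    }

    // --- demonstration -----------------------------------------------------------------
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Stand-in for the attacker's hand-made stream: a valid Log with its logfile field swapped.
    static byte[] hostileStream(String path) throws Exception {
        Log l = new Log(LOG_ROOT.resolve("app.log").toFile());
        Field f = Log.class.getDeclaredField("logfile");
        f.setAccessible(true);
        f.set(l, new File(path));
        return serialize(l);
    }

    public static void main(String[] args) throws Exception {
        String[] paths = { "/etc/passwd", LOG_ROOT.resolve("../../etc/passwd").toString() };
        for (String path : paths) {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(hostileStream(path)))) {
                in.readObject();
                System.out.println("ACCEPTED " + path + " (should not happen)");
            } catch (InvalidObjectException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

InvalidObjectException is the conventional way to fail validation inside readObject; it propagates out of ObjectInputStream.readObject unchanged. normalize() handles ../ traversal but not a symlink that already sits inside LOG_ROOT; where the file exists, compare toRealPath() instead.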
60. Other ways to reduce exposure
private final void readObject(ObjectInputStream in) throws java.io.IOException {
    throw new java.io.IOException("forbidden");
}
Opt out of being deserialized (add to every class!)
61. Other ways to reduce exposure
// reject deserialisation of any class belonging to untrustedmodule,
// and of any array with more than 500 items in it
jdk.serialFilter=!untrustedmodule/.**;maxarray=500
// allow-list classes from package com.myorg.trusted (not its subpackages)
// and reject everything else. The trailing !* matters: a class that matches
// no pattern is UNDECIDED, and ObjectInputStream lets UNDECIDED through.
jdk.serialFilter=com.myorg.trusted.*;!*
Implement class filtering (JEP 290: the jdk.serialFilter property, or an ObjectInputFilter set on the stream)
62. Other ways to reduce exposure
Implement your own ObjectInputStream (override resolveClass and refuse anything not on your list, before an instance exists).
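Slides 61 and 62 in code, as an added example that is not the deck's: a JEP 290 filter with the trailing !* and size limits, and the older pattern of overriding resolveClass, combined in one ObjectInputStream. It needs JDK 9 or later for java.io.ObjectInputFilter (8u121 has the same API under sun.misc). Packet, the allow-list contents and the filter pattern are assumptions for the example.

```java
import java.io.*;
import java.util.*;

// Added example, not the deck's code: two ways to stop ObjectInputStream instantiating
// classes you did not expect.
public final class SafeDeserialization {

    // 1. JEP 290 filter. Patterns are tried in order; "!*" LAST rejects anything unmatched,
    //    otherwise an unmatched class is UNDECIDED and is let through. maxarray and maxdepth
    //    stop the MAX_INT-element array and deeply nested graphs before allocation.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "SafeDeserialization$Packet;java.lang.String;java.lang.Integer;java.lang.Number;"
        + "maxarray=500;maxdepth=10;!*");

    // 2. The pre-JEP 290 pattern: resolveClass runs for every class descriptor in the stream
    //    (superclasses and array classes too) BEFORE any instance is created.
    static final Set<String> ALLOWED = Set.of(
        "SafeDeserialization$Packet", "java.lang.String", "java.lang.Integer", "java.lang.Number");

    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
            setObjectInputFilter(FILTER);   // belt and braces: both checks apply
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName()))
                throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
            return super.resolveClass(desc);
        }
    }

    // The deliberate data transfer model from the slides, reduced to what this example needs.
    static final class Packet implements Serializable {
        private static final long serialVersionUID = 1L;
        String name; int size;
        Packet(String name, int size) { this.name = name; this.size = size; }
    }

    static Object readTrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: two expected, two not (a collection class and an int[] of 1000).
        Object[] inputs = { new Packet("foobar", 1), Integer.valueOf(42),
                            new HashMap<>(Map.of("a", 1)), new int[1000] };
        for (Object o : inputs) {
            try {
                System.out.println("accepted " + readTrusted(serialize(o)).getClass().getName());
            } catch (InvalidClassException e) {
                System.out.println("rejected " + o.getClass().getName() + ": " + e.getMessage());
            }
        }
    }
}
```

Note that Integer only gets through because java.lang.Number is listed as well: the stream carries a class descriptor for every serializable superclass, and each one is resolved and filtered separately. The int[] is rejected by resolveClass on the array class "[I" before the filter ever sees its length.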
63. Other ways to reduce exposure
Use modularity to reduce available classes
Attackers can only call code available on your system
64. Other ways to reduce exposure
Create a deliberate data transfer model
public final class Packet implements Serializable {
    String name;
    int size;
    List<ChildPacket> kids;
}
Complicated data structures -> converter -> Packet (only the Packet goes on the wire)
65. Other ways to reduce exposure
And maybe stop using native serialization at all
{
    "name" : "foobar" ,
    "size" : 1 ,
    "kids" : [ { } , { } ]
}
Complicated data structures -> converter -> JSON
68. The self-defining design of Java Serialization is
open to exploitation.
It’s all about running the code you already
have. Just not how you expected
Or changing your data to invalid but useful
values
How do the bad guys do this?
71. Element Value
STREAM_MAGIC 0xaced
STREAM_VERSION 0x0005
TC_OBJECT 0x73
TC_CLASSDESC 0x72
UTF8-ClassName oc1.serialisation.OC1
serial-version-id 0xab5aa959379f03ef
flags 0x02
field count 0x0001
field type ‘[’
UTF8-FieldName ‘data’
Element Type I
Element Count 0x7fffffff (MAX_INT)
Values (none needed: ObjectInputStream allocates the array from the count before it reads a single element, so the receiver runs out of heap first)
84. Impressive amount of tools and collateral out
there – but does it really matter?
How much risk are we taking by ignoring the
problem?
85. In 2016 Cybercrime was estimated to be worth 450 Billion Dollars
@spoole167
Cybercrime is the most profitable type of crime
In 2016 The illicit drug trade was estimated to be worth 435 Billion Dollars
86. Cybercrime is the most profitable type of crime
• Guess which one has the least risk to the criminal ?
• Guess which is growing the fastest ?
• Guess which one is the hardest to prosecute ?
• Guess which one is predicted to reach 2100 Billion Dollars by 2019?
• Guess which one is predicted to reach 6000 Billion Dollars by 2021?
88. That’s about $600 for every person on the planet
In the US it’s about $8000 each
89. Don’t agree?
“The bad guys prey on the weak, vulnerable and ignorant”
That’s you
90. Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”
91. import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
        }
        public void checkServerTrusted(X509Certificate[] certs, String authType) {
        }
        // not part of javax.net.ssl.X509TrustManager; JSSE never calls these
        public boolean isClientTrusted(X509Certificate[] cert) {
            return true;
        }
        public boolean isServerTrusted(X509Certificate[] cert) {
            return true;
        }
    }
};
Ever written something like this?
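What to write instead of the trust-everything manager above, as an added example that is not the deck's code. Chain building, expiry and signature checks stay with the JDK's PKIX implementation; the only decision left to you is which root store to trust. The truststore path and password parameters are assumptions for the example; with none given it uses the JDK's default cacerts.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not the deck's code: validation stays with the JDK's PKIX TrustManager.
public final class TrustedContexts {

    /** The JDK's own X509TrustManager, backed by the given store (null = the default cacerts). */
    static X509TrustManager trustManager(Path truststore, char[] password) throws Exception {
        KeyStore ks = null;   // null makes the factory load cacerts or javax.net.ssl.trustStore
        if (truststore != null) {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = Files.newInputStream(truststore)) { ks.load(in, password); }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); // PKIX
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SSLContext that validates against that store; hostname verification stays enabled. */
    static SSLContext sslContext(Path truststore, char[] password) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManager(truststore, password) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManager(null, null);
        // A real trust manager returns its anchors; the one on the slide returned null.
        System.out.println("accepted issuers: " + tm.getAcceptedIssuers().length);
        // Install for HttpsURLConnection. Do NOT also replace the HostnameVerifier with "return true":
        // that is the other half of the same mistake.
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext(null, null).getSocketFactory());
    }
}
```

If a private CA is involved, put its root into a dedicated truststore and pass that path; that is the whole change. Nothing here needs a custom TrustManager.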
93-95. We’ve all done something like that
We do it all the time
The whole world does it
How bad can it be?
Github search “implements TrustManager” ….
96. We’ve found 72,609 code results
• AlwaysValidTrustManager
• TrustAllServersWrappingTrustManager
• “A very friendly, accepting trust manager factory. Allows anything through. all kind of certificates are accepted and trusted.”
• “A very trusting trust manager that accepts anything”
• “// Install the all-trusting trust manager”
• OverTrustingTrustProvider
• AllTrustingSecurityManagerPlugin.java
• AcceptingTrustManagerFactory.java
• AllTrustingCertHttpRequester.java
99. Today Java serialization use is widespread.
• Java Persistence API (JPA)
• Remote EJB
• Remote Method Invocation (RMI)
• Java Management Extensions (JMX)
• Contexts and Dependency Injection (CDI)
• HTTP cookies
• HTML forms
• REST services
101. Reality
• As developers we all need to wake up to our responsibilities to design and code secure software.
• The bad guys exploit our ignorance and lack of attention.
102. Games & Drinks on Us
Please join our IBM Java devs on Wednesday after the community keynote for some drinks and video games!
Coin-Op Game Room, 508 4th St
7:30pm drinks
8:00pm light food, and quarters for games
Ibm.biz/javaparty