apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
WT* is JWT?
Maciej Treder, Senior Software Development Engineer at Akamai Technologies
Bitcoin has brought about a true revolution in how we think about money. In one fell stroke it solved the main problems that afflicted previous attempts at a truly digital currency: distributed consensus, double spending, and external attacks. Perhaps more importantly, it provided the first working version of a blockchain or distributed ledger. However, despite their relative simplicity, the underlying concepts on which these technologies are built are not well known and often obscured by hype and technical jargon.
Since the days of Bitcoin’s founding, many other crypto-currencies have been proposed and released. This tutorial will introduce these technologies in an intuitive way for data scientists, explaining their driving algorithms, motivations, and data structures.
Browser hijacking malware uses various techniques to modify users' browser settings and inject malicious code or modify webpage content without permission. Examples provided include SilentBanker, Sinowal, and Wnspoem which employ real-time HTML injection, configuration files, and HTTP forwarding to target banking websites, steal login credentials and other private data, and spread further. The malware can install browser helper objects, modify registry settings, and hijack common API calls to achieve their aims.
How does cryptography work? by Jeroen Ooms - Ajay Ohri
This document provides a conceptual introduction to cryptographic methods. It explains that cryptography works by using the XOR operator and one-time pads or stream ciphers to encrypt messages. With one-time pads, a message is XOR'd with random data and can only be decrypted by someone with the pad. Stream ciphers generate pseudo-random streams from a key and nonce to encrypt messages. Public-key encryption uses Diffie-Hellman key exchange to allow parties to establish a shared secret to encrypt messages.
This document provides an overview of cryptography concepts for PHP developers. It discusses keeping data secure from viewing, tampering and forgery through encryption but notes cryptography is not a silver bullet and vulnerabilities still exist. The document covers random number generation, symmetric and asymmetric encryption, hashing, common ciphers and modes, and securely storing passwords through hashing rather than encryption. It strongly recommends using existing libraries rather than implementing cryptography directly due to the complexity and risk of bugs.
Even the LastPass Will be Stolen, Deal with It! - Martin Vigo
Password managers have become very popular as a solution to avoid reusing passwords. With that in mind, password managers are a prized target for pentesters and attackers. If a password manager is compromised, the consequences are catastrophic as all the victim's secrets reside in the vault. One breach to get it all.
LastPass is arguably one of the most popular password managers in the market. Over 10,000 corporate customers ranging in various sizes including Fortune 500's rely on LastPass to protect all their data.
Research has been done on how to attack password managers but it has all focused on leaking specific credentials from the vault. LastPass not only stores credentials, but also bank accounts, ssh keys, personal records, etc. Therefore, we focused our research on finding the silver bullet to gain full access to the vault and steal all the secrets. By reversing LastPass plugins, we found several ways to do so. We will demonstrate how it is possible to steal and decrypt the master password. We also found how it is possible to abuse account recovery to ultimately obtain the encryption key for the vault. In addition, we discovered ways to bypass 2 factor authentication.
We wrote a Metasploit module that takes care of all of this. The module is able to search for all LastPass data in the machine comprising all accounts present. It will find and decrypt the master password, it will derive the encryption key for the vault, it will find the 2FA trust token and it will steal the vault so it can be decrypted. All secrets in the vault will be printed out for the pen-tester's satisfaction.
MongoDB World 2019: Using Client Side Encryption in MongoDB 4.2 - MongoDB
The document describes how client-side encryption works in MongoDB. It explains that the client encrypts data before sending it to MongoDB using encrypted data keys stored in a key vault collection. It also covers how JSON schemas can specify encryption rules for fields using properties like keyId, algorithm, and bsonType. The schemas help ensure data is encrypted as intended before being inserted or updated.
Repository of Presentation:
https://github.com/ArturSkowronski/naivechain-java
Presented:
Bielsko-Biała Java User Group (Bielsko-Biała JUG), Kraków, 22.02.2018 (https://www.meetup.com/pl-PL/Bielsko-Biala-JUG/events/247764157/)
Given the wild rises (and falls) of all the cryptocurrencies, Blockchain is on every developer's lips. At the same time, the number of myths, tales and legends that have grown around it has reached a size that is worth tidying up a little. In this presentation I will try to dispel some of them and, in addition, show Blockchain from a strictly programming perspective: in a live coding session we will implement a simplified but complete variant of a Blockchain, similar to the one known from Bitcoin, all using our favourite Java. I will also try to point out its strengths and weaknesses and explain why alternative implementations claiming to be a cure for all ills are springing up everywhere like mushrooms after rain (and why they usually are not). I hope to make the whole thing interactive: if anyone has questions, I will try to answer them during the presentation. My goal is for everyone to leave with a better understanding of what Blockchain is and, most importantly, what Blockchain certainly is not.
Artur is a developer with his heart torn between the JVM (as a whole) and modern JavaScript, with more mature marriage plans concerning the former platform.
He cannot stop himself from trying out new technologies, even if they sometimes blow up in his face as a result of overusing putty and duct tape in projects.
Currently a member of the VirtusLab team working on projects for Tesco Technology.
Part of the Dynamic Duo whose better half is a plush seal (ᵔᴥᵔ).
Hacker News vs. Slashdot: Reputation Systems in Crowdsourced Technology News - Christoph Matthies
Comparing the reputation systems of Slashdot (slashdot.org) and Hacker News (news.ycombinator.com), highlighting details and presenting possible changes.
Christoph Matthies (@chrima0), Robert Lehmann (@rlehmann)
Beyond Good & Evil: The nuts and bolts of DRM - Dave Cramer - ebookcraft 2017 - BookNet Canada
This document provides an overview of the basic tools and techniques used for digital rights management (DRM), including symmetric and asymmetric encryption, hashing, digital signatures, and certificates. It explains how ciphers, hashes, public/private key pairs, and certificates work and are used together to provide authentication, integrity, and non-repudiation for securing digital content and communications. Specific examples are given to illustrate symmetric encryption, digital signatures, and the certificate signing request process.
Cryptography For The Average Developer - Sunshine PHP - Anthony Ferrara
This document provides an overview of cryptography concepts for PHP developers. It discusses keeping data secure from viewing, tampering and forgery without cryptography being a "silver bullet" solution. The document covers random number generation, symmetric and asymmetric encryption, hashing, common ciphers and modes, authentication, and password storage best practices like hashing passwords instead of encrypting them. The key messages are that cryptography is very difficult to implement securely and developers should rely on expert libraries or hire an expert instead of rolling their own solutions.
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee... - MongoDB
This document discusses MongoDB's new client-side field level encryption capabilities in version 4.2. It describes how client-side encryption works, including encrypting and decrypting data before it is sent to or retrieved from the database. It also covers key management and the use of JSON schemas to define which fields should be encrypted.
The slower the stronger: a story of password hash migration - OWASP
Did you know that a single modern GPU is able to compute almost 20 billion MD5 hashes in a second? That’s why we need SLOW hashing algorithms!
This talk is a case study of a successful migration of www.ocado.com customer password hashes. I will not only show you the “why”, “what” and “how”, but also what was problematic, what went wrong and how we dealt with it.
I will talk about slow hashing algorithms - such as Argon2, PBKDF2, BCrypt or SCrypt - and compare them to other popular hashing algorithms - like MD5 or SHA1. Next, I will tell you a story of hashes which took about 80 ms to compute - not slow enough, fairly easy to crack. I will show you what our password hashing code looks like and I will guide you through our migration plan, describing in detail how we executed it, and what problems we encountered on the way.
GraphTalk Stockholm - Fraud Detection with Graphs - Neo4j
This document summarizes a presentation on fraud analysis with Neo4j. It discusses using graph databases and queries to analyze credit card fraud and detect fraudulent patterns in transaction data and referral programs. Examples are provided of Cypher queries to identify potentially fraudulent activity, such as transactions originating from high-risk terminals or complex referral fraud schemes. The benefits of using a graph database for this type of analysis are discussed.
MongoDB .local London 2019: Using Client Side Encryption in MongoDB 4.2 - Lisa Roth, PMP
Encryption is not a new concept to MongoDB. Encryption may occur in-transit (with TLS) and at-rest (with the encrypted storage engine). But MongoDB 4.2 introduces support for Client Side Encryption, ensuring the most sensitive data is encrypted before ever leaving the client application. Even full access to your MongoDB servers is not enough to decrypt this data. And better yet, Client Side Encryption can be enabled at the "flick of a switch".
This session covers using Client Side Encryption in your applications. This includes the necessary setup, how to encrypt data without sacrificing queryability, and what trade-offs to expect.
GraphTalk Helsinki - Fraud Analysis with Neo4j - Neo4j
This document summarizes a presentation on fraud analysis with Neo4j. It discusses using graph databases and queries to analyze credit card fraud and detect fraudulent patterns in a referral program. Examples are provided of Cypher queries to identify terminals where fraud originated, predict future targets of fraud, and uncover complex referral fraud schemes. The key benefits of graph thinking and native graph databases for fraud analysis are emphasized.
This document summarizes and compares various Ruby driver and ORM libraries for MongoDB, including Mongoid, MongoMapper, Mongomatic, and MongoODM. It discusses their features like querying syntax, associations, embedded documents, validation, and ActiveModel integration. It also provides code examples for creating and querying documents using these different libraries.
The document discusses token-based authorization and JSON web tokens (JWTs). It provides an overview of token-based authorization, including its advantages over cookie-based authorization. JWTs are described as a specification for tokens that contain encoded JSON claims in a compact URL-safe string. The document also covers OAuth2, describing its authorization grant types and flows at a high level.
Using JSON Web Tokens for REST Authentication - Mediacurrent
This session will provide an introduction to JSON Web Tokens (JWT) (https://jwt.io/introduction/), advantages over other authentication methods, and how to use it to authenticate requests to Drupal REST resources. After this session, attendees will have a better understanding of how JWTs work and will be able to set up and use JWT for authenticating REST requests in Drupal.
DEFCON 23 - Eijah - crypto for hackers - Felipe Prado
This document provides an introduction to cryptography concepts and algorithms. It defines common crypto terminology like encryption, hashing, and key derivation. It then demonstrates examples of symmetric ciphers like AES, cryptographic hashes like MD5 and SHA256, HMAC to provide integrity to hashes, and key agreement schemes like Diffie-Hellman. The examples are shown using C++ code snippets from crypto libraries like Crypto++ to encrypt, hash, derive keys from passwords, and perform key exchange between two parties. The document aims to educate readers on fundamental crypto concepts and their usage through code examples.
This document provides an overview of blockchain fundamentals and related concepts through a presentation given by Bruno Lowagie at JavaOne 2018. The presentation covers topics such as bits and bytes, hashing, encryption, digital signatures, and distributed ledger technology. It defines these concepts, provides examples, and discusses their applications, particularly in relation to blockchain. The goal is to explain the underlying theory behind blockchain in an accessible manner.
Prof Willy Susilo presented a seminar titled "Blockchain and its Applications" as part of the SMART Seminar Series on 20th September 2018.
More information: https://news.eis.uow.edu.au/event/blockchain-and-its-applications/
Keep updated with future events: http://www.uoweis.co/events/category/smart-infrastructure-facility/
This document provides an overview of cryptography fundamentals including:
- Symmetric and asymmetric cryptography principles like encryption with keys and digital signatures.
- The use of random numbers, prime numbers, and algorithms in cryptography.
- Basic security properties like authentication, privacy and integrity.
- Digital signatures, envelopes, and certificates that combine cryptographic methods for authentication and privacy.
- How cryptography standards and export controls balance security and policy concerns.
This document provides definitions and explanations of key concepts in information security and cryptography. It discusses symmetric and asymmetric cryptographic techniques such as stream ciphers, block ciphers, digital signatures, hash functions, and the use of random numbers for security applications. It also covers concepts like confidentiality, integrity, availability, cryptanalysis, plain text, cipher text, and the differences between symmetric and public key cryptography.
Blockchain, cryptography and tokens: NYC Bar presentation - Paperchain
Concise version of presentation delivered at the NYC Bar Association.
Overview of blockchains, how cryptography works on blockchains and the difference between cryptocurrencies and tokens.
This document provides an overview of cryptography concepts including:
- Homework 1 is due on 1/18 and project 1 is due the next day
- It reviews classical ciphers, modern symmetric ciphers like DES, and basic cryptography terminology
- It describes the Feistel cipher structure used in DES, the DES algorithm details like key scheduling and rounds, and strengths and weaknesses of DES versus alternatives like AES and triple DES
Biting into the forbidden fruit. Lessons from trusting Javascript crypto. - Krzysztof Kotowicz
Krzysztof Kotowicz gave a talk at Hack in Paris in June 2014 about lessons learned from trusting JavaScript cryptography. He discussed the history of skepticism around JS crypto due to language weaknesses like implicit type coercion and lack of exceptions. He then analyzed real-world vulnerabilities in JS crypto libraries like Cryptocat that exploited these issues, as well as web-specific issues like cross-site scripting. Finally, he argued that while the JS language has flaws, developers can still implement crypto securely through practices like strict mode, type checking, and defense-in-depth against web vulnerabilities.
What is a decentralised application? - Devoxx Morocco 2018 - Wajug
A decentralized application (DApp) is an application that runs on a decentralized peer-to-peer network rather than a central server. The document discusses the evolution of blockchain technology from Bitcoin to Ethereum, which allows for more complex decentralized applications through smart contracts and a Turing-complete programming language. It also covers key concepts like mining, consensus algorithms, and how DApps interact with smart contracts on the Ethereum blockchain through web3.js.
What is a decentralised application? - Les Jeudis du Libre - Wajug
A decentralized application (DApp) is an application that runs on a decentralized network like Ethereum rather than being hosted and controlled by a single company. A DApp uses blockchain technology and smart contracts to allow peer-to-peer transactions and decisions without an intermediary. Ethereum allows developers to create DApps with Turing-complete smart contracts that can automate processes and disintermediate industries like banking, insurance, and more. DApps are accessed through a web interface or mobile app and interact with smart contracts deployed on the Ethereum blockchain.
A decentralized application (DApp) is an application that runs on a decentralized network like Ethereum rather than being hosted and controlled by a single company. A DApp uses blockchain technology and smart contracts to allow peer-to-peer transactions and decisions without an intermediary. Ethereum allows developers to create DApps with Turing-complete smart contracts that can automate processes and disintermediate industries like banking, insurance, and more. DApps are accessed through a web interface or mobile app and interact with smart contracts deployed on the Ethereum blockchain.
Blockchain By Code examples - Devoxx Poland 2018Mario Romano
The world is about to split between centralizers and decentralizers. Which side are you gonna pick? How to choose it? Well, the first step is to understand what is the technology at the base of this separation and because most likely you speak code like me, what best way is to understand it than using code examples?
Many people think that this technology will change the internet and our life, bringing us the web 3.0, a new web more democratic where you will not need to give up to your privacy or security in order to get services. Is it really going to happen? We will see...but better be ready in case.
Roy Wasse is a Dutch JUG leader and co-founder of OpenValue who is interested in technological change. The document discusses various cryptographic techniques including the one-time pad encryption method, stream ciphers, hashing versus encryption, block ciphers, asymmetric encryption using elliptic curves, quantum key distribution, and various applications like mixing services and onion routing for anonymity. It also touches on concepts like commitment schemes, zero-knowledge proofs, scriptless transactions in Mimblewimble, and using digital signatures to unlock content.
201803 Blockchains, Cryptocurrencies & Tokens - NYC Bar Association Presentat...Paperchain
Presented at the NYC Bar Association, an overview of the technologies that make up blockchain technology and why those technologies have implications with existing legal frameworks.
Bitcoin is a cryptocurrency and digital payment system invented by Satoshi Nakamoto that allows for peer-to-peer transactions without an intermediary. Transactions are verified by network nodes and recorded on the blockchain, which is an ordered, back-linked list of transaction blocks. The blockchain uses a Merkle tree to efficiently summarize transactions in each block with a digital fingerprint. Bitcoin addresses are generated from a public key hash derived through elliptic curve cryptography from a private key. Hierarchical deterministic wallets allow private keys to be deterministically derived from a seed to back up and restore wallets. Transactions consist of inputs spending outputs from previous transactions and new outputs sending coins to addresses, with scripts defining spending conditions.
A Deep Dive into the Interplay of Cryptographic Schemes and Algorithms powering the state of the art security models in Blockchain as manifested by the legendary Cryptocurrency Scheme Bitcoin. Presented in the IT Audit and Cybersecurity Conclave Organised by ISACA and Red Team Hacker Academy in Kochi, Kerala.
“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...Dace Barone
He will give an introduction talk about Blockchain technology technical aspects like cryptography, protocols, APIs and scripting with focus on explaining how Bitcoin and other blockchain works and what they consist of.
Yurijs is a Chief Technical Officer at Paybis, blogger at coinside.ru , blockchain enthusiast since 2011.
The document provides an overview of cryptocurrencies and digital currencies. It discusses why crypto is important for information security, IP protection, and protection against ransomware. It then outlines a plan to cover Bitcoin and its history, characters, mechanisms, blockchain, symmetric and asymmetric crypto algorithms, breaking crypto difficulties, and comparisons to other digital currencies like Litecoin. Practical exercises on wallets, transfers, and exchanges are also mentioned. Additional advanced topics like SegWit, zero-knowledge proofs, and homomorphic encryption are included as bonuses.
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...apidays
Sustainable IT and API Performance - How to Bring Them Together
Merja Kajava, Founder - Aavista Oy
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...apidays
Keynote 1: APIs ahoy, the case of Customer Booking APIs in Finnlines and Grimaldi Lines, ShortSea
Vesa Vähämaa, Head of Group IT, Software at Finnlines Plc
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...apidays
From Chaos to Calm: Navigating Emerging API Security Challenges
Eli Arkush, Principal Solutions Engineer, API Security at Akamai
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - What is next now that your organization created a (si...apidays
What is next now that your organization created a (significant) set of APIs?
Rogier van Boxtel, Director, Pre Sales Consulting - Axway
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...apidays
There’s no AI without API, but what does this mean for Security?
Timo Rüppell, VP of Product - FireTail.io
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...apidays
Security Vulnerabilities in your APIs
Lukáš Ďurovský, Staff Software Engineer at Thermo Fisher Scientific
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...apidays
Data, API’s and Banks, with AI on top
Sergio Giraldo, IT Lead - ING
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...apidays
Data Ecosystems Driving the Green Transition
Olli Kilpeläinen, VP - Data Platform & Ecosystem at Betolar
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...apidays
Bridging the Gap Between Backend and Frontend API Testing with K6
Ayush Goyal, Senior Software Engineer - Grafana Labs
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaangoapidays
API Compliance by Design
Marjukka Niinioja, APItalista & Founding Partner - Osaango
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...apidays
ABLOY goes API economy – Transformation story
Hanna Sillanpää Head of Digital Solutions PU - Abloy
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuploapidays
The subtle art of API rate limiting
Josh Twist, Co-founder & CEO at Zuplo
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...apidays
ESTful API Patterns and Practices
Mike Amundsen, Author of "Design and Build Great APIs", API Strategist & Advisor at amundsen.com, Inc.
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adamsapidays
Putting AI into API Security
Corey Ball, Author and Sr. Manager Pentest at Moss Adams
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Prototype-first - A modern API development workflow b...apidays
Prototype-first - A modern API development workflow
Tom Akehurst, CTO and Co-Founder at WireMock
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...apidays
Post-Quantum API Security: Preparing your APIs for Q-day
Francois Lascelles, Distinguished Engineer at Broadcom and CTO at Layer7
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...apidays
Increase your productivity with no-code GraphQL mocking
Hugo Guerrero, Chief Software Architect, APIs & Integration Developer Advocate at Red Hat
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danoneapidays
Driving API & EDA Success: Comparing CoE & C4E Models for Organizational Enablement
Marcelo Caponi, Global Product Manager - API & Integration at Danone
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...apidays
Build a terrible API for people you hate
Jim Bennett, Principal Developer Advocate at liblab
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...apidays
API Secret Tokens Exposed: Insights from Analyzing 1 Million Domains
Tristan Kalos, Co-founder and CEO at Escape
Antoine Carossio, Co-Founder & CTO at Escape
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
In our second session, we shall learn all about the main features and fundamentals of UiPath Studio that enable us to use the building blocks for any automation project.
📕 Detailed agenda:
Variables and Datatypes
Workflow Layouts
Arguments
Control Flows and Loops
Conditional Statements
💻 Extra training through UiPath Academy:
Variables, Constants, and Arguments in Studio
Control Flow in Studio
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...Fwdays
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillLizaNolte
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...DanBrown980551
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving
What began over 115 years ago as a supplier of precision gauges to the automotive industry has evolved into being an industry leader in the manufacture of product branding, automotive cockpit trim and decorative appliance trim. Value-added services include in-house Design, Engineering, Program Management, Test Lab and Tool Shops.
8. Symmetric cipher
Substitution table (letter → number):
a b c d e f g h i j k l m
1 2 3 4 5 6 7 8 9 10 11 12 13
n o p r s t u v w x y z _
14 15 16 17 18 19 20 21 22 23 24 25 26
Plaintext:  I like you
Ciphertext: 9 26 12 9 11 5 26 24 15 20
10. Asymmetric cipher
• Private key - used to decrypt the message
• Public key - used to encrypt the message
• Keys are generated using the one-way function f(p,q) = p*q, where p and q are primes
• Keys can be used interchangeably
11. RSA key
• Select primes p and q
• Calculate n = p*q
• Calculate φ = (p-1)*(q-1)
• Choose e relatively prime to φ: gcd(φ, e) == 1
• Compute d such that (e*d - 1) mod φ = 0
• Public key = (n, e)
• Private key = (n, d)
Worked example:
p = 11, q = 3
n = 11*3 = 33
φ = (11-1)*(3-1) = 20
e = 3
d = 7, because:
(e*d - 1) mod φ = 0
(3d - 1) mod 20 = 0
3d - 1 = 20k for some integer k
d = (20k + 1)/3
d = (20*1 + 1)/3 = 21/3 = 7
public key = (n, e) = (33, 3)
private key = (n, d) = (33, 7)
13. Asymmetric cipher
c = m^e mod n public key = (n, e) = (33, 3)
private key = (n, d) = (33, 7)
a b c d e f g h i j k l m
m 2 3 4 5 6 7 8 9 10 11 12 13 14
c 8 27 31 26 18 13 17 3 10 11 12 19 5
n o p r s t u v w x y z _
m 15 16 17 18 19 20 21 22 23 24 25 26 27
c 9 4 29 24 28 14 21 22 23 30 16 20 15
I like you
10 15 19 10 12 18 15 16 4 21
m' = c^d mod n
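The key derivation of slide 11 and the per-letter encryption table of slide 13, worked through in Python as an added example (not code from the talk). It assumes the slide's toy parameters p=11, q=3, e=3 and the slide-13 alphabet (letters numbered from 2, no "q", underscore for the space); the names rsa_keygen, encrypt_text, decrypt_text and fixed_points are mine. fixed_points goes one step beyond the slide: it lists the symbols the table leaves unchanged (m^e mod n = m), which is one visible reason why deterministic, unpadded, symbol-by-symbol RSA leaks structure and why real RSA encryption uses a padding scheme such as OAEP on a large modulus.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Textbook RSA from slide 11: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi.
    Returns (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+), i.e. (e*d - 1) mod phi == 0
    return (n, e), (n, d)


def rsa_encrypt(m: int, public_key) -> int:
    n, e = public_key
    return pow(m, e, n)  # c = m^e mod n


def rsa_decrypt(c: int, private_key) -> int:
    n, d = private_key
    return pow(c, d, n)  # m = c^d mod n


# Slide-13 alphabet: 26 symbols numbered from 2; the slide omits "q" and uses "_" for space.
ALPHABET = "abcdefghijklmnoprstuvwxyz_"


def char_to_int(ch: str) -> int:
    return ALPHABET.index(ch) + 2


def int_to_char(value: int) -> str:
    return ALPHABET[value - 2]


def encrypt_text(text: str, public_key) -> list:
    """Encrypt one symbol at a time, exactly as the slide's table does."""
    return [rsa_encrypt(char_to_int(ch), public_key)
            for ch in text.lower().replace(" ", "_")]


def decrypt_text(ciphertext: list, private_key) -> str:
    return "".join(int_to_char(rsa_decrypt(c, private_key))
                   for c in ciphertext).replace("_", " ")


def fixed_points(public_key) -> list:
    """Symbol values that encrypt to themselves (m^e mod n == m).
    With n = 33 the slide's own table shows six of them."""
    return [m for m in range(2, 28) if rsa_encrypt(m, public_key) == m]


if __name__ == "__main__":
    public, private = rsa_keygen(11, 3, 3)
    print("public", public, "private", private)          # (33, 3) (33, 7)
    c = encrypt_text("I like you", public)
    print(c)                                              # matches slide 13
    print(decrypt_text(c, private))                       # i like you
    print("unchanged by encryption:", fixed_points(public))
```

Running it reproduces the slide's key pair, the ciphertext for "I like you" and the whole table; the fixed-point list is what a practitioner should notice: a tiny modulus and no padding mean the "encryption" of several letters is the letter itself.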
15. Breaking the RSA
• Obtaining the public key gives an attacker the modulus n
• Key sizes - 1024 to 4096 bit (from 2^1024 to 2^4096)
• p:
10933766183632575817611517034730668287155799984632223454138745671121273456287670008290843302875521274970245314593222946129064538358581018615539828479146469
• q:
10910616967349110231723734078614922645337060882141748968209834225138976011179993394299810159736904468554021708289824396553412180514827996444845438176099727
• 1024 bit modulus:
119294134840169509055527211331255649644606569661527638012067481954943056851150333806315957037715620297305000118628770846689969112892212245457118060574995989517080042105263427376322274266393116193517839570773505632231596681121927337473973220312512599061231322250945506260066557538238517575390621262940383913963
16. Signing
• Write the message
• Hash the message
• Encrypt the hash with your private key
• Combine the message with the encrypted hash
• Encrypt message+hash with their public key
• I like you
• f1d049f7b893bf8601c66045b801d590
• xxx-yyy-zzz
• I like you.xxx-yyy-zzz
• aaa-bbb-ccc
17. Verifying
• Receive the message
• Decrypt it using your private key
• Get the original message & the encrypted hash
• Hash the original message
• Decrypt the received hash using their public key
• Compare the hashes
• aaa-bbb-ccc
• I like you.xxx-yyy-zzz
• f1d049f7b893bf8601c66045b801d590
• xxx-yyy-zzz -> f1d049f7b893bf8601c66045b801d590
21. Signing
• Create a message
• Hash the message
• Encrypt hash with private key
• Combine message and encrypted hash
• From tomorrow everyone in the kingdom must use his left hand to open the door.
• F03CF2EF5AFCE429DB88051746F3864B
• Vf2Lx/jOUNLoXawCw4disZhrFfqcoNRGDvpG+SbxUX0=
• {
"message": "From tomorrow everyone in the kingdom must use his left hand to open door.",
"signature": "Vf2Lx/jOUNLoXawCw4disZhrFfqcoNRGDvpG+SbxUX0="
}
22. Verifying
• Get the message
• Hash the message
• Decrypt the signature
• Compare hash with decrypted signature
• {
"message": "From tomorrow everyone in the kingdom must use his left hand to open door.",
"signature": "Vf2Lx/jOUNLoXawCw4disZhrFfqcoNRGDvpG+SbxUX0="
}
• F03CF2EF5AFCE429DB88051746F3864B
• Vf2Lx/jOUNLoXawCw4disZhrFfqcoNRGDvpG+SbxUX0=
• F03CF2EF5AFCE429DB88051746F3864B
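The hash-then-sign flow of slides 21 and 22, as an added Python example (not the talk's code and not any library's API). It uses a constructed toy RSA key built from two Mersenne primes, 2^107-1 and 2^127-1, so that a SHA-224 digest always fits below the modulus and no padding is needed; the names sign, verify and digest, the base64 signature envelope and the choice of SHA-224 are mine. Real signatures use keys of 2048 bits or more with PKCS#1 v1.5 or PSS padding; the point here is the structure the slides describe: the signature is the digest raised to the private exponent, and the verifier recomputes the digest, "decrypts" the signature with the public exponent and compares.

```python
import base64
import hashlib

# Constructed toy key pair (assumption for this example, not from the talk).
# Two well-known Mersenne primes give a modulus of about 234 bits, so a 224-bit
# SHA-224 digest is always smaller than N and can be signed without padding.
P = 2**107 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: (E*D - 1) mod phi == 0

SIG_LEN = (N.bit_length() + 7) // 8  # bytes needed to carry a value below N


def digest(message: str) -> int:
    """Step 'hash the message': the digest as an integer below N."""
    return int.from_bytes(hashlib.sha224(message.encode("utf-8")).digest(), "big")


def sign(message: str) -> dict:
    """Slide 21: hash, 'encrypt' the hash with the private key, combine with the message.
    The result mirrors the slide's {"message", "signature"} envelope."""
    sig_int = pow(digest(message), D, N)
    sig_b64 = base64.b64encode(sig_int.to_bytes(SIG_LEN, "big")).decode("ascii")
    return {"message": message, "signature": sig_b64}


def verify(envelope: dict) -> bool:
    """Slide 22: hash the message, 'decrypt' the signature with the public key, compare.
    Any malformed input is simply an invalid signature, never an exception to the caller."""
    try:
        message = envelope["message"]
        raw = base64.b64decode(envelope["signature"], validate=True)
    except (KeyError, TypeError, ValueError):
        return False
    sig_int = int.from_bytes(raw, "big")
    if not 0 < sig_int < N:       # values outside [1, N) are never valid signatures
        return False
    return pow(sig_int, E, N) == digest(message)


if __name__ == "__main__":
    envelope = sign("From tomorrow everyone in the kingdom must use his left hand to open the door.")
    print(envelope)
    print("valid:", verify(envelope))                                             # True
    forged = dict(envelope, message=envelope["message"].replace("left", "right"))
    print("tampered message accepted:", verify(forged))                           # False
```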
26. So.. What the **** is JWT?
• JWT does not exist itself
• Signed JWT is called JWS (JSON Web Signature)
• Encrypted JWT is called JWE (JSON Web Encryption)
JWT → JWS | JWE
27. Registered claims
Header:
{
"alg":"HS256",   ← Algorithm used for signing
"typ":"JWT"      ← Token type
}
Payload:
{
"iss": "authorization-service",   ← Issuer
"sub": "myself",                  ← Subject (the user)
"aud": "someone",                 ← Audience (recipient)
"iat": 1594655553034,             ← Issued at (time at which token was issued)
"nbf": 1594655553134,             ← Not before (time before which token is not valid)
"exp": 1594655553234,             ← Expires (time after which token is not valid)
"jti": 12345                      ← Unique identifier
}
28. Custom claims
{
"alg":"RS512",
"typ":"JWT"
}
{
"name": "Maciej",
"surname": "Treder",
"privileges": ["booking_reschedule"],
"exp": 1594655553234
}
• Public claims - defined at will by those using JWTs. To avoid collisions they should be defined in the IANA JSON Web Token Registry
• Private claims - custom claims created to share information between parties that agree on using them
40. Further reading
• JSON web token validation
https://learn.akamai.com/en-us/webhelp/api-gateway/api-gateway-user-guide/GUID-682D1D3F-4CF2-46F2-B16B-5E0E1E991218.html
• Protecting JavaScript Microservices on Node.js with JSON Web Tokens and Twilio Authy
https://www.twilio.com/blog/protecting-javascript-microservices-node-js-json-web-tokens-twilio-authy
44. JWKS
• What if my key gets compromised?
• What if I want to rotate keys?
• What if I want to invalidate someone's access?
• JSON Web Key Set
• A repository of keys (public, private, symmetric)
52. Data Security
• A JWS payload is encoded, not encrypted
• Never store sensitive data (e.g. credit card numbers) in a JWS token
• If you want to store sensitive data, choose JWE
53. Unsigned JWT
• A JWT doesn't need to be signed
• Do not rely only on the header when you're validating the token
• "alg": "none"
54. Error Responses
• Pay attention to what you are providing in the error response
• https://github.com/jwt-dotnet/jwt/issues/61
55. Weak Key
• HS256 (HMAC-SHA256)
• The token is signed by applying SHA256 twice
• When an attacker obtains a signed token, they can "easily" recover a weak key (e.g. by using hashcat)
• According to the documentation, use a key that is at least the same size as the hash output (256 bits for HS256)
56. Decoding != Verifying
• Decoding is enough only for denying access (lack of a required claim)
• Always verify the signature before granting someone access
• Read the library documentation: verification is often a separate method from decoding
57. Timing attack
• Applies when the signature is verified byte after byte
• As soon as one byte doesn't match, access is denied
• An attacker may observe the response time and derive the next byte of the signature
58. jku
• Always verify the URL provided in the jku header parameter before fetching keys from it
{
"alg":"HS256",
"typ":"JWT",
"kid":"12",
"jku":"https://attacker.com/.well-known/jwks.json"
}
{
"privileges": ["change_gate"]
}
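A minimal HS256 JWS signer and verifier in Python that ties together the registered claims of slide 27, the JWKS lookup of slide 44 and the pitfalls of slides 52 to 58 (encoded is not encrypted, "alg": "none", generic error responses, minimum key size, decoding versus verifying, timing-safe comparison, untrusted jku). It is an added example, not the talk's code and not any library's API. The names hs256_sign, decode_unverified, verify, authorize, TokenRejected, KEY_SET and DEMO_KEY are mine, the demo key and key set are constructed, and the time claims are treated as RFC 7519 NumericDate values, i.e. seconds since the epoch.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: 32 bytes (256 bits), the minimum for HS256 per slide 55.
# A real deployment loads this from a secrets store, never from source code.
DEMO_KEY = bytes(range(32))

# Stand-in for a JSON Web Key Set you control: keys are looked up by "kid".
# Rotating a key means adding a new kid and later dropping the old one.
KEY_SET = {"12": DEMO_KEY}


class TokenRejected(Exception):
    """Carries a precise reason for server-side logs; clients only ever see a generic denial."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(key: bytes, kid: str, claims: dict) -> str:
    """Build a JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    if len(key) < 32:
        raise ValueError("HS256 key must be at least 256 bits")
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def decode_unverified(token: str) -> tuple:
    """Decoding only. The payload is encoded, not encrypted: anyone can read it and nothing
    here proves who wrote it. Enough to deny (missing claim), never enough to grant."""
    header_b64, claims_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def verify(token: str, key_set: dict, now: float = None) -> dict:
    """Verify the signature and time claims; returns the claims or raises TokenRejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, TypeError):
        raise TokenRejected("malformed header")
    # The header is attacker-controlled. Pin the algorithm instead of trusting "alg"
    # (this is what rejects "alg": "none") and never fetch keys from a "jku" URL the
    # token itself names: keys come only from the set we configured, selected by kid.
    if header.get("alg") != "HS256":
        raise TokenRejected("unsupported alg %r" % header.get("alg"))
    if "jku" in header:
        raise TokenRejected("jku header not accepted")
    key = key_set.get(header.get("kid"))
    if key is None:
        raise TokenRejected("unknown kid %r" % header.get("kid"))
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode("ascii"), hashlib.sha256).digest()
    # compare_digest takes the same time wherever the first mismatch is: the defence
    # against the byte-by-byte timing attack of slide 57.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))
    # RFC 7519 NumericDate values are seconds since the epoch.
    if "nbf" in claims and now < claims["nbf"]:
        raise TokenRejected("token not yet valid")
    if "exp" in claims and now >= claims["exp"]:
        raise TokenRejected("token expired")
    return claims


def authorize(token: str, key_set: dict, required_privilege: str, now: float = None) -> bool:
    """What a gateway does per request: verify first, then check the claim.
    Returns only True/False; the detailed reason stays in server-side logs (slide 54)."""
    try:
        claims = verify(token, key_set, now)
    except TokenRejected as reason:
        print("rejected:", reason)  # log it, do not echo it to the client
        return False
    return required_privilege in claims.get("privileges", [])


if __name__ == "__main__":
    t0 = 1594655553  # constructed fixed "now" so the run is reproducible
    token = hs256_sign(DEMO_KEY, "12", {"iss": "authorization-service", "sub": "myself",
                                        "iat": t0, "nbf": t0, "exp": t0 + 300,
                                        "privileges": ["booking_reschedule"]})
    print(token)
    print(authorize(token, KEY_SET, "booking_reschedule", now=t0 + 10))   # True
    print(authorize(token, KEY_SET, "booking_reschedule", now=t0 + 301))  # False (expired)
```

decode_unverified can reject a token that lacks a required claim, but only verify returns a claims object you may grant access on. The reasons carried by TokenRejected belong in your logs; the client sees only the boolean from authorize.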
60. Summary
• JWT is often confused with JWS, which is one of its implementations
• It's a way of stateless data exchange
• A JWS is built of a JOSE header, a payload and a signature
• It's a good place to keep non-sensitive data whose integrity must be verified
• Always follow the given algorithm's best practices (e.g. pass-phrase/key size)
• JWE is a good choice if you want to keep data encrypted
61. Resources
• JWT.IO
https://jwt.io
• JSON web token validation
https://learn.akamai.com/en-us/webhelp/api-gateway/api-gateway-user-guide/GUID-682D1D3F-4CF2-46F2-B16B-5E0E1E991218.html
• Verify JWT With JSON Web Key Set (JWKS) In API Gateway
https://blogs.akamai.com/2019/10/verify-jwt-with-json-web-key-set-jwks-in-api-gateway.html
• RFC 7519 - JSON Web Token
https://tools.ietf.org/html/rfc7519
62. Resources
• Building JavaScript Microservices with Node.js
https://www.twilio.com/blog/building-javascript-microservices-node-js
• Implementing Eureka and Zuul for Service Discovery and Dynamic Routing in JavaScript Microservices Running on Node.js
https://www.twilio.com/blog/eureka-zuul-service-discovery-dynamic-routing-javascript-microservices-node-js
• Scaling Node.js JavaScript Microservices on Shared MongoDB Atlas Cloud Persistence Layers
https://www.twilio.com/blog/scale-node-js-javascript-microservices-shared-mongodb-atlas
• Protecting JavaScript Microservices on Node.js with JSON Web Tokens and Twilio Authy
https://www.twilio.com/blog/protecting-javascript-microservices-node-js-json-web-tokens-twilio-authy