One day I stumbled upon a web app testing environment that used client-side JavaScript to perform authentication.
It was very simple to break into because it hashed the password with a very simple checksum algorithm.
I created this presentation to share my thoughts on what I found.
6. “checksums are often used to verify data integrity, but should not be relied upon to also verify data authenticity”
What’s so Bad? / The Enemy / Breaking Bad / Closing
7. “It is infeasible to find two different messages with the same [cryptographic] hash”
8. It should be feasible to find two different messages with the same checksum.
10.
```javascript
function jesChecksum(str)
{
  …
  for (i = 0; i < (str.length); i++)
  {
    tmp = str.charCodeAt(i) * primes[i];  // weight each UTF-16 code unit by the i-th prime
    rtn = rtn + tmp;                      // and add it up: the result is linear in the input
  }
  …
}
```
The simplicity of this algorithm makes it very easy to solve.
11. Thanks to Unicode:
Solve 2x + 3y = 9887 over the integers.
One such solution is “Ŏఁ”:
Ŏఁ = String.fromCharCode(334, 3073);
12. Using the right tool for the job requires you to understand the tools available.
13. Don’t roll your own security either
14. And definitely don’t do security client side in Javascript