As the air gap between our daily lives and the Internet continues to shrink, the security of our personal data and devices grows in importance. We face the daily threat of putting 2000s-era computers bolted to toasters online while expecting them to defend against 2017-capable attackers. This talk will explore the continuing trend of IoT, discuss how we've been here before, and lay out strategies for keeping pace with attackers in the future. It will focus on enumerating this risk, discussing the challenges involved, and exploring solutions.
First, we will examine the history of how we got here, and what it means to say "security is a snapshot in time." We then introduce the idea of shared ken, the range of one's knowledge or sight, and how it impacts security. Third, we discuss the influence of data as code, the meta game, and secrecy as a way of mastering impact and ken.
This talk will allow attendees to walk away with:
- A holistic view of the history of computer security and how it impacts them today
- The importance of extending the range of collective vision to reduce blind spots
- Practical advice for BSiders to grow their mindset and improve their impact
Adam is a founding partner and Chief Executive Officer at Deja vu Security. He is dedicated to leadership and relentless innovation in Deja's products and services. Previously he has led teams conducting application and hardware penetration tests for Fortune 500 technology firms. Adam is a contributing author to multiple security books, benchmarks, tools, and DARPA research projects. Adam holds a degree in Computer Science and a Master's from Carnegie Mellon University in Information Networking.
Deja vu Security CEO Adam Cecchetti was invited to present the keynote speech at this year's (sold-out!) Hushcon in Seattle. Rich in humorous anecdotes and practical analysis, Test For Echo explores the relationship between time, ken, and the future of computer security.
Welcome to The Security Influencer's Channel. In this episode, Jeff Williams interviews Andrew Hay of OpenDNS. They discuss bad credential management and the recent eBay breach, thinking with the mind of an attacker, firewalls, security in the cloud, and fast-moving agile and DevOps life cycles in the software development life cycle (SDLC).
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro... Dana Gardner
The panel discussion focused on improving global cybersecurity and mitigating risks for enterprises. Key points discussed included:
- Continuous monitoring of user behavior and access controls is essential to detect attackers who have been on networks for months undetected. Rigorous detection, containment, and response processes are needed.
- Executive support and cross-departmental incident response processes are required to quickly address security issues.
- The growth of IoT devices introduces new risks if basic security practices from IT are not applied. A new architectural approach is needed for IoT security.
- Increased public-private collaboration and information sharing is important but will not be solved by government alone. Industry can lead through sector-specific partnerships and alliances.
The document describes how to steal Gmail credentials using social engineering and the Social Engineering Toolkit (SET). It involves tricking a victim into entering their login credentials on a spoofed Gmail login page hosted on the attacker's machine. The attacker first sets up Kali Linux in a virtual machine and launches SET. They then change the victim's Gmail bookmark to point to the attacker's IP address hosting the fake login page. When the victim tries to access Gmail, they enter their credentials, which are captured by SET. The document warns readers to be vigilant against this kind of social engineering attack.
Windows FE (Forensic Environment) allows forensic examiners to boot an evidence machine to Windows instead of Linux or other operating systems. This allows examiners to use their familiar Windows-based forensic tools rather than needing to learn Linux applications. Windows FE is based on Windows PE (Preinstallation Environment) but is designed for forensic analysis, where Windows PE is for system preparation and installation. Booting to Windows FE preserves evidence better than hardware write blocking and allows examiners to efficiently image, triage, and examine evidence machines using their preferred Windows software tools.
Security Differently - DevSecOps Days Austin 2019 Aaron Rinehart
The document discusses the concept of "security differently", which focuses on relying on people's expertise and insights rather than a compliance-based approach to security. It argues that current security practices often view people as the problem rather than the solution. Security differently aims to halt the over-bureaucratization of security work and instead ask people what they need while focusing on competency and common sense. The document also notes that complex systems are inherently difficult to secure and that outages and breaches will continue without rethinking traditional security approaches.
ADDO - Navigating the DevSecOps App-ocalypse 2020 Aaron Rinehart
The speed and scale of complex system operations within cloud-driven architectures make them extremely difficult for humans to mentally model their behavior. This often results in unpredictable and catastrophic outcomes that become costly when unexpected security incidents occur. There is a need to realign the actual state of operational security measures in order to maintain an acceptable level of confidence that our security actually works when we need it to.
As an alternative to simply reacting to failures, the security industry has been overlooking valuable chances to further understand and nurture ‘accidents’ or ‘mistakes’ as opportunities to proactively strengthen system resilience. Chaos Engineering allows us to proactively expose the failures, build resilient systems, and develop an "Applied Security" model to minimize the impact of failures.
Chaos Engineering allows security teams to proactively experiment and derive new information about underlying factors that were previously unknown. This is done by developing live-fire exercises that can be measured, managed, and automated. Contrary to Red/Purple Team exercises, chaos engineering does not use threat actor or adversarial tactics, techniques, and procedures. As far as we know, Chaos Engineering is the only proactive mechanism for detecting availability and security incidents before they happen. We proactively introduce turbulent conditions, faults, and failures into our systems to determine the conditions under which our security will fail before it actually does.
In this session we will introduce a new concept known as Security Chaos Engineering and how it can be applied to create highly secure, performant, and resilient distributed systems.
ICTON 2019 France Keynote Presentation
Only 50 years ago network design was dominated by well-defined, characterised, and understood services, but the launch of mobile services in the 1980s brought that era of certainty and stability to a rapid close. Not only were mobile users different in their habits, they discovered TXT! At almost the same time the internet and dial-up modems were introduced, and these compounded the situation further. Since that time network designers have been largely guessing as to what services they should accommodate and when.
The real culprits of chaos here are accelerating technologies and the new services they engender. For example: Facebook did not exist 15 years ago; WhatsApp 10 years ago; Snapchat 8 years ago; whilst video/audio downloading and streaming were not mainstream just 3 years ago. And waiting in the wings we have the IoT and AI services. Needless to say, most networks and network designers will continue to be wrong-footed by the pace of change!
Why isn't infosec working? Did you turn it off and back on again? Rob Fuller
BruCon 2019 Keynote -=> My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and Silicon Valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let's get past complaining about blinky lights and users. Let's talk about what actually works and what doesn't.
This document discusses network security and how attacks have evolved over time. It argues that while firewalls and antivirus software are important, social engineering is the most effective hacking tool as it tricks users into unknowingly compromising security. A strong defense requires educating all users to be wary of potential threats like malicious emails and to serve as the last line of defense through safe password practices and avoiding suspicious file attachments or links. The best protection combines technical security measures with an engaged, informed "cyber militia" of users.
Slides from my DevOpsExpo London talk "From oops to NoOps".
They tell you in these conferences that DevOps is not about tools, but about culture. And they are partially right. I am going to tell you that it’s not only about culture or tools but also abstractions.
It is a lot about how you see software and its value. About our mental model of what software is: how it runs, evolves, and interacts with the other facets of an enterprise.
We used to view software as code. As a state of code. Now we think about software as change, as a flow. A dynamic system where people, machines, and processes interact continuously.
At Platform.sh we spend a bunch of time asking ourselves not “How do you build?” - or even “How do you build consistently?” - but rather “What does it mean to consistently build in a world where change is good?” A world that lets you push security fixes into production as soon as they’re available because you don’t want to be an Equifax but you do want stability.
In this presentation, I will go over what we think software is and why having the right ideas about software will help you get your culture right and your tooling aligned, as well as gain in productivity, and general happiness and well-being.
If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that’s not security. That’s obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications and a hundred identical safes with their combinations so that the world’s best safecrackers can study it and you still can’t open the safe, that’s security.
This document discusses making security easier and more practical. It argues that security needs to move beyond just being possible to actually being practical. It highlights several challenges, including that human factors are important but often overlooked. It proposes some solutions like making encryption and secure protocols the default instead of optional, and using cloud infrastructure to improve isolation and make compromises more survivable. The overall message is that the security community needs to come together to actually fix issues and make real improvements instead of just discussing theoretical possibilities.
The document provides an introduction to web 2.0 security from JP Bourget, who has experience in computer security, network security management, and security consulting. It discusses what constitutes web 2.0 technologies like social networks and web apps, and how they impact privacy and trust online. It then outlines 10 best practices for securing personal data on web 2.0 platforms, which include knowing what data you have, how third parties use it, maintaining strong passwords, keeping devices updated, and having backups of important files. Physical security of devices and wireless networks are also addressed.
Slides from a workshop titled Data Privacy for Activists on January 29th, 2017 for the Data Privacy PDX Meetup group.
Workshop included presentation and live demos of:
- leaked credentials
- metadata fingerprinting
- VPN use
- Encrypted Email
Major security intrusions at businesses large and small, private and government, indicate that the Internet is far less secure than most realize. After reading this, you may want to reconsider how secure your private data and information really are.
This document discusses operational security (OPSEC) best practices for security researchers. It begins by defining OPSEC and noting its importance for protecting sensitive work from adversaries. It then outlines various adversary threats, including common cybercriminals, organized groups, government agencies, and massive surveillance capabilities. The document provides guidance on implementing OPSEC at both individual and group levels, including compartmentalizing information, training others, and being careful about digital identities and tools. Key recommendations include encrypting all communications and data, using secure email, chat and phones, avoiding metadata leaks, and maintaining high OPSEC standards even internally. The overall message is that while OPSEC is difficult, researchers should start applying basic practices to protect their work and avoid becoming
Human is an amateur; the monkey is an expert. How to stop trying to secure yo... Vlad Styran
The document discusses how to properly invest in software security. It argues that fully securing software is impossible and unnecessary, and that the optimal approach is to find and fix bugs through practices like threat modeling, developer training, security testing, and bug bounties. The key is to train developers to write code that minimizes bugs and to have skilled hackers find and help remediate any issues.
Security Opportunities: A Silicon Valley VC Perspective Positive Hack Days
This document summarizes the key points from a Silicon Valley VC's perspective on security opportunities and challenges. It notes that the security landscape is increasingly complex, with state-sponsored attacks and advanced tools being used by attackers. Most enterprises do not treat security as a core part of their culture. There are many opportunities for startups in security analytics, behavioral monitoring, encryption, and translating technical security data into actionable intelligence for companies. However, the document also notes that startups themselves often have very poor security practices. It provides examples of weak security postures commonly seen in startups. The document argues that improving security should be a priority for startups in order to protect their valuable assets and avoid losing funding or having their work stolen.
Hacking the Company: Risks with carbon-based lifeforms using vulnerable systems khalavak
Hacking risks exist due to vulnerabilities in systems used by carbon-based lifeforms and software programmed by humans. Social engineering techniques that exploit human psychology remain effective means of tricking people into compromising security. Common tools are readily available to help hackers access networks and devices. Major motivations for malicious cyber activity include financial gain from cybercrime and political/ideological goals of hacktivists and nation states. Overall, humans and the software they create continue to be the weakest links that enable a variety of actors to engage in hacking activities.
First episode of the podcast at the Crossroads of Project SAFE. It's all about the first truly grass-roots internet with Secure Access For Everyone--the SAFE Network.
This is an approximate transcript of the first episode.
Check out www.safecrossroads.net for this episode and lots more stuff.
The Internet is on fire – don't just stand there, grab a bucket! Frode Hommedal
The Internet is on fire, and every connected device and user is at risk. How did we get here? By not seeing the dangers ahead, by being lazy and by not understanding the threats we are facing and the consequences of failing at building secure and robust infrastructure. This needs to change, and you need to contribute.
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security EnergySec
An interactive look at what security research means today and how we got to zero days, bug bounties, and hoodie hackers in the news. What particular skills or talents are most essential to be effective as a security researcher, and how much can we learn from the new digital anthropologist in waiting.
The article discusses Intel abandoning its "tick-tock" model of alternating new process nodes and architectures. It notes Intel will now focus on lengthening the time it uses 14nm and 10nm nodes, optimizing products for each node through architectural improvements rather than major new architectures. This signals an end to the predictable cadence Intel followed for a decade. The article also discusses how other chip makers like AMD, ARM and Nvidia improved performance and efficiency through architectural changes on the same nodes.
Webinar Security: Apps of Steel transcription Service2Media
The document summarizes the key challenges around mobile app security from a webinar on creating secure apps. It highlights issues like insecure operating systems, networks that can't be trusted, malware, and how developers are responsible for protecting users' data despite these challenges. The presenter asks how developers can create "apps of steel" that are securely designed without massive effort. The response covers mitigation strategies like secure development processes, multi-factor authentication, threat modeling, and key management.
Lecture about network and host security to NII students Akiumi Hasegawa
The document discusses securing IT environments and provides an overview of key topics in IT security. It begins with an anecdote from the author about receiving an email on New Year's Eve 1999 regarding attacks originating from their university network. The document then covers agenda items such as key terms in security, including CIA and AAA. Current security trends from the Ministry of Internal Affairs and Communication are examined, along with malware trends and the top 10 security threats. The document concludes with remarks on how to avoid malware infections through software updates, anti-malware software, firewalls, and safe email practices.
The document discusses the threats posed by government surveillance programs and provides recommendations for improving encryption and security. It summarizes the capabilities of programs like TEMPORA, BULLRUN, and QUANTUM that enable mass surveillance. It then provides an overview of cryptography basics like TLS, certificates, and cipher suites. Finally, it outlines responses to surveillance like improvements to encryption protocols and recommendations for system administrators to adopt TLS and keep software up-to-date.
Climate Impact of Software Testing at Nordic Testing Days Kari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used in optimizing or minimizing the number of tests. Test automation can be used to speed up testing.
What do a Lego brick and the XZ backdoor have in common? Speck&Tech
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the XZ backdoor case have much more in common than that.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia Association, where she was involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity for astronomy (which is where her nickname deneb_alpha comes from).
Similar to Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX 2017
First episode of the podcast at the Crossroads of Project SAFE. It's all about the first truly grass-roots internet with Secure Access For Everyone--the SAFE Network.
This is an approximate transcript of the first episode.
Check out www.safecrossroads.net for this episode and lots more stuff.
The Internet is on fire – don't just stand there, grab a bucket!Frode Hommedal
The Internet is on fire, and every connected device and user is at risk. How did we get here? By not seeing the dangers ahead, by being lazy and by not understanding the threats we are facing and the consequences of failing at building secure and robust infrastructure. This needs to change, and you need to contribute.
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityEnergySec
An interactive look at what security research means today and how we got to zero days, bug bounties, and hoodie hackers in the news. What particular skills or talents are most essential to be effective as a security researcher, and how much can we learn from the new digital anthropologist in waiting.
The article discusses Intel abandoning its "tick-tock" model of alternating new process nodes and architectures. It notes Intel will now focus on lengthening the time it uses 14nm and 10nm nodes, optimizing products for each node through architectural improvements rather than major new architectures. This signals an end to the predictable cadence Intel followed for a decade. The article also discusses how other chip makers like AMD, ARM and Nvidia improved performance and efficiency through architectural changes on the same nodes.
Webinar Security: Apps of Steel transcriptionService2Media
The document summarizes the key challenges around mobile app security from a webinar on creating secure apps. It highlights issues like insecure operating systems, networks that can't be trusted, malware, and how developers are responsible for protecting users' data despite these challenges. The presenter asks how developers can create "apps of steel" that are securely designed without massive effort. The response covers mitigation strategies like secure development processes, multi-factor authentication, threat modeling, and key management.
Lecture about network and host security to NII studentsAkiumi Hasegawa
The document discusses securing IT environments and provides an overview of key topics in IT security. It begins with an anecdote from the author about receiving an email on New Year's Eve 1999 regarding attacks originating from their university network. The document then covers agendas items like keywords in security including CIA and AAA. Current security trends from the Ministry of Internal Affairs and Communication are examined, along with malware trends and the top 10 security threats. The document concludes with remarks on how to avoid malware infections through software updates, anti-malware software, firewalls, and safe email practices.
The document discusses the threats posed by government surveillance programs and provides recommendations for improving encryption and security. It summarizes the capabilities of programs like TEMPORA, BULLRUN, and QUANTUM that enable mass surveillance. It then provides an overview of cryptography basics like TLS, certificates, and cipher suites. Finally, it outlines responses to surveillance like improvements to encryption protocols and recommendations for system administrators to adopt TLS and keep software up-to-date.
Similar to Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX 2017 (20)
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Deja vu security Adam Cecchetti - Security is a Snapshot in Time BSidesPDX 2017
1. SECURITY IS A SNAPSHOT IN TIME -
SO HOW DO WE KEEP UP?
Adam Cecchetti
Deja vu Security
2. Hello!
Adam Cecchetti
Deja vu Security : Founder, CEO
Peach Tech : Co-Founder, Chairman
CMU : M.S. Information Networking
3. Deja vu Security
Seattle based, operating since 2010
100s of App and Hardware assessments
Web, IoT, Cryptocurrency, Infrastructure, etc.
Training of developers, engineers, and teams to
better understand modern threats.
7. Deja vu. Deja vu. Deja vu. Deja vu.
Networks
Applications
Web
Cloud
Internet of Things (IoT)
“The tubes are on fire!”
“The desktop is on fire!”
“The world is on fire!”
“The sky is on fire!”
“Your pants are on fire!”
8. The Problem is Big
The first step to recovery is the hardest.
Awareness is good, but it doesn’t cure cancer.
Security issues must be found; they can’t be created.
Inherited, passed down the software gene pool.
Plentiful, defense helps but we kick over more rocks.
Random, the future is asymmetrically secured.
Polymorphic, the tools we use to build systems are
security issues.
We are going to have to start thinking differently.
10. Tick, Tock.
Data movement is a cadence to how we’ve built things.
Echoes, the ghosts of usage models past.
We leave data and code everywhere users go.
User data replicates every decade or so.
Timeline chart (t on the horizontal axis, user data alternating between Centralized and Distributed every decade or so):
Centralized: 70’s Mainframe, 90’s Web/Email, 2010 Cloud, 2030 Internet of Me
Distributed: 80’s PC, 00’s Social Networks, 2020 IoT
11. Security is a Snapshot in Time
Security is a snapshot in time.
Tomorrow is a new day full of drama on Twitter!
Today is a great day to deprecate a system.
Move user data to a safer and better place.
Hackers are unstoppable in 1995.
The closer the temporal snapshot to 1995 the better for hackers.
The person building the system decides the snapshot that is
taken.
Protocols from 1995
Libraries from 2006
Binaries from 2014
A Linux build from 2016
12. 199X
No memory defense (NX, ASLR, stack cookies, etc.)
No patching system or focus on security patches
Little to no security awareness
Default passwords, services, attack surface
The closer the clock is to 1995, the stronger the hackers.
17. Computers are Awesome!
They don’t LET you do anything.
They DO anything!
And only the things you tell them.
CPU: AMMA that’s about Machine code to Microcode
Good luck with the rest! That’s not what I do!
General computation is good; however, it means:
No reliability, no availability, no security.
This includes anything we build.
Complexity leads to side effects, and exploitation is
programming with side effects.
19. We Are at an Odd Juncture
Mobile is eating all markets just like the PC did.
User habits are changing, again.
Web ate the rest of the world.
User data flows in new directions
And lingers in the eddies.
And for those of us left that still care about general
computation we have to run unknown kernel and
firmware exploits to program our phones.
21. “Stop Putting Things on the Internet”
You might as well tell water to stop being wet.
It is free to put another computer on the Internet.
Putting a Pentium Pro in anything is free.
In 4 years putting an iPhone 1 in everything is free. Why?
Inverse of Moore’s law
24. Free Pentium Pro for Every Dishwasher
Chart “Inverse of Moore’s Law”: price (y-axis $0.00 to $1,200.00) of a 1995 Pentium Pro’s worth of compute, plotted by year from 1995 to 2022.
Putting a $1000 Pentium from 1995 in a dishwasher is free, today and every day in the future.
25. Everything is an iPhone in the near future.
Chart “iPhone”: price (y-axis $0 to $600) of a 1st Gen iPhone’s worth of transistors, plotted by year from 2007 to 2022.
Adding a 1st Gen iPhone worth of transistors to everything: $4 in 2018, free in 2022
Phrased another way adding Wifi, GSM, Bluetooth, GPU, CPU, storage, & sound to
everything is free in 2022.
26. The Internet Finally Showed Up!
The amount of air gap between our lives and the
Internet is shrinking daily.
Soon it will be gone. Good Riddance! Plug me in!
Unless you have decided to live in a cave.
And in another tick tock there’s still a chance it will have IP
enabled bat guano.
Technology is awesome!
In 5 years my self driving car will live stream.
Localized live traffic video broadcasting and viewing is
going to be a thing.
There are going to be people sitting in traffic watching
other people sit in traffic around the world.
28. Be Still My Beating Heart
The Internet of Me is coming soon
I can’t wait until my heart has an IP address
And firmware updates
And an app store to monetize!
Cardio Trainer+ 4.0
Now with Twitter Integration!
Cardio Trainer+ 4.0.1
Pushed a patch as some users were excessively twitching while
Tweeting.
Move fast and break things is not what I want for IP
addressable organs.
29. Everybody Bugs
Bugs happen.
They happen to the best.
They happen to the worst.
Imperfection is the proof of life and existence.
Mistakes are proof you actually did something.
Keep building a better future one mistake at a time
31. Start with Details
“The buffer can overflow causing a corruption of
the pointer which in turn is referenced by the vtable
to cause code to jump to a known location as a
result of ASLR being not compiled into a supporting
DLL”
“The password is P@ssw0rd!”
“User A can access the details of User B”
34. Helping People Understand w/Impact
The user’s bank account can be drained.
One person cares.
The company can no longer perform transactions.
The entire company cares.
The car performs a J-turn at 60 mph during rush hour
1 news cycle.
The plane crashes.
2 news cycles, 4 if they can’t find the plane.
The pacemaker stops and kills the user.
2 Federal Agencies + n pacemaker users care.
The power plant explodes.
People care until the lights come back on.
37. Ken
Ken /ken/ noun
“one's range of knowledge or sight”
“know”
How far you see.
How wide or narrow your focus is.
How much you understand.
How far someone else can see, focus, and understand.
42. Ken
Their Ken: I need to move 14,000 planes a day
with 300 people in them each or the global
economy stops.
My Ken: Planes can move in ways you don’t intend if
you connect them to the Internet, might even crash.
Their Ken: Customers don’t like to crash.
My Ken: Fewer planes move if they crash.
Our Ken: Let’s make new planes that are easier to
move and safer.
44. Ken
Accepting WE > I
Knowing the range of my knowledge and vision
enables me to spend our time better.
Knowing how to better understand the range of
another’s vision helps us get to shared impact faster.
Then we can start sharing details.
46. Test for Echo
You have lost if:
All you are hearing is your own words coming back.
Things you already know.
Shared exchange of ken is shared extension.
In turn it is shared vulnerability.
Sustained echo is at best rapid construction of a
chamber.
On a more than decade time scale it is slow death.
47. Details: Our Three Wins
Firewalls
Encryption
Two Factor Authentication
48. Impact: Three Extensions of Ken
Firewalls
I don’t want to run Ethernet cable in my house.
Wifi + Firewall = Win!
Encryption
I can’t make it to the bank or store today.
I need to work from home.
Commerce from home + encrypted tunnel = Win!
Two Factor Authentication
I don’t want to re-grind my character.
World of Warcraft = Win!
49. Ken: When Have We Won?
We’ve won the same way everyone else has.
When we’ve made someone’s life better they
adopted a technology.
It happened to be more secure because we spent years
working on the details.
If we want to get pedantic we used Trojan horses to
backdoor security into people’s lives.
Applying security to a shift in user behavior.
This is better!
We defined that part of being better was more secure!
50. Ken: The users
Want to do the thing and will always want to do the
thing.
Help the user keep doing the thing they want to do.
51. So how do we keep up?
Details
Impact
Ken
53. Bug: #1 Data as Code
What do Cross Site Scripting, SQL Injection, and
Buffer Overflows all have in common?
They are all data being interpreted as code.
Any place that user- or machine-controlled data is
used, interpreted, or parsed, a security issue awaits.
This is big enough to master that you can spend
multiple lifetimes right here.
We’ve actually started to make steps towards fixing
this problem in some places.
54. Bug: #2 Gamers are Going to Game
Logical Issues require someone to game the system
Must try and understand all the unexpected behavior
of the logic of the system.
Few good ways to automate testing here.
The Meta Game
Attackers will continue to go for the weakest link
Hint: It’s in 1995
Unless the time vs. reward scenario is high
or the motivation vs. reward scenario is super high
55. Bug: #3 The Secret Isn’t Secret
Password1!
Upper Lower, Numeric, Special!
Secure by most IT and Web policy!
" Or '1'='1'; --
Upper, Lower, Numeric, Special!
No key words!
16 characters!
Secure!
If not bad word jumbles then bits generated by a
machine given back to a machine!
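Bug #1 and Bug #3 share a root cause: text that was meant to be data reaches an interpreter. The Python below is an added example, not from the talk, showing the two strings on the slide passing a typical complexity policy, the injection string (written with a single quote so it matches the literal delimiter of the query; it is the same 16 characters otherwise) being parsed as SQL when concatenated but treated as a plain value when bound as a parameter, and a machine-generated secret in its place. The users table, the names and the stored values are constructed.

```python
import hmac
import secrets
import sqlite3
import string

# Constructed inputs: the two strings shown on the "Secret Isn't Secret" slide.
# The injection string uses a single quote to match the query's literal
# delimiter; it is 16 characters long, as the slide says.
HUMAN_PASSWORD = "Password1!"
INJECTION_STRING = "' Or '1'='1'; --"


def passes_policy(candidate: str, min_len: int = 8) -> bool:
    """Typical 'upper, lower, numeric, special' complexity rule.

    It scores character classes, not secrecy or intent, so it accepts a
    guessable word jumble and an SQL fragment alike.
    """
    return (
        len(candidate) >= min_len
        and any(c.isupper() for c in candidate)
        and any(c.islower() for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(c in string.punctuation for c in candidate)
    )


def demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows (plaintext placeholders,
    not how credentials should be stored; hashing is outside this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "placeholder-a"), ("bob", "placeholder-b")],
    )
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, name: str, pw: str) -> int:
    """Bug #1, data as code: user text is spliced into the statement, so the
    database parses it as SQL. Returns the number of matching rows."""
    sql = f"SELECT count(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()[0]


def login_parameterized(conn: sqlite3.Connection, name: str, pw: str) -> int:
    """Same query with bound parameters: the statement is fixed up front and
    the user text only ever reaches the engine as a value."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()[0]


def machine_secret(nbytes: int = 32) -> str:
    """Bits generated by a machine for a machine: nbytes from the OS CSPRNG,
    URL-safe base64 encoded (43 characters for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)


def verify_secret(stored: str, presented: str) -> bool:
    """Compare two machine secrets without leaking the length of any
    matching prefix through timing."""
    return hmac.compare_digest(stored.encode(), presented.encode())


if __name__ == "__main__":
    conn = demo_db()
    print("policy accepts", HUMAN_PASSWORD, passes_policy(HUMAN_PASSWORD))
    print("policy accepts injection string:", passes_policy(INJECTION_STRING, 16))
    print("concatenated, unknown user:", login_concatenated(conn, "nobody", INJECTION_STRING))
    print("parameterized, unknown user:", login_parameterized(conn, "nobody", INJECTION_STRING))
    print("machine secret:", machine_secret())
```

The concatenated query matches every row for an unknown user, while the parameterized one matches none; the same policy that waves both strings through rejects a long lowercase passphrase.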
56. Bug: #4 The thing is in the wrong place
What is this?
Wait, why is this here?
This shouldn’t be here!
OMG WHY IS THIS HERE
System, person, information in the wrong place.
Sensitive data management
Asset management
Physical Pen Tests
Etc
57. To Master Impact
See the system as a graph of lists sorted by time.
Know what matters in the system.
Use the details to break the system.
When the system will not break change the game.
61. To Master Ken
Know yourself and share ideas and creations.
Ask to know and understand others.
Use impacts to connect yourself to others faster.
Seek the patterns that allow you to extend your vision
and knowledge.
Use details to demonstrate impacts.
Never start with details.
62. To Master Ken
In cooperation:
Use your ken to help others see what they cannot.
Ask to be shown what you cannot see.
In conflict:
Find the blind spots.
Where someone is blind they cannot defend.
64. Ken: Test for Echo
Step out of the echo chamber from time to time.
Find people who have problems in different
industries you’ll never have.
Listen to them.
See how much you can share, but more importantly
see what comes back when you do.
65. So How To Keep Up?
Understand what Snapshot you need to take (Ken)
and how often you need to take it. (Impact) Then
start to secure it by building tomorrow (Details).
Let the past go when you can.
Pull out the oldest versions when you can.
Build a better tomorrow and ask people to help you
convince others to adopt it.
Ask yourself: do you want to keep clawing away
from 1995 or start building a better 2020?
66. Takeaways
Security is a snapshot in time
That snapshot is part ken, impact, and details.
Building a better tomorrow can build a more secure
tomorrow.
Building a better tomorrow requires more than
details and impact.
It requires understanding of your own ken to start.
I hope this talk has extended yours.