2. First a Disclaimer…
• It isn’t my fault if in your exploration you intentionally or inadvertently do something BAD to your system.
• I will try to give enough info to suggest good search terms for independent exploration if this interests you. I am not trying to create any sort of definitive guide or suggesting this is a best or even good way to accomplish a task.
• You wouldn’t use a circular saw without knowing how it works. Using shell commands and executing JavaScript from the address bar of your browser is a lot like playing with power tools. You probably will not lose a thumb but there is a likelihood of pain nonetheless.
3. Spam
Everybody gets it, some is obvious, some a little more sneaky, and occasionally an email with actual value ends up caught in the email client’s spam net.
The screen grab is from MS Outlook, which will show you just the text, not the HTML. NO CLICKING LINKS!
My example has lots of signs it is garbage and should be set to e-oblivion:
• Do you really think that is a Google team addy?
• This is not the format I give out for my email (Gmail allows mixed caps and dots, like sT.eve.pOte, so I can see who sells me out)
• Delayed email at some blog URL? C’mon. (This is the URL I will use for an example)
• No opt out? Not even one with a malicious addy behind it? They aren’t even trying… (an opt out is required by US law and legit businesses using mass mailings will always have a means to tell them to stop)
4. cURL, short version and a headstart
curl -L -v -A "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" http://somewhere.com
The switches
-L follow redirects (if the response sends you immediately elsewhere. There are legitimate uses like URL shorteners such as goo.gl and bit.ly, but these are also good places to hide bad things.)
-v verbose (I always like verbose output… in this case there is more info about the connects, disconnects and redirects)
-A user agent string to send (cURL pretends to be a browser by sending a browser’s info. The example uses a pretty common string to make it an attractive target.)
5. Here we go…
• Verbose text followed by the HTML of what you would see in your browser if you had clicked the link…
6. …after some gibberish
Most of what was returned was probably a “Markov string”, basically random-esque text with grammatical rules to fool ISPs and others (like spam filters and web crawlers) into believing the target is legit. When an email slips by your filter with total nonsense in the body it is probably a Markov string, and very hard to catch because each email can be made with unique content, including highly relevant individual words.
7. …the part we are really after
• JavaScript at the bottom… it is at the bottom so the rest of the page will load before potential errors or things that might catch malicious scripts
• Mileage may vary. This example creates a string from ASCII character codes that have been shifted by -73 places. (I will break that down better later.) Base 64 encoding is another common technique I have encountered often (there are legit business reasons to encode strings, I will show you how to check them too).
8. Magic Happens Here…
• I find JavaScript to be pretty human readable, but for this example I cheated with Excel…
• I needed the ASCII numbers minus 73 (subtract 73 from each code in the script to get the real character codes)
• Then ran String.fromCharCode in a browser address bar (don’t do this at home, not everything is harmless)
• javascript:alert(String.fromCharCode(119,105,110,100,111,119,46,116,111,112,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,39,104,116,116,112,58,47,47,115,109,97,114,116,112,105,108,108,115,118,97,108,117,101,46,114,117,39,59));
• If you can write JavaScript you can neuter the function like this… rather than returning the malicious command it alerts with its text.
9. Oh, good…another scary link
• Here is the output of our example using the Chrome browser’s address bar
• This JavaScript command redirects your browser to the link inside.
• Anecdotally, most of the time this is abusing Google Analytics by creating false hits… opens a couple of valid pages, closes and moves on.
• Every so often there is something nastier, tracking cookies (mild) or some more virulent web-herpes.
• Drop this URL into cURL and repeat if you dare.
10. A last tidbit or…
d2luZG93LnRvcC5sb2NhdGlvbi5ocmVmPSdodHRwczovL3NvbWVldmlsYmFzdGFyZC5jb20n
…for short
• Base 64 encoding has honest upstanding uses
• JavaScript has built-in functions to encode (window.btoa()) and decode (window.atob())
• I use them to send secret messages ;-)
• They can also hide malicious intent
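The decoding slides 8 and 10 do by hand (Excel plus the address bar) can be done statically, so nothing from the fetched page is ever executed. This is an added Node.js example, not from the original slides: it pulls shifted String.fromCharCode lists and atob('...') arguments out of saved HTML and decodes them with plain string and Buffer operations; the +73 shift, the redirect string and the example.invalid host are constructed fixtures.

```javascript
// Added example (not from the slides): statically decode the two obfuscation
// styles the deck shows, shifted String.fromCharCode lists and base64 passed
// to atob, without evaluating any JavaScript from the fetched page.

// Constructed placeholder redirect; the real page's target is not used here.
const PLACEHOLDER = "window.top.location.href='http://example.invalid/';";

// Constructed fixture 1: every char code shifted UP by 73, like the spam page.
const SHIFTED_SCRIPT =
  "<script>eval(String.fromCharCode(" +
  [...PLACEHOLDER].map((c) => c.charCodeAt(0) + 73).join(",") +
  "));</script>";

// Constructed fixture 2: the same redirect wrapped in eval(atob('...')).
const B64_SCRIPT =
  "<script>eval(atob('" + Buffer.from(PLACEHOLDER).toString("base64") + "'));</script>";

// Pull every numeric argument list out of String.fromCharCode(...) calls.
function extractCharCodes(html) {
  const re = /String\.fromCharCode\s*\(\s*([\d\s,]+)\)/g;
  return [...html.matchAll(re)].map((m) => m[1].split(",").map((n) => parseInt(n, 10)));
}

// Undo an additive shift; a non-printable result means the guess was wrong.
function decodeShifted(codes, shift) {
  const chars = codes.map((n) => n - shift);
  if (chars.some((c) => c < 32 || c > 126)) return null;
  return String.fromCharCode(...chars);
}

// Brute-force the shift (the deck's case is 73) and keep the first result
// that decodes to something JavaScript-like.
function findShift(codes) {
  for (let shift = 0; shift <= 200; shift++) {
    const text = decodeShifted(codes, shift);
    if (text && /location|http|eval|document/.test(text)) return { shift, text };
  }
  return null;
}

// Decode every atob('...') argument with Buffer instead of the browser API.
function decodeAtobCalls(html) {
  const re = /atob\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g;
  return [...html.matchAll(re)].map((m) => Buffer.from(m[1], "base64").toString("utf8"));
}

// Pull the destination URL out of a decoded redirect for blocklisting/alerting.
function redirectTarget(js) {
  const m = js.match(/location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/);
  return m ? m[1] : null;
}
```

Feed it the HTML that cURL saved, and compare the recovered URL against the one in the email before anything is visited.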
11. Links for the curious
• cURL man page - http://curl.haxx.se/docs/manpage.html
• Opt out/Spam laws - https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business
• Markov strings - https://en.wikipedia.org/wiki/Markov_algorithm
• atob – https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/atob
• JavaScript from the address bar - http://www.wikihow.com/Have-Fun-With-Your-Address-Bar-on-Your-Browser
• Base 64 encoding - https://www.base64decode.org
• Me, especially if you are looking for a full stack ‘white hat’ - https://www.linkedin.com/in/steve-pote-61b02b103