The document discusses using Vagrant and cloud platforms like GCP to develop and deploy applications from development to production. It introduces Vagrant as a tool for setting up and managing development environments and shows how to use Vagrant with FreeBSD. It then demonstrates provisioning a FreeBSD VM on GCP and discusses identity and access management on the cloud platform. The document aims to provide an overview of using Vagrant for development and cloud platforms like GCP for production deployments.
What we Learned Implementing Puppet at BackstopPuppet
"What We Learned Implementing Puppet at Backstop" by Bill Weiss at Puppet Camp Chicago 2013. Learn about upcoming Puppet Camps at http://puppetlabs.com/community/puppet-camp/
Hadoop meet Rex(How to construct hadoop cluster with rex)Jun Hong Kim
This document discusses using Rex to easily install and configure a Hadoop cluster. It begins by introducing Rex and its capabilities. Various preparation steps are described, such as installing Rex, generating SSH keys, and creating user accounts. Tasks are then defined using Rex to install software like Java, download Hadoop source files, configure hosts files, and more. The goals are to automate the entire Hadoop setup process and eliminate manual configuration using Rex's simple yet powerful scripting abilities.
Distributed Developer Workflows using GitSusan Potter
This meetup I will be walking the audience through how to setup, configure and maintain distributed development workflows using Git (the distributed VCS developers either love or hate). Much of the workflows suggested here will be applicable to other dVCSes like Mercurial, Darcs and Bazaar.
Lights, Camera, Docker: Streaming Video at DramaFeverbridgetkromhout
Bridget Kromhout gave a presentation on how her company DramaFever uses Docker for streaming video. They run Docker in production and have seen peak loads of tens of thousands of requests per second. They use Docker, AWS, and other technologies to build and deploy images automatically and scale their infrastructure elastically. Bridget discussed challenges they faced with Docker and solutions like changing the storage driver and registry configuration to address issues with builds and image pulls failing.
Puppet getting started will show the different components used in puppet environments, starting with facter and puppet to different webinterfaces like puppet enterprise console and foreman. It will also cover an exemplary design for scaling the puppet master and for development livecycle of modules. Furthermore an example for design of modules will be given.
The document describes the author's experience deploying and configuring Varnish caching at Opera over many years. Some key points discussed include:
- Initial deployment in 2009 caching static assets for My Opera, which grew to serve 15% of requests
- Troubleshooting issues like session mixing and unauthorized access
- Implementing caching for dynamic pages like the front page while respecting cookies and languages
- Decentralizing caching to multiple data centers for lower latency globally
- Generating and caching thumbnails on-the-fly to handle frequent design changes
- Developing a more generic "shields-up" configuration to cache unpopular content securely
- Ongoing work caching APIs and content on other
How we use Varnish at Opera Software, from the beginning (2009) to now.
Presentation hold for the 5th Varnish Users Group meeting (VUG5) held in Paris on March 22nd 2012.
The document discusses using Vagrant and cloud platforms like GCP to develop and deploy applications from development to production. It introduces Vagrant as a tool for setting up and managing development environments and shows how to use Vagrant with FreeBSD. It then demonstrates provisioning a FreeBSD VM on GCP and discusses identity and access management on the cloud platform. The document aims to provide an overview of using Vagrant for development and cloud platforms like GCP for production deployments.
What we Learned Implementing Puppet at BackstopPuppet
"What We Learned Implementing Puppet at Backstop" by Bill Weiss at Puppet Camp Chicago 2013. Learn about upcoming Puppet Camps at http://puppetlabs.com/community/puppet-camp/
Hadoop meet Rex(How to construct hadoop cluster with rex)Jun Hong Kim
This document discusses using Rex to easily install and configure a Hadoop cluster. It begins by introducing Rex and its capabilities. Various preparation steps are described, such as installing Rex, generating SSH keys, and creating user accounts. Tasks are then defined using Rex to install software like Java, download Hadoop source files, configure hosts files, and more. The goals are to automate the entire Hadoop setup process and eliminate manual configuration using Rex's simple yet powerful scripting abilities.
Distributed Developer Workflows using GitSusan Potter
This meetup I will be walking the audience through how to setup, configure and maintain distributed development workflows using Git (the distributed VCS developers either love or hate). Much of the workflows suggested here will be applicable to other dVCSes like Mercurial, Darcs and Bazaar.
Lights, Camera, Docker: Streaming Video at DramaFeverbridgetkromhout
Bridget Kromhout gave a presentation on how her company DramaFever uses Docker for streaming video. They run Docker in production and have seen peak loads of tens of thousands of requests per second. They use Docker, AWS, and other technologies to build and deploy images automatically and scale their infrastructure elastically. Bridget discussed challenges they faced with Docker and solutions like changing the storage driver and registry configuration to address issues with builds and image pulls failing.
Puppet getting started will show the different components used in puppet environments, starting with facter and puppet to different webinterfaces like puppet enterprise console and foreman. It will also cover an exemplary design for scaling the puppet master and for development livecycle of modules. Furthermore an example for design of modules will be given.
The document describes the author's experience deploying and configuring Varnish caching at Opera over many years. Some key points discussed include:
- Initial deployment in 2009 caching static assets for My Opera, which grew to serve 15% of requests
- Troubleshooting issues like session mixing and unauthorized access
- Implementing caching for dynamic pages like the front page while respecting cookies and languages
- Decentralizing caching to multiple data centers for lower latency globally
- Generating and caching thumbnails on-the-fly to handle frequent design changes
- Developing a more generic "shields-up" configuration to cache unpopular content securely
- Ongoing work caching APIs and content on other
How we use Varnish at Opera Software, from the beginning (2009) to now.
Presentation hold for the 5th Varnish Users Group meeting (VUG5) held in Paris on March 22nd 2012.
This document provides an introduction to using Ansible in a top-down approach. It discusses using Ansible to provision infrastructure including load balancers, application servers, and databases. It covers using ad-hoc commands and playbooks to configure systems. Playbooks can target groups of hosts, apply roles to automate common tasks, and allow variables to customize configurations. Selective execution allows running only certain parts of a playbook. Overall the document demonstrates how Ansible can be used to deploy and manage infrastructure and applications in a centralized, automated way.
This document summarizes a talk about using the version control system Bazaar for freelance work. It discusses the problems with current version naming conventions like index.version080912fb.inc. It provides an overview of Bazaar and how it allows more flexibility in file submission compared to other systems. It also outlines the topics that will be covered, including an overview of popular version control systems, how Bazaar can tie together multiple projects and computers, and the basics of setting up a Bazaar system.
Manage and Deploy your sites with DrushAmazee Labs
Drush is not only awesome for managing your local Drupal site, with site aliases you can manage Drupal sites on remote servers without logging in via SSH!
With Drush Deploy you even can deploy sites on multiple servers fully automated with one tool we all aready know: Drush, no other additional library like Capistrano needed!
In this Session we will present how to setup Drush to work with remote sites, what is possible and what we use in our daily business.
Then we will dig deeper into Drush Deploy: how it works, what it does and show how to set it up to deploy a drupal site on multiple servers with a single command, with automated backups, database updates, cache clears and even rollback functionalities.
Mining Ruby Gem vulnerabilities for Fun and No Profit.Larry Cashdollar
The document discusses mining Ruby gems for vulnerabilities. It describes how the author downloaded Ruby gems from an online repository, examined the code for vulnerabilities like command injection and exposed credentials, documented findings, and sought to automate and crowdsource the process. Issues encountered included a large number of false positives and lack of response from gem authors. The author proposes expanding the approach to other programming languages and libraries.
Sprockets is an easy solution to managing large JavaScript codebases by letting you structure it, bundle it with related assets, and consolidate it as one single file, with pre-baked command-line tooling, CGI front and Rails plugin. It's a framework-agnostic open-source solution that makes for great serving performance while helping you structure and manage your codebase better.
This document discusses Docker and provides an introduction and overview. It introduces Docker concepts like Dockerfiles, commands, linking containers, volumes, port mapping and registries. It also discusses tools that can be used with Docker like Fig, Baseimage, Boot2Docker and Flynn. The document provides examples of Dockerfiles, commands and how to build, run, link and manage containers.
This document discusses various software exploits, both old and new. It begins with background on the author and terminology used. Several specific past exploits are described in detail, including vulnerabilities in IRIX Midikeys from 1999, Sawmill from 2000, and Solaris catman from 2000. Exploit code examples are provided. More recent exploits discussed include a race condition in Centrify from 2012, command injection in an FTP server from 2013, SQL injection in WordPress software from 2015, and remote file inclusion in another WordPress plugin from 2015. The document concludes by soliciting any questions.
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
The document summarizes the speaker's process of attempting to discover cross-site scripting (XSS) vulnerabilities in WordPress plugins. He downloaded over 42,000 plugins and used scripts to scan them for potential XSS issues. This yielded around 1,300 potential vulnerabilities, which he tried to verify automatically using PhantomJS. However, due to issues like WordPress sanitization of GET/POST variables, he was only able to verify a small fraction. He learned that fully testing vulnerabilities requires reproducing the full environment. While the effort found some real issues, he realized more careful research and validation was needed.
Как мы взломали распределенные системы конфигурационного управленияPositive Hack Days
В лекции речь пойдет о том, как команда исследователей обнаружила и эксплуатировала уязвимости различных систем конфигурационного управления в ходе пентестов. Авторы представят различные инструменты распределенного управления конфигурациями, например Apache ZooKeeper, HashiCorp Consul и Serf, CoreOS Etcd; расскажут о способах создания отпечатков этих систем, а также о том, как использовать в своих целях типичные ошибки в конфигурации для увеличения площади атак.
This document provides best practices for using Ansible including:
- Break projects into common basics, specific configurations, non-standard software, and ad-hoc scripts.
- Reduce scope so each piece works within its own domain without touching unrelated areas.
- Name things properly to increase understandability.
- Use Ansible lint to catch errors and improve code quality.
- Use shell and command modules carefully and ensure idempotency or ability to detect changes.
- Maintain staging environments that closely mimic production to test changes.
Efficient DBA: Gain Time by Reducing Command-Line KeystrokesSeth Miller
Database Administrators running databases on Linux spend a vast majority of their time in the command line interface. Changing environment settings, moving through directories, typing out and executing lengthy commands, and manipulating files requires valuable keystrokes and time. The rule of thumb for an efficient DBA should be that any command executed more than once per day should be reduced to four characters or less. This presentation reviews techniques to dramatically reduce the amount of time Database Administrators spend typing commands by using shell features and scripting to do the work for them.
Embedded software development using BDDItamar Hassin
This presentation makes the case for BDD in general and focuses on its use within embedded software development. Using the Cucumber gem, I will demonstrate how to use feature files in the context of working with embedded hardware projects, and explain how to extend the framework using the Wire protocol to allow integration tests to run in-situ, which greatly enhances testing coverage compared to PC-based testing using emulators.
I also cover the notion of a SpecFlow gateway, with which one can achieve end-to-end testing with a variety of devices as an orchestration mechanism for broader tests.
Vincent Ruijter - ~Securing~ Attacking Kuberneteshacktivity
This talks' focus lays on a popular containerization tool called Kubernetes. Common implementations of Kubernetes are not secure by default and a lot of information about hardening is not known to the public. Since version 1.7 the security level has increased and common security misconfigurations have been mitigated. During this talk it will be demonstrated what happens if these mitigations are not applied and how to abuse them. The talk will be about both securing and attacking the platform and could be considered a 'purple team' talk. Multiple live demos are planned, most of them ending in a guest-to-host escape and a root shell.
Puppet Conf 2012 - Managing Network Devices with PuppetNan Liu
This document discusses managing network devices with Puppet. It covers using the Puppet Proxy Agent to retrieve device plugins and catalogs from the Puppet Master and apply device resources. It also demonstrates defining resources like F5 pools and members in Puppet manifests and using Puppet to compose network services across devices. The document explores issues around exporting dynamic resources from devices and querying the Puppet catalog and database.
Testing your infrastructure with litmusBram Vogelaar
We have been able to test our puppet modules using rspec-puppet and
serverspec for a while now and the quality of our code is improving because
of it. This talk will introduce the new kid on the block litmus. This talk will show you how
to use litmus to test puppet modules and how to convert your existing modules to make use of litmus.
->Introduction
->>What is Ansible?
->>Ansible history
->Basic concepts
->>Inventory
->>Playbook
->>Role
->>Module
->>Plugin
->Diving into Ansible roles
->>Getting started
->>Create a role
->>Roles under the hood
->>How to use roles?
This document discusses best practices for using Ansible for automation and configuration management. It recommends writing reusable roles with atomic and well-parameterized configuration, keeping roles in separate Git repositories, and using defaults instead of variables where possible. It also presents three patterns for using Ansible: a single playbook with hierarchical variables, configuration encoders to support multiple file formats, and using an Android repo script to manage multiple environments and versions of roles continuously.
A talk on how system engineers and administrators, the people who maintain the infrastructure of the internet and who write a lot of code without (usually) having any training in software engineering practices, can improve their tools. Originally given at NYCBug in June 2009.
This document provides an introduction to using Ansible in a top-down approach. It discusses using Ansible to provision infrastructure including load balancers, application servers, and databases. It covers using ad-hoc commands and playbooks to configure systems. Playbooks can target groups of hosts, apply roles to automate common tasks, and allow variables to customize configurations. Selective execution allows running only certain parts of a playbook. Overall the document demonstrates how Ansible can be used to deploy and manage infrastructure and applications in a centralized, automated way.
This document summarizes a talk about using the version control system Bazaar for freelance work. It discusses the problems with current version naming conventions like index.version080912fb.inc. It provides an overview of Bazaar and how it allows more flexibility in file submission compared to other systems. It also outlines the topics that will be covered, including an overview of popular version control systems, how Bazaar can tie together multiple projects and computers, and the basics of setting up a Bazaar system.
Manage and Deploy your sites with DrushAmazee Labs
Drush is not only awesome for managing your local Drupal site, with site aliases you can manage Drupal sites on remote servers without logging in via SSH!
With Drush Deploy you even can deploy sites on multiple servers fully automated with one tool we all aready know: Drush, no other additional library like Capistrano needed!
In this Session we will present how to setup Drush to work with remote sites, what is possible and what we use in our daily business.
Then we will dig deeper into Drush Deploy: how it works, what it does and show how to set it up to deploy a drupal site on multiple servers with a single command, with automated backups, database updates, cache clears and even rollback functionalities.
Mining Ruby Gem vulnerabilities for Fun and No Profit.Larry Cashdollar
The document discusses mining Ruby gems for vulnerabilities. It describes how the author downloaded Ruby gems from an online repository, examined the code for vulnerabilities like command injection and exposed credentials, documented findings, and sought to automate and crowdsource the process. Issues encountered included a large number of false positives and lack of response from gem authors. The author proposes expanding the approach to other programming languages and libraries.
Sprockets is an easy solution to managing large JavaScript codebases by letting you structure it, bundle it with related assets, and consolidate it as one single file, with pre-baked command-line tooling, CGI front and Rails plugin. It's a framework-agnostic open-source solution that makes for great serving performance while helping you structure and manage your codebase better.
This document discusses Docker and provides an introduction and overview. It introduces Docker concepts like Dockerfiles, commands, linking containers, volumes, port mapping and registries. It also discusses tools that can be used with Docker like Fig, Baseimage, Boot2Docker and Flynn. The document provides examples of Dockerfiles, commands and how to build, run, link and manage containers.
This document discusses various software exploits, both old and new. It begins with background on the author and terminology used. Several specific past exploits are described in detail, including vulnerabilities in IRIX Midikeys from 1999, Sawmill from 2000, and Solaris catman from 2000. Exploit code examples are provided. More recent exploits discussed include a race condition in Centrify from 2012, command injection in an FTP server from 2013, SQL injection in WordPress software from 2015, and remote file inclusion in another WordPress plugin from 2015. The document concludes by soliciting any questions.
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
The document summarizes the speaker's process of attempting to discover cross-site scripting (XSS) vulnerabilities in WordPress plugins. He downloaded over 42,000 plugins and used scripts to scan them for potential XSS issues. This yielded around 1,300 potential vulnerabilities, which he tried to verify automatically using PhantomJS. However, due to issues like WordPress sanitization of GET/POST variables, he was only able to verify a small fraction. He learned that fully testing vulnerabilities requires reproducing the full environment. While the effort found some real issues, he realized more careful research and validation was needed.
Как мы взломали распределенные системы конфигурационного управленияPositive Hack Days
В лекции речь пойдет о том, как команда исследователей обнаружила и эксплуатировала уязвимости различных систем конфигурационного управления в ходе пентестов. Авторы представят различные инструменты распределенного управления конфигурациями, например Apache ZooKeeper, HashiCorp Consul и Serf, CoreOS Etcd; расскажут о способах создания отпечатков этих систем, а также о том, как использовать в своих целях типичные ошибки в конфигурации для увеличения площади атак.
This document provides best practices for using Ansible including:
- Break projects into common basics, specific configurations, non-standard software, and ad-hoc scripts.
- Reduce scope so each piece works within its own domain without touching unrelated areas.
- Name things properly to increase understandability.
- Use Ansible lint to catch errors and improve code quality.
- Use shell and command modules carefully and ensure idempotency or ability to detect changes.
- Maintain staging environments that closely mimic production to test changes.
Efficient DBA: Gain Time by Reducing Command-Line KeystrokesSeth Miller
Database Administrators running databases on Linux spend a vast majority of their time in the command line interface. Changing environment settings, moving through directories, typing out and executing lengthy commands, and manipulating files requires valuable keystrokes and time. The rule of thumb for an efficient DBA should be that any command executed more than once per day should be reduced to four characters or less. This presentation reviews techniques to dramatically reduce the amount of time Database Administrators spend typing commands by using shell features and scripting to do the work for them.
Embedded software development using BDDItamar Hassin
This presentation makes the case for BDD in general and focuses on its use within embedded software development. Using the Cucumber gem, I will demonstrate how to use feature files in the context of working with embedded hardware projects, and explain how to extend the framework using the Wire protocol to allow integration tests to run in-situ, which greatly enhances testing coverage compared to PC-based testing using emulators.
I also cover the notion of a SpecFlow gateway, with which one can achieve end-to-end testing with a variety of devices as an orchestration mechanism for broader tests.
Vincent Ruijter - ~Securing~ Attacking Kuberneteshacktivity
This talks' focus lays on a popular containerization tool called Kubernetes. Common implementations of Kubernetes are not secure by default and a lot of information about hardening is not known to the public. Since version 1.7 the security level has increased and common security misconfigurations have been mitigated. During this talk it will be demonstrated what happens if these mitigations are not applied and how to abuse them. The talk will be about both securing and attacking the platform and could be considered a 'purple team' talk. Multiple live demos are planned, most of them ending in a guest-to-host escape and a root shell.
Puppet Conf 2012 - Managing Network Devices with PuppetNan Liu
This document discusses managing network devices with Puppet. It covers using the Puppet Proxy Agent to retrieve device plugins and catalogs from the Puppet Master and apply device resources. It also demonstrates defining resources like F5 pools and members in Puppet manifests and using Puppet to compose network services across devices. The document explores issues around exporting dynamic resources from devices and querying the Puppet catalog and database.
Testing your infrastructure with litmusBram Vogelaar
We have been able to test our puppet modules using rspec-puppet and
serverspec for a while now and the quality of our code is improving because
of it. This talk will introduce the new kid on the block litmus. This talk will show you how
to use litmus to test puppet modules and how to convert your existing modules to make use of litmus.
->Introduction
->>What is Ansible?
->>Ansible history
->Basic concepts
->>Inventory
->>Playbook
->>Role
->>Module
->>Plugin
->Diving into Ansible roles
->>Getting started
->>Create a role
->>Roles under the hood
->>How to use roles?
This document discusses best practices for using Ansible for automation and configuration management. It recommends writing reusable roles with atomic and well-parameterized configuration, keeping roles in separate Git repositories, and using defaults instead of variables where possible. It also presents three patterns for using Ansible: a single playbook with hierarchical variables, configuration encoders to support multiple file formats, and using an Android repo script to manage multiple environments and versions of roles continuously.
A talk on how system engineers and administrators, the people who maintain the infrastructure of the internet and who write a lot of code without (usually) having any training in software engineering practices, can improve their tools. Originally given at NYCBug in June 2009.
Safely Drinking from the Data WaterhoseJan Schaumann
An ingite talk given at DataGotham 2012 about how we extract security related events and alerts from our logs. I repeated the same talk at DevOpsDays NYC 2013.
A Choose Your Own Adventure for Devs, Ops, and other Humans
Given at ConFoo Vancouver 2016.
Write-up will be posted at https://www.netmeister.org/blog/opsec101.html
Python Pants Build System for Large CodebasesAngad Singh
This talk is geared towards Infrastructure and system engineers who are interested in learning about structuring a large monorepo codebase, consisting of multiple micro services that share many dependencies. This talk will introduce Pants as a build system for such large monolithic codebase and how it ties with today’s container ecosystem principles.
https://pycon.sg/schedule/presentation/73/
This is an excerpt from my talk "Startup DNA" (http://www.slideshare.net/brikis98/startup-dna) that just focuses on the "Speed Wins" concept. For more info, check out my book "Hello, Startup: A Programmer's Guide to Building Products, Technologies, and Teams" at http://www.hello-startup.net.
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolJan Schaumann
'Always wear underwear' and other practical advice for Computer Science students.
A transcript of the talk is available at www.netmeister.org/blog/semper-ubi-sub-ubi.html
A guide to hiring based on my book, "Hello, Startup". Learn who to hire, where to find them, how to interview them, and how to make an offer they can't refuse.
Recording: https://www.youtube.com/watch?v=jaSmYLymc0U
Book: http://www.hello-startup.net
To go faster in a car, you need not only a powerful engine, but also safety mechanisms like brakes, air bags, and seat belts. This is a talk about the safety mechanisms that allow you to build software faster. It's based on the book "Hello, Startup" (http://www.hello-startup.net/). You can find the video of the talk here: https://www.youtube.com/watch?v=4fKm6ImKml8
Video: https://www.youtube.com/watch?v=b6yLwvNSDck
Here's the showdown you've been waiting for: Node.js vs Play Framework. Both are popular open source web frameworks that are built for developer productivity, asynchronous I/O, and the real time web. But which one is easier to learn, test, deploy, debug, and scale? Should you pick Javascript or Scala? The Google v8 engine or the JVM? NPM or Ivy? Grunt or SBT? Two frameworks enter, one framework leaves.
This is the English version of the presentation. For the version with Japanese subtitles, see http://www.slideshare.net/brikis98/nodejs-vs-play-framework-with-japanese-subtitles
This talk is a very quick intro to Docker, Terraform, and Amazon's EC2 Container Service (ECS). In just 15 minutes, you'll see how to take two apps (a Rails frontend and a Sinatra backend), package them as Docker containers, run them using Amazon ECS, and to define all of the infrastructure-as-code using Terraform.
Startup DNA: the formula behind successful startups in Silicon Valley (update...Yevgeniy Brikman
[Updated May 5, 2017] "Successful startups are all alike; every unsuccessful startup is unsuccessful in its own way." These are my personal observations on a few traits that make startups successful. You can find a video of the talk at https://www.youtube.com/watch?v=z_D9oXCK2lM and the book at http://www.hello-startup.net/.
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Yevgeniy Brikman
This is a talk about managing your software and infrastructure-as-code that walks through a real-world example of deploying microservices on AWS using Docker, Terraform, and ECS.
Every startup begins with an idea. This is a talk on how to come up with startup ideas and how to use validation to pick the ones worth working on. It's based on the book "Hello, Startup" (http://www.hello-startup.net/). You can find the video of the talk here: https://www.youtube.com/watch?v=GkmiE8d_5Pw
Talk given to BCN sudoers on 2013-11-05. Introduction to the ansible configuration management tool. Great to automate reproducible installations and setup.
Webinar: Automate IBM Connections Installations and morepanagenda
IBM Connections pink is based on Conductor for Containers, which provides a collection of tools to work with Docker containers and Kubernetes. To manage containers in large environments, lots of DevOps are using Ansible (an agentless software to automate administration tasks).
So why not use these tools to prepare your Connections operating system, like creating users, adding security settings or install all necessary packages to deploy DB2, Installation Manager, and WebSphere Application Server? Or use one of the available roles or tasks to automate even the installation of WebSphere, create cell and profiles …
In this session, you get the basics of Ansible and some hands-on to start the learning journey into ‘cloud’ based software management.
This document provides instructions for installing the Nginx web server from source on Linux. It describes downloading the source code, verifying the signature, compiling it with make, and installing. It also covers configuring Nginx's directories and files, updating to a new version, and configuring a Yum repository to install via package manager.
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
This document discusses identifying and exploiting vulnerabilities in consumer routers. It provides examples of analyzing firmware from various router models, including the (--E)-LINK DIR-120 and DIR-300, to gain unauthorized access. Methods discussed include reverse engineering firmware, exploiting services like telnet that are exposed without authentication, and modifying the read-only filesystem. The document also talks about using these compromised routers as bots for botnets performing activities like DDoS attacks, cryptocurrency mining, and spam/phishing campaigns. It provides examples of real botnets like Psyb0t that have exploited routers.
stackconf 2020 | Speeding up Linux disk encryption by Ignat KorchaginNETWAYS
Encrypting data at rest is a must-have for any modern SaaS company. And if you run your software stack on Linux, LUKS/dm-crypt [1] is the usual go-to solution. However, as the storage becomes faster, the IO latency, introduced by dm-crypt becomes rather noticeable, especially on IO intensive workloads.
At first glance it may seem natural, because data encryption is considered an expensive operation. But most modern hardware (specifically x86 and arm64) platforms have hardware optimisations to make encryption fast and less CPU intensive. Nevertheless, even on such hardware transparent disk encryption performs quite poorly.
A massive attack was revealed that exploited the Shellshock vulnerability in QNAP NAS devices. The attackers deployed a payload that patched the vulnerability, armed the devices for DDOS attacks, and installed a scanner to search for more vulnerable devices. Over 500 compromised devices were detected. The payload installed a backdoor that could control the armed devices for DDOS attacks through IRC commands.
Jaime Piña, @variadico, Software Engineer at Apcera
Microservice issues are networking issues. Fixing code in your app is easy, but the hard part of using microservices is the networking. How do you actually know if you're sending what you think you are? Why does this request fail in my app, but not when I use curl? Is this service very slow or is it up at all?
This talk will help demystify some common problems you might experience while building out your collection of microservices. Once you can find the issue, it becomes way easier to fix.
Yahoo!'s Frontend Seminar, Dec 2007. I gave this as an introduction to the command line for frontend developers. It's basically unix 101, covering topics like passwordless ssh, shell scripting, and basic unix foundations.
Copying files between linux machines using scp and ssh without linux user pas...Ravi Kumar Lanke
This document provides instructions for copying files between Linux machines using scp and ssh without passwords. It describes generating an SSH key pair on both machines, copying the public key to the authorized_keys file on the destination server. It then explains how to use the scp command along with the private key to copy files from the source server to a destination directory on the destination server. It also provides a cron job example to automatically copy files from the source server to the destination server every two minutes.
An attacker was able to gain access to an internal network by phishing a secretary's smartphone. They then used lateral movement techniques like pass-the-hash to escalate privileges and access sensitive files. This included obtaining Domain Admin credentials for the "adm.arazzi" user. The attacker was ultimately able to exfiltrate data and establish persistence on the network.
Approach to find critical vulnerabilitiesAshish Kunwar
The document discusses an approach to finding critical vulnerabilities through reconnaissance techniques like port scanning, content discovery, and searching for unprotected assets. It provides 4 examples of vulnerabilities found, including taking over an unauthenticated Elastic search, leaking Kibana credentials, exploiting SSRF to achieve remote code execution via Ghostscript, and cracking an IKE hash to access a vulnerable VPN. The presentation aims to demonstrate methods for vulnerability research and responsible disclosure of issues found.
Basic presentation of cryptography mechanismsMarian Marinov
This document summarizes Marian Marinov's presentation on cryptography. It discusses password cracking using John the Ripper, analyzing languages using frequency analysis to crack codes like the Enigma machine. It also covers chosen plaintext/ciphertext attacks, known plaintext attacks, and how these were used to crack protocols like SSL. Common attacks on SSL like BEAST, CRIME, and POODLE are outlined. Finally, cracking WiFi passwords using tools like Aircrack-ng is briefly discussed.
I’ve been keeping a collection of Linux commands that are particularly useful; some are from websites I’ve visited, others from experience
I hope you find these are useful as I have. I’ll periodically add to the list, so check back occasionally.
Fast & Furious: Speed in the Opera browserAndreas Bovens
From its early days, Opera has focused on providing its users with a snappy browsing experience on a wide range of hardware and OSes. In this talk, I look at the latest versions of Opera for desktop, Opera Mobile and Opera Mini and explore how they make web pages super fast.
http://velocityconf.com/velocityeu/public/schedule/detail/22183
Building a Docker v1.12 Swarm cluster on ARMTeam Hypriot
This document discusses building a Docker Swarm cluster on Raspberry Pi nodes using HypriotOS. It provides instructions for setting up the necessary hardware including Raspberry Pis, a switch and power supplies. It then outlines the steps to flash the HypriotOS SD card image, configure the nodes using docker-machine, and initialize a Docker Swarm manager and join worker nodes to create a 4 node cluster. Finally, it demonstrates running demo Docker services and scaling them across the Swarm.
The Razors Edge - Cutting your TLS BaggageJan Schaumann
A talk on effecting change across a large organization, given at O'Reilly Security 2017.
Write-up will be posted at https://www.netmeister.org/blog/razors-edge.html
Crazy Like A Fox - #Infosec Ideas That Just Might WorkJan Schaumann
Slides from an Ignite Talk given at O'Reilly Security NYC, 2016-10-31. Talk details will be posted at https://www.netmeister.org/blog/crazy-like-a-fox.html
Primum non nocere - Ethical Obligations in Internet OperationsJan Schaumann
The document discusses ethical obligations in internet operations and data stewardship. It notes that companies are stewards of users' data and are obligated to act in the public interest. Various codes of ethics from different organizations emphasize prioritizing public safety, health and welfare.
The document discusses PGP (Pretty Good Privacy) and how it can be used to securely communicate and store secrets. It explains that PGP uses public-key cryptography to provide confidentiality, integrity, and authenticity. It also discusses how to generate a PGP key pair, and the importance of revoking keys if they are compromised or the user no longer needs them.
The document discusses useless uses of common Unix/Linux utilities like cat, grep, and *. It provides examples of cases where these utilities are used redundantly or ineffectively, and suggests better alternatives without the unnecessary steps. Specifically, it explains how cat is often redundant when feeding files into other commands directly, how grep can be replaced by simpler tools like awk and sed in many cases, and how using * wildcards without good reason leads to inefficient scripts. The overall message is to simplify commands and remove unnecessary processing to write clearer and more efficient shell scripts.
A presentation on how changes in Daylight Saving Time were handled at Yahoo!. Originally given at BayLISA in May 2007. Slides are available here:
netmeister.org/misc/dst_yahoo.pdf
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
"Scaling RAG Applications to serve millions of users", Kevin GoedeckeFwdays
How we managed to grow and scale a RAG application from zero to thousands of users in 7 months. Lessons from technical challenges around managing high load for LLMs, RAGs and Vector databases.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillLizaNolte
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
This talk will cover ScyllaDB Architecture from the cluster-level view and zoom in on data distribution and internal node architecture. In the process, we will learn the secret sauce used to get ScyllaDB's high availability and superior performance. We will also touch on the upcoming changes to ScyllaDB architecture, moving to strongly consistent metadata and tablets.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
The Department of Veteran Affairs (VA) invited Taylor Paschal, Knowledge & Information Management Consultant at Enterprise Knowledge, to speak at a Knowledge Management Lunch and Learn hosted on June 12, 2024. All Office of Administration staff were invited to attend and received professional development credit for participating in the voluntary event.
The objectives of the Lunch and Learn presentation were to:
- Review what KM ‘is’ and ‘isn’t’
- Understand the value of KM and the benefits of engaging
- Define and reflect on your “what’s in it for me?”
- Share actionable ways you can participate in Knowledge - - Capture & Transfer
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
8. It all began some time in January of 2007...
Yahoo! Presentation; Confidential 11/19/12
9. Initial Problem Statement
“Hey, we need to know which hosts can’t deal with the
new Daylight Saving Time.”
Headless Host Scanning -- @jschauma 9 11/19/12
23. Problem Refinement
“Run this set of arbitrary commands on our hosts.
Yes, on all of them.”
Headless Host Scanning -- @jschauma 23 11/19/12
24. Wait a second – all hosts?
$ wtf host
wtf: I don't know what host means!
$
§ a computer connected to a network
§ a virtual machine
§ a container
§ jails, zones, ...
§ chroot
Headless Host Scanning -- @jschauma 24 11/19/12
25. Sturgeon's Law (1st adage)
"Hosts" on the network
"Hosts" in asset database "Hosts" in DNS
Yahoo! Presentation; Confidential 11/19/12
36. SSH Complications: assword prompts
Key Authentication
to the rescue?
§ private keys need to be present on all hosts connecting to targets
§ you need to provide passphrase for private keys at scan start
Enter passphrase for /home/${USER}/.ssh/id_rsa:
Enter passphrase for /home/${USER}/.ssh/id_dsa:
Enter passphrase for /home/${USER}/.ssh/scankey:
Yahoo! Presentation; Confidential 11/19/12
44. Miscellaneous Scalability Issues
§ doing hostname lookups for each connection is expensive
§ use IP addresses
§ parsing known_hosts with several 100K entries is expensive
§ use UserKnownHostsFile=/dev/null
§ use GlobalKnownHostsFile=/dev/null
§ hosts change ssh keys "frequently"
§ we need StrictHostKeyChecking=no :-(
§ collecting even only a few lines from every single host can fill up your
disk quickly
§ ssh connections can hang "indefinitely" (=> tkill(1) cron scheduled
killing of processes)
Headless Host Scanning -- @jschauma 44 11/19/12
46. Scanmaster Scripts
§ checkhosts(1)
§ run given script on all hosts in input via ssh(1) (in background)
§ scanhosts(1)
§ invoke checkhosts(1) against split input (again in background)
§ defaults to 150 invocations of checkhosts(1) in parallel
§ scanslave(1)
§ starts ssh-agent(1) and adds keys
§ adds tkill(1) crontab
§ invoke scanhosts(1) against split input
§ scanmaster(1)
§ splits input into number of scanslaves chunks
§ ssh to each scanslave and kicks off scanslave(1) in screen session
§ aggregates and post-processes results
Headless Host Scanning -- @jschauma 46 11/19/12
48. "Every item on the menu at Taco Bell is just
a different configuration of roughly eight
ingredients. With this simple periodic table
of meat and produce, the company pulled
down $1.9 billion last year."
http://teddziuba.com/2010/10/taco-bell-programming.html
Headless Host Scanning -- @jschauma 48 11/19/12
49. Miscellaneous Security Issues
§ ssh-agent exposes our keys to target hosts
§ use ForwardAgent=no, ClearAllForwardings=yes
§ ssh-agent on scanslaves exposes our privkeys to anybody with
super-user privileges on the scanslaves
§ use a scan-only key with from= and various no- restrictions
§ password injector will respond to anything asking for your assword
§ uhm... don't use password auth?
§ use of a "real" user is stupid
Headless Host Scanning -- @jschauma 49 11/19/12
50. Going topless. T.O.P.L.E.S.S.
Headless User Requirement #1:
§ selective access (via ssh keys)
Headless User Requirement #2:
§ a restricted shell
Headless User Requirement #3:
§ an un-restricted shell
Headless User Requirement #2 and #3:
§ allow arbitrary commands, provided they
were sanctioned by somebody we trust
Headless Host Scanning -- @jschauma 50 11/19/12
52. Windows PowerShell ExecutionPolicy
§ Restricted
§ No scripts can be run. Windows PowerShell
can be used only in interactive mode.
§ Unrestricted
§ No restrictions; all Windows PowerShell scripts
can be run.
§ RemoteSigned
§ Downloaded scripts must be signed by a trusted publisher before
they can be run.
§ AllSigned
§ Only scripts signed by a trusted publisher can be run.
Headless Host Scanning -- @jschauma 52 11/19/12
53. The (TacoBell) Sigsh
NAME
sigsh -- a signature verifying shell
SYNOPSIS
sigsh [-c certs] [-x] [-p prog]
DESCRIPTION
sigsh is a non-interactive, signature requiring and verifying
command interpreter. More accurately, it is a signature
verification wrapper around a given shell. It reads input in
PKCS#7 format from standard in, verifies the signature and, if
the signature matches, pipes the decoded input into the command
interpreter.
Headless Host Scanning -- @jschauma 53 11/19/12
58. The (TacoBell) Sigsh
EXAMPLES
The following examples illustrate possible usage of this tool.
To execute the commands in the file 'script.bash':
openssl smime -sign -nodetach -signer mycert.pem
-inkey mykey.pem -in script.bash -outform pem | sigsh
To execute the perl code contained in the signed PKCS#7 file 'code.pem':
sigsh -p /usr/bin/perl <code.pem
Headless Host Scanning -- @jschauma 58 11/19/12
60. The Good
§ private cert need not be present on scanslave hosts
§ signing party need not be executing party
§ if you grant passwordless sudo to the headless user, you can do *
§ certs can expire => we have builtin time-bomb powers!
§ multiple people can have signing-power independent of each other
§ we can scan over XXXK "hosts" in approximately 15 minutes
§ we have the flexibility to collect all sorts of interesting data
Headless Host Scanning -- @jschauma 60 11/19/12
62. The Bad
§ this is still a TacoBell sigsh, not a powershell
§ we have not solved the ssh-key access problem
(though a leaked ssh-key cannot allow arbitrary command
execution, only execution of previously approved commands)
§ multiple people can have signing-power independent of each other
Headless Host Scanning -- @jschauma 62 11/19/12
63. Life Lessons: Pareto's Principle
The "trivial many"
The "vital few"
Headless Host Scanning -- @jschauma 63 11/19/12
64. Life Lessons: Milton Friedman was right.
There's nothing so permanent as
a temporary government program
solution.
Yahoo! Presentation; Confidential 11/19/12
65. The Ugly
§ Only ~80% of our hosts have sigsh => we need to combine headless
with "headful" scans. Thus, we currently:
§ scan headlessly (80%, in <15 minutes)
§ scan with regular user and dedicated scankey (11%)
§ scan with regular user and password, twice (7%)
§ scan with regular user and old password
§ scan with regular user and older password
§ scan with regular user and even older password
§ We still (have to) trust the binaries on the remote host.
§ no veriexec, TPE, ...
Headless Host Scanning -- @jschauma 65 11/19/12
66. Life Lessons
§ Pen testing can't solve everything.
§ Size matters.
§ "Nothing is always absolutely so." (Sturgeon's Law)
› "90% of everything is crud." (2nd adage; freebie)
§ Causality (Duh!)
§ Mmm, mmm TacoBell!
§ 80% of the effects come from 20% of the causes. (Pareto Principle)
§ There's nothing so permanent as a temporary solution.
§ The worst form of on-demand data collection except all the others that
have been tried.
Headless Host Scanning -- @jschauma 66 11/19/12