Computer Science,
Hacking and Research:
For fun and profit
@CompSci Festival, HKUST
Anthony LAI
Valkyrie-X Security Research Group
VXRL
Welcome, who am I?
Computer Science graduate in 1998.
Not in {Dean List, First Honor}
Currently work on security research, penetration testing, attack analysis and incident response
Speaker at DEFCON, HITCON, Blackhat, etc.
Founded VXRL, a non-profit security research organization; invited by OGCIO to be an information security advisory member.
Why do I set up this talk?
In the 15 years since graduation, I wanna:
- Inspire you guys
- Clear up your misunderstandings about Computer Science
- Convey ideas that faculty and your fellows cannot give you
Basically, I believe it is my duty to do it.
Agenda
Computer Science
- Important and Useful Algorithm
- Other “kungfu”?
Computer Security and Hacking
- Fun? Profit?
Security Research
- Why is it critical and interesting?
Part 1: Computer Science
(10 minutes)
Computer Science
Why do we need computer science?
Does computer science teach you programming only?
Why do we need algorithms?
Why do you need to learn about them?
Top useful algorithms:
http://www.quora.com/Computer-Science/What-are-some-of-the-most-ingenious-algorithms-in-computer-science
Most important algorithms:
http://www.koutschan.de/misc/algorithms.php
From MSR
Other Kungfu?
Protocols
Programming
Database
Operating System Fundamental
Networking
Software Engineering and Design
Cryptography
Pattern Recognition
Data mining
Discrete Maths
Statistics
Once you learn them all
What are their uses in security?
For example,
Pattern recognition
Data mining
Search algorithm
Security Area
For example
1. Encryption
2. Server Logs and Network Packets
- Identify threats and attacks
- Identify network attacks
3. Malicious Code and Executable (Malware)
Part 2: Hacking
(30 minutes)
Security and Hacking
You need to understand various technical disciplines:
- Operating System
- Networking
- Cryptography
- Memory
- Binary structure
- Protocols
Be ethical, don't commit an offense
CTF (Capture The Flag for
Fun and Profit)
What is a CTF game?
You need to get the key for points
Challenges include crypto, network, forensics, binary/reverse engineering/exploitation, web hacking and miscellaneous.
Top teams can enter the final round of the contest
DEFCON, Plaid CTF, Codegate and Secuinside are famous CTFs on the planet and we join every year.
Why do we enjoy playing?
Challenges are practical
Need your knowledge
Need your skills
Understanding vulnerabilities
Thinking like an attacker
Trains you to use the proper tools
HITCON CTF 2013
Our rank? Any rewards?
4th prize in HITCON CTF 2013 (19-20 July, Taipei)
Our world ranking
Sample Question (1)
Please read the following code. How can you solve it?
Question 1
There are a couple of things to note:
- We must do the operations in reverse order, since this is the inverse function.
- The hex2bin function is only available in PHP >= 5.4.0. Had to resort to the documentation to find the alternative: pack("H*", $str)
Okay, let us do some hacking (10-15 minutes :)
- www.overthewire.org
- Please click “Natas”
- It is a module for practicing your Web hacking.
- You could do it in groups; I've got prizes for the top 3 fellows.
- However, you need to understand:
  − HTTP protocol
  − Web Application
  − Common vulnerabilities of Web Application (Please refer to OWASP Top 10 from www.owasp.org)
Pickle object serialization
Serialization
A Vulnerable Django
https://github.com/OrangeTW/Vulnerable-Django/
If the key leaks
We could generate our own cookie and sign it.
We could even include command execution
1. Generate and sign the new cookie with command execution
2. Replace the original cookie with our generated one.
Pwned :)
(Simply input Guest, type some text in the box and submit)
More than that, we could get the key from the server to change our command to read file instead ...
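Why the leaked key matters, as an added example (not code from the talk or from the Vulnerable-Django repository): a valid signature only proves that the sender holds the key, so what the server does with a verified payload decides the impact. The key, the `payload:mac` cookie format and all function names are constructed for illustration, and the non-data pickle inspected here is a harmless reference to `len`.

```python
import base64
import hashlib
import hmac
import json
import pickle
import pickletools

# Opcodes that make a pickle import or call objects. Plain data
# (dict, list, str, int) never needs them.
RISKY_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
             "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: bytes, key: bytes) -> str:
    """Return 'payload:mac' (constructed format, not Django's own)."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + ":" + _b64(mac)


def verify(cookie: str, key: bytes) -> bytes:
    """Return the payload if the HMAC matches, else raise ValueError."""
    body, _, mac = cookie.partition(":")
    payload = _unb64(body)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        raise ValueError("bad signature")
    return payload


def load_json_session(cookie: str, key: bytes) -> dict:
    """Data-only deserialization: a forged cookie can lie, not run code."""
    data = json.loads(verify(cookie, key))
    if not isinstance(data, dict):
        raise ValueError("session must be a JSON object")
    return data


def risky_pickle_ops(payload: bytes) -> set:
    """Walk the opcode stream without unpickling; report risky opcodes."""
    names = {op.name for op, _arg, _pos in pickletools.genops(payload)}
    return names & RISKY_OPS


def demo() -> dict:
    key = b"constructed-demo-key"  # stands in for the application's secret key
    good = sign(json.dumps({"user": "Guest"}).encode(), key)
    # Payload swapped but MAC kept: rejected, the sender does not hold the key.
    swapped = _b64(b'{"user": "admin"}') + ":" + good.split(":")[1]
    try:
        load_json_session(swapped, key)
        swapped_accepted = True
    except ValueError:
        swapped_accepted = False
    # Same payload signed by a key holder: accepted. The signature cannot
    # tell the application apart from anyone else who has the key.
    resigned = sign(b'{"user": "admin"}', key)
    return {
        "good": load_json_session(good, key),
        "swapped_accepted": swapped_accepted,
        "resigned": load_json_session(resigned, key),
        "data_pickle": risky_pickle_ops(pickle.dumps({"user": "Guest"})),
        # Harmless stand-in for a non-data pickle: a reference to len().
        "callable_pickle": risky_pickle_ops(pickle.dumps(len)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Once the key is known, `verify` no longer separates genuine cookies from forged ones, so the fixes are rotating the key and keeping the session serializer data-only (JSON here) instead of pickle.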
CTF fun and profit
The fun is to practice our security and “kungfu”
The profit is earning knowledge, building trust and friendship.
Sometimes, we could get a reward :)
Part 3: Research
(10 minutes)
Research
Research is not limited to academia only
As a UG, even if you are not enrolled in a PhD program at this moment, you could still start it.
Some do research for their career, some may do research for “homework”, but I do it for “passion” and community.
My Research
http://scholar.google.com.hk/citations?user=YcjzoFkAAAAJ&hl=en
Research
Objectives:
- Current problem
- Issue/Industry driven
- Practical
- Impact and Improvement
- Novelty and/or incremental efforts
Security and Hacking Conference
- http://en.wikipedia.org/wiki/Computer_security_conference
- Realize the problems in both academia and industry.
- Top Academic security conference (focus on practicality)
  − Usenix (https://www.usenix.org/)
- Reviewers and panelists come from both academic and industry sectors.
Security and Hacking Conference
- Industry Conference
  − DEFCON (www.defcon.org)
  − Blackhat (www.blackhat.com)
  − AVTokyo (www.avtokyo.org)
  − Hack In Taiwan (www.hitcon.org)
  − POC (http://www.powerofcommunity.net/)
  − XCON (xcon.xfocus.net)
Cheer up!
- I tried to correlate computer science, security/hacking and research together in the past 50 minutes.
- Remember to position yourself as a scientist.
- Read others' papers (for example: Usenix)
- Pick your strength and favorite.
- Research could internationalize your capability and talents.
- Enjoy computer science, hacking and research. :-)
Our VX Research
- Malware and Targeted Attack
- Web Hacking
- Forensics
- Cryptography and Password
- Reverse Engineering, Exploitation and Software Security
- Secret mission and operation :-)
Attack Map
Thank you for listening
- https://www.facebook.com/darkfloyd2
- darkfloyd[at]vxrl.org

HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research
