My talk on Stegosploit at 44CON 2015:
Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image based exploit delivery - Steganography and Polyglots.
For details on Stegosploit, please visit http://stegosploit.info/
Behind every successful exploit is a good delivery mechanism. This talk combines my research in exploit writing, browser and PDF exploitation, web hacking and old school data representation techniques, bringing you a slew of creative and innovative tricks and techniques to send exploits successfully to the victim's doorstep.
Never before has the fine art of packaging been more important when it comes to exploit delivery. Advances in HTML standards, newer trends with HTTP, new techniques of consuming web resources and multiple ways of data representation make it possible to come up with tricks like "Javascript chameleons", "shortened exploits", "exploitation by painting" and other creative techniques.
Stegosploit - Hacking With Pictures HITB2015AMSSaumil Shah
"A good exploit is one that is delivered in style". Stegosploit explores the art of creative exploit delivery using only JPG/PNG images. This is my talk at Hack In The Box 2015 Amsterdam, demonstrating how to steganographically encode exploits into JPG and PNG images and automatically trigger them when loaded in a browser.
This talk is put together with bits and pieces of my research in advanced exploit delivery mechanisms. What you see on your browser may not always be a pretty picture. In this talk, we explore how images can be used as active exploits. By shifting evil payloads to images, it is possible to defeat even the most sophisticated systems of threat detection. We shall see how exploits can be encoded in image pixels, executing Javascript through images, and lastly how vector images are being used in browser heap memory manipulation.
My presentation at NoSuchCon 2013, Paris. What do you get if you combine art with an exploit? "Deadly Pixels" is the fine art (pun intended) of packaging exploits. The result is a pretty picture with not-so-pretty after effects.
Download PDF - http://www.nosuchcon.com/talks/D1_05_Saumil_Deadly_Pixels.pdf
My presentation at HackCon 7 Oslo, exploring where the world of information security is headed. Crude vs. stealthy exploit techinques, the underground digital economy, failure of anti-virus, the future of web application security and the (de)evolution of browsers and HTTP.
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec JourneySaumil Shah
I started my company, Net-Square, 12 years ago. This talk is a collection of 13 thoughts and observations from the past 12 years - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively. This talk is not a rant, not a venting session and certainly not a criticism of sorts as many infosec talks have now become.
This talk is a collection of my thoughts and observations since my early infosec days - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively.
Behind every successful exploit is a good delivery mechanism. This talk combines my research in exploit writing, browser and PDF exploitation, web hacking and old school data representation techniques, bringing you a slew of creative and innovative tricks and techniques to send exploits successfully to the victim's doorstep.
Never before has the fine art of packaging been more important when it comes to exploit delivery. Advances in HTML standards, newer trends with HTTP, new techniques of consuming web resources and multiple ways of data representation make it possible to come up with tricks like "Javascript chameleons", "shortened exploits", "exploitation by painting" and other creative techniques.
Stegosploit - Hacking With Pictures HITB2015AMSSaumil Shah
"A good exploit is one that is delivered in style". Stegosploit explores the art of creative exploit delivery using only JPG/PNG images. This is my talk at Hack In The Box 2015 Amsterdam, demonstrating how to steganographically encode exploits into JPG and PNG images and automatically trigger them when loaded in a browser.
This talk is put together with bits and pieces of my research in advanced exploit delivery mechanisms. What you see on your browser may not always be a pretty picture. In this talk, we explore how images can be used as active exploits. By shifting evil payloads to images, it is possible to defeat even the most sophisticated systems of threat detection. We shall see how exploits can be encoded in image pixels, executing Javascript through images, and lastly how vector images are being used in browser heap memory manipulation.
My presentation at NoSuchCon 2013, Paris. What do you get if you combine art with an exploit? "Deadly Pixels" is the fine art (pun intended) of packaging exploits. The result is a pretty picture with not-so-pretty after effects.
Download PDF - http://www.nosuchcon.com/talks/D1_05_Saumil_Deadly_Pixels.pdf
My presentation at HackCon 7 Oslo, exploring where the world of information security is headed. Crude vs. stealthy exploit techinques, the underground digital economy, failure of anti-virus, the future of web application security and the (de)evolution of browsers and HTTP.
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec JourneySaumil Shah
I started my company, Net-Square, 12 years ago. This talk is a collection of 13 thoughts and observations from the past 12 years - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively. This talk is not a rant, not a venting session and certainly not a criticism of sorts as many infosec talks have now become.
This talk is a collection of my thoughts and observations since my early infosec days - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively.
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
Full paper - http://stegosploit.info/
TL;DR: Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image based exploit delivery - Steganography and Polyglots.
I first put together the core tools of Stegosploit in October 2014 at the Level2.LU hackerspace in Luxembourg. This year, Stegosploit comes full circle, with an updated toolkit and a new IMAJS technique presented at Hack.LU 2015.
Full paper available at http://stegosploit.info/
"Today’s attacks succeed because the defense is reactive". It is time to transition defense from being reactive to proactive. This is a keynote level talk, which discusses my seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.
This talk is about designing a Deep Learning model pipeline for OCR (Text Segmentation and Text Extraction) using Tensorflow, targeting domain specific information extraction
[CSSDevConf] Adaptive Images in Responsive Web Design 2014Christopher Schmitt
The web doesn't stop at the desktop anymore. Our image assets need to do more than look good in one context. In this talk, I look at how images like JPEG, GIFs, SVG, Icons, Unicode, and more can be used in a multi-device environment.
This presentation was given at the jQuery conference 2010 in Mountain View and featured the first public premiere of a sneak peek video of our upcoming JavaScript game engine.
The video preview can be found here: http://youtu.be/Ol3qQ4CEUTo
Enjoy and follow me at @pbakaus on Twitter!
Accelerating Real Time Video Analytics on a Heterogenous CPU + FPGA PlatformDatabricks
The current uptrend in faster computational power has led to a more mature eco-system for image processing and video analytics. By using deep neural networks for image recognition and object detection we can achieve better than human accuracies. Industrial sectors led by retail and finance want to take advantage of these latest developments in real-time analysis of video content for fraud detection, surveillance and many other applications.
There are a couple of challenges involved in the real word implementation of a video analytics solution:
1) Most video analytics use-cases are effective only when response times are in milliseconds. Requirement of performing at very low latencies gives rise to a need for software and hardware acceleration
2) Such solutions will need wide-spread deployment and are expected to have low TCO. To address these two key challenges we propose a video analytics solution leveraging Spark Structured Streaming + DL framework (like Intel’s Analytics-Zoo & Tensorflow) built on a heterogenous CPU + FPGA hardware platform.
The proposed solution provides >3x acceleration in performance to a video analytics pipeline when compared to a CPU only implementation while requiring zero code change on the application side as well as achieving more than 2x decrease in TCO. Our video analytics pipeline includes ingestion of video stream + H.264 decode to image frames + image transformation + image inferencing, that uses a deep neural network. FPGA based solution offloads the entire pipeline computation to the FPGA while CPU only solution implements the pipeline using OpenCV + Spark Structured Streaming + Intel’s Analytics-Zoo DL library.
Key Take aways:
1. Optimizing performance of Spark Streaming + DL pipeline
2. Acceleration of video analytics pipeline using FPGA to deliver high throughput at low latency and reduced TCO.
3. Performance data for benchmarking CPU and CPU + FPGA based solution.
iOS 8 and iPhone 6 for web developers and designersZhi Zhong
iOS 8 is finally here while the new iPhone 6 and iPhone 6 plus will appear in a few days. New APIs appears on scene, as well as new challenges to support the new screen sizes. I’ve been playing with the final version and here you have my findings.
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick.
Hardware hacks tend to focus on low-speed (jtag, uart) and external (network, usb) interfaces, and PCI Express is typically neither. After a crash course in PCIe Architecture, we’ll demonstrate a handful of hacks showing how pull PCIe outside of your system case and add PCIe slots to systems without them, including embedded platforms. We’ll top it off with a demonstration of SLOTSCREAMER, an inexpensive device that’s part of the NSA Playset which we’ve configured to access memory and IO, cross-platform and transparent to the OS - all by design with no 0-day needed. The open hardware and software framework that we will release will expand your Playset with the ability to tinker with DMA attacks to read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system.
Andreas Zeitler (Vuframe): Virtual & Augmented Business: How to Discover and ...AugmentedWorldExpo
A talk from the Work Track at AWE USA 2017 - the largest conference for AR+VR in Santa Clara, California May 31- June 2, 2017.
Andreas Zeitler (Vuframe): Virtual & Augmented Business: How to Discover and Leverage Immersive DataYou Already Own.
A good, practical and user-friendly Augmented or Virtual Reality application can provide clear return on investment for many businesses. Adopting software-driven solutions while the hardware in the market matures will give you a competitive edge while others are still catching up. However, there's still a major roadblock: where do you get data in the formats required for AR & VR? Realtime 3D, 360 Media, Point Cloud Data are neither cheap nor easy to come by – especially when it needs to be highly optimized to run on portable devices with limited battery life and performance. This workshop will illustrate how data which already exists in a lot of businesses can be leveraged in the age of Augmented and Virtual Reality. We will uncover which data sources already exist in your company and how you can deploy them as part of a cutting-edge virtual tool – within days, not weeks or months.
http://AugmentedWorldExpo.com
Presented at SCREENS 2013 in Toronto.
Details at fitc.ca/screens
In this talk, Digiflare lead iOS developer Justin Howlett will discuss the impact of performance on User Experience. Justin will discuss easy to implement platform agnostic techniques, technologies and libraries to improve your user experience through performance. Although most techniques and technologies are platform agnostic many of the case studies and examples will be presented in native Objective-C for iOS.
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
Full paper - http://stegosploit.info/
TL;DR: Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image based exploit delivery - Steganography and Polyglots.
I first put together the core tools of Stegosploit in October 2014 at the Level2.LU hackerspace in Luxembourg. This year, Stegosploit comes full circle, with an updated toolkit and a new IMAJS technique presented at Hack.LU 2015.
Full paper available at http://stegosploit.info/
"Today’s attacks succeed because the defense is reactive". It is time to transition defense from being reactive to proactive. This is a keynote level talk, which discusses my seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.
This talk is about designing a Deep Learning model pipeline for OCR (Text Segmentation and Text Extraction) using Tensorflow, targeting domain specific information extraction
[CSSDevConf] Adaptive Images in Responsive Web Design 2014Christopher Schmitt
The web doesn't stop at the desktop anymore. Our image assets need to do more than look good in one context. In this talk, I look at how images like JPEG, GIFs, SVG, Icons, Unicode, and more can be used in a multi-device environment.
This presentation was given at the jQuery conference 2010 in Mountain View and featured the first public premiere of a sneak peek video of our upcoming JavaScript game engine.
The video preview can be found here: http://youtu.be/Ol3qQ4CEUTo
Enjoy and follow me at @pbakaus on Twitter!
Accelerating Real Time Video Analytics on a Heterogenous CPU + FPGA PlatformDatabricks
The current uptrend in faster computational power has led to a more mature eco-system for image processing and video analytics. By using deep neural networks for image recognition and object detection we can achieve better than human accuracies. Industrial sectors led by retail and finance want to take advantage of these latest developments in real-time analysis of video content for fraud detection, surveillance and many other applications.
There are a couple of challenges involved in the real word implementation of a video analytics solution:
1) Most video analytics use-cases are effective only when response times are in milliseconds. Requirement of performing at very low latencies gives rise to a need for software and hardware acceleration
2) Such solutions will need wide-spread deployment and are expected to have low TCO. To address these two key challenges we propose a video analytics solution leveraging Spark Structured Streaming + DL framework (like Intel’s Analytics-Zoo & Tensorflow) built on a heterogenous CPU + FPGA hardware platform.
The proposed solution provides >3x acceleration in performance to a video analytics pipeline when compared to a CPU only implementation while requiring zero code change on the application side as well as achieving more than 2x decrease in TCO. Our video analytics pipeline includes ingestion of video stream + H.264 decode to image frames + image transformation + image inferencing, that uses a deep neural network. FPGA based solution offloads the entire pipeline computation to the FPGA while CPU only solution implements the pipeline using OpenCV + Spark Structured Streaming + Intel’s Analytics-Zoo DL library.
Key Take aways:
1. Optimizing performance of Spark Streaming + DL pipeline
2. Acceleration of video analytics pipeline using FPGA to deliver high throughput at low latency and reduced TCO.
3. Performance data for benchmarking CPU and CPU + FPGA based solution.
iOS 8 and iPhone 6 for web developers and designersZhi Zhong
iOS 8 is finally here while the new iPhone 6 and iPhone 6 plus will appear in a few days. New APIs appears on scene, as well as new challenges to support the new screen sizes. I’ve been playing with the final version and here you have my findings.
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick.
Hardware hacks tend to focus on low-speed (jtag, uart) and external (network, usb) interfaces, and PCI Express is typically neither. After a crash course in PCIe Architecture, we’ll demonstrate a handful of hacks showing how pull PCIe outside of your system case and add PCIe slots to systems without them, including embedded platforms. We’ll top it off with a demonstration of SLOTSCREAMER, an inexpensive device that’s part of the NSA Playset which we’ve configured to access memory and IO, cross-platform and transparent to the OS - all by design with no 0-day needed. The open hardware and software framework that we will release will expand your Playset with the ability to tinker with DMA attacks to read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system.
Andreas Zeitler (Vuframe): Virtual & Augmented Business: How to Discover and ...AugmentedWorldExpo
A talk from the Work Track at AWE USA 2017 - the largest conference for AR+VR in Santa Clara, California May 31- June 2, 2017.
Andreas Zeitler (Vuframe): Virtual & Augmented Business: How to Discover and Leverage Immersive DataYou Already Own.
A good, practical and user-friendly Augmented or Virtual Reality application can provide clear return on investment for many businesses. Adopting software-driven solutions while the hardware in the market matures will give you a competitive edge while others are still catching up. However, there's still a major roadblock: where do you get data in the formats required for AR & VR? Realtime 3D, 360 Media, Point Cloud Data are neither cheap nor easy to come by – especially when it needs to be highly optimized to run on portable devices with limited battery life and performance. This workshop will illustrate how data which already exists in a lot of businesses can be leveraged in the age of Augmented and Virtual Reality. We will uncover which data sources already exist in your company and how you can deploy them as part of a cutting-edge virtual tool – within days, not weeks or months.
http://AugmentedWorldExpo.com
Presented at SCREENS 2013 in Toronto.
Details at fitc.ca/screens
In this talk, Digiflare lead iOS developer Justin Howlett will discuss the impact of performance on User Experience. Justin will discuss easy to implement platform agnostic techniques, technologies and libraries to improve your user experience through performance. Although most techniques and technologies are platform agnostic many of the case studies and examples will be presented in native Objective-C for iOS.
Devices that consume the web are being created at a never-before heard of rate. They’re getting smaller, lighter, faster, sharper, and sexier. Life is awesome right? But what about us web designers?
Let’s talk about how to get the best possible ratio of speed vs awesome, and what techniques to use for fast and stunning visual experiences.
Talk given at The Rich Web Experience 2008. Check out blog for more demos, and sample code.
I hate images. Not pictures or icons, mind you, but user interface graphics. I think that small gradient PNGs that web developers set to repeat are the spacer gifs of today. Images are hard to change, and slower to download.
Earlier research has discussed two related technologies, namely (1) multisource content aggregation method and its browser implementation and (2) interactive visualizations of performance in data centers. This research is both the connection between the two and the next step for both. HTML5 Workers are an ideal tool for distributing the processing load across multiple cores -- most modern hardware including smartphones is multicore. However, Workers by design cannot access the DOM of the page directly. This paper discusses a method that circumvents this problem by having each Worker generate base64 URLs with image data in PNG format. This way, the main processing load is transferred to Workers while the main thread only replaces the base64 URLs, thus producing animated visualizations. The technology is intended for data center performance visualizations, where each Worker receives streamed data via individual WebSockets.
For over two decades, working as an cybersecurity entrepreneur, researcher and instructor, I have heard over and over again that attacks and defense are two sides of the same coin. But what does it really mean in application? What happens when sophisticated attacks collide with sophisticated defenses? Who wins?
This is talk is aimed at a wide audience in cybersecurity – from the strategists to the practitioners. We will discuss Evolution, Attacks, Defense and PEBKAC. What factors shall affect the posture of trustworthiness and safety in the digital world in the next two years to come depend largely on the road we have followed over the past two decades. This talk looks above and beyond, albeit optimistically, about realigning some of the conventional approaches, slowly but strategically shifting mindsets of stakeholders and consumers alike, to bring about a more proactive approach to security.
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
The EMUX IoT Firmware Emulation Framework currently provides near native userland emulation for ARM and MIPS IoT devices. EMUX is actively used Saumil's popular ARM IoT Exploit Laboratory training for over 5 years.
The Debugging with EMUX workshop shall be in two parts:
Part 1 (30 minutes) - Setting up EMUX in 7 minutes - A tour of EMUX internals - EMUX utilities - Tracing userland processes within EMUX
Part 2 (90 minutes) - Debugging an ARM IoT target in EMUX - Debugging a MIPS IoT Target in EMUX - Crash dump analysis
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
After 4 years, ARMX is changing its call sign. EMUX now features both ARM and MIPS device emulation, in a unified framework! Join us as we unveil EMUX and take you into the inner workings of emulating both ARM and MIPS IoT devices. We will be releasing a new Docker image featuring a MIPS CTF challenge to test your MIPS exploit development skills.
Slides from my workshop at Ringzer0's December 2021 Workshop Advent Calendar.
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
A webinar on what it takes to conduct an effective webinar! Understand how to prepare your story for an invisible audience, keep them engaged and anticipate "in-flight turbulence". Enjoy!
The closest you will get to a VM for testing IoT devices. The ARM-X IoT Firmware Emulation Framework is a tried-and-tested framework which has led to four 0-days discovered on SoHo routers, IP cameras and VoIP exchanges. In this talk, I shall cover the evolution of ARM-X, demonstrate a few use cases and discuss future directions of IoT firmware emulation.
The closest you will get to a VM for testing IoT devices. The ARM-X IoT Firmware Emulation Framework is a tried-and-tested framework which has led to four 0-days discovered on SoHo routers, IP cameras and VoIP exchanges. In this talk, I shall cover the evolution of ARM-X, demonstrate a few use cases and discuss future directions of IoT firmware emulation.
The Road To Defendable Systems - Emirates NBDSaumil Shah
"Attack is a technical problem, defense is a political problem". For several years, cyber security has been misjudged as risk reduction. On one hand, business applications and architectures are growing rapidly. On the other hand, the cyber security organisation is struggling to be able to defend them in today's rapidly evolving threat landscape.
This talk explores the gap in thought between the owner and the defender of today's business applications and what needs to be done to bridge it. We shall present proactive steps and measures to overcome the last hurdle in building defendable systems.
Defending an enterprise is a balancing act. I have worked as an offensive testing vendor to several global organisations over 18 years. This talk explores the challenges that today’s CISOs face - the threat landscape, overall shortage of infosec expertise, the ever evaporating shelf life of infosec products and an increased burden of compliance requirements. I will share my experiences from working with highly effective CISOs and internal infosec teams and what it takes to function on the razor’s edge
Defending an enterprise is a balancing act. I have worked as an offensive testing vendor to several global organisations over 18 years. This talk explores the challenges that today’s CISOs face - the threat landscape, overall shortage of infosec expertise, the ever evaporating shelf life of infosec products and an increased burden of compliance requirements. I will share my experiences from working with highly effective CISOs and internal infosec teams and what it takes to function on the razor’s edge
My talk on creating ARM/Thumb Polyglot shellcode for obfuscation, signature evasion and downright novelty of approach! Presented at Hack in the Box Amsterdam 2019
Slides from my lectures on Photography As An Art Form. Follow me on facebook at https://www.facebook.com/my.spectral.lines and on Instagram at @therealsaumil.
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogenous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators.
In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and last but not the least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques
Takashi Kobayashi and Hironori Washizaki, "SWEBOK Guide and Future of SE Education," First International Symposium on the Future of Software Engineering (FUSE), June 3-6, 2024, Okinawa, Japan
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...kalichargn70th171
A dynamic process unfolds in the intricate realm of software development, dedicated to crafting and sustaining products that effortlessly address user needs. Amidst vital stages like market analysis and requirement assessments, the heart of software development lies in the meticulous creation and upkeep of source code. Code alterations are inherent, challenging code quality, particularly under stringent deadlines.
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
Launch Your Streaming Platforms in MinutesRoshan Dwivedi
The claim of launching a streaming platform in minutes might be a bit of an exaggeration, but there are services that can significantly streamline the process. Here's a breakdown:
Pros of Speedy Streaming Platform Launch Services:
No coding required: These services often use drag-and-drop interfaces or pre-built templates, eliminating the need for programming knowledge.
Faster setup: Compared to building from scratch, these platforms can get you up and running much quicker.
All-in-one solutions: Many services offer features like content management systems (CMS), video players, and monetization tools, reducing the need for multiple integrations.
Things to Consider:
Limited customization: These platforms may offer less flexibility in design and functionality compared to custom-built solutions.
Scalability: As your audience grows, you might need to upgrade to a more robust platform or encounter limitations with the "quick launch" option.
Features: Carefully evaluate which features are included and if they meet your specific needs (e.g., live streaming, subscription options).
Examples of Services for Launching Streaming Platforms:
Muvi [muvi com]
Uscreen [usencreen tv]
Alternatives to Consider:
Existing Streaming platforms: Platforms like YouTube or Twitch might be suitable for basic streaming needs, though monetization options might be limited.
Custom Development: While more time-consuming, custom development offers the most control and flexibility for your platform.
Overall, launching a streaming platform in minutes might not be entirely realistic, but these services can significantly speed up the process compared to building from scratch. Carefully consider your needs and budget when choosing the best option for you.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Transform Your Communication with Cloud-Based IVR SolutionsTheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
Looking for a reliable mobile app development company in Noida? Look no further than Drona Infotech. We specialize in creating customized apps for your business needs.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
Utilocate offers a comprehensive solution for locate ticket management by automating and streamlining the entire process. By integrating with Geospatial Information Systems (GIS), it provides accurate mapping and visualization of utility locations, enhancing decision-making and reducing the risk of errors. The system's advanced data analytics tools help identify trends, predict potential issues, and optimize resource allocation, making the locate ticket management process smarter and more efficient. Additionally, automated ticket management ensures consistency and reduces human error, while real-time notifications keep all relevant personnel informed and ready to respond promptly.
The system's ability to streamline workflows and automate ticket routing significantly reduces the time taken to process each ticket, making the process faster and more efficient. Mobile access allows field technicians to update ticket information on the go, ensuring that the latest information is always available and accelerating the locate process. Overall, Utilocate not only enhances the efficiency and accuracy of locate ticket management but also improves safety by minimizing the risk of utility damage through precise and timely locates.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
E-commerce Application Development Company.pdfHornet Dynamics
Your business can reach new heights with our assistance as we design solutions that are specifically appropriate for your goals and vision. Our eCommerce application solutions can digitally coordinate all retail operations processes to meet the demands of the marketplace while maintaining business continuity.
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
8. net-square
Stegosploit is...
not a 0-day attack with a cute logo
not exploit code hidden in EXIF
not a PHP/ASP webshell
not a new XSS vector
Stegosploit lets you deliver existing
BROWSER EXPLOITS using pictures.
15. net-square
Hacking with pictures, in style!
• Network traffic - ONLY image files.
• Exploit hidden in pixels.
– no visible aberration or distortion.
• Image auto runs upon load.
– decoder code bundled WITH the image.
• Exploit automatically decoded and
triggered.
• ...all with 1 image.
17. net-square
Hiding an Exploit in an Image
• Simple steganography techniques.
• Encode exploit code bitstream into
lesser significant bits of RGB values.
• Spread the pixels around e.g. 4x4 grid.
19. net-square
kevin.jpg
Bit layer 7 (MSB) Bit layer 6
Bit layer 5 Bit layer 4
Bit layer 3 Bit layer 2
Bit layer 1 Bit layer 0 (LSB)
Image separated
into Bit Layers
22. net-square
Encoding data at
bit layer 2
Encoded pixels visible in
certain parts when bit
layer 2 is filtered and
equalized
Final encoded image shows no perceptible
visual aberration or distortion.
23. net-square
Encoding on JPG
• JPG – lossy compression.
• Pixels may be approximated to their
nearest neighbours.
• Overcoming lossy compression by
ITERATIVE ENCODING.
• Can't go too deep down the bit layers.
• IE's JPG encoder is terrible!
• Browser specific JPG quirks.
24. net-square
Encoding on PNG
• Lossless compression.
• Can encode at bit layer 0.
– minimum visual distortion.
• Independent of browser library
implementation.
• Single pass encoding.
• JPG is still more popular than PNG!
38. net-square
PNG Secret Sauce - FourCC
PNG Header 89 50 4E 47 0D 0A 1A 0A
IHDR IHDRlength chunk data CRC
IDATlength pixel data CRCIDAT chunk
IDATlength pixel data CRCIDAT chunk
IDATlength pixel data CRCIDAT chunk
IEND0 CRCIEND chunk
www.fourcc.org
39. net-square
PNG Secret Sauce - FourCC
PNG Header 89 50 4E 47 0D 0A 1A 0A
IHDR IHDRlength chunk data CRC
tEXtlength html !-- CRC
tEXtlength _ random chars ...
CRC
... random chars ...
-- decoder HTML and script goes here ..
script type=text/undefined/*...
extra tEXt chunk
extra tEXt chunk
IDATlength pixel data CRCIDAT chunk
IDATlength pixel data CRCIDAT chunk
IDATlength pixel data CRCIDAT chunk
IEND0 CRCIEND chunk
Inspiration: http://daeken.com/superpacking-js-demos
48. net-square
Exploit code
encoded in image.
EVIL
GET /lolcat.png
200 OK
Expires: 6 months
I'M IN UR BASE
Decoder script references image
from cache.
SAFE
GET /lolcat.png
Load from cache
....KILLING UR DOODZ
AUG 2015 DEC 2015
ATTACK TIMELINE
50. net-square
Conclusions - Offensive
• Lot of possibilities!
• Weird containers, weird encoding, weird
obfuscation.
• Image attacks emerging in the wild.
• CANVAS + CORS = spread the payloads.
• Not limited to just browsers.
51. net-square
Conclusions - Defensive
• DFIR nightmare.
– how far back does your window of
inspection go?
• Can't rely on extensions, file headers,
MIME types or magic numbers.
• Wake up call to browser-wallahs.
• Quick fix – re-encode all images!