Docker and .NET Core - Best Friends Forever - Michael Newton - Codemotion Rom...Codemotion
The .NET languages have always been top notch in design, with a wide ranging standard library and support for all your enterprise needs. But for those of us with experience in the world outside Windows, the operational side of things was unbelievably painful. Now, with .NET Core that's starting to change. Here we'll work through the process of taking a .NET library and building a CI pipeline from reproducible container based builds through to minimal deployment artifacts.
A Recovering Java Developer Learns to GoMatt Stine
As presented at OSCON 2014.
The Go programming language has emerged as a favorite tool of DevOps and cloud practitioners alike. In many ways, Go is more famous for what it doesn’t include than what it does, and co-author Rob Pike has said that Go represents a “less is more” approach to language design.
The Cloud Foundry engineering teams have steadily increased their use of Go for building components, starting with the Router, and progressing through Loggregator, the CLI, and more recently the Health Manager. As a “recovering-Java-developer-turned-DevOps-junkie” focused on helping our customers and community succeed with Cloud Foundry, it became very clear to me that I needed to add Go to my knowledge portfolio.
This talk will introduce Go and its distinctives to Java developers looking to add Go to their toolkits. We’ll cover Go vs. Java in terms of:
* type systems
* modularity
* programming idioms
* object-oriented constructs
* concurrency
Docker and .NET Core - Best Friends Forever - Michael Newton - Codemotion Rom...Codemotion
The .NET languages have always been top notch in design, with a wide ranging standard library and support for all your enterprise needs. But for those of us with experience in the world outside Windows, the operational side of things was unbelievably painful. Now, with .NET Core that's starting to change. Here we'll work through the process of taking a .NET library and building a CI pipeline from reproducible container based builds through to minimal deployment artifacts.
A Recovering Java Developer Learns to GoMatt Stine
As presented at OSCON 2014.
The Go programming language has emerged as a favorite tool of DevOps and cloud practitioners alike. In many ways, Go is more famous for what it doesn’t include than what it does, and co-author Rob Pike has said that Go represents a “less is more” approach to language design.
The Cloud Foundry engineering teams have steadily increased their use of Go for building components, starting with the Router, and progressing through Loggregator, the CLI, and more recently the Health Manager. As a “recovering-Java-developer-turned-DevOps-junkie” focused on helping our customers and community succeed with Cloud Foundry, it became very clear to me that I needed to add Go to my knowledge portfolio.
This talk will introduce Go and its distinctives to Java developers looking to add Go to their toolkits. We’ll cover Go vs. Java in terms of:
* type systems
* modularity
* programming idioms
* object-oriented constructs
* concurrency
How to Dockerize, Automate the Build and Deployment Process for Flutter?9 series
During our webinar, one of the students asks as a lot of stuff regarding the deployment process of Docker. And we thought let’s write some articles about it. Read our report today.
Egress-Assess and Owning Data ExfiltrationCTruncer
This talk discusses how Egress-Assess can be used to help attackers and defenders learn how to exfiltrate data outside of their network over a variety of protocols, describes how data is exfiltrated over different supported protocols, and demonstrates the weaponization of the tool!
This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level.
The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.
This is the slide deck I gave when presenting at FSU's AITP Meeting. The goal was to give a high level description of what Pen Testing/Red Teaming is and what the job entails.
We are manufacturers and exporters of electronic and telecommunication equipment like GSM GPRS modem, industrial RF modules etc. These find wide application in telecommunications and mobile industries.
How to Dockerize, Automate the Build and Deployment Process for Flutter?9 series
During our webinar, one of the students asks as a lot of stuff regarding the deployment process of Docker. And we thought let’s write some articles about it. Read our report today.
Egress-Assess and Owning Data ExfiltrationCTruncer
This talk discusses how Egress-Assess can be used to help attackers and defenders learn how to exfiltrate data outside of their network over a variety of protocols, describes how data is exfiltrated over different supported protocols, and demonstrates the weaponization of the tool!
This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level.
The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.
This is the slide deck I gave when presenting at FSU's AITP Meeting. The goal was to give a high level description of what Pen Testing/Red Teaming is and what the job entails.
We are manufacturers and exporters of electronic and telecommunication equipment like GSM GPRS modem, industrial RF modules etc. These find wide application in telecommunications and mobile industries.
Linux commonly connotes with open-source zealots and a small PC market
share, not blockbuster video games. However, the arrival of Steam on
the platform might change the outlook quite dramatically, and Linux
support may soon become a must-have feature for your game. Setting the
open-source ideology aside, this lecture is an overview of the
technical challenges a game developer may face while porting their
game to this platform, along with solutions.
Presented at Troopers 2016.
When Infosec and Digipres share interests...
TL;DR
- Attack surface with file formats is too big.
- Specs are useless (just a nice ‘guide’), not representing reality.
- We can’t deprecate formats because we can’t preserve and we can’t define how they really work
- We need open good libraries to simplify landscape, and create a corpus to express the reality of file format, which gives us real “documentation”.
- Then we can preserve and deprecate older format, which reduces attack surface.
- From then on, we can focus on making the present more secure.
- We don't need new formats: reality will diverge from the specs anyway - we need 'alive' (up to date, traceable) specs.
Docker and Go: why did we decide to write Docker in Go?Jérôme Petazzoni
Docker is currently one of the most popular Go projects. After a (quick) Docker intro, we will discuss why we picked Go, and how it turned out for us.
We tried to list all the drawbacks and minor inconveniences that we met while developing Docker; not to complain about Go, but to give the audience an idea of what to expect. Depending on your project, those drawbacks could be minor inconveniences or showstoppers; we thought you would want to know about them to help you to make the right choice!
Simplifying training deep and serving learning models with big data in python...Holden Karau
More Serious Business Kitty Description:
While some deep learning systems have promised to not require any kind of data preparation or cleaning, in practice many folks find that effectively training their models requires some amount of data preparation and often we spend more time on our data preparation than anything else. This talk will examine tools for data preparation that can be used at scale on "big-data" and then how to use their results on-line at serving time (where we hopefully no longer require a cluster to predict every new user).
Less Serious Business Kitty Description:
Deep Learning, in addition to being a world class tool for detecting the presence of cats, requires large amounts of data for training. As much vendors may say "no data prep required", they are all lying*. This talk will look tools to build a deep learning pipeline with feature prep on top of existing big data technologies without rewriting your code for serving.
Traditionally feature prep done in a big data system, like Spark, Flink, or Beam, would have to be rewritting for the on-line serving component. This is about as much fun as when we have to rewrite our sample Python code into Java, as for some reason that's what a lot companies associate with "production." Come for the deep learning buzz-words, stay for the how to perform on-line serving without writing Java code.
*All vendors are optimists when it comes to their own products, including the vendors who pay Holden and Gris but they pay us so its ok.
This presentation was given to a group of SFS students at GW. It's designed to be semi-case study driven on the problems I've encountered on assessments and how programming can help solve them.
Powering Tensorflow with big data using Apache Beam, Flink, and Spark - OSCON...Holden Karau
TensorFlow is all kinds of fancy, from helping startups raising their series A in Silicon Valley to detecting if something is a cat. However, when things start to get “real,” you may find yourself no longer just dealing with mnist.csv but instead needing do large-scale data prep as well as training.
Holden Karau details how to use TensorFlow in conjunction with Apache Spark, Flink, and Beam to create a full machine learning pipeline—including the annoying feature engineering and data prep components that we like to pretend don’t exist. Holden also explains why these feature prep stages need to be integrated into the serving layer. She concludes by examining changing industry trends, like Apache Arrow, and how they impact cross-language development for things like deep learning. Even if you’re not trying to raise a round of funding in Silicon Valley, this talk will give you tools to do interesting machine learning problems at scale.
Drupal Day 2011 - Features: una vita feliceDrupalDay
Talk di Daniele Piaggesi & Luca Corbo
Il modulo Features per Drupal 7, permette al developer di costruire singole funzionalità riusabili in molteplici situazioni, oltre a disaccoppiare definitivamente la fase configurativa del CMS con la sua base dati.
In questa sessione vedremo velocemente dei casi d'uso del sistema di ""featuring"" di Drupal, quando usarle e con quali accortezze. E perchè questa funzionalità rende Drupal un CMS decisamente più duttile e maturo della sua concorrenza.
"Technical challenges"? More like horrors!
Let's explore first the technical debt of old file formats,
with the evolution of the "MP3" format.
Then we go through more recent forms of file format abuses and tools:
polyglots, polymocks, and crypto-polyglots.
Last, an overview of recent collisions and other forms of art with MD5.
They say that with file formats, "specs are enough".
Should we laugh, cry or run away screaming?
Presented at Digital Preservation Coalition's CyberSec & DigiPres event.
You are *not* an idiot ~ or maybe we're all idiots.
Keynote at NorthSec 2021.
Talking about school, failure, success, diploma, impostor syndrom, manipulators, burn out, suicide, and how to deal with them.
The talk delivery was more personal, the slides are kept generic.
The recording is available @ https://youtu.be/Iu70J49bPlE?t=20869 (starts at 5:47:49)
Demystifying hash collisions.
Pass the Salt, 1st July 2019.
video @ https://passthesalt.ubicast.tv/videos/kill-md5-demystifying-hash-collisions/
Hack.Lu, 22 October 2019.
video @ https://www.youtube.com/watch?v=JXazRQ0APpI
Beyond your studies ~ You studied X at Y. now what?
HackPra, July 2018
A student's life ago, the author somehow managed to graduate.
On the way, he made a lot of mistakes -- and he still does.
A few people since called him 'successful', but LOL, if only they knew....
And now, the author will do another (big!) mistake:
instead of hiding in shame as he probably should,
he'll share his mistakes with anyone bored enough to attend,
in the hope that he's the last person to ever look that dumb to commit such mistakes.
If you're a genius and you know what to do in life, please skip this. Seriously.
If, like the author at the time, you wonder WTF is going on with graduation, professional work and life, then hopefully you learn a few things. Maybe.
Btw the author is 42 (WTF - old!).
Maybe that will help to provide a few answers.
AKA "How people can create better video games via hacks"
Presented at Hack.Lu's Cryptoparty4kids 2015
Fallback slides: this was actually presented with videos and sound
video https://www.youtube.com/watch?v=vg7LPcFUxg8
audio / HD video download http://media.ccc.de/browse/congress/2014/31c3_-_5997_-_en_-_saal_6_-_201412282030_-_preserving_arcade_games_-_ange_albertini.html
complete animated presentation + extras (~1Gb):
https://archive.org/details/arcade31c3
more infos @ https://code.google.com/p/corkami/wiki/Arcade
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
6. our problem
● is related to virus (malwares)
● they use many file formats
● it's critical to identify them reliably
○ and to tell whether corrupted or well-formed
7. standard infection chain
the most common chain:
1. a web page, in HTML format
a. launching an applet
2. an evil applet, in CLASS format
a. exploiting a Java vulnerability
b. dropping an executable
3. a malicious executable, in Portable
Executable format
(a vast majority of malwares
rely on an executable)
8. another classic chain
● open a PDF document
○ with an exploit inside
■ dropping or downloading a PE executable
● get a malicious executable on your machine
9. the challenge
it might look obvious:
● tell whether it's a PDF, a PE, a JAVA, an
HTML...
● typical formats are clearly defined
○ Magic signature enforced at offset 0
10. reality
some formats have no header at all
● Command File (DOS 16 bits)
● Master Boot record
some formats don't need to start at offset 0
● Archives (Zips, Rars...)
● HTML
○ but text-only?
some formats accept a large controllable block
early in their header
● Portable Executable
● PICT image
11. How did this start?
a real-life problem:
1. a (malicious) HTML page
2. started with 'MZ' (the signature of PE)
3. just scanned as a PE!
a. wow, this PE is highly corrupted :)
b. it must be clean :p
?
MZ
12. polyglots in the wild
GIFAR = GIF + JAR
● an uploaded image
○ an avatar in a forum
● with a malicious JAVA appended as JAR
hosted on the server!
● bypass same domain policy
● now useable via its JAVA=EVIL payload
+ =
13. let's get started
PE, the executable format of windows
● it's central to windows malware
● it enforces a magic signature at offset 0
○ game over for other formats?
14. ● starts with a compulsory header
● made of sub-headers
overview
23. PDF trick 1
put a small executable within 1024 bytes
(just concatenate)
24. trick 2
1. start a fake PDF + object in a PE header
2. finish fake object at the end the PE
3. end fake object
4. put PDF real structure
works with real-life example!
(PE data might contain PDF keywords)
25. JAR = ZIP + Class
just enforced at the very end of the file
28. Structure
1. start
○ PE Signature
■ %PDF + fake obj start
■ HTML comment start
2. next
○ PE (next)
○ HTML
○ PDF (next)
3. bottom
○ ZIP
29. it’s time for a real example!
an inception demo!
wait, what?
30. we’re already in the demo!
the live version file is simultaneously:
● the PDF slides themselves
● a PDF viewer executable
○ ie, the file is loading itself
● the PoCs in a ZIP
● an HTML readme
○ with JavaScript mario
31. so, it works
but it lacks something
● not artistic enough
● not advanced enough
let's build a 'well representative' (=nasty) PoC
32. the PE specs
● Official MS specs = big joke
○ 'the gentle guide for beginners'
○ barely describes standard PEs
41. there is a so-called standard
and the reality of existing parsers
looking at: Adobe, MuPDF, Chrome
● 3 different files
○ working each on a specific viewer
○ failing on the other 2
42.
43. let's look inside
● MuPDF
○ no %PDF sig required
■ a PDF without a PDF sig ? WTF ?!?!
○ no trailer keyword required either
● Chrome
○ integer overflows: -4294967275 = 21
○ trailer in a comment
■ it can actually be almost ANYWHERE
■ even inside another object
● Adobe
○ looks almost sane compare to the other 2
44.
45. Chrome insanity++
(thx to Jonas Magazinius)
● a single object
● no 'trailer'
● inline stream
● brackets are not even closed
● * are required - it just checks for minimum
space
47. PDF.JS
● very strict
○ 'too' strict / naive ?
○ I don't want to be their QA ;)
● requires a lot of information usually ignored
○ xref
○ /Length %PDF-1.1
1 0 obj
<<
% /Type /Catalog
...
>>
endobj
2 0 obj
<<
/Type /Pages
...
>>
endobj
3 0 obj
<<
/Type /Page
/Resources <<
/Font <<
/F1 <<
/Type /Font
/Subtype /Type1
...
>>
>>
>>
>>
endobj
4 0 obj
<< /Length 47>>
stream
...
xref
0 1
0000000000 65535 f
0000000010 00000 n
...
48. let's play further
combine 3 documents in a single file
● it's actually 3 set of 'independant' objects
● objects are parsed
○ but not used
49. alternate reality demo
the live slide-deck contains 2 PDF
● bogus one under Chrome
● real one under MuPDF (Sumatra, Linux...)
● rejected under Acrobat
○ because of the PE signature (see later)
DEMO
50. final PoC
● combine most previously mentioned tricks
● many fails on many tools
● total control of the structure
○ the PDF 'ends' in the Java class
56. like washing powders
security tools are selected:
● speed
● {files} → {[clean/detected]}
file types not taken into consideration
57. type confusion
make the tool believe it's another type, which
will fool the engine
engine with checksum caching will be fooled:
1. scanned as HTML, clean
2. reused as PE but malicious
58.
59. engine exhaustion
rankings in magazines are based on scanning
time
→ scanning per file must stop arbitrarily
→ waste scanning cycle by adding extra
formats
60. Weaknesses
● evasion
○ filters → exfiltration
○ same origin policy
○ detection
■ ex: clean PE but malicious PDF/HTML/...
■ exhaust checks
■ pretend to be corrupt
● DoS
62. Conclusion
● type confusion is bad
○ succinct docs too
○ lazy softwares as well
● go beyond the specs
○ Adobe: good
● suggestions
○ more extensions checks
○ isolate downloaded files
○ enforce magic signature at offset 0
66. Valid image as JavaScript
Highlighted by Saumil Shah
● abusing header and parsers laxisms
● turn a field into /*
● close comment after the picture data