Presented at Troopers 2016.
When Infosec and Digipres share interests...
TL;DR
- Attack surface with file formats is too big.
- Specs are useless (just a nice ‘guide’), not representing reality.
- We can’t deprecate formats because we can’t preserve and we can’t define how they really work
- We need open good libraries to simplify landscape, and create a corpus to express the reality of file format, which gives us real “documentation”.
- Then we can preserve and deprecate older format, which reduces attack surface.
- From then on, we can focus on making the present more secure.
- We don't need new formats: reality will diverge from the specs anyway - we need 'alive' (up to date, traceable) specs.
Presented at Troopers 2016.
When Infosec and Digipres share interests...
TL;DR
- Attack surface with file formats is too big.
- Specs are useless (just a nice ‘guide’), not representing reality.
- We can’t deprecate formats because we can’t preserve and we can’t define how they really work
- We need open good libraries to simplify landscape, and create a corpus to express the reality of file format, which gives us real “documentation”.
- Then we can preserve and deprecate older format, which reduces attack surface.
- From then on, we can focus on making the present more secure.
- We don't need new formats: reality will diverge from the specs anyway - we need 'alive' (up to date, traceable) specs.
Getting the basics right when starting to contribute patches to open source. The patches don't have to be perfect, but you should tuck your shirt in and use neat handwriting to get in the door.
Everyone have their own reasons to love or hate a programming language.
After talking about simplicity and other 7 traits of Go in the last meetup, we'll follow up with more.
---
Presented at the Golang Brno meetup #2, on June 16th, 2016.
Everyone have their own reasons to love or hate a programming language. In this opinionated talk I'll share what makes Go special for me, and what I miss the most whenever I get to write code in a different language.
Expect to hear not only about features but why they matter, and how they make Go unique and special.
---
Presented at the Golang Brno meetup #1, on May 17th, 2016.
It is the slides for COSCUP[1] 2013 Hands-on[2], "Learning Python from Data".
It aims for using examples to show the world of Python. Hope it will help you with learning Python.
[1] COSCUP: http://coscup.org/
[2] COSCUP Hands-on: http://registrano.com/events/coscup-2013-hands-on-mosky
Intro to Python Workshop San Diego, CA (January 19, 2013)Kendall
These slides were presented at the Intro to Python Workshop in San Diego, California on January 19, 2013. This workshop was for absolute beginners in Python, and builds from the ground up. There were two projectors used in the presentation, one for showing these slides and one with a command-line Python prompt to show the execution of example code throughout the presentation.
The presenters were David Neiss and Kendall Chuang of the San Diego Python Users Group.
Getting the basics right when starting to contribute patches to open source. The patches don't have to be perfect, but you should tuck your shirt in and use neat handwriting to get in the door.
Everyone have their own reasons to love or hate a programming language.
After talking about simplicity and other 7 traits of Go in the last meetup, we'll follow up with more.
---
Presented at the Golang Brno meetup #2, on June 16th, 2016.
Everyone have their own reasons to love or hate a programming language. In this opinionated talk I'll share what makes Go special for me, and what I miss the most whenever I get to write code in a different language.
Expect to hear not only about features but why they matter, and how they make Go unique and special.
---
Presented at the Golang Brno meetup #1, on May 17th, 2016.
It is the slides for COSCUP[1] 2013 Hands-on[2], "Learning Python from Data".
It aims for using examples to show the world of Python. Hope it will help you with learning Python.
[1] COSCUP: http://coscup.org/
[2] COSCUP Hands-on: http://registrano.com/events/coscup-2013-hands-on-mosky
Intro to Python Workshop San Diego, CA (January 19, 2013)Kendall
These slides were presented at the Intro to Python Workshop in San Diego, California on January 19, 2013. This workshop was for absolute beginners in Python, and builds from the ground up. There were two projectors used in the presentation, one for showing these slides and one with a command-line Python prompt to show the execution of example code throughout the presentation.
The presenters were David Neiss and Kendall Chuang of the San Diego Python Users Group.
Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks...Area41
As file format specs leave room for interpretation and sometimes are misunderstood or ignored by the programmers, some well-formed files may be interpreted inconsistently by different tools and libraries. As a result, this can be (ab)used for simple jokes, anti-forensics or to bypass sanitizers which might lead to data exfiltration.
Ange Albertini: Reverse Engineer, author of Corkami
Gynvael Coldwind: His main areas of interest are low-level security (kernel, OS, client), web security and reverse-engineering. Captain of Dragon Sector CTF team :) Currently working as an Information Security Engineer at Google.
File Polyglottery; or This Proof of Concept is Also a Picture of CatsEvan Sultanik
Evan Sultanik's BSides Philly 2017 talk on File Polyglots. Watch the video, here: https://www.youtube.com/watch?v=fdKPnsWp9ho
A polyglot is a file that can be interpreted as multiple different filetypes depending on how it is parsed. While polyglots serve the noble purpose of being a nifty parlor trick, they also have much more nefarious uses, e.g., hiding malicious printer firmware inside a document that subverts a printer when printed, or a document that displays completely different content depending on which viewer opens it. This talk does a deep dive into the technical details of how to create such special files, using examples from some of the recent issues of the International Journal of PoC||GTFO. Learn how we made a PDF that is also a valid NES ROM that, when emulated, displays the MD5 sum of the PDF. Learn how we created a PDF that is also a valid PostScript document that, when printed to a PostScript printer, produces a completely different document. Oh, and the PostScript also prints your /etc/passwd file, for good measure. Learn how to create a PDF that is also a valid Git repository containing its own LaTeX source code and a copy of itself. And many more!
What every C++ programmer should know about modern compilers (w/ comments, AC...Sławomir Zborowski
YT: https://www.youtube.com/watch?v=nfDTTxH5DsI
Many C++ programmers (especially beginners) either underestimate or don't actually know the power of modern C++ compilers. In the presentation I discuss architecture of modern compilers, how big they are and features (including recently emerged ones) that everyone should be aware of. I also cover tooling and ecosystem that has grown around compilers.
JavaScript is great, but let's face it, being stuck with just JavaScript in the browser is no fun.
Why not write and run Ruby in the browser, on the client, and on the server as part of your next web application?
Flink and NiFi, Two Stars in the Apache Big Data ConstellationMatthew Ring
Presented to the Chicago Apache Flink Meetup, Jan. 19, 2016
Goal: To provide a non-exhaustive but interesting demonstration of Apache NiFi and Apache Flink working together. Included a demo of NiFi and Flink together to simulate a simplified trading ecosystem of Brokers and Day Traders, with streaming market data, orders, executions and P/L results.
A lecture given at MIT in Boston about the benefits and technicalities of open web standards for Video and Audio. Lots of examples how to manipulate live video using CSS3 and Canvas.
JS Fest 2019. Ryan Dahl. Deno, a new way to JavaScriptJSFestUA
From async-await to ArrayBuffers, the JavaScript language has changes significantly in the decade since Node.js was designed. Deno takes advantage of these developments and incorporate lessons learned in the development of Node to provide a new JavaScript platform built on V8 and Rust. This talk will teach the audience how to get started with Deno.
"Technical challenges"? More like horrors!
Let's explore first the technical debt of old file formats,
with the evolution of the "MP3" format.
Then we go through more recent forms of file format abuses and tools:
polyglots, polymocks, and crypto-polyglots.
Last, an overview of recent collisions and other forms of art with MD5.
They say that with file formats, "specs are enough".
Should we laugh, cry or run away screaming?
Presented at Digital Preservation Coalition's CyberSec & DigiPres event.
You are *not* an idiot ~ or maybe we're all idiots.
Keynote at NorthSec 2021.
Talking about school, failure, success, diploma, impostor syndrom, manipulators, burn out, suicide, and how to deal with them.
The talk delivery was more personal, the slides are kept generic.
The recording is available @ https://youtu.be/Iu70J49bPlE?t=20869 (starts at 5:47:49)
Demystifying hash collisions.
Pass the Salt, 1st July 2019.
video @ https://passthesalt.ubicast.tv/videos/kill-md5-demystifying-hash-collisions/
Hack.Lu, 22 October 2019.
video @ https://www.youtube.com/watch?v=JXazRQ0APpI
Beyond your studies ~ You studied X at Y. now what?
HackPra, July 2018
A student's life ago, the author somehow managed to graduate.
On the way, he made a lot of mistakes -- and he still does.
A few people since called him 'successful', but LOL, if only they knew....
And now, the author will do another (big!) mistake:
instead of hiding in shame as he probably should,
he'll share his mistakes with anyone bored enough to attend,
in the hope that he's the last person to ever look that dumb to commit such mistakes.
If you're a genius and you know what to do in life, please skip this. Seriously.
If, like the author at the time, you wonder WTF is going on with graduation, professional work and life, then hopefully you learn a few things. Maybe.
Btw the author is 42 (WTF - old!).
Maybe that will help to provide a few answers.
AKA "How people can create better video games via hacks"
Presented at Hack.Lu's Cryptoparty4kids 2015
Fallback slides: this was actually presented with videos and sound
video https://www.youtube.com/watch?v=vg7LPcFUxg8
audio / HD video download http://media.ccc.de/browse/congress/2014/31c3_-_5997_-_en_-_saal_6_-_201412282030_-_preserving_arcade_games_-_ange_albertini.html
complete animated presentation + extras (~1Gb):
https://archive.org/details/arcade31c3
more infos @ https://code.google.com/p/corkami/wiki/Arcade
by Axelle Apvrille & Ange Albertini
presented at BlackHat Europe 2014, in Amsterdam
PoC: https://github.com/cryptax/angeapk
AngeCryption: http://corkami.googlecode.com/svn/trunk/src/angecryption/
If the four 32-bit constants of SHA-1 can be modified, then exploitable collisions can be constructed. No need to panic, this doesn’t affect the original SHA-1. However, vendors and customers of products with custom cryptography will be interested.
for more information, check http://malicioussha1.github.io/
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
1. PDF:
Myths vs Facts
a Digital Preservation Coalition online event
Preserving Documents Forever: When is a PDF not a PDF?
Ange Albertini
Oxford University, 15th July 2015
3. Disclaimer:
this is my first digipres event
I come here with a very different perspective:
I might sound pessimistic (or provocative/killjoy)…
Give me hope, give me peace on earth ;)
I might be entirely wrong - please let me know!
4. I used to think:
“PDF is perfect”
Complex documents,
yet uniform rendering on any system
(no wonder it’s omnipresent)
⇒ I believed the myth...
14. the slides for my talk at 44Con
are distributed as a file that is
simultaneously
a PDF and a PE (a PDF viewer)
so that the slides can view themselves
(oh, and it’s also HTML + Java)...
PDF slides
PDF viewer
15. ...and it’s also schizophrenic (PDF documents appear different with different readers)
19. What you see is not always what you print - when you use Layers [Optional Content Groups]!
Fun fact: you can’t change the printing output with Adobe Reader ;)
20. JPEG + ZIP + PDF Chimera (3 headers but only 1 image data)
31. … and others
Bootable quine in assembly,
2 switchable PDFs via ROT13,
hash collisions,
GameBoy + Sega Master System...
32. You get the idea...
The worst case for preservation?
I explore corner cases, before attackers do it
33. How is it possible?
● signature offset not enforced
● stream object (containing anything)
● comments can contain binary data
● appended data
● objects tolerated between XREF and startxref
and a few specific abuses (some are fixed now)
35. ...and I wasn’t disappointed :)
Postscript Derived Failure
Practically Destructive File
Paper Dimensions Fixed
Polyglot (Definition|Deployment|Delivery) Framework
Posterity Depends on Forensics
Please Don't Fail / Again
Proven Dysfunctional Format
POC||GTFO Demonstration Format
Penile Dysfunction Format
Postscript Didn't Fit
Pants-Down Format
Pathetic & Dangerous Format
Posthoc Depression Format
Proprietary Document Fee
Public Domain Farce
Penetrate Dodgy Firewall
Pretty Demented Format
Payload Deployment File
Perpetually Disagreeable Format
Potential Disaster Forever
Perversely Designed Format
PDF is a Disaster for the Future
Preservation Dooming Format
Preserving Document Forever
37. A miracle?
Fonts are embedded in the document
Rendering is following complex rules
(overly-complex, from a security standpoint)
38. An open format?
ISO $pec$ = 200$
These specs only cover the main part :(
They are unclear - no formal guarantee :(
http://www.iso.org/iso/catalogue_detail.htm?csnumber=51502
39. A strict format ?
No reader completely enforces the specs
⇒ recovery mode (sometimes ‘explicit’)
signature, stream length, XREF…
40. Many possible malformations handled specifically by each reader (high level)...
standard structure
(each object should be distinct)
non-standard but tolerated structure
(inlined objects)
41. Many possible abuses
signature endobj /Count
text
operators
/Font font use xref /Resources trailer
Adobe
Reader
MuPDF
PDF.js
PDFium
Poppler
… different readers have different tolerances ...
follows the specs
corruption tolerated
absence tolerated
42. ...so a PDF specifically crafted for one reader, may fail with all other readers.
43. A uniform format?
Many free readers, but…
● Many (useful) features only available in Adobe
Reader:
forms, signature, layers…
(it’s Adobe’s business model)
● Other readers just aim to support “standard”
PDFs
45. A consistent format?
Adobe Reader is closing security issues.
This is good, but...
⇒ Some features are not supported anymore
⇒ Potential lack of backward compatibility
46. It’s a complex patchwork!
JPGs are stored entirely as-is, but PNG have to be converted to raw
Forms as XML
PostScript Transfer function
Web (Flash, JavaScript...)
3D objects
47. A coherent format?
- text + line comments, yet binary
- unusual whitespace, binary also in comments
- different escaping
- read forward+no separator and object reference
- hex as nibbles and odd-numbered
- bottom up but also possibly top down (who wins?)
- corrupted ZLIB still tolerated
- image compression for non-images
49. After all...
...Flash is being killed for security reasons,
after becoming progressively redundant.
PDF could be converted to something else.
50. PDF & preservation
● JPG + OCR’ed text = simple
...so simple that we wouldn’t need PDF ?
other PDFs = complex (Adobe-dependent)
Is PDF/A the solution? more $pec$
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=38920
51. “Backward compatibility”
...is a beautiful utopia!
And it leads to saying
“we've always done it this way"
even after several generations :(
53. Brace yourself...
PDF 2.0 is coming!
It’s not improving stability and preservability
Will Adobe adhere to it ? Since it’s distinct now…
*https://www.youtube.com/watch?v=wGmcTf-uMrE
55. Conclusion
● PDF is very useful - omnipresent for a reason
● it’s still involved in computer security
○ recent complete takeover of Windows 8.1 by @j00ru
● it’s quite a monster
○ I’m merely scratching the surface
○ its specs were messy from the beginning
● it’s far from perfect
○ “if only Adobe Reader was open”
*https://www.youtube.com/watch?v=FVBSvjYQgq8
56. ACK
Paul Wheatley
@doegox @pdfkunfoo @newsoft
@internot @insertscript @avlidienbrunn
@foxgrrl @chrisjohnriley @travisgoodspeed
and everybody for the PDF suggestions :)