ManageIQ currently runs on Ruby on Rails 3. Aaron "tenderlove" Patterson presents his effort to migrate to RoR 4, which entails some changes in the code to take advantage of the latest advances in RoR.
For more on ManageIQ, see http://manageiq.org/
Here's a presentation I did for the Japanese Perl Association on April 21st, 2009.
It covers 10 aspects of Catalyst that may not be documented or discussed as much as they could be, that are very useful.
ManageIQ currently runs on Ruby on Rails 3. Aaron "tenderlove" Patterson presents his effort to migrate to RoR 4, which entails some changes in the code to take advantage of the latest advances in RoR.
For more on ManageIQ, see http://manageiq.org/
Here's a presentation I did for the Japanese Perl Association on April 21st, 2009.
It covers 10 aspects of Catalyst that may not be documented or discussed as much as they could be, that are very useful.
Terraform is an Infrastructure as Code tool for declaratively building and maintaining complex infrastructures on one or more cloud providers/services. But Terraform also supports over 80 non-infrastructure providers! In this demo-driven talk, will dive into the internals of Terraform and see how it works. We will show how Terraform can be used for non-infrastructure use cases by showing examples. We’ll also take a look at on how you can extend Terraform to manage anything with an API.
Diving into HHVM Extensions (php[tek] 2016)James Titcumb
HHVM is quickly gaining popularity, and it is a pretty exciting time for PHP runtimes. Have you ever wondered what is going on beneath this slick, super-speedy engine? I wondered that myself, so I dived into the internals of HHVM, discovering a treasure trove of awesome stuff. In this talk, I will show you how HHVM works and how it all pieces together through a guided tour of the codebase. I will also show you a couple of ways to write your own incredible HHVM extensions.
Zen: Building Maintainable Catalyst ApplicationsJay Shirley
After several years of building Catalyst applications, I've established a list of techniques that greatly increase maintainability.
Subtle points that are easy to understand, and easy to implement, that will help please your users and make your life easier.
This is the story of a company that had 10s of customers and were facing severe scaling issues. They approached us. They had a good product predicting a few hundred customers within 6 months. VCs went to them. Infrastructure scaling was the only unknown; funding for software-defined data centers. We introduced Terraform for infrastructure creation, Chef for OS hardening, and then Packer for supporting AWS as well as VSphere. Then, after a few more weeks, when there was a need for faster response from the data center, we went into Serf to immediately trigger chef-clients and then to Consul for service monitoring.
Want to describe this journey.
Finally, we did the same exact thing in at a Fortune 500 customer to replace 15 year-old scripts. We will also cover sleek ways of dealing with provisioning in different Availability Zones across various AWS regions with Terraform.
No dark magic - Byte code engineering in the real worldtcurdt
ften byte code engineering is perceived as "black magic" and considered too low level. This session will not bore you with all the details of the JVM specification but provide you with a practical overview of how this byte code "swizzling" can be used in the real world instead. Several projects have sucessfully leveraged this technique to achieve some amazing things (e.g. AOP). This session will go through some of these examples and try to outline the differences between the two major libraries (BCEL and ASM). Maybe your next project can then benefit from some of this "magic".
Many projects use at least some of them - the Jakarta Commons libraries. Small reusable libraries simplifying the day-to-day work of thousands of java programmers. But over time the jakarta commons project has grown and the number of components makes it harder and harder to keep track. This session will try to give an overview of the components available and how the Jakarta Commons community is organized.
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]RootedCON
Hace aproximadamente 1 año empezó radare2, un desarrollo paralelo a radare, orientado a ofrecer una API genérica y simple para C, Vala, Genie, python, perl y ruby con el fin de mantener el mínimo de código y presentar un acceso genérico a backends de debugging, formato de fichero, arquitectura, etc.
El framework facilita el uso de plugins o scripting para usar diversos backends de ensamblar/desensamblar, analizar cabeceras, emular, depurar, analizar código, buscar patrones, secuencias binarias entre otras.
Diseñado para ser portable entre múltiples arquitecturas y sistemas operativos, entre ellos, Linux, BSD, Solaris, Windows, x86-32/64, ARM, PowerPC y MIPS.
En la charla se presentará el conjunto de librerías y ejemplos prácticos de uso de esta herramienta.
When high performance on a web application is a hard requirement Varnish can be of rescue. But does it’s name, the high-performance HTTP accelerator, really bring what you expect? What are the caveats, pitfalls and problems you introduce when developing your application when the released version is only able to run when there is a Varnish in front? This session will give you some answers, tips and tricks to aid in application design, development with PHP and solutions when there is no Varnish in front of your application.
Responsible Disclosure Program: Why and HowShahee Mirza
Responsible disclosure is not new in global ICT. It is a different form of ethical hacking and vulnerability disclosure. This slides will discuss on walkthrough of a Responsible disclosure Program and Policy.
Terraform is an Infrastructure as Code tool for declaratively building and maintaining complex infrastructures on one or more cloud providers/services. But Terraform also supports over 80 non-infrastructure providers! In this demo-driven talk, will dive into the internals of Terraform and see how it works. We will show how Terraform can be used for non-infrastructure use cases by showing examples. We’ll also take a look at on how you can extend Terraform to manage anything with an API.
Diving into HHVM Extensions (php[tek] 2016)James Titcumb
HHVM is quickly gaining popularity, and it is a pretty exciting time for PHP runtimes. Have you ever wondered what is going on beneath this slick, super-speedy engine? I wondered that myself, so I dived into the internals of HHVM, discovering a treasure trove of awesome stuff. In this talk, I will show you how HHVM works and how it all pieces together through a guided tour of the codebase. I will also show you a couple of ways to write your own incredible HHVM extensions.
Zen: Building Maintainable Catalyst ApplicationsJay Shirley
After several years of building Catalyst applications, I've established a list of techniques that greatly increase maintainability.
Subtle points that are easy to understand, and easy to implement, that will help please your users and make your life easier.
This is the story of a company that had 10s of customers and were facing severe scaling issues. They approached us. They had a good product predicting a few hundred customers within 6 months. VCs went to them. Infrastructure scaling was the only unknown; funding for software-defined data centers. We introduced Terraform for infrastructure creation, Chef for OS hardening, and then Packer for supporting AWS as well as VSphere. Then, after a few more weeks, when there was a need for faster response from the data center, we went into Serf to immediately trigger chef-clients and then to Consul for service monitoring.
Want to describe this journey.
Finally, we did the same exact thing in at a Fortune 500 customer to replace 15 year-old scripts. We will also cover sleek ways of dealing with provisioning in different Availability Zones across various AWS regions with Terraform.
No dark magic - Byte code engineering in the real worldtcurdt
ften byte code engineering is perceived as "black magic" and considered too low level. This session will not bore you with all the details of the JVM specification but provide you with a practical overview of how this byte code "swizzling" can be used in the real world instead. Several projects have sucessfully leveraged this technique to achieve some amazing things (e.g. AOP). This session will go through some of these examples and try to outline the differences between the two major libraries (BCEL and ASM). Maybe your next project can then benefit from some of this "magic".
Many projects use at least some of them - the Jakarta Commons libraries. Small reusable libraries simplifying the day-to-day work of thousands of java programmers. But over time the jakarta commons project has grown and the number of components makes it harder and harder to keep track. This session will try to give an overview of the components available and how the Jakarta Commons community is organized.
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]RootedCON
Hace aproximadamente 1 año empezó radare2, un desarrollo paralelo a radare, orientado a ofrecer una API genérica y simple para C, Vala, Genie, python, perl y ruby con el fin de mantener el mínimo de código y presentar un acceso genérico a backends de debugging, formato de fichero, arquitectura, etc.
El framework facilita el uso de plugins o scripting para usar diversos backends de ensamblar/desensamblar, analizar cabeceras, emular, depurar, analizar código, buscar patrones, secuencias binarias entre otras.
Diseñado para ser portable entre múltiples arquitecturas y sistemas operativos, entre ellos, Linux, BSD, Solaris, Windows, x86-32/64, ARM, PowerPC y MIPS.
En la charla se presentará el conjunto de librerías y ejemplos prácticos de uso de esta herramienta.
When high performance on a web application is a hard requirement Varnish can be of rescue. But does it’s name, the high-performance HTTP accelerator, really bring what you expect? What are the caveats, pitfalls and problems you introduce when developing your application when the released version is only able to run when there is a Varnish in front? This session will give you some answers, tips and tricks to aid in application design, development with PHP and solutions when there is no Varnish in front of your application.
Responsible Disclosure Program: Why and HowShahee Mirza
Responsible disclosure is not new in global ICT. It is a different form of ethical hacking and vulnerability disclosure. This slides will discuss on walkthrough of a Responsible disclosure Program and Policy.
I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection. This presentation was presented in “securITy” Information Security Conference at BASIS SoftExpo 2012
Banking malware zeu s zombies are using in online banking theft.Nahidul Kibria
Video: https://www.youtube.com/watch?v=VE-w-AsfcGk
I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection. This presentation was presented in “securITy” Information Security Conference at BASIS SoftExpo 2014,Digital world 2014
I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection. This presentation was presented in IUT CTF G3t R00t
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON
Just like drinking is not a game in Finland; neither is browser bug hunting - it’s serious business! Browser bugs have been supporting Atte Kettunen (@attekett) traditional Finnish way of living since late 2011 and he’s going to tell you all about how he has been living the dream browser bug hunting - focusing on one of the most secure browser around, Google Chrome!
He’ll tell you a tale of his experiences with bounty programs and how those have evolved since he started way back (vendors can show the love too!) and how he’s managed to survive in the harsh environment of browser bug hunting. He’ll impart some important bug hunting social skills by showing you how and how NOT to step on the others guys toes - very competitive cottage industry is browser bug hunting. ;)
Atte is also going to share with you how and why he selected his current target feature *(still full of bugs!), how he built his fuzzer-module(s) and the results produced. We’ll all walk a mile in a bug hunters shoes together and take a peek at the tool sets, as well as the infrastructures that are used to find browser bugs by individuals and vendors!
This project was completed in order to gain hands-on experience in smashing the stack by exploiting vulnerabilities in a given binary.
The project involved designing exploits and eggs(payload) for various vulnerabilities that may exist in a given binary and execute the exploits to perform privilege escalation.
This project is meant for education purpose only.
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee
2012 CodeEngn Conference 06
Secuinside는 코스콤에서 주최, 연합해킹그룹 HARU, 고려대 정보보호대학원에서 주관하는 국제 해킹대회 및 보안컨퍼런스로써 얼마전 개최된 해킹대회 예선전 문제들을 풀기위해 사용한 분석기술과 ASLR과 NX를 우회하는 새로운 익스플로잇 기술에 대해서 소개한다.
http://codeengn.com/conference/06
Node has revolutionized modern runtimes. Their async by default strategy boasts 3x the throughput of Java. And yet, the language runs 5x slower than C++ (when JS is interpreted).
This talk is an advanced intro into the world of Node where we take a closer look under the hood. What's the event loop? Why are there multiple compilers for JS in Node/V8? How many threads are actually used in Node and for what purpose? We'll answer these questions and more as we go over libuv, v8, the node core library, npm, and more.
If you're developing with Node, want to start, or are just curious about how it works, please check it out!
Keep hearing about Plack and PSGI, and not really sure what they're for, and why they're popular? Maybe you're using Plack at work, and you're still copying-and-pasting `builder` lines in to your code without really knowing what's going on? What's the relationship between Plack, PSGI, and CGI? Plack from first principles works up from how CGI works, the evolution that PSGI represents, and how Plack provides a user-friendly layer on top of that.
Automate Payload Generation for a Given Binary and Perform AttackAbhishek BV
Important Note: This project is for education purpose only.
The project was completed in order to gain hands-on experience in secure programming in C language and also to understand buffer overflow vulnerabilities that arise due to bad programming practices.
In the second phase of the project, exploit scripts were written in python to exploit these vulnerabilities and consequently gain Root/ Admin privileges.
This automated tool traverses any given binary and identifies vulnerabilities that could be exploited. Also, it generates a payload to exploit the binary.
See project Automate Payload Generation for a Given Binary and Perform an Attack.
various tricks for remote linux exploits by Seok-Ha Lee (wh1ant)CODE BLUE
Modern operating systems include hardened security mechanisms to block exploit attempts. ASLR and NX (DEP) are two examples of the mechanisms that are widely implemented for the sake of security. However, there exists ways to bypass such protections by leveraging advanced exploitation techniques. It becomes harder to achieve code execution when the exploitation originates from a remote location, such as when the attack originates from a client, targeting server daemons. In such cases it is harder to find out the context information of target systems and, therefore, harder to achieve code execution. Knowledge on the memory layout of the targeted process is a crucial piece of the puzzle in developing an exploit, but it is harder to figure out when the exploit attempt is performed remotely. Recently, there have been techniques to leverage information disclosure (memory leak) vulnerabilities to figure out where specific library modules are loaded in the memory layout space, and such classes of vulnerabilities have been proven to be useful to bypass ASLR. However, there is also a different way of figuring out the memory layout of a process running in a remote environment. This method involves probing for valid addresses in target remote process. In a Linux environment, forked child processes will inherit already randomized memory layout from the parent process. Thus every client connection made to server daemons will share the same memory layout. The memory layout randomization is only done during the startup of the parent service process, and not randomized again when it is forking a child process to handle client connections. Due to the inheritance of child processes, it is possible to figure out a small piece of different information from every connection, and these pieces can be assembled later to get the idea of a big picture of the target process's remote memory layout. Probing to see if a given address is a valid memory address in context of the target remote process and assembling such information together, an attacker can figure out where the libc library is loaded on the memory, thus allowing exploits to succeed further in code execution. One might call it brute force, but with a smart brute forcing strategy, the number of minimal required attempts are significantly reduced to less than 10 in usual cases. In this talk, we will be talking about how it is possible to probe for memory layout space utilizing a piece of code to put the target in a blocked state, and to achieve stable code execution in remote exploit attempt scenarios using such information, as well as other tricks that are often used in remote exploit development in the Linux environment.
http://codeblue.jp/en-speaker.html#SeokHaLee
Given at zendcon 2008 - my very first conference talk. And I did it way too fast. A lot of the information about these extensions is surprisingly relevant.
This presentation goes over basic exploitation techniques. Topics include:
- Introduction to x86 paradigms used exploited by these techniques
- Stack overflows including the classic stack smashing attack
- Ret2libc
- Format string exploits
- Heap overflows and metadata corruption attacks
Similar to Sending a for ahuh. win32 exploit development old school (20)
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Sending a for ahuh. win32 exploit development old school
1. Sending A for Ahuh.
Win32 Exploit development old school
2. The OWASP Foundation
http://www.owasp.org
Nahidul Kibria
Co-Leader, OWASP Bangladesh,
Principal Software Engineer,
Orbitax Bangladesh Ltd.
Writing code for fun and food. And a
security enthusiastic
@nahidupa
3. Sending A for Ahuh.
Win32 Exploit development old school
WTHell this
guy talking
about?
15. X86 Registers
• EIP - Address of next instruction
• ESP - Address for the top of the stack
• EBP - Stack Base Address
• EAX/ECX/EDX - Holds variables and data
for the application
51. Find jmp to esp
We can control the EIP and ESP
Little Endian: Little and big endian refers
to those bytes that are the most
significant. In a little-endian system, the
least significant byte is stored first. x86
uses a little-endian architecture.
58. Step by step exploit
• Step 1 – Crashing the application:
• Step 2 – Determine the offsets:
• Step 3 – The pain begins, finding an
instruction that will take us back to the
stack:
• Step 4 – Writing venetian shellcode.
• Step 5-Putting it all together
68. Data Execution Prevention (DEP)
DEP was introduced in Windows XP Service Pack 2.
Basic idea is
Prevent an application or service from executing code from a
non-executable memory(-NX) region.
69. DEP is two types
hardware-enforced DEP for CPUs that can mark memory
pages as nonexecutable,
and software-enforced DEP with a limited prevention for
CPUs that do not have hardware support.
70. DEP can be bypass by “Return to libc”
Reference: http://www.infosecwriters.com/text_resources/pdf/return-to-libc.pdf
We still overwrite the return address with one of a
function in libc, pass it the correct arguments and have that execute for us.
Since these functions do not reside on the stack, we can bypass the stack
protection and execute code.