Telling a story

•

0 likes•8 views

Meeting C++ "Patricia tells us how to engage with the audience by telling a story." Video: https://youtu.be/gxOFKAMbu1I?si=SmvN4CaDH1zKPOpN

TurtleSec
@pati_gallardo 1
Turtle
Sec
@pati_gallardo

TurtleSec
@pati_gallardo 2
Telling a Story
Meeting C++ 2022
Patricia Aas
Turtle
Sec

TurtleSec
@pati_gallardo 3
Patricia Aas - Trainer & Consultant
C++ Programmer, Application Security
Currently : TurtleSec
Previously : Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science
Pronouns: she/they Turtle
Sec

TurtleSec
@pati_gallardo 4
The difference between
having a point
and telling a story

TurtleSec
@pati_gallardo 5
Using a metaphor to
create language

TurtleSec
@pati_gallardo 6
Trying to Learn C#
Turtle
Sec
@pati_gallardo
In this talk I tried to take the words used to
describe natural languages and use them to
describe programming languages.

TurtleSec
@pati_gallardo 7
Frokost Frokost
?
Norwegian
Danish
Lunch
Drift in Meaning
Same Origin and Form
Breakfast
Not Same Meaning!

TurtleSec
@pati_gallardo 8
List List
?
Java
C#
ArrayList/
Vector
Not Same Meaning!
Same Origin and Form
Linked List?
Drift in Meaning

$TurtleSec @pati_gallardo 9 1. namespace PackageName { 2. public class ClassName { 3. // Class definition 4. } 5. } [C++] Namespaces Recognition Language C# More like C++ modules really? Drift in Meaning$

TurtleSec
@pati_gallardo 10
Illustrating time by using
popular culture

TurtleSec
@pati_gallardo 11
Turtle
Sec
@pati_gallardo
Classic Vulnerabilities
In this talk I tried to use popular culture to
remind people of their lives at certain points in
time, to illustrate how long ago something was.

TurtleSec
@pati_gallardo 12
TurtleSec
@pati_gallardo 12
2000
2022
Zoomers: Taylor Swift was 11
Boomers: Y2K
Systems
Programming
Binary
Exploitation

TurtleSec
@pati_gallardo 13
@pati_gallardo 13
2002
TurtleSec
Dilemm Nelly f . Kelly Rowlan

TurtleSec
@pati_gallardo 14
Using constrast to the
familiar to shake belief
system

TurtleSec
@pati_gallardo 15
Turtle
Sec
@pati_gallardo
Deconstructing Privilege
In this talk I tried to evoke memories in the
audience of their own lives and then contrast
that memory with another reality.

TurtleSec
@pati_gallardo 16
@pati_gallardo
Going To The Hairdresser

TurtleSec
@pati_gallardo 17
@pati_gallardo
Planning Vacation

TurtleSec
@pati_gallardo 18
The difference between
having a point
and telling a story,
is trying to ﬁgure out
how to tell you
what I'm trying to say.

TurtleSec
@pati_gallardo 19
Questions?
Photos from pixabay.com
Patricia Aas, TurtleSec
Turtle
Sec

TurtleSec
@pati_gallardo 20
Turtle
Sec
@pati_gallardo

Making software products can be fraught with conflicts, where people in different roles may feel sabotaged by others. In this talk I present a model for thinking about the problems we solve and how we solve them, and using that I hope to convince you that team excellence comes from our differences, rather than in spite of them. Hopefully you'll walk away with a deeper understanding of that colleague that never writes tests, or the one that constantly complains that all you do is "make bugs".

Dependency Management in C++ (NDC TechTown 2021)

Patricia Aas

Introduction to Memory Exploitation (Meeting C++ 2021)

Patricia Aas

Classic Vulnerabilities (MUCplusplus2022).pdf

Patricia Aas

Classic Vulnerabilities (ACCU Keynote 2022)

Patricia Aas

Introduction to Memory Exploitation (CppEurope 2021)

Patricia Aas

A lot of things have been developed over the last 15 years that should make the process of making a browser easier. In this talk we will explore a bunch of different tools, platforms and libraries that could go into making a browser in 2020. We will also see a live demo of a simple browser built with these OSS projects. We will also discuss the limitations and future work needed to make this work in practice.

Trying to build an Open Source browser in 2020

Patricia Aas

DevSecOps for Developers, How To Start (ETC 2020)

Patricia Aas

How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture? Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring.

The Anatomy of an Exploit (NDC TechTown 2019)

Patricia Aas

This document provides an overview of an exploit development process. It begins by discussing how exploits program the "weird machine" of vulnerable programs through memory manipulation. It then walks through developing a stack buffer overflow exploit against a vulnerable C program. Various compiler protections like stack canaries and ASLR are bypassed. The document generates a pattern to find the offset and writes an exploit program to automate writing an exploit string to trigger the vulnerability and redirect execution.

Elections: Trust and Critical Infrastructure (NDC TechTown 2019)

Patricia Aas

Free and correct elections are the linchpin of democracy. For a government to be formed based the will of the people, the will of the people must be heard. Across the world election systems are being classified as critical infrastructure, and they face the same concerns as all other fundamental systems in society. We are building our critical infrastructure from hardware and software built by nations and companies we can’t expect to trust. How can this be dealt with in Election Security, and can those lessons be applied to other critical systems society depends on today?

The Anatomy of an Exploit (NDC TechTown 2019))

Patricia Aas

Security vulnerabilities and secure coding is often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through simple exploit attempts, and finally a simple stack buffer overflow exploit, how it’s developed and how it’s used. The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as just another programming practice. We will mainly be looking at C and x86_64 assembly, so bring snacks.

Elections, Trust and Critical Infrastructure (NDC TechTown)

Patricia Aas

Survival Tips for Women in Tech (JavaZone 2019)

Patricia Aas

Being the only woman on your team can be hard. Many times it’s difficult to know what is only your experience and what is common. In this talk we’ll go through 24 tips (and a few bonus tips) based on well over a decade of experience being the only woman in several teams. If you’re a woman hopefully you’ll walk out with some ideas you can put to work right away, if you’re a man hopefully you’ll walk out with a new perspective and start noticing things in your day-to-day that you didn’t notice before. https://patricia.no/2018/09/06/survival_tips_for_women_in_tech.html

Embedded Ethics (EuroBSDcon 2019)

Patricia Aas

Patricia Aas is a C++ programmer and security expert who currently works for TurtleSec. She is concerned about issues like election security, privacy, and the lack of oversight and regulation in the technology industry. She believes technology has introduced fragility to important systems like democracy. However, most people do not understand the implications of technological issues and journalists struggle to explain the problems to the general public. This leaves the industry unregulated and unable to have meaningful public debates around ethics and social impacts.

Chromium Sandbox on Linux (NDC Security 2019)

Patricia Aas

Keynote: Deconstructing Privilege (C++ on Sea 2019)

Patricia Aas

Can you describe a situation that caused you to realize you were privileged? I have asked many people that question now, and what I have learned is that privilege is an Unconscious Incompetence. Being privileged is a non-event. When we become conscious of it we realize that our privileged experience is not applicable to less privileged people. What happens to them does not happen to us. Only when we become Consciously Incompetent do we realize the need to listen. We need to learn. In this talk I hope to make you realize that we all have privilege and to start a journey through self reflection to becoming Consciously Incompetent. I hope also to give some indicators and patterns that you can look for in your daily lives to recognize and maybe even to correct imbalances you see.

The Anatomy of an Exploit (CPPP 2019)

Patricia Aas

Security vulnerabilities and secure coding is often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through a simple exploit, how it’s developed and how it’s used. The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as another programming tool. We will mainly be looking at C and x86_64 assembly, so bring snacks.

Make it Fixable (NDC Copenhagen 2018)

Patricia Aas

The document summarizes Patricia Aas' talk on making software secure and fixable. It discusses common security issues such as being unable to roll out fixes, lack of control over dependencies, teams leaving without documentation, bugs in code, and pressure from management to implement insecure features. It provides recommendations to address each issue, such as maintaining version control, auditing dependencies, bringing work back in-house, rigorous testing and reviews, and protecting developers and users. The document also covers designing security notifications and interfaces with a focus on usability over detailed technical explanations.

Trying to learn C# (NDC Oslo 2019)

Patricia Aas

The document discusses various programming language concepts and how they are implemented in C# compared to other languages like C++. It provides code examples of concepts like namespaces, operator overloading, optional arguments, structs, properties, and delegates in C# and compares them to their implementation in C++ or other languages. It emphasizes finding the similarities between languages but also pointing out differences or potential "false friends" where the implementation or semantics have drifted from the original.

Why Is Election Security So Hard? (Paranoia 2019)

Patricia Aas

The Anatomy of an Exploit

Patricia Aas

Reading Other Peoples Code (NDC Copenhagen 2019)

Patricia Aas

Someone else's code. Even worse, thousands of lines, maybe hundreds of files of other peoples code. Is there a way to methodically read and understand other peoples work, build their mental models? In this talk I will go through techniques I have developed throughout 18 years of programming. Hopefully, you will walk away with a plan on how to approach a new code base. But even more, I hope you walk away with a feeling of curiosity, wanting to get to know your fellow programmers through their code.

6 DevSecOps Hacks (femtech 2019)

Patricia Aas

C++ The Principles of Most Surprise

Patricia Aas

RESUME BUILDER APPLICATION Project for students

KAMESHS29

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

Recently uploaded

RESUME BUILDER APPLICATION Project for students

KAMESHS29

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Neo4j

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

Malak Abu Hammad

Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers: * What is Vector Search? * Importance and benefits of vector search * Practical use cases across various industries * Step-by-step implementation guide * Live demos with code snippets * Enhancing LLM capabilities with vector search * Best practices and optimization strategies Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications. #MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

20 Comprehensive Checklist of Designing and Developing a Website

Pixlogix Infotech

Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.

Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...

Zilliz

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/ Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit. In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing. van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Speck&Tech

ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune. Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile. BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

How to Get CNIC Information System with Paksim Ga.pptx

danishmna97

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

SOFTTECHHUB

As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.

Recently uploaded (20)

RESUME BUILDER APPLICATION Project for students

Uni Systems Copilot event_05062024_C.Vlachos.pdf

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

20240607 QFM018 Elixir Reading List May 2024

Securing your Kubernetes cluster_ a step-by-step guide to success !

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

Removing Uninteresting Bytes in Software Fuzzing

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Monitoring Java Application Security with JDK Tools and JFR Events

20 Comprehensive Checklist of Designing and Developing a Website

Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...

“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Essentials of Automations: The Art of Triggers and Actions in FME

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

How to Get CNIC Information System with Paksim Ga.pptx

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

Telling a story

1. TurtleSec @pati_gallardo 1 Turtle Sec @pati_gallardo

2. TurtleSec @pati_gallardo 2 Telling a Story Meeting C++ 2022 Patricia Aas Turtle Sec

3. TurtleSec @pati_gallardo 3 Patricia Aas - Trainer & Consultant C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/they Turtle Sec

4. TurtleSec @pati_gallardo 4 The difference between having a point and telling a story

5. TurtleSec @pati_gallardo 5 Using a metaphor to create language

6. TurtleSec @pati_gallardo 6 Trying to Learn C# Turtle Sec @pati_gallardo In this talk I tried to take the words used to describe natural languages and use them to describe programming languages.

7. TurtleSec @pati_gallardo 7 Frokost Frokost ? Norwegian Danish Lunch Drift in Meaning Same Origin and Form Breakfast Not Same Meaning!

8. TurtleSec @pati_gallardo 8 List List ? Java C# ArrayList/ Vector Not Same Meaning! Same Origin and Form Linked List? Drift in Meaning

9. TurtleSec @pati_gallardo 9 1. namespace PackageName { 2. public class ClassName { 3. // Class definition 4. } 5. } [C++] Namespaces Recognition Language C# More like C++ modules really? Drift in Meaning

10. TurtleSec @pati_gallardo 10 Illustrating time by using popular culture

11. TurtleSec @pati_gallardo 11 Turtle Sec @pati_gallardo Classic Vulnerabilities In this talk I tried to use popular culture to remind people of their lives at certain points in time, to illustrate how long ago something was.

12. TurtleSec @pati_gallardo 12 TurtleSec @pati_gallardo 12 2000 2022 Zoomers: Taylor Swift was 11 Boomers: Y2K Systems Programming Binary Exploitation

13. TurtleSec @pati_gallardo 13 @pati_gallardo 13 2002 TurtleSec Dilemm Nelly f . Kelly Rowlan

14. TurtleSec @pati_gallardo 14 Using constrast to the familiar to shake belief system

15. TurtleSec @pati_gallardo 15 Turtle Sec @pati_gallardo Deconstructing Privilege In this talk I tried to evoke memories in the audience of their own lives and then contrast that memory with another reality.

16. TurtleSec @pati_gallardo 16 @pati_gallardo Going To The Hairdresser

17. TurtleSec @pati_gallardo 17 @pati_gallardo Planning Vacation

18. TurtleSec @pati_gallardo 18 The difference between having a point and telling a story, is trying to ﬁgure out how to tell you what I'm trying to say.

19. TurtleSec @pati_gallardo 19 Questions? Photos from pixabay.com Patricia Aas, TurtleSec Turtle Sec

20. TurtleSec @pati_gallardo 20 Turtle Sec @pati_gallardo

Telling a story

Recommended

Recommended

More Related Content

More from Patricia Aas

More from Patricia Aas (20)

Recently uploaded

Recently uploaded (20)

Telling a story