This document provides an overview of using the bash shell as a productivity tool. It discusses using the terminal, basic bash usage including redirection, pipes, configuration files, keyboard shortcuts, history, and tab completion. Useful utilities like sed, awk, find, grep and scripting basics are covered. Tools for developers like Homebrew, Git, Xcode, and Cocoapods are also summarized. The document aims to help users "unleash their inner console cowboy" and do more work directly from the command line.
This document provides an introduction and overview of Node.js. It discusses that Node.js is asynchronous and event-driven, uses non-blocking I/O, and is well-suited for data-intensive real-time applications that run across distributed devices. It also provides instructions on getting started with Node.js, including installing it, basic usage like importing modules and writing files, how to create a simple web server, working with event-driven libraries, and popular Node.js projects like Express and Socket.IO.
Mining Ruby Gem vulnerabilities for Fun and No Profit - Larry Cashdollar
The document discusses mining Ruby gems for vulnerabilities. It describes how the author downloaded Ruby gems in bulk from an online repository, examined their code for vulnerabilities such as command injection and exposed credentials, documented the findings, and sought to automate and crowdsource the process. Issues encountered included a large number of false positives and a lack of response from gem authors. The author proposes extending the approach to other programming languages and package ecosystems.
The document provides an overview of building a web application from start to launch using Ruby on Rails. It covers installing Rails, setting up models and database tables, creating views with ERB templates, writing controller code, and testing the application with Cucumber features and RSpec tests. The document concludes with instructions for deploying the application to Heroku.
This document discusses various software exploits, both old and new. It begins with background on the author and the terminology used. Several past exploits are described in detail, including vulnerabilities in IRIX Midikeys from 1999, Sawmill from 2000, and Solaris catman from 2000, with exploit code examples. More recent exploits include a race condition in Centrify from 2012, command injection in an FTP server from 2013, SQL injection in a WordPress plugin from 2015, and remote file inclusion in another WordPress plugin from 2015. The document closes by inviting questions.
The document discusses exploring interesting Java features and how they are compiled and executed by the Java Virtual Machine (JVM). It begins with an introduction and overview of the topics that will be covered, including looking at Java bytecode, compiler logs, and generated native code. Examples of simple "Hello World" and math programs are provided and their compilation steps are examined at the bytecode, logging and native code levels to demonstrate how Java code is handled by the JVM.
Twisted is an event-driven networking engine written in Python. It provides tools for developing asynchronous network applications and services. Some key features of Twisted include an asynchronous reactor framework, support for deferreds/promises, common network protocols and services implemented, and application framework for building services.
- Ideato uses Ansible to provision and configure 50+ VMs across development, staging, and production environments. This allows developers easy configuration of their environments and saves sysadmins time on maintenance tasks.
- Ansible roles package configuration for reuse much as Puppet modules do, and playbooks make rolling updates across environments painless. Learning YAML is easier than learning a Ruby DSL for configuring nodes.
- A demo was shown using Ansible to deploy an Elasticsearch cluster on AWS across multiple availability zones for high availability. Tasks included launching EC2 instances, configuring the cluster, and inserting sample data.
How to discover 1352 Wordpress plugin 0days in one hour (not really) - Larry Cashdollar
The document summarizes the speaker's attempt to discover cross-site scripting (XSS) vulnerabilities in WordPress plugins at scale. He downloaded over 42,000 plugins and used scripts to scan them for potential XSS issues. This yielded around 1,300 candidate vulnerabilities, which he tried to verify automatically with PhantomJS. However, because of issues such as WordPress's own sanitization of GET/POST variables, only a small fraction could be verified that way. He learned that fully testing a candidate requires reproducing the complete environment. The effort found some real issues, but more careful research and validation was needed.
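An added example, not the speaker's scripts, of the verification step that tripped him up. It assumes that the "sanitization" in question is WordPress's `wp_magic_quotes()`, which runs PHP `addslashes()` over `$_GET`, `$_POST` and `$_COOKIE` before any plugin code sees them; that is my reading of the summary, not something the talk states. The point the code makes: a naive "is my payload a substring of the response" check mislabels a slashed reflection as confirmed, because `\"><script>` still contains `"><script>`, so the classifier looks at the byte before the reflection and also tries a probe with no quote or backslash at all, which passes through `addslashes()` unchanged. The three "plugin" behaviours are constructed stand-ins with no real plugin behind them.

```ruby
#!/usr/bin/env ruby
# Added example (not from the talk): classify how an XSS probe is reflected by
# a WordPress plugin whose request variables were rewritten by magic quotes.
require "cgi"

# One probe that needs a double quote to leave an attribute, one that contains
# no quote or backslash and so survives addslashes() byte for byte.
PROBES = [
  '"><script>alert(1)</script>',
  "<svg onload=alert(1)>",
].freeze

# PHP addslashes(): backslash-escape ' " \ and NUL. Assumed here to be what
# WordPress applies to $_GET/$_POST/$_COOKIE in wp_magic_quotes().
def php_addslashes(s)
  s.gsub(/(['"\\])/) { "\\#{$1}" }.gsub("\0", "\\0")
end

# How did the probe come back? A verbatim substring match is not enough: with
# magic quotes the body holds \" plus the rest of the probe, which still
# contains the probe as a substring. So also inspect the byte before it.
def classify_reflection(payload, body)
  idx = body.index(payload)
  if idx
    slashed = idx > 0 && body[idx - 1] == "\\" && payload.start_with?('"', "'")
    return slashed ? :reflected_slashed : :reflected_raw
  end
  return :reflected_slashed      if body.include?(php_addslashes(payload))
  return :reflected_html_escaped if body.include?(CGI.escapeHTML(payload))
  :not_reflected
end

# fetch: probe string -> response body (an HTTP GET against a test install, or
# a stub offline). A probe counts as confirmed only when it comes back
# untouched. :reflected_slashed is left for manual review: a leading \" still
# terminates an HTML attribute but does not terminate a JavaScript string, so
# exploitability depends on where in the page the value lands.
def verify_xss(fetch)
  results = PROBES.to_h { |p| [p, classify_reflection(p, fetch.call(p))] }
  confirmed = results.find { |_, v| v == :reflected_raw }&.first
  { confirmed: confirmed, results: results }
end

# Constructed responses for a ?q= parameter under three plugin behaviours.
def constructed_plugin(kind)
  lambda do |probe|
    value = case kind
            when :wordpress_unescaped then php_addslashes(probe)                  # echo $_GET['q'] under magic quotes
            when :wordpress_escaped   then CGI.escapeHTML(php_addslashes(probe))  # echo esc_html($_GET['q'])
            when :plain_php           then probe                                  # echo $_GET['q'] outside WordPress
            end
    %(<html><body><input name="q" value="#{value}"></body></html>)
  end
end

if __FILE__ == $PROGRAM_NAME
  %i[wordpress_unescaped wordpress_escaped plain_php].each do |kind|
    r = verify_xss(constructed_plugin(kind))
    puts "#{kind}: confirmed=#{r[:confirmed].inspect} #{r[:results].values.inspect}"
  end
end
```

Against the unescaped WordPress stand-in the quoted probe is classified `:reflected_slashed` while the quote-free `<svg onload=alert(1)>` is confirmed raw; against the `esc_html` stand-in nothing is confirmed; against plain PHP the quoted probe is confirmed immediately. To use it against a real test install, pass `verify_xss` a lambda that performs the GET and returns the body, and keep the `:reflected_slashed` results in the manual queue rather than the discard pile.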
This document discusses how to build and use SQLCipher, an SQLite extension that provides encryption of database files. It describes compiling SQLCipher and OpenSSL from source, configuring an Xcode project to include the libraries, setting an encryption key for databases, and provides links for further information.
Bootstrap your Cloud Infrastructure using puppet and hashicorp stack - Bram Vogelaar
The document discusses using Packer, Puppet, Vagrant, Terraform, and Consul to automate infrastructure provisioning in the cloud. Packer is used to build machine images with Puppet provisioning. Vagrant then uses these images to bootstrap VMs. Terraform models infrastructure in code and provisions resources like virtual machines. Consul provides service discovery and coordination.
One of the most important benefits of automated testing is to allow fast and safe refactoring as the system architecture evolves. The main problem is how to write tests that are easy to write, easy to follow and not time consuming, either to develop or to run. In this session, we are going to explore some powerful Java testing libraries that will help you write better (unit) tests, focusing on the main Unicorns architecture challenges such as validating microservice endpoints, remote calls to other microservices, or just asynchronous/reactive code.
Fast as C: How to Write Really Terrible Java - Charles Nutter
For years we’ve been told that the JVM’s amazing optimizers can take your running code and make it “fast” or “as fast as C++” or “as fast as C”…or sometimes “faster than C”. And yet we don’t often see this happen in practice, due in large part to (good and bad) development patterns that have taken hold in the Java world.
In this talk, we’ll explore the main reasons why Java code rarely runs as fast as C or C++ and how you can write really bad Java code that the JVM will do a better job of optimizing. We’ll take some popular microbenchmarks and burn them to the ground, monitoring JIT logs and assembly dumps along the way.
Puppet is a tool that allows users to declaratively configure systems. It provides abstraction through defined resources like packages and files, ensures configurations are idempotent, and converges systems to the desired state declaratively rather than imperatively through scripts. Puppet code is organized into reusable modules and managed through version control. Modules should include tests, be validated with tools like puppet-lint, and tested in automated environments like Travis CI to ensure high quality.
Whether you call yourself a system administrator, developer, or DevOps sprint mediator, life is too short for sloppy shell scripts! In this talk, we look at how to improve them so they stand the test of time. Michael will share how to create a good foundation for your scripts, so they run more reliably now and in the future. Your (future) colleagues might love you for it.
Focus areas of this presentation include error handling, security, style, and best practices. Also, it will cover (many) mistakes made by Michael over the last 20 years.
This document on Ansible can be summarized in three points:
1) The document provides tips and tricks for using Ansible for tasks like automation, orchestration, and distributed batch execution across multiple hosts.
2) It also demonstrates how Ansible can be used for auditing changes to files and system configuration over time through plugins, callbacks, and other extensions.
3) Additionally, the document shows how Ansible can be customized and expanded through techniques like abstracting packages and configurations, creating custom modules, and executing tasks in a more programmatic way.
This document provides an overview of upcoming technologies beyond the Java Virtual Machine (JVM). It begins with introductions and then discusses several topics:
- There are many open-source JVMs beyond Oracle's HotSpot such as JamVM, Maxine, and JikesRVM.
- Reasons for using the JVM include its large standard library and ease of portability compared to alternative virtual machines. However, startup time can be slow.
- Techniques for improving JVM startup time are discussed, such as saving JIT-compiled code and using the Drip tool to pre-initialize JVMs.
- Native interoperability is explored through the Java Native Interface (JNI
Getting started with DataStax .NET Driver for Cassandra - Luke Tillman
Video of this presentation from Cassandra Day Seattle is here: https://www.youtube.com/watch?v=sbs6YExxYqc&index=6&list=PLqcm6qE9lgKIgRKG0d-NEvYw9qYOztbci
So you’ve grabbed the latest 2.0 version of the DataStax C# driver from NuGet. Now what? In this talk, Luke will walk you through some of the basics of the C# driver--how to bootstrap the driver and connect to a cluster, execute CQL, and retrieve the results. Wondering what the difference between a PreparedStatement and a SimpleStatement is? Not sure what the appropriate lifetime is for a Cluster or a Session object? What about ADO.NET and LINQ support? We’ll cover this and more, so that you can get on with building applications on top of Cassandra. Even if you’re not a C# developer (or think that C# is the handiwork of the devil), many of the concepts we’ll cover will help you get started with the other DataStax drivers as well (Python, Java, and C++).
Alex Troush - IEx Cheat Sheet. Guide to Win with IEx on your Day to Day Job - Elixir Club
This document provides an overview of useful commands and features in IEx, Elixir's interactive shell:
1. It describes how to start IEx with "iex" or "iex -S mix" to start in a project context.
2. It explains the Ctrl-C, Ctrl-G, and Ctrl-\ commands for interrupting, switching jobs, and exiting IEx.
3. It notes that the .iex.exs file can be used to configure the IEx shell on start up.
4. It lists some IEx helpers like h, v, IEx.pry, r, and respawn for getting help, viewing history, debugging,
Understanding bytecode and what bytecode is likely to be generated by a Java compiler helps the Java programmer in the same way that knowledge of assembler helps the C or C++ programmer. Java bytecode is the form of instructions that Java virtual machine executes. This knowledge is crucial when debugging and doing performance and memory usage tuning. The presenter will share his knowledge on what bytecode means for your platform and how to create compiler while using some awesome tools.
https://www.youtube.com/watch?v=VNmtmz3mJN4&
Deep dive into InjectionTDD - how to perform iOS unit tests realtime, without rebuilding entire Xcode project.
The document discusses evasion techniques used by malware to avoid detection by antivirus scanners. It gives a brief history of techniques such as process hollowing and code injection methods, then summarizes how antivirus scanners work by intercepting operations such as file opening and memory mapping. It also discusses how NTFS transactions on Windows allow file operations to be performed transactionally.
Integrating icinga2 and the HashiCorp suite - Bram Vogelaar
This document discusses integrating various HashiCorp tools like Packer, Vagrant, Terraform, Consul, and Vault with Icinga monitoring. Packer is used to build machine images while Vagrant provisions virtual machines. Terraform models infrastructure as code and can integrate with Icinga to provision hosts, checks, and notifications. Consul provides service discovery and can trigger Icinga config deployment. Vault manages secrets and certificates that could be used for authentication in Icinga. The presenter demonstrates using these tools together for infrastructure as code and monitoring workflows.
This document discusses using Packer to build Windows images. It provides an overview of the Packer build process and components. It then details the specific steps and configuration for building a Windows 2012 R2 image within VirtualBox, including defining the builder, provisioning the image, and post-processing to package it as a Vagrant box. It concludes with some tips and additional resources for building Windows images with Packer.
sizeof(Object): how much memory objects take on JVMs and when this may matter - Dawid Weiss
The object header holds the mark word (identity hash, GC age and lock state) and the klass pointer. Hexdumping the memory of a simple object before and after its identity hash is requested shows the hash being written into the mark word. On 64-bit JVMs the mark word is 8 bytes, made up of unused bits, the hash, and the age/lock bits; on 32-bit JVMs it is 4 bytes, and the hash overwrites bits that were unused until it was computed.
Web developers constantly look for the latest and greatest ways to hone their craft, but changes come fast. From jQuery to Angular to Ember to React, CoffeeScript to TypeScript, it seems there is always something new. But ES6 is something different. With ES6 we are seeing the evolution of core JavaScript. It includes syntactic improvements and great new features never before seen in client-side code. Linters and transpilers for ES6 are readily available and easy to use. There is no need to wait; learn how to leverage the power of "the new JavaScript" in your applications, today!
Ansible for beginners...?
This presentation shows that Ansible can do not only provisioning but also orchestration, in the manner of Capistrano or Fabric.
Modules are very easy to create, and not only in Python: shell, Ruby and other languages work too.
This document discusses social media analytics and its importance for businesses. It provides interesting statistics about social media usage and defines social media analytics as using traditional business data and social media data to make business decisions. Some benefits of social media analytics include gaining a competitive advantage, learning from customers, and enhancing products and services. The document also outlines key concepts for measuring engagement on social media like funnels, engagement tracking, and visitor retention. It concludes by listing several tools that can be used for social media analytics.
AbsolutData and Alteryx surveyed industry thought leaders to gather insight into how organizations use Customer Analytics, including adoption levels, goals, usage, and relative maturity.
And the survey revealed:
3 focus areas that benefit the most from Customer Analytics
3 biggest challenges that inhibit analytic decision making
3 critical changes that will drive improvements in 2013 and beyond
Based on the results of the survey, AbsolutData and Alteryx will now be holding a webinar on 16th July 2013 at “5:30pm CST” to provide more information on how your peers use data to predict customer behavior, and drive measurable improvements in sales, customer retention, and loyalty.
This document discusses several key aspects of e-contracts, including:
1. Online contract formation requires inclusion of important terms like remedies, payment methods, and privacy policies. Acceptance can occur through click-wrap or browse-wrap agreements.
2. E-signatures are legally valid under the Uniform Electronic Transactions Act and E-SIGN Act at both the state and federal level.
3. Partnering agreements between buyers and sellers outline protocols for electronic ordering and inventory management.
4. The UETA aims to remove barriers to e-commerce by defining e-signatures and establishing rules for electronic transactions and errors.
The BCG matrix is a portfolio planning model that classifies a company's business units into four categories based on their market share and market growth rate: stars, question marks, cash cows, and dogs. Stars are market leaders that generate cash but also require heavy investment. Question marks have potential but also absorb cash. Cash cows are mature business units in stable industries that generate cash with little investment. Dogs are cash traps in declining industries. The matrix helps identify how to allocate resources for maximum growth and profitability by screening opportunities and considering investment needs. However, it only considers two dimensions and high market share does not guarantee profits.
This document outlines the history and development of the BCG growth-share matrix, a tool created by the Boston Consulting Group in the 1970s to analyze business opportunities and competitive ability. It describes the key components of the matrix, including market share, market growth rate, and how products move through the product lifecycle. The matrix sorts products into four categories - stars, question marks, cash cows, and dogs - based on their market share and growth rate. It provides recommendations for resource allocation and investment for products in each category. While simple, the BCG matrix gives a quick way to evaluate opportunities and make strategic resource decisions.
The BCG Matrix is a portfolio analysis tool developed by the Boston Consulting Group in the 1970s to help corporations analyze their business units, or Strategic Business Units (SBUs). It uses a 2x2 matrix, with relative market share on the x-axis and market growth rate on the y-axis, to categorize SBUs into four groups: Stars, Cash Cows, Question Marks, and Dogs. The document provides details on the emergence, components, applications, advantages, and limitations of the BCG Matrix model for analyzing corporate portfolios.
Self-service data analytics enables business users to access and analyze corporate data without needing expertise in data analysis, business intelligence, or data mining. It provides an easy-to-use platform for users to prepare, blend, and analyze data using a repeatable workflow and then deploy and share analytics. The benefits of self-service data analytics include faster time to insights, no need for upfront data modeling, a user interface designed for non-technical users, and the ability to connect to more data sources.
Embedded business intelligence involves integrating self-service BI tools directly into commonly used business applications. This allows for enhanced user experience with visualization, real-time analytics and interactive reporting directly within applications. Embedded BI aims to make business
The document appears to be a template for a presentation on the BCG matrix. The BCG matrix is a tool used to analyze business units or product lines based on their relative market share and growth rate. The template includes placeholder text and graphics to help a presenter customize the presentation for their specific company and products. It provides guidance on formatting slides with sections for strengths, weaknesses, opportunities, threats, product portfolio analysis, and recommendations.
Presentation from Mini UPA Boston 2011.
Analysis of online activity (analytics) has growing attention in the work of user experience design. How do we know when our findings are actionable answers and when they serve as refined questions begging for further exploration through qualitative user research? Can you really learn about your users through analytics?
This presentation will demystify web analytics, addressing common misconceptions. Through tips and examples of tactical applications of free tools and web analytics data in a ‘UX friendly’ context, this session will show that analytics can be an efficient tool for gaining rapid insight into user behavior and improving the value of our designs. We will explore ways to recognize findings that demand further investigation.
Business analytics is the practice of iterative statistical analysis of a company's data to support data-driven decision making. It has evolved from early uses of basic graphs and spreadsheets to track sales trends and predict outcomes, to modern applications that gain insights from large volumes of historical data using descriptive analytics and predict customer behavior using predictive analytics to inform real-time decisions. Common business analytics tools include SPSS for statistical analysis and Microsoft Excel for calculations, graphs, and pivot tables.
CIO’s are gearing up to unlock their Big Data value to gain actionable insights and fuel the Digital Transformation journey. Here are some facts that illustrate how Big Data is getting bigger.
This document presents the Boston Consulting Group (BCG) matrix for analyzing a company's product portfolio. The matrix categorizes products as Stars, Cash Cows, Question Marks, or Dogs based on their relative market share and market growth. It then provides recommendations for each category: Stars should focus on increasing market share; Cash Cows should maximize cash flow; Question Marks require assessing growth potential and investing or withdrawing; Dogs should be divested or concentrated on profitable niches. Several issues with only using the BCG matrix are also noted, such as other factors influencing profitability beyond just market share and cash flow.
The document discusses the Boston Consulting Group (BCG) Matrix, which classifies businesses into four categories based on their relative market share and market growth rate. The four categories are stars, question marks, cash cows, and dogs. Stars have high market share and growth, while cash cows have high share but low growth. Question marks and dogs have low relative market share, with question marks in a high growth market and dogs in a low growth market. The BCG Matrix helps companies assess their product portfolios and allocate resources efficiently.
The document discusses the lean analytics cycle of metrics, hypothesis, experiment, and act. It provides examples of how Hello Bar used this process to improve their installation rate. They found a low installation rate in metrics, hypothesized that more options would increase installations, tested this in an experiment, and achieved a 40% increase. Through dozens of experiments, their rate increased by 89%. The document encourages analyzing metrics to find opportunities, forming hypotheses through research, rigorously testing hypotheses, and making data-driven decisions.
The document discusses the Boston Consulting Group (BCG) Matrix, which classifies business units into four categories based on their relative market share and market growth rate: Question Marks, Stars, Cash Cows, and Dogs. Question Marks have high growth but low market share, requiring high investment. Stars have high growth and market share but also require heavy investment. Cash Cows have low growth but high market share, generating cash with little investment. Dogs have low growth and market share and are cash traps. The BCG Matrix helps assess a product portfolio, cash demands, resource allocation, and divestment decisions.
The document provides an overview of iOS development basics including the iOS ecosystem, development tools like Xcode and Instruments, Objective-C language syntax, UI elements, memory management, and connecting to network resources. It covers setting up an iOS developer account, provisioning profiles, and submitting apps to the App Store. Key classes for networking like NSURL, NSURLRequest, and NSURLConnection are introduced along with using delegates and data sources. Parsing JSON and XML is also briefly discussed.
This document provides an overview of mobile development and the iOS ecosystem. It discusses that mobile apps require UI optimization and a mission statement. It also covers Xcode, Objective-C, memory management, UIKit, MapKit, and annotations for displaying locations on maps. The document recommends designing mobile apps differently than desktop apps and following Apple's human interface guidelines.
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
On the Edge Systems Administration with GolangChris McEniry
This document describes a tutorial on systems administration topics using the Go programming language. It provides an overview of the schedule and topics to be covered, including Go language features like interfaces, files, web servers, TLS, HTTP/2, JSON, package management, one-liners, cross-compilation, metrics, containers, and SSH. It also lists some prerequisites and expectations around the example code provided, noting that errors will be panicked and the code is for demonstration purposes only and not meant for production use. The document is intended to serve as an agenda and introduction to the tutorial content.
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
The potential problem with caching in update_homepage is that deleting the cache key after updating the page could lead to a race condition or stampede.
Since the homepage is being hit 1000/sec, between the time the cache key is deleted and a new value is set, many requests could hit the database simultaneously to refetch the page, overwhelming it.
It would be better to set a new value for the cache key instead of deleting it, to avoid this potential issue.
Daniel Greenfeld gave a presentation titled "Intro to Python". The presentation introduced Python and covered 21 cool things that can be done with Python, including running Python anywhere, learning Python quickly, introspecting Python objects, working with strings, lists, generators, sets and dictionaries. The presentation emphasized Python's simplicity, readability, extensibility and how it can be used for a wide variety of tasks.
This document discusses why every tester should learn Ruby. It notes that testers often use scripting languages like VBScript, SQABasic, RobotJ, and VU to automate tests, but that Ruby is a better alternative being a simple yet powerful object-oriented and dynamic programming language. Ruby has a high testing culture in its community and is used for test automation with frameworks like Selenium and Watir for web testing, JRuby for GUI testing with Java libraries, and can interface with databases using Ruby-PLSQL-Spec for testing Oracle PL/SQL code. The document provides examples of test scripts in Ruby and argues that Ruby allows tests to serve as executable specifications.
Build your own embedded linux distributions by yocto projectYen-Chin Lee
The document discusses the Yocto Project, an open-source collaboration project that provides templates, tools, and methods for creating custom Linux-based systems for embedded products. It provides an overview of the key components of Yocto including Poky, BitBake, and metadata. It also summarizes how to get started with Yocto including downloading Poky, setting up the build environment, and building a minimal image that can be run in QEMU for testing purposes.
Paver is a Python build tool that provides tasks for common build operations like installing dependencies, running tests, building documentation, and more. It aims to be simple for basic tasks but support more complex workflows. Paver embraces existing Python tools like distutils, setuptools, and virtualenv. It allows defining tasks and options in a pavement.py file and running tasks with a single command line. Paver also supports features like auto-discovery of Django apps and integration with tools like Fabric.
This document discusses container security and analyzes potential vulnerabilities in Docker containers. It describes how containers may not fully isolate processes and how an attacker could escape a container to access the host machine via avenues like privileged containers, kernel exploits, or Docker socket access. It provides examples of container breakouts using these methods and emphasizes the importance of security features like seccomp, AppArmor, cgroups to restrict containers. The document encourages readers to apply security best practices like the Docker Bench tool to harden containers.
Daniel Greenfeld gave a presentation titled "Intro to Python" where he demonstrated 21 cool things that can be done with Python. These included running Python anywhere, learning it quickly, introspecting objects to see their attributes and methods, performing string operations, formatting strings, basic math operations, and working with lists. The presentation emphasized Python's simplicity, readability, and extensive standard library and ecosystem.
Louis Nyffenegger discovered a SQL injection vulnerability in ActiveRecord, the ORM used in Ruby on Rails applications. He demonstrated how to exploit it locally by creating two states (true/false) based on the response time of SQL queries with sleep commands. This allowed him to extract data bit-by-bit to retrieve the database version. He then explained how to modify the exploit to send HTTP requests to a remote vulnerable application by properly encoding the injected SQL.
This document outlines an iOS development lecture on practical iOS development topics including using maps and location services, system dialogs for contacts, photos, email and SMS, social networks APIs, threading with NSThread, GCD and NSOperation, and best practices for singletons. Key classes and methods are described for adding maps, determining user location, geocoding, contacts pickers, photo pickers, mail/SMS composers, Twitter and Facebook SDKs, threads, operations, and thread-safe singletons.
This document discusses different approaches for profiling Java applications without using third-party tools. It begins by explaining the benefits of a do-it-yourself approach such as avoiding reliability and compliance concerns with tools. Various profiling types are then covered, including CPU profiling using wall clock time and calls, sampling, and memory profiling using JVM options. Bytecode manipulation is also presented as a method using ASM to add profiling code without changing sources. The document emphasizes learning the Java Virtual Machine and using its built-in capabilities for profiling purposes.
This document provides instructions for creating a kernel module that makes a pseudo-file in the Linux /proc filesystem. It explains how to write a module that uses the create_proc_read_entry() and remove_proc_entry() functions to register a proc file that displays the value of the jiffies kernel variable. Sample code is provided for a minimal module template and a non-trivial example module that creates a /proc/jiffies file to read jiffies.
Javascript done right - Open Web Camp IIIDirk Ginader
The document discusses what makes for "good" JavaScript from a developer perspective. It argues that good JavaScript should be understandable, reusable, extensible, optimized, secure, internationalized, optional, and accessible. It provides examples and recommendations for each of these qualities, such as using clear naming and documentation to improve understandability, writing code in a modular and structured way to improve reusability, and using frameworks to avoid reinventing patterns. It also discusses performance optimizations like reducing DOM reflows and different techniques for modifying the DOM efficiently.
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
Codetainer is a browser-based sandbox for running Docker containers. It allows users to "try 'X' in your browser" for any X by running Docker containers in an isolated and programmable manner directly in the browser. Codetainer uses Docker APIs to launch and manage lightweight containers via a Go-based API server. Users can create and register Docker images, launch "codetainers" from those images, and interact with the codetainers through the browser via websockets, viewing terminals and sending keystrokes. Codetainer aims to provide a secure and flexible environment for use cases like tutorials, training, and remote management while addressing challenges around container introspection and security.
Web Information Extraction for the Database Research DomainMichael Genkin
A presentation describing my final project for an engineering degree at the Hebrew University of Jerusalem - a system for extracting information from web sites into instances of an XML schema, utilizing machine learning, structural analysis of documents and a divide & conquer strategy.
Summarizing short stories (without spoiling the fun)Michael Genkin
The story is set in a proletariat restaurant in New York City run by a man named Bogle. There are two waitresses, the beautiful and charming Aileen, who attracts many male customers and regulars, and Tildy, who admires Aileen but hopes to find her own admirer someday. One day, a customer named Seeders kisses Tildy in public, changing her perception of herself. However, she later discovers Seeders' affection was due to intoxication, disappointing Tildy and leaving her feeling like the "Sleeping Beauty" who will never find love.
Post-PC: Geolocation & Maps in the Android EcosystemMichael Genkin
The document discusses various mapping and geo-location services that can be used for mobile applications, including Google Maps, Bing Maps, OpenStreetMap, Waze, and others. It covers the key features of each service, things to consider like licensing and coverage, and how to integrate location services and display maps in a mobile app. Privacy concerns around geo-location data are also briefly mentioned.
NELL uses coupled semi-supervised learning algorithms to populate an ontology by extracting facts from the web at a large scale. It employs techniques like coupled pattern learning and coupled structural extraction to learn textual patterns and extract instances in a mutually reinforcing manner while enforcing constraints. The extracted facts and patterns are promoted across different extractors to populate the ontology with the goal of learning continuously from web-scale data.
Presentation of a volunteering project where computer savvy middle school gifted students collect old computer software, fix it, and donate the refurbished computer to people from though socio-economical background. Presented in 2006. Hebrew
Presentation of a volunteering project where computer savvy middle school gifted students collect old computer software, fix it, and donate the refurbished computer to people from though socio-economical background. Presented in 2005. Hebrew
Presentation of a volunteering project where computer savvy middle school gifted students collect old computer software, fix it, and donate the refurbished computer to people from though socio-economical background. Presented in 2005. Second Edition. Hebrew
Presentation of a volunteering project where computer savvy middle school gifted students collect old computer software, fix it, and donate the refurbished computer to people from though socio-economical background. Presented in 2004. Hebrew
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
2. >>> dir(self)
• Michael Genkin
• A computer engineer
• A researcher
• A jack of many trades
• And a master of some
• Prefers Python [2.7] to your favorite programming language since 2008.
• Isn’t afraid of the bytecode.
3. Outline
• Sandboxes – how & why?
• A bit of Python
• Code execution
• __builtins__
• Python Sandbox – HowTo & Examples
• Blacklisting
• Whitelisting
• Modifying __builtins__
• If time allows
• CPython implementation details
• Code objects
4. What’s a Sandbox?
“A security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites. The sandbox typically provides a tightly controlled set of resources for guest programs to run in…” [Wikipedia]
5. Why a Sandbox?
• UNTRUSTED CODE? Why would we ever want to execute untrusted code?
• Learning platform
• A certain challenge site
• Development environment as a Service
6. How to Sandbox?
OS Level
• Linux seccomp
• PyPy Sandboxing
Language Level/In-Process*
• PySandbox
• rexec
Don’t use those examples @Home/Production
8. Code Execution in Python
• How does one execute untrusted code?
• Or simply dynamically generated code…
• A few ways…
• exec(file) – compile & execute a statement (or a file).
• eval – compile & execute an expression.
• if you really need eval – try using ast.literal_eval()
• os.exec* – create & execute a new shell
• subprocess...
• pickle – a minefield
• Don’t do this at home..!
• Really. Don’t. Ever.
9. Shit Can Happen…
• Resource exhaustion – DoS
• Information disclosure
• Server takeover
10. Tools of Chaos
• file/open
• Though we might need those…
• eval/exec(file)
• exit/quit
• pickle/os/subprocess
• We might need those as well
13. An Optimal [Python] Sandbox
class Sandbox(object):
    def __make_secure(self, unsafecode):
        """ Black Magic """
        safecode = unsafecode  # placeholder: the actual filtering is shown on the following slides
        return safecode

    def execute(self, code):
        exec self.__make_secure(code)

if __name__ == '__main__':
    s = Sandbox()
    s.execute("print 'Hello World!'")  # Hello World!
    s.execute("*bad stuff*")  # RuntimeException
• What does this *black magic* really look like?
14. Blacklisting __builtins__
def __make_secure(self, unsafecode):
    keyword_blacklist = ["file", "quit", "eval", "exec",
                         "execfile", "exit"]
    for keyword in keyword_blacklist:
        if keyword in unsafecode:
            raise ValueError("Blacklisted")
    return unsafecode
15. Circumventing a Blacklist
• The problem with blacklists is that they’re always incomplete…
• What isn’t in the blacklist?
s.execute("""
__builtins__.__dict__["ZXZhbA==".decode("base64")](*bad stuff*)
""")
• Lesson learned…
• If we can get a reference to something – we can invoke it.
16. Whitelisting __builtins__
import sys

def __make_secure(self, unsafecode):
    # Blacklisting code
    main = sys.modules["__main__"].__dict__
    orig_builtins = main["__builtins__"].__dict__
    builtins_whitelist = set((
        'ArithmeticError', 'AssertionError', 'AttributeError', ...  # Exceptions
        'False', 'None', 'True', ...  # Constants
        'basestring', 'bytearray', 'bytes', 'complex', 'dict', ...  # Types
        '__import__', 'abs', 'all', 'any', 'apply', 'bin', 'bool', ...  # Functions
        # Block: eval, execfile, file, quit, exit, reload, etc.
    ))
    for builtin in orig_builtins.keys():
        if builtin not in builtins_whitelist:
            del orig_builtins[builtin]
    return unsafecode  # No way to do bad stuff now...
s.execute('__builtins__.__dict__["ZXZhbA==".decode("base64")](*bad stuff*)') # NameError
17. I brought This Little Something…
• The whitelist ensures we don’t have anything useful in scope…
• But can we bring more stuff into the scope?
s.execute("""
import os
os.exec("python -c '*something bad*'")
""")
• Lesson learned…
• Whitelisting __builtins__ isn’t enough if the attacker can just import stuff
18. Whitelisting Imports
• Ever wondered how Python imports work?
importer = __builtins__.__dict__.get('__import__')
os = importer('os')
• And how to roll your own?
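A Python 3 adaptation, added here and not taken from the talk, that combines the whitelisted __builtins__ of slide 16 with the whitelisting __import__ that slide 18 hints at. BUILTINS_WHITELIST and MODULE_WHITELIST are constructed sets for illustration, and guest code runs against a copied builtins dict rather than by deleting from the interpreter's real one.

```python
import builtins

# Builtins the guest code may use (a deliberately small, constructed whitelist).
BUILTINS_WHITELIST = frozenset((
    'ArithmeticError', 'AssertionError', 'AttributeError', 'Exception',
    'ImportError', 'KeyError', 'NameError', 'TypeError', 'ValueError',
    'False', 'None', 'True',
    'bool', 'bytes', 'dict', 'float', 'int', 'list', 'set', 'str', 'tuple',
    'abs', 'all', 'any', 'len', 'max', 'min', 'range', 'sorted', 'sum', 'zip',
))

# Modules the guest may import; os, subprocess and pickle are deliberately absent.
MODULE_WHITELIST = frozenset(('math', 'string', 'json'))


def make_importer(allowed):
    """Return a drop-in replacement for __import__ that only honours `allowed`."""
    real_import = builtins.__import__

    def restricted_import(name, globals=None, locals=None, fromlist=(), level=0):
        if level != 0:                    # no relative imports inside the sandbox
            raise ImportError("relative imports are not allowed")
        top = name.partition('.')[0]      # "os.path" is checked as "os"
        if top not in allowed:
            raise ImportError("import of %r is not allowed" % name)
        return real_import(name, globals, locals, fromlist, level)

    return restricted_import


class Sandbox(object):
    # Caveat from the rest of the talk: this only shapes what is directly in
    # scope; on its own it is not a security boundary against hostile code.
    def __init__(self):
        # Copy what we allow out of the real builtins instead of deleting
        # from them: deleting would also cripple the host interpreter.
        safe = {k: v for k, v in vars(builtins).items() if k in BUILTINS_WHITELIST}
        safe['__import__'] = make_importer(MODULE_WHITELIST)
        self._builtins = safe

    def execute(self, code):
        """Run `code` in a fresh namespace and return that namespace for inspection."""
        env = {'__builtins__': self._builtins}
        exec(code, env)
        return env
```

Guest code that touches a builtin outside the whitelist fails with NameError, and an import outside MODULE_WHITELIST fails with ImportError before any module code runs.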
20. I Know I Left This Somewhere…
• What do we have left?
• Do we have anything useful left?
• We have some types… let’s check them out
• If we have a class – why not have a metaclass as well?
• PEP 0253 - __bases__ & __subclasses__()
22. If We Have a Reference…
s.execute("""
__builtins__.__dict__['__import__'] = ().__class__.__bases__[0].__subclasses__()[59]()._module.__builtins__['__import__']
import os
os.exec("python -c '*something bad*'")
""")
24. Questions Time!
How many interactive Python interpreters were harmed while preparing this talk?