Mining. Ethereum. Smart Contracts. Gas. Solidity. DAO. These words had no or a different meaning 5 years ago. But now these are the foundations of something exciting and powerful. But with great power comes great responsibility. Designing and implementing Smart Contracts are like encryption protocols. Everyone can come up with one which looks secure from the developer’s perspective, but only a few can design and implement one which is really safe.
But how can one hack Smart Contracts? In order to understand this, I will explain the meaning of all of these words in the Ethereum world from the ground-ups with real life analogies. Once the basic building blocks are explained, I will guide you into the world of hacking Smart Contracts. After attending this presentation, everyone will understand how a recursive call can burn 250M USD on the DAO and how developers can create a parallel universe where this never happened. Reinit? Multi-signature wallets? The Parity hack? All of this is simple once the basics are founded.
Warning: case studies from recent real-life hacks and live interaction with Smart Contracts are included. And Cryptokitties. Meow.
1. What is Contract ?
2. What is Smart Contract
3. Why We need Smart Contract ?
4. How blockcain help us to build smart contract ?
5. How safe bockchain is?
6. Which all features are adopte from blockchain and what all problems are solved by it?
Smart contract development top considerationsDevelopcoins
Smart contract development has a prosperous future. A leading smart contract development company Developcoins, We can hope that in due time smart contract development & smart contract audit solutions will be a part of every business bringing service, quality, and customer satisfaction to the highest standards. https://www.developcoins.com/smart-contract-development
The best smart contract platforms in 2021OliviaJune1
The smart contract has become a game-changer in the industry. Contract delivery and payout have both changed dramatically as a result. Only Ethereum was once considered to be the only platform for creating smart contracts
Presentation about the state of smart contract technologies.
These slides where presented at:
- BlockchainUA in Kiev, 14/09/18
- Bitcoin and Blockchain meetup in London, 28/11/18
- BlockchainEdu meetup in Rome, 12/12/18
There are many cryptocurrencies out there; in fact, as of April 2021, there were over 9,500 cryptocurrencies in circulation listed on the Coinmarketcap. This number is expected to increase in the future as people’s interest in cryptocurrencies keeps rising. Although you might have heard about cryptocurrencies and known how it works, it’s possible you still don’t know what cryptocurrency actually is, or what means. The fields of cryptocurrency and the blockchain technology that drives cryptocurrencies can be a bit confusing. So, what is cryptocurrency? This article uses relatable terminology to explain in detail what cryptocurrency is, and the science of cryptography that decentralizes and drives cryptocurrencies, and makes them secure.
1. What is Contract ?
2. What is Smart Contract
3. Why We need Smart Contract ?
4. How blockcain help us to build smart contract ?
5. How safe bockchain is?
6. Which all features are adopte from blockchain and what all problems are solved by it?
Smart contract development top considerationsDevelopcoins
Smart contract development has a prosperous future. A leading smart contract development company Developcoins, We can hope that in due time smart contract development & smart contract audit solutions will be a part of every business bringing service, quality, and customer satisfaction to the highest standards. https://www.developcoins.com/smart-contract-development
The best smart contract platforms in 2021OliviaJune1
The smart contract has become a game-changer in the industry. Contract delivery and payout have both changed dramatically as a result. Only Ethereum was once considered to be the only platform for creating smart contracts
Presentation about the state of smart contract technologies.
These slides where presented at:
- BlockchainUA in Kiev, 14/09/18
- Bitcoin and Blockchain meetup in London, 28/11/18
- BlockchainEdu meetup in Rome, 12/12/18
There are many cryptocurrencies out there; in fact, as of April 2021, there were over 9,500 cryptocurrencies in circulation listed on the Coinmarketcap. This number is expected to increase in the future as people’s interest in cryptocurrencies keeps rising. Although you might have heard about cryptocurrencies and known how it works, it’s possible you still don’t know what cryptocurrency actually is, or what means. The fields of cryptocurrency and the blockchain technology that drives cryptocurrencies can be a bit confusing. So, what is cryptocurrency? This article uses relatable terminology to explain in detail what cryptocurrency is, and the science of cryptography that decentralizes and drives cryptocurrencies, and makes them secure.
Blockchain And Cryptocurrency : How Blockchain And Cryptocurrency Relate To E...Blockchain Council
Blockchain Council is a renowned platform providing all the certification and Blockchain courses that will help you make an established career in this field.
Discussed about the Blockchain and how it works
Also the advantages of Blockchain over centralized system and some drawbacks are also mentioned.
Discussion on bitcoin and Cryptocurrency
Creating our own cryptocurrency for startups.
Snapshots are attached.
Easier way to understand the Smart Contract Technology. A simplest explanation of Smart Contract. The technology behind the Blockchain, which is making the Blockchain enthusiast crazy. It is the same technology which has made it possible to implement Blockchain for almost anything.
With the recent crypto bubble engulfing the world, you would have come across two prominent words: Blockchain and Cryptocurrency. Well, when it comes to origin and development then cryptocurrency marks the growth of Blockchain technology.
Contracts Across Coins - Smart Contracts for Bitcoin, Ripple and the altcoinsRipple Labs
Held at Coin Congress in San Francisco on Thursday, July 24th, 2014.
Codius is a set of tools for building smart contracts that work with any blockchain and even work with any other service connected to the Internet.
A 20 slider on the basics of Blockchain (the animations make it look longer).
An attempt to introduce what a blockchain is and how transactions work under the hood without getting too technical.
Hands-on introduction to blockchain technologies.
First, basic concepts as peer-to-peer networks, mining and distributed consens are introduced basd on the Bitcoin protocol. Next smart contracts are discussed for the Ethereum protocol and demonstrated using a local/private blockchain.
The session concludes with a live demo of the interaction of a Java based classical business application with a smart contract running in the Ethereum network.
The goal of the session is to provide a meaningful background of blockchain technologies in genral and to enable developers to start exploring Ethereum and smart contracts within a few hours.
The proposed development setup is oriented towards Java developers and contains Docker images for the Geth and TestRPC Ethereum clients that can be run locally. To access Ethereum from Java the web3j Java library is used. The business application that integrates with the smart contracts is built with the Eclipse Scout framework.
Slides have been created by @ZimMatthias for the JUG Switzerland session on May 22, 2017 https://www.jug.ch/html/events/2017/blockchain_ethereum.html
Block chain and Bitcoin. A blockchain is a data structure that makes it possible to create a digital ledger of transactions and share it among a distributed network of computers.
CryptoCurrency is one of the hottest ways to make money right now!
You cannot escape hearing about Bitcoin and all the other CryptoCurrencies and how people are making tons of money buying, holding, and selling CryptoCurrency.
Would you like to join an exclusive group of people in the know of the hottest new market almost nobody knows? You can, with this Cryptocurrency Secrets eBook.
How Blockchain Is Different From Cryptocurrency?Endive Software
Yes, there are some differences, but at the core Blockchain and Cryptocurrency are interconnected. Bitcoin (Cryptocurrency) is the first and most successful application of Blockchain. Initially, they were used interchangeably, but with advancement, some differences can be noticed.
What is a Cryptocurrency?
What is the Blockchain?
Why the Blockchain now?
Lets Sum this Blockchain!
Why the “Blockchain” is next IT revolution you have not heard of..
Lets talk about Careers in the Blockchain!
Blockchain concept and technology. How this is becoming the next trend after the Bitcoin, expanding to a myriad of solutions. Smart contracts might be using a public distributed, and encrypted platform to support data persistence.
Smart Contracts are a central component to next-generation blockchain platforms. Blockchain technology is much broader than just bitcoin. The sustained levels of robust security achieved by public cryptocurrencies have demonstrated to the world that this new wave of blockchain technologies can provide efficiencies and intangible technological benefits very similar to what the internet has done.
Blockchains are a very powerful technology, capable of going much further than only "simple" financial transaction; a technology capable of performing complex operations, capable of understanding much more than just how many bitcoins one currently has in his digital wallet.
This is where the idea of Smart Contracts come in. Smart Contracts are in the process of becoming a cornerstone for enterprise blockchain applications and will likely become one of the pillars of blockchain technology.
In this presentation, we will explore what a smart contract is, how it works, and how it is being used.
Blockchain. Everyone talks about it, but how does it really work?
This talk covers the fundamentals and discusses real world examples of how blockchain is being used to transform healthcare, real estate, humanitarian aid, governance and other domains.
See the original talk at: https://www.facebook.com/thekasbahhub/videos/1875008969491362/
An Introduction to Bitcoin, Blockchain and CryptocurrencyAmarpreet Singh
Heard that bitcoin value doubled again? or new cryptocurrency IPO’s are taking over the stock market! Well, cryptocurrency is just the tip of the iceberg. Blockchain technology is a lot more than just cryptocurrency and can revolutionize almost everything which surrounds us. This presentation will help you grab a quick introduction to Bitcoin, Blockchain and Cryptocurrency
BlockChain basics for the non-technical banker covering what's happening, what the opportunities are, and the problems we all face. Covers BitCoin and Ethereum with brief mentions made of Ripple and the HyperLedger project.
Blockchain And Cryptocurrency : How Blockchain And Cryptocurrency Relate To E...Blockchain Council
Blockchain Council is a renowned platform providing all the certification and Blockchain courses that will help you make an established career in this field.
Discussed about the Blockchain and how it works
Also the advantages of Blockchain over centralized system and some drawbacks are also mentioned.
Discussion on bitcoin and Cryptocurrency
Creating our own cryptocurrency for startups.
Snapshots are attached.
Easier way to understand the Smart Contract Technology. A simplest explanation of Smart Contract. The technology behind the Blockchain, which is making the Blockchain enthusiast crazy. It is the same technology which has made it possible to implement Blockchain for almost anything.
With the recent crypto bubble engulfing the world, you would have come across two prominent words: Blockchain and Cryptocurrency. Well, when it comes to origin and development then cryptocurrency marks the growth of Blockchain technology.
Contracts Across Coins - Smart Contracts for Bitcoin, Ripple and the altcoinsRipple Labs
Held at Coin Congress in San Francisco on Thursday, July 24th, 2014.
Codius is a set of tools for building smart contracts that work with any blockchain and even work with any other service connected to the Internet.
A 20 slider on the basics of Blockchain (the animations make it look longer).
An attempt to introduce what a blockchain is and how transactions work under the hood without getting too technical.
Hands-on introduction to blockchain technologies.
First, basic concepts as peer-to-peer networks, mining and distributed consens are introduced basd on the Bitcoin protocol. Next smart contracts are discussed for the Ethereum protocol and demonstrated using a local/private blockchain.
The session concludes with a live demo of the interaction of a Java based classical business application with a smart contract running in the Ethereum network.
The goal of the session is to provide a meaningful background of blockchain technologies in genral and to enable developers to start exploring Ethereum and smart contracts within a few hours.
The proposed development setup is oriented towards Java developers and contains Docker images for the Geth and TestRPC Ethereum clients that can be run locally. To access Ethereum from Java the web3j Java library is used. The business application that integrates with the smart contracts is built with the Eclipse Scout framework.
Slides have been created by @ZimMatthias for the JUG Switzerland session on May 22, 2017 https://www.jug.ch/html/events/2017/blockchain_ethereum.html
Block chain and Bitcoin. A blockchain is a data structure that makes it possible to create a digital ledger of transactions and share it among a distributed network of computers.
CryptoCurrency is one of the hottest ways to make money right now!
You cannot escape hearing about Bitcoin and all the other CryptoCurrencies and how people are making tons of money buying, holding, and selling CryptoCurrency.
Would you like to join an exclusive group of people in the know of the hottest new market almost nobody knows? You can, with this Cryptocurrency Secrets eBook.
How Blockchain Is Different From Cryptocurrency?Endive Software
Yes, there are some differences, but at the core Blockchain and Cryptocurrency are interconnected. Bitcoin (Cryptocurrency) is the first and most successful application of Blockchain. Initially, they were used interchangeably, but with advancement, some differences can be noticed.
What is a Cryptocurrency?
What is the Blockchain?
Why the Blockchain now?
Lets Sum this Blockchain!
Why the “Blockchain” is next IT revolution you have not heard of..
Lets talk about Careers in the Blockchain!
Blockchain concept and technology. How this is becoming the next trend after the Bitcoin, expanding to a myriad of solutions. Smart contracts might be using a public distributed, and encrypted platform to support data persistence.
Smart Contracts are a central component to next-generation blockchain platforms. Blockchain technology is much broader than just bitcoin. The sustained levels of robust security achieved by public cryptocurrencies have demonstrated to the world that this new wave of blockchain technologies can provide efficiencies and intangible technological benefits very similar to what the internet has done.
Blockchains are a very powerful technology, capable of going much further than only "simple" financial transaction; a technology capable of performing complex operations, capable of understanding much more than just how many bitcoins one currently has in his digital wallet.
This is where the idea of Smart Contracts come in. Smart Contracts are in the process of becoming a cornerstone for enterprise blockchain applications and will likely become one of the pillars of blockchain technology.
In this presentation, we will explore what a smart contract is, how it works, and how it is being used.
Blockchain. Everyone talks about it, but how does it really work?
This talk covers the fundamentals and discusses real world examples of how blockchain is being used to transform healthcare, real estate, humanitarian aid, governance and other domains.
See the original talk at: https://www.facebook.com/thekasbahhub/videos/1875008969491362/
An Introduction to Bitcoin, Blockchain and CryptocurrencyAmarpreet Singh
Heard that bitcoin value doubled again? or new cryptocurrency IPO’s are taking over the stock market! Well, cryptocurrency is just the tip of the iceberg. Blockchain technology is a lot more than just cryptocurrency and can revolutionize almost everything which surrounds us. This presentation will help you grab a quick introduction to Bitcoin, Blockchain and Cryptocurrency
BlockChain basics for the non-technical banker covering what's happening, what the opportunities are, and the problems we all face. Covers BitCoin and Ethereum with brief mentions made of Ripple and the HyperLedger project.
The JavaScript toolset for development on EthereumGreeceJS
Ethereum is the new global shared computing resource. Find out how to develop dapps on the Ethereum blockchain by using the Truffle Framework and web3.js.
Smart contract honeypots for profit (and fun) - bhaPolySwarm
Ethereum smart contracts have bugs: a lot of them. So many, in fact, that attackers have flocked to exploit them, but occasionally they lose money themselves. Malicious contracts that look vulnerable but are exploitative are a rising trend, and this talk will discuss how they work and what they do.
Stefano Maestri - Blockchain and smart contracts, what they are and why you s...Codemotion
After a brief introduction on what is blockchain technology and how it works under the wood, focusing on Ethereum the next generation blockchain implementation. We will focus on the concept of smart contract introducing it through a simple case study and its standard implementation in ethereum. We will code it using Solidity language deploying and testing it in a live demo on Ethereum test network.
Przemek Nowakowski: Blockchain to niewątpliwie jedna z najciekawszych i najbardziej kontrowersyjnych technologii ostatnich lat. Ale jak to ugryźć? I czy w ogóle jest sens ulegać hajpowi? W prezentacji omówimy blockchain – od podstaw po najprostszą implementację, zastanowimy się nad jego użytecznością oraz sprawdzimy, jakie narzędzia mamy do dyspozycji, jeśli zdecydujemy się go wykorzystać.
This is a presentation is an introduction to the blockchain. It defines, what is the blockchain and shows how JavaScript developers can create blockchain applications.
Welcome to the world of cryptocurrencies, the next step in the evolution of the means of value exchange. This is
the part where many authors would veer off into the fascinating history of money. Though that is or at least can
be interesting, it’s ultimately a side note — and one that, frankly, isn’t going to make you any richer.
Instead, this book will begin with and focus on what you need to know to participate in and potentially profit
from this white-hot frontier investment space. With that in mind, we’re not going to begin at the beginning and
regale you with tales of humankind’s early currencies or some such; instead, we’re going to take the leap off the
high board and start to teach you right away about the now and the newest computer-based currencies
Zsombor Kovács - Cheaters for Everything from Minesweeper to Mobile Banking ...hacktivity
In my opinion, cheating acceptable - it merely means expanding the frame of an application to the point, which is beyond what the creators of the application have ever imagined. In this talk, we explore how the popular instumentalisation framework Frida can be used to hack applications from games to mobile banking applications.
Vincent Ruijter - ~Securing~ Attacking Kuberneteshacktivity
This talks' focus lays on a popular containerization tool called Kubernetes. Common implementations of Kubernetes are not secure by default and a lot of information about hardening is not known to the public. Since version 1.7 the security level has increased and common security misconfigurations have been mitigated. During this talk it will be demonstrated what happens if these mitigations are not applied and how to abuse them. The talk will be about both securing and attacking the platform and could be considered a 'purple team' talk. Multiple live demos are planned, most of them ending in a guest-to-host escape and a root shell.
Balázs Bucsay - XFLTReaT: Building a Tunnelhacktivity
XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and offers the capability to the users to take care of only those things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP, RDP or SSH then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 12km on an airplane.
This framework is not just a tool; it unites different technologies in the field of tunnelling. It will be show how to tunnel data over a Windows jumpbox utilising RDP (including the dirty low level "secrets") or how to exfiltrate data over ICMP from barely secured networks. We have simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk, actually you will be richer with an open-source tool.
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
Adobe Experience Manager (AEM) is an enterprise-grade CMS. It’s used by high-profile companies like Linkedin, Apple, Mastercard, Western Union, Cisco, General Motors, and others. AEM is built on top of the Apache Sling, Apache Felix and Apache Jackrabbit Oak projects. In the talk, the author will share unique methodology on how to approach AEM weabpps in pentests or bug bounty programs. Misconfiguration issues, as well as product vulnerabilities, will be covered in the talk, including newly discovered vulnerabilities for which Adobe PSIRT assigned CVE ids. The author will share automation tool for discovering vulnerabilities and misconfigurations discussed in the talk.
Gabrial Cirlig & Stefan Tanase - Smart Car Forensics and Vehicle Weaponizationhacktivity
As “smart” is becoming the new standard for everything, malicious threat actors are quick to capitalize on the insecurity of IoT devices. Hackers compromising your network and spying on you is not something new in the world of personal computers, but definitely an emerging threat in the world of personal cars.
Csongor Tamás - Examples of Locality Sensitive Hashing & their Usage for Malw...hacktivity
Several tools has been proposed for malware classification and similarity detection of binary malware samples, however none of them can solve all issues. In my presentation, I'll cover the problematics of Locality Sensitive Hashes and provide some experimental information about the comparison of different LSH algorithms. SSDEEPS's base algorithm, spamsum was originally designed for spam email detection. Although it discoveres some similarity between binaries, it basically needs large equal pieces of the byte code. This only happens rarely and can easily be altered. One of the contenders, TLSH (TrendMicro Locality Sensitive Hash) is a more stable similarity matching process. I'm going to present the results of the comparison on a smaller size samples set (~30k samples). Using LSHs is easy and doesn't require huge computational resources so after the process was deemed useful and effective it was extended to a large malware database of multiple hundreds of terabytes of samples. The experiments focus on ransomware sample classification, so I'm also going to present some details related to hunting for fresh unknown malware samples of known groups.
Matthias Deeg - Bypassing an Enterprise-Grade Biometric Face Authentication S...hacktivity
Biometric authentication systems have long, checkered history in IT security and are regarded as a highly controversial technology. Many manufacturers and users love them because of their usability and the personal touch they give to human-computer interaction when it comes to an often annoying but necessary task like user authentication. Other people hate them because of data privacy and security concerns. Despite all the controversy, biometric authentication systems are still here and they seem to stay.
In fall 2017, SySS GmbH started a research project concerning the enterprise-grade face authentication system Microsoft Windows Hello Face Authentication based on near infrared technology.
In our talk, we will present the results of our research project concerning the enterprise-grade face authentication system Windows Hello Face Authentication by Microsoft based on near infrared and visible light and will demonstrate how different versions of it can be bypassed by rather simple means.
Gergely Biczók - Interdependent Privacy & the Psychology of Likeshacktivity
The Facebook/Cambridge Analytica case headlined technical news the whole Spring of 2018. This case is not the first (and certainly not the last) that demonstrates privacy issues with Facebook and the ecosystem around it; yet, it gained notoriety because of its scale and alleged direct effect on the outcome of the US presidential election. In this talk we look behind the scenes and under the hood and analyze the IT, economic, psychological and legal background necessary to understand the full impact of the Cambridge Analytica case. We touch upon the underlying economic theory on externalities that defines interdependent privacy and sets the scene at a high level; the permission system of the Facebook API that enabled the collection of personal data at scale; the breakthrough psychology research that enabled the use of these data to influence political elections; and the legal impact through the lens of the GDPR.
Paolo Stagno - A Drone Tale: All Your Drones Belong To Ushacktivity
In 2013, DJI Drones quickly gained the reputation as the most stable platform for use in aerial photography and other fields. Since then Drones have increased their field of application and are actively used across various industries (law enforcement and first responders, utility companies, governments and universities) to perform critical operations on daily basis. As a result of that, Drones security has also become a hot topic in the industry.
This talk will provide a comprehensive overview of the security model and security issues affecting the underlying technologies, including existing vulnerabilities in the radio signals, Wi-Fi, Chipset, FPV system, GPS, App and SDK. As part of the presentation, we will discuss the architecture of one of the most famous and popular consumer drone product: the DJI Phantom 3. This model will be used to demonstrate each aspect of discovered security vulnerabilities, together with recommendations and mitigations.
A special focus will be on the recent changes and countermeasures DJI has applied to the firmware of its products in order to harden the security, following the recent accusations and the US Army ban. While the topic of hacking drones by faking GPS signals has been shared before at major security conferences in the past, this talk will extend these aspects to include geo-fencing and no fly zones abuses.
Jack S (linkcabin) - Becoming The Quiz Master: Thanks RE.hacktivity
linkcabin aims to discuss the journey of reverse engineering a pub quiz machine, to a point of emulation. By reverse engineering the software, lessons have been learnt in implementation of security, limits in 'security by obscurity' software solutions and how complex actual machines which involve betting are. After reverse engineering parts of the machine, and coming from a threat intelligence background, it becomes clear how similar software and malware developers minds really are for functionality.
While still developing software for an archaic operating system, much like critical infrastructure around the world, it becomes hard to balance both security and functionality.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
2. Whoami?
Zombie Browser Toolkit
https://github.com/Z6543/ZombieBrowserPack
HWFW Bypass tool
Similar stuff was used in PacketRedirect in Danderspritz FlewAvenue by EQGRP
https://github.com/MRGEffitas/hwfwbypass
Malware Analysis Sandbox Tester tool
https://github.com/MRGEffitas/Sandbox_tester
Played with crappy IoT devices – my RCE exploit code running on ~600 000 IP cameras via Persirai
https://jumpespjump.blogspot.hu/2015/09/how-i-hacked-my-ip-camera-and-found.html
https://jumpespjump.blogspot.hu/2015/08/how-to-secure-your-home-against.html
Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances
Implemented by Angler and Nuclear exploit kit developers
https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection-systems/
2
3. Questions
Hands up if you know something about blockchain
Hands up if you have ever tried to explain Bitcoin to your
parents/colleagues/kids
Hands up if it ended: “it is complicated”
Hands up if you have ever interacted with a Smart Contract
4. Why am I talking about this?
ITSEC folks laugh about Blockchain a lot
They believe it is
not happening
not important
not working
Bad news: it is happening!
Trust me, this is an important topic
I will calculate losses in Lamborghinis – 200K USD
5. So who am I to talk about this topic?
I don’t give advice
on investing/
selling/ HODLing
cryptocurrencies
6. Main idea of cryptocurrencies
Let’s go with metaphors on this topic
Math is hard (at least for me it is true)
Let’s form a group where we solve
mathematical challenges MINING
Everyone can easily check if someone solved
the hard math challenge
When someone solves a math challenge, they
receive moneZ (my imaginary cryptocurrency)
7. Transactions
If Bunny wants to send moneZ to Piggie,
everyone will know and has to know about
all details of the transaction
In fact, everyone knows how much
moneZ everyone has because it is public
knowledge
Sidenote: ETHEREUM different
8. Blockchain
The last not yet processed moneZ are collected in a transaction together
The bundle of transactions is included as additional parts to the math
challenge to be solved blocks
Including the transactions in the math challenges will cost moneZ for the
initiator transaction fee
A long paper trail is created where every blocks are recorded blockchain
9. How can newcomers get moneZ - Bitcoin, etc.?
They can start to solve new math challenges
Before that they should get a copy of the long paper trail -
blockchain
By solving math challenges and including the transactions, they
get the transaction fee
Or they can ask someone to send them moneZ
In exchange they can give something - real money, Alpaca
socks
10. What is a wallet
The wallet holds all the moneZ you previously
received
Whenever you send moneZ from your wallet to
someone else's wallet, you sign the transaction
with your signature, which is impossible to
counterfeit
Transactions are irreversible and final*
Everyone will know you transferred the money,
you can’t draw back
11. Why is this interesting?
You don’t have to be in the same room to do the math challenges
You can do all the stuff through the Internet
You don’t even have to know who the others are (pseudo-anonimity)
12.
13. Smart Contracts
Assume you have a basic understanding of
cryptocurrencies in general
Let’s take a deep dive into Smart Contracts
Bitcoin is also capable of doing Smart
Contracts
Ethereum YAC (Yet Another
Cryptocurrency) was designed for Smart Contracts
14. Smart Contracts
You want to sign and get a countersign of the
contract
carve the contract into stone
contracts carved into the stone
cannot be modified
In the smart contract world, the stone is the
blockchain
it is powered by the time and
energy spent on solved math
challenges
Code is universal
15. What is gas?
Smart contract is code which can be executed by
anyone who solves the math challenges for
moneZ - mines the cryptocurrencies
Similarly to moneZ transaction fees, you have to
pay moneZ to get the smart contract code
executed by everyone
The more complex the smart contract code is, the
more moneZ you have to pay
This is called gas in Ethereum
17. Ethereum Virtual Machine
Bytecode: it is not a machine code, thus you need a VM to execute it
Solidity: compile JavaScript-like code into EVM bytecode
Source code can be published - creates trust
Solidity source code compiles into the same bytecode (reproducible)
At least with the same parameters and same compiler version
18. JavaScript developers today
Solidity (smart contract language) looks similar to
JavaScript
You need web3.js based frontend - this is JS
Many smart contract coders have JavaScript background
JavaScript: You must move fast and break things
With Ethereum Smart Contracts, this approach is not
“profitable” …
Solidity: Deploy once, be hacked anytime
19.
20.
21. Since August 2018 the latest Metamask has been
showing the hex data to be sent
Kittie ID in hex
Identifier for the Bid function (MethodID) –
keccak256(“bid(uint256)”)[:4]
59 zeroes because the
world needs 2ˆ256 Kitties
26. The DAO: Recursive call + race condition
June 18th, 2016
Attacker transfers Ether worth $250 million from DAO
That is 1250 Lamborghinis
Reentrancy at the splitDAO function
27. The DAO hack
You can interrupt the bank teller while
he is giving you money
The bank teller only updates your
balance at the end
28. The DAO hack …
// INSECURE --- this is not DAO code, but similar so it is easy to understand
function withdrawBalance() public { // 1st line
uint amountToWithdraw = userBalances[msg.sender]; // 2nd line
require(msg.sender.call.value(amountToWithdraw)()); // 3rd line. At this point, the caller's code is
executed, and can call withdrawBalance again
userBalances[msg.sender] = 0; // 4th line
}
29.
30. The solution?
Rewrite the past and pretend it didn’t happen
Attacker got away with his ETH Classic
worth $67.4 million – 337 Lambos
33. Shared vulnerable library + reinit - 2017 July 20
$31M stolen – 155 Lambos
A lot more was in danger, but good guys were faster
Lot of shared libraries exists in the blockchain
Save gas
Contracts now share the same vulnerabilities
Parity multi-signature wallets
34. Teh code
NON LIBRARY CODE
function() payable { // someone called a function we don’t have?
if (msg.value > 0) // some ether is sent
...
else if (msg.data.length > 0) //ether is not sent, but some data is
_walletLibrary.delegatecall(msg.data); //let’s check if we can execute this code via shared
library
}
● If the method name is not defined on this contract…
● And there’s no ether being sent in the transaction…
● And there is some data in the message payload…
for whatever method that calls DELEGATECALL, it will call the same method on the contract you're
delegating to, but using the context of the current contract
35. Teh library codez
function initWallet(address[] _owners, uint _required, uint _daylimit) {
//the shared library has initWallet and it is public !
initDaylimit(_daylimit);
initMultiowned(_owners, _required);
}
initWallet is not in the non-library code, but is called in the shared library
36. So some random guys don’t know how to code
Smart Contracts …
37. Fixing the Parity bug
Parity fixed previous bug
and introduced a new one
Library contract was not initialized properly. That allowed anyone to turn the library
contract into a multi-sig wallet
38. The next Parity hack
November 2017 - $300M lost – 1500 Lambos
@devops199 “accidentally” called initWallet()
method to own the library
@devops199 “accidentally” called kill() method
to self-destruct it
It was planned to be fixed – forking EIP-999. Community voted no
39. Intro to integer underflow
Underflow
If there are (unsigned integer
8) 3 people on the bus, and
four of them took of the bus,
how many people are still on
the bus?
255
40. Intro to integer overflow
Overflow
If there are (unsigned integer 8)
255 people on the bus, and the bus
is totally full, and one guy hops on
the bus, how many people are on
the bus?
41. Proof of Weak Hands
https://medium.com/@optimumregret/the-surreal-madness-
of-ethereums-pyramid-schemes-da705fe7d92e
USD 2M lost
unsigned integer underflow withdrawal
Use Safemath!
https://etherscan.io/tx/0x233107922bed72a4ea7c75a83ecf58dae4
b744384e2b3feacd28903a17b864e0
42. Conclusion
Blockchain, Ethereum, Smart Contracts are here to hack
Writing secure Smart Contracts is hard
Ethereum is still in beta
Hacking Smart Contracts is possible, fun, but probably illegal
Hacking your own smart contract is probably not illegal
Hacking in test blockchain is not illegal
45. References
Nick Szabo: The idea of smart contracts 1997 https://perma.cc/V6AZ-7V8W
https://www.reddit.com/r/explainlikeimfive/comments/12knie/eli5_bitcoins/?st=IZW0ENOG&sh=d566a3ee
https://medium.freecodecamp.org/smart-contracts-for-dummies-a1ba1e0b9575
https://www.reddit.com/r/explainlikeimfive/comments/4lz9t4/eli5_ethereum/
http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/
https://github.com/b-mueller/smashing-smart-contracts/blob/master/smashing-smart-contracts-1of1.pdf
https://medium.freecodecamp.org/a-hacker-stole-31m-of-ether-how-it-happened-and-what-it-means-for-ethereum-
9e5dc29e33ce
https://www.stateofthedapps.com/
Cryptozombies.io - best tutorial
Latest hype and scams: https://boards.4chan.org/biz/
It’s like the bank teller won’t change your balance until he gives you all the money you have requested.
“Can I withdraw $500? Wait, before that, can I withdraw $500?”
The smart contract was designed only to check you have $500 at the beginning, once, and allow themselves to be interrupted.
5 people would summon Captain Planet who would save the world