OpenWest Conference 2014
OpenWest 2014 | Hardware • Standards • Source - http://www.openwest.org/
- OpenWest Conference 2014
- Utah Open Source
- Thursday, May 8, 2014 at 8:00 AM - Saturday, May 10, 2014 at 5:00 PM (MDT)
- Orem, UT
Go
Ken Thompson - Unix
Gopher - GopherCon 2014
Utah Go Users Group - www.utahgophers.com
- Tues. May 13 @ 6:30pm
The Go Programming Language Specification - The Go Programming Language - http://golang.org/ref/spec
Justifications:
- C++ too complex
- compilation too slow
- programming too difficult
- easy over safety and efficiency
Companies:
- PayPal
- GitHub
- MongoDB
- Canonical
- Mozilla
- Stack Overflow
- Puppet Labs
Twitter: #golang
Prediction: Will become dominant language for IaaS and PaaS in 24 months
Go is...
- Compiled
- Strongly typed
- Statically typed
- Garbage collected
- Similar to C syntax
- Capable of statically verified duck typing (via interfaces)
- Open Source
Hello World:
package main
import "fmt"
func main() {
	fmt.Println("Hello World")
}
Note: Semicolons are optional.
Variables:
package main
import "fmt"
func main() {
	var i, j int = 1, 2
	k := 3
	c, python, java := true, false, "no!"
	fmt.Println(i, j, k, c, python, java)
}
When variables are first initialized, they are always set to their "zero" value. There isn't a null value?
Comments:
// comments use C's syntax
/* multi line comment */
Functions:
package main
import "fmt"
func add(x int, y int) int {
	return x + y
}
func main() {
	fmt.Println(add(1, 2)) // example arguments
}
Types:
- bool
- string
- int, int32, ...
- uint, uint8, ...
- byte
- rune alias for int32
- float32
- complex64
Type conversions - no implicit conversions (have to manually cast)
Looping - Go only has 'for'
for i := 0; i < MAX ; i++ { ... }
While:
for ; sum < 1000; { sum += sum }
for sum < 1000 { sum += sum }
If/Else
if x < 0 { ... } else if x > 0 { ... } else { ... }
Don't fear Go pointers
package main
import "fmt"
type Coordinate struct {
	X    int
	Y    int
	Z    int
	name string
}
func GCP() *Coordinate {
	return &Coordinate{1, 2, 3, "foo"}
}
func main() {
	var cp *Coordinate = GCP()
	fmt.Println(cp)
	fmt.Printf("%T\n", cp)
	// ...
}
Slices
Range
var pow = []int{1, 2, 3}
func main() {
	for i, v := range pow {
		fmt.Printf("%d: %d\n", i, v)
	}
}
for _, v := range pow { ... } // underscore is special
Maps
Access is marked public/private by the first letter of the member. Public is capital. Private is lowercase.
Structs in Go - instead of classes in Object Oriented Programming
type House struct { }
func (h House) GetHouseName() string { } // method defined outside of struct, but works on House
Interfaces are super important in Go.
type noiser interface {
	GetNoise() string
}
type Cow struct{} // empty structs
type Fox struct{}
func (f Fox) GetNoise() string { ... }
No assertions?
jQuery
jQuery Introduction - https://joind.in/user/main
Expectations from lecture: Should know what a selector is and have some exposure.
jQuery Philosophy
- "Write less, do more"
- Message Sending
- Chainability
- Normalize Browsers
DHTML before Ajax was coined
Terminology:
- jQuery object
- the result of $(selector) - the $() is jQuery the function
- acts like an array of DOM objects (not a true JavaScript array) - can check length
- zero or more DOM objects
- command - methods of the jQuery object
- $(sel).method();
- utility methods - methods of $ or jQuery (like Ajax stuff)
- $.method();
- $.ajax()
- selector - like css selector with more stuff
- #id or .class or div or :focus or ...
- chaining - calling multiple methods in a row
- $(sel).method1().method2();
- helps avoiding a lot of temporary variables
- helps performance
Overloaded Commands
- many commands GET and SET (getters and setters depending on overload)
- text, html, css, prop, val, attr, and more
var elems = $(sel);
elems.val(elems.val() + " append me"); // val being used as both getter and setter here
elems.width("Sin");
elems.prop("disabled", true);
- Getters don't chain, first elem
.text()/.html() .css() .width(),.height() .attr()/.val() .prop()/.data() .hasClass()
- toggle with overloads
.toggle([bool]) .fadeToggle([bool]) .toggleClass('class-name',[bool]) .animate({outlineWidth:'toggle'})
- command chaining
- most commands return a jquery object
$(sel)
  .css(cssProperty, cssvalue)
  .addClass(className1)
  .text(message)
  .parent()
  .toggleClass(className2)
- Advanced chaining with ".end()". Used with 'find', 'filter', 'appendTo', etc...
Tricky Bits:
.html() & .text()
- similar but crucially different
- .html() incorrectly used in place of .text(). Example: (cross site scripting hack)
function(untrustedStr) { $('#title').html(untrustedStr); }
- .html() takes properly encoded html source
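The difference in practice, as an added example that is not from the talk. The setter names, `encodeHtml` and the small jQuery stand-in (present only so the code runs outside a browser) are hypothetical, and the input string is constructed.

```javascript
// Encode the five characters that let text break out of HTML content
// or out of a quoted attribute value.
function encodeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Anti-pattern from the notes: the untrusted string is parsed as markup.
function setTitleUnsafe($, untrustedStr) {
  $("#title").html(untrustedStr);
}

// Preferred: .text() stores the string as text, so nothing in it is parsed.
function setTitleSafe($, untrustedStr) {
  $("#title").text(untrustedStr);
}

// When markup around the value is wanted, encode the value before .html().
function setTitleWithMarkup($, untrustedStr) {
  $("#title").html("<em>" + encodeHtml(untrustedStr) + "</em>");
}

// Stand-in for jQuery (hypothetical): records the markup the element would
// end up holding, so the three setters can be compared without a DOM.
function makeFakeJQuery() {
  const el = { markup: "" };
  const $ = () => ({
    html(s) { el.markup = String(s); return this; },     // taken as HTML source
    text(s) { el.markup = encodeHtml(s); return this; }, // kept as text, shown encoded
  });
  $.element = el;
  return $;
}

// Constructed sample input: a title that carries an element with a handler.
const SAMPLE = '<img src=x onerror="alert(1)">';

// Run one setter against the stand-in and return the resulting markup.
function markupAfter(setter, input) {
  const $ = makeFakeJQuery();
  setter($, input);
  return $.element.markup;
}
```

In a real page the same three setters take the actual `$`; only `setTitleUnsafe` lets the sample string become an element.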
.prop() vs .attr()
- confusion is due to old usage, by people who haven't known better
- use .prop() for everything
- .attr() usually the wrong choice! (it used to be all that we had)
- use .attr() to modify html src
- .prop() usually the right choice
- use to modify DOM properties, especially checked and disabled
- .attr() and .prop() have friends
- .prop() has current value, and .attr() has html source value
Modern Event API
- stop using .bind() and .unbind()
- bind, unbind, delegate, live, click, load, submit, etc - old fashioned deprecated
- replaced with .on() and .off() and .one() - best practices
$(sel).on('click', handler);
$(sel).off('click');
- .trigger() and .triggerHandler()
Delegated Events
$(sel).on('click', sel, handler);
- replaces .delegate() & .live()
- faster, smaller, better
- reduces code complexity
Terminate Events
- return false; - from event handlers unless you need events to bubble up to element ancestors or want the default behavior
- preventDefault() - browser functionality
- stopPropagation() - ancestors
- returning false does both
Poor: many inline styles - Better: classes & style sheets - Example:
// Poor:
$(sel).css(selected ? { color: "red", backgroundColor: "black" } : { color: "black", backgroundColor: "white" });
// Better:
$(sel).toggleClass("selected", selected);
Switch from Python to Go
by Brian G. Merrell
--
Compile first:
go help
test.go:
package main
import "fmt"
func main() {
	fmt.Println("test")
}
go build -o test test.go
To just run the script:
go run test.go
--
Justifications:
- C++ too complex
- compilation too slow
- programming too difficult
- programmers choosing easy over safety and efficiency
--
Python bad because:
- actually quite complex
- runtime errors
- performance
- doesn't scale
--
Go has:
- concurrency is a breeze
- no exceptions
- no type hierarchies
- no classes
Go good because:
- small language (fit all in your head, have read the spec)
- compile time checks (fast)
- fast enough for even more things
- benefits at little cost
- dynamic feel with compiled performance
- rich standard library
- libraries are all written in Go
- great bundled tooling
- seems to scale well
- cross compiling in Go is simple
- Go syntax is very light and simple
--
Hello World Web server:
package main
import (
	"fmt"
	"net/http"
)
func main() {
	http.HandleFunc("/", Hello)
	http.ListenAndServe("localhost:800", nil)
}
func Hello(w http.ResponseWriter, r *http.Request) {
	// handler body was not captured in the notes; minimal response shown
	fmt.Fprintln(w, "Hello World")
}
--
Don't like about Go:
- Naked return statements (optional)
x, y, z = 1, 2, 3
return
- scoping rules specific case
- not faster than java
- new vs &T{} vs make
- len("foo") vs "foo".Len() - but keeps language simple
- Name "Go" is ungoogleable / hashtagable (use golang) *** MOST ANNOYING ***
- No dynamic linking in Go - makes binaries huge
- two compilers - may work with gccgo, just not with google's gc compiler
- no dlopen in Go
Python vs Go
- Interpreted vs Compiled
- Strongly typed vs Strongly typed
- Dynamically typed vs statically typed
- Garbage collected
- Unique syntax vs Similar to C
- Open Source
- Python Foundation vs Google
- more platforms vs fewer platforms
- 1991 vs
- ???
Go does not have:
- Classes
- Exceptions
- Assertions
- Templates / generics (for now)
- Operator overloading
Zen of Python
>>> import this
Go does not have:
- decorators
- static methods
- class methods
- properties
- iterators
- generators
- exceptions
- meta classes
- class decorators
- multiple inheritance
- list comprehensions
- ternary operator (expression?true:false)
--
Errors should never pass silently - sure beats runtime error
package main
import (
	"fmt"
	"net/url"
)
func main() {
	u := url.Parse("http://foo.org/index%.html") // notice bad '%'; does not compile, Parse also returns an error
	/* fix
	u, err := url.Parse("http://foo.org")
	if err != nil {
		fmt.Println("got error")
	}
	*/
	fmt.Println(u.Host)
}
Zero Values
Encapsulation - capitalized names are exported
Slices vs Lists
Arrays
Slicing syntax is very similar to python
Maps, Dicts and Sets
Duck typing - Go uses interfaces to solve
Exception handling - uses interfaces and type assertions to check
Calling C code from Go
go get - similar to pip
Unit testing and Code coverage
go test ./...
go test -cover ./...
Other tools (included)
http://play.golang.org
CSS3
Interactive Periodic Table - http://codepen.io/nemophrost/pen/EkImb
by Alma Madsen
Bitcoin
Summary - better to just hoard bitcoins than to mine them
Tor
Dark Side of the Internet
Danny Howerton (metacortex)
Look at Troll slide
- ice berg - level 0 web - common web - everything
Tor - the onion router
Tor Project - https://www.torproject.org
Darknet
Watch "House of Cards" - Tor
firefox plugins:
- tor option
- no script
- https everything
TAILS - live distro
Tor hidden services:
- .onion as TLD
- turns tor into darknet
- torproject.org/docs/hidden-services.html?
- hidden wiki
- tor find
- tor search
- grams - google rip off
- reddit/r/onions
- word of mouth
- the pirate bay
Market Places
- reddit.com/r/DarkNetMarkets
- Silk Road 2
- Andromeda
Buy
- Bitcoin
- money in escrow
- ship to PO Box
Bitcoin:
- crypto currency
- relies on PKI
Attacks:
- correlation attacks
- own entry and exit nodes
- browser exploits
- BTC not fully anonymous
- use tumbling service
Stay up to date:
- blog.torproject.org
OpSec:
- Don't reuse identities or passwords
Shameless self promotion - hacker group "801 labs"
ipchicken.com
Chrome Dev Tools
Does performance matter
- motion
- limits of human perceptibility - 5ms
- 60Hz frame rate - 16ms
Human perceived response times:
- 100ms - immediate
- 300ms - fast
- 1200ms - laggy
Got bored... Jumping to agile class
Agile
by Hala Saleh, Dir. Product Management, Rentlr
Agile Manifesto - http://agilemanifesto.org
- Individuals and interactions - over processes and tools
- Working software - over comprehensive documentation
- Customer collaboration - over contract negotiation
- Responding to change - over following a plan
Agile Principles - 12 principles - http://agilemanifesto.org/principles.html
- Collaboration
- Continuous feedback and improvements
- Self-organizing teams
- Simplicity
- Retrospectives
- Frequent and Continuous delivery
- Inspect-adapt cycle
- Sustainable pace
- Timeboxing
- ??
Agile development - iterative and incremental approach to developing software that incorporates continuous feedback loops, adaptability and collaboration
But agile is not only for software
Ready to work?
- Step 1: Identify the Problem
- Step 2: Is Agile the Answer? Is your culture compatible? Start with processes and implement incremental changes.
- book "Becoming Agile in an Imperfect World" by Smith and Sidky
Conclusion:
- Agile can't make you a better executive (it is not a silver bullet)
- Learn it, Live it, Do it
- Learn from others
- Cultivate a tolerance for Failing Fast
Beehive Startups
TOUCHXPAY
Pay with your finger print
Questions:
- security -
On site - Point of Sale (POS) device
Revenue:
- about 1% per transaction - credit card processing
Obstacles:
- PCI Credit Card Processing
Founders:
- David Coronado
- Cameron Moon
Suggestions:
- Look for a strategic partnership that could provide PCI
COPILOT
Social marketing platform to build audiences through video content
Reviews for Studios?
Founders:
- Aaron Ellsworth
Need an iOS developer
Help pilot videos
Google Fiber
Google Access - Google Fiber
Kansas City (initial), Austin TX, Provo UT
Symmetrical Gig
Check out the story of Chattanooga, TN that did it on their own, and the benefits that came about.
Big Data
Applications:
- MongoDB
- Hadoop
- Cassandra
Problems with Big Data:
- Variety of Data (messy)
- Geospatial
"I haven't failed, I found 8000 ways that didn't work" -- Edison
Lua
Script up your application with Lua
- Ryan Erickson
- http://www.untestedhacks.com
- Works at Control4
Home automation - http://ericksonfamily.com/
The Programming Language Lua - http://www.lua.org/
Lua: getting started - http://www.lua.org/start.html
Installation:
yum install lua
curl -R -O http://www.lua.org/ftp/lua-5.2.3.tar.gz
tar zxf lua-5.2.3.tar.gz
cd lua-5.2.3
make linux test
History:
- lua.org
- created in 1993 at PUC-RIO
- Predecessors: DEL and Sol (merged to Lua)
- Lua is Portuguese for Moon, not an acronym (play on words from Sol)
Focus:
- Simplicity for non-programmer audience
- Portability
- Designed to be easily embedded, extended
- Clean ANSI C code
- Garbage Collected
Why:
- Size (tiny) < 100kb DLL/LIB
- Runs on mobile / embedded devices
- Performance - interpreted faster than Python, Ruby, Perl, PHP
- Need faster? LuaJIT
- LuaJIT is C++ / Java 6 territory (luajit.org)
Momentum:
- Used a lot in games
- Adobe Lightroom and Photoshop
- First interpreted language allowed on iOS
- Angry Birds / World of Warcraft
- Control4 uses
Safety:
- Code runs in sandbox
- Embedder chooses which modules to expose
- Host application can provide APIs / primitives to Lua engine
Language:
- Dynamically typed
- Whitespace not significant
- spaces, linebreaks, tabs, what you like
- Semicolons not required, and discouraged
- single line comments
- variables are global by default, 'local' keyword
Types:
- number, string, boolean, nil, table, function, userdata
- numbers are double by default
- can represent floats and integers
- no i++, i+=2. use i =i +1
Strings:
- single/double quote
- backslash to escape
- string concatenation uses '..' (not +)
nil:
- empty value
- evaluates to false
- frees item for garbage collection
tables:
- lua's single data structure
- simultaneous array and hashmap
a = {"apple", "banana", "orange"}
b = {lua = "cool", java = "sucks", fred = 3}
c = a
print(c[3], b.fred, b["java"], a.grape) -- orange 3 sucks nil
- arrays in Lua are 1 based
Comments:
-- this is a comment
--[[ this is a multi line comment ]]
Functions:
- first class objects
function add(a, b)
  print(a + b)
end
multiply = function(a, b)
  print(a * b)
end
plus = add
plus(3,5)
Control:
if ... then ... elseif ... else ... end
do print("one") end
for i = 1, 10 do print(i) end
for k, v in pairs({"}} ???
C Programmer Hangups
- no curly braces - uses begin... end
- No +=, ++
- Not equals is "~="
- Not is "not"
- arrays start at 1
- #array is not always right (if empty items in the middle)
C interface API
- set of functions allow C to interact with Lua
- functions to read/write lua global variables
- functions to call lua functions
- functions to register c functions to call within lua
- stack based parameter passing
Book:
- "Programming in Lua" - http://lua.org/pil
Reference PDF:
Demo:
-- comment
print("test" .. os.date())
function rirc(user, message)
  local no_err, errmsg = pcall(parseIRC, user, message)
  if (no_err == false) then
    SendIRC("ryan", errmsg)
  end
end
function parseIRC(user, message)
  message = message:gsub("%s", "") -- strips all white space
  if (message == "|reload") then
    if (user == "ryan") then
      dofile("default.lua")
    end
  end
  if (message == "|echo") then
    SendIRC(user, "hello")
  end
  if (message:find("|figlet") ~= nil) then
    -- keep only letters and digits so the text cannot change the shell command
    local figstr = message:sub(8):gsub("[^%w]", "")
    local sd = io.popen("figlet " .. figstr)
    for line in sd:lines() do
      SendIRC(user, line)
    end
    sd:close()
  end
end
Linux Performance Tools
Ed Felt - DBA/Developer at LDS Church
Keep it simple ... at least at first
No Mockumentation - Document well, even over document
Recommended course - Linux Foundation - Linux Performance Tools (LF426)
Track changes as you test
Human memory sucks - keep personal notes (journaling)
Keep focused on one variable at a time (Exception: fix it now emergency fire!) - most of us think linearly
Examples:
- ngrep to troubleshoot Segmentation Fault that doesn't make it to the logs
- actimeo=0 # NFS (?kill it/keep it?)
Stress testing is NOT baselining/profiling or even troubleshooting
/proc - TLDP describes it as a "window" into the kernel and processes
PIDS:
- /proc/PID/cmdline
- /proc/PID/cwd
- /proc/PID/environ
- /proc/PID/exe
- ps
CPU:
- /proc/cpuinfo
- top
Memory:
- /proc/meminfo
- free
Netstat:
- /proc/net/netstat
- netstat
Logs:
- /var/log/messages
- /var/log/[application]
Write your own:
- BASH
- Perl
- Python
Tools:
- hdparm -tT /dev/....
- top
- sar (sysstat)
- collectl
- mlmon
Other tools:
- watch
- tail
- strace
- iostat
- vmstat
- nmon
- iptraf
- lsof
- htop
Cargo Cult Security
by Derrick Isaacson
Cargo Cult Security 2014_01_18 - http://www.slideshare.net/DerrickIsaacson/cargo-cult-security-20140118
https://github.com/disaacson/cargo-cult-security
Zimmermann Telegram - Mexico German war
Ciphertext, plaintext
Symmetric Key Cryptography (Private-key Cryptography)
Blowfish, Twofish, Serpent, AES (Rijndael), CAST5, RC4, 3DES, IDEA
Crypto Primitives & Goals - https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=6325
Crypto Primitives (columns): Hash / Salted Hash | MAC / HMAC | Symmetric Key Crypto | Asymmetric Key Crypto | Digital Signature | Digital Certificates
Security Goals (rows):
- Data Integrity: XXX XXX XXX
- Data Authentication: XXX XXX XXX
- Non-Repudiation: XXX XXX
- Confidentiality: XXX XXX*
- Trust: XXX
- Public key can be used to encrypt data that can only be decrypted with private key
Love HMACs
Cargo Cult Programming - Ritualistic inclusion of code or patterns that are unnecessary for the task at hand.
Anti-pattern: authentication
- Using encryption for authentication is bad. Use HMAC instead.
- Don't rely on symmetric-key encryption alone: flipping a bit in the ciphertext will just bump the ID to the next one
- Use HMAC
Anti-pattern: Integrity
- Symmetric key is only good for confidentiality
- HMAC good for Data Integrity and Data Authentication
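The two anti-patterns above side by side, as an added example that is not the speaker's code: an encrypted ID still decrypts cleanly after one ciphertext bit is changed, while an HMAC tag rejects the change. AES-128-CTR, the demo keys and every function name here are assumptions chosen for the illustration.

```javascript
const crypto = require("crypto");

// Constructed demo keys; real keys come from a secret store.
const ENC_KEY = crypto.randomBytes(16);
const MAC_KEY = crypto.randomBytes(32);

// Anti-pattern: treat "it decrypts" as proof that the server issued the ID.
function encryptId(id) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv("aes-128-ctr", ENC_KEY, iv);
  return Buffer.concat([iv, c.update(String(id), "utf8"), c.final()]);
}

function decryptId(token) {
  const d = crypto.createDecipheriv("aes-128-ctr", ENC_KEY, token.subarray(0, 16));
  return Buffer.concat([d.update(token.subarray(16)), d.final()]).toString("utf8");
}

// HMAC version: the ID travels in the clear, the tag proves who issued it.
function signId(id) {
  const tag = crypto.createHmac("sha256", MAC_KEY).update(String(id)).digest("hex");
  return `${id}.${tag}`;
}

// Returns the ID if the tag matches, otherwise null.
function verifyId(token) {
  const dot = token.lastIndexOf(".");
  if (dot < 0) return null;
  const id = token.slice(0, dot);
  const given = Buffer.from(token.slice(dot + 1), "hex");
  const expected = crypto.createHmac("sha256", MAC_KEY).update(id).digest();
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? id : null;
}

// Tamper test helper: copy the buffer and flip the lowest bit of its last byte.
function flipLastBit(buf) {
  const out = Buffer.from(buf);
  out[out.length - 1] ^= 0x01;
  return out;
}

// Tamper test: what each scheme reports after the same one-bit change.
function tamperReport(id) {
  const signed = signId(id);
  const forged = decryptId(flipLastBit(encryptId(id)));
  return {
    encryptedIdAfterFlip: forged,                                   // a different, valid-looking ID
    signedIdAfterEdit: verifyId(forged + signed.slice(signed.lastIndexOf("."))), // null
  };
}
```

Encryption here gave confidentiality and nothing else; if the ID must also stay secret, encrypt it and then HMAC the ciphertext.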
Anti-pattern: Encryption Modes
- Electronic Codebook (ECB) mode encryption
- encrypting a bitmap (think picture) still lets you get an idea of the contained data
- Cipher Block Chaining (CBC) mode encryption
- avoids the patterns found among blocks of ECB
Anti-pattern: Initialization Vector
- Avoid same data being encrypted repeatedly looking the same
- Cipher-block chaining prevents patterns within messages
- Correct IV prevents patterns across messages
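The mode and IV points above made visible, as an added example that is not from the talk: it counts repeated ciphertext blocks under ECB and CBC, and compares two encryptions of the same message with a fixed and a random IV. The key, the plaintext and the function names are constructed for the illustration.

```javascript
const crypto = require("crypto");

const KEY = crypto.randomBytes(16);    // constructed demo key
const FIXED_IV = Buffer.alloc(16, 0);  // the anti-pattern: one constant IV

// Constructed plaintext: the same 16-byte block three times.
const PLAINTEXT = Buffer.from("balance=00000000".repeat(3), "utf8");

// Encrypt with AES-128 in the given mode ("ecb" or "cbc"). ECB takes no IV.
function encrypt(mode, plaintext, iv) {
  const c = crypto.createCipheriv(`aes-128-${mode}`, KEY, mode === "ecb" ? null : iv);
  return Buffer.concat([c.update(plaintext), c.final()]);
}

// Split a ciphertext into 16-byte blocks, hex encoded, so repeats are easy to spot.
function blocks(buf) {
  const out = [];
  for (let i = 0; i < buf.length; i += 16) {
    out.push(buf.subarray(i, i + 16).toString("hex"));
  }
  return out;
}

// Number of distinct values among the first n ciphertext blocks.
function distinctBlocks(buf, n) {
  return new Set(blocks(buf).slice(0, n)).size;
}

// Summary of the three observations from the notes.
function patternReport() {
  return {
    // ECB: equal plaintext blocks give equal ciphertext blocks (1 distinct of 3).
    ecbDistinct: distinctBlocks(encrypt("ecb", PLAINTEXT, null), 3),
    // CBC: chaining hides the repetition inside one message (3 distinct of 3).
    cbcDistinct: distinctBlocks(encrypt("cbc", PLAINTEXT, crypto.randomBytes(16)), 3),
    // CBC with a constant IV: the same message always encrypts the same way.
    fixedIvRepeats: encrypt("cbc", PLAINTEXT, FIXED_IV)
      .equals(encrypt("cbc", PLAINTEXT, FIXED_IV)),
    // CBC with a fresh random IV per message: no pattern across messages.
    randomIvRepeats: encrypt("cbc", PLAINTEXT, crypto.randomBytes(16))
      .equals(encrypt("cbc", PLAINTEXT, crypto.randomBytes(16))),
  };
}
```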
Anti-pattern: Random Values
- Finding linear congruential seed
Anti-pattern: Pseudo-random Session IDs
- really only ~20 bits of entropy
- HMACs and secure random
- do not use sessions - use HMACs seriously
No Cargo Cult Security:
- Identify true security goal.
- Find correct crypto primitive.
- Spend some time to learn about it.
- Write as little of your own crypto code as possible.
Unleash Raspberry Pi
"Unleash the Raspberry Pi Through Physical Computing"
by Kevin Sidwar
"Conference speakers aren't the community elite, they are just people who build stuff and like to talk about it. Anyone can do it." -- Tweet
Skill Share - http://skl.sh/1boHmFo
- 3 hours of videos and lessons
Physical Computing - interacting digitally with the analog world.
Internet of Things is a subset of Physical Computing.
Why the Pi? Huge ecosystem and a ton of resources online.
Buy them through "newark" for $35 without the $5 markup elsewhere (although you get hit with shipping)
The voltages are safer than licking a 9V battery.
Requires very little EE knowledge
SPI - communicating with other devices like other micro controllers
I2C - Inter-Integrated Circuit
Serial
Cool projects:
- RFID reader
Keep pins straight: (keep track of the pins, don't fry your Pi)
- Raspberry Leaf - good printout to keep track of pin outs
- Pi cobbler is another good way
- Verify twice, connect once
- Pins are 3.3V not 5V!
- Use isolated jumper wires (don't short out the pins)
- Don't touch header while powered on
GPIO - General Purpose Input/Output
Write:
import RPi.GPIO as GPIO
GPIO.setmode(GPIO.BOARD)
GPIO.setup(12, GPIO.OUT)    # direction: GPIO.OUT
GPIO.output(12, GPIO.HIGH)  # level: GPIO.HIGH or GPIO.LOW
GPIO.cleanup()
Read:
...
I2C:
import smbus
bus = smbus.SMBus(1)  # I2C bus number 1 is an assumption; it depends on the board
temp = bus.read_word_data(0x48, 0)
SPI Code example
...
Twython - Twitter Python client
Twilio - send/receive text/phone
http://twitter.com/PiHomeMonitor
Source code for this presentation - http://github.com/sidwarkd/openwest_demo
Python Pandas
Python Data Analysis Library — pandas: Python Data Analysis Library - http://pandas.pydata.org/
NumPy — http://www.numpy.org/ - NumPy is the fundamental package for scientific computing with Python.
SciPy - http://www.scipy.org/ - SciPy (pronounced “Sigh Pie”) is a Python-based ecosystem of open-source software for mathematics, science, and engineering
Pandas - http://pandas.pydata.org/ - Python Data Analysis Library - pandas is an open source, BSD-licensed library providing high-performance, easy-to-use data structures and data analysis tools for the Python programming language.
Matt Harrison - http://hairysun.com
- co-chair Utah Python.
Impetus - if this were a Perl class it would be about regexes. Pandas is the weapon of choice for dealing with tabular data in Python.
Pandas is "A nosql in-memory db using Python, that has SQL-like constructs" - Matt's view
- note adopts many numpy-isms that may not appear pure Python
Based off of data framing (tabular data) stolen from 'R'. Data frame is similar to a table in SQL.
Pandas is best for small to medium data, not "Big Data".
Not really good from ETL perspective - star schema
- Extract Transform Load - take data from one system to another
- Data warehousing
Data Structures:
- Series (1D)
- TimeSeries (1D) - special Series
- DataFrame (2D)
- Panel (3D) - like stacked DataFrames
Series:
# python version
ser = {
    'index': [0, 1, 2],
    'data': [.5, .6, .7],
    'name': 'growth',
}
# pandas version
import pandas as pd
ser = pd.Series([.5, .6, .7], name='growth')
Behaves like NumPy array:
ser[1]
ser.mean()
Boolean Array
ser > ser.median()
a False
b False
c True
Filtering:
ser[ser > ser.median()]
DataFrames - Tables with columns as Series
# python version, but not a true Pandas DataFrame
df = {
    'index': [0, 1, 2],
    'cols': [
        {'name': 'growth', 'data': [.5, .6, 1.2]},
        {'name': 'Name', 'data': ["paul", "george", "ringo"]},
    ]
}
# pandas version
df = pd.DataFrame({
    'growth': [.5, .7, 1.2],
    'Name': ['paul', 'george', 'ringo']
})
Import DataFrame from: rows (list of dicts), columns (dicts of lists), csv file ***, slurp up a NumPy ndarray directly
Two Axes:
- axes 0 - index
- axes 1 - columns
df.axes[0] or df.index
df.axes[1] or df.columns
Examine:
df.columns
df.describe()
df.to_string()
df.test1 # or df['test1'] -- makes magic attribute for you
df.test1.median()
df.test1.corr(df.test2) # correlation - if data goes in same direction 1, no would be 0 and opposite would be -1
Tweaking Data
- note: pandas objects are generally immutable
- add row
df = pd.concat()
- add column
df['test3'] = 0 #note: df.test3 = 3 does not work!
- add column with function
def name_grade(val): ..
df['test4'] = df.fname.apply(name_grade)
- remove column
t3 = df.pop('test3')
# or
del df['test3'] # note: del df.test3 does not work!
- rename column
Fill - statistics ignore NaN, so if you want a zero can use this.
Install Pandas: (what worked for me)
# yum install pip install pandas
Pivoting - Pivot Tables
print pd.pivot_table(..rules..)
Serialization
- dump to CSV, etc
Plotting
- box plot, etc...
Clipping
GPS example.
Introduction to Hacking
Surface Areas of Attack:
- Network
- Operating system
- Software
- Users
- Hardware
Pen Testers
Do you really trust your own computer? Have you read every line of source code? Traced every circuit?
CVE - database of vulnerabilities
Exploit Development Resources:
Tools:
- Kali Linux OS - http://www.kali.org/
Metasploit:
Privilege Escalation - process of acquiring system rights of another target user
Passive Attacking - eavesdropping, packet sniffing
- man in the middle
- ssl strip
- wireshark
- dsniff
Denial of Service (DoS)
Social Engineering Tool Kit
- https://www.trustedsec.com/downloads/social-engineer-toolkit/
- installed on Kali
- Capture facebook credentials and other stuff??
OWASP
Web Attacks
- The Open Web Application Security Project (OWASP) Top 10
- https://www.owasp.org/index.php/Top10
SQL Injection attacks
Broken Authentications and Session Management
Cross-Site Request Forgery (CSRF)
- easy to defend against - just include a random number for each request that the user has to respond with
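One way to implement that random value, as an added example that is not from the talk: the server stores a fresh random token in the session, embeds it in the form, and accepts a state-changing request only if the same token comes back, once. The session and request object shapes and the `csrf_token` field name are assumptions.

```javascript
const crypto = require("crypto");

// Methods that must never change state and therefore need no token.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Called when rendering a form: remember the token server-side and return it
// so it can be embedded in a hidden field (csrf_token is a hypothetical name).
function issueCsrfToken(session) {
  session.csrfToken = crypto.randomBytes(32).toString("hex");
  return session.csrfToken;
}

// Called before handling a request. Returns true if the request may proceed.
function checkRequest(session, req) {
  if (SAFE_METHODS.has(req.method)) return true;
  const expected = session.csrfToken;
  const given = req.body ? req.body.csrf_token : undefined;
  // A missing token on either side is a failure, never a pass.
  if (typeof expected !== "string" || typeof given !== "string") return false;
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(given, "utf8");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  const ok = a.length === b.length && crypto.timingSafeEqual(a, b);
  // One token per request: once accepted, it is never accepted again.
  if (ok) delete session.csrfToken;
  return ok;
}
```

A page on another origin can make the browser send the user's cookies, but it cannot read the token out of the form, which is why echoing it back proves the request came from the site's own page.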
Booting a Linux System
by Mike Lovell
Slides - http://baldr.dev-zero.net
Boot Process: Platform Init - Bootloader - Kernel Init - Init
Platform Init:
- Firmware boot
- BIOS (Award, AMI, Phoenix, Coreboot on Chromebooks)
- UEFI
- Low level hardware initialization
- Pass control from BIOS to bootloader:
- Find boot loader through MBR or GPT
- Preboot eXecution Environment (PXE)
Bootloader:
- Grub, Lilo, Syslinux, uBoot, iPXE
- Loads and executes kernel
Kernel Init:
- reinitialize hardware with OS drivers
- load kernel modules
- initrd (old) / initramfs (newer)
- mount root
Init:
- First process the kernel runs
- Kernel Process PID 1
- Responsible for starting all other applications
- Traditionally been sysvinit, now upstart/systemd/openrc
UEFI
- (Unified) Extensible Firmware Interface
- Most implementations based on the Open Source reference implementation, Tianocore
- GPT
- Supports GPT and larger than 2TB boot drives
- EFI System Partition Table
- Default application at EFI\Boot\bootx64.efi
- Secure Boot
- Not DRM
Hacking the Moon
by Brian G. Merrell
Source and Slides - https://github.com/bgmerrell
Cool kit - Spark Fun Inventors Kit
arduino.cc
Slides -
Noise sensor
Infrared - not as simple as it appears
- Pro: cheap, widespread
- Con: many protocols, confusing, line-of-sight, libraries hard to find
Decode signal - IRremote library
put it on a PCB
- board layout (using Eagle)
- Generate gerber files (de facto standard used by PCB industry)
- Send to DrkPCB, BatchPCB (3 boards, $5-$10, 2+ weeks)
- Remember to add ways to program the microcontroller (FTDI Serial USB, storage)
Fermented Foods
Fermented foods your bishop won't get antsy about
- Joshua Tolley and Karlyn Tolley
"Ever wonder where ketchup, salsa, and soda come from? Probably not, but you should. Their modern form conceals their origins, but those foods and many others descend from ancient fermented creations, foods where microbial growth was encouraged. These ancient foods surpass their newer replacements in many ways: they taste better, require fewer chemicals and less energy to produce, store easily, and restore health. Come learn about historic fermented foods, how to make them, and why you'd want to."
Blog - thebacktwenty.blogspot.com
Why fermented food?
- disease fighting
- nutrition
Process:
- something to ferment
- means micro-organisms are consuming or transforming
- starter like sourdough starter
Sourdough
- Easy to make
- Mix flour with water. Wait.
- Use same kind of flour all the time
- Feed it regularly
- Use non-chlorinated water where possible
- Keep it warm
- Always let it breathe
Use Kamut - hybridization of the hard wheats is bad (increase gluten content to make a pretty loaf of bread)
Use glass as it doesn't leach and it is easy to clean
Tips and Tricks
- Keep things clean - more important with long term storage
- Use non-chlorinated water. Chlorine is there to kill fermenting.
- Use right amount of salt
- Use whey with more sugary ferments
- Keep ferments separate, or they will cross-contaminate
- Finding reliable source of raw milk will change your life
Daniel's coworker recommends http://www.breadtopia.com/make-your-own-sourdough-starter/
Fermented beverages are good - kefir, ginger ale, kombucha (non alcoholic)
Kombucha - Originally from Russia, kombucha is a fermented, sweetened tea. The fermentation removes much of the caffeine, carbonates and acidulates the liquid, and produces several beneficial compounds. Black tea with refined sugar works best; herbal teas can slow or stop the fermentation, and less refined sugars contribute off-flavors.