Search Results

Search found 6734 results on 270 pages for 'fiscal year'.

Page 97/270 | < Previous Page | 93 94 95 96 97 98 99 100 101 102 103 104  | Next Page >

  • Is there a way to tell Drupal not to cache a specific page?

    - by TechplexEngineer
    I have a custom php page that processes a feed of images and makes albums out of it. However whenever i add pictures to my feed, the Drupal page doesn't change until I clear the caches. Is there a way to tell Drupal not to cache that specific page? Thanks, Blake Edit: Drupal v6.15 Not exactly sure what you mean oswald, team2648.com/media is hte page. I used the php interpreter module. Here is the php code: <?php //////// CODE by Pikori Web Designs - pikori.org /////////// //////// Please do not remove this title, /////////// //////// feel free to modify or copy this software /////////// $feedURL = 'http://picasaweb.google.com/data/feed/base/user/Techplex.Engineer?alt=rss&kind=album&hl=en_US'; $photoNodeNum = 4; $galleryTitle = 'Breakaway Pictures'; $year = '2011'; ?> <?php /////////////// DO NOT EDIT ANYTHING BELOW THIS LINE ////////////////// $album = $_GET['album']; if($album != ""){ //GENERATE PICTURES $feedURL= "http://".$album."&kind=photo&hl=en_US"; $feedURL = str_replace("entry","feed",$feedURL); $sxml = simplexml_load_file($feedURL); $column = 0; $pix_count = count($sxml->channel->item); //print '<h2>'.$sxml->channel->title.'</h2>'; print '<table cellspacing="0" cellpadding="0" style="font-size:10pt" width="100%"><tr>'; for($i = 0; $i < $pix_count; $i++) { print '<td align="center">'; $entry = $sxml->channel->item[$i]; $picture_url = $entry->enclosure['url']; $time = $entry->pubDate; $time_ln = strlen($time)-14; $time = substr($time,0,$time_ln); $description = $entry->description; $tn_beg = strpos($description, "src="); $tn_end = strpos($description, "alt="); $tn_length = $tn_end - $tn_beg; $tn = substr($description, $tn_beg, $tn_length); $tn_small = str_replace("s288","s128",$tn); $picture_url = $tn; $picture_beg = strpos($picture_url,"http:"); $picture_len = strlen($picture_url)-7; $picture_url = substr($tn, $picture_beg, $picture_len); $picture_url = str_replace("s288","s640",$picture_url); print '<a rel="lightbox[group]" href="'.$picture_url.'">'; print '<img '.$tn_small.' style="border:1px solid #02293a"><br>'; print '</a></td> '; if($column == 4){ print '</tr><tr>'; $column = 0;} else $column++; } print '</table>'; print '<br><center><a href="media">Return to album</a></center>'; } else { //GENERATE ALBUMS $sxml = simplexml_load_file($feedURL); $column = 0; $album_count = count($sxml->channel->item); //print '<h2>'.$galleryTitle.'</h2>'; print '<table cellspacing="0" cellpadding="0" style="font-size:10pt" width="100%"><tr>'; for($i = 0; $i < $album_count; $i++) { $entry = $sxml->channel->item[$i]; $time = $entry->pubDate; $time_ln = strlen($time)-14; $time = substr($time,0,$time_ln); $description = $entry->description; $tn_beg = strpos($description, "src="); $tn_end = strpos($description, "alt="); $tn_length = $tn_end - $tn_beg; $tn = substr($description, $tn_beg, $tn_length); $albumrss = $entry->guid; $albumrsscount = strlen($albumrss) - 7; $albumrss = substr($albumrss, 7, $albumrsscount); $search = strstr($time, $year); if($search != FALSE || $year == ''){ print '<td valign="top">'; print '<a href="/node/'.$photoNodeNum.'?album='.$albumrss.'">'; print '<center><img '.$tn.' style="border:3px double #cccccc"><br>'; print $entry->title.'<br>'.$time.'</center>'; print '</a><br></td> '; if($column == 3){ print '</tr><tr>'; $column = 0; } else { $column++; } } } print '</table>'; } ?>

    Read the article

  • Nodes set of the same type with if-test. Make it less.

    - by Kalinin
    How to make the code more beautiful (compact)? <xsl:template match="part"> <table class="part"> <xsl:if test="name != ''"> <tr> <td>????????</td><td><xsl:value-of select="name"/></td> </tr> </xsl:if> <xsl:if test="model != ''"> <tr> <td>??????</td><td><xsl:value-of select="model"/></td> </tr> </xsl:if> <xsl:if test="year != ''"> <tr> <td>???</td><td><xsl:value-of select="year"/></td> </tr> </xsl:if> <xsl:if test="glass_type != ''"> <tr> <td>???</td><td><xsl:value-of select="glass_type"/></td> </tr> </xsl:if> <xsl:if test="scancode != ''"> <tr> <td>???????</td><td><xsl:value-of select="scancode"/></td> </tr> </xsl:if> <xsl:if test="eurocode != ''"> <tr> <td>???????</td><td><xsl:value-of select="eurocode"/></td> </tr> </xsl:if> <xsl:if test="coment != ''"> <tr> <td>???????????</td><td><xsl:value-of select="coment"/></td> </tr> </xsl:if> <xsl:if test="glass_size != ''"> <tr> <td>??????</td><td><xsl:value-of select="glass_size"/></td> </tr> </xsl:if> <xsl:if test="vendor != ''"> <tr> <td>?????????????</td><td><xsl:value-of select="vendor"/></td> </tr> </xsl:if> <xsl:if test="trademark != ''"> <tr> <td>???????? ?????</td><td><xsl:value-of select="trademark"/></td> </tr> </xsl:if> <xsl:if test="fprice != ''"> <tr> <td>????</td><td><xsl:value-of select="fprice"/></td> </tr> </xsl:if> </table> </xsl:template> Update: i wrote: <my:translations xmlns:my="my:my"> <w e="name" r="????????"/> <w e="model" r="??????"/> <w e="year" r="???"/> <w e="glass_type" r="???"/> <w e="scancode" r="???????"/> <w e="eurocode" r="???????"/> <w e="comment" r="???????????"/> <w e="glass_size" r="??????"/> <w e="vendor" r="?????????????"/> <w e="trademark" r="???????? ?????"/> <w e="fprice" r="????"/> </my:translations> <xsl:value-of select="//w/@r"/> And have no result from this code. Is it normal? And how can i get new element w?

    Read the article

  • How to know whether to create a general system or to hack a solution

    - by Andy K
    I'm new to coding , learning it since last year actually. One of my worst habits is the following: Often I'm trying to create a solution that is too big , too complex and doesn't achieve what needs to be achieved, when a hacky kludge can make the fit. One last example was the following (see paste bin link below) http://pastebin.com/WzR3zsLn After explaining my issue, one nice person at stackoverflow came with this solution instead http://stackoverflow.com/questions/25304170/update-a-field-by-removing-quarter-or-removing-month When should I keep my code simple and when should I create a 'big', general solution? I feel stupid sometimes for building something so big, so awkward, just to solve a simple problem. It did not occur to me that there would be an easier solution. Any tips are welcomed. Best

    Read the article

  • LLBLGen Pro v3.0 with Entity Framework v4.0 (12m video)

    Today I recorded a video in which I illustrate some of the database-first functionality available in LLBLGen Pro v3.0. LLBLGen Pro v3.0 also supports model-first functionality, which I hope to illustrate in an upcoming video. LLBLGen Pro v3.0 is currently in beta and is scheduled to RTM some time in May 2010. It supports the following frameworks out of the box, with more scheduled to follow in the coming year: LLBLGen Pro RTL (our own o/r mapper framework), Linq to Sql, NHibernate and Entity Framework...Did you know that DotNetSlackers also publishes .net articles written by top known .net Authors? We already have over 80 articles in several categories including Silverlight. Take a look: here.

    Read the article

  • Code for Waterglen Horse Farms application? [migrated]

    - by user73459
    I am having trouble with the solution to the Waterglens Horse Farms application in the Visual Basic 2010 Reloaded book. The problem reads: Each year Sabrina Cantrell, owner of waterglen horse farms enters four of her horses in five local horse races. She uses the table shown below to keep track of her horses in 5 local races. in the table , a 1 shows that the horse won a race, a 2 shows 2nd place, a 3 is 3rd place , and a 0 the horse didn't finish in the top 3. More details in these 2 images: http://imgur.com/a/YTNEX Here is what I have tried so far: Dim racescores(,) As Integer = {{0, 1, 0, 3, 2}, {1, 0, 2, 0, 0}, {0, 3, 0, 1, 0}, {3, 2, 1, 0, 0}} Dim subscript As Integer = 0 Dim noplace As Integer = 0 If horse1RadioButton.Checked Then Do While subscript < racescores(3, 4) If racescores(0, subscript) = 0 Then noplace = noplace + 1 End If subscript = subscript + 1 Loop noPlaceDisplayLabel.Text = noplace End If

    Read the article

  • SQL SERVER – Beginning SQL Server: One Step at a Time – SQL Server Magazine

    - by pinaldave
    I am glad to announce that along with SQLAuthority.com, I will be blogging on the prominent site of SQL Server Magazine. My very first blog post there is already live; read here: Beginning SQL Server: One Step at a Time. My association with SQL Server Magazine has been quite long, I have written nearly 7 to 8 SQL Server articles for the print magazine and it has been a great experience. I used to stay in the United States at that time. I moved back to India for good, and during this process, I had put everything on hold for a while. Just like many things, “temporary” things become “permanent” – coming back to SQLMag was on hold for long time. Well, this New Year, things have changed – once again, I am back with my online presence at SQLMag.com. Everybody is a beginner at every task or activity at some point of his/her life: spelling words for the first time; learning how to drive for the first time, etc. No one is perfect at the start of any task, but every human is different. As time passes, we all develop our interests and begin to study our subject of interest. Most of us dream to get a job in the area of our study – however things change as time passes. I recently read somewhere online (I could not find the link again while writing this one) that all the successful people in various areas have never studied in the area in which they are successful. After going through a formal learning process of what we love, we refuse to stop learning, and we finally stop changing career and focus areas. We move, we dare and we progress. IT field is similar to our life. New IT professionals come to this field every day. There are two types of beginners – a) those who are associated with IT field but not familiar with other technologies, and b) those who are absolutely new to the IT field. Learning a new technology is always exciting and overwhelming for enthusiasts. I am working with database (in particular) for SQL Server for more than 7 years but I am still overwhelmed with so many things to learn. I continue to learn and I do not think that I should ever stop doing so. Just like everybody, I want to be in the race and get ahead in learning the technology. For the same, I am always looking for good guidance. I always try to find a good article, blog or book chapter, which can teach me what I really want to learn at this stage in my career and can be immensely helpful. Quite often, I prefer to read the material where the author does not judge me or assume my understanding. I like to read new concepts like a child, who takes his/her first steps of learning without any prior knowledge. Keeping my personal philosophy and preference in mind, I will be blogging on SQL Server Magazine site. I will be blogging on the beginners stuff. I will be blogging for them, who really want to start and make a mark in this area. I will be blogging for all those who have an extreme passion for learning. I am happy that this is a good start for this year. One of my resolutions is to help every beginner. It is totally possible that in future they all will grow and find the same article quite ‘easy‘ – well when that happens, it indicates the success of the article and material! Well, I encourage everybody to read my SQL Server Magazine blog – I will be blogging there frequently on various topics. To begin, we will be talking about performance tuning, and I assure that I will not shy away from other multiple areas. Read my SQL Server Magazine Blog: Beginning SQL Server: One Step at a Time I think the title says it all. Do leave your comments and feedback to indicate your preference of subject and interest. I am going to continue writing on subject, and the aim is of course to help grow in this field. Reference : Pinal Dave (http://blog.SQLAuthority.com) Filed under: Pinal Dave, PostADay, SQL, SQL Authority, SQL Optimization, SQL Performance, SQL Query, SQL Server, SQL Tips and Tricks, SQLAuthority News, T SQL, Technology

    Read the article

  • Google’s April Fools Day Prank– Google Maps For Nintendo Entertainment System(NES)

    - by Gopinath
    Google is a funny organization and they celebrate most of events we love, in a geeky way. On the occasion of April Fool’s day 2012, Google released 8 bit Google Maps for Nintendo Entertainment System(NES). Here is the screen grab of Buckingham Palace, on 8 bit Google Maps. For those who are not aware of NES,  it is XBox of 1980’s.  NES is considered one of the most influential video game systems ever produced. Released in 1983, NES conquered millions of gamers heart and had a long lasting impact of 20 years. In the year of 2003, Nintendo finally stopped production of NES. Check out the embedded Google’s launch video of 8 Bit Google Maps for NES If you interested to take a tour the 8 bit Google Maps, go to Google Maps and click on the quest button available on right top corner. The guys at techi.com has a good collection of screen grabs taken from 8 Bit Google Maps, check it out here.

    Read the article

  • Two python distributions, sudo picking the wrong one

    - by DHK
    I'm back to Linux after an over 10 year abstinence (fool me thinks). And a little rusty in the sys admin department. I'm faced with an issue with my python distribution. I'm using Python 2.7, but based on the Anaconda flavour. I followed the standard guidance but recently I discovered an issue that I'm not sure how to fix. Under sudo, the standard Python as comes with Ubuntu is provided. Under my user account python points to the Anaconda version: dhk@localhost:~/home/$which python /opt/anaconda/bin/python dhk@localhost:~/home/$sudo which python /usr/bin/python This is an issue as using sudo pip [anything] usually acts on the wrong directory, yet I cannot use it without sudo.

    Read the article

  • Discoverer 11g 11.1.1.2 Certified with EBS 12 on Five New Platforms

    - by Steven Chan
    Oracle Fusion Middleware 11g Release 1 includes Oracle Discoverer.  Discoverer is an ad-hoc query, reporting, analysis, and Web-publishing tool that allows end-users to work directly with Oracle E-Business Suite OLTP data.We certified Discoverer 11gR1 11.1.1.2 with the E-Business Suite Release 11i and 12 on Linux earlier this year.  Our Applications Platforms Group has just released five additional platform certifications for Discoverer 11.1.1.2 for Oracle E-Business Suite Release 12 (12.0.x and 12.1.x).Certified EBS 12 PlatformsLinux x86-64 (Oracle Enterprise Linux 4, 5) Linux x86-64 (RHEL 4, 5) Linux x86-64 (SLES 10) Oracle Solaris on SPARC (64-bit) (Solaris 9, 10) HP-UX Itanium (11.23, 11.31) HP-UX PA-RISC (64-bit) (11.23, 11.31) IBM AIX on Power Systems (64-bit) (5.3, 6.1) Microsoft Windows Server (32-bit) (2003, 2008)

    Read the article

  • 15 Oracle customers are 'Winners' at Progressive Mfgs 100 Awards

    - by [email protected]
    This year, 15 Oracle customers will receive awards at the Managing Automation's PM100 Event  for their outstanding accomplishments in a number of supply chain applications innovation categories. The event will be held at the Breakers Hotel in Palm Beach Fl from May 3-6, 2010. Award winners include: Arvin Meritor, Ball Aerospace, US Dept. of Treasury/Engraving, Doosan Infracore, Freescale Semi, Ingersoll-Rand, JDS Uniphase, L&L Products, Masco Builders, Mercury Marine Sanmina-SCI, Siemens Water TEch, US Concrete, VirTex Assy Services. Details of the event and Oracle's sponsorship can be found at: http://www.managingautomation.com/awards/ or contact Stephen Slade at [email protected]      

    Read the article

  • Stephen Forte visits IDEP Foundation Recipient of our post-tsunami .NET Charity Auction

    Earlier this week I got an email from Stephen Forte saying he was in Bali and would love to meet the folks from IDEP Foundation. IDEP is an Indonesian NGO for which Stephen and I coordinated a charity auction 5 years ago and raised $10,000. We raised another chunk of money in a repeat auction in June of that year as well. I sent an email to my dear friend Petra, a Canadian ex-pat, who runs IDEP. I met Petra through Keith Pleas who had connections to IDEP and was looking for help for them after...Did you know that DotNetSlackers also publishes .net articles written by top known .net Authors? We already have over 80 articles in several categories including Silverlight. Take a look: here.

    Read the article

  • SQLAuthority News – Uncut and Unedited Video Interview of Pinal Dave

    - by pinaldave
    Earlier this year Lohith (@kashyapa) from Bangalore took my ‘Uncut and Unedited’ video interview. It was really fun to answer his questions as it was very different from regular interview. He asked few personal details few technical details and made me show few secrets. I think if you want to see me Uncut and Unedited I urge you to watch the video. He has previously interviewed few celebrities as well. I think I am the only one in the list who is not celebrity. Reference: Pinal Dave (http://blog.SQLAuthority.com) Filed under: About Me, Pinal Dave, PostADay, SQL, SQL Authority, SQL Query, SQL Server, SQL Tips and Tricks, T SQL, Technology

    Read the article

  • Toorcon 15 (2013)

    - by danx
    The Toorcon gang (senior staff): h1kari (founder), nfiltr8, and Geo Introduction to Toorcon 15 (2013) A Tale of One Software Bypass of MS Windows 8 Secure Boot Breaching SSL, One Byte at a Time Running at 99%: Surviving an Application DoS Security Response in the Age of Mass Customized Attacks x86 Rewriting: Defeating RoP and other Shinanighans Clowntown Express: interesting bugs and running a bug bounty program Active Fingerprinting of Encrypted VPNs Making Attacks Go Backwards Mask Your Checksums—The Gorry Details Adventures with weird machines thirty years after "Reflections on Trusting Trust" Introduction to Toorcon 15 (2013) Toorcon 15 is the 15th annual security conference held in San Diego. I've attended about a third of them and blogged about previous conferences I attended here starting in 2003. As always, I've only summarized the talks I attended and interested me enough to write about them. Be aware that I may have misrepresented the speaker's remarks and that they are not my remarks or opinion, or those of my employer, so don't quote me or them. Those seeking further details may contact the speakers directly or use The Google. For some talks, I have a URL for further information. A Tale of One Software Bypass of MS Windows 8 Secure Boot Andrew Furtak and Oleksandr Bazhaniuk Yuri Bulygin, Oleksandr ("Alex") Bazhaniuk, and (not present) Andrew Furtak Yuri and Alex talked about UEFI and Bootkits and bypassing MS Windows 8 Secure Boot, with vendor recommendations. They previously gave this talk at the BlackHat 2013 conference. MS Windows 8 Secure Boot Overview UEFI (Unified Extensible Firmware Interface) is interface between hardware and OS. UEFI is processor and architecture independent. Malware can replace bootloader (bootx64.efi, bootmgfw.efi). Once replaced can modify kernel. Trivial to replace bootloader. Today many legacy bootkits—UEFI replaces them most of them. MS Windows 8 Secure Boot verifies everything you load, either through signatures or hashes. UEFI firmware relies on secure update (with signed update). You would think Secure Boot would rely on ROM (such as used for phones0, but you can't do that for PCs—PCs use writable memory with signatures DXE core verifies the UEFI boat loader(s) OS Loader (winload.efi, winresume.efi) verifies the OS kernel A chain of trust is established with a root key (Platform Key, PK), which is a cert belonging to the platform vendor. Key Exchange Keys (KEKs) verify an "authorized" database (db), and "forbidden" database (dbx). X.509 certs with SHA-1/SHA-256 hashes. Keys are stored in non-volatile (NV) flash-based NVRAM. Boot Services (BS) allow adding/deleting keys (can't be accessed once OS starts—which uses Run-Time (RT)). Root cert uses RSA-2048 public keys and PKCS#7 format signatures. SecureBoot — enable disable image signature checks SetupMode — update keys, self-signed keys, and secure boot variables CustomMode — allows updating keys Secure Boot policy settings are: always execute, never execute, allow execute on security violation, defer execute on security violation, deny execute on security violation, query user on security violation Attacking MS Windows 8 Secure Boot Secure Boot does NOT protect from physical access. Can disable from console. Each BIOS vendor implements Secure Boot differently. There are several platform and BIOS vendors. It becomes a "zoo" of implementations—which can be taken advantage of. Secure Boot is secure only when all vendors implement it correctly. Allow only UEFI firmware signed updates protect UEFI firmware from direct modification in flash memory protect FW update components program SPI controller securely protect secure boot policy settings in nvram protect runtime api disable compatibility support module which allows unsigned legacy Can corrupt the Platform Key (PK) EFI root certificate variable in SPI flash. If PK is not found, FW enters setup mode wich secure boot turned off. Can also exploit TPM in a similar manner. One is not supposed to be able to directly modify the PK in SPI flash from the OS though. But they found a bug that they can exploit from User Mode (undisclosed) and demoed the exploit. It loaded and ran their own bootkit. The exploit requires a reboot. Multiple vendors are vulnerable. They will disclose this exploit to vendors in the future. Recommendations: allow only signed updates protect UEFI fw in ROM protect EFI variable store in ROM Breaching SSL, One Byte at a Time Yoel Gluck and Angelo Prado Angelo Prado and Yoel Gluck, Salesforce.com CRIME is software that performs a "compression oracle attack." This is possible because the SSL protocol doesn't hide length, and because SSL compresses the header. CRIME requests with every possible character and measures the ciphertext length. Look for the plaintext which compresses the most and looks for the cookie one byte-at-a-time. SSL Compression uses LZ77 to reduce redundancy. Huffman coding replaces common byte sequences with shorter codes. US CERT thinks the SSL compression problem is fixed, but it isn't. They convinced CERT that it wasn't fixed and they issued a CVE. BREACH, breachattrack.com BREACH exploits the SSL response body (Accept-Encoding response, Content-Encoding). It takes advantage of the fact that the response is not compressed. BREACH uses gzip and needs fairly "stable" pages that are static for ~30 seconds. It needs attacker-supplied content (say from a web form or added to a URL parameter). BREACH listens to a session's requests and responses, then inserts extra requests and responses. Eventually, BREACH guesses a session's secret key. Can use compression to guess contents one byte at-a-time. For example, "Supersecret SupersecreX" (a wrong guess) compresses 10 bytes, and "Supersecret Supersecret" (a correct guess) compresses 11 bytes, so it can find each character by guessing every character. To start the guess, BREACH needs at least three known initial characters in the response sequence. Compression length then "leaks" information. Some roadblocks include no winners (all guesses wrong) or too many winners (multiple possibilities that compress the same). The solutions include: lookahead (guess 2 or 3 characters at-a-time instead of 1 character). Expensive rollback to last known conflict check compression ratio can brute-force first 3 "bootstrap" characters, if needed (expensive) block ciphers hide exact plain text length. Solution is to align response in advance to block size Mitigations length: use variable padding secrets: dynamic CSRF tokens per request secret: change over time separate secret to input-less servlets Future work eiter understand DEFLATE/GZIP HTTPS extensions Running at 99%: Surviving an Application DoS Ryan Huber Ryan Huber, Risk I/O Ryan first discussed various ways to do a denial of service (DoS) attack against web services. One usual method is to find a slow web page and do several wgets. Or download large files. Apache is not well suited at handling a large number of connections, but one can put something in front of it Can use Apache alternatives, such as nginx How to identify malicious hosts short, sudden web requests user-agent is obvious (curl, python) same url requested repeatedly no web page referer (not normal) hidden links. hide a link and see if a bot gets it restricted access if not your geo IP (unless the website is global) missing common headers in request regular timing first seen IP at beginning of attack count requests per hosts (usually a very large number) Use of captcha can mitigate attacks, but you'll lose a lot of genuine users. Bouncer, goo.gl/c2vyEc and www.github.com/rawdigits/Bouncer Bouncer is software written by Ryan in netflow. Bouncer has a small, unobtrusive footprint and detects DoS attempts. It closes blacklisted sockets immediately (not nice about it, no proper close connection). Aggregator collects requests and controls your web proxies. Need NTP on the front end web servers for clean data for use by bouncer. Bouncer is also useful for a popularity storm ("Slashdotting") and scraper storms. Future features: gzip collection data, documentation, consumer library, multitask, logging destroyed connections. Takeaways: DoS mitigation is easier with a complete picture Bouncer designed to make it easier to detect and defend DoS—not a complete cure Security Response in the Age of Mass Customized Attacks Peleus Uhley and Karthik Raman Peleus Uhley and Karthik Raman, Adobe ASSET, blogs.adobe.com/asset/ Peleus and Karthik talked about response to mass-customized exploits. Attackers behave much like a business. "Mass customization" refers to concept discussed in the book Future Perfect by Stan Davis of Harvard Business School. Mass customization is differentiating a product for an individual customer, but at a mass production price. For example, the same individual with a debit card receives basically the same customized ATM experience around the world. Or designing your own PC from commodity parts. Exploit kits are another example of mass customization. The kits support multiple browsers and plugins, allows new modules. Exploit kits are cheap and customizable. Organized gangs use exploit kits. A group at Berkeley looked at 77,000 malicious websites (Grier et al., "Manufacturing Compromise: The Emergence of Exploit-as-a-Service", 2012). They found 10,000 distinct binaries among them, but derived from only a dozen or so exploit kits. Characteristics of Mass Malware: potent, resilient, relatively low cost Technical characteristics: multiple OS, multipe payloads, multiple scenarios, multiple languages, obfuscation Response time for 0-day exploits has gone down from ~40 days 5 years ago to about ~10 days now. So the drive with malware is towards mass customized exploits, to avoid detection There's plenty of evicence that exploit development has Project Manager bureaucracy. They infer from the malware edicts to: support all versions of reader support all versions of windows support all versions of flash support all browsers write large complex, difficult to main code (8750 lines of JavaScript for example Exploits have "loose coupling" of multipe versions of software (adobe), OS, and browser. This allows specific attacks against specific versions of multiple pieces of software. Also allows exploits of more obscure software/OS/browsers and obscure versions. Gave examples of exploits that exploited 2, 3, 6, or 14 separate bugs. However, these complete exploits are more likely to be buggy or fragile in themselves and easier to defeat. Future research includes normalizing malware and Javascript. Conclusion: The coming trend is that mass-malware with mass zero-day attacks will result in mass customization of attacks. x86 Rewriting: Defeating RoP and other Shinanighans Richard Wartell Richard Wartell The attack vector we are addressing here is: First some malware causes a buffer overflow. The malware has no program access, but input access and buffer overflow code onto stack Later the stack became non-executable. The workaround malware used was to write a bogus return address to the stack jumping to malware Later came ASLR (Address Space Layout Randomization) to randomize memory layout and make addresses non-deterministic. The workaround malware used was to jump t existing code segments in the program that can be used in bad ways "RoP" is Return-oriented Programming attacks. RoP attacks use your own code and write return address on stack to (existing) expoitable code found in program ("gadgets"). Pinkie Pie was paid $60K last year for a RoP attack. One solution is using anti-RoP compilers that compile source code with NO return instructions. ASLR does not randomize address space, just "gadgets". IPR/ILR ("Instruction Location Randomization") randomizes each instruction with a virtual machine. Richard's goal was to randomize a binary with no source code access. He created "STIR" (Self-Transofrming Instruction Relocation). STIR disassembles binary and operates on "basic blocks" of code. The STIR disassembler is conservative in what to disassemble. Each basic block is moved to a random location in memory. Next, STIR writes new code sections with copies of "basic blocks" of code in randomized locations. The old code is copied and rewritten with jumps to new code. the original code sections in the file is marked non-executible. STIR has better entropy than ASLR in location of code. Makes brute force attacks much harder. STIR runs on MS Windows (PEM) and Linux (ELF). It eliminated 99.96% or more "gadgets" (i.e., moved the address). Overhead usually 5-10% on MS Windows, about 1.5-4% on Linux (but some code actually runs faster!). The unique thing about STIR is it requires no source access and the modified binary fully works! Current work is to rewrite code to enforce security policies. For example, don't create a *.{exe,msi,bat} file. Or don't connect to the network after reading from the disk. Clowntown Express: interesting bugs and running a bug bounty program Collin Greene Collin Greene, Facebook Collin talked about Facebook's bug bounty program. Background at FB: FB has good security frameworks, such as security teams, external audits, and cc'ing on diffs. But there's lots of "deep, dark, forgotten" parts of legacy FB code. Collin gave several examples of bountied bugs. Some bounty submissions were on software purchased from a third-party (but bounty claimers don't know and don't care). We use security questions, as does everyone else, but they are basically insecure (often easily discoverable). Collin didn't expect many bugs from the bounty program, but they ended getting 20+ good bugs in first 24 hours and good submissions continue to come in. Bug bounties bring people in with different perspectives, and are paid only for success. Bug bounty is a better use of a fixed amount of time and money versus just code review or static code analysis. The Bounty program started July 2011 and paid out $1.5 million to date. 14% of the submissions have been high priority problems that needed to be fixed immediately. The best bugs come from a small % of submitters (as with everything else)—the top paid submitters are paid 6 figures a year. Spammers like to backstab competitors. The youngest sumitter was 13. Some submitters have been hired. Bug bounties also allows to see bugs that were missed by tools or reviews, allowing improvement in the process. Bug bounties might not work for traditional software companies where the product has release cycle or is not on Internet. Active Fingerprinting of Encrypted VPNs Anna Shubina Anna Shubina, Dartmouth Institute for Security, Technology, and Society (I missed the start of her talk because another track went overtime. But I have the DVD of the talk, so I'll expand later) IPsec leaves fingerprints. Using netcat, one can easily visually distinguish various crypto chaining modes just from packet timing on a chart (example, DES-CBC versus AES-CBC) One can tell a lot about VPNs just from ping roundtrips (such as what router is used) Delayed packets are not informative about a network, especially if far away from the network More needed to explore about how TCP works in real life with respect to timing Making Attacks Go Backwards Fuzzynop FuzzyNop, Mandiant This talk is not about threat attribution (finding who), product solutions, politics, or sales pitches. But who are making these malware threats? It's not a single person or group—they have diverse skill levels. There's a lot of fat-fingered fumblers out there. Always look for low-hanging fruit first: "hiding" malware in the temp, recycle, or root directories creation of unnamed scheduled tasks obvious names of files and syscalls ("ClearEventLog") uncleared event logs. Clearing event log in itself, and time of clearing, is a red flag and good first clue to look for on a suspect system Reverse engineering is hard. Disassembler use takes practice and skill. A popular tool is IDA Pro, but it takes multiple interactive iterations to get a clean disassembly. Key loggers are used a lot in targeted attacks. They are typically custom code or built in a backdoor. A big tip-off is that non-printable characters need to be printed out (such as "[Ctrl]" "[RightShift]") or time stamp printf strings. Look for these in files. Presence is not proof they are used. Absence is not proof they are not used. Java exploits. Can parse jar file with idxparser.py and decomile Java file. Java typially used to target tech companies. Backdoors are the main persistence mechanism (provided externally) for malware. Also malware typically needs command and control. Application of Artificial Intelligence in Ad-Hoc Static Code Analysis John Ashaman John Ashaman, Security Innovation Initially John tried to analyze open source files with open source static analysis tools, but these showed thousands of false positives. Also tried using grep, but tis fails to find anything even mildly complex. So next John decided to write his own tool. His approach was to first generate a call graph then analyze the graph. However, the problem is that making a call graph is really hard. For example, one problem is "evil" coding techniques, such as passing function pointer. First the tool generated an Abstract Syntax Tree (AST) with the nodes created from method declarations and edges created from method use. Then the tool generated a control flow graph with the goal to find a path through the AST (a maze) from source to sink. The algorithm is to look at adjacent nodes to see if any are "scary" (a vulnerability), using heuristics for search order. The tool, called "Scat" (Static Code Analysis Tool), currently looks for C# vulnerabilities and some simple PHP. Later, he plans to add more PHP, then JSP and Java. For more information see his posts in Security Innovation blog and NRefactory on GitHub. Mask Your Checksums—The Gorry Details Eric (XlogicX) Davisson Eric (XlogicX) Davisson Sometimes in emailing or posting TCP/IP packets to analyze problems, you may want to mask the IP address. But to do this correctly, you need to mask the checksum too, or you'll leak information about the IP. Problem reports found in stackoverflow.com, sans.org, and pastebin.org are usually not masked, but a few companies do care. If only the IP is masked, the IP may be guessed from checksum (that is, it leaks data). Other parts of packet may leak more data about the IP. TCP and IP checksums both refer to the same data, so can get more bits of information out of using both checksums than just using one checksum. Also, one can usually determine the OS from the TTL field and ports in a packet header. If we get hundreds of possible results (16x each masked nibble that is unknown), one can do other things to narrow the results, such as look at packet contents for domain or geo information. With hundreds of results, can import as CSV format into a spreadsheet. Can corelate with geo data and see where each possibility is located. Eric then demoed a real email report with a masked IP packet attached. Was able to find the exact IP address, given the geo and university of the sender. Point is if you're going to mask a packet, do it right. Eric wouldn't usually bother, but do it correctly if at all, to not create a false impression of security. Adventures with weird machines thirty years after "Reflections on Trusting Trust" Sergey Bratus Sergey Bratus, Dartmouth College (and Julian Bangert and Rebecca Shapiro, not present) "Reflections on Trusting Trust" refers to Ken Thompson's classic 1984 paper. "You can't trust code that you did not totally create yourself." There's invisible links in the chain-of-trust, such as "well-installed microcode bugs" or in the compiler, and other planted bugs. Thompson showed how a compiler can introduce and propagate bugs in unmodified source. But suppose if there's no bugs and you trust the author, can you trust the code? Hell No! There's too many factors—it's Babylonian in nature. Why not? Well, Input is not well-defined/recognized (code's assumptions about "checked" input will be violated (bug/vunerabiliy). For example, HTML is recursive, but Regex checking is not recursive. Input well-formed but so complex there's no telling what it does For example, ELF file parsing is complex and has multiple ways of parsing. Input is seen differently by different pieces of program or toolchain Any Input is a program input executes on input handlers (drives state changes & transitions) only a well-defined execution model can be trusted (regex/DFA, PDA, CFG) Input handler either is a "recognizer" for the inputs as a well-defined language (see langsec.org) or it's a "virtual machine" for inputs to drive into pwn-age ELF ABI (UNIX/Linux executible file format) case study. Problems can arise from these steps (without planting bugs): compiler linker loader ld.so/rtld relocator DWARF (debugger info) exceptions The problem is you can't really automatically analyze code (it's the "halting problem" and undecidable). Only solution is to freeze code and sign it. But you can't freeze everything! Can't freeze ASLR or loading—must have tables and metadata. Any sufficiently complex input data is the same as VM byte code Example, ELF relocation entries + dynamic symbols == a Turing Complete Machine (TM). @bxsays created a Turing machine in Linux from relocation data (not code) in an ELF file. For more information, see Rebecca "bx" Shapiro's presentation from last year's Toorcon, "Programming Weird Machines with ELF Metadata" @bxsays did same thing with Mach-O bytecode Or a DWARF exception handling data .eh_frame + glibc == Turning Machine X86 MMU (IDT, GDT, TSS): used address translation to create a Turning Machine. Page handler reads and writes (on page fault) memory. Uses a page table, which can be used as Turning Machine byte code. Example on Github using this TM that will fly a glider across the screen Next Sergey talked about "Parser Differentials". That having one input format, but two parsers, will create confusion and opportunity for exploitation. For example, CSRs are parsed during creation by cert requestor and again by another parser at the CA. Another example is ELF—several parsers in OS tool chain, which are all different. Can have two different Program Headers (PHDRs) because ld.so parses multiple PHDRs. The second PHDR can completely transform the executable. This is described in paper in the first issue of International Journal of PoC. Conclusions trusting computers not only about bugs! Bugs are part of a problem, but no by far all of it complex data formats means bugs no "chain of trust" in Babylon! (that is, with parser differentials) we need to squeeze complexity out of data until data stops being "code equivalent" Further information See and langsec.org. USENIX WOOT 2013 (Workshop on Offensive Technologies) for "weird machines" papers and videos.

    Read the article

  • “Unplugged” LIDNUG online talk with me on Monday (April 16th)

    - by ScottGu
    This coming Monday (April 16th) I’m doing another online LIDNUG session.  The talk will be from 10am to 11:30am (Pacific Time).  I do these talks a few times a year and they tend to be pretty fun.  Attendees can ask any questions they want to me, and listen to me answer them live via LiveMeeting.  We usually end up having some really good discussions on a wide variety of topics.  Any topic or question is fair game. You can learn more and register to attend the online event for free here. I’ll update this post with a download link to a recorded audio version of the talk after the event is over. Hope to get a chance to chat with some of you there! Scott P.S. In addition to blogging, I am also now using Twitter for quick updates and to share links. Follow me at: twitter.com/scottgu

    Read the article

  • Trailer for ‘The Dark Knight Rises’ Done in LEGO [Video]

    - by Asian Angel
    Are you ready for the release of ‘The Dark Knight Rises’ later this year? Then prepare to indulge in an awesome combination of LEGO and Batman with this video trailer created by YouTube user ParanickFilmz. Here is the original version of the trailer for those of you who are curious and want to compare the two to each other… The Dark Knight Rises Trailer 2: IN LEGO [via Neatorama] How to Own Your Own Website (Even If You Can’t Build One) Pt 2 How to Own Your Own Website (Even If You Can’t Build One) Pt 1 What’s the Difference Between Sleep and Hibernate in Windows?

    Read the article

  • Where to publish articles about open source?

    - by Lukas Eder
    I've been developing a free, open source Java database abstraction project (jOOQ) and I have released first stable releases from November 2010 onwards. Feedback has been quite good and constructive, and I am very motivated to continue my work. In the mean time, to get more attention and feedback, I have published articles on http://java.dzone.com/ http://www.theserverside.com/ http://www.infoq.com/ (they didn't publish my article, though) These are some sample articles so you know the type of article I want to publish: http://java.dzone.com/announcements/simple-and-intuitive-approach http://java.dzone.com/articles/2011-great-year-stored What other resources would you recommend? Where else should I publish, knowing that I want to reach Java/SQL developers and architects / technology decision makers I can publish in English, German, French I think that my project is suitable for both beginners and pro's (in Java and SQL, or programming in general)

    Read the article

  • iOS App Ideas for a graduation project

    - by kramer
    I'm a CS student (BSc. degree) and it's my senior year so I'll need to do a mandatory graduation project. A friend and I just realized we are about to miss the project proposal submission deadline so we went out there researching... One of the professors (our future-project-supervisor) recommended us to team up and submit a single project with strong roots, as our only chance to fit-in this semester's quota. (we were already pretty late to consult him and most supervisors are almost at their full-quota). Anyway, his research area mainly focuses on image processing, virtual reality, computer vision/graphics so he went ahead and recommended us to find some project ideas that would work as an iPhone app. Thing is, we have no development experience on Macs but have plenty of Java, C#, C and Ruby experience... I am looking for interesting iPhone app ideas that would be appropriate as a graduation project. Go ahead and fire away your ideas and comments, they are much appreciated.

    Read the article

  • Itautec Accelerates Profitable High Tech Customer Service

    - by charles.knapp
    Itautec is a Brazilian-based global high technology products and services firm with strong performance in the global market of banking and commercial automation, with more than 2,300 global clients. It recently deployed Siebel CRM for sales, customer support, and field service. In the first year of use, Siebel CRM enabled a 30% growth in services revenue. Siebel CRM also reduced support costs. "Oracle's Siebel CRM has minimized costs and made our customer service more agile," said Adriano Rodrigues da Silva, IT Manager. "Before deployment, 95% of our customer service contacts were made by phone. Siebel CRM made it possible to expand' choices, so that now 55% of our customers contact our helpdesk through the newer communications channels." Read more here about Itautec's success, and learn more here about how Siebel CRM can help your firm to grow customer service revenues, improve service levels, and reduce costs.

    Read the article

  • SQL Server - MVP 2010

    - by JustinL
    I was very happy to receive an email last week to confirm I would receive the MVP Award for SQL Server for 2010 - very exciting news ! I missed the first FedEx delivery, however this weekend they were able to successfully deliver the package from Microsoft and it began to feel very real as I opened the box to find the MVP glass-ware! Since leaving Microsoft, the past couple of years have been incredibly challenging, exciting and satisfying.  The MVP Award is really special, the SQL community has a fantastic, international base with many successful events, leaders and contributors providing an impressive network both online and in-person. I'm really excited about the year ahead - starting this week with SQL Bits in London, followed by PASS EMEA in Germany next week and at the London PASS user group meeting on Monday 26th April. Regards,   Justin Langford - Coeo Ltd

    Read the article

  • Unity 3D game idea for a fun and teaching game

    - by rasheeda
    I have been brainstorming for months now on writing a unity 3D game for my final year computer science project. I have been learning unity for sometime now but comming up with a concept is quite difficult than i thought. The game has to be really fun and also educational, one that the school and community can benefit from. I am thinking about a third person game. where the player runs round in an enviroment, picks up coins and earn points. This alone wouldn't earn me points and I have been trying to find new ideas of my own and all over the net but to no avail. Hopefully you guys can help me out with an idea, and how to make the lecturers appreciate the game and also make kids wanna play play it for a reason. Thanks.

    Read the article

  • The “AfterDark” reception is back!

    - by rituchhibber
    This year, the OPN Exchange “AfterDark” Reception is moving to new heights! Join us on the 5th floor of the Metreon building in San Francisco for this exclusive ‘VIP’ event. The reception will be held from 7:30 p.m. – 10 p.m. on Sunday, September 30th. Enjoy the smooth sounds of Macy Gray over a cocktail, as you network the night away and watch the 2012 live Music Festival performances from above! Best of all, this event is exclusive and free to all Oracle PartnerNetwork Exchange attendees! So come mix and mingle with us as we kick-off Oracle OpenWorld 2012 with great conversation and music! See You After Dark! The OPN Communications Team

    Read the article

  • Pyro Jam Can Is a DIY Mini Ruben’s Tube

    - by Jason Fitzpatrick
    Earlier this year we showed you how to make a full-size Ruben’s Tube; now make a tiny single-column fire speaker with the Pyro Jam Can. Instructables’ user Patrick needed a simple device to enter into an Instuctables contest centered on fire-themed projects. His contribution, seen in the video above, is a single-column Ruben’s Tube (for the unfamiliar, a Ruben’s Tube is a device through which sound and flammable gas are passed; the resulting flame is modulated by the frequency of the sound). If your next party wouldn’t be the same without a sound system that pumps bass beats and fire, you know where to get started. The Pyro Jam Can [via Hack A Day] Use Amazon’s Barcode Scanner to Easily Buy Anything from Your Phone How To Migrate Windows 7 to a Solid State Drive Follow How-To Geek on Google+

    Read the article

  • SQLBeat Podcast – Episode 6 – And the Winner is…Meredith Ryan from Albakerkee.

    - by SQLBeat
    In this episode I speak with the winner of the Exceptional DBA Award for 2012, Meredith Ryan.  We talk about a lot of things, but mainly attending the PASS Summit, first timers (this is PASS related too) and SQL Saturdays. Meredith has been with her present company for 14 years, an achievement of a bygone era in IT, but we are kindred in this area having worked at my present position for nearly 7. We also agree that every DBA should have to spend at least 2 years on Help Desk. I feel really, really dumb for not having recognized her tattoo, which I shamelessly ask about.  Congratulations, Meredith on your award and I look forward to meeting you this year in a few short weeks. Download the MP3

    Read the article

  • Integrating Twitter Into An ASP.NET Website Using OAuth

    Earlier this year I wrote an article about <a href="http://www.twitterizer.net/">Twitterizer</a>, an open-source .NET library that can be used to integrate your application with <a href="http://twitter.com/">Twitter</a>. Using Twitterizer you can allow your visitors to post tweets, view their timeline, and much more, all without leaving your website. The original article, <a href="http://www.4guysfromrolla.com/articles/021710-1.aspx">Integrating Twitter Into An ASP.NET Website</a>, showed how to post tweets and view a timeline to a particular Twitter account using Twitterizer 1.0. To post a tweet to a specific account, Twitterizer 1.0 uses <i>basic authentication</i>. Basic authentication is a very simple

    Read the article

  • Social Network Updates: While You Were Busy Marketing 2

    - by Mike Stiles
    Since social moves at the speed of data, it’s already time for another update, as we did back in April, on the changes the various social networks have made or gone through while you were busy marketing. Facebook There’s a lot of talk Facebook’s developing a mobile product to act like Flipboard and surface news, from both users and media outlets. The biggest news was Facebook/Instagram’s introduction of 15-second videos, enhanced with with filters, to take some of Vine’s candy. You can also delete parts of videos and rerecord them, and there’s image stabilization. Facebook’s ad revenue is coming along just fine, thank you very much. 35% quarter-to-quarter growth in Q2. And it looks like new formats like Mobile App Install Ads and Unpublished Page Posts are adding to the mix. If you don’t already, you’ll soon see a little camera in comment boxes letting you insert photos right into the comments you make. The drive toward “more visual” continues. The other big news is Facebook’s adoption of our Twitter friend, the hashtag. Adding # sets apart the post topic so it can be easily found or discovered. It’s also being added to Google Plus, Tumblr, and Pinterest. Twitter Want to send someone a promoted tweet when they’re in range of your store? That could be happening by the end of this year. Some users have been seeing automatic in-stream previews of images on Twitter.com. Right now it’s images in your own tweets, but we can assume all tweets are next. Get your followers organized! Twitter raised the limit on the number of lists you can create from 20 to 1,000. They also raised the number of accounts you can have in a list from 500 to 5,000. Twitter started notifying you when someone favorites a tweet you’re mentioned in or re-tweets a tweet you re-tweeted. Anyway, it’s the first time Twitter’s notified you about indirect interactions like that. Who’s afraid of Instagram? A study shows 6-second Vine videos are being posted to Twitter at the rate of 9/second, up from 5/second 2 months ago. Vine has over 13 million users and branded Vines are 4x more likely to be shared than video ads. Google Plus Now featuring a 3-column redesigned stream, and images that take up a whole column. And photo filters Auto Highlight and Auto Awesome work to turn your photos into a real show. Google Hangouts is the workhorse for all Google messaging now, it’s not just an online chat with 9 people anymore. Google Plus Dashboard improves the connection between your company’s Google Plus business page and your Google Plus Local. Updates go out across all Google properties and you can do your managing from the dashboard. With Google Plus’ authorship system, you can build “Author Rank” based on what you write and put on the web. If your stuff is +1’ed and shared a lot, you’re the real deal and there are search result benefits. LinkedIn "Who's Viewed Your Updates" shows you what you’ve shared recently, who saw it and what they did about it in real-time. “Influencers” is, well, influential. Traffic to all LI news products has gone up 8x since it was introduced. LinkedIn is quickly figuring out how to get users to stick around awhile. You and your brand can post images and documents in status updates now. In fact, that whole “document posting” thing is making some analysts wonder if LinkedIn will drift on over to the Dropboxes and YouSendIts of the world. C’mon, admit it. Your favorite part of LinkedIn is being able to see who’s viewed your profile. Now you’ve got even more info and can see what/who you have in common. Premium users get even deeper insights about how people are finding them. If you’re a big fan of security, you’ll love that LinkedIn started offering two-factor authentication (2FA). It’s optional, but step 2 is a one-time code texted to your registered mobile. Pinterest A study showed pins have a looong shelf life compared to other social net posts. “Clicks kept coming for 30 days and beyond.” Most pins are timeless, and the infinite scroll causes people to see older pins. Is it a keeper? Pinterest jumped 82% to 54 million users in the past year. It’s valued at $2.5 billion and is one of the biggest sources of referral traffic there is. That said, CEO Ben Silbermann adds, "Right now, we don't make money." A new search feature stops you from having to endlessly scroll through your own pins looking for that waterfall picture you posted. Simply select “just my pins” in the search bar. New "Rich Pins" lets brands add info like price and availability to pins that can be updated daily via a data feed from your merchant site. Not so fast, you have to apply to Pinterest for it first. Like other social nets, Pinterest does not allow sexual content, nudity, or even partial nudity. However…some art contains nudity, and Pinterest wants to allow art. What constitutes “art” will be judged by…what we have to assume are Pinterest employees who love their job. @mikestilesPhoto: stock.xchng, Tim Marmon

    Read the article

< Previous Page | 93 94 95 96 97 98 99 100 101 102 103 104  | Next Page >