Patricia Aas

Though this is based on a true story, who even knows what parts are true anymore? And it doesn’t really matter for the story anyway.

You can get a list of Mastodon handles for folks on your block-list from Debirdify, and then you can import that into Mastodon.

I’m not one for fluff, and if you’re here you’ve made up you mind, so let’s get to it. Here’s the plan

We keep on thinking we are living in the future, but native exploitation has a rich history, and many times the vulnerabilities and exploitation techniques are decades old.

Proposed - Transparency Report on CppCon Safety

Proposed - Include <C++> Position on CppCon Safety

After my blog post Survival Tips For Women In Tech surfaced yet again, @e8johan replied “I would love something of a guide to complement the warnings. Like ‘How to manage teams for diversity’”, and in response I posted the thread below, starting with the final one here to keep the thread together.

A lot of things have been developed over the last 15 years that should make the process of making a browser easier. In this talk we will explore a bunch of different tools, platforms and libraries that could go into making a browser in 2020.

How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?

Computers changed. They changed in many ways, but for the purpose of this text they changed in one significant way: The relative cost of reading from RAM became extremely high.

More and more we see technology, both hardware and software, intersect with fundamental issues like privacy, democracy and human rights. The opaqueness of tech makes it a handy instrument of oppression and manipulation. We have taught the population to trust us. We have constructed a world in which they have to exist, with little to no oversight or transparency. We build critical infrastructure on hardware and software that even we cannot audit. How can we wield that responsibility? How do we protect those that speak up? How do we protect the population?

Security vulnerabilities and secure coding is often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through simple exploit attempts, and finally a simple stack buffer overflow exploit, how it’s developed and how it’s used.

This workflow was inspired by the Windows Subsystem for Linux (WSL) workflow described by Jetbrains here.

Security vulnerabilities and secure coding is often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through a simple exploit, how it’s developed and how it’s used. The goal is to try to get a feeling for the point of view of an “attacker”, and to slowly start looking at exploitation as another programming tool. We will mainly be looking at C and x86_64 assembly, so bring snacks.

Security vulnerabilities and secure coding is often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through a simple exploit, how it’s developed and how it’s used. The goal is to try to get a feeling for the point of view of an “attacker”, and to slowly start looking at exploitation as another programming tool. We will mainly be looking at C and x86_64 assembly, so bring snacks.

How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture? We will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring.

Undefined Behavior and Compiler Optimizations can result in programs that display surprising behavior. In this presentation we look at some examples, and I hope to convince you that you should not reason about Undefined Behavior and that you should take care and use your tools.

Someone else’s code. Even worse, thousands of lines, maybe hundreds of files of other peoples code. Is there a way to methodically read and understand other peoples work, build their mental models?

The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.

Can you describe a situation that caused to realize you were privileged?

From experience we have learned that almost any surface we expose could have weaknesses. We have to have a plan on how to deal with issues as they arise, and an architecture that allows us to correct and protect in products that are already in use. When security is lifted up to the discretion of the user, however, we often fail to inform their decision properly. The usability of security and the architecture of fixability are closely connected, and both need continued refinement and focus. This talk will describe architectural and organizational features that make it easier to make corrective...

Yesterday I saw a tweet from Erin Fox @erinfoox where she asked a simple question: “Who else is the only woman on their dev team?” When I answered her that I’d been the only woman dev most of my career, she asked me if I had any survival tips, and I wrote her a list of 24 tips. Quite frankly it could easily be 50. I will list the 24 here, with a little more elaboration.

The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.

I’ve had a secret dream for years of starting my own company. Being my own boss, making something cool and building a great team to do it with. I didn’t tell anyone, but I have mentally refurbished our basement to be a cool office space maybe a hundred times.

Bjarne Stroustrup, the creator of C++, once said : “C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off.” He has also said : “Within C++, there is a much smaller and cleaner language struggling to get out.” Both are true.

Making a Headless Android Device

Trying to prepare your project or organization to be able to receive vulnerability reports is a daunting task. And often far more complex and cross disciplinary than one first expects. This talk describes some of the most common challenges and how to counteract them.

Secure Programming Practices in C++

C++ for Java Developers

Trust, Elections and Twitter

Making a Headless Android Device

This last week has been a harrowing experience for me. I’m an introverted programmer and generally a very private person, and in the space of just a few days I was suddenly in the news, both nationally and internationally. Even though the experience was completely overwhelming, I have rarely been so touched and so grateful.

The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.

Coming into a code base can be overwhelming. Taking responsibility for the security of a project can be truly terrifying. This talk will describe a set of common scenarios for a project, and how to counteract them. Hopefully, this will help to move your codebase and project to a state where you will be more prepared to handle incoming vulnerability reports. They are down-to-earth everyday scenarios, illustrated by real world software projects and security incidents. Some of the stories are well known, some are anonymized to protect the innocent. Presented at Paranoia 2017