
Posts

2022


Exam Questions Machine Learning for the Natural Sciences

The lecture Machine Learning for the Natural Sciences promises to focus on applications of machine learning to natural sciences, especially physics and chemistry. However, most of the actual content repeats machine learning basics that are already covered in foundational lectures on machine learning. In the remaining time, a few interesting topics are presented, but sadly only very shallowly. There is also programming homework that counts for 1/3 of the final grade. This is nice, and I think more courses should do that.

Exam Anti-Patterns

There is no such thing as the perfect university exam, but if we agree that its purpose is to give an objective score about an individual’s comprehension of the covered topics, then there is clearly a way to be less wrong when creating exams. This post lists a few DON’Ts that can be easily avoided. If you think there is an anti-pattern in this post, you can write me an email and I will add it here.

Operating System Security Lecture Summary

Summary of the lecture Operating Systems Security, organized with self test toggles. The lecture is concerned with binary exploitation from an offensive as well as a defensive point of view. I can really recommend the lecture if you are interested in modern security mechanisms implemented by operating systems and hardware. Basic Definitions: What is a vulnerability? What is the definition of an exploit? Set-uid-bit: Allows an executable that is owned by the user to use root privileges during execution.

What are CTFs?

With my CTF team KITCTF, each semester we do introductory talks about how to get started with CTFs. I gave the introductory talk to the introductory talks, i.e. what even are CTFs?, twice. You can find the slides of the latest iteration on the KITCTF website: Acquiring practical security knowledge through enjoyable hacking challenges. Additionally, I wrote a blog post just listing great materials, updating our last blog post from 2014; looking at it, it might already be time for a slight update.

b01lers CTF resnet Model Inversion

With KITCTF we participated in the b01lers CTF and finished 6th. There were some quite fun challenges, including the resnet challenge, which is a machine learning challenge. I hope to see more machine learning challenges in the future. Challenge description: A naive AI startup released a new visual password system based on State-of-the-Art Neural Network technology. Wanting to save on costs they reuse the popular Resnet model to create embeddings which input password images are checked against hoping to leverage the feature extraction capabilities of Resnet.

Self Test Questions Data Science I

Answers to self test questions for the lecture “Data Science I” at KIT. If you spot any errors, write me an e-mail or Discord message. Lecture 1: Introduction. Give examples of applications of clustering: customer groups clustered based on bought products; unsupervised malware family identification; outlier detection. Describe a scenario from natural sciences in which classification is useful: What are the attributes/class? How would you try to solve it? Flower family classification. Attributes (features): color of different parts, shape of different parts, size of different parts. Solve it by training a multi-class NN with enough high-quality training data. Explain the principle of the One Rule classifier.

Self Test Questions Machine Learning

Self test questions for the lecture “Machine Learning - Foundations and Algorithms” at KIT. Lecture 3: Model Selection. Why is it a bad idea to evaluate your algorithm on the training set? Evaluating on the training set rewards overfitting. Overfitting means learning training points by heart instead of approximating the distribution the training points were drawn from. A trivial algorithm that just stores and queries all training points has 100% accuracy on the training set.

Insomnihack Teaser 2022: Herald

Read more writeups at kitctf.de. Challenge description: Our lab administrator has just passed out from a strange virus. Please help us find the password to his messaging app so we can identify what he was working on and save his life. We are given an APK (Android Package); on starting it, it asks for a username and password to enter. It does not require any network connection, so it is a classical CrackMe.

2021


hxp CTF: shitty blog

Read more writeups at kitctf.de. Challenge description: Please use my shitty blog 🀎! We are given a docker container running PHP. The only notable things about it are that there is a readflag binary on the server and that the webroot is /var/www/html. Other than that, only index.php is interesting:

    <?php
    // TODO: fully implement multi-user / guest feature :(
    $secret = 'SECRET_PLACEHOLDER';
    $salt = '$6$'.substr(hash_hmac('md5', $_SERVER['REMOTE_ADDR'], $secret), 16).'$';
    if(! isset($_COOKIE['session'])){
        $id = random_int(1, PHP_INT_MAX);
        $mac = substr(crypt(hash_hmac('md5', $id, $secret, true), $salt), 20);
    } else {
        $session = explode('|', $_COOKIE['session']);
        if( !