AI Chatbot Free Unlimited

AI Chatbot Free Unlimited — independent reviews, comparisons, pricing and step-by-step guides on Aizhi.

  • New York Institute of Technology Computer Graphics Lab

    New York Institute of Technology Computer Graphics Lab

    The New York Institute of Technology Computer Graphics Lab is a computer lab located at the New York Institute of Technology (NYIT), founded by Alexander Schure. It was originally located at the "pink building" on the NYIT campus. It has played an important role in the history of computer graphics and animation, as founders of Pixar and Lucasfilm Limited, including Turing Award winners Edwin Catmull and Patrick Hanrahan, began their research there. It is the birthplace of entirely 3D CGI films. The lab was initially founded to produce a short high-quality feature film with the project name of The Works. The feature, which was never completed, was a 90-minute feature that was to be the first entirely computer-generated CGI movie. Production mainly focused around DEC PDP and VAX machines. Many of the original CGL team now form the elite of the CG and computer world with members going on to Silicon Graphics, Microsoft, Cisco, NVIDIA and others, including Pixar president, co-founder and Turing laureate Ed Catmull, Pixar co-founder and Microsoft graphics fellow Alvy Ray Smith, Pixar co-founder Ralph Guggenheim, Walt Disney Animation Studios chief scientist Lance Williams, Netscape and Silicon Graphics founder Jim Clark, Tableau co-founder and Turing laureate Pat Hanrahan, Microsoft graphics fellow Jim Blinn, Thad Beier, Oscar and Bafta nominee Jacques Stroweis, Andrew Glassner, and Tom Brigham. Systems programmer Bruce Perens went on to co-found the Open Source Initiative. Researchers at the New York Institute of Technology Computer Graphics Lab created the tools that made entirely 3D CGI films possible. Among NYIT CG Lab's many innovations was an eight-bit paint system to ease computer animation. NYIT CG Lab was regarded as the top computer animation research and development group in the world during the late 70s and early 80s. == The 21st century == The lab is presently located at NYIT's Long Island campus, and NYIT currently offers a Ph.D. program in Computer Science.

    Read more →
  • International Clinical Trials Registry Platform

    International Clinical Trials Registry Platform

    The International Clinical Trials Registry Platform (ICTRP) is a platform for the registration of clinical trials operated by the World Health Organization. The ICTRP combines data from multiple cooperating clinical trials registries to generate a global view of clinical trials worldwide, with a search portal that allows access to the entire dataset. It requires a minimum standard set of database fields, the WHO Trial Registration Data Set, to be present for a trial to be registered. All entries are given a Universal Trial Number (UTN) that identifies them uniquely. The organization has sought to assist various national governments in establishing their own clinical trials databases. It combines data from the following primary registries and data providers: Australian New Zealand Clinical Trials Registry (ANZCTR) Brazilian Clinical Trials Registry (ReBec) Chinese Clinical Trial Registry (ChiCTR) Clinical Research Information Service (CRiS), Republic of Korea ClinicalTrials.gov Clinical Trials Information System (CTIS), European Medicines Agency Clinical Trials Registry - India (CTRI) Cuban Public Registry of Clinical Trials (RPCEC) EU Clinical Trials Register (EU-CTR) German Clinical Trials Register (DRKS) Iranian Registry of Clinical Trials (IRCT) ISRCTN (UK) International Traditional Medicine Clinical Trial Registry (ITMCTR) Japan Registry of Clinical Trials (jRCT) Japan Primary Registries Network (JPRN) Lebanese Clinical Trials Registry (LBCTR) Overview of Medical Research in the Netherlands (OMON) Thai Clinical Trials Registry (TCTR) Pan African Clinical Trial Registry (PACTR) Peruvian Clinical Trial Registry (REPEC) Sri Lanka Clinical Trials Registry (SLCTR)

    Read more →
  • Vanish (computer science)

    Vanish (computer science)

    Vanish was a project to "give users control over the lifetime of personal data stored on the web." It was led by Roxana Geambasu at the University of Washington. The project proposed to allow a user to enter information to send across the internet, thereby relinquishing control of it. However, the user can include an "expiration date," after which the information is no longer usable by anyone who may have a copy of it, even the creator. The Vanish approach was found to be vulnerable to a Sybil attack and thus insecure by a team called Unvanish from the University of Texas, University of Michigan, and Princeton. == Theory == Vanish acts by automating the encryption of information entered by the user with an encryption key that is unknown to the user. Along with the information the user enters, the user also enters metadata concerning how long the information should remain available. The system then encrypts the information but does not store either the encryption key or the original information. Instead, it breaks up the decryption key into smaller components that are disseminated across distributed hash tables, or DHTs, via the Internet. The DHTs refresh information within their nodes on a set schedule unless configured to make the information persistent. The time delay entered by the user in the metadata controls how long the DHTs should allow the information to persist, but once that time period is over, the DHTs will reuse those nodes, making the information about the decryption stored irretrievable. As long as the decryption key may be reassembled from the DHTs, the information is retrievable. However, once the period entered by the user has lapsed, the information is no longer recoverable, as the user never possessed the decryption key. == Implementation == Vanish currently exists as a Firefox plug-in which allows a user to enter text into either a standard Gmail email or Facebook message and choose to send the message via Vanish. The message is then encrypted and sent via the normal networking pathways through the cloud to the recipient. The recipient must have the same Firefox plug-in to decrypt the message. The plugin accesses BitTorrent DHTs, which have 8-hour lifespans. This means the user may select an expiration date for the message in increments of 8 hours. After the expiration of the user-defined time span, the information in the DHT is overwritten, thereby eliminating the key. While both the user and recipient may have copies of the original encrypted message, the key used to turn it back into plain text is now gone. Although this particular instance of the data has become inaccessible, it's important to note that the information can always be saved by other means before expiration (copied or even via screen shots) and published again.

    Read more →
  • Autocommit

    Autocommit

    In the context of data management, autocommit is a mode of operation of a database connection. Each individual database interaction (i.e., each SQL statement) submitted through the database connection in autocommit mode will be executed in its own transaction that is implicitly committed. A SQL statement executed in autocommit mode cannot be rolled back. Autocommit mode incurs per-statement transaction overhead and can often lead to undesirable performance or resource utilization impact on the database. Nonetheless, in systems such as Microsoft SQL Server, as well as connection technologies such as ODBC and Microsoft OLE DB, autocommit mode is the default for all statements that change data, in order to ensure that individual statements will conform to the ACID (atomicity-consistency-isolation-durability) properties of transactions. The alternative to autocommit mode (non-autocommit) means that the SQL client application itself is responsible for ending transactions explicitly via the commit or rollback SQL commands. Non-autocommit mode enables grouping of multiple data manipulation SQL commands into a single atomic transaction. Some DBMS (e.g. MariaDB) force autocommit for every DDL statement, even in non-autocommit mode. In this case, before each DDL statement, previous DML statements in transaction are autocommitted. Each DDL statement is executed in its own new autocommit transaction.

    Read more →
  • Caffe (software)

    Caffe (software)

    Caffe (Convolutional Architecture for Fast Feature Embedding) is a deep learning framework, originally developed at University of California, Berkeley. It is open source, under a BSD license. It is written in C++, with a Python interface. == History == Yangqing Jia created the Caffe project during his PhD at UC Berkeley, while working the lab of Trevor Darrell. The first version, called "DeCAF", made its first appearance in Spring 2013 when it was used for the ILSVRC challenge (later called ImageNet). The library was named Caffe and released to the public in December 2013. It reached end-of-support in 2018. It is hosted on GitHub. == Features == Caffe supports many different types of deep learning architectures geared towards image classification and image segmentation. It supports CNN, RCNN, LSTM and fully-connected neural network designs. Caffe supports GPU- and CPU-based acceleration computational kernel libraries such as Nvidia cuDNN and Intel MKL. == Applications == Caffe is being used in academic research projects, startup prototypes, and even large-scale industrial applications in vision, speech, and multimedia. Yahoo! has also integrated Caffe with Apache Spark to create CaffeOnSpark, a distributed deep learning framework. == Caffe2 == In April 2017, Facebook announced Caffe2, which included new features such as recurrent neural network (RNN). At the end of March 2018, Caffe2 was merged into PyTorch.

    Read more →
  • Security and Privacy in Computer Systems

    Security and Privacy in Computer Systems

    Security and Privacy in Computer Systems is a paper by Willis Ware that was first presented to the public at the 1967 Spring Joint Computer Conference. == Significance == Ware's presentation was the first public conference session about information security and privacy in respect of computer systems, especially networked or remotely-accessed ones. The IEEE Annals of the History of Computing said that Ware's 1967 Spring Joint Computer Conference session, together with 1970's Ware report, marked the start of the field of computer security.

    Read more →
  • Operational image

    Operational image

    An operational image, also known as operative image, is an image that serves a functional, rather than aesthetic, purpose. Operational images are not intended to be viewed by people as representations of the real world; they are created to be used as instruments in performing some task or operation, often by machine automation. Operational images are used in a wide variety of applications, such as weapons targeting and guidance systems, and assisting surgeons performing robot-assisted surgery. The term "operational image" was first coined in 2000 by German filmmaker Harun Farocki in the first part of his three-part audiovisual installation, Eye/Machine. Farocki's installation included operational images used by militaries, such as weapons guidance and targeting systems. Eye/Machine featured images shown to the public by the United States military from the cameras used by laser-guided missiles in the Gulf War. Farocki defined operational images as "Images without a social goal, not for edification, not for reflection," and that they "do not represent an object, but rather are part of an operation." According to Volker Pantenburg, operational images are more accurately characterized as "visualizations of data". He describes operational images as a "working image" or an image that "performs work". Operational images are ubiquitous in modern society, used for a variety of military and non-military applications, such as inspecting sewer piping, and assisting surgeons performing robotic surgery.

    Read more →
  • Security.txt

    Security.txt

    security.txt is an accepted standard for website security information that allows security researchers to report security vulnerabilities easily. The standard prescribes a text file named security.txt in the well known location, similar in syntax to robots.txt but intended to be machine and human readable, for those wishing to contact a website's owner about security issues. security.txt files have been adopted by Google, GitHub, LinkedIn, and Facebook. == History == The Internet Draft was first submitted by Edwin Foudil in September 2017. At that time it covered four directives, "Contact", "Encryption", "Disclosure" and "Acknowledgement". Foudil expected to add further directives based on feedback. In addition, web security expert Scott Helme said he had seen positive feedback from the security community while use among the top 1 million websites was "as low as expected right now". In 2019, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive that requires all US federal agencies to publish a security.txt file within 180 days. The Internet Engineering Steering Group (IESG) issued a Last Call for security.txt in December 2019 which ended on January 6, 2020. A study in 2021 found that over ten percent of top-100 websites published a security.txt file, with the percentage of sites publishing the file decreasing as more websites were considered. The study also noted a number of discrepancies between the standard and the content of the file. In April 2022 the security.txt file has been accepted by Internet Engineering Task Force (IETF) as RFC 9116. == File format == security.txt files can be served under the /.well-known/ directory (i.e. /.well-known/security.txt) or the top-level directory (i.e. /security.txt) of a website. The file must be served over HTTPS and in plaintext format.

    Read more →
  • Dynamic Graphics Project

    Dynamic Graphics Project

    The Dynamic Graphics Project (commonly referred to as DGP) is an interdisciplinary research laboratory at the University of Toronto devoted to projects involving computer graphics, computer vision, human computer interaction, and visualization. The lab began as the computer graphics research group of Department of Computer Science Professor Leslie Mezei in 1967. Mezei invited Bill Buxton, a pioneer of human–computer interaction (HCI) to join. In 1972, Ronald Baecker, another HCI pioneer joined, establishing DGP as the first Canadian university group focused on computer graphics and human-computer interaction. According to csrankings.org, the DGP is the top research institution in the world for the combined subfields of computer graphics, HCI, and visualization. Since then, DGP has hosted many well known faculty and students in computer graphics, computer vision and HCI (e.g., Alain Fournier, Bill Reeves, Jos Stam, Demetri Terzopoulos, Marilyn Tremaine). DGP also occasionally hosts artists in residence (e.g., Oscar-winner Chris Landreth). Many past and current researchers at Autodesk (and before that Alias Wavefront) graduated after working at DGP. DGP is located in the St. George campus of University of Toronto in the Bahen Centre for Information Technology. DGP researchers regularly publish at ACM SIGGRAPH, ACM SIGCHI and ICCV. DGP hosts the Toronto User Experience (TUX) Speaker Series and the Sanders Series Lectures. == Notable alumni == Bill Buxton (MS 1978) James McCrae (PhD 2013) Dimitris Metaxas (PhD 1992) Bill Reeves (MS 1976, Ph.D. 1980) Jos Stam (MS 1991, Ph.D. 1995)

    Read more →
  • MyRadar

    MyRadar

    MyRadar is a free weather forecasting application developed by Andy Green and his Orlando, Florida-based company ACME AtronOmatic (ACME). The app began operations in 2008 and ran on government-provided weather and radar data for its first decade. In 2019, ACME launched personal satellites to improve predictions of ongoing weather. The app received funding to improve its radar and imaging from the Federal Communications Commission (FCC), National Oceanic and Atmospheric Administration (NOAA), and the Office of Naval Research (ONR). ACME created a weather data satellite constellation named "Hyperspectral Orbital Remote Imaging Spectrometer" (HORIS), which utilizes machine learning and artificial intelligence (AI) to create a current weather map. With the introduction of additional features, including the detection of wildfires and illegal fishing, the app has more broadly become an environmental intelligence app since 2022. In 2024, the app partnered with the Total Traffic and Weather Network (TTWN) to provide traffic flow and incident data for users with paying subscriptions via CarPlay and Android Auto. == History == The app's creator, Andy Green, had created internet tech since the 1980s. His first major project was the development of a public access internet service company based in Rhode Island, which he later sold to finance the creation of ACME AtronOmatic ("ACME" for short), based in Orlando, Florida. The first major app created by ACME was called "Flightwise", which provided users with flight tracking information. In summer 2008, Green had the idea to use the animated location tracker already built-in to Flightwise to make a stand-alone weather forecasting app after wondering if a meal he was eating outdoors would get rained out. MyRadar was launched in 2012 out of an office in Orlando. Despite running solely off of free government-provided weather and radar data for the first decade after launch, Green said the app "took off like wildfire" in downloads. In December 2017, the app partnered with "TripIt" to provide users with information about flight delays and gate changes, eliminating the need for a separate app like Flightwise. In 2019, ACME launched their first personal satellite for the app, a small prototype from New Zealand, as part of an effort to provide detailed imagery and improved predictions of ongoing weather unique to the app. More satellites were eventually launched by ACME to create a weather data satellite constellation named "Hyperspectral Orbital Remote Imaging Spectrometer" (HORIS), monitored by ground stations maintained by Kongsberg Satellite Services. HORIS operates MyRadar by taking the environmental data and imagery it collects and pairing it with machine learning and artificial intelligence (AI) to create a real-time weather map. In 2022, HORIS was expanded upon after ACME won approval from the Federal Communications Commission (FCC) to improve their satellite constellation to include 250 satellites or more. The main batch of satellites were PocketQubes, which entered the atmosphere on May 2, 2022, by Rocket Lab Electron launched from New Zealand, with the additional purpose to test and validate the existing satellites in orbit. In October 2022, ACME received a US$150,000 Small Business Innovation Research (SBIR) grant from the National Oceanic and Atmospheric Administration (NOAA) to improve the app's wildfire detection and air quality measurement technology to better detect smoke, aerosols, fire hotspots using satellites and aerial drones. On August 18, 2023, phase two of the NOAA grant was approved, providing an additional US$650,000 to aid in the app's aforementioned goals by launching a pair of CubeSat satellites to provide high-definition infrared imagery. On September 8, 2023, ACME secured another US$1,200,000 in crowd funding to aid accomplishing the goals of the NOAA grant by expanding the app's workforce from 35 to 100 employees by the end of 2024. In January 2024, MyRadar partnered with Total Traffic and Weather Network (TTWN) to provide traffic data overlaid with its pre-existing weather graphics for users in the United States. The partnership allowed for the app to additionally become a tool for navigation. This officially became a feature days later on January 8, 2024, when the app was made compatible with Apple's CarPlay. On February 7, 2024, the Android equivalent Android Auto also gained the ability to display the app on car interfaces. In March 2024, the app launched a "meteorological wedding planning service" in the United States and Canada for prices between US$1,000 and US$5,000, in which users can request a personal meteorologist to provide an in-person meeting about the best dates for a wedding, and on-call local weather updates the day of. Scheduled for February 2025, four more satellites to help with the NOAA-sponsored wildfire detection are to be launched, and the first by ACME to have AI processing in the satellites themself and not computers on the ground, allowing for quicker transfer of information. == Features and general information == The app's primary function is to provide weather forecasting and prediction to users. The app includes toggleable options to track and send alerts to users for rain, wind patterns, earthquakes, tornadoes, tropical cyclones, wildfires, and more. In early 2020, a feature was added to track orbital objects such as the International Space Station. In May 2022, with the imagery improvement of HORIS, the app gained the secondary abilities to better monitor algae blooms, coral reefs, illegal fishing, and wildfires. In January and February 2024, the ability to display traffic flow and incident data in a feature called "RouteCast" was added, and can be displayed in video and 3D options via CarPlay and Android Auto for users with paying subscriptions. The app also provides annual tropical storm and tornado outlooks for their respective seasons, gathered through satellite and aerial drone data, as well as through on the ground storm chasers.

    Read more →
  • Plane Finder

    Plane Finder

    Plane Finder is a United Kingdom-based real-time flight tracking service launched in 2009, that is able to show flight data globally. The data available includes flight numbers, how fast an aircraft is moving, its elevation and destination of travel. Several variants of the service are available as mobile apps including free, premium 3D and augmented reality versions. The flight tracking map and database can be accessed by web browsers. Plane Finder allows registered users to share their ADS-B and MLAT data via the Plane Finder ADS-B Client, available for macOS, Windows and Linux. Plane Finder supports VFR charts from NATS, and was the first major flight tracking app to introduce a replay feature, allowing users to replay flights dating back to 2011. == Flight tracking == Plane Finder collects data from its own global network of receivers, using the following sources. === Automatic dependent surveillance-broadcast (ADS-B) === A network of automatic dependent surveillance-broadcast (ADS-B) receivers gathers aircraft data such as callsign, position and speed. Plane Finder serves to supplement this data with additional information, including aircraft registration/tail number, departure airport, destination, artwork, and photographs. Plane Finder users can apply for an ADS-B receiver in exchange for their flight data. === Multilateration (MLAT) === To deliver aircraft position data where ADS-B is unavailable, Plane Finder uses multilateration (MLAT). Using three or more receivers running Plane Finder client software, monitoring the aircraft simultaneously, the aircraft’s position is calculated using receiver location and accurate timestamps. While European airspace is widely covered, only some parts of North American airspace are covered. === Federal Aviation Administration (FAA) feed === ADS-B is prevalent across Europe and Australia, but not in North America. Where MLAT or ADS-B data is unavailable, a feed from the Federal Aviation Administration provides flight information. The FAA feed covers United States and Canadian airspace, including bordering areas of the Atlantic and Pacific Oceans. === FLARM feed === Plane Finder collects data from a centralised FLARM feed, for monitoring small aircraft and gliders. == Flight data source == The Plane Finder website and database is widely used as an information source to support articles in the media. The Independent used Plane Finder flight tracking to demonstrate to readers the flight path of flight MT2706, which turned back as a result of last minute Egyptian government flight restrictions on 6 November 2015. The Independent also used Plane Finder information to demonstrate a timeline of the speed/altitude of flight 7K 9268, a Russian plane which crashed on 31 October 2015. The BBC cited Plane Finder in regard to the point at which at British Airways flight turned back to Heathrow Airport to make an emergency landing after smoke was seen coming from its engines. Plane Finder data has also been used to create original imagery for the media, such as the Washington Post, which used Plane Finder as a source to show flight patterns immediately after the Brussels bombings in March 2016.

    Read more →
  • Nobody (username)

    Nobody (username)

    In many Unix variants, "nobody" is the conventional name of a user identifier which owns no files, is in no privileged groups, and has no abilities except those which every other user has. It is normally not enabled as a user account, i.e. has no home directory or login credentials assigned. Some systems also define an equivalent group "nogroup". == Uses == The pseudo-user "nobody" and group "nogroup" are used, for example, in the NFSv4 implementation of Linux by idmapd, if a user or group name in an incoming packet does not match any known username on the system. It was once common to run daemons as nobody, especially on servers, in order to limit the damage that could be done by a malicious user who gained control of them. However, the usefulness of this technique is reduced if more than one daemon is run like this, because then gaining control of one daemon would provide control of them all. The reason is that processes owned by the same user have the ability to send signals to each other and use debugging facilities to read or even modify each other's memory. Modern practice, as recommended by the Linux Standard Base, is to create a separate user account for each daemon.

    Read more →
  • TalkBack

    TalkBack

    TalkBack is an accessibility service for the Android operating system that helps blind and visually impaired users to interact with their devices. It uses spoken words, vibration and other audible feedback to allow the user to know what is happening on the screen allowing the user to better interact with their device. The service is pre-installed on many Android devices, and it became part of the Android Accessibility Suite in 2017. According to the Google Play Store, the Android Accessibility Suite has been downloaded over five billion times, including devices that have the suite preinstalled. == Open-source == Google releases the source code of TalkBack with some releases of the accessibility service to GitHub, with the latest of these changes being from May 6, 2021. The source for these versions of Google TalkBack have been released under the Apache License version 2.0. == Release history ==

    Read more →
  • Pwnie Awards

    Pwnie Awards

    The Pwnie Awards are an annual awards ceremony that recognizes both excellence and incompetence in the field of information security, described by SecurityWeek as an event that "recognizes excellence and mocks incompetence in cybersecurity." Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference. == Origins == The name Pwnie Award is based on the word "pwn", which is hacker slang meaning to "compromise" or "control" based on the previous usage of the word "own" (and it is pronounced similarly). The name "The Pwnie Awards," pronounced as "Pony," is meant to sound like the Tony Awards, an awards ceremony for Broadway theater in New York City. == History == The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability (CVE-2007-2175) and Alexander's discovery of an ANI file processing vulnerability (CVE-2007-0038) in Internet Explorer. == Winners == === 2024 === Most Epic Fail: Crowdstrike for 2024 CrowdStrike incident Best Mobile Bug: Operation Triangulation Lamest Vendor Response: Xiaomi for obstructing Pwn2Own researchers from using their services Best Cryptographic Attack: GoFetch Best Desktop Bug: forcing realtime WebAudio playback in Chrome (CVE-2023-5996) Best Song: Touch Some Grass by UwU Underground Best Privilege Escalation: Windows Streaming Service UAF (CVE-2024-30089) by Valentina Palmiotti (chompie) Best Remote Code Execution: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability (CVE-2024-30080) Most Epic Achievement: Discovery and reverse engineering of the XZ Utils backdoor Most Innovative Research: Let the Cache Cache and Let the WebAssembly Assemble: Knocking’ on Chrome’s Shell by Edouard Bochin, Tao Yan, and Bo Qu Most Underhyped Research: See No Eval: Runtime Dynamic Code Execution in Objective-C === 2023 === Best Desktop Bug: CountExposure! by RyeLv(@b2ahex) Best Cryptographic Attack: Video-based cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED by Ben Nassi, Etay Iluz, Or Cohen, Ofek Vayner, Dudi Nassi, Boris Zadov, Yuval Elovici Best Song: Clickin’ Most Innovative Research: Inside Apple’s Lightning: Jtagging the iPhone for Fuzzing and Profit Most Under-Hyped Research: Activation Context Cache Poisoning Best Privilege Escalation Bug: URB Excalibur: Slicing Through the Gordian Knot of VMware VM Escapes Best Remote Code Execution Bug: ClamAV RCE Lamest Vendor Response: Three Lessons From Threema: Analysis of a Secure Messenger Most Epic Fail: “Holy fucking bingle, we have the no fly list,” Epic Achievement: Clement Lecigne: 0-days hunter world champion Lifetime Achievement Award: Mudge === 2022 === Lamest Vendor Response: Google's "TAG" response team for "unilaterally shutting down a counterterrorism operation." Epic Achievement: Yuki Chen’s Windows Server-Side RCE Bugs Most Epic Fail: HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains Best Desktop Bug: Pietro Borrello, Andreas Kogler, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz for Architecturally Leaking Data from the Microarchitecture Most Innovative Research: Pietro Borrello, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz for Custom Processing Unit: Tracing and Patching Intel Atom Microcode Best Cryptographic Attack: Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86 by Yingchen Wang, Riccardo Paccagnella, Elizabeth Tang He, Hovav Shacham, Christopher Fletcher, David Kohlbrenner Best Remote Code Execution Bug: KunlunLab for Windows RPC Runtime Remote Code Execution (CVE-2022-26809) Best Privilege Escalation Bug: Qidan He of Dawnslab, for Mystique in the House: The Droid Vulnerability Chain That Owns All Your Userspace Best Mobile Bug: FORCEDENTRY Most Under-Hyped Research: Yannay Livneh for Spoofing IP with IPIP Best Song: Dialed Up by Project Mammoth === 2021 === Lamest Vendor Response: Cellebrite, for their response to Moxie, the creator of Signal, reverse-engineering their UFED and accompanying software and reporting a discovered exploit. Epic Achievement: Ilfak Guilfanov, in honor of IDA's 30th Anniversary. Best Privilege Escalation Bug: Baron Samedit of Qualys, for the discovery of a 10-year-old exploit in sudo. Best Song: The Ransomware Song by Forrest Brazeal Best Server-Side Bug: Orange Tsai, for his Microsoft Exchange Server ProxyLogon attack surface discoveries. Best Cryptographic Attack: The NSA for its disclosure of a bug in the verification of signatures in Windows which breaks the certificate trust chain. Most Innovative Research: Enes Göktaş, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, and Cristiano Giuffrida at VUSec for their research on the "BlindSide" Attack. Most Epic Fail: Microsoft, for their failure to fix PrintNightmare. Best Client-Side Bug: Gunnar Alendal's discovery of a buffer overflow on the Samsung Galaxy S20's secure chip. Most Under-Hyped Research: The Qualys Research Team for 21Nails, 21 vulnerabilities in Exim, the Internet's most popular mail server. === 2020 === Best Server-Side Bug: BraveStarr (CVE-2020-10188) – A Fedora 31 netkit telnetd remote exploit (Ronald Huizer') Best Privilege Escalation Bug: checkm8 – A permanent unpatchable USB bootrom exploit for a billion iOS devices. (axi0mX) Epic Achievement: "Remotely Rooting Modern Android Devices" (Guang Gong) Best Cryptographic Attack: Zerologon vulnerability (Tom Tervoort, CVE-2020-1472) Best Client-Side Bug: RCE on Samsung Phones via MMS (CVE-2020-8899 and -16747), a zero click remote execution attack. (Mateusz Jurczyk) Most Under-Hyped Research: Vulnerabilities in System Management Mode (SMM) and Trusted Execution Technology (TXT) (CVE-2019-0151 and -0152) (Gabriel Negreira Barbosa, Rodrigo Rubira Branco, Joe Cihula) Most Innovative Research: TRRespass: When Memory Vendors Tell You Their Chips Are Rowhammer-free, They Are Not. (Pietro Frigo, Emanuele Vannacci, Hasan Hassan, Victor van der Veen, Onur Mutlu, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi) Most Epic Fail: Microsoft; for the implementation of Elliptic-curve signatures which allowed attackers to generate private pairs for public keys of any signer, allowing HTTPS and signed binary spoofing. (CVE-2020-0601) Best Song: Powertrace by Rebekka Aigner, Daniel Gruss, Manuel Weber, Moritz Lipp, Patrick Radkohl, Andreas Kogler, Maria Eichlseder, ElTonno, tunefish, Yuki and Kater Lamest Vendor Response: Daniel J. Bernstein (CVE-2005-1513) === 2019 === Best Server-Side Bug: Orange Tsai and Meh Chang, for their SSL VPN research. Most Innovative Research: Vectorized Emulation Brandon Falk Best Cryptographic Attack: \m/ Dr4g0nbl00d \m/ Mathy Vanhoef, Eyal Ronen Lamest Vendor Response: Bitfi Most Over-hyped Bug: Allegations of Supermicro hardware backdoors, Bloomberg Most Under-hyped Bug: Thrangrycat, (Jatin Kataria, Red Balloon Security) === 2018 === Most Innovative Research: Spectre/Meltdown (Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom) Best Privilege Escalation Bug: Spectre/Meltdown (Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom) Lifetime Achievement: Michał Zalewski Best Cryptographic Attack: ROBOT - Return Of Bleichenbacher’s Oracle Threat Hanno Böck, Juraj Somorovsky, Craig Young Lamest Vendor Response: Bitfi hardware crypto-wallet, after the "unhackable" device was hacked to extract the keys required to steal coins and rooted to play Doom. === 2017 === Epic Achievement: Federico Bento for Finally getting TIOCSTI ioctl attack fixed Most Innovative Research: ASLR on the line Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, Cristiano Giuffrida Best Privilege Escalation Bug: DRAMMER Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida Best Cryptographic Attack: The first collision for full SHA-1 Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov Lamest Vendor Response: Lennart Poettering - for mishandling security vulnerabilities most spectacularly for multiple critical Systemd bugs Best Song: Hello (From the Other Side) - Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner === 2016 === Most Innovative Research: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida Lifetime Achievement: Peiter Zatko aka Mudge Best Cryptographic Attack: DROWN attack Nimrod Aviram et al. Best Song: Cyberlier - Katie Mous

    Read more →
  • Automated penetration testing

    Automated penetration testing

    Automated penetration testing (also known as autonomous penetration testing or automated offensive security) is the application of software-driven workflows and orchestration to simulate cyberattack techniques. These methods are used to identify, validate, and exploit security vulnerabilities in IT assets such as networks, applications, and cloud infrastructure. Automated penetration testing is the use of software to simulate cyberattacks in order to rapidly identify exploitable vulnerabilities across systems without relying solely on human testers. In technical literature, the term describes a spectrum of activities ranging from scripted exploit orchestration to experimental systems designed for fully autonomous attack planning. Automated Penetration Testing falls short of testing using manual experts in terms of discovery of deep complex vulnerabilities and contextual business logic vulnerabilities. == Terminology and scope == The label “automated penetration testing” appears frequently in vendor and practitioner writing but lacks a single, neutral, standards-based definition. In the literature the term’s scope varies: some authors use it to mean automation of specific penetration-testing tasks (scanning, exploitation attempts, evidence collection), others to describe integrated, repeatable assessment pipelines, and a smaller body of work investigates autonomous decision-making agents that select attack steps algorithmically. To avoid implying consensus, this article describes common techniques and architectures reported in the literature and industry, and it notes where claims are primarily found in practitioner publications or early-stage research. Its important to note the differences between automated penetration testing and traditional penetration testing using human skill. The most important difference is scope and speed. Automated penetration testing generally fails at discovering exposures and weakness associated with business logic due to a lack of contextual understanding. The benefit of Automated Penetration testing is speed at which it can be conducted. Traditional penetration testing also is expected to be accurate and contain no false positives. This is due to the human validation aspect of the test. Automated approaches are expected to contain mistakes and false positives which need to be validated upon completion of the test. == History == Automated offensive techniques build on decades of tools and scripting that aided vulnerability discovery and exploitation. Early vulnerability scanners and community scripting in the 1990s and 2000s created the first layers of automation. Later, modular exploitation frameworks (notably Metasploit) integrated scanning and exploitation modules and made automated proof-of-concept attacks more accessible. Over the 2010s–2020s, as cloud platforms, APIs and continuous delivery practices increased the need for frequent validation, academic and industry interest in formalizing automated approaches also grew. == Methodologies and architectures == Descriptions in the literature and technical reports cluster automated capabilities into several overlapping models: Scripted/engineered playbooks (task automation): Predefined workflows or playbooks encode common attack paths (for example, web application exploit sequences or lateral-movement chains). These playbooks are designed to reproduce known techniques in a controlled way to validate exploitability and reduce manual repetition. Exploit-oriented orchestration: Automation orchestrates exploitation modules from established frameworks to perform controlled proof-of-concept attacks that confirm exploitability rather than simply flagging potential weaknesses. This approach can reduce false positives versus passive scanning when tests are run in an appropriately controlled environment. Orchestrated multi-tool pipelines: A coordinated toolchain integrates reconnaissance, vulnerability scanning, credential testing, exploitation modules and reporting. Data and state persist across stages so that multi-step workflows (e.g., discover → escalate → pivot) can be executed repeatably, approximating manual penetration-test methodologies at larger scale. Continuous / CI-integrated testing: Automation embedded in build or deployment pipelines (CI/CD) triggers assessments automatically on new builds, configuration changes, or on a schedule, supporting frequent, repeatable validation aligned with DevOps practices. Academic theses and experimental work describe CI/CD-integrated proof-of-concept systems for web applications and internal networks. Research on autonomous planning and learning: Recent academic work explores machine learning and reinforcement-learning approaches to select or prioritise attack steps, generate attack sequences, or optimize the testing path; these approaches are largely experimental and raise distinct validation and safety questions. == Tools and vendors == Automated penetration testing is provided by a mix of open-source projects, commercial platforms, and professional services. These often follow the penetration testing as a service (PTaaS) model, which integrates automated scanning with manual validation by security analysts. Examples of widely known tools and vendors in the space include exploitation frameworks such as Metasploit, commercial automated platforms and PTaaS providers, and specialist vendors that offer breach-and-attack simulation (BAS) or continuous testing capabilities. == Applications and deployment models == In industry practice, some organizations deploy automated techniques through dedicated security validation platforms rather than bespoke toolchains. These platforms are typically used for continuous or scheduled validation in pre-production or controlled environments and are often positioned alongside, rather than in place of, human-led penetration testing. Examples discussed in secondary literature include platforms such as Pentera, which are commonly classified under breach-and-attack simulation or automated security validation rather than as standalone penetration-testing methodologies.

    Read more →