Podcasts about deserialization

Conversion process for computer data

  • 22 PODCASTS
  • 40 EPISODES
  • 30m AVG DURATION
  • 1 MONTHLY NEW EPISODE
  • Mar 28, 2025 LATEST



Latest podcast episodes about deserialization

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Friday, March 27th: Sitecore Exploited; Blasting Past Webp; Splunk and Firefox Vulnerabilities

Mar 28, 2025 | 6:15


Sitecore "thumbnailsaccesstoken" Deserialization Scans (and some new reports) CVE-2025-27218
Our honeypots detected a deserialization attack against the CMS Sitecore using a thumbnailsaccesstoken header. The underlying vulnerability was patched in January, and security firm Searchlight Cyber revealed details about this vulnerability a couple of weeks ago.
https://isc.sans.edu/diary/Sitecore%20%22thumbnailsaccesstoken%22%20Deserialization%20Scans%20%28and%20some%20new%20reports%29%20CVE-2025-27218/31806

Blasting Past Webp
Google's Project Zero revealed details of how the NSO BLASTPASS exploit took advantage of a Webp image parsing vulnerability in iOS. This zero-click attack was employed in targeted attacks back in 2023, and Apple patched the underlying vulnerability in September 2023. But this is the first byte-by-byte description showing how the attack worked.
https://googleprojectzero.blogspot.com/2025/03/blasting-past-webp.html

Splunk Vulnerabilities
Splunk patched about a dozen vulnerabilities. None of them are rated critical, but a vulnerability rated High allows authenticated users to execute arbitrary code.
https://advisory.splunk.com/

Firefox 0-day Patched
Mozilla patched a sandbox escape vulnerability that is already being exploited.
https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Friday Mar 21st: New Data Feeds; SEO Spam; Veeam Deserialization; IBM AIX RCE;

Mar 21, 2025 | 8:24


Some New Data Feeds and Little Incident
We started offering additional data feeds, and an SEO spammer attempted to make us change a link from an old podcast episode.
https://isc.sans.edu/diary/Some%20new%20Data%20Feeds%2C%20and%20a%20little%20%22incident%22./31786

Veeam Deserialization Vulnerability
Veeam released details regarding the latest vulnerability in Veeam, pointing out the insufficient patch applied to a prior deserialization vulnerability.
https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/

IBM AIX Vulnerability
The AIX NIM service is vulnerable to an unauthenticated remote code execution vulnerability
https://www.ibm.com/support/pages/node/7186621

thanks Chris Mosby for Spotify comment

Foojay.io, the Friends Of OpenJDK!
How Java Developers Can Secure Their Code (#58)

Sep 28, 2024 | 55:06


Three years after Log4Shell caused a significant security issue, we still struggle with insecure dependencies and injection problems. In this podcast, we'll discuss how developers can secure their code. I talked with three authors who posted a security and code quality post on Foojay.io.

Guests

Jonathan Vila
  https://www.linkedin.com/in/jonathanvila/
  https://about.me/jonathan.vila
  https://twitter.com/jonathan_vila
Brian Vermeer
  https://www.linkedin.com/in/brianvermeer/
  https://brianvermeer.nl/
  https://twitter.com/BrianVerm
Erik Costlow
  https://www.linkedin.com/in/costlow/
  https://twitter.com/costlow

Content

00:00 Introduction of topic and guests
01:35 Brian: Why is Log4Shell still around?
  https://foojay.io/today/the-persistent-threat-why-major-vulnerabilities-like-log4shell-and-spring4shell-remain-significant/
03:24 Outdated dependencies are still used a lot
04:31 Who is responsible for dependency updates?
07:55 Snyk tools to help discover issues
10:15 Comparing to Dependabot
11:21 How to keep dependencies up-to-date
14:32 Responsibility to use dependencies with care
17:17 Looking forward to the JFall conference
18:48 About Foojay
19:49 Jonathan: Is SQL injection still a problem?
  https://foojay.io/today/top-security-flaws-hiding-in-your-code-right-now-and-how-to-fix-them/
24:50 Deserialization injection
27:30 Logging injection
31:22 Even experienced developers make mistakes
33:17 About Sonar tools
35:53 Other articles by Jonathan
  https://foojay.io/today/author/jonathan-vila/
  https://foojay.io/today/ensuring-the-right-usage-of-java-21-new-features/
38:20 Other security tools
  https://www.youtube.com/watch?v=-wVCYj8oQUY
39:47 Erik: Trash Pandas are attracted by unused code
  https://foojay.io/today/trash-pandas-love-enterprise-java-garbage-code/
43:01 How bad are insecure but unused libraries?
45:16 Problem of code only used by unit tests
47:15 Testing in different layers (develop, test, production)
49:31 How much code is not used in production?
50:31 How code becomes unused
  https://foojay.io/today/foojay-podcast-57/
54:29 Conclusions

Modernize or Die ® Podcast - CFML News Edition
Modernize or Die® - CFML News Podcast for September 24th, 2024 - Episode 219

Sep 24, 2024 | 52:50


2024-09-24 Weekly News — Episode 219

Watch the video version on YouTube at https://youtube.com/live/DBqxto5X7iE?feature=share

Hosts:
Gavin Pickin - Senior Developer at Ortus Solutions
Daniel Garcia - Senior Developer at Ortus Solutions

Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and all your favorite box-es out there including BoxLang.

A few ways to say thanks back to Ortus Solutions:
Buy Tickets to Into the Box 2025 in Washington DC https://t.co/cFLDUJZEyM
April 30, 2025 - May 2, 2025 - Washington, DC
Like and subscribe to our videos on YouTube.
Help ORTUS reach for the Stars - Star and Fork our Repos
Star all of your Github Box Dependencies from CommandBox with https://www.forgebox.io/view/commandbox-github
Subscribe to our Podcast on your Podcast Apps and leave us a review
Sign up for a free or paid account on CFCasts, which is releasing new content regularly
BOXLife store: https://www.ortussolutions.com/about-us/shop
Buy Ortus's Books
102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)
Now on Amazon! In hardcover too!!! https://www.amazon.com/dp/B0CJHB712M
Learn Modern ColdFusion (CFML) in 100+ Minutes - Free online https://modern-cfml.ortusbooks.com/ or buy an EBook or Paper copy https://www.ortussolutions.com/learn/books/coldfusion-in-100-minutes

Patreon Support (supercali)
We have 58 patreons: https://www.patreon.com/ortussolutions.

News and Announcements

ColdFusion 2023 Security Update 10, ColdFusion 2021 Security Update 16
Release Date: September 10, 2024
Adobe Product Security Bulletin APSB24-71 fixes one critical vulnerability.
Vulnerabilities Fixed
CVE-2024-41874 - critical (9.8) Deserialization of Untrusted Data vulnerability allowing for arbitrary code execution
Links & Resources
- APSB24-71 - Adobe Product Security Bulletin https://helpx.adobe.com/security/products/coldfusion/apsb24-71.html
- CF2023 Update 10 - Adobe KB article for ColdFusion 2023 Update 10 https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-10.html
- CF2021 Update 16 - Adobe KB article for ColdFusion 2021 Update 16 https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-16.html
- Forum Thread - Adobe ColdFusion forum thread discussing ColdFusion 2023 Update 10 and CF 2021 Update 16. https://community.adobe.com/t5/coldfusion-discussions/now-live-adobe-coldfusion-2023-and-2021-september-2024-security-updates/td-p/14852233
Notes / Issues
No updates to connector or packages in this release. Fixed bug CF-4223435 caused by previous update. https://tracker.adobe.com/#/view/CF-4223435

CFCamp - Save the Date
May 22, 23rd - 2025
Atomis Hotel Munich Airport

Into the Box 2025 - Call for Speakers Still Open - Closing soon Nov 1st
We're excited to invite you to share your knowledge and insights at Into the Box 2025: The Future is Dynamic for Modern Web Developers! We're seeking speakers eager to discuss their latest projects, share best practices, or explore new trends in web development. If you have valuable insights, we'd love to hear from you! Submit your topics using the form below. The deadline is midnight on November 1, 2024. We encourage everyone to submit up-to-date and trendy topics like Modern CFML tools, BoxLang, AI, Frameworks, Open Source Libraries, Modern Web Development Trends, Cybersecurity, etc. Feel free to share all your ideas!
https://www.ortussolutions.com/blog/call-for-speakers-into-the-box-2025

New Releases and Updates

FusionReactor 12.1: Expanding Horizons with Java 21 Support and Enhanced Cloud Integration
We're thrilled to announce the release of FusionReactor 12.1, our latest update that brings exciting new features to enhance your application performance monitoring experience. This release focuses on expanding language support, improving cloud integration, and streamlining user access. Let's dive into the key features that make FusionReactor 12.1 a game-changer for developers and operations teams alike.
https://fusion-reactor.com/blog/fusionreactor-12-1-expanding-horizons-with-java-21-support-and-enhanced-cloud-integration/

BoxLang Betas — Beta 11-15
8/23/24 - BoxLang 1.0.0 Beta 11 Launched: 9 New Features, 9 Improvements, 8 Bugs Fixed https://www.ortussolutions.com/blog/boxlang-100-beta-11-launched
8/30/24 - BoxLang 1.0.0 Beta 12 Launched: 5 New Features, 8 Improvements, 5 Bugs Fixed https://www.ortussolutions.com/blog/boxlang-100-beta-12-launched
9/6/24 - Blog - Ortus Solutions - BoxLang 1.0.0 Beta 13 Launched: 4 New Features, 5 Improvements, 20 Bugs Fixed https://www.ortussolutions.com/blog/boxlang-100-beta-13-launched
9/13/24 - Blog - Ortus Solutions - BoxLang 1.0.0 Beta 14 Launched: 6 New Features, 4 Improvements, 16 Bugs Fixed https://www.ortussolutions.com/blog/boxlang-100-beta-14-launched
9/19/24 - Blog - Ortus Solutions - BoxLang 1.0.0 Beta 15 Launched: 5 New Features, 10 Improvements, 22 Bugs Fixed https://www.ortussolutions.com/blog/boxlang-100-beta-15-launched

Webinars, Meetups and Workshops

ICYMI - Online ColdFusion Meetup - "Options for running Redis (Valkey/etc), locally or as-a-service", w/ Charlie Arehart
You may be considering use of Redis (or alternatives like Valkey), whether for caching or as a document store/db or as an alternative repository for sessions (such as is an option for ColdFusion sessions since CF2016). But before you can USE Redis you need to have some IMPLEMENTATION of it. In this session, veteran server troubleshooter Charlie Arehart will review different approaches for implementing Redis (and/or Valkey, and other plug-compatible replacements): with most approaches being free, while some come at a...

R Weekly Highlights
Issue 2024-W19 Highlights

May 8, 2024 | 49:06


Our take on the important conversations spurred by the recent R deserialization CVE, how simulations may save you from cracking open that probability textbook, and recapping the exciting 2024 Shiny Conference.

Episode Links
This week's curator: Colin Fay - @colinfay@fosstodon.org & @ColinFay (https://twitter.com/ColinFay) (X/Twitter)
Everything you never wanted to know about the R vulnerability, but shouldn't be afraid to ask
Calculating birthday probabilities with R instead of math
Highlights from ShinyConf 2024
Entire issue available at rweekly.org/2024-W19

Supplement Resources
R-bitrary Code Execution: Vulnerability in R's Deserialization https://hiddenlayer.com/research/r-bitrary-code-execution/
CVE-2024-27322 Should Never Have Been Assigned And R Data Files Are Still Super Risky Even In R 4.4.0 https://rud.is/b/2024/05/03/cve-2024-27322-should-never-have-been-assigned-and-r-data-files-are-still-super-risky-even-in-r-4-4-0/
Safety Radar for RDA Files https://github.com/hrbrmstr/rdaradar
R's new exploit: how it works & other ways you're vulnerable (Josiah Parry) https://www.youtube.com/watch?v=WGvXEi4nG5k
Bogus CVE follow-ups https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/
Data serialisation in R https://blog.djnavarro.net/posts/2021-11-15_serialisation-with-rds/
Tapyr https://connect.appsilon.com/tapyr-docs/
Podcast Index Database Dashboard (built with R and Quarto) https://rpodcast.github.io/pod-db-dash/
Eric will be a guest on the Podcasting 2.0 show this Friday! (10-May-2024 1:30 PM EDT) https://podcastindex.org/podcast/920666

Supporting the show
Use the contact page at https://rweekly.fireside.fm/contact to send us your feedback
R-Weekly Highlights on the Podcastindex.org - You can send a boost into the show directly in the Podcast Index. First, top-up with Alby, and then head over to the R-Weekly Highlights podcast entry on the index.
A new way to think about value: https://value4value.info
Get in touch with us on social media
Eric Nantz: @rpodcast@podcastindex.social (Mastodon) and @theRcast (X/Twitter)
Mike Thomas: @mikethomas@fosstodon.org (Mastodon) and @mikeketchbrook (X/Twitter)

Music credits powered by OCRemix
Green Glade Groove - Donkey Kong Country 2: Diddy's Kong Quest - TSori, dpMusicman, etc - https://ocremix.org/remix/OCR04437
Salut Voisin! - Final Fantasy IV - colorado weeks, Aeroprism - https://ocremix.org/remix/OCR04553

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Another Day, Another NAS: Attacks against Zyxel NAS326 Devices CVE-2023-4473, CVE-2023-4474 https://isc.sans.edu/diary/Another%20Day%2C%20Another%20NAS%3A%20Attacks%20against%20Zyxel%20NAS326%20devices%20CVE-2023-4473%2C%20CVE-2023-4474/30884
R-Bitrary Code Execution: Vulnerability in R's Deserialization https://hiddenlayer.com/research/r-bitrary-code-execution/
Coordinated Docker Hub Attacks using Malicious Repositories https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/
NVMe-oF/TCP Vulnerabilities https://www.cyberark.com/resources/threat-research-blog/your-nvme-had-been-syzed-fuzzing-nvme-of-tcp-driver-for-linux-with-syzkaller

R Weekly Highlights
Issue 2024-W18 Highlights

May 1, 2024 | 36:55


Why R 4.4.0 may reduce your trips to a certain kind of stack overflow, a call to update your favorite Shiny application code snippets, and how the stellar ASTHO Profile Shiny dashboard has your hosts blown away and fighting the urge to refactor their applications' UIs!

Episode Links
This week's curator: Eric Nantz: @rpodcast@podcastindex.social (Mastodon) and @theRcast (X/Twitter)
What's new in R 4.4.0?
It's time to add bslib to your shinyapp snippet
Tailoring Shiny for Modern Users
Entire issue available at rweekly.org/2024-W18

Supplement Resources
Full R 4.4.0 changelog https://cran.r-project.org/doc/manuals/r-release/NEWS.html
R-bitrary Code Execution: Vulnerability in R's Deserialization https://hiddenlayer.com/research/r-bitrary-code-execution/
ASTHO Profile dashboard https://astho.shinyapps.io/profile/
{plotcli} command-line plots for R https://github.com/cheuerde/plotcli
Fritz Leisch (1968-2024) https://www.r-project.org/doc/obit/fritz.html

Supporting the show
Use the contact page at https://rweekly.fireside.fm/contact to send us your feedback
R-Weekly Highlights on the Podcastindex.org - You can send a boost into the show directly in the Podcast Index. First, top-up with Alby, and then head over to the R-Weekly Highlights podcast entry on the index.
A new way to think about value: https://value4value.info
Get in touch with us on social media
Eric Nantz: @rpodcast@podcastindex.social (Mastodon) and @theRcast (X/Twitter)
Mike Thomas: @mikethomas@fosstodon.org (Mastodon) and @mikeketchbrook (X/Twitter)

Music credits powered by OCRemix
Trippin' on the Bridge - Streets of Rage - lazygecko - http://ocremix.org/remix/OCR00993
You Are Not Confined - Final Fantasy IX - Sonicade - https://ocremix.org/remix/OCR01064

Cyber Morning Call
Cyber Morning Call - #341 - 26/06/2023

Jun 26, 2023 | 4:31


[Episode References]
 - FG-IR-23-074 - FortiNAC - java untrusted object deserialization RCE - https://www.fortiguard.com/psirt/FG-IR-23-074
 - CWE-502: Deserialization of Untrusted Data - https://cwe.mitre.org/data/definitions/502.html
 - An Overview of the Different Versions of the Trigona Ransomware - https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html
 - PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID - https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid

[Credits]
Host: Carlos Cabral
Script: Carlos Cabral and Daniel Venzi
Audio editing: Paulo Arruzzo
Closing narration: Bianca Garcia
Graphic design: Julian Prieto

Paul's Security Weekly TV
Hertzbleed, SynLapse, Java Deserialization, More MFA, Firmware Flaws, & Zombie 0-Day - ASW #201

Jun 22, 2022 | 31:15


This week in the AppSec News: SynLapse shows shell injection via ODBC, Java deserialization example, MFA for Ruby Gems ecosystem, simple flaws in firmware, the decade-long journey of a Safari vuln, & more!   Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw201

Application Security Weekly (Video)
Hertzbleed, SynLapse, Java Deserialization, More MFA, Firmware Flaws, & Zombie 0-Day - ASW #201

Jun 22, 2022 | 31:15


This week in the AppSec News: SynLapse shows shell injection via ODBC, Java deserialization example, MFA for Ruby Gems ecosystem, simple flaws in firmware, the decade-long journey of a Safari vuln, & more!   Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw201

Absolute AppSec
Episode Ep. 171 - Ruby Deserialization Walkthrough, Domain Takeovers

May 10, 2022


Ken and Seth are back to talk about the potential of package hijacking based on DNS takeovers due to domain expirations. Ken provides a walkthrough of Ruby Deserialization techniques based on recent news articles.

Rustacean Station
Armin Ronacher on experimental deserialization with Deser

Apr 15, 2022 | 69:14


Allen Wyma talks with Armin Ronacher, creator of Deser. Deser is an experimental serialization system for Rust.

Contributing to Rustacean Station
Rustacean Station is a community project; get in touch with us if you'd like to suggest an idea for an episode or offer your services as a host or audio editor!
Twitter: @rustaceanfm
Discord: Rustacean Station
Github: @rustacean-station
Email: hello@rustacean-station.org

Timestamps
[@0:50] - Armin's background
[@2:49] - The difference between Jinja & Jinja2
[@3:47] - What is Twig?
[@4:14] - Where did the names Jinja & Twig come from?
[@7:36] - What makes Jinja2 good in portability?
[@12:46] - Armin's programming history
[@16:07] - How did Armin go from Delphi to Python?
[@19:18] - The Pocoo team
[@23:25] - When did Armin start using Rust?
[@27:26] - The pros & cons of mixing Python and Rust together
[@36:14] - Stacktrace errors
[@41:41] - How does Armin deal with developers having different compilers in a working environment.
[@45:57] - Armin talks about Serde and other serialization challenges
[@55:33] - Serialization Frameworks
[@1:04:23] - Where to check out Armin's library: https://github.com/mitsuhiko/deser
[@1:07:34] - Armin's tips and tricks for people starting in Rust

Other Resources
Armin's Github

Credits
Intro Theme: Aerocity
Audio Editing: Plangora
Hosting Infrastructure: Jon Gjengset
Show Notes: Plangora
Hosts: Allen Wyma

Risky Business
Risky Business #636 -- Victims are shunning data extortion payments

Sep 1, 2021


On this week's show Patrick Gray and Adam Boileau discuss recent security news, including:
  • More info on the Belarusian Cyber Patriots
  • How infosec overhyped election security risks
  • Is data ransoming dying?
  • All about the Azure Cosmos DB drama
  • Much, much more…

In this week's sponsor interview Airlock Digital's Daniel Schell and David Cottingham join the show to talk about EDR bypasses. They are a thing.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing.

Show notes
  • Belarusian hackers are turning the country's surveillance state against it | MIT Technology Review
  • A new wave of Hacktivists is turning the surveillance state against itself - The Record by Recorded Future
  • Trump conspiracies strain election cybersecurity experts
  • T-Mobile CEO apologizes after hacker stole millions of users' personal information
  • Bangkok Air confirms passenger PII leak after ransomware attack - The Record by Recorded Future
  • Leaked Guntrader firearms data file shared. Worst case scenario? Criminals plot UK gun owners' home addresses in Google Earth • The Register
  • Hackers steal $29 million from crypto-platform Cream Finance - The Record by Recorded Future
  • U.S. spy agencies rule out possibility the coronavirus was created as a bioweapon, say origin will stay unknown without China's help - The Washington Post
  • Australia's 'hacking' Bill passes the Senate after House made 60 amendments | ZDNet
  • White House rolls out pipeline, supply chain security initiatives as companies pledge billions in cyber spending
  • CISA adds single-factor authentication to its catalog of 'Bad Practices' - The Record by Recorded Future
  • DHS urges Microsoft customers to update Azure to avoid security flaw
  • Microsoft Azure vulnerability exposed thousands of cloud databases
  • CISA and the FBI warn of ransomware gangs' tendency of launching attacks over holidays and weekends - The Record by Recorded Future
  • FBI warns that Hive ransomware hackers are calling victims by phone
  • Deserialization bug in TensorFlow machine learning framework allowed arbitrary code execution | The Daily Swig
  • A Dark Web Murder-For-Hire Scammer Became An FBI Informant
  • WhatsApp, Facebook, and Twitter fined for not storing user data inside Russia - The Record by Recorded Future
  • A Bad Solar Storm Could Cause an 'Internet Apocalypse' | WIRED
  • Trial & Error in Kuwait - CyberScoop
  • How Data Brokers Sell Access to the Backbone of the Internet
  • Man Robbed of 16 Bitcoin Sues Young Thieves' Parents – Krebs on Security
  • Front Matter | Understanding and Managing Risk in Security Systems for the DOE Nuclear Weapons Complex: (Abbreviated Version) | The National Academies Press
  • JCP | Free Full-Text | An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors | HTML

Day[0] - Zero Days for Day Zero
Universal Deserialization, Stealing Youtube Videos, and CTFs

Jan 12, 2021 | 77:33


A new universal deserialization gadget for Ruby, a Rocket.Chat SAML auth bypass, and some heap exploitation research.

[00:00:36] Cybersecurity Knowledge and Skills Taught in Capture the Flag Challenges https://arxiv.org/pdf/2101.01421v1.pdf
[00:10:36] Universal Deserialisation Gadget for Ruby 2.x-3.x https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
[00:13:54] Stealing Your Private YouTube Videos, One Frame at a Time https://bugs.xdavidhu.me/google/2021/01/11/stealing-your-private-videos-one-frame-at-a-time/
[00:21:43] Rocket.chat - SAML authentication bypass https://hackerone.com/reports/1049375
[00:25:49] curl is vulnerable to SSRF due to improperly parsing the host component of the URL https://hackerone.com/reports/704621
[00:31:02] Issue 2095: Node.js: use-after-free in TLSWrap https://bugs.chromium.org/p/project-zero/issues/detail?id=2095
[00:35:28] Preventing Use-After-Free Attacks with Fast Forward Allocation https://gts3.org/assets/papers/2021/wickman:ffmalloc.pdf
[00:49:38] Automatic Techniques to Systematically Discover New Heap Exploitation Primitives https://www.usenix.org/system/files/sec20fall_yun_prepub.pdf
[00:59:50] A Samsung RKP Compendium https://blog.longterm.io/samsung_rkp.html
[01:11:32] Analyzing CVE-2020-16040 https://faraz.faith/2021-01-07-cve-2020-16040-analysis/
[01:13:51] HexLasso Online https://suszter.com/hexlasso-online/
[01:15:30] A Side Journey to Titan https://ninjalab.io/a-side-journey-to-titan/

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@dayzerosec)

Security Headlines
Second Episode!

Apr 1, 2020 | 3:08


In this episode of security headlines the following vulnerabilities are mentioned:

For wordpress:
WordPress Aviary Image Editor Add-On For Gravity Forms Plugins 3.0 Beta R7 CSRF Shell Upload Vulnerability
Wordpress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting
Wordpress Plugin PicUploader 1.0 - Remote File Upload
WordPress StatTraq 1.3.0 SQL Injection
WordPress WP Forms 1.5.8.2 Cross Site Scripting
WordPress WPForms 1.5.9 Cross Site Scripting

Tor:
Medium CVE-2020-10592: Torproject TOR
Medium CVE-2020-10593: Torproject TOR
TROVE-2020-002 TROVE-2020-004 remotely triggerable memory leak on relays and clients Causing denial of service
https://trac.torproject.org/projects/tor/ticket/33619

Sharepoint:
SharePoint Workflows XOML Injection which is now a metasploit module
https://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html

Joomla:
Joomla GMapFP 3.30 Arbitrary File Upload
Joomla HDWPlayer 4.2 SQL Injection
Joomla! com_hdwplayer 4.2 search.php SQL Injection

Jenkins:
jenkins-2-plugins: Execute arbitrary code commands
openshift/jenkins-plugin: Deserialization in snakeyaml YAML() objects allowed for remote code execution (CVE-2020-2167)

Weechat:
Medium CVE-2020-9759: Weechat Weechat
Medium CVE-2020-9760: Weechat Weechat
https://weechat.org/doc/security/
One crash and one buffer overflow based on nick prefixes.

SCADA:
New scada vulnerability affecting Schneider Electric IGSS SCADA Software
https://www.zerodayinitiative.com/advisories/upcoming/
https://www.us-cert.gov/ics/advisories/icsa-20-084-02

http/3 QUIC vuln:
Specially formatted HTTP/3 messages may cause the Traffic Management Microkernel (TMM) to produce a core file. (CVE-2020-5859)
https://support.f5.com/csp/article/K61367237

Check us out at:
https://firosolutions.com
https://watchers.firosolutions.com
https://blog.firosolutions.com
https://status.firosolutions.com

Machine learning
Flutter json deserialization and serialization using future and async methods and http services

Feb 29, 2020 | 42:18


Learning API programming in Flutter

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Apple Security Updates Details Released https://support.apple.com/en-us/HT201222
Untitled Goose Deserialization https://pulsesecurity.co.nz/advisories/untitled-goose-game-deserialization
Insecure Pagers Leak Medical Data https://techcrunch.com/2019/10/30/nhs-pagers-medical-health-data/
Kibana Vulnerability https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Sodinokibi Ransomware Exploits WebLogic Server Vulnerability https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
Facebook Leaking Sellers Exact Locations https://www.7elements.co.uk/resources/blog/facebooks-burglary-shopping-list/
Revive Adserver Deserialization Vulnerability https://www.revive-adserver.com/security/revive-sa-2019-001/
AutoMacTC: Automating Mac Forensics Triage https://www.crowdstrike.com/blog/automating-mac-forensic-triage/
Kroll Artifact Parser And Extractor (KAPE) https://learn.duffandphelps.com/kape

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Cisco Security Bulletins https://tools.cisco.com/security/center/publicationListing.x
Ruby Deserialization https://www.elttam.com.au/blog/ruby-deserialization/
Ouch Newsletter: Am I Hacked? https://www.sans.org/security-awareness-training/resources/am-i-hacked
Jonathan Sweeny: Smart Contract Botnets https://www.sans.org/reading-room/whitepapers/covert/botnet-resiliency-private-blockchains-38050 https://www.sans.org/reading-room/whitepapers/warfare/tearing-smart-contract-botnets-38650

Paul's Security Weekly TV
Aleksei Tiurin, Acunetix - Paul's Security Weekly #581

Nov 4, 2018 | 39:49


Aleksei Tiurin is the Senior Security Researcher for Acunetix. Aleksei is giving a technical segment on insecure deserialization in Java/JVM and explains what polymorphism is. Aleksei Tiurin is a security researcher and pentester with over 8 years of experience in penetration testing and with a particular focus on ERP and banking systems and Windows-networks. To learn more about Acunetix, go to: https://www.acunetix.com/securityweekly Full Show Notes: https://wiki.securityweekly.com/Episode581 →Visit our website: https://www.securityweekly.com →Follow us on Twitter: https://www.twitter.com/securityweekly →Like us on Facebook: https://www.facebook.com/secweekly

Paul's Security Weekly (Video-Only)
Aleksei Tiurin, Acunetix - Paul's Security Weekly #581

Nov 3, 2018 (39:49)


Aleksei Tiurin is the Senior Security Researcher for Acunetix. Aleksei is giving a technical segment on insecure deserialization in Java/JVM and explains what polymorphism is. Aleksei Tiurin is a security researcher and pentester with over 8 years of experience in penetration testing and with a particular focus on ERP and banking systems and Windows networks.
To learn more about Acunetix, go to: https://www.acunetix.com/securityweekly
Full Show Notes: https://wiki.securityweekly.com/Episode581
Visit our website: https://www.securityweekly.com
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Many Large Websites Affected by Branch.io XSS Flaw https://www.vpnmentor.com/blog/dom-xss-bug-affecting-tinder-shopify-yelp/
Medtronics Pacemakers Disable Remote Update https://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/REV-Medtronic-2090-Security-Bulletin_FNL.pdf
IBM Updates WebSphere Update https://www-01.ibm.com/support/docview.wss?uid=swg22016254
Incomplete JET Database Patch https://blog.0patch.com/2018/10/patching-re-patching-and-meta-patching.html


Localhost Podcast
014 - OWASP Top 10

May 4, 2018 (61:11)


Hello from the Internet. In this episode we count down the OWASP TOP 10 and explore the implications of each of the issues that we should be looking at in securing our applications. Enjoy the show!

## Show Notes

- [OWASP](https://www.owasp.org/index.php/Main_Page)
- [OWASP TOP 10 for 2017](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf)

### 10. Logs

- Insufficient Logging and Monitoring - https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring
- Graylog - https://www.graylog.org/
- Logstash (ELK) - https://www.elastic.co/elk-stack

### 09. Components

- https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities
- Safety - Python - https://pyup.io/safety/
- Ruby - http://guides.rubygems.org/security/
- Node - Node Security - https://github.com/nodesecurity/nsp

### 08. Deserialization

- https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization

### 07. XSS

- https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)

### 06. Security Misconfiguration

- https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration
- How to harden a Linux server:
  - https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
  - https://medium.com/viithiisys/10-steps-to-secure-linux-server-for-production-environment-a135109a57c5
  - https://www.cyberciti.biz/tips/linux-security.html

### 05. Broken Access Control

- https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
- Firesheep - https://codebutler.com/projects/firesheep/

### 04. XML External Entities

- https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)
- Billion Laughs Attack - https://en.wikipedia.org/wiki/Billion_laughs_attack

### 03. Sensitive Data Exposure

- https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
- PCI DSS - https://www.pcisecuritystandards.org/pci_security/
- GDPR - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Password Hashing - https://crackstation.net/hashing-security.htm
- Best practice for SSL + TLS
  - https://www.ssllabs.com/ssltest/
  - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- Let's Encrypt - https://letsencrypt.org/
- CipherList - Strong config for Apache / Nginx https://cipherli.st/

### 02. Broken Authentication

- https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
- Horse staple - https://xkcd.com/936/
- NIST - https://www.passwordping.com/surprising-new-password-guidelines-nist/
- Rainbow tables - http://project-rainbowcrack.com/table.htm
- Google 2FA
- Authy - https://authy.com/
- Duo - https://duo.com/

### 01. Injection

- https://www.owasp.org/index.php/Top_10-2017_A1-Injection
- Bobby Tables - https://xkcd.com/327/
- Misc
  - Nessus - https://www.tenable.com/products/nessus/nessus-professional
  - OpenVas - http://www.openvas.org/
  - ZED Attack Proxy - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  - zxcvbn: realistic password strength estimation - https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
  - Be afraid, be very afraid - https://attack.mitre.org/wiki/Main_Page

Illegal Argument
152: XML Beware

Sep 10, 2017 (8:43)


A short minisode on Apache Struts, XML deserialisation attacks, and Equifax. XML? Be cautious!

- Severe security vulnerability found in Apache Struts using lgtm.com (CVE-2017-9805)
- CVE-2017-9805: Analysis of Apache Struts RCE Vulnerability in REST Plugin
- Apache Struts Statement on Equifax Security Breach
- Apache Struts Security Bulletins
- OWASP Dependency Check
- struts-pwn - an exploit tester
- Remotely Exploitable Java Zero Day Exploits through Deserialization (2015 alert for Apache Commons Collections 3.x)
- A critical Apache Struts security flaw makes it 'easy' to hack Fortune 100 firms
- Upgrade your s**t!

Brakeing Down Security Podcast
2016-011-Hector Monsegur, deserialization, and bug bounties

Mar 13, 2016 (72:26)


Download Here: http://traffic.libsyn.com/brakeingsecurity/2016-011-Hector_Monsegur-bug_bounties-serialization.mp3
iTunes Direct Link: https://itunes.apple.com/us/podcast/2016-011-hector-monsegur-serialization/id799131292?i=364768504&mt=2

Hector Monsegur has had a colorful history. A reformed black hat who went by the name 'Sabu' when he was involved in the hacker collectives "Lulzsec" and "Anonymous", he turned state's evidence for the FBI, working to stop further hacking attempts by the same people he was working with. https://en.wikipedia.org/wiki/Hector_Monsegur

This week, we got to sit down with Hector to find out what he's been doing in the last few years. Obviously, a regular job in the security realm for a large company is not possible for someone with the colorful past that Mr. Monsegur has. So we discuss some of the methods that he's used to make ends meet.

Which brings us to the topic of bug bounties. Do they accomplish what they set out to do? Are they worth the effort companies put into them? And how do you keep bounty hunters from going rogue and using vulnerabilities found against a company on the side?

In an effort to satisfy my own curiosity, I asked Hector if he could explain what a 'deserialization' vulnerability is, and how it can be used in applications. They are different than your run-of-the-mill, everyday variety OWASP error, but this vulnerability can totally ruin your day...
https://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications
https://securityintelligence.com/one-class-to-rule-them-all-new-android-serialization-vulnerability-gives-underprivileged-apps-super-status/

Finally, we ask Hector for some advice for that 'proto black hat' who is wanting to head down the road that Hector went. The answer will surprise you...

We hope you enjoy this most interesting interview with an enigmatic and controversial person, and hope that the information we provide gives another point of view into the mind of a reformed "black hat" hacker...

Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast
RSS FEED: http://www.brakeingsecurity.com/rss
On Twitter: @brakesec @boettcherpwned @bryanbrake
Facebook: https://www.facebook.com/BrakeingDownSec/
Tumblr: http://brakeingdownsecurity.tumblr.com/
Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
Player.FM: https://player.fm/series/brakeing-down-security-podcast
Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Paul's Security Weekly
Hack Naked TV December 10, 2015

Dec 11, 2015 (8:49)


Welcome to another episode of Hack Naked TV, recorded December 10th, 2015. Today Aaron talks about the Cybersecurity Information Sharing Act, Kazakhstan, Flash updates, encryption backdoors, and cyber espionage.

Paul's Security Weekly TV
Hack Naked TV: December 2, 2015

Dec 10, 2015 (12:09)


Welcome to another episode of Hack Naked TV, recorded December 2nd, 2015. Today Aaron talks about the Dell root certificate fiasco, Hacking Back being reviewed by the government, the LANDesk breach, new tool releases, and more! For a full list of stories, visit our wiki here.

Paul's Security Weekly
Hack Naked TV: December 2, 2015

Dec 10, 2015 (12:05)


Welcome to another episode of Hack Naked TV, recorded December 2nd, 2015. Today Aaron talks about the Dell root certificate fiasco, Hacking Back being reviewed by the government, the LANDesk breach, new tool releases, and more! For a full list of stories, visit our wiki here.

Devchat.tv Master Feed
222 RR Rails 5 with Sean Griffin

Aug 26, 2015 (51:46)


02:28 - Sean Griffin Introduction Twitter GitHub thoughtbot @thoughtbot
02:53 - Rails 5 Ship Estimate?
03:15 - What’s Coming in Rails 5? actioncable turbolinks 3
04:13 - Approachability For New Developers Turing School
05:49 - Making Decisions
06:46 - “Syntax”
07:40 - Adding or Matthew Draper
09:36 - The Attributes API
12:57 - Serialization & Deserialization
21:26 - Feature Proposal & Policies The Rails Core Mailing List The Rails Talk Mailing List Stack Overflow
22:46 - preload, eager_load, includes Robert Pankowecki: 3 ways to do eager loading (preloading) in Rails 3 & 4
23:59 - prepend Ruby 2 - Module#prepend
25:29 - Deconstructing/Constructing APIs or where Abstract Syntax Tree (AST) arel
28:27 - bound_attributes()
29:58 - Trying Ideas and Going About Development in Rails
32:01 - Legacy Code Yehuda Katz: Keynote: 10 Years! @ RailsConf 2014
33:43 - The Migration Path From Rails 4 => 5
34:59 - Other Changes Outside Active Record
39:19 - Performance
41:09 - Trying Rails
43:05 - Tests
43:52 - Are the guides and documentation up-to-date?

Extras
JavaScript Jabber Episode #161: Rust with David Herman
The Bike Shed Podcast @_bikeshed
RubyConf Portugal
WindyCityRails
Sean Griffin: Designing a Great Ruby API - How We're Simplifying Rails 5

Picks
Maria Matveeva: Design sprints: what are they for? (Saron)
LoneStarRuby (Saron)
Support CodeNewbie! (Saron)
Mockaroo (Coraline)
Jim Kazanjian (Coraline)
Mastermind Groups (Chuck)
Planning (Chuck)
The Rust Programming Language (Sean)


All Ruby Podcasts by Devchat.tv
206 RR Trailblazer with Nick Sutterer

May 6, 2015 (52:14)


02:53 - Nick Sutterer Introduction Twitter GitHub Blog Trailblazer: A New Architecture For Rails by Nick Sutterer
03:31 - Trailblazer [GitHub] trailblazer
04:56 - Form Object “Operation”
07:28 - Validations ActiveModel::Validations lotus/validations Introducing Lotus::Validations
08:47 - Decoupling
09:45 - Namespace Reuse Concepts/Concerns
11:50 - Process Method => Procedural Code
12:54 - Inheritance
13:57 - Contracts
14:57 - How is Using Trailblazer Different?
18:17 - What Would DHH Think?
19:32 - Trailblazer as an Extra Layer Single Responsibility Principle Monoliths RailsConf 2015: David Heinemeier Hansson Keynote
27:20 - Testing
28:35 - When Should You NOT Use Trailblazer?
29:53 - Moving to Trailblazer
36:03 - Rails 5 and Trailblazer
37:22 - Maintainers Abdelkader Boudih Celso Fernandes
38:44 - APIs Deserialization
41:04 - Parts of Trailblazer reform roar cells
44:16 - Generators

Picks
A Gentleman’s Guide To Street Harassment (Saron)
Tor and HTTPS (Saron)
How it feels to watch a user test your product for the first time (Saron)
Humane Development (Coraline)
The Left Hand of Darkness (Coraline)
Star Wars: Episode VII - The Force Awakens (Chuck)
WorkFlowy (Chuck)
Ruby Rogues Episode #204: Limerence with Dave Thomas (Chuck)
JS Remote Conf Talks (Chuck)
Trailblazer: A New Architecture For Rails by Nick Sutterer (Nick)
[YouTube] Cinco Face Time Party Snoozer (Nick)


Java Pub House
Episode 18. Ahh, the perils of Serialization and Deserialization in Java

Feb 16, 2012 (46:37)


We all have the need to serialize/deserialize objects (either through the "wire" or to file). In this podcast we go and analyze what exactly happens when we create an ObjectOutputStream and write to it, and more importantly what pitfalls there are to avoid (Out of memory errors, stale object updates, Not Serializable Exceptions, and toenail fungus!). If you ever considered using ObjectOutput/InputStream, or are actively using it in your current projects, take a listen!
https://github.com/eishay/jvm-serializers/wiki/ (Serialization performance comparison for Java, pick one!)
Questions, feedback or comments! comments@javapubhouse.com
Subscribe to our podcast! (http://javapubhouse.libsyn.com/rss)
ITunes link (http://itunes.apple.com/us/podcast/java-pub-house/id467641329)
Java 7 Recipes book! (http://www.amazon.com/gp/product/1430240563/ref=as_li_ss_il?ie=UTF8&tag=meq-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=1430240563)