First part online VJ2024

This commit is contained in:
Michael Boelen 2024-04-10 18:17:07 +00:00
parent e81a06c3a7
commit bec819033a
17 changed files with 317 additions and 7 deletions

View file

@ -39,7 +39,7 @@ event_sponsors:
- at-computing - at-computing
event_status: "scheduled" event_status: "scheduled"
event_schedule: event_schedule:
hidden: true hidden: false
title: Programma title: Programma
description: description:
columns: 4 columns: 4
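Review bot: flipping `hidden: true` to `hidden: false` publishes the schedule block, yet the description text changed later in this same commit still says "Het volledige programma komt binnenkort online"; confirm that showing the (partial) schedule and announcing the full programme as forthcoming are both intended to be live at once, or keep the schedule hidden until the remaining slots are filled.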
@ -83,10 +83,10 @@ event_schedule:
time: 09:30 time: 09:30
- column: - column:
talk: talk:
speaker: speaker: Peter Honeyman
title: title: Money for Nothing, Chips for Free
keynote: true keynote: true
link: link: talks/peter-honeyman-money-for-nothing-chips-for-free/
center: true center: true
size: 3 size: 3
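Review bot: the keynote link `talks/peter-honeyman-money-for-nothing-chips-for-free/` is hard-coded, while the new talk file for this keynote leaves `slug:` empty, so the actual URL depends on how the site generator derives a slug from the title "Peter Honeyman - Money for Nothing, Chips for Free"; verify the generated path matches this link before publishing, or set `slug` explicitly in the talk file.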
- row: - row:
@ -151,6 +151,15 @@ event_schedule:
text: Lunch text: Lunch
center: true center: true
size: 3 size: 3
- row:
columns:
- column:
time: 12:35
- column:
textfield:
text: Algemene Ledenvergadering (ALV)
center: true
size: 3
- row: - row:
columns: columns:
- column: - column:
@ -259,7 +268,10 @@ event_schedule:
size: 3 size: 3
--- ---
De programmacommissie heeft alle inzendingen bekeken. De volgende sprekers zijn inmiddels bekend:
De programmacommissie heeft alle inzendingen bekeken. De keynote zal worden verzorgd door Peter Honeyman!
Het volledige programma komt binnenkort online. De volgende sprekers zijn inmiddels bekend:
- Alain van Hoof - Alain van Hoof
- Alexios Zavras - Alexios Zavras
@ -278,11 +290,9 @@ De programmacommissie heeft alle inzendingen bekeken. De volgende sprekers zijn
- Niels Hatzmann - Niels Hatzmann
- Patrick Kuin - Patrick Kuin
- Paul K. Gerke - Paul K. Gerke
- Peter Honeyman
- Robbert Schep - Robbert Schep
- Rudi van Drunen - Rudi van Drunen
- Stefan Ubbink - Stefan Ubbink
- Tom Lyon - Tom Lyon
Het programma komt binnenkort online. Zet in de tussentijd alvast de datum in je agenda!
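Review bot: dropping `- Peter Honeyman` from the speaker list is consistent with naming him as keynote in the new intro sentence, but the closing line "Het programma komt binnenkort online. Zet in de tussentijd alvast de datum in je agenda!" only appears on the old side of this hunk; if the save-the-date call to action is still wanted, carry it into the new text, which now only states that the full programme is coming soon.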

View file

@ -0,0 +1,23 @@
---
categories:
date: 2023-04-10T19:21:43+02:00
description:
layout: event-talk
slug:
tags:
title: "Alexios Zavras - The Increasing Importance of SBOMs and the Latest Developments"
speakers:
- alexios-zavras
---
## Abstract
While other domains like construction, mechanical engineering, or even computer hardware have long used the concept of Bill of Materials (BOMs), software traditionally has not followed this best practice. There have been efforts running for over a decade to address this, and recent developments have pushed forward the use and wide adoption of Software BOMs.
The presentation will delve into the growing significance of SBOMs, spurred by recent regulatory changes such as the Executive Order 14028 in the United States and the Cyber Resilience Act in the European Union, which are oriented towards managing security through the software supply chain. These changes have highlighted the necessity for a comprehensive and standardized approach to SBOMs, which are becoming increasingly crucial in the software industry. The presentation will also explore the diversification of software, particularly with the advent of Artificial Intelligence (AI). AI has expanded the traditional definition of software beyond source code to include datasets and models. This shift necessitates a broader and more inclusive understanding of SBOMs, which the presentation will discuss in detail.
Furthermore, the presentation will provide an overview of the current state of the Software Package Data Exchange (SPDX), the freely available ISO standard for SBOMs. This will include an examination of its structure and the information that can be recorded.
The aim of this presentation is to provide attendees with a comprehensive understanding of the importance of SBOMs in today's software industry, the impact of recent regulatory changes, and the role of standards like SPDX. It will also offer insights into the future of SBOMs, particularly in the context of AI and other emerging technologies.
## Biography
Alexios Zavras is the Chief Open Source Compliance Officer of Intel Corporation. He has been working on issues related to SBOMs for more than a decade. He currently serves as chairperson of the Outreach team and member of the Steering Committe of SPDX, and has organized the SBOM devroom in the last two FOSDEM conferences.
Alexios has been involved with Free and Open Source Software since 1983, and is an evangelist for all things Open. He has presented in and helped organize a number of national and international conferences, including FOSDEM, CopyleftConf, Linux Foundation events like Open Source Leadership Summit and Open Source Summit, and academic conferences — and back in the day the SANE conference in the Netherlands. He has a PhD in Computer Science after having studied Electrical Engineering and Computer Science in Greece and the United States.
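Review bot: `date: 2023-04-10T19:21:43+02:00` is a year behind this 2024 commit, and the same 2023 timestamp is repeated in most of the new talk files here (the Jeroen Baten file uses 2024-04-10), so it looks like a copied template value that should be corrected. Minor text issue: "Steering Committe" in the biography should be "Steering Committee". `description:` and `slug:` are left empty.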

View file

@ -0,0 +1,24 @@
---
categories:
date: 2023-04-10T19:21:43+02:00
description:
layout: event-talk
slug:
tags:
title: "Armijn Hemel - Having Fun with the ZIP File Format"
speakers:
- armijn-hemel
---
## Abstract
The ZIP file format is one of the most widely used file formats. Popular formats, such as Android APK, Java JAR, OpenDocument and others are based on ZIP.
Since the format started in 1989 the specifications have been open, meaning anyone can implement it. Unfortunately the specifications themselves are a bit vague and leave plenty of room for interpretation. Design choices, as well as the fact that extra functionality has been glued on in the last 30 years, mean there is a surprising large number of ways to create valid ZIP files. Not all ZIP tools have implemented ZIP the same way and it is possibly to create valid ZIP files with one tool that cannot be unpacked with other tools.
In this talk I want to take you on a tour of the ZIP file format, where the specifications and tool implementations contradict each other, as well as some new research of how malware data was creatively hidden to avoid detection, confusing almost all popular malware scanners at some point, and getting malware past them undetected.
## Biography
Armijn Hemel, MSc, is the owner of Tjaldur Software Governance Solutions, a consultancy specializing in open source license compliance, binary scanning and code provenance. Armijn was on the NLUUG board from 2006 - 2010.
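Review bot: two typos in the abstract: "a surprising large number of ways" should read "a surprisingly large number of ways", and "it is possibly to create valid ZIP files" should read "it is possible to create valid ZIP files". The front matter carries the same 2023 `date` noted above.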

View file

@ -0,0 +1,27 @@
---
categories:
date: 2023-04-10T19:21:43+02:00
description:
layout: event-talk
slug:
tags:
title: "Ben de Haan and Jeroen Willemsen - How to (not) Use Secrets with OWASP WrongSecrets"
speakers:
- ben-de-haan
- jeroen-willemsen
---
## Abstract
If you want to bring an app to production, you need to know where to put your secrets and how to access them safely. In this session, we'll go into how to *not* use secrets with a purposefully vulnerable application. We hope you'll take this knowledge and not make the same mistakes in your own app. Of course, you'll also learn a thing or two on how to do secrets management properly. Alternatively, you can use this app to teach others!
## Biography
### Ben de Haan
I am a Freelance Security Consultant and engineer, and co-project lead of OWASP WrongSecrets. My specialties are security in application development/SRE and cloud.
Outside of regular work, I like to spend time creating cool (and secure) things.
### Jeroen Willemsen
Jeroen is a typical security jack-of-all-trades. He is a hands-on security architect, who loves to secure anything: from (private) clouds, to mobile apps, and anything in between. Jeroen has been involved in various OWASP projects, now focusing on OWASP WrongSecrets. He enjoys a pentest every now and then, while helping organizations to get secure enough. Jeroen is often engaged in knowledge sharing through talks, blogs, projects at Github, and trainings.
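Review bot: "projects at Github" in the Jeroen Willemsen biography should be "projects at GitHub"; the front matter carries the same 2023 `date` as the other new talk files.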

View file

@ -0,0 +1,34 @@
---
categories:
date: 2024-04-10T19:31:43+02:00
description:
layout: event-talk
slug:
tags:
title: "Jeroen Baten - Making Ansible Playbooks to Configure Single Sign-on for Popular Open Source Applications"
speakers:
- jeroen-baten
---
## Abstract
TL;DR: I spend 11 month developing a set of playbooks to configure SSO for several open source application and/to a Keycloak identity server. In my talk I present the process and some gotchas.
The Dutch Onestein organization (specialized in Odoo implementations) invested 11 month of research. Goal was to create a set of easy to use Ansible playbooks to configure single sign-on (SSO) for popular open source applications. This would enable them to authenticate to a Keycloak server as the central identity provider.
These playbooks have been published on https://github.com/onesteinbv/project_single_sign_on and are meant to be a starting point.
The list of supported applications are currently:
- Bitwarden
- CMDBuild
- Jenkins
- Gitlab
- Nextcloud
- Odoo
- Xwiki
- Zabbix
## Biografie
Jeroen Baten is an IT consultant and specializes in Linux and open source software. He is particularly interested in complex technical and policy issues. Jeroen is sometimes active as JeroenBaten on Mastodon and Kwootman on X, but he actually tries to avoid social media as much as possible. His professional career can be found on LinkedIn, where he sometimes also posts posts about relevant topics in his field. His personal blog can be found at https://www.jeroenbaten.nl. As a hobby he likes to read, he collects AS/400 systems and enjoys playing with synthesizers and computers.
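Review bot: the heading `## Biografie` is Dutch in an otherwise English talk page, whereas the other English files in this commit use `## Biography`. Grammar in the TL;DR: "I spend 11 month developing a set of playbooks to configure SSO for several open source application and/to a Keycloak identity server" should read "I spent 11 months developing a set of playbooks to configure SSO for several open source applications against a Keycloak identity server", and "The list of supported applications are currently" should be "is currently".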

View file

@ -0,0 +1,24 @@
---
categories:
date: 2023-04-10T19:21:43+02:00
description:
layout: event-talk
slug:
tags:
title: "Joost Gadellaa - Oh nee, Schaduw-ICT!"
speakers:
- joost-gadellaa
---
## Abstract
Schaduw-ICT is een terugkerend fenomeen in allerlei discussies over informatiebeveiliging, privacy en compliance. Voor SURF heb ik onderzoek gedaan naar mogelijke risicos die het veroorzaakt in het hoger onderwijs en denk dat de bevindingen breed toepasbaar zijn.
Schaduw-ICT verwijst naar ICT-middelen die zonder officiële goedkeuring of zelfs kennis van een ICT-afdeling worden gebruikt. Bestaand onderzoek suggereert dat dit verlies van controle ernstige gevolgen heeft voor de cyberbeveiliging, maar over technische details (of oplossingen) van die gevolgen blijft het vaak op de vlakte.
Mijn afstudeeronderzoek bij SURF omvatte een literatuurstudie en interviews met elf informatiebeveiligingsprofessionals over hun ervaringen met schaduw-ICT. Uitkomsten tonen aan dat schaduw-IT veelvormig is en in alle lagen van allerlei organisaties voorkomt en een boel risicos met zich mee kan brengen, maar ook dat de oplossingen niet ver weg zijn.
De resultaten leidden tot de identificatie van verschillende typen risicos en mogelijke tegenmaatregelen. Het blijkt dat een verantwoorde omgang met schaduw-ICT heel haalbaar is, mits organisaties hun bestaande verdedigingsmaatregelen aanpassen. Verbieden van schaduw-IT is noch haalbaar noch wenselijk; de uitkomsten van dit onderzoek geven aanbevelingen om verantwoord Schaduw-ICT toe te laten.
## Biografie
Joost is Technisch Productmanager bij SURF, de ict-coöperatie van onderwijs en onderzoek in Nederland. In zijn rol is hij betrokken bij het leveren van diverse securitydiensten, zoals emailbeveiliging en certificateninfrastructuur. Hij werkt nauw samen met de leden van de coöperatie om nieuwe behoeften in cybersecurity te identificeren. Op het moment is hij bijvoorbeeld bezig met het ondersteunen van weerbaarheidstesten (red teaming, hacking-evenementen, attack surface mapping, etc.).
Zijn interesse in open-source en open standaarden, probeert hij zowel professioneel als in zijn hobbies in de praktijk te brengen. Joost heeft een master in Bedrijfsinformatica behaald aan de Universiteit Utrecht en een bachelor in Economie, met focus op governance, gedrag en de raakvlakken met Informatica. Bij SURF heeft hij een masterscriptie geschreven over de rol van Schaduw ICT binnen de informatiebeveiliging van onderwijsinstellingen, iets waar hij nog graag over doorpraat.
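Review bot: "risicos" occurs three times and should be "risico's"; the text also alternates between "schaduw-ICT", "schaduw-IT" and "Schaduw ICT", so pick one spelling and use it throughout. Same copied 2023 `date` in the front matter.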

View file

@ -0,0 +1,38 @@
---
categories:
date: 2023-04-10T19:21:43+02:00
description:
layout: event-talk
slug:
tags:
title: "Joost Grunwald en Patrick Kuin - Harnessing AI and Open-Source Tools for Enhanced IT Security Vulnerability Assessment "
speakers:
- joost-grunwald
- patrick-kuin
---
## Abstract
In the ever-evolving landscape of IT security, the need to effectively identify and manage vulnerabilities is paramount. This study delves into how the amalgamation of different vulnerability scanners, coupled with open-source projects, can yield comprehensive and trustworthy data. It also elucidates how Artificial Intelligence (AI) plays a pivotal role in enriching reports and prioritizing vulnerabilities based on a multi-faceted equation of Threat, Risk, and assurance of an appropriate Tool.
Taking the leap to partially automated penetration testing, the research explores the application of AI in automatically verifying vulnerabilities as Proof of Concept (POC) exploits. By actively exploiting vulnerabilities using exploitation tools in combination with a Linux shell and a Metasploit console, the AI can attempt to exploit multiple version-based vulnerabilities to prove their exploitability. This approach demonstrates the robustness and efficacy of combining traditional vulnerability scanners with AI and open-source projects in enhancing IT security.
To cater to organizations with varying security requirements, the proposed solution offers modularity in tool selection. Organizations can choose from a range of scanning options, from internet-based scans (InternetDB, Shodan) that have minimal impact, to full vulnerability management and even penetration testing-like scans that attempt to exploit discovered vulnerabilities for validation.
By mapping vulnerabilities to risk scores based on factors like EPSS, CVSS, and tool confidence, professionals can prioritize their remediation efforts accordingly. The AI-powered system also generates comprehensive HTML reports containing recommendations and reproduction steps for each vulnerability, making it easier for IT teams to address the issues.
In conclusion, this research highlights the benefits of harnessing AI and open-source tools for enhanced IT security vulnerability assessment. By combining traditional vulnerability scanners with AI-powered prioritization and reporting, organizations can optimize their security protocols and strategies, leading to more robust and effective IT security management.
## Biography
### Joost Grunwald
As a security enthousiast, I have always been fascinated by finding vulnerabilities, manually, but also automatically, because of scale and because I am only able to spent my time once.
I have two cybersecurity related companies in which I do a lot of pentesting and love building systems related to vulnerability management or SIEM/IDS/etc.
I do project Darkstar, as we call it, at SURF as part of my master in cyber security on the radboud university.
### Patrick Kuin
Enthusiastic student specializing in cybersecurity.
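Review bot: the `title` string ends with a trailing space before the closing quote (`...Vulnerability Assessment "`), which will leak into the rendered page title and any slug derived from it; trim it. In the Joost Grunwald biography, "enthousiast" should be "enthusiast", "only able to spent my time once" should be "spend", and "radboud university" should be capitalised as "Radboud University".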

View file

@ -0,0 +1,23 @@
---
categories:
date: 2023-04-10T19:21:43+02:00
description:
layout: event-talk
slug:
tags:
title: "Paul K. Gerke - Building and Replacing On-prem Deep Learning Infrastructure for Medical Image Analysis "
speakers:
- paul-k-gerke
---
## Abstract
In 2015, the Diagnostic Image Analysis Group (DIAG) of the Radiology Department, Radboudumc Nijmegen adopted _deep learning_ for diagnostic image analysis research. This required building custom, on-prem computing infrastructure centered around NIVIDA GPUs. This on-prem solution is effective for experimentation but scaling and maintaining the system remains a challenge.
To address these challenges, we have pivoted away from the on-prem solution towards an in-house developed, large open-source platform called [Grand Challenge](https://grand-challenge.org/). This change solves our specific scaling and maintenance issues, and also enhances the visibility of research output in the field in general.
During the presentation I showcase the specific setups and discuss different hardware and software problems that we encountered.
## Biography
Professional software developer trying to cover the in the entire software and hardware stack "from wire to website". Working professionally at the Diagnostic Image Analysis Group (Radboudumc Nijmegen) for 10 years after finishing my Master of Science in Artificial Intelligence at the Radboud University Nijmegen.
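Review bot: trailing space in the `title` string again (`...Medical Image Analysis "`); trim it. In the abstract "NIVIDA GPUs" should be "NVIDIA GPUs", and the biography's "trying to cover the in the entire software and hardware stack" has a stray "the in" that should be removed.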

View file

@ -0,0 +1,19 @@
---
categories:
date: 2023-04-10T19:21:43+02:00
description:
layout: event-talk
slug:
tags:
title: "Peter Honeyman - Money for Nothing, Chips for Free"
speakers:
- peter-honeyman
---
## Abstract
How a team of academic hackers discovered bugs in a widely deployed smart card payment protocol, kept them secret (until now!), and turned what they learned into parties, papers, conferences, and advanced degrees.
## Biography
Peter Honeyman is Research Professor Emeritus of Computer Science and Engineering at the University of Michigan.
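Review bot: this file has the copied 2023 `date` and an empty `slug:`, while the schedule hunk earlier in this commit hard-codes the path `talks/peter-honeyman-money-for-nothing-chips-for-free/` for this keynote; setting `slug` explicitly here would keep that link from drifting if the title is ever edited.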

View file

@ -0,0 +1,20 @@
---
categories:
date: 2023-04-10T19:21:43+02:00
description:
layout: event-talk
slug:
tags:
title: "Stefan Ubbink - De Algoritme-rollover voor .nl "
speakers:
- stefan-ubbink
---
## Abstract
In juli 2023 heeft SIDN de overstap van .nl naar een nieuw cryptografisch algoritme succesvol afgerond. Deze rollover verliep zonder problemen en .nl is nu met een moderner en efficiënter algoritme beveiligd.
In deze presentatie zal er worden uitgelegd wat SIDN allemaal heeft gedaan om een succesvolle algoritme rollover voor .nl te kunnen doen en welke, deels verrassende, effecten de rollover op ons netwerkverkeer had.
## Biografie
Stefan Ubbink is een DNS en System Engineer bij SIDN (de .nl registry) en heeft een ruime ervaring met het beheer van de DNS infrastructuur voor .nl . Hierbij heeft hij ruime ervaring met OpenDNSSEC en verschillende open source name server software. Samen met andere leden van Team DNS binnen SIDN zorgt hij ervoor dat de wijzigingen aan .nl ondertekend en gepubliceerd worden o.a. door te zorgen dat ns1.dns.nl blijft werken. Hij heeft ook al meerdere presentaties gegeven in de DNS gemeenschap, zoals bij SIDN Techtalk, CENTR, DNS-OARC en ICANN.
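Review bot: trailing space in the `title` string (`...voor .nl "`); trim it. In the biography ".nl ." has a stray space before the full stop, and the abstract's "algoritme rollover" should be spelled consistently with the title's "Algoritme-rollover".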

View file

@ -0,0 +1,47 @@
---
categories:
date: 2023-04-10T19:21:43+02:00
description:
layout: event-talk
slug:
tags:
- nfs
title: "Tom Lyon Why NFS must die, and how to get Beyond File Sharing in the Cloud."
speakers:
- tom-lyon
---
## Abstract
One of the most important lessons learned in distributed computing and concurrency is that
**shared mutable data is a bad idea**. What is the purpose of a network file system? --
to **provide a shared mutable data space**.
There are many other problems with the NFS model at cloud scale.
NFS remains popular because its killer feature is access to large data sets,
by network-unaware applications, without having to frst copy them.
Using existing file systems, *OverlayFS*, and *NVMe-Over-Fabrics*,
we propose a new approach to achieve blazing-fast, highly scalable, and consistent access to
dynamic data sets. We solicit contributors.
## Biografie
Tom Lyon is a mostly retired computing systems architect, serial entrepreneur and UNIX Greybeard.
His most recent startup was DriveScale, which created a disaggregated server management system,
and was sold to Twitter in 2021.
Prior to DriveScale, Tom was founder and Chief Scientist of Nuova Systems,
a start-up that led a new architectural approach to systems and networking.
Nuova was acquired in 2008 by Cisco, whose highly successful UCS servers and Nexus switches
are based on Nuova's technology.
He was also founder and CTO of two other technology companies.
Netillion, Inc. was an early promoter of memory-over-network technology.
The Netillion team moved to Nuova Systems.
At Ipsilon Networks, Tom invented IP Switching.
Ipsilon was acquired by Nokia and provided IP routing and security technology
for many operator and enterprise networks.
As employee #8 at Sun Microsystems
he contributed to the UNIX kernel, led many networking and storage projects,
and was one of the NFS and SPARC architects.
He started his Silicon Valley career at Amdahl Corp., where he was a software architect
responsible for creating Amdahl's UNIX for mainframes technology.
Tom holds numerous U.S. patents in system interconnects, memory systems, and storage.
He received a B.S. in Electrical Engineering and Computer Science from Princeton University.
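Review bot: the `title` lacks the " - " separator between speaker name and talk title that every other new talk file in this commit uses (`"Tom Lyon Why NFS must die, ..."`), so any listing or slug derived from that pattern will render this entry differently; change it to `"Tom Lyon - Why NFS must die, ..."`. Also "frst copy them" should be "first copy them", and `## Biografie` should be `## Biography` on this English page. This is the only file populating `tags:` (`- nfs`); fine if intended, but the other files leave it empty.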

View file

@ -0,0 +1,21 @@
{
"id": "peter-honeyman",
"name": "Peter Honeyman",
"email": "",
"gender": "Male",
"honorary_member": false,
"nationality": "American",
"profile_page": "",
"sameas": "",
"social": {
"facebook": "",
"github": "",
"gitlab": "",
"instagram": "",
"linkedin": "",
"mastodon": "",
"mastodon_url": "",
"twitter": ""
},
"thumbnail": "/afbeeldingen/personen/peter-honeyman-200x200.jpg"
}
