pattern language for microservices – chris richardson – qcon

This is part of my live blogging from QCon 2015. See my QCon table of contents for other posts.

http://microservices.io – pattern language, best practices, etc

Gartner hype cycle

  • Docker at peak of inflated expectations
  • Node.js on it’s way down

How do we make decisions – elephant/rider analogy. The rider can try to direct the elephant, but it basically goes where want. The elephant is our emotions and the rider is our rational mind.

Pattern – reusable solution to a problem occuring in a particular context
Structure of a patern is a great framework for discussing and thinking about technology.

Structure:

  • Name
  • Context – the situation
  • Problem
  • Forces – issues need to address to solve problem; can conflict
  • Solution
  • Resulting context – consequences of using a pattern; includes drawbacks
  • Related patterns – patterns that solve subproblems created by using pattern or related solutions to original problem

Pattern language – collection of related patterns – from Christopher Alexendar fom architecture

Core Patterns

  • Monolithic architecture – traditional way of building an app, simple to develop/test/deploy/scale. Successful apps grow. Then have millions of line of code in one war file and beyond comprehension. No longer agile. Much fear. Infrequent deployments. Overloads IDE and container. Can’t scale. Too much coordination and communication required just to deploy. Fores into long term commitment to tech stack. Works really well on small apps because can move incredibly fast.
  • Microservice architecture – apply functional decomposition – scale by splitting simiar things and/or different things and/or horizontal duplication. Amazon needs 100 microservices to render a page. Smaller/simpler apps. Lss jars/classpath hell. Easily and safely experiment with different techs. Opposite of release train. Low risk because small. Drawbacks: more complexity, inter-process communication, partial failure

Communication Patterns
What does client talk to when services distributed. API gateway is common to do request routing and API aggregation.
How do services with system communicate? Syncronous or messaging API?

Deployment Patterns

  • Multiple Services per host – older approach. Like when servers were like pets and kept them alive forever efficient resource utilizatio, fast deployment, poor isolation, risk depenency version conflicts, can’t constrain resource use. Some benefits, but lots of downsides
  • Single service per VM host – Netflix does this- great isolation/manageability, detailed metrics on resources using, resources constrained, less efficient resource utilization, slower deployment because creating new VM
  • Service per container host – like Docker images, great isolation/manageability, container encapsulations implementation tech, efficient resource utilization because virtualizing OS. Fast deployment. Immature infrastructure for deploying containers

Discovery Patterns
For identifying microservices

java 8 in anger – tricia gee – qcon

This is part of my live blogging from QCon 2015. See my QCon table of contents for other posts.

This session was from the Java Sig. It’s a repeat of the conference session I didn’t attend then since I knew I’d see it here.

Java 8 has lots of new features, but people think of streams/lambdas. This session isn’t slides. It’s building a real app live. Trisha starts with an architecture diagram – small serivces and MVC layer. They aren’t microservices because they aren’t reliable. Then she has a sketch of the screen.

The code is on github.. The master branch is the whole app. There’s also a skeleton branch if you want to try it/play along. The page for this presentation has slides and video.

The Java 8 features I see go by:

  • Stub Service uses a Supplier for generating random numbers.
  • JavaFX for basic UI. [I’m not familiar with JavaFX.]
  • Compute if absent and method reference:
    map.computeIfAbsent("key", TwitterUser::new);
  • Streams, comparators
    map.values().stream()
    .sorted(Comparators.comparing(TwitterUser::getTweets)
    .reversed()).limit(10).collect(Collectors.toList();
    
  • JavaFX
    laterPlatform.runLater(() -> items.setAll(x));
    
  • JavaFX comes with built in animation
  • Date/time to get current minute
    LocalDateTime.now().getMinute();
    
  • Loop from to y
    IntStream.range(0, 10).forEach(this::method);
    

    This coud be better or worse than a regular loop in terms of readability or performance.

  • Read fileStream
    lines = Files.lines(path);
    
  • Filter:
    lines.filter(s -> !s.equals("Ok"));
    
  • Check on stream:
    lines.peek(s -> method())
    
  • Convert array to stream, map
    functionStream.of(arr).map(String:toLowerCase)
    
  • Join strings with delimiter in between
    stream.collection(joining(",")
    

Intellij

  • automatically shortens to simplest thing that could work making code a method reference or lambda.
  • Keyboard shortcut to use appropriate functional interface. Complicated shortcut, but nice function

bitcoin and blockchain – olaf carlson – qcon

This is part of my live blogging from QCon 2015. See my QCon table of contents for other posts.

primary risk isn’t with the protcol; it’s with the security on the websites where trading takes place

hackers love bitcoin because have cash if can get into it

Identify theft

  • a lot of people try to buy bitcoin with a stolen identify
  • identity theft can be 100% virtual
  • Most common way is to steal online banking password
  • Or compromise your email
  • One password rules your whole identity
  • 7% of US resident ages 16+ are victims of identity theft in 2012. 85% involved use of existing credit card of bank account
  • Only 7% of users lost over $100
  • Payment companies have operational cost for reversals but don’t lose much. It’s merchants who eat the loss (when charge back within 60 days). If takes 60+ days, credit card user eats the loss.

Automated clearing houses not designed for internet. Hacked on after. That’s why we verify a bank account by verifying the amount of two small transactions.

Credit card is like private key. Everytime you use your credit card, it’s like handing over your private key.

Fraud detection is like wack-a-mole. Have to catch each instance of the problem. Fraud industry is like duct tape.

No incentives for bank and email to create better account security. They don’t take any loss and push liability to someone else.

Bitcoin

  • Psuedonymous – don’t know who received bitcoin
  • Peer to peer
  • Irreversable – legacy payments are pull. Bitcoin is push so can’t redebit and never learn private key
  • Instant

There’s theft – like with cash. It’s not identity theft; it’s like regular theft.

Risk moves to consumers and payment companies. For example, if have Bitcoin on computer and have malware, it can be stolen.

Many bitcoin hacks in past few years. Steal money directly. Don’t need to launder money.

Coinbase wallet architecture
Double moat model. Meant to be hard to get past the whole thing. Admin accounts have same security as user accounts have.

Assumptions and how address

  • Passwords will leak
  • Emails are compromised
  • Users will be phished
  • Computers will be left open and unlocked
  • There will be social engineering

How address

  • 2 factor on everything. Login, sending money, changing things. Send SMS message when sending money so on separate channel.
  • Rate limit to minimize danger
  • Device verification required. Must authorize to continue
  • Added five minute delay on transfering money after changing password to avoid using that token to transfer money
  • Optional vault with extra security features – time delayed withdrawals, alerts to two verified emails and confirm from both, SMS notifications, cancel at any time, banner reminders to enable,option for M-of-N management (3/5 people must authenticate)
  • Train support really well on social engineering
  • Multi-sig vault – only for technical users, key splitting architecture. cold stoarge as a service. three keys – user key, coinbase key and shared key that is encrypted key with password that only user knows. Need two of three keys to get access to bitcoin

Largest targets of phishing – paypal, google, yahoo, bank of america, wells fargo

Bitcoin aligns incentives between users, payment companies and merchants. Forces payment companies to design better security and educate users on how it works. The savings go to the users and merchants.

Q&A

  • For passport story, how figure out who was who? A lot of looking at logs. Also confirmed by phone
  • Can you take bitcoin back if theft? At moment of theft, can look at theft and see IP if leaked anything. Can’t get it back though
  • How much training for support staff so don’t open something malicious? A lot! Training and setup. Support staff all on Chromebooks so can’t open zip file anyway.
  • Can you go after attackers legally? Usually on a different continent with a different legal system
  • Bitcoin price volatility. More steady in last 6 months than in past. [that’s not long to predict future]

Impressions: great last session of the day. Liked the real examples of attacks against their compmany. And how to prevent assorted issues. I thought it would be more about the blockchain, but this was interesting too.