[devnexus2022] help your boss help you

Speaker: Ken Kousen

Twitter: @kenkousen

Link to table of contents


  • Target audience: professionals who don’t want to move to management

Conflicting Wants

  • Conflict with manager is inevitable because want different things.
  • Intrinsic motivations include autonomy, using strengthens, promoting learning/development
  • As get older, care more about intrinsic needs
  • Want respect/rewards, but not accidentally getting promoted into management
  • Management wants those things, but only if they make money
  • Management evaluated differently. Costs matter.
  • Priorities/incentives overlap but are different
  • Money includes budget, resources, personnel. Management cares way more about these things than we do. Higher the levels of management think about these even more than your direct supervisor
  • If technical problem goes up high enough, conversation about cost – fine, people, etc. The problem itself is secondary
  • Try to operate in intersection, but acknowledge discrete parts still happen

Why managers bad at job

  • Our supervisors are on lowest rung of management
  • Many places, switch job from technical to management so new to role
  • Ambitious managers already looking to leave job and move up
  • Everyone needs to show confidence and look like know what doing to be trusted with project. Which is very different than school where get called out if wrong.
  • Not as technical as employees, especially senior ones.
  • Their job isn’t to be a technical person. Others work full time on being technical.
  • Know not great at managing yet. We have to train them to become better at their job
  • Rookie managers don’t know what is worth discussing vs rubber stamping

Learning in software

  • Imposter syndrome is extreme of this
  • Professionals working at limit of what know. If well defined, can be outsourced. Don’t need a professional.
  • Hard to make leap to OO. We’ve done so long we don’t remember not knowing.
  • ”Everything in math is arithmetic because know it already”


  • Build professional relationship for as long as work together
  • Establish trust that manager will fight organizational battles, look out for best interest, defend when problems arrise
  • Consider your manager an ally at a higher level so listened to by other people at that level
  • Manager needs to trust you to do your job to the best of your ability or let them know about a problem while still early enough to replan/manage problem. Manager can help you figure out a plan.
  • Know your manager and whether can tell about mistakes honesty or if it will backfire
  • Manager needs you to support their decisions, at least publicly.

Constructive loyalty

  • This is why a high level person brings in their own people
  • Goal is not to do everything they tell you, not following blindly,
  • Can do nothing or leave. Or…
  • Alternative is a long term solution and may not work. May have to tune to circrumstances. Better than doing nothing or leaving.
  • Only two messages want to give your boss: ”I got this” (confidence, will take responsibiity) and ”I got your back” (will support publicly, say ”we”)
  • Manager knows you don’t know how to do a task when given to you. Need to know when you talk about ”impossible” when real vs venting
  • When manager’s manager asks about a problem, say ”we”. Have team own it. Manager’s manager is a manager and knows what you are doing/will view it as loyalty
  • Part of your job is to make your manager look good to their manager. Do not violate this. Your manager will know who said it.
  • Instead say, ”I think you are wrong, I’d like to appeal to X” and go together. They will likely backup boss and then you listen. Should be issue, not crisis.


  • Respond to requests as fast as practical.
  • Manager doesn’t care that busy and wait for a response.
  • Email template to any long term/open ended request, ”I don’t know, but . Here’s what I do know/think/would go to find out. Do you want me to look into it”. This lets you know if it was a gut reaction thing or a request to spend time on it at the expense of what you were originally doing
  • Gets manager a response quickly and gets off your plate
  • Most of the time, the manager doesn’t want you to spend time on it
  • A good enough answer today is better than a great answer next week

Prisoner’s Dilemna

  • Book: Evolution of Cooperation.
  • Can play at ncase.me/trust
  • If only one iteration, makes sense to defect
  • Tit for Tat is a top strategy – cooperate on first move an play opponent’s previous move. Favors cooperation. Retaliates/forgives immediately
  • Cooperation can emerge naturally as long as both parties recognize will be doing this again.
  • Pushing back against manager is scary the first time. Gets easier.
  • Retaliation doesn’t have to be symmetrical/job not symmetrical. Can be a conversation with your manager and discuss/negotiate privately and then go back to work
  • Balance. Cooperation (I got this), retaliation (push back), forgiveness (back to work)


  • Builds up evidence that you are unhappy an tried to deal with it
  • Don’t want to surprise manager that leaving. Want change to make it work
  • For business conflicts, not harassment.
  • If doesn’t work, would have left anyway
  • Words used for push back, vary by person. Try on something small. ”Hey, I’m not happy about x”

Your Boss is not your Friend

  • This is a trap
  • Don’t want to be surprised/hurt when make decision against you.
  • Will overshare. Could lose opportunities

Your boss is not your Enemy

  • Expensive to replace you
  • Boss looks bad if let you go


  • Can’t fix micromanagement. Will work out because can’t do management while doing your job
  • Flat org is thought of a feature, but means low regard for management skills. Someone needs to do job. Whomever decides your future is your manager regardless of title.
  • Important to meet every few weeks. Regular interactions necessary
  • “That turns out not be the case” or ”I can see why you might think that” – good phrases for saying wrong

My take

I really need to read the book. I own it, but haven’t gotten to it yet. The talk was great and relatable I definitely need to read the book. I like that there were a lot of stories. I was definitely able to tie them to eamples of things I’ve experienced. Only problem is that Ken ran long and I was late to the next session.

[devnexus 2022] java and ransomware

Speaker: Steve Poole

Twitter: @spoole167

Link to table of contents


Ransomware crimes

  • robbery
  • blackmail
  • extortion
  • revege
  • murder – ex: hospital attacks


  • files gone
  • files corrupt
  • unexpected files on system – obvious so believe it is real
  • prevent logging on
  • threats to delete or publish data
  • link to cryptocurrency wallet and amount – hard to trace

How get into system

  • Phishing – Impersonate boss, etc. Significant targetted social engineering. Understand business/context. Attachment with malware
  • Malware – mostly Windows
  • Government #1 target. Then education/services/health care/tech/manufacturing/retail/utilities/finance
  • Target single company or org. Look for poor security hygene
  • Vulnerabiliteis/CVEs
  • Suply chain attacks
  • Remote code execution

Once have access

  • Pull encrypton keys
  • Encrypt files not used often first
  • Then encrypt files used in memory so works until restart
  • Gigabytes/terrabytes of data – takes time
  • Would notice if network got slow so sneaky
  • Copy critical data out disguised as normal traffic. Hide in other payloads
  • Sometimes responses to ”legit” request
  • Almost always via botnets
  • Paying helps fund more
  • Rare to shut down. Instance of giving up decryption keys when one group folded


  • Data kidnapping – pay or release data
  • Blackmail – dirty payments, porn
  • Revenge – disgruntled employee, cripple systems
  • Competitor – wipe you out/steal secrets
  • Worse – weaponsized attacks from nation states
  • Some of these cases do not intend to give data back
  • Cybercrime beat drugs in value
  • Ransomware is worth 6 trillion


  • Can be test case to see if can get in
  • Goal is to infiltrate infrastructure and essential serices quietly so can manipulate/terminate when need
  • Break supply chain


  • Used to wait for vulnerability to be announced and build attack. Now create own.
  • Open source repo attacks – attempts to get malware into source
  • Typosquatting – lookalike domain/dependency with minor typo
  • Build tool attacks – attempts to get malware into tools tat produce dependency
  • Dependency confusion – later version ex ”latest”
  • Designed to stay hidden until needed


  • Dependency confusion, typosquatting and malicious code injection increased 650% in 2021
  • New world – state funded, professionally developed, regularly exercised very sophisticated and exeremely lucrative
  • Could even be someone at conference – have to gain the skills


  • Being out of action
  • Recovery
  • Data loss – data recovery never 100%
  • Human cost – finger pointing, guilty feelings, feeling of being invaded/not trusting security systems
  • Data integrity – can modify/inject data when return



  • Still lots of log4j downloads (thru 4/11/22)
  • 36% on a day in April were vulnerable
  • Need right tools – check dependencies, not just your pom or in fat jar
  • Try dependabot
  • Write test cases and see if your tool can find

My take

Good collection of info and supporting data. Wrapped in a compelling story. Security talks are often scary and first conference in a while provided more time for bad things to happen!

[devnexus 2022] typescript for the busy java developer

Speaker: Orlando Valdez


Link to table of contents



  • All JavaScript is legal Typescript
  • Developed/maintained by Microsoft. Other contributors like Google
  • tsc – like javac – transplies to Javascript
  • tsserver – for IDE and editor support language services. Standalone server
  • .ts extension
  • Type analysis system


  • Install from VS Studio or npm
  • npm install -g typescript


  • Version: tsc –version
  • Create project: tsc –init (creates tsconfig.json file)


  • target – JS language version
  • module – module name
  • rootDir
  • outDir
  • sourceMap – whether to create a source map for emitted JS
  • strict – whether to enable strict type checking. Recommended for new projects. If migrating from JS, can use more fine grained flags as make more typescript like


  • Can define same class twice.
  • Can create “any” type – discouraged for new projects. Used for migration. Prefer “unknown” type instead. Can’t use until type is known. Ex, casting: x as {a : boolean}
  • null is different than undefined
  • never determines a value is unreachable so can’t use
  • can use linter to follow team standard on semicolons (inconsistent in the talk and notes below)
  • Some unexpected things because valid JavaScript still works
  • If can return null show return type as X | null
  • flow analysis for determining if a type is known
  • Tag/discriminating property – constant literal with same name and unique value across types. Use tag if own object/API

Sample code

class Foo {
  x: String; 
  y: number = 12; // type is optional (can infer based on value)

let bar = new Foo()
const a - 40

const arr = ["hi", "hello"]
const tuple = { x: "y"}

function error(message: string | number): never { // never returns

if (typeof stringOrNumber === "string") {}

enum Foo {
 Up = "UP";

type ID = number // alias - lets use domain language. can use for more complex entities like  a tuple. can be alternative to create a class

type Bird = Animal & { flights: boolean } // intersection

interface Foo {
 name: string
 hi: () -> void /// function that takes nothing and returns void

interface Sub extends Foo {} 

interface Foo {  // can add properties to an interface that already exists by redefining it (even if don't have access. can also extend an enum
  color? : String // optional property
  readonly id: number
  status : "new" | "done"

type K - string | number | null //union type. can only use if shared properties. otherwise we need type guards (typeof check)

if ('id' in result) // checks if property is defined. also narrows down type so might be able to determine real time and not just that has id

obj['prop'] // don't know type or even if exists

function genericGetProperty<T, K extends keyof T>(obj:T, propName: K) { //keyof returns keys of all props in object. the generic function won't allow you to pass invalid property name. return type is known so variable assigned to is also correct type
  return obj[propName]

let str = `Template: ${language} // multiline and interpolations

type messages = // can use to generate all combinations of a parmeterized message
 | "learn X"
 | "learn Y"

My take

This was cool. A lot of info, but easy to follow. It built up in a way that I was able to read the code as more things got added. This was a great session!