Speaker: Crux Conception @cruxconceptoin (pen name)
For more, see the table of contents
On walking in
- He asked what talk was in the room and teased people about giving too much info
- Also commented there is too much info (wifi password) on the badge
- Ability and talent to connect with emotion
- Can be offline or online
- We all do it. Ex: lying about what movie you want to see.
- May earn trust
- Goal is to do something or gain data
- Highly evolving method
- Teaching in college now
- Anonymous text messages with links
- Facebook messages asking where from
- Phishing – say have tickets but didn’t plan trip. Asks for employee id to confirm. Also gave up name by confirming it and said interested in going to Budapest (came from screensaver). Called you, so already know name.
- Team building – where grow up, how many siblings and unique challenge from childhood. Think about how much you disclosed and if you held anything back.
- Scenario where pen tester tries to get in building. Try to get someone to let you in. Most people say take to security or get security
- Scenario – pen tester pretends changed auto pay info and asks for employee id
- Companies have offices all over US. Try to get id number by calling Miami office and speak to receptionist then victim
Useful insider info
- Knowing how much a company would pay to recover from an attack
- Fill in the blanks
- Spoof text message numbers
- Israeli software to crack phone. Don’t even have to click link anymore. Get access to phone just by sending an SMS.
- 40% of major companies reported industrial espionage incidents in 2016
- Ex-employee stealing self driving car info from Apple. We focused too much on China. More African students in US than anywhere else.
- Leaking is making info public. Info is power. Have goal.
- Spilling is like leaking without intent.
- Sharing info at conferences. Ex: where you work.
- Russia and China trying to steal COVID vaccine research using malware and spear phishing
- Twitter hack on Obama/Biden/Bezos, etc. Trying to get money. Got data from internal employees
- Fake social media
- Steal sensitive data
- Espionage is like a double life
- Affects personality
- Traits (thrill seeking, sense of entitlement, desire for power/control) are also found in politicians and CEOs
- Helpful to be calm (see in tech a lot) and strong sense of responsibility
- May have regrets after
- Logical at the time
- More life crises because more than one personality
- When someone calls and says “is this Jeanne”, ask who it is rather than confirming
- Be cautious when people ask you a lot of questions
- No defense. Just try to avoid answering too many questions.
- Be careful if they initiate call.
- Think about info they should know. Ex: HR has employee id already
- In psych, organized means have life together.
- Psychopath – born that way. Sociopath – traumatic event started it
Crux is an ex-cop. I like that they had someone from outside development for a different perspective than we usually get. He’s a good speaker and kept it interactive. The scenarios were fun to think about.
Speaker: Shradha Khard
- Site Reliability Engineering
- Operations is a software problem.
- SRE is what you get when you treat ops as software and staff it with software engineers
- Software dev: idea -> strategy -> dev (design, code, test)-> ops(build, deploy, support) -> deliver (real world)
- Ops – maintenance, system upgrades and installs, security, compliance, cost, support help desk escalations, vendor contracts
- Conflict – dev wants new features, ops want to make sure doesn’t break
- SRE implements DevOps.
- SRE is a substream
- Ensures durable focus on engineering. Need to make sure product up and running. 50% time automate to make sure that happens
- ex: augment S3 bucket
- See how fast can make changes without violating SLO
- Error budget – metric for how unreliable a system is allowed to be
- Monitoring is not just logging in system. Need to alert and ticket too
- Change management
- Demand forecasting/capacity planning
- Efficiency and Performance
- SRE doesn’t replace DevOps people who deploy to cloud
Enabling SRE/How to Start
- Centralized SRE team (core platform, networking)
- Embedded (full team members of project team, teach devs how to manage, work with core team)
- Need same skillset as dev to be SRE
- MTTR – mean time to recovery – how long to get system healthy again. Emergency response helps with this
- Lead time to release or rollback
- Improve monitoring to catch and detect issues earlier
- Establish error budget to have budget based risk management
- SLA (service level agreement) – legal agreement. Often involves compensation if not met
- SLO (service level objective) – number which SLI should be before needing improvement
- SLI (service level indicator) – metric over time. Quantitative measure – ex: throughput, latency, error rate, utilization
- 3 nines (99.9%) – 10 minutes per week, 8.8 hours per year
- 4 nines – 1 minute per week, 52 minutes per year
- 5 nines – 6 seconds per week, 5 minutes per year
- Goals: Restore service to normal and minimize business impact
- Be able to get the people who can help solve it
- Log of events so can see when started
- Blameless post mortems
- Google book "Seeking SRE"
- Google book "The Site Reliability Workbook"
- Book: Implementing Service Level Objectives
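The error budget and "nines" arithmetic from the notes above, as an added example (this is not code from the talk or the speaker): it computes the downtime an SLO of N nines allows per week and per year, then sizes a minute-based error budget for a window and checks a constructed series of per-minute SLI samples against it. The burn-rate figure and the release_allowed rule are my own assumptions about how a team would gate releases on the budget, not something the talk spelled out.

```python
"""Error budget arithmetic for an availability SLO (added example, not from the talk)."""
from dataclasses import dataclass
from typing import Dict, List

MINUTES_PER_WEEK = 7 * 24 * 60      # 10080
MINUTES_PER_YEAR = 365 * 24 * 60    # 525600, non-leap year


def allowed_downtime_minutes(slo: float, window_minutes: float) -> float:
    """The error budget in wall-clock minutes: the (1 - SLO) share of the window."""
    if not 0.0 < slo < 1.0:
        raise ValueError("SLO must be a fraction strictly between 0 and 1")
    return (1.0 - slo) * window_minutes


def nines_table(nines: int) -> Dict[str, float]:
    """Downtime allowed per week and per year for N nines (3 -> 0.999, 4 -> 0.9999, ...)."""
    slo = 1.0 - 10.0 ** (-nines)
    return {
        "slo": slo,
        "per_week_minutes": allowed_downtime_minutes(slo, MINUTES_PER_WEEK),
        "per_year_minutes": allowed_downtime_minutes(slo, MINUTES_PER_YEAR),
    }


@dataclass
class BudgetStatus:
    sli: float                # observed availability so far: good minutes / elapsed minutes
    budget_minutes: float     # bad minutes the SLO permits over the whole window
    bad_minutes: int          # bad minutes consumed so far
    remaining_minutes: float  # budget - bad; at or below zero means the budget is exhausted
    burn_rate: float          # consumption relative to an even pace over the window (1.0 = on pace)
    release_allowed: bool     # assumed policy: ship only while budget remains


def error_budget_status(minute_samples: List[bool], slo: float, window_minutes: int) -> BudgetStatus:
    """One SLI sample per elapsed minute (True = the minute met the SLI), evaluated against
    a budget sized for the full window; elapsed minutes may be fewer than the window."""
    elapsed = len(minute_samples)
    if elapsed > window_minutes:
        raise ValueError("more samples than minutes in the window")
    budget = allowed_downtime_minutes(slo, window_minutes)
    bad = sum(1 for ok in minute_samples if not ok)
    sli = (elapsed - bad) / elapsed if elapsed else 1.0
    expected_by_now = budget * elapsed / window_minutes  # even-pace consumption so far
    burn_rate = bad / expected_by_now if expected_by_now else 0.0
    remaining = budget - bad
    return BudgetStatus(sli, budget, bad, remaining, burn_rate, remaining > 0)


def constructed_week_samples(elapsed_minutes: int, bad_minute_indexes: List[int]) -> List[bool]:
    """Constructed SLI series: every minute good except the listed indexes."""
    samples = [True] * elapsed_minutes
    for i in bad_minute_indexes:
        samples[i] = False
    return samples


if __name__ == "__main__":
    for n in (3, 4, 5):
        row = nines_table(n)
        print(f"{n} nines ({row['slo']:.5f}): {row['per_week_minutes']:.2f} min/week, "
              f"{row['per_year_minutes'] / 60:.1f} h/year")
    # three days into a one-week window, seven bad minutes against a 99.9% SLO
    three_days = 3 * 24 * 60
    status = error_budget_status(
        constructed_week_samples(three_days, [10, 11, 12, 500, 501, 900, 2000]),
        0.999, MINUTES_PER_WEEK)
    print(status)
```

A burn rate above 1.0 means the budget is being spent faster than an even pace would allow, which is the usual trigger for paging before the budget is actually gone; the release gate here is deliberately simple (any budget left) so the arithmetic stays visible.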
There was a lot of info, but easy to follow. It was great to see a structured intro vs the random things I’ve read online
Speaker: Mark Heckler @mkheck
- Developers don’t believe in magic
- Most developers are bad at debugging. Or at least not as good as they could be
- We get sloppy when we get used to thinking we know what’s happening
- Important to isolate problem and not just symptoms
- @SpringBootApplication – meta-annotation. Enables the other scanning annotations
- Starter parent pom has dependencies that have been tested together. Provided in dependency management so can choose what need
- Proved @Component still creates a @Bean
- SpringApplication.run returns a ConfigurableApplicationContext. We don’t typically use it directly, but can look into it.
- ApplicationRunner (creates prop object from args) vs CommandLineRunner (has args as array). The latter is slightly more efficient.
- @Value lets you get a property
- application.properties with wrong key name. Typo causes code not to use the value
- application.yaml – ignored; still uses application.properties because higher precedence
- Can expose a lot of info
- By default, opens two endpoints, status and one other. If want actual info, allow by privilege.
- Can expose everything via management.endpoints.web.exposure.include=* (don’t do this in prod)
- localhost:8080/actuator – see endpoints
- localhost:8080/actuator/env – see java version, list of beans, etc (so can see order)
- In IDE config, set -agentlib:jdwp=transport=dt_socket,server.. (missed the end)
- Can set config in Dockerfile.
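The two Actuator pitfalls in the notes above (a mistyped property key that Spring silently ignores, and exposing every endpoint with the wildcard include) as an added example, not code from the talk or from Spring Boot: a small Python lint over an application.properties file that flags near-miss management.* keys and sensitive endpoints reachable over HTTP. The set of known keys and the list of sensitive endpoints are a hand-picked subset I assume here (env and beans are the endpoints the talk browsed; the others are my additions), the assumed default exposure is health only, and the three sample configs are constructed.

```python
"""Lint a Spring Boot application.properties for silently ignored keys and Actuator over-exposure
(added example, not from the talk or from Spring Boot)."""
import difflib
from typing import Dict, List, Set, Tuple

# Hand-picked subset of real Actuator property keys; assumed here, extend as needed.
KNOWN_KEYS = {
    "management.endpoints.web.exposure.include",
    "management.endpoints.web.exposure.exclude",
    "management.endpoints.web.base-path",
    "management.endpoint.health.show-details",
}

# Endpoints that reveal environment, configuration or runtime internals. env and beans are the
# ones browsed in the talk; the rest are my additions. None belong on a public listener.
SENSITIVE_ENDPOINTS = {"env", "beans", "configprops", "heapdump", "threaddump", "mappings"}

Finding = Tuple[str, str]  # (code, message)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value or key: value, '#'/'!' comments; no line continuations."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
            continue
        sep = min(seps)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def _csv_set(value: str) -> Set[str]:
    return {item.strip() for item in value.split(",") if item.strip()}


def lint(text: str) -> List[Finding]:
    props = parse_properties(text)
    findings: List[Finding] = []

    # 1. Keys that look like a known management.* key but are not: Spring ignores them without
    #    complaint, so the value never takes effect (the talk's mistyped-property case).
    for key in props:
        if key in KNOWN_KEYS or not key.startswith("management."):
            continue
        close = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.8)
        if close:
            findings.append(("TYPO_KEY",
                             f"'{key}' is not a known key and is ignored; did you mean '{close[0]}'?"))

    # 2. Exposure. Assumed default: only health is web-exposed (older Boot versions also add info).
    exposed = _csv_set(props.get("management.endpoints.web.exposure.include", "health"))
    excluded = _csv_set(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in exposed:
        findings.append(("WILDCARD_EXPOSURE",
                         "include=* exposes every Actuator endpoint over HTTP; restrict to health,info in production"))
        leaked = SENSITIVE_ENDPOINTS - excluded
    else:
        leaked = (exposed & SENSITIVE_ENDPOINTS) - excluded
    if leaked:
        findings.append(("SENSITIVE_EXPOSED",
                         "sensitive endpoint(s) reachable over HTTP: " + ", ".join(sorted(leaked))))
    return findings


# Constructed sample configs.
WEAK_CONFIG = """
# everything exposed: handy while debugging locally, not for production
server.port=8080
management.endpoints.web.exposure.include=*
"""

TYPO_CONFIG = """
# one dot missing: Spring never sees this key, so the default exposure stays in effect
management.endpoints.webexposure.include=health,info
"""

FIXED_CONFIG = """
management.endpoints.web.exposure.include=health,info
management.endpoint.health.show-details=when-authorized
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("typo", TYPO_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint(cfg) or "clean")
```

The typo check only covers keys in the hand-picked KNOWN_KEYS set, so a production version would load the full key list from Spring Boot's own configuration metadata; the exposure check reads only application.properties, so with an application.yaml alongside it (the lower-precedence file in the talk's example) you would merge the two before linting.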
You don’t know. You can suspect and hypothesize, but not assume.
I like that Mark showed Spring source code to show what was happening. It took a long time to get to the first thing that went wrong (missing property). (40 minutes in; another session was already applauding by then). Once he got to that part, I started learning stuff. Mark also seemed rushed for the end and that info went too fast for me. (Combo of it being new and I think he was going faster) Also, using the audience members as names in the example was fun.