unifying banks & blockchains at coinbase – live blogging at qcon

Unifying Banks & Blockchains @Coinbase
Speaker: Jim Posen

See the list of all blog posts from the conference

Coinbase converts between blockchain currency and traditional/fiat currency. Started doing that in 2012. Then added support for European banks in 2014. Then in 2015, added an exchange.

In 2016, the Rails app was becoming a problem and the Bitcoin logic started to degrade. Created the first microservice at that point. Now supports multiple currencies. Still maintains the monolithic Rails app.

Bitcoin

  • definition – Bitcoin is a scarce digital asset and a protocol for transferring the asset over the internet. “Email” is overloaded in the same two ways (the message and the protocol).
  • Public transaction ledger
  • About 30 minutes for transactions to clear – regardless of hours and holidays
  • Irreversible payments

Coinbase architecture

  • Uploads a batch file daily to the originating depository financial institution (ODFI). It clears through the ACH operator to the receiving depository financial institution (RDFI), and the receiver receives the funds
  • The RDFI has 24 hours to return for insufficient funds
  • Then the receiver can challenge/return for up to 60 days – an important consumer protection, but a challenge
  • Bitcoin uses a gossip protocol where nodes talk to other nodes

More happened after I left. The session was good. I had a hard stop today and had to leave.

removing friction in the developer experience – live blogging from qcon

Removing Friction in the Developer Experience
Speaker: Adrian Trenaman

Started with a funny story explaining that his talk was about removing red tape and bureaucracy, compared to TSA/immigration.

Goal: minimize the distance between hello world and prod. Need to be able to deploy quickly and safely, and own it in prod

Developer hierarchy of needs

  1. self-actualize – get stuff done and have cool stories that impress your friends
  2. perks – foosball, beanbags, free food – we don’t work for treats. A bit like the breakfast buffet at a hotel: love at first, but then meaningless
  3. basics – laptop, wifi, VPN, food, standing desk, screen, warmth, light

Good software org

  • Teams of 3-7
  • Departments of 16-24
  • Leaders, not managers – leaders who code: 85% of their time as a lead, 60% as a director, 15% beyond that
  • DevOps, ownership, open source

Work is hard – like pushing up a hill. Friction is a force that pushes back when you try to do something

Friction: Staging/Testing environments

  • Too many such environments. Waste
  • In the physical world, draw a map of the area and one continuous line of what you need to do in order to complete the job. The resulting spaghetti diagram shows wasted effort.
  • Doing this on the environments shows the number of people deploying and the number of deployments. Helps highlight handoffs between groups of people – dev, QA, deployers.
  • Muda – waste in the process – intellect (building environments), overprocessing (retesting in multiple environments), rework (environments never match prod), inventory (commits held up), transportation (deliveries to prod), motion (commit/deploy cycles), waiting (held up on someone else) and overproduction (fewer, big-bang releases)
  • Instead deploy directly to prod – dark canary (see if it works), canary (one of X servers has the new code), release (all servers get the new code), rollback (if needed)
  • Think of the team as a startup providing services to other dev teams
  • Teams need secure, unfettered control of their infrastructure. Break the master account down into sub-accounts. Also helps with the cost model because you can see which teams use what. Some teams need everything locked down, but not all do.

Friction: Forced technology choices

  • Voluntary adoption – let people choose technology. If successful, more will use it. If nobody is using it, that's a sign to stop using it
  • Looks like chaos, but it creates an environment where people can make their own choices
  • Standards and recommendations on GitHub: https://github.com/gilt/standards
  • Continuum of adoption by role, and voluntary adoption.
  • Eventually converges on a set of norms

Friction: Fear of breaking all the things

  • Knowing you're going to prod makes one cautious
  • Gilt is LOSA – lots of small apps – aka “micro-frontends”. Each page is considered its own app
  • Gives confidence that you can’t break checkout by changing the product page

Friction: Forced team choices

  • Nothing worse than working with people you don’t like
  • Leader locks down the product manager, tech lead, etc.
  • Pitch and let people sign up
  • Somehow this works and everyone wants to be on the team. Everyone picks in a room on a board so you can see if too many people have the same skill set or there are too many junior people. Ultimately the tech lead chooses. Can negotiate: will do the unsexy work if I can also work on X. If nobody wants to work on a project, think about why you can’t get people excited about it. If it is operational work, it can be spread across teams.
  • Teams stay together 12-18 months. Better to bring work to the teams than to self-select teams every few months

Friction: Distractions

  • Coding is the primary activity
  • Everyone likes being in flow
  • Red Hot Engineer – one person is in charge of problems/distractions for a few weeks. If it's quiet, they can read a book or whatever
  • Minimize meetings – they have 2.75-5 hours of meetings a week. Ask at the end of a recurring meeting if it was useful and if it should meet again.

Measure how you're doing and compare over time – delivering value, fun, ease of release, health of codebase, whether learning, missing, are we players or pawns, speed, suitable process, support, teamwork

lessons learned from fighting nation states in cyberspace – live blogging from qcon

Lessons Learned from Fighting Nation States in Cyberspace
Speaker: Dmitri Alperovitch

Dmitri and his team uncovered the 2016 DNC hack – not the focus of the talk because it's not that technically interesting
Focus on collecting a lot of data and applying AI to big data
Store data in ThreatGraph (their product) and Apollo/Hadoop

Today’s threatscape

  • Whatever business you think you’re in, you’re in the security business – hacktivists, money, etc. If you have nothing of value, why are you in business?
  • In the past, only government entities had to worry about nation-state attacks. Now commercial entities have to protect IP and info.
  • Examples of China stealing weapons designs from the United States.
  • North Korea using ransomware attacks – largely in South Korea – to fund weapons
  • Once you use a cyberweapon, others can use it. Ex: WannaCry is a good example of reuse.
  • Inserting fake data in real data makes it hard to determine what is true.
  • Track over 40 different threat entities in China, over 10 criminal entities worldwide, 6 activist groups worldwide, 8 in Russia and a few others around the world. Code names have an animal last name – Chinese pandas, criminal spiders, etc. The analyst who discovers it picks the first name.
  • Criminal actors are opportunistic. They will move on if it costs too much to attack you. Nation states are more like a dog with a bone. They aren’t giving up because only one source has the information.

War stories

  • Hurricane Panda (China) – Focus on telecom for economic espionage to benefit China.
    • Webshells – web scripts to get control of web servers. They get one onto the web server and can then use a browser to run any command via GET requests. Typically the script is password-protected so it doesn’t return anything unless the right password is supplied – prevents scans from finding it. The attack went undetected for a year. Stole credentials and tried to remove evidence. Persisted after the attack was remediated.
    • Sticky keys – modify a Windows registry key and then you can get in without the admin password. Ex: the on-screen keyboard runs before login. If you tell Windows to run a debugger for it first, you get a command prompt with full admin privilege
    • Only need a PowerShell command to steal credentials.
    • Once fixed, they got thrown out in minutes. Started making typos as they rushed. Continued trying to get in for four months.
    • Then they found a zero day to get admin access to the machine
    • Then they finally went away and found a new victim. Dmitri’s company repeated the pattern.
    • CrowdStrike won. (article) – hackers moved on if they saw CrowdStrike software on the server
  • A large defense company noticed a problem but couldn’t figure out how they got in. CrowdStrike was asked to find the malware, but there wasn’t one. The problem was that the RSA SecurID two-factor keys were compromised. Chinese threat actors stole the seeds for the tokens. RSA said they would send the seeds to the company rather than storing them. However, the Chinese stole the seeds from the company directly and could VPN in using two-factor.
  • Cloud VM data theft. Again no malware. The adversary had stolen API keys.
  • Other attack methods to get into an environment: phishing; embed PowerShell in a .lnk (Windows shortcut file) and make the .lnk file look like a Word doc or PDF
  • Bypassing Windows Access Control is a bunch of steps. But there is an open source tool to do all of it
  • Anti-forensic methods – delete log files, wipe data to obfuscate their activity.
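The sticky-keys persistence in the Hurricane Panda story works by registering a "debugger" for an accessibility binary in the registry, and the logging lesson from the talk is to watch for exactly that kind of write. As an added example (not from the talk, CrowdStrike, or this blog), here is a small detector over constructed registry value-set events in a hypothetical Key=value export format: it flags a Debugger value under Image File Execution Options only for the binaries the logon screen can launch, so a developer's legitimate IFEO entry on some other program is not an alert.

```python
import re
from dataclasses import dataclass

# Accessibility helpers Windows can launch from the logon screen, i.e. before anyone has
# authenticated. A Debugger value under their IFEO key makes Windows run that "debugger"
# instead, with SYSTEM privileges (the talk's on-screen-keyboard / sticky-keys case).
LOGON_SCREEN_BINARIES = {
    "sethc.exe", "osk.exe", "utilman.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Matches <IFEO key>\<binary>\Debugger, case-insensitively (registry paths are).
IFEO_DEBUGGER_RE = re.compile(re.escape(IFEO_KEY) + r"\\([^\\]+)\\Debugger$", re.IGNORECASE)

@dataclass
class Finding:
    host: str      # machine the event came from
    image: str     # process that wrote the value
    target: str    # hijacked accessibility binary
    debugger: str  # executable Windows will now launch in its place

def parse_event(line: str) -> dict:
    """Parse one 'Key=value; Key=value' registry-set event (hypothetical export format)."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def find_ifeo_hijacks(lines):
    """Return a Finding for every Debugger value set under IFEO for a logon-screen binary."""
    findings = []
    for line in lines:
        ev = parse_event(line) if line.strip() else {}
        if ev.get("EventType") != "SetValue":
            continue
        match = IFEO_DEBUGGER_RE.search(ev.get("TargetObject", ""))
        if match and match.group(1).lower() in LOGON_SCREEN_BINARIES:
            findings.append(Finding(ev.get("Host", "?"), ev.get("Image", "?"),
                                    match.group(1).lower(), ev.get("Details", "")))
    return findings

# Constructed sample events, not real telemetry: an IFEO entry for a developer debugger on
# notepad.exe (not flagged), unrelated registry noise, and two logon-screen hijacks.
SAMPLE_EVENTS = """\
Host=ws01; EventType=SetValue; Image=C:\\Tools\\dbg.exe; TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\Debugger; Details=C:\\Tools\\dbg.exe
Host=ws01; EventType=SetValue; Image=C:\\Windows\\explorer.exe; TargetObject=HKCU\\Software\\Classes\\Local Settings\\MuiCache; Details=Notepad
Host=srv07; EventType=SetValue; Image=C:\\Windows\\System32\\reg.exe; TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger; Details=C:\\Windows\\System32\\cmd.exe
Host=srv07; EventType=SetValue; Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe; TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger; Details=C:\\Windows\\System32\\cmd.exe
""".splitlines()
```

Running `find_ifeo_hijacks(SAMPLE_EVENTS)` returns the two srv07 events and nothing for ws01; in practice the same check is worth running against a periodic export of the live IFEO key, not only against write events, since a host that was already modified before logging started will never emit the event.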

Lessons learned

  • Windows is scary 🙂 [seriously though; the talk focused on Windows – presumably their expertise]. Someone asked about this and Dmitri said 95% of intrusions occur on Windows.
  • Embrace visibility/logging and AI – you will always be behind if you're only trying to find the last attack. Aggressive logging for all systems helps. Anomaly-based algorithms help find the unknown
  • Leverage peers – work with other entities and share information
  • Hunt for the adversary – think about what you would do if you were the adversary