[devnexus 2022] hacking the OSS supply chain

Speaker: Stephen Chin

@steveonjava

———————

Theme is security with sci fi references

Examples

  • Equifax data breach – from not patching Struts for at least two months
  • SolarWinds – hacked TeamCity instance injected
  • log4shell – zero day in log4j core. Affected almost all systems. Could send a class file and have it execute on the server
  • spring4shell

Binary repos

  • Which do you trust?
  • npm, pypi, rubygems, maven central
  • Like picking up thumb drive off sidewalk and plugging into your production server

Dependency confusion attack

  • Sci fi – Matrix – agents disguised themselves as other people
  • package mining
  • npm has no security on namespaces
  • Can use same name as a company internal package and give it a higher version number
  • If grabbing the latest version, pull the malicious package
  • When pulling from npm, announcing what package you have
  • Artifactory resolves against internal repo first. Protects even if using virtual repo which mixes public and private content
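The resolution-order point above, as an added example (my own code, not from the talk): a "highest version across all registries wins" resolver hands out the outsider's package, while an internal-first resolver does not. Registry contents and the package name acme-payments-utils are constructed sample data.

```javascript
// Added example: why "highest version wins" across registries is dangerous,
// and why resolving the internal registry first closes the hole.
// Registry contents below are constructed sample data, not real packages.

const semverParts = (v) => v.split(".").map(Number);
const semverGt = (a, b) => {
  const [x, y] = [semverParts(a), semverParts(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] > y[i];
  return false;
};
const latest = (versions) => versions.reduce((m, v) => (semverGt(v, m) ? v : m));

// Internal registry: the company's private package, modest version number.
const internalRegistry = { "acme-payments-utils": ["1.4.2", "1.4.3"] };
// Public registry: same name claimed by an outsider with a huge version number.
const publicRegistry = {
  "acme-payments-utils": ["99.0.0"],
  "left-pad": ["1.3.0"],
};

// Naive resolver: merge both registries and take the highest version.
// This is the behaviour a dependency-confusion attack relies on.
function resolveHighestVersion(name) {
  const candidates = [
    ...(internalRegistry[name] || []).map((v) => ({ v, source: "internal" })),
    ...(publicRegistry[name] || []).map((v) => ({ v, source: "public" })),
  ];
  if (candidates.length === 0) return null;
  return candidates.reduce((m, c) => (semverGt(c.v, m.v) ? c : m));
}

// Hardened resolver (the internal-first behaviour noted in the talk):
// if the internal registry knows the name at all, never consult the public one.
function resolveInternalFirst(name) {
  if (internalRegistry[name]) return { v: latest(internalRegistry[name]), source: "internal" };
  if (publicRegistry[name]) return { v: latest(publicRegistry[name]), source: "public" };
  return null;
}

console.log(resolveHighestVersion("acme-payments-utils")); // { v: '99.0.0', source: 'public' }
console.log(resolveInternalFirst("acme-payments-utils"));  // { v: '1.4.3', source: 'internal' }
console.log(resolveInternalFirst("left-pad"));             // { v: '1.3.0', source: 'public' }
```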

Supply Chain Attacks

  • Sci fi: Millennium Falcon
  • Assume dependencies built on a clean system
  • Anyone can upload to PyPI
  • About 400 zero day vulnerabilities in open source/closed source/OS, embedded systems, etc
  • Sveder uploaded library to go to his website
  • JFrog scans looking for suspicious Python code behavior
  • noblesse – “optimizes your PC for python” – steals credit cards/passwords and sends via Discord
  • pythatoras – supposed to help with calculations but does remote code execution

Namespaces

  • Sci fi: WarGames
  • Moscow – Russia and Idaho
  • St Petersburg – Russia and Florida
  • azure-core-tracing is the proper name. Created core-tracing.
  • NPM took it down once reported. At least 218 packages affected.
  • Stole personal data
  • Think bug bounty or test because minimal and not stealing credit cards
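A check for the prefix-dropping case above (azure-core-tracing vs core-tracing), as an added example that is my own and not from the talk: a proposed dependency name is flagged when it equals a known package name minus its leading vendor segment, or sits within one edit of a known name. The KNOWN_PACKAGES allow-list is constructed apart from azure-core-tracing, which the talk mentions.

```javascript
// Added example: flag dependency names that look like a known package with its
// vendor prefix dropped, or that are one edit away from a known package.
// KNOWN_PACKAGES is a constructed allow-list for illustration.

const KNOWN_PACKAGES = ["azure-core-tracing", "azure-identity", "lodash"];

// Classic Levenshtein edit distance (insert, delete, substitute each cost 1).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(
        d[i - 1][j] + 1,
        d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
  return d[a.length][b.length];
}

// Returns a list of findings; an empty list means the name raised no flag.
function checkPackageName(name, known = KNOWN_PACKAGES) {
  const findings = [];
  if (known.includes(name)) return findings; // exact match to a trusted name
  for (const k of known) {
    const segments = k.split("-");
    // Known name minus its leading (vendor) segment equals the candidate.
    if (segments.length > 1 && segments.slice(1).join("-") === name)
      findings.push(`"${name}" is "${k}" without its "${segments[0]}-" prefix`);
    else if (editDistance(name, k) <= 1)
      findings.push(`"${name}" is within one edit of "${k}"`);
  }
  return findings;
}

console.log(checkPackageName("core-tracing"));
console.log(checkPackageName("lodas"));
console.log(checkPackageName("express")); // []
```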

Pyrsia

  • Sci fi: Avengers
  • Need automated (Iron Man), trustworthy (Black Widow) and dependable (Captain America)
  • trusted binary network – secure by default, reliable (minimal outages), open
  • peer to peer
  • multi-node verification
  • reproducible build trust model

Websites

  • research.jfrog.com

My take

I hadn’t heard of all those attacks, so I learned about the Python ones. The sci fi element was a nice touch. As was the community picture with a ton of people on stage.

[devnexus 2022] the new excitement about the good old java

Speaker: Venkat Subramaniam

Twitter: @venkat_s

———————

Notes

  • Java is a passport to the world – spoke at 50 user groups in honor of turning 50
  • Celebrated Paris JUG’s anniversary in the Eiffel Tower
  • Ukrainian flag slide

Agile

  • good to say that, now talk about what you do
  • Hates the word Scrum-master – the Agile Manifesto doesn’t say SM
  • Love ceremony and rituals
  • Easy to hide from what you really do
  • Also hates the word velocity – being sustainable and producing results is what matters
  • TDD – ticket driven development
  • Agile is really feedback driven development
  • Cost of failure is low if the train leaves every 30 minutes vs planning a flight

Java

  • Java now evolving faster
  • Java 8 was game changer because of streams
  • “Java late to party but came with amazing desserts”
  • Releases used to be slow because targeted features to releases. Not agile. Want to adapt plan to reality
  • ”When will project loom be ready?” ”When it is ready”
  • Java is not being developed on a 6 month release cycle. It is being released on a 6 month cycle
  • People ask questions about a feature while you still remember writing it
  • Can learn and adopt technologies as they come out vs all at once
  • Less ceremony/redundancy

Live coding

  • pattern matching with if – smart casting
  • switch expression
  • pattern matching with switch including conditions
  • multi-line string with smart indentation (incidental whitespace)
  • sealed interface – use but don’t implement

My take

I don’t think I learned anything new, but Venkat is an entertaining and engaging speaker, so that’s fine! Good coverage of the new Java features in live coding.

[devnexus 2022] ARIA: A grande method of accessible markup

Speaker: Chris DeMars

Twitter: @saltnburnem

———————

General

  • low vision vs no vision
  • some types can be corrected and some cannot
  • memory problems included
  • Think about: hearing, visual, cognitive, movement and temporary
  • 1 billion people around the world have some type of disability
  • People don’t have to disclose they have a disability. Assume 20-25% do.

What is accessibility?

  • numeronym: a11y == accessibility
  • w3c – “people with disabilities can use the web”. better to say everyone can use the web
  • Don’t use accessibility overlays. [looked online – hack to use a tool to patch bad accessibility]

ARIA

  • Accessible rich internet applications
  • Helps AT (assistive technology) with web pages
  • One rule: don’t use ARIA. Better to use semantic markup.
  • Stop using divs/spans unless you have to. No semantic meaning. Better to be using header/nav/etc tags (vs h1/h2/etc heading level)
  • Anchor links for navigation only
  • When you have to use div/span, add ARIA

Roles

  • abstract – command, input, landmark, select, structure, widget, etc
  • widget – button, link, option, radio, tab, textbox, etc
  • document structure – article, directory, figure, img, table, tooltip, etc
  • landmark – banner, contentinfo, form, main, navigation, search
  • live region (auto updating section) – alert, log, marquee, status, timer

States and Properties

  • describe what is happening
  • aria-describedby – if need to write a lot about what an image does
  • aria-haspopup
  • aria-label
  • aria-labelledby
  • aria-checked
  • aria-disabled
  • aria-required
  • etc

WAI/ARIA

  • Want to get to level AA.
  • Bank of America, Dominos, Red Roof Inn got sued for not meeting it
  • Only get to AAA if in academia or government. Expensive. Ex: need closed captioning, ASL video, downloadable transcript, VPAS?

Other notes

  • Don’t set outline to 0/none for focus. User needs that
  • https://caniuse.com
  • https://gist.github.com/chrisdemars/e8ca7a5282ab65ea2f412776a7cf0aa3

My take

The intro was good to pull me in. As were the examples of why to use semantic tags where you can. The actual ARIA info felt a little like an info dump. I would have liked examples on a web page to see what these are/how they work. Or what the code looks like. Some was said out loud, which helped. ARIA has changed a lot since I last used it (so have front ends overall). The references to old tags like blink were fun.