applying java 8 idioms to existing code – trisha gee – qcon

For more QCon posts, see my live blog table of contents. Last year, she talked about creating new apps in Java 8. This year is about migrating to Java 8 for “legacy” code. She showed specific JetBrains IDEA features. I just took notes on the concepts that are IDE agnostic. Presentation will be at bit.ly/refJ8

Usage from audience poll

  • About half compile with Java 7
  • About half compile with Java 8
  • About a quarter (half of Java 8 people)  compile with Java 8, but apps still looks like Java 7

Why use Java 8

  • Performance improvements in common data structure
  • Fork/Join speed improvements
  • Changes to support concurrency
  • Fewer lines of code – less boilerplate
  • New solutions to problems – more elegant/easier to write code
  • Minimize errors – ex: Optional avoids NullPointerException

Before refactoring

  • Make sure have high test coverage
  • Focus on method level changes – tests should still work
  • Have performance tests too to ensure not negatively impacting system
  • Decide on goals – performance? clearer code? easier to write new code? easier to read new code? use lambdas because team used to it? developer morale?
  • Limit the scope – small incremental commits. Don’t make change that will affect whole code base.

Straightforward refactoring of lambda expressions

  • Predicate, Comparator and Runnable are common places where might have used anonymous inner classes and can switch to lambdas
  • IDEs suggest where can replace code with lambdas (SonarLint does as well)
  • Quick win – reduce old boilerplate
  • [She didn’t talk about this, but it will make your code coverage go down. Make sure your management doesn’t worry about that!]
  • Lose explicit type information when use lambda. Might want to extra to method to make it clearer and call the method from the lambda.

Abstract classes – candidates for lambdas

  • See if can use an interface (if single abstract method) so can start using lambdas
  • Tag with @FunctionalInterface to make clearer
  • Then look at implementers (especially anonymous inner classes) and see if can convert to lambda expressions

Conditional logging

  • if (debug) { log.debug() } pattern is a good candidate for logging
  • Often people forget to add that conditional so opportunity to defer evaluation for those too via search/replace. Also, protects against conditional not matching log level. if (debug)  { log.severe() }. Uh oh!
  • Use a default method on the existing logging interface that takes a supplier instead of a String and has the if check

Collections and Streams API

  • Turn for loops into collect() or forEach()
  • Remember you can call list.forEach() directly without going through a stream
  • If do something like get rid of initial list size, test performance before and after to make sure not a needed optimization
  • The automatic streams refactoring might not result in shorter code. Think about whether the surrounding code wants to be refactored as well. A more dramatic refactoring. Go back to later. Also, avoid refactoring if and else code since not  a simple filter.
  • Remember to include method references when converting code too
  • Watch for surrounding code. For example, if sorting a list, move into the the stream. Or if iterating over new list, add as a forEach instead of turning into a list.

Optional

  • Be careful. Refactor locally.
  • Easy to accidentally change something that requires changing a ton of code.

Performance

  • Lambdas expressions don’t necessarily perform better than anonymous inner classes. Similarly for streams.
  • Using lambdas to add conditional logging is a big quick win performance improvement.
  • Streams didn’t need the “initial size of list” optimization
  • Adding parallel() to stream operations sometimes performs better and sometimes worse. Simple operation often performs worse in parallel because of overhead of parallelizing.
  • Introducing Optionals increases cost.

Java 7 refactorings

  • Use static imports
  • Reudndant type in diamond operator for generics

the bad things happen when you’re not looking – ryan huber – qcon

See the live blog table of contents. Gist is posted at https://goo.gl/ZAxCnH (github login required)

Ryan was the first security employee at Slack. He is doing an experiment where red slides means don’t take pictures or tweet about the slide. I really like that idea. It makes speaker intent clear.

How find out about a problem

  • Don’t want to find out from Brian Krebs that you’ve been breached
  • Don’t want hackers to tell you something strange is going on. They are done at that point and are showing off
  • Even worse – don’t notice

General Notes

  • Time to detect is important metric
  • Credential theft is biggest/one of the biggest
  • Goal – watch as many things as possible, but don’t be a dashboard. Want as little as possible on the dashboard. If it is mostly empty, things will get noticed when they are there.
  • Bad model – NetCool – train people to acknowledge all alerts and they miss things because bad habit
  • The defender’s advantage – if the attackers don’t know what you are looking for/trip wire, they dont know what to avoid
  • “Zero days are not invisibility cloaks” – other boxes can pick up on it
  • The hypothetcial malicious insider – a former security team member has a lot of knowledge. And an insider with credentials has access
  • Don’t overwhelm users. Confirm bulk actions in bulk not one at a time.
  • Canaries – need to validate monitoring, recording, etc.
  • Do table top red team exercises if not doing real ones.

Slack Security

  • Setup reliable logging platform
    • RELP (reliable event logging protocol)
    • steamstash/logstash -> Elastic search (Splunk is superior but costs more)
    • Two weeks of data is about 2 terrabytes of logged data. Almost never sits on disk
  • auditd – part of Linux. Run auditctl commands and kernel looks for matching events.
  • audisp – works with auditd to transform data
  • osquery – Facebook project for system monitoring using SQL
  • ElastAlert – yelp project to pick up on ElasticSearch events. Does queries on a timer against Elastic Search.
  • AlertCenter – have SecurityBot looking at alerts. Security bot posts to Slack asking user to type “acknowledge” on phone to confirm action. That way, know have phone and not just Slack account. If no reply in X hours, goes to Pagerduty. Automated triage to avoid flood of data. Instead of security team looking at all alerts, whole company is helping. This means the security team responds to less than 5 alerts a day.

Rules

  • Listeners – specific events
  • Time awake – nobody is awake for 24 hours. Trigger an alert when this happens
  • GeoIP – Doesn’t work perfectly. T-Mobile has feature that can travel abroad without paying roaming. This works by routing some traffic through Texas so your location keeps jumping between Texas and aboard
  • IPs – less unique IPs than you’d think. Worth looking at when user comes from new IP.

security war stories – shuman ghosemajumder – qcon

For my other blog posts on QCon, see the live blog table of contents. Shuman is from ShapeSecurity and used to be the “Click Fraud Czar” at Google – which protects AdWords from malicious users.

  • “Computer security is like broccoli. You know you should have it but would rather have chocolate”
  • “My objective today is not to scare you, but it doesn’t necessarily hurt”
  • “If I were legally responsible for the security of the software I wrote, I would quit my job immediately … and probably move to a non-extredition country” – anon at QCon

How make completely secure

  1. Get rid of business model
  2. Don’t connect to internet

Security is relative – really about tradeoffs

History

  • 1903 – Marconi showing telegraph at Royal Institution. Tapping didn’t sound right to his assistant’s assistant. A magician (Nevil Maskelyne) was tapping “rats” in morse code. Then changed to “There was a young fellow if Italy who diddled the public quite prettily.” Marconi claimed nobody could interfere – don’t promise what you can’t deliver! And an early white hat hacker to identify that.
  • 1939 – Bletchley Park – crack Enigma during World War II
  • 1957 – Joe Engressia learned if one whistles at a certain frequency, can get free long distance calls. In 60’s and 70’s if couldn’t whistle at 2600 hertz, produced blue box to hack this.
  • 1968 – Morris worm – one of first worms
  • 1992 – First polymorphic virus – constantly changes as infect each new machine so anti-virsu looking for standard signature can’t see it
  • 1994 – First kit for script kiddies. Didn’t need to be very skilled to attack.
  • 2002 – Bill Gates finally made security a top priority at Microsoft

Present

  • Don’t even have to go back 24 hours to find a data breach.
  • Mark Zuckerberg’s bad password
  • Credential stuffing – relatively new type of attack with multiple specialists. Has multiple parts.
    • Attackers usually have .1%-2% success rate in finding password reuse.  (using one stolen password on another site)
    • If steal a million stolen passwords, can quickly take over 10K accounts without anyone knowing.
    • Invisible – don’t know account is hacked.
    • Using botnet so target site can’t detect pattern of bad attempts either. Looks like a popular day on your website and not a hacking attempt
    • Over 500 million leaked passwords on dark net. So starting with known good passwords
    • Good – Netflix reset passwords based on ANOTHER company’s breach
    • Sentry MDA has credentials stuffing tool. Raw materials: credentials that are out there, IP addresses in proxy list and even help to get past captchas. Third party system for getting passed captchas as well mixing OCR (computers doing it) and mturk (humans doing it in developing countries)
    • Organic traffic has pattern/cycles throughout day. Inorganic traffic has different shape. Can see normal shape if look at graph without login URLs.
    • Botnets are distributed globally so can’t block IP by region.
    • Other things like monitoring also produces a spike.
    • Every website has a tiny bit of attacks. These crawlers are just the background radiation of the internet. This is an opportunistic probe. A bigger attacher has a profit motive so will stop or re-tool. The idea is to make is as expensive as possible for the attacker.

Future

  • Because the present isn’t scary enough, the future is scarier
  • Attack surface is related to complexity
  • “Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can” – Jamie Zawinski.
  • Weak AI is already here. (ex: AIs representing users) Strong AI is much further out.
  • Sci fi: Black Mirror. Device records everything and you can replay it on demand. Privacy and security implications. Imagine if this data could be changed or published.
  • New attack surfaces:
    • autonomous vehicles
    • always on IoT devices like Amazon Echo could do surveillance
    • Apple Home – can unlock your home doors. Can turn on your lights/stereo at night randomly like horror movie. Someone could have a heard attack because think house is possessed
  • New technology creates new attacks
    • Audio/video fidelity – could steal fingerprints from far away or record every conversation from far away
    • Battery life – run surveillance device for weeks
    • CPU power – defeat encryption
  • New attacks create unforeseen consequences – now we have to take off shoes before flying

What can we do?

  • Pareto Principle – focus on where get most benefit
  • Cybercriminals innovate. So do security services/standards/platforms