My 2020 – Year in Review

Each year I used to write a reflection on the last year, set out goals, etc., but for whatever reason I stopped doing this. I’m not too sure why, as I found it a useful exercise.

Last week I saw Paul Glavich’s post and felt inspired this year to give this some time.

This post is mainly for my benefit but maybe it has something useful in it for others too.

2020

2020 was a weird and challenging year for everyone and a year I don’t think anyone wants to repeat!

I’m grateful to live in Australia where we have so far been relatively untouched by everyone’s least favourite coronavirus. I live in Melbourne, however, and we experienced some of the heaviest restrictions in the world designed to reduce the spread of Covid (everyone limited to a 5km travel radius, schools and day-care shut, most non-essential shops shut, etc.).

Whilst the strategy has been a success in reducing cases, the impact of these restrictions in Melbourne was very unequally distributed, with some individuals and businesses hit in an absolutely devastating way, and I felt lucky to be able to work from home for a supportive company. In fact my employer was one of the first to move staff to working from home and was very supportive over this period.

Whilst the restrictions were frustrating for all, I tried to make the most of the time and saw the following advantages:

  • I got to spend more time with the kids and with my daughter in particular as part of home schooling (this was good and bad!)
  • I saved some money having no commute and with various activities being closed
  • I revisited some hobbies/stuff I hadn’t touched for ages such as drawing, astronomy and playing on the Xbox (No Mans Sky)
  • I ate healthier – probably by not having access to Melbourne’s various lunch time options!
  • I had less of a commute so had more time*

* I’m not sure this actually worked out this way and the work day appeared to just extend.

There were some aspects I really didn’t enjoy:

  • Juggling work and kids was very draining and more so with co-parenting.

    Most colleagues and clients were pretty good about the impact of this but I ended up working some pretty long hours once kids were in bed to keep up with work/make hours up.

    On reflection I probably created some of this pressure myself and would have been better working less hours and taking personal leave.

    I remember one particularly terrible call to a client where I was looking after my kids. They spent the time making cockerel noises in the background whilst jumping between two sofas. One of them also had a, er, toilet accident to round off a great meeting.

    On another meeting I was assisting my son to find his favourite toy monkey and hit the unmute button on my headphones, so other folks could hear me walk round the house with him calling out for monkey. I didn’t know this until my colleague texted me, bahaha.
  • Context switching is always hard and wasteful, but I found the switch between work and parent mode very draining. I had not realised that my commute back from work provided a kind of transition between the two parts of my life, which I no longer had working from home. I ended up building a transition period into my day where I wound up work stuff, as I found I would be tired and grumpy when I had my kids dropped off/picked up without it.
  • Teams etc. is good, but I missed in-person conversations, team meetups, socials and so on.
  • After a while I grew to hate the repetitiveness of working from home and being in the same room. Yesterday I moved my computer into a different room, which probably isn’t as well suited a space, just for the variety.

What went well last year?

  • We had significant success on several proposals, and I increased my commercial knowledge, awareness, and understanding of contracts
  • I improved my security knowledge and obtained (at least as far as I know) a good foundational understanding of penetration testing via Offensive Security’s PWK course.

    I also found a mentor in this area and can’t recommend this enough: it is a great way to rapidly upskill in an area by having someone more experienced to advise and coach you.

    I focused on security as I wanted to understand how an attacker would approach applications so I could better defend against them, and, well, it sounded pretty interesting as well 🙂

    I really enjoyed learning about a new area, as I had probably become a bit jaded by .NET and front-end frameworks and enjoyed the variety and challenge of something different. It was great to get into some lower-level stuff such as buffer overflows/assembly programming.

    I also discovered CTF style challenges such as Hack the Box which worked well during lockdown to keep me occupied and challenged!

    I’m scheduled to do the exam for this course in March. OSCP is known as being a difficult exam and many folks seem to retake it a few times, so I suspect it will be challenging and may require a few attempts.

    I’ll give it a go, although I have a queue of other items starting to build up requiring attention, so I’m not sure how long I’ll be able to spend on this but will see how it goes.
  • I obtained a good working knowledge of Linux as part of the course discussed above. Whilst I knew Linux would feature heavily, this was kind of an unexpected benefit and an area I’d like to explore more. It’s probably also worth looking, in future, at whether your PD study could hit a few areas at once for efficiency purposes.
  • Savings from lockdown meant I could pay off a loan 5 months earlier than I expected
  • At the end of the year I replaced my 11-year-old car, which made driving more enjoyable and made it easier to transport the kids & their stuff

Plans for 2021

  • This year needs a better work life balance. I’m not sure what this looks like yet, but last year work certainly got the majority of my time and energy and the kids had a tired and grumpy dad at times, which isn’t right. Some of this was probably on me: with everything shut in Melbourne during lockdown it was easy to decide that, since I wasn’t doing anything else, I might as well do some more work.
  • Building breaks in between conference calls. Conference calls at one point seemed continuous throughout the day, which was very draining and made it difficult to maintain attention and also do other work. I now build in time between calls which I won’t move. I also block out focus periods and lunch, and try to leave the house during the day.
  • I have a good desk and chair setup but need to move around/stretch more, as I started getting various aches and pains I have never experienced before. I saw a physio last year who said he was seeing a heap of folks complaining of various issues related to working from home 😦
  • I’m enjoying learning about the security stuff and once the OSCP exam is complete intend to shift my focus here to developing some kind of security foundations/basics program. I think most of us tend to learn this stuff from a theoretical perspective only, and getting some more hands-on knowledge could help us build a better understanding.
    I’m not too sure what this looks like yet but maybe some form of intentionally vulnerable app. It would also be great to have some more Microsoft tech focused examples in this area. I’d also like to spend some time looking at threat modelling.
  • Miro has proved a useful tool for remote collaboration for us and I’d like to spend a little time looking at what can be done with it beyond the basics
  • I’d like to spend some more hands-on time with AWS. I’ve spent a fair bit of time with Azure and want to learn something different. I had planned to get a bit more involved hands-on in one project, but this didn’t eventuate due to other commitments; I’m planning on insisting on doing this in 2021.
  • Revisit Azure DevOps build and deployment functionality. This has progressed considerably since I last looked and I need to update my knowledge.
  • Spend more time on personal development – and do it during work hours.

    We have a good PD program at Purple but due to work-load most of my study for the security course was done in my own free time.

    Whilst I enjoyed the course, it is also important to get rest (whatever form that takes for you), and my approach of doing this study in the evening eventually left me feeling quite burnt out by the end of the year.

    I found that with a long list of tasks it’s very easy to focus on these at the expense of your own development, and this will eventually lead to the atrophy of skills.

    I think most folks who start to get a larger workload will go through something like:

    1) Work longer hours to try and keep up. Maybe you start to do a sweep of emails/items at the weekend or work a longer day. This works for a bit but isn’t a long-term strategy, especially as workloads don’t tend to decrease.
    2) You might then look at stopping “non-essential things” like personal development to make more time. You later realise some of this stuff is, er, essential, or that you enjoyed it.
    3) You realise that you are dropping things, so then look at other options such as delegation/prioritisation.
    4) Declare workload bankruptcy!

    This is a trap – build time to focus on skill development and make sure you do some stuff you enjoy as well as stuff that needs to be done.

Summary
Anyway, if you have made it to the end of this, I wish you all the best for 2021.

Thoughts on PWK/OSCP Course

This year I wanted to improve my security knowledge and understand how an attacker would approach compromising an application so I could better secure solutions I was involved in developing.

I suspect most developers (including myself) learn about security from a mainly theoretical perspective and won’t be exposed to an attacker’s methodology, tools or techniques. I think this is probably a mistake, and most of us would benefit from seeing or having hands-on (legal!) experience so we can build more resilient and secure applications.

I wasn’t sure where the best place to start with this was, but my manager Horay had previously suggested that certifications, in addition to providing proof of knowledge, can be a good option by providing a learning path to work through. They also ensure you cover some areas that you might not cover on your own.

I had a look at what was available in the security cert space and there were a few options. Some time ago I’d chatted with one of my colleagues (hello Vats!) about Offensive Security’s Penetration Testing with Kali Linux course. This course concludes with a 24-hour exam where you have to compromise a number of machines, and then another 24 hours to write up how you did it, and I was kind of intrigued by this.

PWK is a self-study course that aims to introduce you to penetration testing methodology, key tools and approaches. I understand this qualification is well respected in the industry due to the tough nature of the test and is currently pretty much essential for those wanting to start a pen testing career.

The course
The course costs start at $999 USD at the time of writing. This gives you 1 month’s lab access, an 850 page PDF, a set of videos and access to their forums. It’s not cheap, but I don’t think it’s unaffordable either, and it is cheaper than your average multi-day conference. I felt overall it was good value for the money, although I’ve listed some cheaper options at the end of the article.

Probably one of the best things about this course is the lab. You connect to the course lab using OpenVPN and it’s made up of an extensive set of machines (70ish) and connected networks all waiting for you to compromise them. I don’t want to spoil any surprises as participants will enjoy the details, but I will say that a lot of thought has gone into the setup of this and it’s not just 70 separate machines.

One thing you should be aware of, and that creates some pressure, is that when you enrol in the course you have to select a date to start. Your lab time will then start ticking down from this date, so make sure you have cleared some time in your schedule as this course will consume substantial time.

How long is enough lab time?
Unless you are studying this course full time (how good would that be?) or have prior security experience and are doing this for the certification, most folks will need 2 or 3 months of lab time at least. From what I read, multiple extensions and exam retakes are common.

I enrolled in the course with 2 months lab access. I work full time in a demanding job and am a single parent with 2 little kids, and I worked on the course mostly once the kids were in bed or at weekends. I made it through the book & exercises and compromised about 16 machines in the lab and another 10 or so on Hack The Box (more about this later). This was fun but exhausting and I’m not sure I’d recommend this pace. If you can get more lab time, do – you won’t regret it.

You can extend your lab time afterwards, but it is more expensive to extend than to buy upfront (currently $359 USD for 30 days). There are also other cheaper practice machine options, but we’ll get to that.

Pre-Req Knowledge
To make the most of the course you will need to have knowledge in 4 main areas:

  • Networking (basic stuff – DNS, TCP/IP basics, ports, etc.)
  • Linux (intermediate?)
  • Windows (basic)
  • Programming (basic, and comfortable modifying Python & Bash scripts. I’d rarely worked with Python, but it was trivial to make the basic mods necessary during the course, e.g. setting variables, basic logic)

For those of you starting out in IT, I probably wouldn’t recommend this course as a starting point and guess you’d get frustrated pretty quickly. Even if you know you want a pen testing career, you’ll probably get more from it with a few years of dev or infra experience. Having said that, I did read some blog posts from a few folks who had jumped right in and had success, so each to their own I guess.

I think most folks coming to this course, unless they are coming from the security world already, will find they have at least one weak area in the above. For me it was limited Linux experience and knowledge, although this was offset by a software development background and understanding of web applications. An unexpected benefit I found was that by the end of the course I had a good working knowledge of Linux and loved working with it 😊

What I enjoyed
I really enjoyed this course and loved the range of subjects and areas it covered.

I think this was probably the most fun course I have ever done, and you get a genuine rush when compromising one of the lab machines, which was, er, weirdly addictive and led to some late nights as I worked through a tricky problem.

By the end of the course, you will have a decent understanding of the methodology pen testers (and I guess also attackers) use to approach compromising a machine and network.

This gave me a new perspective on development projects and will assist with the development of secure software.

For me the highlights of the course were:

  • Compromising my first lab machine. I cannot stress enough that the lab and most of the exercises are really fun; time will fly and it doesn’t feel like work
  • Whilst I was familiar with the concept of subjects like buffer overflows, it’s a different thing altogether to create one yourself and have it initiate a reverse shell 🙂
  • I was surprised at how sophisticated some of the common tools were and how easy they made tasks, e.g. Metasploit & SQLMap
  • Playing with assembly – can’t think of when I have done this outside of uni!
  • SSH tunnelling – wow, didn’t know you could do some of this stuff!
  • Abusing various inbuilt Windows and Linux functions to do things like download a file from a remote machine using regsvr, certutil, etc.

What I wish I had known
Offensive Security have a motto, “Try Harder”, that you’ll come across many times in the course materials and forums.

I can imagine that pen testers require resilience and perseverance, and if you are not the sort of person who will get curious about a problem and work through it then you probably won’t enjoy this course, or pen testing for that matter. However, let’s remember you are doing this course to learn, and there is a point where “Try Harder” is not useful (“Bean dad” anyone?).

You have limited lab time and want to make the most of it. Whilst you can and will learn something researching a challenging topic, there’s a point where you are probably better off getting some help. In this course help will come mainly from the forums.

At the beginning of the course I got stuck on a machine for nearly a week. Whilst I learnt stuff trying to work through this issue, I probably should have looked at the forums earlier to learn a concept I wasn’t aware of. I also would have found out that this wasn’t one of the best machines to begin with. When you start, you want something matching your skill and experience level so you can practice the basics without getting frustrated and not getting anywhere. My advice would be to set a time limit and then look at the forums if you are stuck, to help you get past the blockage, then continue on your own.

Offensive Security provide a lab learning path of machines they suggest you work through. I didn’t spot this at the beginning even though it’s on the lab machine control page, doh. This has 10 or so machines to work through, with the first 2 having detailed step-by-step write-ups in the forums. Do look at this as you’ll learn a lot, especially from the first 2 write-ups!

The machines are of varying difficulty, and by the end I could exploit 2-3 in one night, with I think the quickest being 15 or so minutes and the longest a week (at the beginning of the course!).

For most machines you’ll run a port scan and maybe some other scans and then work through the various services. It took me a while to realise this, but it’s very easy to get stuck thinking one option is certain to be the route in. This is a trap! Set a time limit for each service/hole and then work through them systematically. You will be amazed what you missed when you come back round, or what you might discover on another service you haven’t looked at yet.

I mostly found I could get a foothold on most machines fairly easily, but the challenges came around privilege escalation.

Privilege escalation is where you have some kind of access to a machine, but it is of a limited level, and you then attempt to increase this access. There are various ways of doing this, from exploiting misconfigured setups and binaries to full-on kernel exploits. As a beginner I found this area the hardest and had to grind through all the options, which could be tiring and frustrating but was worth persevering with.

Tib3rius has two really great privilege escalation courses on Udemy (one for Linux and one for Windows), which I wish I’d watched earlier in the course and would highly recommend.

Conclusion
I haven’t taken the exam for this course yet (that’s in a couple of months, as I wanted a break over the Christmas period and need to get some practice in!) so I can’t comment on that aspect yet (you’ll find a heap of posts around others’ experiences). I will say, however, that I really enjoyed this course and learnt a lot from it, so would highly recommend it. It also had the unexpected benefit for me of massively upgrading my Linux skills 🙂

Alternatives/Supplements
For those folks not caring about the OSCP certification, or wanting a cheaper option, Heath Adams’s (the Cyber Mentor) Practical Ethical Hacking course is amazing value at AUD $10.99 for over 24 hours of content.
This covers much of the same areas as PWK and is really well put together (I also think the Windows AD stuff is examined in more depth).

Other Resources
Now it should go without saying that trying to compromise machines you don’t have permission to test is illegal and shouldn’t be done under any circumstances.

There are several great and free/cheap services offering legal and great options to practice against that can help you prepare for the course:

Hack The Box has many machines to practice against, and some are similar to those on the course. If you’ve never done this stuff before, however, do not start here, as you’ll get frustrated quickly because there is little to no guidance provided. I’d recommend the paid version of the service as it gives you access to older machines that have detailed write-ups if you get stuck.

TryHackMe have many “rooms” that take you through the development of various skills and experiences, e.g. specific tools and techniques. If you are not sure if this stuff is for you, then the recent Advent of Cyber room is a really nice intro to some basic techniques.

IppSec YouTube Channel. IppSec provides video walkthroughs of hacking various (mainly HackTheBox) machines. This guy is a genius and entertaining to watch. I’d watch a few videos each week and found I would learn heaps and come across some great tools and techniques.

Linux Smart Enum. This script makes it really easy to see Linux privesc options, more so than the better-known LinPEAS and LinEnum. Highly recommend adding it to your toolkit.

MXChip Microsoft Azure IoT Developer Kit

I recently ordered an MXChip Microsoft Azure IoT Developer Kit to have a play with.

It looks like this when it arrives:

[Photo of the kit as it arrives.]

The MXChip Dev Kit is an awesome solution designed for prototyping IoT and cloud-based solutions, and comes with a heap of functionality and sensors including:

  • WiFi
  • OLED
  • Headphone
  • Microphone
  • Temperature sensor
  • Humidity sensor
  • Motion sensor
  • Programmable buttons
  • Security encryption chip

Lots of goodies to play with without having to order and set up more components and sensors!

Setup
Setup couldn’t be easier and within about 10 minutes I had my dev kit sending data to Azure IoT hub (setup would have been even shorter had I typed in the WiFi password correctly – duh!).

Setup was basically:

  • Create an Azure IoT hub in the Azure portal
  • Plug in the dev kit via USB
  • Download the latest firmware and copy it onto the device as if you were copying to a USB stick
  • Connect to the MXChip’s WiFi access point
  • Browse to a setup web page and enter WiFi and IoT hub connection details
  • You are good to go, and the device will then send temperature info to Azure IoT hub


Development
So how do you create your own applications?

The kit is Arduino compatible, and Microsoft has developed a heap of extensions, samples and tutorials for Visual Studio Code aimed at making it easy to develop, debug and deploy your own applications.

Setup was mostly painless, although one of the extensions had some trouble installing and I couldn’t get the debug stuff working that would allow me to see what the device was sending. I think this may be some USB driver issue and will require further fiddling.

One of the extensions gives you access to several tutorial projects and samples, making it easy to explore the device’s capabilities further.

I haven’t touched C++ for many years, but the sample code was very readable and could easily be tweaked for your own projects.

Overall, whilst the MXChip dev board is more expensive than some other options, I was really impressed by all the functionality contained on the board, the tutorial and sample support, and the ease of setup with Azure IoT hub.

If you want your own kit I purchased mine for about $90 AUD (American readers will find this considerably cheaper) from Core Electronics (https://core-electronics.com.au/mxchip-microsoft-azure-iot-developer-kit-pre-order.html).

NDC Oslo 2019 – Developing Solutions for Everyone

It was great to have the chance to speak at NDC Oslo 2019 on the subject of developing solutions for everyone.

This was a very personal talk for me and a bit different to the more technical talks I generally focus on.

This is a talk about how the software we create can sometimes exclude, make things harder for, or even harm groups of people, and how we can avoid this.

[Photo of the NDC Oslo talk.]

I found this one a challenging one to give given the subject matter which touches on everything from discrimination to hate groups.

For those wanting to know more about this area, the talk was influenced by Sara Wachter-Boettcher’s book Technically Wrong. I also attended a few other talks at NDC Oslo on this area, such as Tess’s “We are the guardians of the future” and Sasha’s “Why our products and communities need our empathy”, that I’d highly recommend watching when the videos are released.

The talk video will be available shortly but slides are online in the downloads section of my website/NDC Oslo 2019 folder.

Thoughts on Conference Submissions

The last week I’ve been in Oslo, Norway where I had the pleasure of being on the NDC Sydney 2019 Agenda committee and speaking at the conference.

Whilst I’ve had a fair bit of experience creating agendas via DDD Melbourne and user groups, it was very interesting to see how a large commercial conference (and one of my two favourite Australian conferences, along with Web Directions) handles putting an agenda together.

Opinions are mine and mine alone
I should probably start off by saying what follows is my opinion and may not reflect that of other agenda committee members or NDC organizers.

The agenda we proposed will also be reviewed by NDC organizers before speakers are informed, so it is likely to change a bit (and no, I won’t tell you who got in etc.; you’ll have to wait until the official emails!).

With that out of the way, there are a few things I wanted to talk about and things you can do to maximize your chances of getting in.

Sometimes you may do everything right and not get in
First up don’t be put off if you are declined from a conference.

NDC Sydney 2019 received over 800 submissions and there are a lot fewer spots. This means many people are not going to be successful, and that includes some well-known names.

You not getting in isn’t necessarily (but might be!) a reflection of your speaking abilities, how your talks went previously or your topic; it is simply impossible to squeeze everyone in.

There was more than enough awesome content to fill multiple conferences.

What can you do to maximize your chance of speaking? Well, I have a few thoughts, but the main thing I’d encourage you to do is simply keep submitting!

Commercial conferences need to make money
Whilst it would be wonderful for a conference to be able to support every speaker and topic, a commercial conference is significantly different to a community event such as DDD Melbourne and needs to attract customers.

Whilst these are not the only drivers, having well-known great speakers and interesting topics will likely equal more customers.

Have a think about your subject – would you or your colleagues pay to see the talk you are proposing?

If the answer is no then your talk may be better placed in a local user group.

Choose a great title
Major conferences get many submissions and the title is the first thing the agenda committee sees.

A good title is interesting enough to draw the reader in for a deeper look, or makes it obvious what the session is about, and in an ideal world does all of the above.

Also avoid cliché titles such as “Make SAP great again” (it’s probably not possible), “In the trenches with Silverlight”, etc., as these titles suck.

Write a clear & concise abstract that describes what your session is about
With many sessions to review you want to make the agenda committee’s job easy.

Some session summaries were like mini novels, and despite all the text it was still difficult to work out what the presenter actually wanted to talk about!

Writing a good abstract is hard (as is concise writing) and needs practice. Get someone else to read your abstract: does it make sense?

Also avoid swearing (many of us enjoy a good swear but this isn’t the place for it) and slang as it may not make sense to the reader.

Tag your session correctly
If a conference asks you what category your session fits in please don’t tag it with every subject.

Most sessions have 1 or 2 primary categories they fit in.

Categories are one way of ensuring a distribution of subjects in a conference, and if you tag your session with everything it just makes more work.

Proofread and spelling
Just do it; there are tools to help, and if you are crap at this stuff get a friend or colleague to help.

Review pre-booked speakers at conference
If you can see a conference has a well-known expert, author or contributor to a library, language or framework talking, you probably don’t want to be submitting a “what’s new in X” or “introduction to Y” talk on the same subject.

Whilst some subjects will warrant multiple talks, guess who the general public would rather hear from: a) the author of a framework/library or b) an unknown speaker?

Having said this, it is certainly not impossible to speak about the same topic as a big-name speaker (we accepted sessions that did on popular subjects), but you’ll probably need something unique to make your session relevant.

Avoid intro-level talks unless it’s something very new
If it’s a subject that has been around for a while and is well understood, I think you’d be better avoiding an intro-level talk for a commercial conference.

Attendees will likely be familiar with what you will discuss or can quickly learn about it, and it won’t draw people to the conference.

Well-known speakers can, however, probably revisit any topic they want, as they will still draw a crowd, but if you are reading this article this probably is not you (yet!).

Consider the conference you are submitting to
NDC has a wide range of development talks, with probably a lean towards the Microsoft platform. A talk on a very niche subject, say Perl, may be better suited elsewhere.

Consider avoiding personal story/philosophy style talks
Whilst you may have some awesome stuff to say, unless you are well known or have a particularly interesting story to tell, the general audience may not be that excited about how your cat gave you a different perspective on Angular (I’d love to hear it over a beer, however).

Some subjects are going to be a harder sell
It’s no surprise that the development world has trends and there are some subjects that just aren’t that popular right now.

Something that is very niche, such as running SQL Server on a custom Finnish Alpine Linux kernel reverse proxy docker container on Google cloud, is probably only going to be relevant to a few people, so it likely won’t get in.

Other subjects such as old JavaScript libraries or stuff that has fallen out of favour will also be a harder (but not impossible) sell.

Make it easy for us to find your past talks
You do have past talks, right?

A commercial conference likes to see a speaker’s history so they have some assurance you will do a good talk.

If you have no history then you are a risk, which is a shame as you may be awesome and have lots to say!

There’s an easy way to deal with this, and that’s to go and talk at various user groups and meetups.

Practice is also going to make you a better speaker full stop.

Expecting a commercial conference to take a chance on you if you have no history of speaking is a bit of an ask – but it does happen.

We do look in detail into short-listed speakers and try to find and take a quick look at videos of previous talks, so make them easy to find!

Summary
For those of you that won’t be successful this time at NDC Sydney, please don’t be put off – keep submitting talks, talk at your local user group & DDD events and try again next year.

I’m really excited about the agenda we have for NDC Sydney 2019 and (I’m biased, but) it’s seriously the best ever!


Alpaka Gear 7venMessenger Bag


My friend Jin of Alpaka Gear kindly sent me a prototype of his Kickstarter project, the 7venMessenger bag.

The 7venMessenger bag describes itself as “the only bag you will need” and aims to be suitable for everyday work & leisure usage and also for a short weekend away.

When I was working for IT consultancies there was a regular discussion around what is the best laptop bag which is very relevant when you are frequently travelling.

I have always favoured Samsonite backpacks as I found them comfortable and hard wearing, so I was interested to see the 7venMessenger bag and how it compares.

Here’s a picture of my bag – note this is the prototype and Jin tells me there may be a couple of changes coming so the final bag may be slightly different:

[Photo: the 7venMessenger bag prototype]

Well, I am probably not the best judge of aesthetics (two kids soon change your priorities to the robustness of any clothing or gear), but the 7venMessenger certainly looks smart and wouldn't be out of place at the smartest of soirées, which, er, I'd never get invited to. The bag also receives a nod of approval from my wife (who knows a heap more about bags than I do), so this is a good sign.

The bag is constructed out of 1000D Ballistic Nylon – I don't know what that is or what its bullet protection abilities are, but it certainly feels tough and durable and looks smart. The bag is also waterproof and easy to clean, according to the website.

The bag feels reasonably light, although it is certainly heavier than some of my other bags. Its pyramid shape also means it stands on its own rather than collapsing.

The attention to detail and quality on the bag is impressive. There are a huge number of pockets, mesh compartments and storage spaces (even on the strap!), which I love as there are always various cables, chargers, USB sticks etc. that need a home.

The bag can be worn in a number of ways, such as over the shoulder, as a briefcase or as a backpack – it also has a sleeve for fitting over a suitcase handle that you might use at airports. The bag is very comfortable to carry using its leather handle, and I find this is the preferred option when standing on the train.

The bag has a magnetic clip on the front that looks like it would be released by pulling it up but is actually opened by sliding it sideways. It did confuse me at first and I spent a couple of minutes puzzled, but I do like how the magnet pulls the clip together.

The bag is a decent size and easily holds my 13 inch Dell XPS in a padded section. I understand from Jin and his team that the final bag will hold a 15 inch MacBook comfortably. It does feel a little wider than the average messenger bag, and I notice when sitting on the train with it on my lap that it expands slightly beyond my seat area, but it's not a huge issue.

In conclusion, the 7venMessenger bag is an awesome product that I would highly recommend.

You can get this bag at a great price by backing the Kickstarter project at https://www.kickstarter.com/projects/alpaka/7ven-messenger-the-only-bag-you-need – what are you waiting for?


Famous Software Bugs

Despite the best of intentions and processes, we all screw up sometimes.

I think pretty much every developer has made a screw-up of some kind over their career (and if you haven't, you are either very lucky, unaware you have done so, or probably not doing anything interesting!).

I spent some time putting together a list of high profile bugs for an article on gooroo.io.

Some issues are amusing and entertaining, some are downright terrifying, and a few tragically resulted in loss of life.

Check out the article here: https://gooroo.io/GoorooTHINK/Article/16833/Famous-Software-Bugs/23477#.V3TtN7h96M8


Building Resilient Systems

No one likes using unreliable computer systems.

There can be few things more annoying (in terms of first-world problems, anyway) than having an application freeze and losing a load of work.

Losing work is annoying, but what if the system performed a more important function, such as managing your bank account or maybe even helping an aircraft navigate?

  • How can we measure resiliency?
  • What are the best ways to ensure our systems are resilient?
  • How are companies such as Netflix approaching this?

Check out my post on this at gooroo.io:
https://gooroo.io/GoorooTHINK/Article/16830/Building-Resilient-Systems/23364#.V2-0Irh96M9

SOA Principles of Service Design book review

I am currently involved in a project that is part of our larger SOA strategy. SOA and its related topics are a massive area, and I am currently reading everything I can get my hands on to learn more about this complex field.

Some time ago I was recommended Thomas Erl's SOA Principles of Service Design (I'm going to shorten this to POSD to avoid RSI) as a good overview/introduction by a consultant I was working with (thanks Dave S!).

It is also worth noting that POSD has a sibling book called SOA Design Patterns, which is apparently designed to complement and follow on from POSD. I haven't read it, so I cannot comment much on it.


POSD weighs in at just under 600 pages and claims to introduce the reader to SOA principles and concepts, explain design approaches and techniques for maximising reliability, and much more – sign me up!

Despite its length, POSD is a straightforward read, and the text is broken up with frequent full-colour diagrams. The use of colour is actually really nice in a heavy book such as POSD.

In many places the diagrams do a great job of explaining important concepts, but I couldn't help thinking that many were unnecessary and conveyed very little, or that the data/concepts would be better represented in tabular format. Having content broken up with an unnecessary diagram was a bit frustrating, and I found myself flicking through them quickly, as you might, say, the songs and poems in a Tolkien classic.

The book does an excellent job of introducing the core concepts and some of the advantages and disadvantages of this style of architecture.

Subjects such as contracts, schemas etc. are given a thorough treatment. I guess at times the focus on XML-related technologies and approaches can make it feel dated, but it certainly doesn't distract too much from the core concepts and principles.

For me, at times the book felt like a school or university textbook, and I couldn't help feeling the content could be distilled into, say, a quarter of the size without losing anything. Maybe it's arrogant to say, but I think I could get the important stuff down to around 100-150 pages and lose very little.

A case study is used throughout the book, with issues that will be very familiar to any developers or architects currently working with SOA.

I really wish the author had used the case study more and gone into more depth (say, similar to Vaughn Vernon's Implementing Domain-Driven Design). The case study forms a tiny part of the book in relation to the lengthy explanations of abstract principles, which would benefit from further pairing with a solid example.

Overall, for those new to SOA this book does an excellent job of covering the core concepts; it is easy to read despite its length, and the colour diagrams make it pleasant to read.

I suspect an experienced practitioner probably wouldn't learn so much from the book – I was familiar with much of the content (which is probably partly due to some of the awesome people I work with).

Despite some of my concerns, I have yet to find a clearer introduction to SOA concepts, so if you are new to this area you probably won't do much better.

Overall 6.5/10.