The other day while browsing the electronics at Goodwill I found an old calculator for $1. The screen wasn't working correctly but I thought I could fix it. I used the opportunity to dip my toes in the YouTube waters. I present to you Tachyon's first video, enjoy.
Tachyon Engineer
Wednesday, April 12, 2023
Saturday, February 18, 2023
Throw the Coding Interview into the Trash
Despite nearly every company having coding interviews as part of their hiring process, poor developers get hired. Somehow having people write code from college exams in web-based IDEs while a clock is ticking is failing the industry. The reason for that is that it doesn't resemble the everyday reality of a software developer.
Writing code is such a small part of development that having a candidate do it in a game show environment isn't going to provide much helpful information. Ask a software developer what they do all day long and typing code into an IDE would probably be less than 15% of their job. A good developer has been able to look at a code base that he hasn't written, gain a working knowledge of what it does and how it does it, and somehow make a change without breaking everything.
I don't have any official data but I am willing to bet that 99% of the time that code change is not inverting a binary tree in under thirty minutes.
According to Frederick Brooks' inescapable Mythical Man-Month, the average developer spends half of their time doing some kind of testing. How many coding interviews involve writing a unit test? Has there ever been a coding interview that asked a candidate to dig through an APM or log aggregator to find the reason an API call is failing? Instead of pulling a hard question off of LeetCode, could we just give a candidate several hours to fix a failing Maven build and get better hiring decisions?
Enough complaining, what is the solution? What is the NFL Combine of the Software Development world?
It's the GitHub Open Source Pull Request.
The biggest poorly kept secret in the software world is that almost every commercial software product relies on a myriad of Open Source Software, and the second biggest poorly kept secret is how overworked and underappreciated Open Source contributors are.
Critical OSS projects, like log4j, have hefty backlogs of bug fixes and security issues. What if we could help address those issues and improve the hiring process?
It begins with the hiring manager selecting appropriately sized and difficult fixes for OSS that the company depends upon. The candidate would have the opportunity to read requirements, learn a code base, follow a build and testing regimen, and conform to a submission process, ultimately having a group of their peers accept the PR.
The standard interviewing process often produces little to no value. The code is thrown away as no one needs a solution to a non-existent problem. The PR Test creates actual value and that value is not owned by the hiring company so there is no awkward feeling of exploitation. Whatever happens with the job opening, there will still be some value created and released into the world.
Imagine if log4j was fixed by a candidate before it was exploited. Imagine if developers had an intimate understanding of the libraries they use because they were part of the development effort. Imagine finding out that the guy who can solve the Towers of Hanoi in 5 lines can't solve a simple bug without re-writing several modules from scratch.
After the PR test, the follow-up interview should include questions about challenges and design decisions. This gives insight into the candidate's thought process and also an indication of whether they actually did the work themselves.
There is one missing piece though: the acquisition of new knowledge. Pick a topic that the candidate is unfamiliar with and give them a week to learn it. A thought exercise in an interview could ask the candidate to apply the topic to a hypothetical problem. It's not a pass/fail, but it does provide insight into how the future employee could be directed in their professional development. Pro tip: people can learn how to learn better.
Better developer interviews lead to better hiring decisions and better professional development. For an industry that believes in better efficiencies and less waste, that should be reflected in the hiring process.
Sunday, January 10, 2021
Multiple Versions of Java
- never updated to fix security patches
- may be many years out of date with many known security issues
- almost guaranteed not to be configured to be secure
Saturday, October 31, 2020
Clock Update
Until this week, the clock was programmed by curl'ing octets to the web server on the ESP32 controller. I decided that I wanted a REST API interface to the clock, but I didn't want to implement it on the ESP32.
Since I've been trying to get better at Python, I decided to put together a Python app for it, found a good REST API Python tutorial and got to work.
It took most of Friday night but it was a great success. This afternoon I built a Docker image for it and now I can run it on any random Raspberry Pi I have on the network.
If you're interested in the code, it's on my GitHub:
Next step is a React app to talk to the REST API and maybe even a phone app based on that.
Sunday, June 28, 2020
My New Clock
I crack open a box of my electronics stuff and start taking inventory. My plan is to use the chips I have for driving 7-segment displays to drive a home-built, oversized 7-segment display. Think old school game shows before everything became LCD screens.
I start with a breadboard, add a 7-segment display and a CD4511 7-segment display driver chip, and wire it to a USB battery. Great success as I can display all the numbers I need by changing around the jumper wires.
Next step, I hook up an Arduino and control the inputs that way. It looks like I have my successful proof-of-concept.
The first real problem I encounter is how to build the clock circuitry, and it looks like that's going to be harder than the display component. Things change as I find out the ESP32 can be used with the Arduino IDE and I can have the ESP32 call out to an NTP time server and set its own internal clock.
Now I have the clock and the display drivers; all that remains is building the numbers and figuring out how to power the thing without burning out my logic chips.
I start my research into different ways to drive large, bright LED displays and I come across NeoPixel RGB strips. They can be cut with scissors and soldered in a chain easily. I do the math on how many LEDs I need and I order a 100-LED strip from Amazon.
I get the strand in the mail and right away start playing with it by hooking up power and data lines. Nothing happens. This is a real bummer. I take out my multi-meter, check power levels, check the connections, everything seems fine. After a while of confusion and frustration I come up with the idea to plug wires into the other end of the strip and everything lights up. I run a sample program and it's magical; I even think I hear music playing (probably just in my head). This will work.
Actual construction begins and the first thing I need is a box to mount the digits in. After some searching and head scratching I decide the perfect box will be the tray from a case of water bottles, so I run out to Target late that night to pick up some paint brushes and black paint. After the paint dries, I cut out paper outlines to size the display, mark rectangles with pencil and then start cutting the LED strip into 4-light segments; no turning back now.
I laid out the first digit, cut the lengths of wire, and soldered one segment to the next until the whole first 7-segment display was built. The moment of truth comes as I mount it in the box, tape it down with electrical tape and plug it in.
And it kind of works. I re-solder some flaky joints and I have myself a device that displays any number between 0 and 9. Thirty-two careful wire solders later (not counting re-solders) and I have myself a working clock display.
I finished up by moving the ESP32 and the LED power supply to the right size breadboard and mounting it to the back of the box. Wrote the code in the Arduino IDE and put it on GitHub (https://github.com/tachyonknave/NeoClock_ESP32). Final step was testing it from the swimming pool and it was perfect.
Future plans: add flashing dots between hour and minute. Set up a web server to control it over WiFi that will allow additional functions such as a 20-second countdown for heartbeat, showing the date periodically, a timer mode to count up or down, changing the colors and switching between 12- and 24-hour mode.
Added wax paper to diffuse the LEDs and significantly improve readability.
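As an added example, not the code from the NeoClock_ESP32 repo, here is the digit-to-LED mapping the build above implies, written in Python rather than Arduino C++ so it can be run and checked on a PC before being ported. The 4 LEDs per segment come from the post; the segment lettering (a top, b upper right, c lower right, d bottom, e lower left, f upper left, g middle) and the a..g chain order along the strip are assumptions, since the post does not state its wiring order, as is the 12/24-hour handling, which goes a little beyond the post by rendering a full HH:MM frame.

```python
"""7-segment digit -> NeoPixel strip index mapping (added example, not the post's code)."""
from typing import Dict, List

LEDS_PER_SEGMENT = 4          # the post cuts the strip into 4-light segments
SEGMENT_ORDER = "abcdefg"     # chain order along the strip per digit (assumption)
DIGITS_ON_CLOCK = 4           # HH MM

# Segments lit for each digit, standard 7-segment lettering (a top ... g middle).
DIGIT_SEGMENTS: Dict[int, str] = {
    0: "abcdef", 1: "bc", 2: "abdeg", 3: "abcdg", 4: "bcfg",
    5: "acdfg", 6: "acdefg", 7: "abc", 8: "abcdefg", 9: "abcdfg",
}


def segment_mask(digit: int) -> int:
    """7-bit mask with bit 0 = segment a ... bit 6 = segment g."""
    if digit not in DIGIT_SEGMENTS:
        raise ValueError(f"not a decimal digit: {digit}")
    mask = 0
    for seg in DIGIT_SEGMENTS[digit]:
        mask |= 1 << (ord(seg) - ord("a"))
    return mask


def led_indices(digit: int, position: int) -> List[int]:
    """Strip indices to light so that `digit` shows at digit slot `position`.

    Each digit occupies LEDS_PER_SEGMENT * 7 consecutive LEDs; within a digit,
    segment k of SEGMENT_ORDER occupies LEDs [k*4, k*4+4) relative to the digit.
    """
    if digit not in DIGIT_SEGMENTS:
        raise ValueError(f"not a decimal digit: {digit}")
    per_digit = LEDS_PER_SEGMENT * len(SEGMENT_ORDER)
    base = position * per_digit
    lit = DIGIT_SEGMENTS[digit]
    out: List[int] = []
    for seg_idx, seg in enumerate(SEGMENT_ORDER):
        if seg in lit:
            start = base + seg_idx * LEDS_PER_SEGMENT
            out.extend(range(start, start + LEDS_PER_SEGMENT))
    return out


def render_time(hour: int, minute: int, twelve_hour: bool = False,
                blank_leading_zero: bool = True) -> List[bool]:
    """One on/off flag per LED for the whole clock showing HHMM.

    In 12-hour mode 0 and 12 both display as 12; a leading zero on the hour
    is blanked (so 09:05 shows as 9:05) unless blank_leading_zero is False.
    """
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError("hour must be 0-23 and minute 0-59")
    if twelve_hour:
        hour = hour % 12 or 12
    digits = [hour // 10, hour % 10, minute // 10, minute % 10]
    frame = [False] * (DIGITS_ON_CLOCK * LEDS_PER_SEGMENT * len(SEGMENT_ORDER))
    for pos, d in enumerate(digits):
        if pos == 0 and d == 0 and blank_leading_zero:
            continue
        for i in led_indices(d, pos):
            frame[i] = True
    return frame


def lit_count(frame: List[bool]) -> int:
    """Number of LEDs on in a frame; handy for estimating current draw."""
    return sum(1 for on in frame if on)


if __name__ == "__main__":
    f = render_time(12, 34)
    print(f"12:34 lights {lit_count(f)} of {len(f)} LEDs")
```

On the ESP32 the frame would be pushed to the strip in one pass (index i on or off, in whichever colour is configured); keeping the mapping in a table like this also makes the 12/24-hour switch and a blanked leading zero a one-line change rather than a rewire.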
View from the Pool
Tuesday, August 27, 2019
How to and why use VirusTotal
Of course you should have your malware definitions update automatically, but what if you could scan suspicious files with 60+ scanners, all of them up to date? That's where VirusTotal comes in. It's a free tool that scans files for bad stuff like malware. You wouldn't use VirusTotal to scan all your files, but it's perfect for one or two suspicious files, especially files you receive via e-mail or other questionable sources.
How to Use VirusTotal: Scan Types
There are two ways to check a file against VirusTotal. If the file is under 250MB you can upload it. The other option is to take a hash* of the file and send that hash to VirusTotal.
To take the hash of the file you can use many tools. For example, here's a PowerShell command:
Get-FileHash C:\sol.exe -Algorithm SHA1 | Format-List
There are several tools available on the Internet to take a hash of the file, and you should check them before you use any. I occasionally use Microsoft's FCIV.
VirusTotal accepts hashes from the following algorithms: md5, sha1, or sha256.
Copy the hash part and paste it into the VirusTotal search box.
VirusTotal Search
If VirusTotal recognizes the file, that's great news. If it doesn't, you need to assess whether the file contains any sensitive info (like your e-mail or a software license assigned to you). Personal files such as documents and spreadsheets should not be uploaded to VirusTotal. Part of the deal you make with VirusTotal to use their service is that they don't keep the files you upload private, so always keep that in mind.
Results
Most times you will get results like this, where nothing is found:
For comparison here is a bad result:
If this happens, delete the file without running it.
False Positives
Unfortunately there is always the possibility of false positives, which is when some scanners say the file is bad while other scanners say it's good. My rule of thumb: if Microsoft, Symantec and McAfee all say the file is good, it's probably okay, but if one of them says it's bad, don't trust it.
Misc
VirusTotal also offers a REST API to check hashes or files. In most cases this would be overkill. A special script could be written to go through every file in a directory, generate its hash and send that hash off to VirusTotal. However, VirusTotal limits how many files and how often you can send files to the API with a free account, so you can't use it to scan all the files on your hard drive. In some instances you should be using a local scanner instead, and VirusTotal isn't a replacement for those.
The following blog post by JC_SoCal offers a reason, for you to consider, why you may not want to upload a file or hash to VirusTotal.
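The hashing step, the three-vendor rule of thumb from the False Positives section and the rate-limited directory script just described, tied together as an added example (not the post's own code): it only ever sends hashes, never file contents, so the sensitive-file concern above does not arise. Assumptions, labelled in the code: the directory walk, the rate limiter and the triage rule are illustrative; the default of 4 lookups per minute is a placeholder for a free key's quota and should be set to your own; the v3 endpoint (GET https://www.virustotal.com/api/v3/files/{hash} with an x-apikey header, per-engine verdicts under data.attributes.last_analysis_results) is the public API, but nothing is sent unless you call vt_lookup with a real key.

```python
"""Hash-only VirusTotal triage (added example, not the post's code)."""
import hashlib
import json
import os
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"
TRUSTED_ENGINES = ("Microsoft", "Symantec", "McAfee")  # the post's rule of thumb

Verdicts = Dict[str, str]                     # engine name -> VT category string
Lookup = Callable[[str], Optional[Verdicts]]  # sha256 -> verdicts, None if unknown


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hashes_in_directory(root: str) -> Dict[str, str]:
    """Map sha256 -> first path seen; identical content is looked up only once."""
    seen: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            seen.setdefault(sha256_of_file(path), path)
    return seen


class RateLimiter:
    """Space calls at least 60/per_minute seconds apart (4/min is a placeholder
    quota, an assumption). clock and sleep are injectable for offline testing."""

    def __init__(self, per_minute: int = 4, clock=time.monotonic, sleep=time.sleep):
        self.interval = 60.0 / per_minute
        self._clock, self._sleep = clock, sleep
        self._last: Optional[float] = None

    def wait(self) -> float:
        """Block until the next call is allowed; return the seconds waited."""
        now, waited = self._clock(), 0.0
        if self._last is not None and now < self._last + self.interval:
            waited = self._last + self.interval - now
            self._sleep(waited)
            now += waited
        self._last = now
        return waited


def simulate_rate_limiter(calls: int, per_minute: int = 4) -> List[float]:
    """Drive RateLimiter with a fake clock that only advances while sleeping."""
    t = [0.0]
    limiter = RateLimiter(per_minute, clock=lambda: t[0],
                          sleep=lambda s: t.__setitem__(0, t[0] + s))
    return [limiter.wait() for _ in range(calls)]


def vt_lookup(digest: str, api_key: str) -> Optional[Verdicts]:
    """One GET per hash; a 404 means VirusTotal has never seen the file."""
    req = urllib.request.Request(VT_FILE_URL.format(digest),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    results = body["data"]["attributes"]["last_analysis_results"]
    return {engine: entry["category"] for engine, entry in results.items()}


def triage(verdicts: Optional[Verdicts]) -> str:
    """'unknown' if VT or any trusted vendor has no result, 'suspicious' if a
    trusted vendor flags it, else 'clean' (the post's three-vendor rule)."""
    if verdicts is None:
        return "unknown"
    trusted = [verdicts.get(e) for e in TRUSTED_ENGINES]
    if any(v is None for v in trusted):
        return "unknown"
    if any(v in ("malicious", "suspicious") for v in trusted):
        return "suspicious"
    return "clean"


def scan_hashes(hashes: Dict[str, str], lookup: Lookup, limiter: RateLimiter) -> Dict[str, str]:
    """Look up each distinct hash once, honouring the rate limit; path -> verdict."""
    out: Dict[str, str] = {}
    for digest, path in hashes.items():
        limiter.wait()
        out[path] = triage(lookup(digest))
    return out
```

For a real run: `scan_hashes(hashes_in_directory("C:/Downloads"), lambda h: vt_lookup(h, API_KEY), RateLimiter())`. Anything that comes back "unknown" has never been uploaded, which is exactly the case where the post's advice about sensitive content applies before you decide to upload, and "suspicious" means delete without running, as the Results section says.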
Malware Analysis #1 Protip
Unless you are a malware analyst or think you are being directly targeted, you'll be okay.
Conclusion
Using this post you should know everything you need to know to be a basic VirusTotal user. VirusTotal is a great tool to have in your cyber protection toolbox.
*hash - a hash is the output of a special mathematical function used to assign an id to a file or a message. (Wikipedia - Hash Function)
Saturday, April 20, 2019
InfoSec News
One of the most important things for a professional to do is keep up with the latest cybersecurity news and alerts. Below is a list of blogs and Twitter users I follow. I use feedly.com to aggregate the blogs.
Google Online Security Blog
HackRead
Krebs on Security
SANS Internet Storm Center
Schneier on Security
The Hacker News
US-CERT Current Activity
E Hacking News
Errata Security
Graham Cluley
Hackmageddon
Have I Been Pwned
Malwarebytes Labs
Open Web Application Security Project (OWASP)
security - Ars Technica
TaoSecurity
The Register
TrendLabs Security
Twitter Handles to Follow
@RGB_Lights
@climagic
@VessOnSecurity
@2sec4u
@nostarch
@briankrebs
@DFIRTraining
@sempf
@markrussinovich
@azeria_labs
@secureideas
@x0rx
@jessfraz
@eric_conrad
@Fox0x01
@malwareunicorn
@malwrhunterteam
@swiftOnSecurity
@MalwareJake
@kevinmitnick
@Code_analysis
@OnRyanmac
Thrift Shop Find