Takeaway from conferences (so far…)

Time flies when you’re hav­ing fun, and we’re already into the sec­ond half of 2015!

On a per­sonal level, it’s been a great 6 months, I have spo­ken at 10 con­fer­ences in as many cities and as you read this post I’m at Poly­conf in Poznan! 

The great thing about being at so many con­fer­ences is that you get to learn so much from oth­ers. I’ve got­ten into the habit of writ­ing up a sum­mary of what I learnt from these con­fer­ences (where time per­mits of course).

If you missed them here are my take­aways from the con­fer­ences from 2015 so far.



Kyle Kings­bury — Jepsen IV: Hope Springs Eternal

Michael Nygard – Archi­tec­ture with­out an End State

Tam­mer Saleh – Microser­vice Anti-patterns

Michael Feath­ers – The Hid­den Dimen­sion of Refactoring

Adrian Tre­na­man – Scal­ing micro-services at Gilt

Dan North – Beyond Features

Expe­ri­ence report

You can find the record­ing of all the talks by room here:


QCon Lon­don

Melissa Per­ris – The Bad Idea Terminator

Matt Ran­ney – Scal­ing Uber’s real­time mar­ket platform

Randy Shoup – Ser­vice archi­tec­tures at Scale, Lessons from Google and Ebay

Kevlin Hen­ney – Small is Beautiful

Adam Torn­hill – Code as Crime Scene

You can find record­ing of the other talks here, the list is incom­plete yet as InfoQ releases only one video a week.


Code­Mo­tion Rome

Richard Rodger – Mea­sur­ing micro-services


Joy of Coding

Expe­ri­ence report


Func­tional Pro­gram­ing eXchange

Expe­ri­ence report

You can find record­ing of the talks here.


What next?

For the sec­ond half of the year, I’ll exer­cise bet­ter restraint and limit my appear­ance at con­fer­ences (I have all but exhausted my vaca­tion days this year already…).

But, that said, I’m signed up to a few more con­fer­ence yet:

code.talks in Ham­burg, Sep 29th — 30th


OSCON Europe in Ams­ter­dam, Oct 26th — 28th


Ore­dev in Malmo, Nov 4th — 6th


NDC Oslo 15 – Takeaways from “50 Shades of AppSec”

This year’s ver­sion of NDC Oslo has a strong secu­rity theme throughout,and one of Troy Hunt’s talks — 50 Shades of AppSec — was one of the top-rated talks at the con­fer­ence based on attendee feedbacks.

Sadly I missed the talk whilst at the con­fer­ence but hav­ing just watched it on Vimeo it left me amused and scared in equal mea­sures, and won­der­ing if I should ever trust any­one with my per­sonal infor­ma­tion ever again…


Troy started by talk­ing about the democ­ra­ti­sa­tion of hack­ing, that any­body can become a hacker nowa­days, e.g.:

  • a 5-year boy that hacked the XBox;
  • Chrome exten­sion such as Bishop that scans web­sites for vul­ner­a­bil­ity as you browse;
  • online tuto­ri­als on how to find a site with SQL Injec­tion risk and paste a link into tools like Havij to down­load its data;
  • or you can go to hack­erlist and hire some­one to hack for you

The fact that hack­ing is so acces­si­ble these days has given rise to the cul­ture of hacktivism.


When it comes to hack­tivism, besides the kids (or young adults) you keep hear­ing about on the news, there’s a darker side to the story – crim­i­nal hack­ing.

Crim­i­nals are now tak­ing black­mail­ing and extor­tion to the dig­i­tal age and demand­ing bit­coins to:

  • remove your (sup­pos­edly com­pro­mised) data from the internet;
  • to expose more (sup­pos­edly com­pro­mised) data;
  • stop them from com­pro­mis­ing a busi­ness’ rep­u­ta­tion and online presence

And it’s not just your com­puter that’s at risk – routers can be hacked to ini­ti­ate spoof attacks too. This is why encryp­tion and HTTPS is so important.


The good news is that even smart crim­i­nals are still fal­li­ble and some­times they get tripped up by the sim­plest things.

For exam­ple, Ross Ulbricht (cre­ator of Silk Road) was caught par­tially because he used his real name on Stack Over­flow where he posted a ques­tion on how to con­nect to a hid­den Tor site using curl.

Or how Jihadi John was iden­ti­fied because he used his UK stu­dent ID to qual­ify for a dis­count on a Web Devel­op­ment soft­ware, that he was try­ing to pur­chase from a com­puter in Syria with a Syr­ian IP address.


Are we devel­op­ers mak­ing it too easy for  crim­i­nals? Judg­ing by the hor­ror exam­ples (which, ok, might be a bit extreme) Troy demon­strated, per­haps we are.

From the hor­ri­fy­ingly obvious…




to per­haps some­thing a bit more sub­tle (any­one who knows your email and DOB could reset your bet­fair pass­word, until they fixed it after Troy wrote a post about it)…



Some­times we also make it too easy for our users to be inse­cure. Again, from the obvious…



To some­thing more sub­tle (the fol­low­ing makes you won­der if pass­words are vis­i­ble in plain text to a human oper­a­tor who is offended by cer­tain words)…



Notice that a recur­ring theme seems to be this ten­sion between secu­rity and usabil­ity – e.g. how to make login and pass­word recov­ery simpler.


Per­haps the prob­lem is that we’re not edu­cat­ing devel­op­ers correctly.

For instance, how is it that in 2015 we’re still teach­ing devel­op­ers to do pass­word reset like this and leav­ing them wide open to SQL Injec­tion attacks?


or that base 64 encod­ing and ROT13 (or 5 in this case..) is a suf­fi­cient form of encryption…




But it’s not just the devel­op­ers that are at fault, some­times even secu­rity audi­tors are account­able too.



And of course, let’s not for­get the users.

For exam­ple, you might not want to have your pass­words broad­casted on national TV




But we are also at fault for giv­ing mixed mes­sages to our users.

For exam­ple, why would a QR code scan­ner need access to your cal­en­dar and con­tacts? But with the design of this UI, all the user will see is the big green ACCEPT but­ton that stands in the way of get­ting done what they need to do.


And social media is par­tic­u­larly bad when it comes to giv­ing con­fus­ing messages.

Some­times they aren’t even trying…


other times they make up things such as “secu­rity cer­tifi­cates” and throw scary words like “brute force attack” at users (how you are left open to one if you allow peo­ple to paste pass­words in the text box is beyond me)…


and some­times we leave users vul­ner­a­ble to crim­i­nals (e.g. what if a crim­i­nal were to look for sim­i­lar responses on EE’s twit­ter account and then con­tact these users from a legit­i­mate look­ing account such as @EE_CustomerService with the same EE logo)…



And you can’t talk about secu­rity with­out talk­ing about gov­ern­ments and sur­veil­lance (and Bruce Schneier talked about this in great detail in his open­ing keynote too).

For exam­ple, the US gov­ern­ment has tech­nol­ogy that can wire­tap your VGA cable and see exactly what’s on your monitor.


Snowden’s leaks also showed that the US gov­ern­ment was look­ing at Google’s infra­struc­ture to find oppor­tu­ni­ties where they can siphon up all your data.


And UK’s prime min­is­ter David Cameron was recently call­ing for an end to any form of dig­i­tal com­mu­ni­ca­tion that can­not be inter­cepted by the government’s intel­li­gence agencies!



Finally, appsec gets really inter­est­ing when it inter­sects with the phys­i­cal world.

For exam­ple, when we blindly apply prac­tices in the dig­i­tal world in the phys­i­cal world, some­times we for­get sim­ple truths about this world such as let­ters are deliv­ered in envelops with large win­dows on them…


and the phys­i­cal world has a way of cir­cum­vent­ing secu­rity mea­sures designed for the dig­i­tal world…



As the dig­i­tal and phys­i­cal become ever more inter­twined in IoT, secu­rity is going to be very interesting.

For exam­ple, a vul­ner­a­bil­ity was found in LIFX light bulbs which leaked cre­den­tials for the wire­less net­work, allow­ing an attacker to com­pro­mise your home network.

Whilst LIFX has since fixed the vul­ner­a­bil­ity, the con­cern remains that any wifi-connected devices is ulti­mately vul­ner­a­ble and may be hacked.

How do we edu­cate devel­op­ers to defend against these attacks when so many of them are start ups in a hurry to hit the mar­ket just to sur­vive? How do we detect these vul­ner­a­bil­i­ties and inves­ti­gate them? If your net­work is com­pro­mised would you look to your light bulb as the entry point of the attack?

There are many ques­tions we don’t even know to ask yet…

As for the users, if they’re strug­gling with keep­ing their pass­words under con­trol, how do we begin to edu­cate them on the dan­gers they’re expos­ing them­selves to when they pur­chase these “smart” house appliances?


For any­one who has played Watch Dogs, remem­ber at the end of the game Aiden Pearce kills Lucky Quinn by hack­ing his Pace­maker? This is the real­ity of the world that we are headed, and these kind of risks will be (are?) very real and would impact all of us. Based on the evi­dence Troy has shown, it’s a world that many of us are not ready for…




My adventure with Elm @ NCrafts

Yan Cui - MY ADVENTURE WITH ELM from NCRAFTS Conferences on Vimeo.

with accom­pa­ny­ing slides here:

All the FP talks at NDC Oslo

Great news, record­ing of all the talks at this year’s NDC Oslo has been uploaded to Vimeo!

It’s a lot of videos to go through, so I’ve curated all the talks from the FP track this year, includ­ing my new talk “A tour of the lan­guage land­scape” where I cov­ered some inter­est­ing ideas and con­cepts span­ning across a num­ber of lan­guages – F#, Clo­jure, Go, Rust, Idris, Elm and Erlang.

Binary and Json benchmarks updated

DISCLAIMER : as always, you should bench­mark against your pay­load and use case, the bench­mark num­bers I have pro­duced here is unlikely to be rep­re­sen­ta­tive of your use cases and nei­ther is any­body else’s bench­mark numbers.

You can use the sim­ple test har­ness I cre­ated and see these exam­ple code to bench­mark against your par­tic­u­lar payload.



Only FsPick­ler was updated for this bench­mark so there are no sig­nif­i­cant changes in per­for­mance here.





Quiet a few of the JSON seri­al­iz­ers had been updated since the last update:

  • fastJ­SON
  • FsPick­ler
  • Jil
  • Mon­goDB Driver
  • ServiceStack.Text
  • System.Text.Json

I have retired Jay­Rock and JsonFx from the test since both are way behind the com­pe­ti­tion and haven’t updated for a while, so I con­sider both to be no longer of interest.



*protobuf-net is in this list purely as a bench­mark to show how the tested JSON seri­al­iz­ers com­pare to one of the fastest binary seri­al­izer in .Net.