[devnexus 2022] pattern matching for Java

Speaker: Neha Sardana

Twitter: @nehasardana09

Link to table of contents

———————

Records

<missed this part; I was late>

Sealed class

  • Want to control children
  • More declarative than access modifiers
  • Can make widely accessible interface without widely extensible
  • Sets stage for pattern matching.

Pattern Matching

  • Pattern matching created in 1960s
  • Helps with clean code, avoiding repetition/bugs

Instanceof

  • matches target object to type pattern
  • sets binding variable – special case of local variables, can be assigned, can shadow field declarations
  • flow scoping – places in program where variable definitely assigned

Switch expressions

  • Limitations on switch/case are accidents of history.
  • Java 17 preview allows pattern matching in case
  • Java 19 – write “when” instead of && in case
  • Can assign result if all cases covered (enums and sealed classes can be listed exhaustively).

Future

  • Record patterns (deconstruction patterns). ex: if (r instanceof Rectangle(Point ul, Point lr))
  • Can also deconstruct arrays
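The sealed-class, instanceof, switch and record-pattern points above, pulled together in one added example (mine, not the speaker's code), written for Java 21 where these features are final. The security-relevant payoff is in the switch: because Shape is sealed, the compiler knows every permitted subtype, so the switch is exhaustive without a default and a new subtype added later is a compile error instead of a silently unhandled case.

```java
// Added example (not from the talk), targeting Java 21, where sealed types,
// record patterns and switch patterns are all final features.
sealed interface Shape permits Circle, Rectangle {}
record Point(double x, double y) {}
record Circle(Point center, double radius) implements Shape {}
record Rectangle(Point ul, Point lr) implements Shape {}

public class PatternDemo {
    // instanceof type pattern with flow scoping: the body returns when the
    // match fails, so past the if the match definitely succeeded and the
    // binding variable 'r' is in scope.
    static boolean isSquare(Shape s) {
        if (!(s instanceof Rectangle r)) {
            return false;
        }
        double w = Math.abs(r.lr().x() - r.ul().x());
        double h = Math.abs(r.lr().y() - r.ul().y());
        return w == h;
    }

    // Switch expression over a sealed interface: no 'default' needed because
    // the permitted subtypes are known. Record patterns deconstruct the
    // components in place (nested for Rectangle); 'when' adds a guard, and
    // the guarded Circle case must come before the unguarded one.
    static double area(Shape s) {
        return switch (s) {
            case Circle(Point center, double radius) when radius <= 0 -> 0.0;
            case Circle(Point center, double radius) -> Math.PI * radius * radius;
            case Rectangle(Point(double x1, double y1), Point(double x2, double y2)) ->
                    Math.abs(x2 - x1) * Math.abs(y2 - y1);
        };
    }

    public static void main(String[] args) {
        Shape square = new Rectangle(new Point(0, 0), new Point(2, 2));
        Shape disc = new Circle(new Point(1, 1), 1);
        System.out.println("square? " + isSquare(square) + ", area " + area(square));
        System.out.println("square? " + isSquare(disc) + ", area " + area(disc));
    }
}
```

Save as PatternDemo.java and run with `java PatternDemo.java` on JDK 21 or later; removing the Rectangle case from the switch shows the exhaustiveness error at compile time.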

My take

I thought this topic would be all review, but I still learned something (“when”). It was great to see Neha’s first public in-person presentation! Good job!

[devnexus2022] help your boss help you

Speaker: Ken Kousen

Twitter: @kenkousen

Link to table of contents

———————

  • Target audience: professionals who don’t want to move to management

Conflicting Wants

  • Conflict with manager is inevitable because want different things.
  • Intrinsic motivations include autonomy, using strengths, promoting learning/development
  • As get older, care more about intrinsic needs
  • Want respect/rewards, but not accidentally getting promoted into management
  • Management wants those things, but only if they make money
  • Management evaluated differently. Costs matter.
  • Priorities/incentives overlap but are different
  • Money includes budget, resources, personnel. Management cares way more about these things than we do. Higher the levels of management think about these even more than your direct supervisor
  • If technical problem goes up high enough, conversation about cost – fine, people, etc. The problem itself is secondary
  • Try to operate in intersection, but acknowledge discrete parts still happen

Why managers bad at job

  • Our supervisors are on lowest rung of management
  • Many places, switch job from technical to management so new to role
  • Ambitious managers already looking to leave job and move up
  • Everyone needs to show confidence and look like know what doing to be trusted with project. Which is very different than school where get called out if wrong.
  • Not as technical as employees, especially senior ones.
  • Their job isn’t to be a technical person. Others work full time on being technical.
  • Know not great at managing yet. We have to train them to become better at their job
  • Rookie managers don’t know what is worth discussing vs rubber stamping

Learning in software

  • Imposter syndrome is extreme of this
  • Professionals working at limit of what know. If well defined, can be outsourced. Don’t need a professional.
  • Hard to make leap to OO. We’ve done so long we don’t remember not knowing.
  • “Everything in math is arithmetic because know it already”

Trust

  • Build professional relationship for as long as work together
  • Establish trust that manager will fight organizational battles, look out for best interest, defend when problems arise
  • Consider your manager an ally at a higher level so listened to by other people at that level
  • Manager needs to trust you to do your job to the best of your ability or let them know about a problem while still early enough to replan/manage problem. Manager can help you figure out a plan.
  • Know your manager and whether can tell about mistakes honestly or if it will backfire
  • Manager needs you to support their decisions, at least publicly.

Constructive loyalty

  • This is why a high level person brings in their own people
  • Goal is not to do everything they tell you, not following blindly.
  • Can do nothing or leave. Or…
  • Alternative is a long term solution and may not work. May have to tune to circumstances. Better than doing nothing or leaving.
  • Only two messages want to give your boss: “I got this” (confidence, will take responsibility) and “I got your back” (will support publicly, say “we”)
  • Manager knows you don’t know how to do a task when given to you. Need to know when you talk about “impossible” when real vs venting
  • When manager’s manager asks about a problem, say “we”. Have team own it. Manager’s manager is a manager and knows what you are doing/will view it as loyalty
  • Part of your job is to make your manager look good to their manager. Do not violate this. Your manager will know who said it.
  • Instead say, “I think you are wrong, I’d like to appeal to X” and go together. They will likely back up boss and then you listen. Should be issue, not crisis.

Responsiveness

  • Respond to requests as fast as practical.
  • Manager doesn’t care that busy and wait for a response.
  • Email template to any long term/open ended request: “I don’t know, but . Here’s what I do know/think/would go to find out. Do you want me to look into it?” This lets you know if it was a gut reaction thing or a request to spend time on it at the expense of what you were originally doing
  • Gets manager a response quickly and gets off your plate
  • Most of the time, the manager doesn’t want you to spend time on it
  • A good enough answer today is better than a great answer next week

Prisoner’s Dilemma

  • Book: Evolution of Cooperation.
  • Can play at ncase.me/trust
  • If only one iteration, makes sense to defect
  • Tit for Tat is a top strategy – cooperate on first move and play opponent’s previous move. Favors cooperation. Retaliates/forgives immediately
  • Cooperation can emerge naturally as long as both parties recognize will be doing this again.
  • Pushing back against manager is scary the first time. Gets easier.
  • Retaliation doesn’t have to be symmetrical/job not symmetrical. Can be a conversation with your manager and discuss/negotiate privately and then go back to work
  • Balance. Cooperation (I got this), retaliation (push back), forgiveness (back to work)

Leaving

  • Builds up evidence that you are unhappy and tried to deal with it
  • Don’t want to surprise manager that leaving. Want chance to make it work
  • For business conflicts, not harassment.
  • If doesn’t work, would have left anyway
  • Words used for push back vary by person. Try on something small. “Hey, I’m not happy about x”

Your Boss is not your Friend

  • This is a trap
  • Don’t want to be surprised/hurt when make decision against you.
  • Will overshare. Could lose opportunities

Your boss is not your Enemy

  • Expensive to replace you
  • Boss looks bad if let you go

Other

  • Can’t fix micromanagement. Will work out because can’t do management while doing your job
  • Flat org is thought of as a feature, but means low regard for management skills. Someone needs to do job. Whomever decides your future is your manager regardless of title.
  • Important to meet every few weeks. Regular interactions necessary
  • “That turns out not to be the case” or “I can see why you might think that” – good phrases for saying wrong

My take

I really need to read the book. I own it, but haven’t gotten to it yet. The talk was great and relatable. I definitely need to read the book. I like that there were a lot of stories. I was definitely able to tie them to examples of things I’ve experienced. Only problem is that Ken ran long and I was late to the next session.

[devnexus 2022] java and ransomware

Speaker: Steve Poole

Twitter: @spoole167

Link to table of contents

———————

Ransomware crimes

  • robbery
  • blackmail
  • extortion
  • revenge
  • murder – ex: hospital attacks

Symptoms

  • files gone
  • files corrupt
  • unexpected files on system – obvious so believe it is real
  • prevent logging on
  • threats to delete or publish data
  • link to cryptocurrency wallet and amount – hard to trace

How get into system

  • Phishing – Impersonate boss, etc. Significant targeted social engineering. Understand business/context. Attachment with malware
  • Malware – mostly Windows
  • Government #1 target. Then education/services/health care/tech/manufacturing/retail/utilities/finance
  • Target single company or org. Look for poor security hygiene
  • Vulnerabilities/CVEs
  • Supply chain attacks
  • Remote code execution

Once have access

  • Pull encryption keys
  • Encrypt files not used often first
  • Then encrypt files used in memory so works until restart
  • Gigabytes/terabytes of data – takes time
  • Would notice if network got slow so sneaky
  • Copy critical data out disguised as normal traffic. Hide in other payloads
  • Sometimes responses to “legit” request
  • Almost always via botnets
  • Paying helps fund more
  • Rare to shut down. Instance of giving up decryption keys when one group folded

Motive

  • Data kidnapping – pay or release data
  • Blackmail – dirty payments, porn
  • Revenge – disgruntled employee, cripple systems
  • Competitor – wipe you out/steal secrets
  • Worse – weaponized attacks from nation states
  • Some of these cases do not intend to give data back
  • Cybercrime beat drugs in value
  • Ransomware is worth 6 trillion

War

  • Can be test case to see if can get in
  • Goal is to infiltrate infrastructure and essential services quietly so can manipulate/terminate when need
  • Break supply chain

Attacks

  • Used to wait for vulnerability to be announced and build attack. Now create own.
  • Open source repo attacks – attempts to get malware into source
  • Typosquatting – lookalike domain/dependency with minor typo
  • Build tool attacks – attempts to get malware into tools that produce dependency
  • Dependency confusion – later version ex “latest”
  • Designed to stay hidden until needed

General

  • Dependency confusion, typosquatting and malicious code injection increased 650% in 2021
  • New world – state funded, professionally developed, regularly exercised, very sophisticated and extremely lucrative
  • Could even be someone at conference – have to gain the skills

Costs

  • Being out of action
  • Recovery
  • Data loss – data recovery never 100%
  • Human cost – finger pointing, guilty feelings, feeling of being invaded/not trusting security systems
  • Data integrity – can modify/inject data when return

Java

Log4j

  • Still lots of log4j downloads (thru 4/11/22)
  • 36% on a day in April were vulnerable
  • Need right tools – check the dependencies actually shipped (including inside fat jars), not just your pom
  • Try dependabot
  • Write test cases and see if your tool can find
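The point that the log4j you ship may be buried inside a fat jar rather than visible in your pom, as an added example (mine, not the speaker's code): it walks a jar and any jars nested inside it and reports the log4j-core version recorded in the pom.properties Maven writes into each artifact. The class name, the output format and the nesting path separator are my choices; the META-INF/maven/<group>/<artifact>/pom.properties location is the Maven convention, and a shaded or repackaged jar can drop that file, which is exactly why the talk suggests writing a test case to see whether your tool finds it.

```java
import java.io.*;
import java.util.*;
import java.util.zip.*;

// Added example, not from the talk: list the log4j-core versions bundled in a
// jar, including jars nested inside a fat jar, by reading the pom.properties
// Maven writes into each artifact at META-INF/maven/<group>/<artifact>/.
public class Log4jJarScan {
    static final String LOG4J_CORE_PROPS =
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties";

    // Walks one jar supplied as a stream; 'where' records the nesting path.
    static void scan(InputStream in, String where, List<String> findings) throws IOException {
        ZipInputStream zip = new ZipInputStream(in);
        ZipEntry e;
        while ((e = zip.getNextEntry()) != null) {
            String name = e.getName();
            if (name.equals(LOG4J_CORE_PROPS)) {
                Properties p = new Properties();
                p.load(zip); // reads only up to the end of the current entry
                findings.add(where + " -> log4j-core " + p.getProperty("version", "?"));
            } else if (name.endsWith(".jar")) {
                // Nested jar (e.g. BOOT-INF/lib in a Spring Boot fat jar): recurse
                // on a copy of the entry so the outer stream keeps its position.
                byte[] nested = zip.readAllBytes(); // stops at the end of this entry
                scan(new ByteArrayInputStream(nested), where + "!" + name, findings);
            }
        }
    }

    // Returns one line per bundled log4j-core found; empty means none recorded.
    public static List<String> scanFile(File jar) throws IOException {
        List<String> findings = new ArrayList<>();
        try (InputStream in = new FileInputStream(jar)) {
            scan(in, jar.getName(), findings);
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        for (String path : args) {
            List<String> found = scanFile(new File(path));
            if (found.isEmpty()) System.out.println(path + ": no log4j-core pom.properties found");
            for (String f : found) System.out.println(f);
        }
    }
}
```

Run it as `java Log4jJarScan.java build/libs/app.jar` and compare the reported versions against what your pom declares; a version that appears here but not in the pom came in transitively or through repackaging.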

My take

Good collection of info and supporting data. Wrapped in a compelling story. Security talks are often scary, and the first conference in a while provided more time for bad things to happen!