NDC Oslo 2015: Talk notes, recommended talks (security, FP, etc.)

A great conference. A good deal of good talks.

To (perhaps) check later




Keynote Data and Goliath ☆☆☆☆


Inspiring, slightly eye-opening!

Key points: We live in a society of ubiqutious surveillance. We need to share data to get great services yet we need to ensure personal privacy and security - finding the right balance will be a major dialog in the near future. Currently we share too much, too freely. Even high-tech, presumabely super secret surveillance tools and SW had their cousins presented at security conferences => anybody can build these, and many do. Either everybody gets to spy - or nobody does => build security in.

Check out Schneier's book Data and Goliath and blog.

Lean and FP ☆☆


Nice intro to Lean and FP, some nice points (e.g. why do companies fail in adopting FP). A little new stuff for me; it wasn't a waste of time but perhaps I could have seen a more valuable talk.

A tour of the language landscape ☆☆


It's interesting to learn about various cool capabilities of other languages. But it is more useful as an inspiration, there is little you can start using in your daily work. The slides are worth going through.


  • F#: Pipes (~ Clojure threading macro), Type Providers (e.g. get autocompletion, compile-time checks for browsing your Amazon S3 bucket), Unit-of-Measure (=> 2 + 2 fails), Statically Resolved Type Parameters
  • Clojure: Macros
  • Go: Implicit Interface Implementation (define an interface with a method; everything having the method autom. implements it, no need to tag those (which would be impossible for 3rd party code) => type safety and convenience)
  • Rust: Borrowed Pointers (autom. memory management without GC overhead - a piece of code owns a pointer => destroyed when the scope is left but can "borrow" it to code (of not longer scope) that it calls)
  • Erlang: Actor Model, Bit Syntax
  • Idris: Dependent Types, Uniqueness Types
  • Elm: Signals (reactive programming (Rx))

Also: Example: Functional Reactive Programming decisively beats Imperative on simplicity, length

Async and Streaming JavaScript, We're All Doing it Wrong! ☆☆☆


Useful. Highlights limitations of / issues with Promises and (Node, WHATWG Streams). Demonstrates how Reactive Programming (e.g. RxJS) is a superior solution. About the coming inclusion of (some of) Rx in JS.

See NDC: Async and Streaming JavaScript, We’re All Doing it Wrong! (Promises, Streams, Rx)

Learning from Haskell ☆☆☆


Venkat Subramaniam is a skilled speaker. This was fun and enriching look at what we can learn from Haskell and hopefully use in our daily programming even if we use C#.

See list of the lessons learned.

50 Shades of AppSec ☆☆☆


Fun, scary. Examples of some hacks, surprisingly terrible security at many places, demo of tools that hack a site for you. Recommended as an eye opener to the importance of security.


  • Bishop: > Bishop is a vulnerability scanner that searches websites in the background while you browse, looking for exposed version control systems, misconfigured administrative tools, and more. With a whitelisting regex system, you can easily restrict this tool to hosts that you are authorized to scan.
  • Havij: Find & elverage SQL injection vulnerabilities automatically
  • Hire a hacker on-line: https://hackerslist.com/

Idioms for building distributed fault-tolerant applications w/ Elixir ☆☆


A light introduction to the Erlang VM and Elixir.


  • Explicit over implicit state
  • Transformation over mutation

Elixir is a distributed > concurrent > FP lang (in the order of importance).

Elixir goals: Compatibility, Extensibility => macros, Productivity.

  • Productivity: 1st class docs, tooling (ExUnit, IEx, Mix), hex packages

Demo: Agents, pattern matching, tools, supervision, streams (=> lazy computations), ... .

Event Sourcing and DDD with F# ☆


After a brief introduction of E.S. (without going into why/when), the speaker presented E.S. as two functions (decide, evolve) and went on implementing a simple card game in F# using that. Cool: Own given-when-then test "framework" in just few lines of code. The talk concluded with demonstration of plugging in an actual Event Store server and load + save functions and using an Agent to hold the current state.

Command + [state]: (decide) -> event(s) -> store them, evolve the state

decide: fn(state, command) -> Eventsevolve: fn(initial state, state, Event) -> state

A little too low-level both on F# and even sourcing but OK to follow on the some-understanding level. My main lesson learned is that F# looks nice, concise, powerful. And FP is certainly a good match for E.S.

Phoenix - a framework for the modern web ☆☆


Elixir with Phoenix (and Plug) => Performance and Productivity.

The most frequent quote:

It's just a function call

  • Request lifecycle: Endpoints -> Routers -> Controllers


  • Middleware = just functions => compositions
  • Helpful errors (and web view); "if you can't understand an error, it's a bug"
  • Just mix in the comments generator to enable comments in the page and add the generated controller to your pipeline
  • mix ecto.migrate => data migrations
  • static assets with Brunch (Node; combine, minify, watch for changes, ...)
  • ES6 transpiler included
  • live reload (html, css, ..)


  • Under-1ms response times
  • Views and templates: precompiled, fast, function calls. Views render templates (embedded elixir, HAML, or another). Thx to metaprogramming, render becomes just string concat. at runtime.
  • Ex.: Phoenix on RaspberryPi (16MB mem, 540req/s serving a simple HTML)
  • Robust concurrency model - extremely lightweight processes ( no global pauses; load balances on IO and CPU
  • Pattern-matched route dispatch, the VM is very fast at it (Note: Convenience fn to get route for a controller/... => metaprogramming posibilities)
  • Channels (Pub/Sub): trivial realtime communication (for connected devices) - WebSockets with minimal code Clients for the browser (fall-back to long-polling), for Objective-C, eventually Android. Embedded devices: CoAP instead of WS. Can use Redis, ... . Synchronous0like communication possible; JS ex.: chan.push(..).receive("ok", okFn).receive("error", errFn).
  • Distributed cluster support (that's what Erlang always did with multiple communicating switches)
  • Everything is a separate process => one channel crashing cannot harm other channels.

Ex.: Chat.Endpoint.broadcast("rooms:lobby", "new_msg", %{username: "me", body: "hello"}) => all connected clients receive it, no matter whether local or remote.

  • Erlang: Erlang handles 1/2 of the world's telecom traffic. Reported 99.999999999% availability.
  • WhatsApp: 2M conn/server; 400M users, 30 engineers
  • Update your code while the app is running! Apps that run forever.

Awesome Elixir: A curated list of amazingly awesome Elixir and Erlang libraries, resources etc.

The Power and Practicalities of Immutability ☆☆☆☆


In F#, mutable is the keyword of shame.

Immutability (assignment-less programming where mutation is replaced by transformation) doesn't remove mutation it just pushes it to lower-level code - the same we did with goto, which disappeared from our code but still is in the bytecode/asm/.. .

Assignment is to Functional Programming as goto is to Structural Programming.

How to program w/o assignments:

  • Recursion; cons:
  • It can blow up the stack (tail-cole optim.)
  • Some problems do not fit it naturally
  • Move mutation to lower level => build from a higher-level, safe building blocks; Ex.: for loop -> list.Select(e => e*2)

The problems

  • Mutability
  • Hard to reason about the code (especially if multiple variables)
  • Difficult to manage state transitions; concurrency difficult;
  • Imperative progr. (e.g. a for-loop)
  • I need to say both what and how to do (like a toddler - fun on the 1st day, not the other 18 years :-))
  • Mutating variables all the time

Benefits of immutability (and pure functions)

  • easy to reason, understand, explain, test
  • memoization
  • referential transparency (it's possible to replace a call with its result) => optimizations (exec. reordering, running concurrently, memoization, ..)
  • immutability enables laziness (e.x: {1,2,3,4}.Where(e => e > 3).Where(e => e % 2 == 0).Select(double).firstOrDefault() - all the checks and the doubling are only executed 0-3 times)
  • immutability makes parallelization affordable


  • Examples in C#, F#
  • Ex.: sum, double a list, ...
  • "Encapsulation" = "I don't care" :)

How to turn software into competitive business advantage ☆☆☆☆


Gojko Adzic is my favourite speaker, with many good thoughts (and experiences).

Continuous delivery has huge side-effects. Exploit them and open new business opportunities. Fast is good when there is human control over it - when business people have no say in what gets updated when, they loose control (and are unhappy).

  • Can we control C.D. or are we loosing control of it?
  • Ex.: Vehicle charger => possible fire: for Tesla it was just an over-night automatic software update contrary to GM that had to recall the cars.
  • Marketing side-effect of C.D.: No more big releases to have press conference about
  • C.D. is important for devs but we don't want to piss off users
  • UX: CD (i.e. partial delivery) => user confusion

Gojko's 3 rules

C.D. nay not ...

  1. confuse users
  2. interrupt users' work of sessions
  3. disrupt or prevent marketing initiatives

Deployment != Release

  • Release is a marketing event, biz decides.
  • We need to support running multiple versions of the SW in production (so current users are not interrupted, biz may decide when to switch over)
  • Problem: data. Ex. solution: add data (format) version field
  • Gentle deployment: Release a new version in || to the old one, enable (and motivate) users to switch at will while preserving the ability to go back (if they encounter any issues ...)

Continuous Delivery without multi-versioning is irresponsible!

2 things to remember:

  • Decouple deployment and release
  • Give 2% of users a 100% solution, do not force-feed 100% users with 2% of scope

Modern architectural patterns for the cloud


Perhaps not a bad overview of various patterns (DB replication, sharding; CQRS, event sourcing, map reduce). Too little knew at start and then I lost focus :)

Get Unblocked (unleash your creativity) ☆☆☆


Fun, inspiring. Good tips for overcoming our internal barriers to creativity (and a happier life). Slides. Book: Banish Your Inner Critic.

The entire industry is broken - managers are from Mars, developers from Venuse. Micromanagement, open spaces / cubicles, time pressure, demanding clients, bureaucracy, ... .

  • Face and ID your internal critic
  • Impostor syndrom ("I don't deserve this, I am not good enough for it")
  • Don't compare yourself to other people
  • Perfectionism (focus on the product rather than the creative process) (Pottery exp.: 1/2 tries to make the best pot, 1/2 as many as possible => the latter had more and many really good.)
  • Procrastination (feeds Perf. and v.v.)
  • Banish slave words from your vocabulary - Eliminate should/must/ought to/...
  • "Failure is only the opportunity to begin again more intelligently." H. Ford
  • Stressed? Make it really bad on purpose => overcome the block of trying to be perfect.
  • Get into the Alpha brain waves mode (more relaxed than the normal beta)
  • Breath to re-focus
  • Lay down
  • Daydream / space out
  • Take shower
  • Get physical - movement allows the hemispheres to sync, ...
  • Exercise discipline
  • Manage time (if stressed => no place for creativity)
  • Make "To DON'T" lists - what not to do (stop, delegate, ...)
  • Say NO to distractions (see http://theheadphonesrule.com/)
  • Apps: Consider the RescueTime app => increase awarness; Mac: HeyFocus.com when on, stops you from going to distractive pages and apps; GetConcentrating.com; browser extensions, .. - see the slide
  • Single-task (instead of multi-tasking) - e.g. the Pomodoro Technique; especially useful when you do something you don't like to do (during the 5 min break activate via a walk, laying down, having a look at the sky, ...)
  • Do it with others - we come up with better / different things when working with others. Avoid sameness! => diverse environments. Share your ideas. Share mistakes. Amplify the ideas of others - try to help them to build them. Make your partned look good.
  • "Yes, and .." technique (useful for meetings!) - don't shut down others' ideas - "yes, we can do this - and we can do this other thing"


F.alse E.vidence A.ppearing R.eal (Or Fuck Everything And Run)


A security testers toolkit ☆☆☆☆


Awesome! Scary! You have to see this! This is a real eye opener, demonstrating how easy hacking can be (especially with cooperating users via little social engineering).

You can only fight the way you practice - Miyamoto Musashi


  • Kali Linux
  • nmap (network mapper)
  • Veil fwrk - avoid anti-virus
  • Metasploit
  • BeEF - The Browser Exploitation Framework


  • To find: https://cve.mitre.org/ - more info at the web.nvd.nist.gov (linked)
  • To exploit: https://www.exploit-db.com/
  • To find possible targets: shodan.io - search by SW (e.g. "IIS 6.0") and punkspider - search for vulner. in a given site or domain: ".no". Search Diggity - incl. Google Hacking DB - also a good learning source about vulnerabilities (what does it search for?)

Kali Linux

  • Kali Linux VMs
  • Many hacking tools
  • Demo (see exploiting vsftpd):
  • Run against Metasploitable is an intentionally vulnerable Linux virtual machine
  • Zenmap: GUI for nmap
  • Metasploit - provides an interactive shell; need to know the exploit: use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST ; exploit
  • Wifi hacking
  • Use a wifi card enabling monitoring, compatible with Kali - e.g. one of the Alpha cards
  • Aircrack-ng - WPA-PSK keys cracking program
  • airmon-ng => start the device in monitor mode, list devices around, ...
  • WPS (Wi-Fi Protected Setup) is very crackable
  • PwnSTAR - soft access point - set up an AP, nmap scan clients, ...
  • Armitage - GUI - if nmap, metasploit complicated, this is a nice, visual representation of the network and vulnerabilities on it; scan net -> scan a host -> "Attacks - Find Attacks" (Hail Mary - lunches 100s of exploits, not stealthy at all). Also a paid version Cobalt Strike, more powerful.
  • BeEF - hook into a website, take over a browser => detect extensions, send commands to them, metasploit, social eng. attacks, ... Send fake flash/java/last pass update, petty theft - "facebook session timed out" popup (e.g. on any site with Fb integration), a Clippy help offer, ... .
  • Veil - SW avoidance toolkit - generate payloads against machines, take them over - create f.ex. a "call home" .exe (connects to your metasploit server later command the app and take over the PC) (call it e.g. LastPassUpdate.exe, FlashUpdate.exe, ...)
  • load espia; screengrab; keyscan_start; keyscan_dump; getsystem => elevate to local admin; load incognito; add_user XYZ myPsw; add_localgroup_user Administrators XYZ

Framework for Man-In-The-Middle attacks - => Bypassing HSTS (HTTP Strict Transport Security) with MITMf - downgrade the connection to HTTP * The PC with MITMf makes itself to be the gateway for the victim PC * Tip: http://wwww.google.com - can YOU spot the 4th w?; skandiabanken.no => webskandiabanken.no * Only works if the user hasn't accessed the page before in this browser, cookies and HSTS list are clear (wifi coffees & online banking = bad!)

Going beyond OWASP ☆☆


Walk through some past vulnerabilities in .NET. Some really nice hacks. Likely worth watching.

Few interesting examples:

  • HashDoS attack due to consistent hashing, putting all form fields starting with the same latter to the same bucket (common in other languages too)
  • When encrypting, also sign it so that when you get an encrypted stuff back, you're sure you did indeed produce it (there was an endpoint allowing to check whether st. is properly encrypted => play with bytes and high math to encrypt st. w/o the key)
  • Misusing REST - constructing URLs from user input => make sure the input does not contain path (e.g. user = "./admin"), query strings, # chars, anything else affecting the path - basically 0-9a-Z
  • in Turkey, "interesting".ToUpper() != "INTERESTING"; ppl make security decisions based on string comparison (.NET: string.Compare(a,b, ))
  • Unicode has "full width" chars: < (<); when put into SQL varchar, it becomes normal " don't use non-unicode columns to store Unicode
  • Common cryptographic mistakes: e.g. key / init.vector reuse (=> larger attack surface). Writing own crypto.
  • Hashing concat. strings - but hash(builtin+securely) == hash(built+insecurely) => do len(builtin) + hash(builtin) + len(securely) + hash(securely)
  • Cert pining - do; checking the thumbprint is fragile, check the signing chain, subject name too
  • Time-incons. hashing => timing attacks => don't do early exit (when (mis)match found)
  • MVC in web apps with auto-binding data to objects assign even properties that normally are not in the form (but added by a hacker), e.g. ID - "over-binding"
  • Don't trust file names from uploads
  • Zip bombs - tiny file which recursively uncompress; e.g. 42.zip (42kB) => 4.5 petabytes
  • XML bombs - e.g. Billion Laughs; preventable by turning of DTD Parsing

Making Hacking Child’s Play ☆

A fun talk though it contained only little new after being to Troy's workshop and the other talk.

Knowledge is power! The guide to measure what matters. ☆


Essentially an intro into StatsD. I had to leave early.

Copyright © 2024 Jakub Holý
Powered by Cryogen
Theme by KingMob