For certain assignments for our class, we’re required to submit videos. I’ve done it before by saving my narration in a PowerPoint file, but this time I opted to export it to an MP4 and publish to YouTube. Why, I’m not sure. Seemed like a good idea at the time.

Replaying my video through YouTube, I’m amused to see the list of things YouTube next recommends for me, after viewing a video entitled ‘CYB670 Team2 Project3 CyberOperationsAndRiskManagementBriefing’. (Eh, I should probably have cleaned that up a bit and put in spaces at least, but…)

In order of listing:

All of those sound much more interesting than my briefing on cyber risk management. Tempted to add a few recommended links for the professor’s enjoyment! Definitely check out the Carol of the Bells!

Bit of context: in June, I changed companies and thus changed projects. In the world I work in, it can take a bit to get new accounts and be viable as a developer, so I think by mid July I was committing code into an established baseline for a monolith service. Technical architecture: Spring Boot, providing RESTful services, interacting with JPA repositories, and a smidge of interacting via Feign clients out to another service. Code is there, can be interactively debugged, etc. Plenty of meat to dig into, plenty of tools to do it with, but a decently robust codebase for a heavily used system for our customers.

Over the summer, we changed objectives. Instead of adding new capabilities to the project, we were figuring out how to safely port it to another environment, where most of the original code for the monolith wouldn’t make it just yet. E.g., rearchitecture it a bit, figure out how we could stub some things out, borrow what we could of the build system, and make it work. Our code would be developed in the new environment and imported into the old, and the goal was to be able to develop new things while not breaking things in the old. Challenging, particularly since the old thing was still moving forward with or without us. Still the same technical architecture, but less code to work with (since not all of the production code made it into our new environment). And moving targets on versioning: is our version foo+1 compatible with the production foo+1 in the production environment? Did they change something we rely upon? Note that things don’t change often in the areas we’re dealing with, but, since the production code’s model is that all things are at the same version, there’s a bit of extra strat-eg-ery to work through. And, of course, we don’t have a strongly built out test dataset or deployment infrastructure in the new environment.

We’re not quite resolved as of early October. But now we’re pivoting to a new thing. Entirely new objectives, entirely new codebase, entirely new architecture. Switch to providing multiple microservices, using Reactive programming and API calls for the microservices. Reading up this morning on Reactive programming, I was relieved to see the statement: “If you’re familiar with Spring MVC and building REST APIs, you’ll enjoy Spring WebFlux. There’s just a few basic concepts that are different.” (1). I’ve long thought Matt Raible was a good geek whisperer, from I think well back in Struts and AppFuse development days.. Matt apparently collaborates with Josh Long (@starbuxman), who wrote much of the code Matt included in that post. So I hop out to @starbuxman and see the following near the top of his feed:

Amused that “a few basic concepts that are different” could translate to “480 pages 😯”. Recognizing that reactive style programming’s been out for a few years now and is a mature construct, I’m not super worried. I do have some development background in asynchronous programming and event handling, after all, based on an interesting websockets-based web user interface I built out a few years ago. Still hoping that 480 pages of “Reactive Spring” is really a rehash of “everything you otherwise need to generally know about Spring” with a few extra Reactive details. Else I’ll start keeping this emoji ( ☢️ ) a little closer at hand and “reactive” might start referring to my facial expression when we get the next new shift in direction.

Between open carry laws that don’t require training or registration and a new law that incentives folks to turn in women or those who help them, Texas looks like it’s become quite the dangerous state. Churches and the government should establish refugee resettlement programs for any Texas women and their families that seek to leave. Texas is seeking to become a retirement only state. Warning: it’s hard to care for retirees without younger folks.

In a surprise shift in my career, my customer and employer is now supporting work from home. After a few weeks of working from home 4 days of 5, here are a few surprising reflections:

  • Not commuting is wonderful!
  • I can happily wear Crocs and PJs 4 days out of 5. (We have no video meetings!) That whole idea of dress for success? Doesn’t apply when you’re in the groove in code.
  • Makeup is an optional thing
  • Jumping out to the gym in the middle of the day means fewer people => more access to the weights. And not having to be at work (and no video meetings) means showering is a thing that can be done when the work day is done… (No, you don’t want to share a home office with me on workout days…)
    • Surprisingly, old people at the gym are the ones who are getting too close for my comfort in COVID times. Guess who’s at the gym in the middle of the day?
    • Note that me being at the gym in the middle of the day suggests the logical inference that I am old, which I attempt to avoid acknowledging…
  • While there are no distractions from too loud coworkers, the puppy who wants to play can consume some significant cycles that need to be accounted for in the timesheet
  • Beer can be consumed, but should only be done (1) in the evening, (2) when you’re almost done anyway, and (3) used as a stopping function. E.g., I’m on beer #2, billable time is over!

In July, I signed up to be a “fundracer” for a group doing great things in the Baltimore area. Back on My Feet is a national organization with a Baltimore affiliate. In each affiliate location, they set up running groups at local homeless shelters. They worry about making sure that running groups have structure and running partners (both residents from the shelter and from the community), help folks connect with shoes, and connect participants with employment and housing opportunities. Their model literally walks/runs alongside the folks they’re seeking to serve, committing to regularly be there with them and connect. They’ve got some impressive stats, too, in terms of numbers of folks employed and housed through the program – check out their website. The program says: “Our unique model demonstrates that if you first restore confidence, strength and self-esteem, individuals are better equipped to tackle the road ahead.” and that they “seek to engage you in the profound experience of empowering individuals to achieve what once seemed impossible through the seemingly simple act of putting one foot in front of the other.”

I’ve fundraced for BoMF before. They get entry slots in the local Baltimore Running Festival, which runs in October as a 5K, half-marathon, and marathon. I used to be more of a runner and would train for the half. I’m older and a bit less in shape than I was, with other priorities at the moment that keep me from dedicating time to build up to logging 12 mile+ training runs on weekends. But…. I can put a few fewer steps in front of the other and make the 5K (3.1 miles) happen. I’m now regularly running 2-2.5 miles during the week, with a long run on the weekend of 4 miles. I’m slow, but getting slowly faster. Using that same approach to commitment that the running club participants put in, I’m slowly seeing results. I’ll only earn success and complete the race if I keep it up, though, just as they’ll only earn their success if they keep putting in the work towards employment and housing.

If you, like me, find the approach valuable and/or inspiring, support Back on My Feet and their mission by supporting me in my fundracing. Earlier this month, I met my “goal”, which was the minimum tally to enter the race on behalf of BoMF. That said, just as your own home’s budget would appreciate any bonus amounts, so of course would BoMF’s. More $$ means abilities to support more folks and do bigger things.

Oh, did I mention? Thanks to one donor’s request, I’ll be running this a tutu, clown socks, with a clown horn and probably a goofy hat (heat dependent). Want me to up the ante somehow? Let’s talk! Want me to show up at your event in such??! Well, that’s possible, too. Although I can’t promise to run in full Clementine mode (clown shoes are _not_ a safe running option for 3.1 miles!), other events are possible…

Last link to make it easy to contribute here!

I created a new Git project on my GitHub profile today as I began some work on a possible conference presentation. I was surprised to see a message that said I’d received an achievement badge because I’d “contributed code to the 2020 GitHub Archive Program and now have a badge for it. Thank you for being part of the program!”

Clicking through the Archive program link to find out more, I saw that “On 02/02/2020 GitHub captured a snapshot of every active public repository. Those millions of repos were then archived to hardened film designed to last for 1,000 years, and stored in the GitHub Arctic Code Vault in a decommissioned coal mine deep beneath an Arctic mountain in Svalbard, Norway.”

Which sounds kind of cool, in more ways than one. However, I’m not excited about not really getting a way to opt out of that archive. Although the message on the achievement badge notification says something about being able to opt out in settings, clicking through to settings doesn’t take me anywhere that makes it clear what setting I’d need to adjust. Further, if they’ve already “archived to hardened film designed to last for 1,000 years”, thinking any setting I list now is sort of moot anyway.

This isn’t the only usage of code item GitHub’s made public lately: their new CoPilot program uses the source of public code repositories, apparently regardless of the license used by the repository owner. Starting to wonder if I need to check more seriously into Gitlab’s offerings….

Was dismayed to discover this morning that O’Reilly is no longer putting on in-person conferences, to include the wonderful OSCON conference I so enjoyed both attending and presenting for. I tripped across that news today when I went to find links to my previous talks (2014, 2016). Both talks were based around the idea of delivering the bad news that your build is broken by way of obnoxious Furby chatter. I had submitted talk topics for several years before that first talk got picked up – guess the conference review assessors similarly thought Furbies might be hard to look away from.

So, farewell, OSCON, Strata, and an abundance of other conferences. I’ve been finding my geek conference fix in other places of late, more related to cyber, and it’s not as if there isn’t an abundance of ways to learn in person and online. But OSCON will forever hold a sweet spot in my heart.

Succumbed to temptation today and bought a laptop. I’ve been thinking about it for a while. In two more weeks, I’ll need to hand back in the one I’ve been using from work. This Macbook has stood me well through college and capture the flags, and I’ll be sad to see it go, particularly since it’ll take another week after that before my new one arrives. That said, 32GB of RAM, a 1 TB NVME drive, an NVIDIA GPU with 8GB, and an AMD Ryzen chip: gotta put this poor box to shame. I’m going to have to grow my chops in reverse engineering and cyber exploitation to match it!


You may have seen a few more geek notes on here of late. I’ve really enjoyed jumping into CTFs. My objective isn’t to win, but to find more ways to solve puzzles.

This weekend’s adventures were a little different, though. My company sponsors UMBC’s CyberDawgs team, and they’ve asked us to contribute challenges to their upcoming CTF. I tasked our IRAD team with coming up with a few and I wrote a couple, as well. So this weekend I spent some normalizing our submissions’ README files and doing a final test of the submissions.

One of the submissions was really giving me trouble. The IRAD team member who’d developed it had demonstrated it to us, but the solution instructions in the README just weren’t “clicking” to then be able to reproduce a solve, much less help anyone else understand how to solve. It’s customary in CTFs to have a Discord channel where mentors can offer assistance to those on the right track; given that I don’t want to be up all night myself providing that support, thought it best to provide a walkthrough for someone else..

Not only did I “crack” it (helped, of course, by the solution instructions in his README), but then I was able to provide a linked reproducible recipe using a tool called CyberChef that is really useful for a lot of CTF grunt work. I’m avoiding linking to the recipe or giving any more info on the challenge, of course, given that there’ll be hopefully lots of folks taking a crack at it in early May. I’m now more confident, though, that there may be some folks who solve it AND I better understand a particular kind of encryption approach.