It’s been 10 months since I’ve updated my blog and it’s not been for lack of want – for a lot of this time I was working for a startup in “stealth mode” – meaning there wasn’t a lot that I could talk about.
That startup was Sum (formerly Project Florida), which was a very ambitious startup focused on creating a meaningful purpose from wearable data – attempting to transform the way we think of our health from the reactive to the preventive.
A few friends have suggested that, considering the domain on which I host my blog, I ought to share my thoughts on “shellshock”, the catchy name given to the Bash shell vulnerabilities detailed in CVE-2014-6271, CVE-2014-6277, CVE-2014-7169 and friends.
First of all I should state that, as with any vulnerability, particularly one with a potential remote vector, you should ensure your systems are patched, and keep an eye out for further patches coming down the line: the first few patches were only partial fixes, as they were rushed out of the door.
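Since the advice is to patch, the natural follow-up is how to confirm that a given bash is actually fixed. The script below is an added example, not part of the original post: it runs the two publicly circulated test strings for CVE-2014-6271 (function import executing trailing commands) and CVE-2014-7169 (the parser bug left behind by the first fix) against whichever bash is on PATH. The BASH_BIN variable and the function names are my own; a fully patched shell reports “patched” for both checks.

```shell
#!/bin/sh
# Added example (not from the original post): probe a bash binary for the two
# best-known Shellshock bugs using the public test strings from the 2014
# advisories. Assumption: the bash under test is on PATH, or is named via
# BASH_BIN=/path/to/bash. Nothing here is specific to any particular system.

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: a function definition held in an environment variable is
# imported, and anything after the closing brace is executed as a command.
# Prints "vulnerable", "patched" or "bash-not-found".
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo bash-not-found; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: with only the first patch applied, a crafted definition leaves
# the parser in a state where "echo date" is run as "> echo date", so a file
# named "echo" appears in the working directory. The probe runs in a throwaway
# directory so that a vulnerable shell cannot clobber a real file.
# Prints "vulnerable", "patched", "bash-not-found" or "error".
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo bash-not-found; return 0; }
    tmp=$(mktemp -d 2>/dev/null) || { echo error; return 0; }
    result=patched
    if ( cd "$tmp" && { env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 || true; } && [ -e echo ] ); then
        result=vulnerable
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Human-readable summary of both probes.
shellshock_status() {
    printf 'bash under test: %s\n' "$BASH_BIN"
    printf 'CVE-2014-6271: %s\n' "$(check_cve_2014_6271)"
    printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169)"
}

shellshock_status
```

Both probes are deliberately harmless (the “payload” is an echo or a file write inside a temporary directory), so the script can be run on production hosts as a post-patch check. Note that a bash that passes these two tests may still be missing the later fixes in the same family (CVE-2014-6277 and friends), so treat a clean result as necessary rather than sufficient.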
However, to read websites like BBC News, with headlines such as “‘Deadly serious’ new vulnerability found” and suggestions that half a billion computers could be affected, you would think the world was about to cave in.
In short, it’s not. It’s a serious vulnerability, but to my mind at least it’s not “a bigger deal than Heartbleed”, as some researchers are saying.
Here is why:
At Hacker School, Fridays are a little different from the rest of the week. Firstly they’re optional, and secondly, rather than working on your usual projects, it’s typical to do interview preparation.
These consist of mock interviews, fun with recursion, and coding challenges. One such challenge, “Create a URL shortener in under 2 hours”, has become quite popular recently.
When faced with this challenge, I opted for Ruby with the Sinatra web framework, backed by MySQL, as I am pretty familiar with them and was confident that I could complete the challenge within the time constraints.
Indeed 1 hour 54 minutes into the challenge (including a break for lunch!) I had a functioning system and spent the remaining few minutes tidying up my code. At the demo/review session it worked (phew!). What would normally have happened is we’d each return to our own projects and never look at that code again.
However, a conversation at the end of the review sparked my interest: how useful would our freshly written services be in the real world? Would they scale? So the following Friday I decided to embark upon some performance testing and optimisation of the service I had built.
My goal was to focus on the low-hanging fruit available for making a web service perform significantly better, and I was able to take it from under 15 requests/second initially to over 1000 requests/second on the same hardware!
It seems not a week goes by without a breach of some sort being announced at a large, generally reputable establishment. I have been on the receiving end of just such a breach during my time at Betfair.
I don’t have inside knowledge of the ins and outs of each breach, but I can talk to my own experience. In the case of Betfair, we were audited against PCI DSS, we had a top team of InfoSec professionals, and we were on top of security patching, contributing useful fixes back to the community.
However, a number of config mishaps coincided, leaving a window of opportunity of just a few days. That was enough for someone skilled to get inside and gain access to data. Following that incident, processes and procedures were updated to prevent a recurrence of that type of breach, and action was taken to further improve security.
However, as long as companies are home to interesting data, they will be targets.
A typical online retailer holds the following information about a customer:
- One or more addresses
- Payment details for one or more cards
- Possibly date of birth, mother’s maiden name or other data used for extra security questions.
The question is, how much of the data that they hold do they actually need to hold?
Finally got round to setting this thing up.
The last time I had a go at maintaining a blog was back when I was at Joost, almost 7 years ago. I set something up on Tumblr and made a couple of posts, but never got into it.
This time I’ll try harder – I think I’ve got some interesting stories to share from the lessons I’ve learnt along the way at Expedia and Betfair, and my time at HackerSchool this summer has made me realise the value in sharing what you know.
For those who don’t know, I left Expedia at the end of May and opted to take the summer off and go to Hacker School. My main goal for Hacker School is to learn, to write code, and to have some fun. I’m now halfway through my time there, and it’s exceeding all expectations thus far.
My initial project was to work in computer vision, automating the categorising of images by content; in particular, to take the motorsport photos I have and separate them by car manufacturer or other significant details (e.g. sponsor logos).
A video of the results from the end of my first week at Hacker School is available here:
Since then I have improved on that significantly, through pairing with Nava and learning more about how OpenCV works behind the scenes. I’ve now begun to move on to my next project, a network monitoring tool. Its purpose is to help visualise slowdowns within the Hacker School network so that we can quickly see the cause, and to continue my other goals of learning, writing code and having fun!