DEV Community: Periklis Gkolias

The journey to join the offensive security highs (part 1)

Periklis Gkolias — Sun, 02 Apr 2023 13:05:45 +0000

Over the years and regardless of their specialization, I have met only a couple of people that didn’t like offensive security operations. But most people, have no idea how such an engagement happens.

N.B: In this article (and the subsequent ones in the series) we are only talking about legal engagements, where you have permission to attack a system (or for fun, in your own local vulnerable VMs). Don’t forget that you can be prosecuted if acted against those common sense guidelines.

What is an Offensive Security Engineer?

An offensive security engineer is a professional who is responsible for identifying and exploiting vulnerabilities in networks, systems, and applications. They conduct penetration testing and other security assessments to find weaknesses in a company’s defenses and provide recommendations for improvement.

Also, offensive security engineers work on “ethical hacking projects”, performing simulated attacks to test the security of a company’s systems and networks. They use their skills and knowledge to mimic the actions of real-world attackers and identify potential entry points that could be exploited by malicious actors.

High-level engagement steps

A team of offensive engineers (usually called red team), uses a set of steps like the below, to perform their engagement

Performing an engagementScope: Determine the scope of the engagement, including what systems and networks are in scope and what types of attacks will be simulated.

Gather information: Conduct reconnaissance to gather information about the target systems and networks, such as IP addresses, network topology, and software versions. Reconnaissance can be either passive or active.

By passive we mean, searching public information or semi-private ones like social media. Two known tools in the passive recon realm are the Shodan search engine and theHarvester.

By active we mean directly probing a system with tools like Nmap or Amass

Identify vulnerabilities: Use tools and techniques to identify vulnerabilities in the target systems and networks. This can include scanning for open ports, testing for weak passwords, and looking for unpatched software. Known tools here are Nessus and OpenVAS.

Exploit vulnerabilities: Attempt to exploit the identified vulnerabilities to gain access to the target systems and networks. Metasploit anyone?

Document findings and report: Record all findings, including vulnerabilities that were successfully exploited and those that were not, as well as any recommendations for remediating the issue. You thought you will only break machines and go home? 🙂

Who decides the minutiae?

A company might have an internal or an external red team.

An engagement process is usually proposed by cybersecurity organizations like MITRE and might be adapted to the team’s needs. An internal team might be affected more by the decision of senior leadership (e.g. the CISO) than an external team.

Regardless of whether the red team is internal or external, the engagement process should be well-defined and documented to ensure that all parties understand the scope and objectives of the engagement.

How do you become a red team member?

I think the right question is, how to increase your offensive engineering mindset. Becoming a red team member is a by-product of that. In my humble opinion, even though there is a shortage of people with proper cybersecurity skills, the red team area is a bit congested.

To start building your offensive mindset I would suggest the following process:

Learn about cybersecurity foundations. Yeah, there is no shortcut to that. A good starting point is Coursera’s course on the fundamentals of cybersecurity.
Confidence with programming. Not a deal breaker, but you will need to write your exploit or automate a process, sooner rather than later.
Confidence with networking. Same as above, not a deal breaker, it will level up your game faster if you do.
Analytical thinking. You need to be able to construct an attack route, given a vulnerability. Most of the time you will have seen something similar before, but sometimes not. And this is where you truly need that skill
Practice, practice, practice. No escape here either. You can use platforms like tryhackme and hackthebox or build your own lab with vulnerable images like vulnhub
Stay up-to-date. Attend conferences, read industry publications, and participate in online communities to stay informed.

Conclusion

Becoming an offensive security engineer is a challenging but rewarding career path. It requires a combination of education, work experience, certifications, and ongoing learning to stay up to date with the latest security tools and techniques.

With the right skills, knowledge, and experience, offensive security engineers play a critical role in protecting organizations from cyber threats and helping them stay one step ahead of attackers.

The IAM introduction I wish I had

Periklis Gkolias — Tue, 29 Mar 2022 16:21:26 +0000

The term IAM is one of the common you hear in cloud-native environments. What does such a system do, though? And if you do know, how long did it take you to understand the full purpose? I will explain the main concepts behind this massive software family, having the busy engineer in mind.

The fundamentals described here are vendor agnostic. Though most of my experience derives from AWS's implementation.

What is IAM

IAM stands for Identity Access Management. It is a complex system of entities (humans, applications, etc) that request access to a system, on the one hand. And also, there is a complex hierarchical set of rules, to grant or deny the requested access. Before we go any further, below are the main terms you will encounter.

Resource: Anything worth protecting. A storage service a virtual machine etc
Policy: A set of rules which dictate "who can what" on which resource. And of course, who cannot
Action: Anything someone can do, inside the cloud environment. For example, creating a virtual machine
User: Well...a user :)
Group: A group of users, with the same permissions, applied
Principal: A user or an application requesting access
Role: A set of powers assigned to a principal. Usually for a limited amount of time.

Why it is useful

Its main usage roams in the realms of authentication, authorization, granular access, governance. Let's see what those things are:

Authentication: We have verified who you are
Authorization: We want to identify if you can perform the action you ask for. Usually, combined with Authentication but not necessary.
Granular access: Each action that can happen in a resource, is controlled by permission. Having access to see the firewall rules doesn't mean you can change them. This is implemented with Role-Based Access Control
Governance: The actions you take to know what the f@ck is happening to your environment. Mostly from a budget, compliance, proper access scope.

Are you a company of 1-3 people? Then, setting up a full-blown IAM solution is overkill and a burden to maintain. But if you are more than that or you are planning to scale, then you should start considering it

Problems from the lack of one

I believe you can see the benefits of an IAM solution. Let's see what are some common problems organizations face in the absence of it.

Hard to audit and administer access

Have you heard of cases where an employee had more access than they should? And additionally, no one knew? This can be prevented with a properly set-up IAM solution.

Setting up new hire accounts is a pain

With a properly set-up IAM solution, this is a matter of a few clicks. Namely, set up the users, add them to the IAM groups their teams use. And that's all.

But without it? You need to do all the permission settings from scratch. You might have a reference user to "copy from". But do we need all the permissions this reference user has? Do we want to have special handling for users that are less than 6 months in the company? Does the reference user have superuser permissions that should not accidentally be assigned to the new hire?

Offboarding people

Here you have problems of a similar nature to the "new hire case". But you also need to change the password to all the accounts they potentially used. This can turn ugly very fast, not to mention the side effects it has on other team members.

For example, one will have to update all the password occurrences on every offboarding. In every script and application. What if you have a team change 2-3 times per month? How productive this will be?

Commodity identity tasks need human intervention

By commodity, I mean tasks like, resetting a password or re-enabling an account that was locked. The top-tier IAM solutions have a way to resolve such issues fast without much hassle.

Best practices

Below are some best practices I have derived. It is far from being a full list, it is only my personal experience. I have seen them in more than one team though, so they are probably good enough.

No full access...EVER

In a real-world scenario, you don’t want every user to have unlimited access to the account. Ideally, no one should have (apart from the account owner).
If Jack is working on monitoring logs, they should have read access to that tool. They should not be able to restart a service. Or the accounting team should only view billing information.

Knowing how the VM scalability rules are set is not gonna help anyone.

Groups vs multiple users

Prefer a single group to multiple users when you have a choice. The groups make administration exponentially easier.

Roles vs multiple groups vs a new user

When you have the choice, prefer assigning a role to a user, rather than creating a new user. For example, don't create an admin user and share the password between 10 people. Create an admin role and assign it to whoever needs it for a limited amount of time.

Permissions should be frequently audited

It is easy to make mistakes or perform malicious actions. At the very least, a company should audit that only the proper people have access and this is at the minimum level.

You could also send an email to a certain team when a suspicious action happens. For example, assigning an Admin role to a new hire.

Setup boundaries beforehand

If the IAM solution allows it, add boundaries to your ecosystem. Copying from Amazon's documentation ( I know, I promised vendor-agnostic :) )

A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

In layman's terms, you can define the "maximum" permissions that can be assigned to anyone. For example, a user will at most be able to view the logs from the relevant tool and restart a service. If someone attempts to get a role to create a new virtual machine they will be disallowed.

Conclusion

Thank you for reading this far. I hoped you enjoyed the introduction to the IAM technologies. Any questions, please reach out.

What can La Casa De Papel teach you about Cybersecurity

Periklis Gkolias — Thu, 13 Jan 2022 19:18:19 +0000

I was watching the TV series, La Casa De Papel (Money Heist) on Netflix, a few weeks ago. I realized that the story of the gang can reveal some best practices we should use while dealing with the security of the products we build.

Beware, the text contains spoilers. If you haven't seen the show till the end and you are planning to, please visit the article on a later day. Or proceed with your own responsibility :)

Threat modeling can protect you against unexpected events

First of all, what is threat modeling?
Threat modeling, in layman terms, is an analytical process. In there, the engineers who build a product coordinate with the security team. They collaborate towards the security architecture of the product.

More specifically, the model, how someone can attack the product, and what is worth protecting (assets). They also model what they can be loose about. Being loose, not because they don't care. But because protecting it can be more costly than the asset itself.

Threat modeling can get you a long way and protect you from events, against the odds. What is threat modeling in our "Money Heist" case? It is Professor's (aka Sergio Marquina's) plan against all potential routes the plan will take. In having alternatives, even for the edgiest scenarios. The assets are clearly, the stolen money or his comrades in the heist.

A single point of failure can cause a chain of bad reactions

Threat modeling might help you recover from many security problems that will arise. You can recover from a cyber-attack but things will never be the same. A crack in the security wall can have a domino effect.

Imagine a lake dam, with a few cracks around, going unnoticed and being exploited by nature. You can always fix it, but it might take time for the lake visitors to establish trust again.

Like the Professor, where he lost respect after the gold (temporarily) vanished. Even though his great problem-solving skills, helped resolve the issue, things got hairy very fast.

Luck is not a strategy in the long term.

In the show, there are some provocative cases of luck. For example:

Raquel renegading the police organization
Police and army failing plans to invade the bank
Failing to shoot to the target many times. From troops, that are supposed to be professional shooters.

Snitches and below-expectations defense might give you some extra time. to move with your plan or escape. But you have to take advantage of it. To either move with your plan or escape. Always think your luck might go away, any time soon.

Never drop the weapons

This is not specific to cybersecurity but to life in general.

Pain is temporary, quitting lasts forever. Accept your mistakes, remediate them and learn from them. As long as your heart is pumping blood, you are not dead yet.

Architectural mistake? Patch it immediately and re-architect the product (yeah, I know...delivery and business constraints)
Below expectations monitoring? Fix it now. Add more people and see how they can be more effective
Serious defects in the code? Train your team insecure practices and code review focused on security. Buy a license to a package like Snyk or Nessus. Plan some percentage of your capacity to patch the most severe ones

Even in the worst of moments, keep your composure

Imagine a ransomware attack. It is there, it is happening. Screaming over people's heads will not solve the problem.

When you cannot win against an attack, you still have to do your best, to at least not lose. For sure, don't panic. As the Stoics say, you have to be your best self on the things you control. And let the rest, just be. Accept them.

You cannot control the next stage of an attack. But you can do your best to prevent it, to not repeat the same mistakes, and to close the open doors that exist now.

Don't lose your temper and clear mind,. Like Tamayo lost it, when he realized the gang was blackmailing him for various reasons.

He got angry, he got blackmailed, he was even ridiculed in the eyes of the European Central Bank. And what was the result? He lost, hands down, even though he lied to the media about winning.

Conclusion

Top-notch cybersecurity is not a free lunch. And not everyone can do it, as the caveats are so many. But with some discipline, retrospection, and humility, you can do wonders. Also, the show is great, if you haven't seen it, please do.

How to evaluate if a Certification is worth it (for you)

Periklis Gkolias — Mon, 22 Nov 2021 18:06:25 +0000

Asking whether you should go for a certification or not, is maybe the most sought-after knowledge in the tech internet. Usually, accompanied by a flamed discussion of people with strong opinions and virtual verbal fights.

I will share with you how I approach such dilemmas.

Current or near-future career plans

Getting a certification, at least a quality one, requires hard work and study. If this certification is going to improve your career prospects, tangibly, by all means, go for it.

If not, I would spend my precious and limited time elsewhere. Life is too short and a piece of paper alone means nothing.

Changing tech tracks

Like the above remark, a certification might be a good vehicle to land a new job, especially if this requires changing your technical domain.

Are you a mathematician and you want to become a data engineer? Earning a reputable certification in data engineering will give you extra points.

Keep in mind though, not all transition pairs, are created equal.

Both for this and the previous point, remember:
Some companies filter out CV keywords while hiring, so a certification might give you extra points for the next step of the process. You have fewer chances of being disqualified early, all other things equal.

Cost

Do you pay the tuition? Does your employer pay? Certifications usually vary from a hundred dollars (e.g. AWS cloud practitioner) to a few thousand (e.g. Cisco Architect).

Sometimes the cost is in proportion to the opportunities (and the salary) this certification can bring. Hype though is also playing a vital role in the cost. Make sure you evaluate the relationship beforehand.

Current knowledge

I would choose to certify easier if I am starting from a way above zero point. My philosophy is to pair a certification with battle-tested knowledge of the domain. That way you get more value as a professional and the certification shines on you.

Let's revisit my above example on data engineering again. It is easier to get it (and more valuable to you and your company) if you back it up with existing good knowledge. But might take 2-3 times more to study if you have never seen how a data pipeline work.

Desire to go deep

In your career, unless you love your comfort zone or you are pro-early-specialization, you will gain a good breadth in the sector within 5-10 years.

Not all knowledge requires a certification. I am very confident with Linux and administration, as I have used it at home and work for many years. Though, getting a Linux administration is not something I consider (at least for now), as it is not the focus I want to have in my career.

Vendor reputation

We will agree, hands down here. Anyone can create a certification. That doesn't mean the rest of the world gives a damn. As mortals, we have limited time slots for certifications. As Wilfredo Pareto would say, 20% of your actions, will give the 80% of the results. Use your limited time quota, wisely.

Conclusion

What is your view on certifications? There are many opinions in the field, and I would like to listen to other perspectives.

Not so obvious tech that I believe will become mainstream

Periklis Gkolias — Mon, 14 Jun 2021 20:13:49 +0000

By the time of writing of this article everyone knows, the "technologies of the future" as listed from various mainstream media. And I agree with most of them. It is worth discussing a few not so obvious though. I expect my "predictions" to be fulfilled by 2030.

Please note that these are my personal views. The views are built according to my understanding of how technology (and society) evolves. I am by no means a psychic, so reality might prove me wrong.

Blockchain will end bureaucracy

Unless you have been in a coma for the past decade, you should have heard about blockchain. In two sentences, blockchain is a technology that helps someone confirm that an action has taken place. No one can alter the action or the source of truth, at least not in an illegitimate way.

The most popular blockchain-based application is bitcoin. Though various domains can benefit from blockchain.

A very interesting case is checking out from a hotel without the need for a receptionist. That will happen with the help of applications that run on blockchains, called smart contracts. When the time has passed and you have not returned the keys to a special vault, alarms will start ringing. Or if the rent has not been deposited on time, consequences will fire (eg late interest). If you have worked with services like IFTT you know what I mean.

But of course, the big pain point is not a renter with a bad credit score and behavior but bureaucracy. Bureaucracy can hinder innovation, drain your energy, and can be costly. You may check this paper from the EU to read more about their research.

I understand it sounds crazy at the moment, but who wouldn't think the same for today's circumstances (e.g. Covid19) 10 years ago, if described in an article?

Doctors will stop dealing with commodity cases

As we have robot investing or self-managed investing nowadays. Where did stockbrokers go? They only deal with big bucks. The same will go with doctors. Artificial intelligence will take off of their shoulders a handful of cases.

I appreciate different opinions; though spending 20 minutes of a doctor's time to get, the same remedy as last year is not optimal to me.

Speaking about "technology acting as doctors", there are even models that can predict skin cancer better than doctors. The future here is exciting and...intense.

Hopefully, in that way, the medical community will free up resources to focus on more important problems the human race faces.

Frontend development will completely transform

Frontend development has created many dev jobs in the past decade (at least since Angular come out in 2010). Though I don't think it will remain a lot more in the current state.

Companies (should) pay more attention to the user experience. So, sooner or later they will stop creating another custom feed or login page. Dear company, your app is not that special.

Here come low-code tools (N.B: I don't like them, but they are here), just like static HTML development transformed when Adobe Dreamweaver became the new cool kid in town.

What about the backend? Backend can lose some of its glory too, though the commodity parts are less, in my humble opinion.

Zoom fatigue will fade

Don't get excited so fast. Augmented reality calls might replace Zoom calls. Not sure if we have a new form of fatigue then. :)

We have seen how augmented reality works, in various movies, like Ironman. So you may see the movie (or similar Sci/Fi ones) to understand it better.

Driverless cabs

Self-driving means of transportation and cabs, in tandem with more eco-friendly governments, will probably reduce the need to own a car. At least for a city commute. But even for off-city commute, there is a (yet baby) trend that car rental companies offer cars with a per-hour lease.

Cars drove (no pun intended) the last industrial revolution but are considered a bad asset to have (financially). More and more companies have entered the self-driving battlefield in the past few years. So we expect jaw-dropping results sooner rather than later.

Cryptography v2

Quantum computers might hit the reset button to the cryptography sector. I am not a cryptography expert. Though quite a few algorithms have based their success on computational hardness to break a ciphertext without the key(s).

But Quantum computers can run exponentially faster than classic binary ones. So there is a fear that cornerstone cryptographic technologies like SSL will be affected adversely. Maybe they become obsolete too. That sounds scary, as our communications, banking transactions, etc., will be exposed in transit.

There is work in the post-quantum area and hopefully, the countermeasures will be deployed before the...measures.

Conclusion

Thank you for reading this article, I hope you liked it. What are your thoughts on such developments?

How different are managed and serverless services?

Periklis Gkolias — Sun, 16 May 2021 15:17:23 +0000

A common confusion between people who have their first touchpoint with cloud technologies is

What is the difference between serverless technologies and managed services?

What Are Managed Services?

A managed service enables the end-user to focus on using a service rather setting up the service. Not that the cloud provider can detect your thoughts. Rather any input the service requires is happening via a user-friendly form. Managed services fit into the category of PaaS products (Platform as a Service).

One of the most famous managed services around is Amazon's Elastic Beanstalk. In ElasticBeanstalk you can
a) set up some parameters
b) provide a docker image

and the service will set up the rest for you. Things like:

Virtual machines
A webserver (if needed)
Expose your application to the public
Monitoring and logging infrastructure
Semi-automated configuration
Load balancing
Scaling etc.

You will be able to see the results of the Elastic Beanstalk operation e.g. the virtual machines, that were bootstrapped, as a result. Usually, you won't be able to access and fiddle around with them. Otherwise, it is not a managed service, you are the manager.

So a managed service is essentially an abstraction of a... non-managed service. The abstraction is usually interfaced via web forms. Additionally in a managed service as a user, you don't bother with updates, patches, etc.

This is because you have no access to the machines, someone has to do the laundry. Usually, you have only limited choices, if any, on the underlying system. That might be the operating system, version of the software used.

Fairly simple, right? Let's go to serverless who is a bit more complex.

What Does Serverless Mean?

With the word serverless we refer to a different computing model, on the contrary to the "traditional" one which is server-oriented. In server-oriented computing (or serverfull if you like more sophisticated words), we use virtual or physical machines to set up and execute our application.

Qualities like the availability and the performance of our applications are strongly bound to the health of your machines.

Clusterisation solutions have been perfected over time (amongst other reasons) to make the decline of machines' health less and less important.

What about the cost though? Why do we still pay for idle or underutilized servers (either in money or in lost CPU cycles)? If we need to scale a cluster of machines why does this take time?

Here comes serverless. Serverless fits in the category of FaaS products (Function as a service).

The name is a bit misleading; the server where "the code" runs does exist.

Though you don't care, just like in managed services. Serverless goes a bit further. Your application runs, when it is needed and for just as long as it should. Idle times are eliminated.

You never get to see the server in your virtual machine dashboard and of course, you don't know any details about it/them.

Serverless implementations are usually event-driven. The instances are idle unless an event occurs.

N.B: There might be a case where you have instructed them to not be idle which is known as "scale-to-one". They get busy and when done, they go idle again. If they get too busy they get support from other clones aka horizontal scaling.

There are few benefits with serverless implementations. A big one is that they are scaling easily and effectively. That is because they are usually based on lightweight installation media, like Docker images/containers and there is no need to provision extra machines.

In theory, with serverless computing, you have the whole cloud infrastructure of the provider on your feet. With the respective cost of course. :)

Speaking about costs, serverless code is billed per second and at a higher rate than a machine lease. So it is recommended to run for relatively short workloads in time.

Some providers put a hard limit on how long serverless code can run. this is to also avoid unpleasant surprises on your bill.

One notable example of full-stack serverless and the cost benefits that come with it is acloud.guru.

I remember studying for the AWS Architect certification using one of their courses (awesome content btw, highly recommended), and the instructor mentioning that "We pay 400$ per month with Serverless and it would be around 100000$ using servers".

One of the cons serverless architectures have is on time-critical applications. Usually, newly deployed serverless functions, experience some kind of latency also known as "cold start". There are mitigations around that, called -surprise, surprise- "warm starts". But you may want to check other architectures for such a requirement.

By the way, serverless solutions provided by the cloud providers are i.e AWS Lambda, Azure Functions are...managed too. That means you can set up your serverless architecture using high-level abstractions and input your preferences/configuration with provided forms.

Managed Services + Serverless

As you have probably figured by now, serverless and managed services have some interesting similarities. We can sum them up like: Don't worry about the infrastructure, focus on your business value.

There is a very interesting public service that comes with both flavors, managed and serverless. This is AWS Aurora. Aurora is a managed database, compatible with MySQL and Postgresql. There are two flavors of Aurora.

The managed one, where you set up a database using a form, and brings up a few virtual machines, and takes care of their health. You may just focus on deploying a good database schema.

In this flavor, the database is running 24/7/365. Or at least that's the goal, as it offers very high availability and otherwise works in the same way as any database server you have used in the past.

There is also the serverless flavor, where Aurora is set up as such. In that case, you have the storage "deployed" 24/7/365 as above. You cannot have serverless storage, which is contradictory (according to my current knowledge at least). :)

The processes though, that perform data manipulations on your data, like fetch and update, can be easily converted to serverless functions. Aurora serverless can have significant cost reductions, as the data manipulations run on an as-needed basis. Though if the database is fairly busy the cost might be higher than in a serverfull architecture. That being said Aurora serverless is better used when your workload is intermittent and unpredictable.

Openfaas

During this article, I explained those technologies with public cloud providers.

If you want to run serverless computing / FaaS without relying on a public provider you may use OpenFaas (future article to come).

This technology will not only give you more control over your architecture. It will also help you realize that the serverless model relies on clustering technologies like Kubernetes. Also, you will learn how you can set up scaling rules and cold/warm starts.

Conclusion

Thank you for reading till the end. We spoke about Serverless technologies and compared them with managed services. They have serious overlap but cover different needs too. If you need to add something I would love to hear your view.

What are your first-choice when it comes to picking convolutional neural network architectures and why?

Periklis Gkolias — Fri, 02 Oct 2020 20:38:56 +0000

Myths about self teaching that need to be busted

Periklis Gkolias — Mon, 28 Sep 2020 16:22:42 +0000

Self-teaching is the norm in the industry, many years now. Most of the technologies you learned during your official education 2, 10, or 30 years ago are almost obsolete in the industry.

So, no official education would constantly give you everything you need, here, almost by design.

But lately, it has been popularized too. The main reasons IMHO is the need for more "coding hands NOW" aka supply vs demand and the cost (in terms time and money) to go to the university (in terms of time and money again).

Sadly with that popularization comes some level of...myths and things that are dangerous to spread; especially for people that are entering the field. Here is my view on them:

We are paid to google things

Google searches are an important part of our day. Though that doesn't mean people google solutions and paste them blindly into their IDE (which happens of course).

You need to have some certain level of competency to know WHAT to google. And some higher level of competency to filter out the crap from the results. That's how the following joke came up:

Where did you find this crappy code?

Stackoverflow

From the question or the answer(s)?

As Mark Richards said to one of his books Fundamentals Of Software Architecture:

Architecture is the stuff you can’t Google.

If you think you are paid to google things and you feel an impostor, try becoming an architect. Let me know how it goes. :)

Also, don't forget that some things MUST be googled.

We are dealing with so many different technologies, libraries, and tools every day which will be close to impossible to remember more than the basics, in more than a few of them. Or if you are looking for research papers that were created 6 months ago you cant know it from the top of your head.

Last but not least, most professions google a lot...but you wouldn't pick a cardiologist who is paid to Google. Don't be that guy/girl.

You don't need computer-science theory or math

Oh, that's a very touchy topic.

You will not need any advanced math if you are working as a backend web developer 95% of your time. I doubt you will ever need non-high school math if you are a frontend developer.

Though, mathematics can teach you serious problem-solving skills which many people I have encountered throughout my career don't have.

But what about game programmers? What about people that are working on machine learning and need to know serious linear algebra and statistics (you can be a practitioner without those, though)?

Computer science theory, in a similar manner, will help you scale up.

What if you are having issues with the network handling in your application? Will you go to the "network expert"? Will you just cross your hands because you are the in "the java-only team"?

Can you be a security engineer (not expert) by not having deep knowledge of computer science theory? And no, Metasploit tutorials on YouTube are not enough.

As a former colleague wrote on Twitter once: "You appreciate big-O complexity when you get your first AWS bill".

I can continue with more examples, but I think you get the point. I am not saying to attend a university (I understand the high tuition fees, though many universities in Europe provide high-quality education at minimal or no costs), out of compulsion.

But whatever way you choose, at one point or another if you want to scale up, you cannot escape the necessary reading.

My advice is: Don't disregard and nag about something that is just challenging your comfort zone. This is how people grow. And think if you are better off as a one-trick pony or a swiss knife.

Speaking about universities...

We should learn interviewing git and scrum in the universities

The main mission of a university is to learn someone how to think and learn. And of course the foundation of the science you are about to serve.

Yes, I am expecting to learn python or javascript instead of Cobol. But those would be the tools to implement a purpose, not the purpose.

I would appreciate any seminars or talks to prepare me for my first days in the industry (and I didn't have those, back my days), though NOT EVERYONE IS CHOOSING A CORPORATE PATH. Their needs need to be respected as well.

You will certainly do it

I like the encouragement there is in the dev community. Of course, there are stupid trolls and bitter people out there but their power is pretty much inexistent.

Mastering any STEM profession takes grit, tenacity, and perseverance. But to project those you need (at the very least) to like what you do. Alas, as with all professions, it is not a field for everyone. Some people are here because of career prospects or peer pressure and not because they like it.

Even though in some countries it is considered a taboo discussion topic, not everyone can do everything. And surely not equally good. Some countries in Europe do such filtering early on (like around the age of 13) and people tend to be happy with their choices without feeling inferior if they exercise an "unpopular profession'.

So my advice is, pick what you like and ignore the pop-talk. Who knows, you might be an early rider of the next wave, which seems to be public health and space industry (again) at the moment.

Bootcamps can teach me everything I need

Sadly a bootcamp can only prepare you for your first months/year in the industry.

Not because they are of low quality. But because they can't teach you anything you might need in a few weeks. And if they could, you probably wouldn't be able to absorb them so fast as they are complex concepts by nature.

I am almost ten years in the industry and still feel an impostor. 😃 Why do you think a few-months-bootcamp is all you need?

If you choose a bootcamp for the start of your career, make sure you do not rely there completely. Make sure, as I mentioned above, to do the necessary reading sooner or later. Being a well-rounded engineer will never go out of fashion.

Conclusion

Thank you for reading this article. What do you think about such myths? Have you heard any other opinion that should be addressed?

A gRPC primer from a non-gRPC dev

Periklis Gkolias — Tue, 15 Sep 2020 18:49:19 +0000

I keep hearing about gRPC those days; not sure if the existing trend is soaring or it is a coincidence. In any case, as I have never dug to the concept, I thought it is a good time to do so.

High-level view of gRPC

gRPC is an RPC framework, created by Google. Interestingly enough, the initial "g" stands for "general (purpose)" and not for "google".

So gRPC is an RPC framework that can be used in any kind of situation where an RPC style communication is required.

Usually, we are talking about communications between services.

gRPC takes care of all the boring stuff that is required for communication between services, like defining service interfaces, communication formats, authentication, health checking, etc.

But in order to do so, we need to do some upfront work first.

Wait...What is RPC

I understand you might have encountered some unknown terminologies in the previous paragraph.

So, RPC is a technique (and used to be very popular before RESTful APIs take over) to make service-to-service calls.

In that case service, A calls service B but from a code reader perspective, it looks like this is on the same machine.

As with all high-quality abstractions, RPC does great work at hiding the low-level details that are required to perform network communication.

RPC also has different conventions and semantics from REST. From example, whereas in RPC you can see calls like

POST /addNewProduct

with body

{"company_id": 2}

in REST you would do something like

POST /products

with the same body.

Below is a nice diagram I borrowed from geekstogeeks which shows an RPC client-server communication

Protocol Buffers

Protocol buffers are the most popular entity of the gRPC framework. They are part of the "upfront work we need to do" in order to leverage gRPC.

What they do is to serialize and deserialize data at both ends of the communication. You can declare them in a struct-like format like:

message Point {
  int32 x = 1;
  int32 y = 2;
}

Easy, right?

The best part is that protocol buffers get serialized in binary, which means (amongst other benefits) a smaller size (comparing to text formats like JSON) and faster transmission.

Supported languages

gRPC supports officially most of the main programming languages. By the time of writing this article, those are:

C/C++
C#
Dart
Go
Java
Kotlin/JVM
Node.js
Objective-C
PHP
Python
Ruby

Where do I start

Apart from grpc.io, I struggled to find free resources. If I could pick two those would be:

Building a Basic API with gRPC and Protobuf

10000 Messages in 2.18 seconds with Python and gRPC

If you are willing to pay a few bucks, Stephane Maarek's course will not let you down.

Conclusion

Thank you for reading this short article. I have to say gRPC is a very interesting framework that I recommend you into if you are working with (micro)services.

If a candidate has been cofounder in a startup, will that increase the possibility of you, handing them an offer?

Periklis Gkolias — Fri, 11 Sep 2020 19:02:39 +0000

Git Bisect, the Undervalued Debugging Machine Gun

Periklis Gkolias — Tue, 21 Jul 2020 15:24:21 +0000

Git bisect is a fantastic tool that could make debugging a breeze. Yet, very few people use it actively.

In this quick article, I will showcase how git bisect can point out the where your bug cause lies, fairly fast.

But first, lets talk about...

Delta debugging

Delta debugging is a process where you do many steps and in each one your plan is to eliminate half the "problem". You can think of it as the binary search of debugging. Or as the man who made the term popular, Andreas Zeller is saying:

Delta Debugging automates the scientific method of debugging. The basic idea of the scientific method is to establish a hypothesis on why something does not work. You test this hypothesis, and you refine or reject it depending on the test outcome. When debugging, people are doing this all the time. Manually. Delta Debugging automates this process

Git bisect is how we apply delta debugging with git.

Assuming we have an injected bug and we try to find the root cause, in every step of our investigation for a solution, we eliminate half the solution space. Configuration, code, input...anything. Lets see an example to make it more clear.

Example

Initialize a repository to track our work.

mkdir test_git_bisect && cd test_git_bisect && git init

Let's say we will make a script that gets an epoch and converts to

datetime

We will do that by using an input file (named epochs.txt) that should contain only epochs.

Please note, that in order to run a git bisect smoothly, we need to have quite a few commits.

The python script parse_epochs.py we will use, nothing special here.


from time import localtime, strftime

with open('epochs.txt', 'r') as handler:
    epochs = handler.readlines()
    for epoch in epochs:
        current_datetime = strftime('%Y-%m-%d %H:%M:%S', localtime(int(epoch)))
        print(current_datetime)

Let's commit the first change:

git add . && git commit -m "Created epoch parser"

then create the input:

for i in {1..100}; do sleep 3; date +%s >> epochs.txt; done

which is essentially all epochs from the time we started the script (plus 3 seconds) till five minutes later, with a 3 seconds step.

Again commit the change:

git add . && git commit -m "Generated the first version of input"

If we now run the initial script, we get all inputs parsed to dates:

$ python3 parse_epochs.py
2020-07-21 16:08:39
2020-07-21 16:10:40
2020-07-21 16:10:43
2020-07-21 16:10:46
2020-07-21 16:10:49
2020-07-21 16:10:52
...

Let's amend the input now to make it faulty:

echo "random string" >> epochs.txt

and commit again

git add . && git commit -m "Added faulty input"

For the sake of entropy, to make the example more complex, let's add more faulty inputs - commits.

echo "This is not an epoch" >> epochs.txt 
&& git add . && git commit -m "Added faulty input v2"

echo "Stop this, the script will break" >> epochs.txt
&& git add . && git commit -m "Added faulty input v3"

Here is the commit log we have created:

$ git log --pretty=format:"%h - %an, %ar : %s"
b811d35 - Periklis Gkolias, 2 minutes ago: Added faulty input v3
dbf75cd - Periklis Gkolias, 2 minutes ago: Added faulty input v2
cbfa2f5 - Periklis Gkolias, 8 minutes ago: Added faulty input
d02eae8 - Periklis Gkolias, 20 minutes ago: Generated first version of input
a969f3d - Periklis Gkolias, 26 minutes ago: Created epoch parser

if we run the script again, it will obviously fail with the error:

Traceback (most recent call last):
  File "parse_epochs.py", line 6, in <module>
    current_datetime = strftime('%Y-%m-%d %H:%M:%S', localtime(int(epoch)))
ValueError: invalid literal for int() with base 10: 'random string\n'

Looks like we need git bisect to fix this. To do so we need to start the investigation:

git bisect start

and mark one commit as bad (the last one usually) and one commit as good. This would be the second commit when we generated the input:

git bisect bad b811d35 && git bisect good d02eae8

After that git bisect will split the history between the good and the bad commit in two. You can see that by doing

git bisect visualize

to see the commits that are considered the culprits and

git show

to print the currently checked out one, in our case

dbf75cd

If we run the script it will still fail. So we mark the current commit as bad

git bisect bad dbf75cd

It is worth mentioning the output of git in that case:

git bisect bad dbf75cd
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[cbfa2f5f52b7e8a0c3a510a151ac7653377cfae1] Added faulty input

Git knows we are almost there. Yay!!!

If we run the script again, it of course fails. And if we mark it as bad git says:

git bisect bad cbfa2f5
cbfa2f5f52b7e8a0c3a510a151ac7653377cfae1 is the first bad commit

By then, you may either fix the bug or contact whoever committed the bad code/input/configuration. Here is how to get the details:

$ git show -s --format='%an, %ae' cbfa2f5
Periklis Gkolias, myemail@domain.com

Conclusion

Thank you for reading this article. Feel free to comment on your thoughts towards this great tool.

You set up a new dev team. What are the first things you would do to make things go as smoothly as possible?

Periklis Gkolias — Mon, 25 May 2020 16:52:58 +0000

Imagine you are setting up a new dev team. Either to your current company or to a new one.

What are the first things you would do to safeguard the quality of your day to day life? Those could be technical or more procedural like:

Setting up CI/CD, coding standards, remove technical debt, etc
Setting out a clear process the various recurring meetings, ground rules like "leave the meeting if it is not valuable to you", evaluation processes, 1-1s, etc