Some notes from the first day of Deconstruct Conf 2019 which is an annual conference in Seattle organized and hosted by the eternally optimistic Gary Bernhardt.

Here’s what I recall.

2 auth 4 humans

By Karla Burnett. Covered some of the history of two factor auth. RSA SecurID, SMS, mobile app, USB key. Two main threat models.

One is credential stuffing. Breach at one site leaks password (or crackable hashes) which then get applied to other sites. Users reuse passwords, and boom. Could use password manager, too much friction for many users. Two is phishing. Unique password won’t help if you enter it anyway.

Hardware tokens help, but inconvenient. SMS can be “ported” as in stolen. Mobile app like Duo is good, but users may still approve login when being phished without verifying all details. USB key (Yubikey) finally removes humans from the auth loop, but you have to have one. Doesn’t work with phone, etc.

Takeaway: threat model matters. Don’t give users perfect advice they won’t follow. Anything, even SMS, is better than nothing.

multiuser game engine

By Ayla Myers. So you want to build a multiplayer online game engine? It’s complicated. The clients get desynced. The clients lie. The server is too slow.

This was a great talk on the theme of incremental improvement, solve one problem to discover another, and nothing is ever easy. It’s not failing if you’re learning.

A short write up, but this was one of my favorites.

jepsen

By Kyle Kingsbury. The first half was a cornucopia of bugs discovered in three different databases. Ordinarily I kind of love talks like this. Let’s look at bugs all day. Unfortunately, we didn’t look close enough at many of them to learn much, and they weren’t really thematically related, except by occurring in a similar set of applications. Logic bugs, concurrency bugs, network bugs, etc. I like these talks more when there’s a bit more of a pattern, something that can be applied in the future. I mean, I still liked it, I just didn’t learn too much from it.

The second half was more about how to test such systems, in a more general way. This seemed more learnable. Don’t just test sending a value and getting it back, send different values each time. SIGSTOP is a great way to replicate GC pauses and other disconnections. Use your firewall to simulate network partitions.

prolog mushrooms

By Josh Cox. Mushrooms have a variety of properties, like black spores or white caps, or edible or poisonous. So we’d like to identify them based on some observed attributes, and then maybe not confuse them with something else that we’d rather not eat. A very good problem for an introduction to prolog. We tell the computer some facts, then it allows us to make queries and it returns truth.

I frequently describe programming as giving instruction to a very literally minded child. Josh made the same analogy for prolog and it seems very apt. What are all the attributes of this mushroom? Well, it has black spores, and it has black spores and black spores, and it has black spores and black spores and blacks spores. What? Totally valid answers to your question.

wet abstractions

By Dan Abramov. (Does anybody in the audience use React? I think every hand went up but me? This is not a react talk.) There was some duplicated code. It was turned into a library. Another project used it, but needed some changes. The little abstraction grew and grew until it terrified all those who gazed upon it. Maybe we shouldn’t abstract things right away? A tale as old as time. This seems to be an evergreen talk, always popular, mostly varying in how the system architecture diagram evolves from slide to slide, as I wait in anticipation of the final horrific reveal. Nevertheless, I like this talk every time I see it.

One nice point here was using M. C. Escher’s Reptiles to illustrate why this recurs. Everybody knows good development is more complicated than copy paste code is bad, but that’s what we tell the next generation, who then need to rediscover that copying code to achieve decoupling is actually a good thing.

culture free programming

By Ramsey Nasser. Learning to program basically means learning English. Open, close, free, list, all these English words. Some modern languages support Unicode, so you can pick your own names in your own code, but there’s still the issue with libraries. If you want to call glutSwapBuffers, you need to call it glutSwapBuffers, because that’s the name in the symbol table in the library.

The speaker previously implemented scheme with all Arabic identifiers, which works, but is very restricted in calling external code. A thought provoking talk, but without an easy solution. We can hash the code, so that instead of calling quicksort directly, I write quicksort but the compiler maps that to calling 0xbdd789, and then another programmer can give that code a new name. But where to store all these names and hashes and mappings?

clock akew

By Allison Kaptur. Clock skew is not merely the providence of distributed systems and distributed systems wizards. Whether you know it or not, you use or are part of a distributed system, which is more than one computer. And thus, probably subject to bugs arising from more than one clock with differing times. We cover a few bugs and oddities, in web interfaces, chat logs, Dropbox client, chrome browser, everywhere.

Then an explanation of the NTP network time protocol. This was a very nice segment I thought, since probably everyone in the audience uses or could use NTP, but may not know how it works or that it exists.

Finally, a few suggestions. Timestamps, especially from wayward clients, may not be the best ordering for events. Pick an authoritative source of time if possible.

voice driven development

By Emily Shea. What if you have really bad RSI and can’t use a keyboard? And you want to write Perl? Voice control. If you’re like me, you imagine this going something like the first video played, which is pretty much a disaster. Computer gets nothing right.

Fortunately, things have improved. A lot of the magic comes from Talon, which extends Dragon with essentially macros and plugins. But there’s still a lot of spelling, which requires a custom phonetic alphabet. Watching a real video it’s impressive. There’s a lot of learning involved, but it’s interesting to see voice control allows some custom “keys” to be used. From the video, I picked up “slap” to mean end of line and enter. Very useful when you might input a line, go back to correct something, then want to start a new line. I press end and enter as separate keys all the time. I certainly wouldn’t want to trade a keyboard for voice, but I hadn’t considered the ways in which voice control need not be bound by keyboard based use.

fin

Today was good. And then came day 2.