Tag: Security

  • Conference: Handmade Seattle 2020


    Table of Contents:
    Intro
    Speakers Day 1
    Freya Holmér
    Nuno Leiria
    Joey de Vries
    Ramón Santamaría
    Elizabeth Baumel
    Andrew Kelley, Ginger Bill, Joshua Huelsman
    Speakers Day 2
    Gal Zaban
    Vegard Nossum
    Hannah Gamiel, Eric A. Anderson
    Randy Gaul
    Abner Coimbre
    Allen Webster, Ryan Fleury
    Project Demos
    Ripcord
    WhiteBox
    SYZYGY
    Footnotes

    I spent this past weekend attending Handmade Seattle which is an independent, low level programming conference. It is usually held in Seattle but due to the ongoing COVID-19 pandemic, this year’s conference was held online.

    First things first: wow. I was blown away.

    I was really impressed at the quality of speakers and the content they brought to the table. It never ceases to amaze me how many smart folks are out there deep diving into complicated topics and sharing what they learn with the rest of us. Huge kudos as well to Abner Coimbre for organizing the event and the job he did facilitating as its host. Abner did a fantastic job of being professional and informed with the topics he discussed with the speakers while managing to keep it real in true indie fashion 😎.

    Some of the talks were interviews between the speakers and the host, some were pre-recorded presentations or podcasts, but all ended with a Q&A with the speakers where all ticket holders were able to engage directly with the speakers using a private Matrix chat for which an invite was sent upon ticket purchase. It was really cool to see Matrix used like this in the wild, especially as it’s a project that my company recently invested millions into. I love the idea of this open, decentralized communication platform of the future. If you do too, we’re hiring engineers to help bring Matrix to Automattic 😊.

    Without further ado – I have included a list of the speakers below with a brief take on some of their topics with links to where you can check out more of what some of these folks are doing.

    Speakers: Day 1, November 14th 2020

    Freya Holmér
    Indie Game Dev – Developing Shader Expertise

    This was my first exposure to Freya as I haven’t dipped many toes into the shader world but oh. my. god. This is the person that accidentally created the industry standard shader editor for the biggest game engine in 2014?

    What a way to kick off this conference. Freya spoke heavily to the value in focusing on one thing and really digging down. In that, however, she emphasized a few points that I think are fantastic advice in general:

    1. Only learn the things you need to learn to do what you need to do.
    2. Don’t try to step into dozens of different topics, drill down and master one.
    3. Laser focus on one thing will result in getting more done faster.

    I love this because it’s a super common problem in the tech world and for learning in general. You start working on a project, but there is so much to learn that it’s easy to get distracted or never progress because you start looking into the various adjacent technologies. You end up becoming okay at the basics in a dozen technologies but have no deep understanding required to truly innovate.

    By the way, her YouTube channel is so good. Among other things, she has a dedicated series called “Math for Game Devs” which will make you a better game developer.

    References:
    https://acegikmo.com/


    Nuno Leiria
    Polystream Senior Engineer – Modern CPU Optimizations: From the kernel to the cloud

    This was so good. I know I probably sound like a broken record, but wow. Here was a AAA production solve for a performance bottleneck. The first obstacle had all of us laughing. Whoever had “Adobe Updater on the Server” on their systems bingo card, cash in that ticket!

    Beyond that, Nuno orchestrated a deep dive into performance profiling. On this particular project, he and his team went so deep into the matrix that they ended up discovering a bug in the Windows kernel. What’s more, they were able to give Microsoft specific enough information to get that bug patched, fixing their application.

    Yes, I couldn’t believe Microsoft actually patched a kernel bug either 😊.

    References:
    https://twitter.com/nunopleiria
    Full list of profiling tools at the bottom of this post [1]


    Joey de Vries
    Author – The History behind learnopengl.com

    Really great talk about the history behind learnopengl.com and how Joey ended up starting what many consider to be the definitive resource for learning what is basically the industry standard graphics API.

    Joey also has a new book: Learn OpenGL: Learn Modern OpenGL Graphics Programming in a Step-by-step Fashion which I will definitely be picking up!

    References:
    https://learnopengl.com/
    Book: Learn OpenGL: Learn Modern OpenGL Graphics Programming in a Step-by-step Fashion


    Ramón Santamaría
    Epic MegaGrants Recipient – Developing a Handmade Mindset for raylib

    This guy. I have pretty much been Ramón’s self-proclaimed #1 fan for about a year now, and I knew that this talk was going to be amazing but holy moly.

    How do you make an entrance into an indie programming conference? How about starting your presentation by compiling it from vanilla C source to web live using the software you wrote.

    Do you think it stopped there? Um…..

    I can fit on zero hands the number of folks that thought guitar, cooking, and tree pruning would be the core tenets of a software conference talk.

    Ramón expertly translated how he applied these three passions from his life to his approach to software development. I won’t be able to give this talk its due justice here, so I highly recommend checking out the recorded video.

    References:
    https://www.raylib.com/


    Elizabeth Baumel
    Unity3D Engineer – You CAN Teach an Old Programmer New Paradigms!

    Data Oriented Design. This is the content I purchased my ticket for. Elizabeth teaches DOD for a living and expertly broke down components of DOD using various worksheets throughout her talk:

    This is my favorite software presentation slide ever:

    Slap 👏 that 👏 shit 👏 together 👏 — PREACH!

    References:
    https://twitter.com/icetigris


    Andrew Kelley, Ginger Bill, Joshua Huelsman
    Compiler Writers – The Race to Replace C and C++

    Excellent podcast between uber smart developers who work heavily with compilers and bring different perspectives to the table. Bill is the creator of the Odin programming language and has turned many of his strong opinions into design decisions in it. Josh is the creator of the Jiyu programming language and also worked on Jonathan Blow‘s upcoming Jai language at Thekla. Andrew is the creator of the Zig programming language. Abner keeps everything in order 😊.

    References:
    https://twitter.com/andy_kelley
    https://twitter.com/thegingerbill
    https://twitter.com/machinamentum

    Speakers: Day 2, November 15th 2020

    Gal Zaban
    Security Researcher – Linux Kernel Adventures: Reversing & Exploiting a Linux Driver

    🤯. A very humbling talk about exploiting systems via kernel device drivers. Gal’s talk goes deep into the matrix, discussing and breaking down ioctl syscalls in depth.

    This is one of those talks I’ll need to watch again….more than once 😅.

    References:
    https://twitter.com/0xgalz


    Vegard Nossum
    Kernel Developer – Parallelisation in the Linux Kernel

    Outstanding presentation from a true legend in the space. Check out this rig that his friend built:

    This is a computer with 6,144 cores. Yes, Linux supports this.

    As a point of reference, the figure usually quoted for Windows is 256 logical processors, and even then its scheduler works in processor groups of at most 64 logical processors each.

    Linux Parallelism is state-of-the-art

    Vegard Nossum

    This talk perfectly covered the topics required to understand parallelism without going too deep into the rabbit hole on each branch (note: it is easy to do this). This is another talk I’m not capable of delivering justice to and highly recommend checking out Vegard’s work, white paper, and the talk itself.

    References:
    https://twitter.com/vegard_no
    White Paper – Ksplice: Automatic Rebootless Kernel Updates
    White Paper – Compact NUMA-aware Locks


    Hannah Gamiel & Eric A. Anderson
    Myst VR Directors – Cyan, Inc.

    Myst is an upcoming VR game – but you already knew that. This interview was a cool chat between Abner and the directors of the project.

    One recurring topic in the podcast was the obstacles encountered via a sudden switch to remote work during the global pandemic. In the private chat I told Hannah she could reach out if she wanted some insight on some best practices, as I know a few folks who set the gold standard for remote work 😁.

    Other than that, it was just super cool getting a behind the scenes look at the folks @ Cyan and how they approached work on Myst and their transition to remote.

    References:
    Myst on Steam


    Randy Gaul
    Microsoft Engineer; Cute Headers

    Randy is a legend in the low level programming game space. If you’ve ever worked in this area you know about the Cute Header Libraries.

    This talk highlighted how good these small and useful libraries actually are and referenced future improvements I wasn’t even aware of, like networking libraries supporting both TCP and UDP. He also laid out the roadmap for the project and what we can expect to be released within the next year or so. It’s always cool to know awesome projects are under active development working towards features everyone wants ๐Ÿ˜€.

    References:
    https://github.com/RandyGaul/cute_headers
    https://twitter.com/randypgaul


    Abner Coimbre
    System Software Engineer – A New Terminal Emulator

    I was super looking forward to this as I basically live in the terminal, but it was postponed and totally understandably so. Abner has a working demo and is ready to present but was working so hard to host and keep everything organized that he chose to delay this a bit. Respect.

    References:
    https://twitter.com/AbnerCoimbre
    https://www.handmade-seattle.com


    Allen Webster, Ryan Fleury
    The How And Why Of Reinventing The Wheel / (Introduction To Dion)

    DION

    DION

    DION!!

    It turns out the hype was worth the wait as Allen and Ryan revealed Dion to the world in a big way.

    These guys weren’t kidding about reinventing the wheel. Imagine programming as you know it reimagined. When writing this I had a really hard time defining everything I was seeing, so I’ll let Ryan share his take:

    Dion is our experiment at a new iteration of what it means to program. Our existing programming tools are hamstrung, and it shows; they are often dumber, slower, and more difficult to use than it feels like they should be. We (Dion Systems) have a theory about why that is, and we’re focused in on demonstrating what we think is the solution.

    Dion aims to be an entire computing environment with one key tweak to the architecture of the programming systems we’re familiar with. Instead of storing code as text files, we store it as a more direct, structured representation that more closely maps to a traditional abstract syntax tree (which is a data structure that a compiler, for example, will use to store extracted semantic information from code).


    This key tweak opens many doors. We now have the freedom to render code in different ways, achieve much smarter tools with much less effort, iterate on the user-interface and user-experience of the programmer, surface more sophisticated information about code, provide more insight for experts, improve the educational experience for beginners, and more, all with much less work.

    We’re not done with our experiment, and our demo is just a first glimpse into the kind of future that rethinking the architecture of our programming environments can bring, but we’re really excited with what we’ve found so far, and wanted to share that vision with the Handmade community.


    There were too many “omg” moments for me to count but a few include:

    • All functions/procedures can be built by themselves.
    • How you view the code is up to you. Inline braces, newline braces, no braces, it’s all on the table.
    • Instant feedback on changes, errors, etc. The system knows not to build until something is fixed.
    • Zooming in and out on code granularity. This is crazy to watch. You can look at all definitions and calls, or just the calls or definitions.
    • Function arguments, variable declarations update their references instantly. By the way, this isn’t matching a string to do it. What? 🤯

    I’m so excited to see where this project goes. There are a few hurdles the team will need to overcome (e.g. version control) – but there are more possibilities than there are obstacles…. you can count on that.

    References:
    https://twitter.com/DionSystems
    https://twitter.com/ryanjfleury
    https://twitter.com/AllenWebster4th
    https://twitter.com/debiatan


    All of these talks were recorded and will be available soon at: https://www.handmade-seattle.com/


    Bonus!

    Between the interviews, there were “5 minute indie demos” which showcased some extremely interesting up-and-coming projects. Here were a couple that stood out to me:

    Ripcord

    This is one of the coolest cross-platform chat clients I’ve seen in a long time. It reminds me a lot of the old Trillian days. Remember Trillian? It would bring your AIM/ICQ/IRC convos into a single client.

    Built in Qt, it is a program designed to bring all of your various modern-day chat programs into one place in a native client – without needing four 2GB Electron apps murdering all of your CPU and RAM.

    From the website, check out some of the features (emphasis mine):

    Features

    • Not made from a web browser
    • Tabs
    • Multiple windows
    • Multiple accounts
    • Voice chat (Discord OK, Slack WIP)
    • Graphical emoji and custom emoji
    • Tab completion for user names and emoji
    • Customizable fonts, colors, and sizes
    • Custom bookmark lists for easily accessing only the channels you actually use
    • Variable DPI and multi-monitor support
    • Low CPU and memory usage
    • Zero GPU usage
    • No tracking or analytics
    • No installer or forced updates

    Here are some screenshots of the software:

    I’m already tooling around with this, and really excited to see how this project evolves!

    WhiteBox

    A really cool tool that compiles, runs, and debugs in real time as you write code 😲. Is there more to say? Check it out below:

    SYZYGY

    Syzygy is a crazy cool puzzle game which uses topology deformations as a game mechanic. I haven’t seen something like this before.

    Get it here on Steam. Releasing 20 November 2020 (this Friday!)


    Footnotes:

    [1] Full list of profiling tools from Nuno Leiria’s talk

    System wide profiling tools:
    https://developer.nvidia.com/nsight-systems
    https://docs.microsoft.com/en-us/windows-hardware/test/wpt/
    https://github.com/google/UIforETW

    GPU profiling:
    https://gpuopen.com/rgp/
    https://developer.nvidia.com/nsight-graphics
    https://software.intel.com/content/www/us/en/develop/tools/graphics-performance-analyzers.html

    Sampling/Instrumented profilers:
    http://www.codersnotes.com/sleepy/
    https://superluminal.eu/
    https://github.com/wolfpld/tracy
    https://github.com/Celtoys/Remotery
    https://github.com/jonasmr/microprofile
    https://www.puredevsoftware.com/framepro/index.htm

    Micro-architecture profilers:
    https://software.intel.com/content/www/us/en/develop/tools/vtune-profiler.html
    https://developer.amd.com/amd-uprof/

  • It is impossible to get hacked*


    *No, not really. It’s just that when you say “I have been hacked!” you’re handing off responsibility. People think these things “just happen” – hackers hack, right?

    Wrong

    In the present day, people use the word “hacked” as if they were being targeted by hackers, then getting their accounts broken into by some sort of voodoo computer magic. The reality is: this couldn’t be further from the truth.

    This is *not* how someone got into your Facebook account 🤦‍♂️

    There are many forms of hacking. In this post, we’re going to focus on modern day account security since this is where most people will tell you they get “hacked”. When I say account security, think Facebook, Twitter, Apple, Netflix, Instagram, Email, etc.

    What is “hacking” ?

    The early days of the internet were basically the wild west. As a result, breaking into accounts was a much simpler process. Passwords could be guessed over and over by programs until one guessed the right one (computers can do this really fast), and direct peer-to-peer connections were extremely common as well, since IPs were more exposed to the (relatively) few folks online. When I first started using the internet in the late 90s, it was a common practice to open a direct client-to-client connection with a stranger in IRC to share a file. You would never do that today, and modern communication platforms like Discord abstract things in a way where you’d never actually know the IP of a person you were sharing a file with.

    Nowadays, practically any service with more than a handful of users has at least rudimentary protection like rate limiting and lockouts against brute-force guessing. The larger platforms with millions of users layer much more sophisticated protection on top. For example, if you live in Chicago and log into Facebook, then someone tries to log in as you from Bangladesh 5 minutes later, that attempt is going to be challenged or blocked as impossible travel. In short, it’s very hard for someone who has never met you to get into your accounts unless you hand them the keys to do it.
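    The Chicago-then-Bangladesh check above is what platforms call an impossible-travel rule. Here is an added example of one, written for this post and not code from Facebook or any other service mentioned here. The login events are constructed sample data (not real logins), and the 1,000 km/h ceiling is an assumption standing in for whatever a real platform tunes. It computes the great-circle distance between consecutive logins by the same user and flags any pair that would have required travelling faster than the ceiling.

```python
import math
from datetime import datetime

# Constructed sample login events, not real data:
# (user, ISO-8601 timestamp, latitude, longitude, label for the report)
EVENTS = [
    ("alice", "2020-11-16T14:00:00+00:00", 41.8781, -87.6298, "Chicago"),
    ("alice", "2020-11-16T14:05:00+00:00", 23.6850,  90.3563, "Bangladesh"),
    ("bob",   "2020-11-16T09:00:00+00:00", 41.8781, -87.6298, "Chicago"),
    ("bob",   "2020-11-16T21:00:00+00:00", 51.5074,  -0.1278, "London"),
]

# Assumed ceiling: nobody legitimately moves faster than a commercial airliner.
MAX_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on a spherical Earth."""
    r = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_label, to_label, speed_kmh) for each consecutive pair of
    logins by the same user that would require travelling faster than the ceiling."""
    last_seen = {}
    flagged = []
    # Sort by user, then by timestamp (ISO-8601 with a fixed offset sorts as text).
    for user, stamp, lat, lon, label in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(stamp)
        if user in last_seen:
            prev_when, prev_lat, prev_lon, prev_label = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600.0
            distance = haversine_km(prev_lat, prev_lon, lat, lon)
            if distance == 0:
                speed = 0.0          # same place, any time gap: fine
            elif hours > 0:
                speed = distance / hours
            else:
                speed = float("inf")  # different places at the same instant: impossible
            if speed > max_speed_kmh:
                flagged.append((user, prev_label, label, speed))
        last_seen[user] = (when, lat, lon, label)
    return flagged


if __name__ == "__main__":
    for user, src, dst, speed in impossible_travel(EVENTS):
        print(f"{user}: {src} -> {dst} would need {speed:,.0f} km/h")
```

    A real system would pull the coordinates from an IP geolocation database and treat a hit as a reason to challenge the login (extra verification) rather than a hard block, since VPNs and mobile carriers produce plenty of false positives.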

    So how does it happen, then?

    Here are the most common ways an account gets compromised:

    1. Clicking phishing links in emails or on websites which redirect to false pages reconstructed to look like a service you use: Facebook, Apple, Amazon, Chase banking, etc. You’ve clicked this link because it said in the email that you had an urgent notice that needed to be resolved, then you willingly entered your account information, which someone now has.
    2. You have a ridiculously easy password. 123456, qwerty, password, hunter2, your name, your kid’s name, your pet… the list goes on. Don’t do it.
    3. You use a universal password. A universal password means you use the same password or a variation of it for multiple accounts. This is literally the worst thing you can do. Why? Because when a company legitimately gets breached, like Equifax in 2017 for example, whoever gets that data is going to try the credentials they gained on every other service they can. Fun fact: the 2017 Equifax breach came in through an unpatched Apache Struts vulnerability (CVE-2017-5638), and separately an Equifax employee portal in Argentina was found with the username admin and the password….. admin! Yes, really.
    4. YOU PROVIDE answers to password security questions, sometimes freely. These are questions you often set up when creating an account: What is your birth date? What is your Mother’s Maiden Name? When is your anniversary? I can find out 90% of the answers to these questions just by being friends with the average person on Facebook. People that answer Facebook “quizzes”? *Shudders* 😬.
    5. This brings us into what modern day hacking usually comes down to: social engineering. People trick you into revealing information that help them hack you. Whether it’s over a social media DM, a video game, or on the phone. Modern day hackers are experts at piecing together seemingly innocuous information… until it’s too late.
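    Items 2 and 3 above are the ones a service can catch at sign-up time. The following is an added example, mine rather than code from this post or any product it mentions, of the checks a registration form might run: a constructed short list of the perennial worst passwords stands in for a full breach-derived list, a normalizer collapses the “variations” people treat as new passwords (packers01, packers1!!, Packers!! all become packers, and P@ssw0rd1 becomes password), and a rough entropy estimate is compared against an assumed 80-bit minimum.

```python
import math
import re

# Constructed stand-in for a breach-derived list of the most common passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "hunter2", "letmein", "111111"}

# Assumed policy threshold: below this estimated entropy the password is rejected.
MIN_BITS = 80

# Undo the usual letter-for-symbol substitutions so p@ssw0rd reads as password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Collapse a password to the base word the human actually remembers.

    Strips digits/punctuation bolted onto either end, lower-cases, undoes
    leetspeak and drops any non-letters left over, so packers01, packers1!!
    and Packers!! all map to 'packers'.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    core = core.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def entropy_bits(pw: str) -> float:
    """Upper-bound estimate: length * log2(size of the character pool in use).

    Assumes every character was chosen uniformly from the pool, so this
    overstates the strength of anything a human made up from words and dates.
    """
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(pool) if pool else 0.0


def assess(pw: str, previously_used=()) -> list:
    """Return the reasons to reject pw; an empty list means it passes."""
    problems = []
    base = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    elif base and base in COMMON_PASSWORDS:
        problems.append("variant of a common password")
    if base and any(base == normalize(old) for old in previously_used):
        problems.append("variant of a password you already use elsewhere")
    if entropy_bits(pw) < MIN_BITS:
        problems.append("too short or too predictable for the policy")
    return problems


if __name__ == "__main__":
    candidates = ["123456", "P@ssw0rd1", "packers1!!",
                  "Zhwg(=B)wMNOd(m1l;1BHl/-O?Z:kVko#aMaclcd"]
    for candidate in candidates:
        verdict = assess(candidate, previously_used=["packers01"]) or "OK"
        print(f"{candidate!r}: {entropy_bits(candidate):.0f} bits, {verdict}")
```

    The entropy figure is deliberately an upper bound: it tells you how hard a password is to brute-force if it was truly random, which is exactly what a generated password is and a human-chosen one is not. That is why the list and variant checks run first.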

    What can I do about it?

    Here’s are some extremely easy ways to significantly reduce your odds of getting an account compromised:

    1. Don’t click links in emails. If you get an account notice, log in directly through the organization’s portal and see what’s up. Reach out to the organization directly. If you get an email saying your Netflix account is frozen, try logging into Netflix at https://netflix.com – if you can login, the account obviously isn’t frozen.
    2. Use long, strong, unguessable passwords. Zhwg(=B)wMNOd(m1l;1BHl/-O?Z:kVko#aMaclcd is an example of a strong password: 40 characters drawn from upper and lower case letters, digits and symbols, which works out to over 250 bits of entropy if each character was picked at random. Length is the biggest factor in how hard a password is to crack, but it isn’t the only one: a long password built from dictionary words and dates is still guessable.
    3. Even better is to get a password manager and let the password manager generate the passwords for you. The password manager will ensure the password is as difficult as can be for a machine to guess, while allowing you to one-click copy/paste it into the service in most cases.
    4. Never ever use the same password in more than one place. Seriously, don’t do it. This includes if your password is just an alteration of the same thing. For example: packers01, packers1!!, Packers!! might as well be the same password.
    5. Never store username/password credentials in your browser (when you log in to a site, this is the “save password” prompt that you see.) The first thing a “hacker” who gains control of your computer does is dump the usernames and passwords saved in your browser, which anything running as your user can read back in plain text.
    6. Set up two-factor authentication…. everywhere. There aren’t any mainstream services that don’t offer this. Start with your emails (yes you should have more than one) as they’re the key to most account recoveries. If someone gains access to your email, they can reset your accounts in other places by sending a password recovery link to your email. Your email needs to be the hardest thing to get into. This is like the easiest thing to do, yet 90% of people with a Gmail account do not have 2FA set up. That number is staggering.
    7. Don’t use text-message based 2FA. Phone numbers can and do get hijacked remotely: in a SIM swap, an attacker talks your carrier into moving your number to a SIM they control, and your 2FA codes go to them. It has happened to people I work with. Instead, use an authenticator app like Google Authenticator or Authy. These apps generate codes from a secret shared with the service when you enrolled; the code changes every 30 seconds and you provide it when logging into a 2FA-connected service.

    So is it really impossible to get “hacked” then?

    No. True security breaches happen every single day. Usually someone discovers and exploits a security vulnerability in a service and figures out a way to query a database or gain access to an administrator’s account. I talked about Equifax a bit, but this has happened to other large organizations as well.

    What then happens is now someone has a list of username/email and password combinations used for that service. They then use these lists and throw them at other services until they work, banking on the fact that people can (and do) use the same credentials across multiple services. These attacks are known as credential stuffing. Again, using unique passwords for every service greatly mitigates the impact this has on you.

    “Have I been Pwned” is a great site for checking if you have an account that’s been compromised in a data breach somewhere: https://haveibeenpwned.com/
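    Checking a password against Have I Been Pwned does not mean sending the password anywhere. Its Pwned Passwords API uses k-anonymity: you send only the first five hex characters of the password’s SHA-1 and get back every suffix in that range with a breach count. Below is an added example, mine and not HIBP’s own client code, that builds the query and parses the response. The response body is a constructed stand-in: it contains the real SHA-1 suffix of the word password next to made-up neighbours and made-up counts, so the example runs offline. The fetch_range helper shows the real request shape but is not called by anything here.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_upper_hex(password: str) -> str:
    """Pwned Passwords indexes by upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """k-anonymity split: only the 5-character prefix ever leaves your machine."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach
    count for our suffix, or 0 if it is absent (never seen in a breach)."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Real request shape (not exercised offline). Only the prefix is sent."""
    req = urllib.request.Request(API + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password has appeared in known breaches."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed response for prefix 5BAA6, the real prefix of SHA-1("password").
# The middle suffix is the real remainder of that hash; the other two suffixes
# and all three counts are made up for this example.
SAMPLE_RESPONSE = """\
00A1B2C3D4E5F60718293A4B5C6D7E8F901:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FFEEDDCCBBAA99887766554433221100ABC:2
"""

if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print("sent to the API:", prefix, "(kept local:", suffix + ")")
    print("seen in breaches:", count_in_range(suffix, SAMPLE_RESPONSE), "times")
```

    Every suffix in the range comes back, so the service learns only that your password hashes to one of a few hundred candidates, not which one. A non-zero count is a hard reject for a new password, and a password manager that integrates this check will do the same.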

    Is it all worth it?

    In a word: yes.

    Think of how much you value everything on your computer and on web services: photos of your loved ones, correspondence, financial information, your writing. Your computer and web accounts are access points to things you own, things that are yours. The small inconveniences here and there are big inconveniences for hackers. Do you know what’s more inconvenient than entering a 2FA code? Trying to explain to Facebook that it’s your profile that someone else is using, or getting your money back when someone gets into your bank or credit services.

    In Summary

    These are the basics. As you’ve learned, simply enabling two-factor authentication on your email will make you a harder target than 90% of the 1.5 billion people who have a Gmail account.

    Use Two Factor Authentication. Never re-use passwords. Get a password manager.

    Questions? More tips? Let me know in the comments 👇