Author: PerfectSlayer

Instrumenting the Instrumenter: A meta-agent Story

PerfectSlayer Software Leave a comment

I attended for the first time at JavaZone this year. This was an amazing experience to meet some new folks and I learned a lot through the various conferences and workshops I could attend during those three days.

Discovering meta-agent

Among the things I discovered, there was meta-agent presented by Marco Sussitz during his talk: Demystifying OpenTelemetry: Java Agents Unveiled. This is a tool created by Johannes Bechberger and Mikaël Francoeur which was originally designed to investigate the generated bytecode from Spring proxies and Mockito mocks. Basically, you will have a hard time trying to debug (byte)code that is generated at runtime, whose source does not exist. Such proxies and mocks implementations only live in JVM memory so this tool provides a way to look at class file content that is loaded by the JVM. Internally, it works as a JVM agent that hooks into the Instrumentation API to decorate the other instrumenters and record their changes introduced through the ClassFileModifiers.

When it looks too beautiful…

While my job at Datadog involved a good amount of bytecode injection work, I was a bit disappointed to discover that meta-agent did not work with The Datadog Java Client Library (aka dd-trace-java) nor the OpenTelemetry Java agent. During Marco’s presentation, he showed that only a limited amount of class transformation was captured by the meta-agent. But unlike him, I did not want all the troubles of forking and patching the JVM to dump transformed classes to troubleshoot the bytecode our agent changes.

Read More

Building a Code Review Assistant: When AI Actually Makes Sense

PerfectSlayer Software Leave a comment

As software engineers gain seniority, we usually find ourselves shifting from writing code to reviewing it. With broader impact and scope comes the responsibility to review more pull requests across different projects and teams. The question becomes: how do we make the best use of our limited review time? Which PRs deserve our attention first?

I’ve been skeptical about AI tools for writing business code. After trying numerous products and tools, I found them to be mostly a waste of time when it comes to actual development work. The promises rarely match the reality, especially for complex, domain-specific code like the Datadog Java tracer where no other Open Source projects exist for the AI to get inspiration from.

But here’s where it gets interesting: AI is great at understanding concepts and somewhat good reasoning about priorities. So instead of trying to make AI write code, I decided to leverage its strengths for something it’s actually good at: helping me choose which pull requests need my attention most.

Read More

Reversing for fun thanks to intelligence service

PerfectSlayer Android, Security Leave a comment

Capture The Flag, or CTF for short, always are a good opportunity to challenge its knowledge and capabilities about software security. This year again, the DGSE (Directorate General for External Security, the French foreign intelligence services) and Telecom SudParis school teamed up to create the 404 CFT: a free-to-join online CTF. I decided to give it a try to check how my reverse engineering skills aged.

I tackled the Android reverse engineering challenge. It was split in two parts: Bugdroid Fight [1/2], rated as easy I won’t detail here, and Bugdroid Fight [2/2] rated as average difficulty (the second of the four difficulty levels before hard and extreme) I will walk through in this post. The goal for a CTF challenge is to find a flag: like an hidden text or a password. Running the application inside an emulator quickly gives how to find the flag: you have to find the text that validates the application form.

Read More

Chrome

Chromebook: End of Support

PerfectSlayer Hardware Leave a comment

I like my ASUS C300 Chromebook: it’s my way to go laptop. It is cheap, something like 200~250€ few years ago, light and solid, only plastic here and no hard-drive which poorly handles transport, and it lasts long enough to endure any conference. Yes, even 8am to 10pm long Devoxx days.

I previously owned a HP laptop, five time more expensive than this Chromebook and I had to change the keyboard each year, touches broke too easily, the screen ribbon two times, the motherboard, the speaker, the fingerprint sensor, which was shocking my wrist when typing, one time each. Even the case itself broke after 3 years in my backpack. So Chromebook is definitely a good deal: 5 years now and not even a (deep) scratch!

But earlier this month I discovered this surprising new notification on my Chromebook:

Chroomebook end of support notification

Read More

Google Cloud Platform

Google Cloud Summit & OnBoard

PerfectSlayer Cloud, Software Leave a comment

The last few weeks, I attended to two conferences about the Cloud by Google. The first one was the Google Cloud Summit, the first toke place at Paris, the 19th of October in the Palais des Congrès. It started with a keynote by the VP (EMEA) of Google Cloud to welcome everyone and remember some impressive figures. Whereas Google deploys a new data-centers each month, the cloud only represents only 5% of the overall companies workload but it uses 40% of the Internet traffic! They invested $30 million until now and they want to be ready when the shift will happen!

Google Cloud Summit 2017
Few minutes until the theater to be full!

IMG_20171019_083806
IMG_20171019_095757
IMG_20171019_104657

The conference was divided in three tracks with theirs own subjects: Data, DevOps and Collaboration & Infrastructure. I personally chose to go to at least one conference on each subject so I covered various topics from technical ones with Kubernetes and serverless applications with Function to machine learning with Google APIs or using TensorFlow passing by secure applications on ChromeOS and Android. It helped a lot to understand the product catalog and offered a global vision of the Google Cloud Platform. Conference like “Where should I run my code” summarized it well.

IMG_20171019_124914
IMG_20171019_150629
IMG_20171019_163143
IMG_20171019_163201
IMG_20171019_163224

The second event I attend was Google Cloud OnBoard, a training session about Google Cloud the 8th of November in the Salle Wagram at Paris too. Whereas the Google Cloud Summit was composed by 60% of developers and the others were mainly decision makers, the Google Cloud OnBoard was a technical training in order to (re)discover the Google Cloud Platform and its products. It started by some key concepts, like roles and permissions with IAM, then moved to key products like App Engine, Compute Engine and Datastore. OnBoard sessions trained more than 300k people across 50 countries.

IMG_20171108_173109
IMG_20171108_093731
PANO_20171108_093653

Both events were very well planned and organized. Communication was excellent and everything was done in order to enjoy the moment. I mean, no queue to get your badge, WiFi password on the back of your badge, training notes and drinks set up on every seat of the room, people everywhere to answer your question or guide you to your next conference room: impressive! I really enjoyed those two days and it helped me a lot to understand the platform and how it can fit my needs. Don’t hesitate to create your account and give it a try: there is free trier on a lot of products and you will be offer $300 for the first year!

Azure Days

Microsoft Azure Days #1

PerfectSlayer Cloud, Software Leave a comment

A quick blog post about the past Thursday at Microsoft conference center where the (French) Azure Days #1 took place. As a previous insider, I was invited to a full day of conferences about the Microsoft cloud platform and I was really impressed how it becomes massive: about 80 services from VM and hosting to database and AI. I won’t make ads here but numbers speak by them self:

Numbers about the strong Azure momentum
Azure Days #1 – Momentum

During the day, we learned basics of the platform: platform specific wording and concepts, how to prevision VM, deploy applications, setup networking and deal with the resource manager. The speakers, 4 architects, were very motivating and knew how to keep people attention (specific mention for Pierre’s distraction when a live demonstration temporary failed). The event will be repeated each 6 to 8 weeks and, good news, it’s totally free! Except if you have to take a day off like me because your company doesn’t think cloud is important… Anyway, I should be present the 12th of September for the Azure Day #2 and I’m now looking forward to participate to the first Google Cloud summit at Paris this October!

azure-days-1 (0)
azure-days-1 (1)
azure-days-1 (2)
azure-days-1 (3)
azure-days-1 (4)
azure-days-1 (5)
azure-days-1 (6)
azure-days-1 (7)
azure-days-1 (8)
azure-days-1 (9)

GitHub header

Dev story: project hosting

PerfectSlayer Firefox, Software Leave a comment

It was a long time since the previous post and it’s the opportunity of trying a new format I call « dev story ». A less verbose post format but more based on day-to-day coder life. The story I would like to share is about the port of one of my Firefox add-on: Scroll Up Folder. I recently made big changes for this project on which I could share: first I had to change its hosting then I rewrote the whole add-on using a new SDK.

Read More

Android header

Android for left handed

PerfectSlayer Android 1 Comment

Guess what? I’m left handed! And I’m sad to see that Google is still not offering a left handed option to theirs users. Until now, one solution is to use a custom rom witch allows you to customize navigation bar. But with the recent Lollipop release, no custom rom is yet ready for daily use… Moreover, ART, the new runtime, breaks Xposed Framework compatibility. Xposed Framework was another solution for stock rooted rom to install a module for navigation bar customization. I recently bought a Nexus 6 (still shipping!) and I don’t want to wait a new solution (Xposed Framework compatibility is not coming soon). Never mind, I’m a developer so let’s do this myself!

Read More

Mozilla Sync header

Firefox Sync server hosting

PerfectSlayer Firefox, Security Leave a comment

The last weeks demonstrate how personal information are sensitive and valuable. Companies like Ebay, Spotify, AVAST have been hacked and stolen of their client databases. Those facts motivate me to host my own Firefox Sync server instead of uploading my data to another big cloud company.

Firefox sync banner

Firefox Sync is a solution to store and keep synchronize Firefox data like bookmarks, history, passwords or preferences. Since Firefox 29, a new version of Sync is available (version 1.5). It uses the new Firefox accounts as authentication mechanism. The service definition and separation between authentication, token and storage allow to change and plug new servers on the fly. So you could host your own Sync server without having to worry about auth. Auth will be provided by Mozilla servers, which don’t store your plain text passwords or encryption keys. You may check the source code of the authentication server on Github or the Sync protocol for more details.

The Sync server installation procedure is quite well described by Mozilla. It explains how to get, build and run and test a custom Sync server on the built-in server (some git and make commands). Once everything works, you could set up your Firefox browser to point at your own server and test with your account and data. For production use, you could bind it on your Apache on Ngnix server throw WSGI or Gunicorn module (the built-in server is not intended to be use in production context).

In conclusion, I run my own Sync server to store my personal data. The server is lightweight and data takes less than 10 mo of storage. I enforced the security with requested client certificate and IP filtering and I could have a look to all access done with the Apache logs. So even if Firefox accounts are leaked (and we should consider they will be), attacker needs to know location of the server, get a certificate, find a valid IP address before getting access to my Sync server. According the interest of my data, the risk is very low.

I encourage your to host as often as possible your data. Nowadays, it is the real people value. So take care of it and thanks the Mozilla company to allow us to do it (hey Google, what about Chrome ?).

Firefox Sync test
Bonus: Testing server and account synchronization