Show Notes: linuxunplugged.com/390

The post Eating the License Cake | LINUX Unplugged 390 first appeared on Jupiter Broadcasting.

Show Notes: linuxactionnews.com/173

The post Linux Action News 173 first appeared on Jupiter Broadcasting.

Episode Links:

linuxactionnews.com/97

The post Linux Action News 97 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/392

The post Keeping up with Kubernetes | TechSNAP 392 first appeared on Jupiter Broadcasting.

MP3 Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

— Show Notes: —

Total Solar Eclipse Meetup

This should be a great view of the action, and hopefully not too busy.

PiCluster: A simplified Docker Swarm or Kubernetes alternative to container scheduling and orchestration

• Move containers to different hosts in the cluster
• Run commands in parallel across Nodes
• Heartbeat for services
• Easily build and orchestrate Docker images across nodes
• Command-line interface
• Web interface
• HTTP interface
• Virtual IP Manager
• Rsyslog Analytics
• Built-in web terminal to easily run commands on nodes
• Integrate the Kibana dashboard into PiCluster
• Integrates with Elasticsearch to store the PiCluster logs.
• Automatic container failover to different nodes
• Pull container images from a registry

Cloud Explorer

Cloud Explorer is a open-source S3 client. It works on Windows, Linux, and Mac. It has a graphical and command line interface for each supported operating system.

Kibana

Kibana lets you visualize your Elasticsearch data and navigate the Elastic Stack, so you can do anything from learning why you’re getting paged at 2:00 a.m. to understanding the impact rain might have on your quarterly numbers.

jBot on Github

An omnipresent multi-platform bot who’s goal in life is become Skynet

The post Clustered Pi | CR 269 first appeared on Jupiter Broadcasting.

Zero-day exploits striking over 100 systems, if you think copying links to bash scripts from the internet is okay, maybe you shouldn’t be root & the day Google automated itself off the internet.

Plus your questions, our answers, a huge round up & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Zero-day exploits against Microsoft used against PoS systems of over 100 companies

• “More than 100 North American companies were attacked by crooks exploiting a Windows zero day vulnerability. The attacks began in early March and involved the zero day vulnerability CVE-2016-0167 reported and partially fixed in April’s Patch Tuesday security bulletins by Microsoft. The zero day was found by researchers at FireEye, who on Tuesday disclosed details.”
• “The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability””
• “FireEye said the flaw is a local elevation of privilege flaw in the win32k Windows Graphics subsystem. Attackers are able to exploit the flaw once they are able to remotely execute code on the targeted PC. Microsoft patched the vulnerability on April 12 and released a subsequent update (MS16-062) this week”
• “In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and executed a malicious downloader that we refer to as PUNCHBUGGY.”
• “PUNCHBUGGY is a dynamic-link library (DLL) downloader, existing in both 32-bit and 64-bit versions, that can obtain additional code over HTTPS. This downloader was used by the threat actor to interact with compromised systems and move laterally across victim environments.”
• “In some victim environments, the threat actor exploited a previously unknown elevation of privilege (EoP) vulnerability in Microsoft Windows to selectively gain SYSTEM privileges on a limited number of compromised machines”
• “This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of an EoP exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication”
• “Security experts say, as more U.S. companies snuff out point of sale malware by deploying chip-and-PIN bank card technology, attackers are rushing to exploit existing magnetic strip card systems still vulnerable to malware. FireEye, for example, reported last month that that a group of hackers that go by the name Bears Inc. are behind the latest barrage of attacks with a custom-built point of sale malware called Treasurehunt. This latest zero day vulnerability follows the same trend.”
• I would argue that chip&pin does not make the PoS terminal any less vulnerable to malware
• While it does make it harder to clone cards, it think it should not be viewed as a solution to malware
• FireEye Report

If you think doing curl|bash is ok, you shouldn’t have root

• “Installing software by piping from curl to bash is obviously a bad idea and a knowledgeable user will most likely check the content first. So wouldn’t it be great if a malicious payload would only render when piped to bash?”
• So, we all know it is bad, some some people do it anyway. They tell themselves it is alright because they check the contents of the script before they run it
• That only works if what you end up downloading is the same as what you actually reviewed
• “Luckily the behaviour of curl (and wget) changes subtly when piped into bash. This allows an attacker to present two different versions of their script depending on the context :)”
• “It’s not that the HTTP requests from curl when piped to bash look any different than those piped to stdout, in fact for all intents and purposes they are identical”
• “Execution in bash is performed line by line and so the speed that bash can ingest data is limited by the speed of execution of the script. This means if we return a sleep at the start of our script the TCP send stream will pause while we wait for the sleep to execute. This pause can be detected and used to render different content streams.”
• “Unfortunately it’s not just a simple case of wrapping a socket.send(“sleep 10”) in a timer and waiting for a send call to block. The send and receive TCP streams in linux are buffered on a per socket basis, so we have to fill up these buffers before the call to send data will block. We know the buffer is full when the receiving client to replies to a packet with the Window Size flag set to 0”
• “The only character you can really use to fill the buffer is a null byte as it won’t render in most consoles. It also won’t render in chrome when the charset text/html is specified. As we don’t know the content-length data is transferred with chunked encoding with each chunk being a string of null bytes same size as the TCP send buffer.”
• So, the attacker sends chunks of null bytes until all of the buffers on the client side are full, because bash is sleeping and not reading any more data yet
• So the attacker just has to see if you are piping the content to bash, or to your terminal or browser. Only in the case of bash do they send the “payload”
• There is a nice demo included in the article

Post Mortem: When google automated itself off the internet

• “On Monday, 11 April, 2016, Google Compute Engine instances in all regions lost external connectivity for a total of 18 minutes, from 19:09 to 19:27 Pacific Time.”
• This is the story of how automation knocked all of GCE off of the internet
• “Google uses contiguous groups of internet addresses — known as IP blocks — for Google Compute Engine VMs, network load balancers, Cloud VPNs, and other services which need to communicate with users and systems outside of Google. These IP blocks are announced to the rest of the internet via the industry-standard BGP protocol, and it is these announcements which allow systems outside of Google’s network to ‘find’ GCP services regardless of which network they are on.”
• “To maximize service performance, Google’s networking systems announce the same IP blocks from several different locations in our network, so that users can take the shortest available path through the internet to reach their Google service. This approach also enhances reliability; if a user is unable to reach one location announcing an IP block due to an internet failure between the user and Google, this approach will send the user to the next-closest point of announcement. This is part of the internet’s fabled ability to ‘route around’ problems, and it masks or avoids numerous localized outages every week as individual systems in the internet have temporary problems.”
• Also know as “anycast”
• “At 14:50 Pacific Time on April 11th, our engineers removed an unused GCE IP block from our network configuration, and instructed Google’s automated systems to propagate the new configuration across our network. By itself, this sort of change was harmless and had been performed previously without incident. However, on this occasion our network configuration management software detected an inconsistency in the newly supplied configuration. The inconsistency was triggered by a timing quirk in the IP block removal – the IP block had been removed from one configuration file, but this change had not yet propagated to a second configuration file also used in network configuration management. In attempting to resolve this inconsistency the network management software is designed to ‘fail safe’ and revert to its current configuration rather than proceeding with the new configuration. However, in this instance a previously-unseen software bug was triggered, and instead of retaining the previous known good configuration, the management software instead removed all GCE IP blocks from the new configuration and began to push this new, incomplete configuration to the network.”
• “One of our core principles at Google is ‘defense in depth’, and Google’s networking systems have a number of safeguards to prevent them from propagating incorrect or invalid configurations in the event of an upstream failure or bug. These safeguards include a canary step where the configuration is deployed at a single site and that site is verified to still be working correctly, and a progressive rollout which makes changes to only a fraction of sites at a time, so that a novel failure can be caught at an early stage before it becomes widespread. In this event, the canary step correctly identified that the new configuration was unsafe. Crucially however, a second software bug in the management software did not propagate the canary step’s conclusion back to the push process, and thus the push system concluded that the new configuration was valid and began its progressive rollout.”
• So, the automation software detected that the new configuration was bad, but, ignored this signal and went ahead anyway
• “As the rollout progressed, those sites which had been announcing GCE IP blocks ceased to do so when they received the new configuration. The fault tolerance built into our network design worked correctly and sent GCE traffic to the the remaining sites which were still announcing GCE IP blocks.”
• “With no sites left announcing GCE IP blocks, inbound traffic from the internet to GCE dropped quickly, reaching >95% loss by 19:09. Internal monitors generated dozens of alerts in the seconds after the traffic loss became visible at 19:08, and the Google engineers who had been investigating a localized failure of the asia-east1 VPN now knew that they had a widespread and serious problem. They did precisely what we train for, and decided to revert the most recent configuration changes made to the network even before knowing for sure what the problem was. This was the correct action, and the time from detection to decision to revert to the end of the outage was thus just 18 minutes.”
• “With the immediate outage over, the team froze all configuration changes to the network, and worked in shifts overnight to ensure first that the systems were stable and that there was no remaining customer impact, and then to determine the root cause of the problem. By 07:00 on April 12 the team was confident that they had established the root cause as a software bug in the network configuration management software.”
• Moving forward, Google will add:
• Monitoring targeted GCE network paths to detect if they change or cease to function
• Comparing the IP block announcements before and after a network configuration change to ensure that they are identical in size and coverage
• Semantic checks for network configurations to ensure they contain specific Cloud IP blocks.
• “We take all outages seriously, but we are particularly concerned with outages which affect multiple zones simultaneously because it is difficult for our customers to mitigate the effect of such outages. This incident report is both longer and more detailed than usual precisely because we consider the April 11th event so important, and we want you to understand why it happened and what we are doing about it. It is our hope that, by being transparent and providing considerable detail, we both help you to build more reliable services, and we demonstrate our ongoing commitment to offering you a reliable Google Cloud platform.”

Drama at the Internet’s malware dumping ground

• VirusTotal is a popular online malware aggregation service started in 2004, and acquired by Google in 2012.
• It allows researchers and users to submit malware samples which are tested against the static detection engines of some 50+ anti-virus vendors
• An example analysis
• However, there is concern that many “NextGen” Security startups, are just abusing the VirusTotal API rather than building their own detection engine
• Worse, this type of use doesn’t contribute anything back to the community
• So Google has changed the Terms of Services: “All scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services”
• “Additionally, new scanners joining the community will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO)”
• Traditional vendors have applauded the move:
• Trend Micro
• MalwareBytes
• Of course, there is also a response from the other side
• The AV Bomb That Never Was
• Includes responses from Cylance, and SentinelOne, two of the larger “NextGen” security companies
• Also has summaries from Palo Alto Networks and CrowdStrike
• How this actually impacts the industry is yet to be seen, but I don’t expect much outside of a few shady startups going away, but they were going to do that anyway
• Additional Coverage

Feedback:

• Remote Access

• Remote Tracking of Log files

• Logstash | Elastic
• How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on Ubuntu 14.04 | DigitalOcean

• Centralized Logging with ELK Stack (Elasticsearch, Logstash, and Kibana) On Ubuntu 14.04 | DigitalOcean

• FreeNAS DMZ

• Adobe releases emergency patch, Flash 21.0.0.242, to fix Zero Day

Round Up:

• FBI Can Obtain A Warrant If You Run Tor Come December
• AllWinner ships SDK containing a custom kernel with root backdoor, used in many devices including the OrangePi, BananaPi, Cubietruck, pcDuino8 Uno, and many more. Just echo “rootmydevice” > /proc/sunxi_debug/sunxi_debug and you own the device
• Schools are recording student’s results on the blockchain
• Developers of the “SmartGrid” developed their own crypto, which is never a “smart” idea
• Medical Equipment Crashes During Heart Procedure Because of Antivirus Scan
• 40 Maps that explain the origins of the Internet
• This Isn’t a Google Streetview Car, It’s a Government Spy Truck
• In the online black market of exploits, what is the cost of getting caught?
• How we found a bug in Amazon’s Elastic Load Balancer
• PornHub offers new Bug Bountry program, rewards of up to $25,000
• Security Researcher arrested for pointing out SQL injection flaw in voting system
• Attackers targetting SAP, the most enterprisey or enterprise software
• Twitter to block the US Federal Government from accessing its data mining service
• Data on Google employees leaks when benefits contractor accidently emails details including SSN to the benefits manager of another company
• A policy that requires you to frequently change your password is likely to lead to you using a weaker password
• US Congress blocks Yahoo Mail, Gmail, and Google App Spot, in attempt to stem flood of ransomware attacks

The post Curl Sleeper Agent | TechSNAP 266 first appeared on Jupiter Broadcasting.

Holly is a software engineer at BlackLocus, a big data analyzer for Home Depot. She discusses her journey into technology that started in college & took a big detour.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

• Holly Gibson (@hollyglot) | Twitter
• Women Who Code ATX (@wwcodeatx) | Twitter
• SSD Cloud Hosting – Linode
• BlackLocus
• Women Who Code Austin (Austin, TX) – Meetup
• Welcome | Women Who Code

Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network, interviewing interesting women in technology. Exploring their roles and how they’re successful in technology careers. I’m Paige.
ANGELA: And I’m Angela.
PAIGE:: So Angela, today we are going to talk to Holly Gibson. She is a programer for BlackLocus. Yes, it was awesome, which apparently has a reference to black hole, which is bad ass. Anyway, she is working kind of on data science and she went through boot camp and she does all sorts of cool things. And we talk about all of them.
ANGELA: Yes. It’s a very good interview that we are going to get into as soon as I mention that you can support this show. If you’re listening week after week and you like the content and you would like to help in some way, you can go to Patreaon.com/today. It is how the whole network of Jupiter Broadcasting is funded, but specifically, when you subscribe you are helping out Women’s Tech Radio as well. Patreon.com/today.
PAIGE: And we get started with today’s interview by asking Holly what she’s up to in tech today.
HOLLY: I’m a software engineer at BlackLocus. It’s a subsidiary of Home Depot and they do data science for Home Depot. They do a lot of web scraping and track all of Home Depot’s product catalog and their competitor’s prices so that they can price their products accurately. So lots of big data.
ANGELA: That’s really cool, because in a previous episode we were discussing that, was it Sears that needed a total IT aspect to it.
PAIGE: Yeah.
ANGELA: And so now this is similar. BlackLocus, you said?
HOLLY: Yes.
ANGELA: Yeah, for Home Depot.
HOLLY: Uh, Locus means place. They’re kind of like the black hole of the internet. They’re sucking in everything.
ANGELA: Wow.
PAIGE: I like that. That’s really cool.
ANGELA: Yeah, it is.
PAIGE: So we were essentially touching on the idea that at this point all companies are become tech companies.
ANGELA: Yeah.
HOLLY: Yes. Yes. Home Depot acquired them three years ago. They had become a client and immediately started negotiating to buy them, because their tool was so awesome.
PAIGE: Awesome. So you do data science, which I think of as kind of like a magical unicorn at this point, because no one is quite willing to nail down what that means in the tech sphere, so can you enlighten me?
HOLLY: Sure. I’m more on the software engineer side so I”m not writing the fancy algorithms that the data science people are. We’re working in Python and Java and Javascript to consume the data and wrap it and make it beautiful so that an average person can look at it and understand what it means.
PAIGE: Okay. So you write tools in Python and Javascript and stuff and then you take what they’ve done and make it so that someone like me can get their head around it?
HOLLY: Yes.
PAIGE: Very cool. What’s your favorite piece of that stack?
HOLLY: I really like all of it still. I”m a generalist engineer. I’m, you know, full stack as they say, but generalist. I dabble in a little bit of everything. I came out of a boot camp two years ago and my first job was working at an education startup doing everything from supporting the IT for the office to managing the serve and the databases, doing the front end and the back end. So I really like all of it. Mainly I like solving problems. So just let me solve problems. Let me use logic and my brain and I’m happy.
PAIGE: So, boot camp, is that the way that you got into the technology field?
HOLLY: Sort of. It was a reboot. I studied Javascript and databases in college and I took over the college website and I managed it for five years. And i really enjoyed it, but I was a one woman team and solo. So it was very lonely. I didn’t have any mentors at that time. You know, web applications were just coming out and it was before Facebook, so that’s how old I am. So people were just figuring stuff out and so I didn’t know how much I knew. I thought, I’m just a beginner. I don’t know very much. I’ve done this for five years. This is fun, but now I”m going to go try a bunch of other stuff. So I sold antiques on Ebay. I managed a restaurant. I did summer camps for kids with disabilities. And then two years ago I found out about a boot camp here in Austin, Texas, where I live, and my husband I signed up to do it together. It was a three-month program over the summer. The hardest thing I’ve ever done, but got through it and really enjoyed having teachers I could ask questions from, classmates along side of me. We were learning together. Building actual applications and projects. It was a really, really great experience.
PAIGE: What do you think was the major difference between studying at a university level and being in the boot camp. Maybe, was it the timeliness of it? Where the internet has grown so much and we have so much more to work with and so many more resources, or more like the way that the instruction was done? What was the real standout to you that made it stick this time around and didn’t last time?
HOLLY: The way the instruction was done. I think sometimes universities are behind the ball so the technology I was learning in school was already a couple years old. I went to a very small school and the classes were really little. Most of them I was by myself so the professor would hand me a text book and say go read this. Which was great, I was learning, but having the hands on experience of the boot camp really resonated with me. I’m a mechanical person. I like building. I like learning by projects. So it cemented the theory much more in my brain when I was actually doing stuff.
PAIGE: That makes total sense. So you mentioned in talking about your university that it was really confusing to you to tell what the next steps were and understanding how much you knew. Do you think that was — and then you mentioned a lack of mentors. Do you think that those two are kind of related and how have you tackled that this time around?
HOLLY: Sure. Yeah. The program that I studied in school wasn’t a traditional computer science program. It was a degree in Theology and they had just added web design, because they thought, well people might want websites. So I took all the classes, because I actually thought theology was boring. So I loved the web design and I wanted a job afterwards, and i didn’t want to be a minister. So the web design seemed like a good route to go, but then I, you know, after I had built some sites and when I was thinking about leaving the university, I wasn’t sure how to go about that, because I didn’t have computer science degree on my resume. I didn’t know anybody in computer science. All I knew is I liked web design and I had built some stuff, but I wasn’t sure how to translate that into getting a different job. And so I kind of just gave up and went and did other stuff where I knew I could sale myself in marketing, graphic design, and stuff. Since going through the boot camp, it was great because they had relationships with local companies. They recommended we go to meetups, that we looked for mentors, that we meet people in the local tech scene. And so immediately in the boot camp we started as a class going to different meetups. Going to the Javascripts meetup. Going to the Rails meetup. And then I was really lucky to go to a Women Who Code meetup that had just started here in Austin at our bootcamp. They had the first night there and I went and it was an informational meeting and I said how can I help? And the women said how would you like to run Austin Women Who Code. So-
PAIGE: The same thing happened to me.
ANGELA: Wow.
HOLLY: Yeah.
PAIGE: Yeah, not kidding.
HOLLY: So I took it over and now two years later we have 1,200 members and it’s been awesome. So that’s really been a great avenue for me to meet other women in tech, to find mentors. But what i tell the women in my group is go to the meetups. If you see someone talking intelligently about something and you want to know more, go ask them questions. They could turn into a mentor. Like I mentioned, my first job was at an education startup by myself. So again, that’s like a one woman team and I knew I needed help. And I knew where to go. So I went to the meetups. I met some people and I was like can you help me? Explain this code. I”m not understanding this. You know, I’m all by myself. And I said, yeah, let’s meet for coffee. And I said I”ll buy you coffee. I’ll buy you tacos, whatever you want. So one guy, we started meeting weekly for about four months and he explained code to me and design patterns and different things, and really got me over the first hump in my job. And since then I’ve been kind of networking through his friends and going, so do you know of someone who knows this, and someone who knows that. And just finding where the holes are in my knowledge and who can help me with those. There’s lots of online classes and blogs and videos and those are great. I learn mostly sitting with someone in pair programming and so I’ll read books and I will look up blogs. My best source of learning is from an actual physical person. So I really do like meeting. I write. Now I’m learning Haskell and functional programing so I meet weekly with my mentor, who came through my first mentor. And it’s great, because he has a master’s in Computer Science and he’s been doing this for 15 years and I can ask so many questions. I have this wealth of knowledge in that brain.
PAIGE: So did you find it with these mentors, were they resistant to the idea of being an official mentor or were they welcoming? How did you get over the fear of asking them for that relationship?
ANGELA: Or do they know that they’re your mentor?
PAIGE: Yeah, also that.
HOLLY: That’s a funny question. Yeah, a lot of them don’t like the label mentor, but they’re getting used to it. Most of them have been fascinated to teach a woman how to program, because some of them haven’t worked as often with a woman in programming. And I”m fine with being a social experiment for them.
PAIGE: You’re their token female programmer friend.
HOLLY: Yes. And I’m fine. If they want to explain things and teach me, that’s fine. I just make sure that it’s someone i connect with, you know, on a personality level. I’m not going to work with someone who’s going to speak down to me, you know, or be a programmer. And the guys I work with have been very nice and very supportive and want to start a mentorship program for Women Who Code so that they can get more women into tech. First of all, I didn’t say will you be my mentor. I would just say will you explain some code to me. And then if they’re willing to meet, then I”ll ask do you ever mentor people. And if they’re like, no I, I don’t and I’m not sure what that means, I’ll say well I’m learning this, would you mind explaining stuff with me. Could you work with me on a weekly or a bi-weekly, bi-monthly basis. What would fit in your schedule. So far, the people I’ve met, have said oh yeah I can meet with you weekly. I”ll buy them coffee. I make sure that I’m thanking them in some way. And they have all been really casual and nice about it. And I do the same. You know, I meet with women from my Women Who Code group. We have a Sunday morning ladies coding brunch and we code every Sunday morning. And I explain things to them that my mentors are teaching me. I think it’s important that people keep giving and raising up the people below them.
PAIGE: That was totally going to be my question for you and you answered it. Do you mentor as well? That’s very awesome that you do. I love that it’s a brunch.
ANGELA: Yeah.
PAIGE: That’s perfect. It’s just perfect. Very cool. So you go from like mentor first dating. Like, can you explain this thing to me? And then if it goes well you ask for more.
HOLLY: Yes.
PAIGE: So you filled out our awesome guest form and you mentioned this and I just have to ask about it, that you rebuilt a server from a remote cabin in Finland?
HOLLY: Yeah. So, last summer our server was hacked while I was on a two-week vacation in Finland. My mother-in-law is Finnish and she has a cabin on a lake. A lot of people do there. They have saunas and cabins and stuff. And so we were on — I was on the train with my husband and they have WiFI. Finland is, you know, great tech country. You know, that’s where Linux came from and Angry Birds and everything. So there’s WiFi on the train and I was checking my email and I saw that our server had been quarantined and over the next week I got to rebuild our server. I got a hotspot from the only electronic store in the village and had about three hours of sleep a night for a week.
PAIGE: Wow, that’s crazy. I do love that though about the modern world. It’s like you can be anywhere and do what we do.
HOLLY: Yeah. I was Facetiming with my boss. There was an eight hour difference and it would be 3:00 in the morning for her, but I was awake and telling her what I had fixed, where the progress was. And what happened is our app had been built by a backend team in Siberia and they had forgot to put a firewall on our elasticsearch engine, it has an open facing port and it didn’t have a firewall and a robot got installed and was DDosing other servers.
PAIGE: Oh man. That’s not fun.
HOLLY: No, but I got it fixed and that actually, that experience really made me feel like I can do this, because up to that point I’d been at that job straight out of the boot camp nine months. And it was nine months of being terrified. Do I know what I’m doing? I’m all by myself. You know, even with my mentor you have fear and sometimes the imposter syndrome and you can make things bigger than they really are in your head, because you’re not sure what’s going to happen. This is a whole new experience. You don’t know what’s coming down the road. And the unknown is more scary than the known. Well the worst thing that can happen to you is having your server hacked. But once I got through that I was like I can do anything. I’m not afraid anymore. I can solve anything.
PAIGE: Totally. So I can’t imagine that you went through that much ops during boot camp. At least with the boot camps I’ve been exposed to and know about, they don’t do a ton of server stuff. How did you dive into that? Was that something you brought from before or were you just kind of teaching yourself on the fly to fix this thing?
HOLLY: Everything I learned on the job. We used Linode so they did have some documentation. I knew the services that we used so I knew how to install them and set them up. Thankfully we used New Relic as a monitoring tool so I could see what processes were running and see that elasticsearch had a crazy amount of data being processed, because it was DdoSing other stuff. So having the right tools I think is also really important and thankfully the team in Siberia, even though they forgot the firewall, did set up New Relic and we have now — that company I had, after I came back we switched over to Herope so we didn’t have to worry about security anymore, but I still kept New Relic because I said I need to be able to see the different processes. I need to know the health of our application and what’s going on. I Googled a lot.
PAIGE: Right.
ANGELA: Yeah.
HOLLY: And Linode did have a brief document on how to deal with a quarantined server what tools to install to scan your files and make sure they weren’t corrupted. But mainly it was just me solving this big riddle of what happened, what’s going on, and how do I fix it.
PAIGE: That’s how I do things. You kind of dive in and start Googling.
ANGELA: Uh-huh.
HOLLY: Google knows.
PAIGE: How did you get to the point where you could kind of know what to Google? I’ve had that question from a lot of ladies as I start to mentor them or they come into Women Who Code and they’re like, well I don’t even know what to ask. Was a lot of that — where did that happen for you or did that happen for you?
HOLLY: Sure. That was one thing that I really appreciated from the boot camp. They worked with us on how do you Google. In the beginning the teachers would say oh well just Google it and I said I don’t know what to Google. Like what? What terms? Like if I’m trying to solve this how do I Google? Like what’s the tech speak. And so having them work with us a few times, then you started to get comfortable with realizing, okay these are the terms I need to search and is this bringing a result on Stack Overflow. Then I’m probably searching the right thing. You know, if I’m getting results for tech forums then, you just keep doing it and if it’s not returning the right thing, then switching out some terms and just trial and error.
PAIGE: Uh-huh.
HOLLY: Really helped. And time. As you do it more often and often then you’re going to start to know what are the key terms to search and it will get easier.
PAIGE: It is definitely a practiced skill, I would say, personally.
ANGELA: So I wanted to ask about your Ebay selling and you mentioned already a little bit that you were selling antiques.
HOLLY: Uh-huh.
ANGELA: So how did you even — did you get into Ebay when it was super — I think it was like ‘99 or 2000 that it really-
PAIGE: Yeah, right about then.
ANGELA: Became popular. When did you get into it and why?
HOLLY: 2009 is when I got into it, because my mother-in-law is a power seller. Her whole job is selling on Ebay. She had been doing it since ‘96. So after I left the university and I was looking at other things to do, she said well I can teach you a skill that you can use all the time, no matter what job you’re at. And so she showed me how to set up a store, so again, mentoring is so important.
ANGELA: Yes.
HOLLY: And she showed me how to take good pictures. She bought me a light box so that I could place the items in the light box and take quality photos and a scale so I could say how heavy the things were for jewelry. The different things that people want to know in the description of antique stuff. So having her as a resource was really great. And then also where to find the stuff. We went to a lot of estate sales and since my mother-in-law had been doing this for about 14 years she knew what kind of brands to look for and how to find good deals and we would buy box lots and sift through the stuff and she knew what could be sold by itself. What could be sold as an assortment. Having her as a mentor was great and it was fun. I never made enough money at it, because it’s something you have to really work at full time to build up enough inventory.
ANGELA: Yeah.
HOLLY: But my mother-in-law does it and she makes a good income and loves it.
PAIGE: Great.
ANGELA: I actually just went to a garage sale recently and it’s people that I actually know and they buy storage units that are unpaid and it’s just the luck of the draw. Everybody bids on it, whoever is the highest gets it. And then they have a garage sale. It’s a really interesting model, but a lot of work. A lot of footwork, but interesting.
HOLLY: A lot of footwork. So if you like that stuff, great. I was like man I don’t want to do this. This is taking me hours to make a few dollars.
ANGELA: Right. Right.
HOLLY: So I want to go work in an industry where I can make a nice amount of money for just an hour of work.
ANGELA: Yeah. If you’re passionate about finding really unique antiques or something I could see it being a fun thing to do on the side, but yeah, definitely not-
HOLLY: Definitely fun on the side.
ANGELA: A primary thing.
HOLLY: I got my furniture through an estate sale and so it’s nice to have that resource.
PAIGE: It’s amazing how, like, the skills we accumulate over a lifetime and how they affect everything.
ANGELA: Yes. Yes, definitely.
HOLLY: Yeah, it actually came back to be a benefit, because I judged at a Paypal Ebay Hackathon here in Austin and I got to say yeah I’m an Ebay seller.
PAIGE: Yeah, there you go. It’s always interesting. So one last question before we go. I wanted to know, since you mentioned it kind of before, like what tools do you use on a daily basis to do the work that you’re doing now? You said you’re in Python and Javascript, but what’s on your laptop kind of a thing?
HOLLY: Sure. The text editor I use is Sublime Text. I really like it. I have installed a bunch of different packages that help me work with the code. I use Mac, Macbook so I use iTerm as my terminal. I’m running in a virtual environment for Python using VIrtual ENBS and, let’s see, for (indiscernible) testing we like to use Gulp or Karma. We are using Elasticsearch and Redis for our search engine. The whole team is on HipChat and then Slack if HipChat breaks.
ANGELA: NIce to have an alternative.
HOLLY: Yes. And we have a lot of fun making our own little GIFs to have emoticons. I would say those are the main tools that I’m using. We use AWS for our servers and our fancy ops guys do all of our builds at Debian packages so builds have to be done on a Linux machine, but most of the team is on Macbooks.
ANGELA: Thank you for listening to this episode of Women’s Tech Radio. Remember, you can find the full transcript of the show over at JupiterBroadcasting.com in the show notes. You can also catch us on Twitter, @HetyWTR or email us, WTR@JupiterBroadcasting.com
PAIGE: You can also find us and subscribe on any podcasting network of your choice, including iTunes. Or check us out on YouTube if you are not a podcast person or have a friend who’s not a podcast person. Please feel free to recommend us. You can also email us directly if you have comments, feedback, or people you’d like to hear on the show’ we’d love to hear about it. Our email is WTR@JupiterBroadcasting.com Thanks so much for listening.

Transcribed by Carrie Cotter | Transcription@cotterville.net

The post Not a Bro-grammer | WTR 42 first appeared on Jupiter Broadcasting.