Keynotes

My Talk!

First session Wednesday morning was my talk! First, I have to say that I was bizarrely calm before giving my talk. The kind of nerves I get are usually a very physical kind, where for the full hour before my talk starts I'll have butterflies in my stomach, and sweaty palms, and short breath. But this time none of that happened. shrug. Maybe my body is catching on that public speaking isn't scary? But about the talk! It's so hard to have perspective about talks you give, and so my initial reaction when people asked how it went was to say "Oh, there were so many things I could have improved or done better". For example, I completely neglected to include any contact information or the link to my slides in my presentation. But everyone I spoke to after the talk, even those who had constructive feedback, told me that they had really enjoyed the talk and had gotten something out of it. Overall I'm reasonably pleased with how it went, have a list of notes to myself for future versions of this talk, and sincerely hope that I was able to make contributing to open source software a little less intimidating for someone.

Finding your way in the dark: Security from first principles

By Susan Sons

How do you secure the equipment used to measure water movement below ice floes? Or equipment taking measurements in a volcano? At the National Science Foundation, these are the kind of questions Susan Sons is asked. This talk was really great for a few reasons: 1. It presented general lessons that anyone in the room could use 2. It also provided specific examples to illustrate how to apply those lessons. 3. It supported it's claims 4. Susan told interesting stories, and was clearly an incredibly competent and knowledgeable human.

None of this is to say that talks without the above are bad, but I think these things were at least part of what made Susan's talk an incredibly successful one. I walked away with a new set of tools that I could apply to my job (and likely future jobs), a full understanding of how to use those tools, and more knowledge about Thermopylae!

Susan talked about 7 principles that help guide and support decisions about how to secure a wide variety of systems:

1. Comprehensivity - Am I covering all my bases?
2. Opportunity - Am I taking advantage of my resources?
3. Rigor - What is correct behavior, how am I ensuring it?
4. Minimization - Can this be smaller?
5. Compartmentalization - Is this made of distinct parts with limited interactions?
6. Fault Tolerance - What happens if this fails?
7. Proportionality - Is it worth it?

After introducing the principles, the rest of the talk used examples to color in details on how to apply the principles and justify their place in the list. If you have the time and are interested in security, I highly highly recommend watching!

Enhancing cloud security with the TPM

By James Bottomley

Another excellent talk! James talks at a mile a minute, though I was lucky to know juuust enough background knowledge to be able to keep up. The TPM is a small chip that's used to securely generate, store, and limit use of cryptographic keys. James talk was about using the TPM to store cloud machine's secrets, specifically VPN keys and potentially RSA keys. There are a number of stumbling blocks towards this goal, not the least of which is a radical difference in how the TPM 1.2 and TPM 2.0 work (which makes backwards compatibility difficult at best and impossible at worst). I had never heard of the TPM before this talk, and while I can't say I fully grok how it might be used in the future it certainly seems worth knowing more about and keeping an eye on, in the context of security in the cloud! Definitely worth a watch if you are mathematically or security inclined.

Stephen King's practical advice for tech writers

By Rikki Endsley

I'll start by saying I adore Rikki. I've only met her a few times, but she's always lovely, welcoming, and easy to talk to. She spoke about tips for writing, most of which are relatively common knowledge but as an occasional writer I found them both inspiring and helpful! It never hurts to be reminded of how to structure your articles based on your audience, have a clear point, and that the only way to get better at writing is by writing. Rikki also provided a number of tech-industry specific tips (how technical to be in various articles, for example), as well as a number of quips from Stephen King (kill your darlings, kill your darlings). Although this was a "common knowledge" type of talk, it's also the talk I got the most out of in the whole conference, particularly since writing plays such an important role in my job and life. I was reminded to edit my pieces (woops, don't usually do that!), to learn to handle criticism, and to know who I'm writing for. Overall, a super worthwhile and excellent talk from a true expert (and open source hero!).

Key Takeaways:

• Before you write know what you are writing about, why you're writing, and who your reader is
• Research, outline, write, revise
• 3 categories of audience in tech: lay audience, managers, experts
• Good writing requires lots of reading and writing
• Have clear expectations for what your piece needs to deliver
• Invite the reader in
• Tell a story
• Leave out the boring parts
• Include lists
• To write is human, to edit is divine
• Kill your darlings
• Find a brutally honest editor
• Start writing!

How I learned to stop being afraid and love the JVM

By James Turnbull

Ok, if you're reading this post straight through, I know at this point it might seem like I loved all of the talks I went to at OSCON, which makes loving a talk feel cheap. Let me assure you that 1. This is an anomaly, and 2. There will be less great reviews later on! I think this a combination of OSCON attracting particularly stellar speakers this year, as well as my own increased skill in finding which talks I want to go to and can get the most out of. Or maybe I'm just really happy as I'm writing this because I'm heading home and get to see my boyfriend in an hour. Who knows. But I digress.

James' talk about how the JVM has improved since the mid-2000s was also excellent. As someone who never writes java and only occasionally interacts with the JVM via clojure, I wasn't sure if I would have enough context to get much out of this talk. But James explained in great detail the pain points and horror stories of the old JVM that many grizzled sysadmins will tell you about. His talk set up the problem, explained how the JVM has improved and how those improvements have made impacts in the industry.

Key Takeaways:

• Legacy java is pretty ugly, verbose, and repetitive. And there's lots of bad java out there
• JVM has always been generally performant
• JVM doesn't always respond to general fixes (for example, you have to tell it to use more memory, not just throw memory at it)
• JVM needs tuning, not always intuitive
• JVM stacktraces are impossible to read
• Hard to automate the JVM (mentioned Puppet!)
• JVM wasn't transparent
• Android has really helped modern java improve
• JVM is super fast
• Logging has improved dramatically
• More transparent now
• Security has become a much higher priority

Web application security: Browsers fight back

By Christian Wenz

Last talk of the day is a tough slot, but Christian made HTTP headers both interesting and hilarious. This talk covered the major threats facing web applications today (namely XSS, Cookie hijacking, CSRF, and referrer data leakage), and what we as web developers can actively and easily do to prevent those attacks. Favorite quote was

"To allow inline javascript, I need to add script-src unsafe-inline;. Writing 'unsafe-inline' feels so good."

Key Takeaways:

• Content Security Policy is a W3C standard for security related http header content
• https://caniuse.com to look up which security policies are supported by which browsers
• CSP works by having the header and a 'directive', for example default-src 'self';

Keynotes

The frontend dev's illustrated Rust adventure survival guide

By Liz Baillie

If this conference wasn't already chock full of outstanding talks, I would say this was the best talk of the conference. In addition to being a programmer Liz is a comic artist, storyteller, and game developer, all of which came together in an illustrated (and narrated, with voices) guide to Rust. I loved that Liz was totally silly throughout the talk, and although the metaphor sometimes made her points opaque some aspects of Rust are common knowledge enough that it would make sense to most people. After describing her adventures in "Rustlandia", Liz spoke about her programming experience with Rust, and compared / contrasted writing a text-based game in Ruby and Rust. This was a unique, fun, and informative talk delivered with confidence, poise, and silliness all in good measure. The kind of speaker I strive to be!!

Making cross-browser testing beautiful

By Meaghan Lewis

I made a classic conference mistake with this talk: I already knew a lot about the subject. While I didn't gain any new insights, I was still impressed with the content and structure of the talk! Meaghan covered common issues one might run in to when testing using Selenium across multiple browsers, and what might be causing those issues. She also prescribed some patterns that can help avoid this issues (like using data-test selectors in your html), and talked about some general testing best practices.

Selling open source, keeping your soul

By Jessica Rose

This was like the talk version of a self-help book: mostly generic advice that's really difficult to implement. Jessica seemed aware of this, repeating a few times "This is easier said than done", but that didn't make her content any more useful or meaningful. Such advice included:

• Everyone in your organization should know what open source means to your org, and why it's important for your org
• Your open source org should balance transparency with too much information
• Collaborative conflict and compromise are what drive the product

And don't get me wrong, all of this is great advice. We should all be transparent, and make compromises that drive our product, and be open to feedback. We should also probably stop having so much pizza and wine. By the end of the talk I didn't know any more about how to have a successful open source company, or even what I could do to advocate for open source within my company. A good topic, and good if irrelevant advice, but overall and underwhelming talk.

Multilayered testing

By Alex Martelli

Honestly, by this point my brain was definitely not running on all cylinders, so I can't say I got as much out of this talk as I might have liked. But Alex presented an interesting idea: to have the same set of tests run for both unit and integration tests, with the main difference being mocked vs real dependencies (like databases, modules, etc.). This gave you a unified set of tests, and helps avoid making some 'white box' assumptions in unit tests. The rest of the talk went through 'layers' of modules (from low-level modules that many things depend on, to high-level ones that nothing depends on) and talked about how to use unit and integration tests at each layer. Being in QA, I think if I had a few more years of experience under my belt this talk could have been incredibly valuable, and provided ideas for how to apply these concepts in my job. At this point, though, it just seems like a neat idea for Later Down the Road.