Uncategorized

What's good, 2016?

2016 goals list since I'm a different person every year, and my interests and goals always change.

  • Write at least 1 blog post every 2 weeks
  • Don't be afraid to ask for what you want
  • Learn one new recipe a week
  • Cocktail recipes galore
  • Mandala tattoo on right forearm
  • Ukulele chords and being confident enough to play for others
  • Brogramming 2.0 - Shakes for breakfast, shakes for lunch, shakes post workout. Shoutout to my mom for getting me a magic bullet.
  • BASS CENTER & TELLURIDE!!!! (Also first time visiting Colorado)
  • Sports Analysis blog posts
  • Data Mining + Data Analysis techniques
  • Align with the last 2 goals, push forward on my FantasyDevil app
  • Giving back to the community and my friends - as well as finding more time to hang out with friends

I've developed a lot in the past 2 years since I wrote my last post, and I really do feel a lot healthier with myself and in my own skin. I am ready to give back to the world. Don't be afraid to hit me up for anything, I'm making it my life's mission to give back.

Programming

Cloud Security and a $20000 AWS Charge

Cloud security is a hot topic right now. In the current state of the Software Revolution, pretty much everything in everyday life is moving to the cloud: movies (Netflix & Hulu), business communications (Google Hangouts & Slack), driverless cars (Google & Tesla), storage (DropBox & OneDrive), cloud robotics (Google & Industrial Perception) to name a few of the thousands of cloud-based technologies available today. There are so many smart-* apps and devices coming out that all of our daily computational power is moving to the cloud.

This is awesome. This allows software developers and engineers like me to work from any location as long as I have an internet connection. In fact, my current job (shameless plug for Yappee) allows me to work remotely because all of our technologies are based on the cloud - GitHub, Amazon AWS, and Slack are a developer's best friend.

Under the carpet, all of these applications have critical security features and complex APIs which are crucial to the success of these technologies. On the front-end side of things, the users are presented with elegant interfaces with a ton of power at their fingertips. This is the future and it's awesome.

This magical ride with cloud computing is only going to get bigger and faster according to Moore's Law. This 2^* exponential growth is going to allow us to do things we never thought possible with software, but STOP RIGHT THERE...

We are becoming so enveloped within this digital world that we are failing to recognize the consequences that may occur from cloud security.

Two days ago, I was playing around with my GitHub repo and to make room for another private repository, I switched one of my previous Ionic projects to a public, open-source project because what the heck someone might find it useful. That someone wasn't who I expected.

I received an email yesterday morning, with the title "Your AWS account is compromised." Wow, what's going on here? I read into the email and saw that my GitHub project was listed, with my AWS security credentials exposed through its Elastic Beanstalk configuration. I took immediate action to change all my passwords and keys associated with this account, as well as deleting my GitHub repo from the cloud. It didn't take long until I received another email regarding a support case I didn't even open myself.

Thank you for taking quick action to delete your exposed access key. The hold on your account has been lifted.

However, prior to you deleting your access key your AWS account has been compromised and currently there's a charge of $13510.95 USD. To prevent further charges as well as for me to submit a concession request, please go through and delete any unauthorized resources.

Holy shit!!!! $13510.95 USD. My account was compromised... as fuck. These GitHub bots have no mercy. Overnight, they were able to acquire my AWS credentials through their scraper and launch 500 Spot Instances as well as 500 more c3.8xlarge EC2 instances in all regions of the world - all using my billing account. Absolutely nuts.

I contacted Amazon AWS support immediately with my pressing issue. One of their employees, Ben, let me know about all of the "suspicious" activity that my account had undergone. Ben is my hero. He got my attention immediately through a phone call and voicemail, and immediately submitted a concession request on my behalf, assuring me that all of my expenses would be covered by Amazon. Amazon and their customer support receive my highest regards. 10/10.

[Screenshot: AWS billing dashboard, 2015-10-29]

This is my billing account by the morning. Within 1 day of my GitHub repo going public, the bot was able to launch off 500 of the largest EC2 instances available on Amazon with spot requests to continually relaunch them if they went down, accruing over $20000 of computing costs. This is insane (also impressive from a hacker standpoint).

Admittedly, I am 100% responsible for leaking my credentials to a public zone, but trust me, if it can happen to me, it can happen to anyone. There are bots these days for everything. Keep your shit safeguarded.

tldr: Cloud Security is important. Keep your passwords safe.
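A check for exactly the mistake this post describes, added here as an example and not code from the post: it scans a checkout for AWS access key IDs and secret access keys before a repository is flipped to public (the same pattern the scraper bots look for). The Elastic Beanstalk config file path, the YAML key names and the sample repo are constructed; the key pair is the placeholder pair from AWS's own documentation.

```python
import os
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]  # (path, line number, kind, redacted value)

# Long-lived IAM user access key IDs are 20 characters starting with "AKIA".
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A 40-character secret is only flagged when it sits next to a key name that
# marks it as a secret; the key names listed here are an assumption about
# what a config file might call it, not a complete list.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_secret_access_key|awssecretkey|secret_key)\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)

def redact(value: str) -> str:
    """Keep just enough of a secret to recognise it in a report."""
    return value[:4] + "..." + value[-4:]

def scan_text(path: str, text: str) -> List[Finding]:
    """Return every credential-looking token in one file's contents."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, lineno, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, lineno, "secret_access_key", redact(m.group(2))))
    return findings

def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map (used by the sample below)."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings

def scan_tree(root: str) -> List[Finding]:
    """Walk a real checkout on disk, skipping .git and unreadable binaries."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
    return scan_files(files)

# Constructed sample repo: an eb-CLI-style config holding the AWS
# documentation's example key pair next to a harmless JavaScript file.
SAMPLE_REPO = {
    ".elasticbeanstalk/config.yml": (
        "global:\n"
        "  application_name: fantasy-app\n"
        "  aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "  aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n"
    ),
    "www/app.js": "var region = 'us-east-1';\n",
}

if __name__ == "__main__":
    for path, lineno, kind, value in scan_files(SAMPLE_REPO):
        print(f"{path}:{lineno}: {kind} {value}  (do not commit this file)")
```

Run `scan_tree(".")` from the repo root before changing its visibility; any hit means the key must be rotated, not just removed from history, since the old commit stays reachable on GitHub.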

Programming

WordPress Automatic Updates

They suck so hard. I had my entire site configured how I wanted it to look like, and of course automatic theme updates are default for this piece of shit platform.

How many hours am I going to waste to achieve the same effect that I've had before?!

What the fuck.

Download Easy Automatic Updates plugin to stop the bleeding.

WordPress is the worst developer platform.

Programming, Thoughts

Venmo

Something really, really, really needs to be addressed here, and it's the current state of everyone's favorite instant money app: Venmo.

Hell, I use Venmo for rent, splitting checks, and paying for just about anything. It's quick, easy, and all emoji jokes aside, it gets money to your bank in a day's time. That's amazing, considering that PayPal, the software-boom parent of Braintree, takes three days' time to transfer money from PayPal to your bank.

Last year in 2014, Venmo processed $2.4 billion of payments. $2.4 billion dollars. It doesn't stop there though, as Venmo has already processed $1.6 billion in transactions in the 2nd quarter alone. At this current rate, Venmo will process anywhere between $5 - $10 billion dollars in 2015.

The money-making scheme behind Venmo is actually quite genius: all of the cash-moneys sitting inside your Venmo account is actually gathering interest for the company. But this is also the whole reason why Venmo is unsafe. When you transfer your Venmo credits to any of your friends on Venmo, that money is only getting moved around on the application layer. That money is not being moved from your account to your friend's. Let me repeat that, even if you receive the notification, the email, and the verbal confirmation that the money was transferred, there's absolutely no guarantee that money will reach your bank account when you cash out.

This article does a tremendous job of explaining the intricacies of Venmo:

if I Venmo you $20 for Chipotle, the “+ $20.00” notification you get isn’t actually reflecting a transfer from me to you. Rather, in most cases, Venmo is floating you the money until it can come out of my account. The actual mechanics of the transaction are much more complicated; the point is that Venmo is just the top layer with which you interact. “The current systems that [the United States has] in place for consumers don’t allow for real-time payments or instant payments, but instead just create this illusion that the funds are good and immediately available,”

It's completely plausible for someone to deposit to Venmo from a fraudulent or maxed out credit card. Those "funds" can then be moved around from account to account until a user decides to cash out on his/her Venmo funds. One day later, the funds from that cash-out transaction will come back with an error: "payment that you requested to be transferred to your bank came back for insufficient funds".

This is how a Venmo scam works. You trade your virtual credits for real-life goods or services, only to realize that you never received your money. The biggest difference between Venmo and PayPal is that PayPal has securities to prevent merchants from scamming you; however, Venmo's user agreement has something completely different:

“Business, commercial, or merchant transactions may not be conducted using personal accounts.”

This means that if you sold your Craigslist item for illicit Venmo funds, Venmo will not refund you the price of the item if the transaction doesn't go through because you violated their terms of service.

Wow. Talk about shady business practices. Venmo wants you to use their application for virtually all transactions, but they conveniently forgot to mention that they won't reimburse your loss.

Be careful out there. Venmo isn't magic.

Thoughts

Expectations vs. Being Grateful

Since it's the holidaze, I just wanted to post something a little more cheery and less work-related for everyone who reads my blog. One of the biggest topics in human psychology is what keeps people going - what keeps them motivated, what makes them want to do work, what makes them want to stay...

Besides the usual work achieved and progress made, we need the carrot at the end of a stick to keep us moving forward. I think one of the biggest motivating factors for both work and personal relationships is being grateful and tempering expectations.

Too many times in my life do I see people pissed the fuck off because they feel underappreciated. A simple thank you goes a long way (as does a simple sorry). Everyone feels like they're working their asses off, and the easiest way to piss them off is to expect more from them.

It's fine if you want to extort your workers and friends for all they're worth - just don't expect them to react the same way when you asked them the first time. Instead, let's be grateful for everything that the other person has accomplished.

Let's say thanks every time something goes as planned, and say thanks for all the hard work each and every one of us puts in day in and day out. Let's be grateful that the other person cares about the company or another individual. After all, we're only human. We all have expectations and we all have duties, but to let those wash aside and come to expect them - that's being snobby and downright rude.

So let's take some time this holiday to say thanks to your relatives, your friends, your bosses, your coworkers, your girlfriends, your boyfriends.. Everyone deserves it.

Programming, Thoughts

Startup Girlfriend Threesome Balance

And this one comes up a lot.. How do you balance your girlfriend with your 60-70 hr / week job affair?? Short answer - you don't without some sacrifice. Choosing your job before girlfriend creates a rift in communication and questions about priority. Choosing your girlfriend before your job results in unnecessary stress, poor work, and unwarranted work-review meetings with your boss.

What do you do? And how do you achieve this balance when it seems impossible? I'll start by saying that it's not an easy task, but if you want results, you must be attentive and willing to put in the effort with sacrifices.

  1. Communication is key. Don't fret the hours and be confident on what your needs are. Make sure you and your girlfriend are aware of the commitment necessary for both people to be happy.. You get to work while she curls up next to you in bed.
  2. Keep your priorities straight. Don't let the love of your life become an afterthought. Your girlfriend loves and cares about you -- something that your job can't offer. Emotional support is the name of the game. Make sure she knows that you're not purposefully ignoring her for your work.
  3. Reassure her about your free time availability. This is a big one. You must be able to set boundaries on when you're working and when you're playing. There's no in between ground, so make sure you have your entire day's schedule straight. The best is when you both can find free time to work together.
  4. Create a list of goals each day, and achieve them. This one may seem unnecessary, but it's important. These don't have to be work related at all! Even small goals like 'Take girlfriend out to dinner' or 'Spoon her for at least 20 minutes' should be on this list.
  5. Compromise. This is a given in any relationship, but especially important in the startup / girlfriend threesome. Your weekends are limited while hers are empty. Go out and have fun, but let her know that you'll need to be up early the next morning to get your shit done.
  6. Have fun. Don't let the work clog your mind. I am for one, an emotional robot whenever I'm working. It's either coding or girlfriend.. They both deserve your full attention. When you're out having fun, have fun and don't worry about work until you boot up your laptop again. Trust me, there will be plenty of time to do that.

These are the most important things off the top of my head. Any less and I wouldn't be the best working / loving man I could be. Life moves on in mysterious ways, but you can't get what you want or deserve without setting some boundaries with communication. I suck at it, but I'm working towards a more mutually beneficial threesome here.. Coding, love, happiness. That's all.

Programming, Thoughts

First Software Job

It's been a while since I last blogged, but I just wanted to say how pleased I am with life at this moment. Since taking a 5 month hiatus from any strenuous work/code, I've decided to get back on the horse of life.

Trust me, taking 5 months off was one of the best decisions in my life. I FINALLY broke my dependence on stimulants, and I evolved socially in ways I could have never imagined.

Coming out of college, I wanted to find the highest paying salary job possible -- $100,000 sounds just superb. But I realized there's more to it than just money. Sure, I could afford better cars, better booze, better food, but would I really be happy? Probably not.

I interviewed with over 20 companies for senior-level development roles. In retrospect, I was a little too ambitious. Senior-level software roles need their employees to deploy code from day one. I remember being asked to code a 20 questions AI on the spot, and just miserably failing. Not saying that all college grads should go for easier roles, but senior engineers need the experience to deploy quickly -- something that us juniors could accomplish, but in a much larger time frame.

Even though you would make a dick-load of money, ask yourself if doing your job is all that's important in your life. For me, the spare time away from work and the ability to hang out with my girlfriend all days of the week easily trumps any job which requires you to work 60+ hours a week.

Nerds need time away from the computer.. Ya know?

Programming, Thoughts

Heartbleed Bug & Conspiracy Theory

So for those of you who don't know, the heartbleed bug was recently exposed as a direct vulnerability in the OpenSSL library. SSL is the handshake technology which allows all websites to 'secure' their transfer of information via HTTPS. Ever see that green lock at the top of your URL bar?? Yeah, that means it's a secure connection.

Well the shitty part is that SSL connections are used in every single private technology in our everyday life. This includes (but is not limited to): email (Gmail), instant messaging services (Facebook), credit cards (Amazon/PayPal).. basically the entire web. What we thought was 'secure' really was vulnerable all along. (Here's a list of the top 10000 websites which are still vulnerable)

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users."

Sounds like a lot of technical mumbo-jumbo, but in essence, the Heartbleed bug allows any attacker/anywhere to access all the information from these 'secure' servers without anyone ever knowing anything was touched/accessed/tainted. Your passwords -- vulnerable; your emails -- vulnerable; your messages -- vulnerable; your ENTIRE IDENTITY -- vulnerable. Want to see how easy it is? Look here

You want to know what's the absolutely scariest part of this bug? Here's a short excerpt from BBC:

Google Security and Codenomicon - a Finnish security company - revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.

Did you guys read that correctly? Read it again.. This vulnerability has been out for MORE THAN TWO FUCKING YEARS. Can anyone say conspiracy theory????

(More technical portion here) Essentially, the way SSL works is through certificate authorities (CAs), which are Queen Certificates -- these queens determine which sites/certificates are deemed secure (HTTPS). Why does this suck? Because the whole security of the systems and web is based off these Queens. Let's take a look (taken from here):

Queens

  • Symantec (Verisign, Thawte, Geotrust) - 38.1%
  • Comodo - 29.1%
  • GoDaddy - 13.4%
  • GlobalSign - 10%
  • Others - 9.4%

This is absolutely fucking retarded because 4 companies control 90% of the internet's secrets. Who the hell trusts 4 companies with 90% of all of your secrets???!!!!

Which brings me back to the conspiracy theory here. For 2+ years, the NSA/Government could have known about this bug within OpenSSL and easily exploited it to retrieve not one, but ALL OF YOUR INFORMATION without any of the consent of the larger corporations Google/Facebook/Amazon just to name a few. Remember that PRISM scheme in which every single large company released very similar statements to plug their butts from leaking??

Well guess what. There's been a fucking IV inserted directly in their heart, in which not only the USA, but any human being in the world can peek at your DNA. Heartbleed & NSA. You win.

PRISM: Please Remember I'm a Slave Mind.

Thoughts

Moving Forward

One of the hardest things I go through in life is moving forward. Leaving friends, leaving home, leaving school -- abandonment. This isn't a cry for help, but more of the devolution of my brain. I can't quite put my finger on it, but I've definitely become less social and more content with my surroundings and my experiences.. A sort of zen-esque experience, if you will.

When I first came to California, I wanted to meet everyone around me and try new things all the time, but now that my life is at the cornerstone of moving forward again, it seems that these things are all the things I don't want to do. Maybe, I'm lacking the proper motivation to get me out of my towel lifestyle. Maybe, I still feel like I'm in school. Or maybe, I just don't give a damn about getting ahead anymore.

The people that I'm surrounded by; the life that I live; my nonexistent job.. This is my safe haven.. my royal throne.. my loves.. my legacy.. I can't grow up, even if I have all the tools to do so. When I was a little kid, all I wanted to do was grow up and do whatever my little heart desired (my AIM screen name was dasuntheman26, lol). But now that I'm a fledgling adult, all I wish for is being a kid again -- dasunthekid26.

Programming

Why you should use Angel List vs. LinkedIn

I'm a budding software developer. I have the most experience with full stack web development. Ruby on Rails, JavaScript, PHP -- that's my game. After filling out my profiles to the best of my ability, I've noticed something very significant. This is a comparison for startup and job opportunities for 2 places to market yourself (Note: I'm not a LinkedIn Premium member):

LinkedIn profile creation date: 03/02/13
LinkedIn connections: 518
Emails from companies/recruiters: 6

Angel List talent profile creation date: 02/09/14
Angel List followers: 30
Emails from startups/recruiters: 15

Bottom line: USE ANGEL LIST. Startups desperately need engineering talent like YOU. The best part: you get to see the salaries (and equity %) all upfront.
