Brightball

Security Automation with Gitlab

I recently had the opportunity to speak to DEF CON 864 about the multiple layers of security automation within Gitlab, the open source tools that drive them and how the findings are managed and resolved.


[ Previous Articles & Presentations ]

Rebooting the Carolina Code Conference

Business | - May 21, 2023 // Barry

The Carolina Code Conference is a welcoming and community-driven “polyglot” conference that’s set to take place in beautiful downtown Greenville, SC on Saturday August 19th, 2023 in the Greenville ONE building. This conference, which returns for the first time since 2019, invites coders of all experience levels to attend, plug into the development community, share their experiences and have a great time as well.

How Microsoft Became Phishing's Biggest Enabler

Email | DMARC | Security | - February 23, 2023 // Barry

It might sound strange to hear that Microsoft, a company who goes to great lengths to protect computers and networks, is one of the biggest contributors to phishing and fraud on the planet. It's true unfortunately.

They aren't actually committing the acts themselves of course, but they are enabling the problem by withdrawing support for standards designed to help stop it. Here's why this is such a big deal.

UPDATE 4/12/2023: After years, Microsoft is finally fixing this by honoring p=reject. This is a huge improvement and deserves to be applauded. The work isn't done though. We need aggregate reports to avoid blind spots during our implementation. Offering the reports for enterprises is a great step though.

The Time I Accidentally Ended Up Combatting Fraud for a Year

Security | Rails | Email | DMARC | - February 10, 2023 // Barry

Lately, I’ve been spending a lot of time enjoying the Darknet Diaries podcast and it’s compelled me to finally share the entire story of the most intense year of my 20 year professional career. I was the sole developer hired by a company going through a circus-like ownership transition while criminals actively worked to defraud the 300,000 users of this 14 year old, high end marketplace.

There were late nights, numerous technical challenges, work with abuse response teams, a lot of lessons learned about phishing and fraud, high emotions, death threats, and at least one person lost a business that depended on the site. Here’s the story from start to finish, including how to prevent many of these problems on your own site. Buckle up.

Waste Spammers Time to Kill Their Return on Investment

Business | Security | - July 30, 2022 // Barry

Continuing our series from 2012 where I accidentally ended up combating phishing and fraud for a year, we move onto the spam issue. Everything that happened that year was an exercise in triage. Problems were everywhere on the system and in the marketplace. The site I was working on was the leader in a niche space but it wasn't just the phishers who tried to capitalize on the chaos, it was our competitors too.

Spam takes a time investment and every time investment is a business decision. If you can't stop it completely, you can at least dramatically increase their costs...and have fun doing it.

Enterprise Challenges with DMARC Deployment

Security | Email | DMARC | - July 25, 2022 // Barry

DMARC deployment projects in larger organizations come with their own variety of challenges. A great many more people are involved, so there will be more communication, more approvals and more politics. Others will object on the basis of size. "Our company is simply too large!" some will say.

In the final section of our DMARC guide, we will discuss these common concerns and how to address the challenges. If 74% of the US Federal government did this in about a year, you can too.

Deploying DMARC Without Breaking Everything

Security | DMARC | Email | - July 23, 2022 // Barry

Too scary? Messing with the configuration on your domain email is scary, especially if you're already sending a lot of it. You have to worry that you're going to screw something up and break all of the email communications for the entire company.

That's what I was worried about when I first rolled this out and had no idea what I was doing. One of the reasons I'm such a big advocate for DMARC today is that it was painless, easy and involved no risk at all.

Combatting Phishing with DMARC

Email | DMARC | Security | - July 18, 2022 // Barry

Email shouldn't feel like a dark art, but to a lot of people it does. Everyone should have DMARC setup by this point, but they don't. Here's the first piece of a 3 part guide covering why it works and how to set it up.

Since writing about how to reverse account takeovers last week I've decided to write a security series covering all the weird things I encountered back in 2012, when I accidentally ended up combating phishing and fraud for a year. In the last article, the first recommendation was to setup DMARC. So let's take a deeper look at why, how and what's involved in long term management once it's setup.
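The DMARC posts above (this one, the deployment guide, the enterprise guide and the Microsoft update) all come back to two questions: is the published policy actually enforcing, and is there a rua= address so aggregate reports arrive and you are not deploying blind? The check below is an added example, not code from the original page or from dmarcian. The domain names and TXT records in SAMPLE_RECORDS are constructed to show each case (no record, monitoring only, enforcing without reports, partial enforcement via pct, full enforcement); tag semantics follow RFC 7489 (p, sp, pct default 100, rua as a comma-separated list). In practice you would feed it the TXT record returned for _dmarc.<domain>.

```python
"""Parse a DMARC TXT record and report what it actually enforces (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample records for hypothetical domains (not real DNS data).
# A value of None stands for "no _dmarc TXT record published".
SAMPLE_RECORDS: dict[str, str | None] = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "reject-blind.example": "v=DMARC1; p=reject",
    "reject-partial.example": (
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:agg@reject-partial.example; "
        "ruf=mailto:forensic@reject-partial.example"
    ),
    "reject-full.example": (
        "v=DMARC1; p=reject; sp=reject; rua=mailto:agg@reject-full.example; adkim=s; aspf=s"
    ),
}


@dataclass
class DmarcStatus:
    domain: str
    published: bool
    policy: str | None = None
    subdomain_policy: str | None = None
    pct: int = 100
    aggregate_reports: list[str] = field(default_factory=list)
    problems: list[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when failing mail is quarantined/rejected for 100% of traffic."""
        return self.policy in ("quarantine", "reject") and self.pct == 100


def parse_dmarc_tags(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}.

    Tag names are case-insensitive; values are kept as written.
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def assess(domain: str, record: str | None) -> DmarcStatus:
    """Evaluate one domain's DMARC record for policy strength and reporting blind spots."""
    status = DmarcStatus(domain=domain, published=record is not None)
    if record is None:
        status.problems.append("no DMARC record: receivers apply no policy and send no reports")
        return status

    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        status.problems.append("record must begin with v=DMARC1")

    status.policy = tags.get("p")
    if status.policy not in ("none", "quarantine", "reject"):
        status.problems.append(f"invalid or missing p= tag: {status.policy!r}")
    # sp= defaults to the organizational policy when absent (RFC 7489).
    status.subdomain_policy = tags.get("sp", status.policy)

    pct_raw = tags.get("pct", "100")
    if pct_raw.isdigit() and 0 <= int(pct_raw) <= 100:
        status.pct = int(pct_raw)
    else:
        status.problems.append(f"invalid pct= value: {pct_raw!r}")

    # rua= may list several URIs separated by commas.
    status.aggregate_reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not status.aggregate_reports:
        status.problems.append(
            "no rua= address: aggregate reports are the only view of who sends as this domain"
        )

    if status.policy == "none":
        status.problems.append("p=none is monitoring only; spoofed mail is still delivered")
    elif status.pct < 100:
        status.problems.append(f"pct={status.pct}: policy applies to only that share of failing mail")
    return status


def assess_all(records: dict[str, str | None]) -> dict[str, DmarcStatus]:
    return {domain: assess(domain, rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for s in assess_all(SAMPLE_RECORDS).values():
        print(f"{s.domain}: p={s.policy} pct={s.pct} enforcing={s.enforcing}")
        for problem in s.problems:
            print(f"  - {problem}")
```

Two results are worth noticing: "reject-blind.example" is fully enforcing yet flagged, because with no rua= address you never learn which legitimate senders are now being rejected; and "reject-partial.example" is not treated as enforcing, because pct=25 leaves three quarters of spoofed mail delivered. Both are the blind spots the deployment guide is about.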

Automatically Reversing Account Takeovers

DMARC | Email | Security | - July 11, 2022 // Barry

Today, Brian Krebs reported on account takeovers happening at Experian, one of the 3 major credit agencies. The first step after getting account access is to lock out the account owner, usually by swapping the email address. 10 years ago I dealt with this problem extensively, so I'd like to share how to solve it.

I'm offering my first Scaled Agile Class

SAFe | Classes | - October 30, 2021 // Barry

After 20 years in software development, my frustrations with watching organizations hurt themselves from bad practices finally boiled over in my article, Reality Driven Development. The response and discussion from Hacker News led me into the work of Donald Reinertsen, who laid out the math that validated everything I was experiencing. Much of the Scaled Agile Framework is based on his work, which led into my journey with SAFe 3 years ago. Join me on December 9th for my first class, Leading SAFe 5.1.

Ansible + Terraform, the PBJ of DevOps Presentation

DevOps | - October 12, 2021 // Barry @ UCLUG

This week I had the opportunity to speak to Upstate Carolina Linux User Group (UCLUG) to share my thoughts on how well Ansible and Terraform complement each other, as well as the many ways to share information between the tools to use them together.

Video: Developing a Layered Email Security Strategy Webinar Presentation

Email | Security | DMARC | - September 23, 2020 // Barry @ dmarcian

In this joint webinar between dmarcian, GreatHorn and Inspired eLearning I had the opportunity to share an overview of SPF, DKIM and DMARC as part of a layered email security strategy.

Thank You TailwindCSS

Phoenix | Design | TailwindCSS | - August 17, 2020 // Barry

In the last 2-3 weeks, after seeing a lot of recommendations, I decided to read the Refactoring UI book and then dove into TailwindCSS. Design has always been a huge gap in my skillset. As frontend complexity increased over the last decade, it seemed less and less worth it to invest time to fill it. Then came TailwindCSS.

What to Expect When You're Emailing Presentation

Email | DMARC | - July 20, 2019 // Barry @ Carolina Code Conf

During Carolina Code Conf, I gave what is probably the most entertaining presentation ever given about email. We walk through how to protect, raise and nurture the domain for my pirate themed gym, Slimmer Ye Timbers.

Phishing Leaves a DMARC Trail

DMARC | Email | - August 7, 2018 // Barry @ A.P.W.G.

In May I had the opportunity to present at the Anti-Phishing Working Group (APWG) Conference after spending some time cross referencing the APWG's eCrime Exchange data with dmarcian's historic DMARC reports to see if we could identify consistent patterns among known bad actors, as well as potentially identifying a wider scope to the attacks that any single entity could see. The results were interesting!

Repeating History with Elixir...again Presentation

Elixir | Phoenix | - July 28, 2018 // Barry @ Carolina Code Conf

Over the weekend I got the chance to speak at the inaugural Carolina Code Conf in Greenville, SC. It's the upstate polyglot conference where just about any relevant subject is welcome, so I submitted a talk on Elixir. I also gave a lightning talk on DMARC thanks to our wonderful sponsor, dmarcian.

Reality Driven Development

Business | Pairing | - May 21, 2018 // Barry

Not a lot of people know this about me, but I've almost exited programming at three different times in my career...because I wanted to get into project management at a high level. Ever since my first project management class in grad school, it just made sense to me...but after about 15 years in software it doesn't anymore. Let me explain how to fix it.

Comparing Elixir and Go

Golang | Elixir | - January 26, 2017 // Barry @ Codeship

Elixir and Go have both grown significantly in popularity over the past few years, and both are often reached for by developers looking for high concurrency solutions. The two languages follow many similar principles, but both have made some core tradeoffs that affect their potential use cases. Let’s compare the two by taking a look at their backgrounds, their programming styles, and how they deal with concurrency.

Belated ElixirConf 2016 Recap

Elixir | Phoenix | - November 30, 2016 // Barry

This past September I took vacation time and paid out of pocket to drive to Orlando and attend ElixirConf with a few other programmers from Greenville who did the same thing. We weren't the only ones. Here is a belated recap from our combined notes and experiences.

Repeating History...on Purpose...with Elixir Presentation

Phoenix | Elixir | - November 29, 2016 // Barry @ Upstate Elixir

A dive into the highlights of Elixir that make it the ideal platform for the web...and how all these questions were figured out 30 years ago. Presented to Upstate Elixir in Greenville, SC on Nov 16.

Elixir ETS + Mnesia vs Redis

DevOps | Elixir | - September 27, 2016 // Barry @ Codeship

Learning Elixir has a way of challenging everything you know about programming. Redis is becoming an assumed part of many web stacks, in the same breath as your database. But with Elixir, do you need it? Do you even need a database?

Email as a Microservice

DevOps | Email | - August 6, 2016 // Barry @ Codeship

Email might be one of the most often overlooked pieces of any web application. Usually the biggest discussion around it in a project begins and ends with “and we’ll send them an email when this happens…”.

A little thought and some minor adjustments can help us avoid some problems that will grow as your project does. Let’s talk about email as a microservice.

PostgreSQL functions with Elixir Ecto

Phoenix | PostgreSQL | Elixir | - July 27, 2016 // Barry

Functions within PostgreSQL can be setup to return rows and included in queries just like any other table. Continuing with our theme of trying to push Elixir and Phoenix a little on this site rebuild, we will move our site search inside of a database function and experiment with different ways to call it from Ecto.

Insanity with Elixir + Phoenix + PostgreSQL

Elixir | Phoenix | PostgreSQL | - July 6, 2016 // Barry

I'm at the borderline of obsessed with Elixir and Phoenix lately. I've avoided writing about it so far because it feels a bit too good to be true. In an effort to test my own enthusiasm, I decided to rebuild this site with them in the most ridiculous way possible just to try to test some limits. Because I already have an unhealthy obsession with PostgreSQL, we're getting crazy with it too.

DISCLAIMER: This is not a "how to build a blog" article. If you do what I'm about to do, people will look at you funny (and probably should).

Why Docker?

DevOps | Docker | - October 29, 2015 // Barry @ Codeship

Containers are not a new thing, but implementing them was always a little more complicated than it needed to be. Docker made great leaps in simplification of containers and set the world on fire from there. Let’s look at why.

Monitoring with Bosun

Golang | DevOps | - October 15, 2015 // Barry @ Codeship

Bosun is a monitoring and alerting system developed by the good folks at Stack Exchange, then open sourced for the rest of us. It’s written in Go, meaning its monitoring agents can run anywhere that Go can drop a binary… which is just about everywhere. So what exactly does it do and how does it compare to the likes of New Relic, CloudWatch, Nagios, Splunk Cloud, Server Density, and other monitoring tools?

Heroku Data Links with Postgres and Redis

Heroku | DevOps | PostgreSQL | - September 16, 2015 // Barry @ Codeship

PostgreSQL has a great feature called Foreign Data Wrappers (FDW) that allows it to connect directly to outside systems. Although the setup can be a little complicated, once it’s available you can run queries with joins or subqueries against them, insert data, create views, etc. Heroku has dramatically simplified the process of using FDW with PostgreSQL and Redis thanks to Data Links. Let’s try it out.

Zero Downtime Deployment with AWS ECS and ELB

DevOps | Docker | - August 25, 2015 // Barry @ Codeship

As development teams push farther toward continuous delivery, deploying updates to an application without disruption to users is constantly becoming a more sought-after practice. Amazon’s EC2 Container Service helps to make that easier than ever with tight Elastic Load Balancer integration.

How to Use Heroku PGBackups

DevOps | PostgreSQL | Heroku | - August 11, 2015 // Barry @ Codeship

Backing up your data is one of the most critical activities for your application. Heroku PGBackups makes the entire experience pretty simple but comes with a lot of flexibility too, with a number of options for smooth restoration.

No such thing as "real programming"

Business | Life | PHP | - July 20, 2015 // Barry @ freeCodeCamp

I read an article earlier today called The self-hating Web Developer that I found on Hacker News and it bothered me. It resonated with me as something that I professionally internalized over my career but it bothered me because Joseph encountered personal financial difficulty for both himself and his family due to the struggle. For that reason (and insomnia), I feel compelled to write this as reference to refer to for anybody else who may be struggling with the same thing.

Exploring Microservices Architecture on Heroku

DevOps | Heroku | - July 8, 2015 // Barry @ Codeship

Building an application with a microservice architecture is an excellent long-term decision if you can afford the increase in upfront time investment to do it properly. Heroku provides a platform that most developers know for simple deployment, but it also dramatically simplifies microservices architecture.  

Heroku PostgreSQL vs Amazon RDS for PostgreSQL

PostgreSQL | Heroku | - July 3, 2015 // Barry @ Codeship

PostgreSQL is becoming the relational database of choice for web development for a whole host of good reasons. That means that development teams have to make a decision on whether to host their own or use a database as a service provider. The two biggest players in the world of PostgreSQL are Heroku PostgreSQL and Amazon RDS for PostgreSQL. Here's a detailed comparison.

Organizing Background Worker Queues

DevOps | - April 23, 2015 // Barry

At work earlier today I ran across an issue where one of our application queues got backed up and it got me to thinking about how queues are organized in general. The TLDR answer: use urgency and intensity. 

Go from a PHP Perspective Presentation

Ruby | PHP | Golang | - April 16, 2015 // Barry @ Upstate PHP

Here are the slides from my recent presentation to UpstatePHP in Greenville, looking at Go (Golang) from a PHP Perspective.

Ruby on Rails and PostgreSQL Class Slides

PostgreSQL | Rails | Ruby | - April 6, 2015 // Barry @ OpenWorks

In August I taught a course titled Ruby on Rails and PostgreSQL - Intro to Advanced in Greenville over the span of 3 weeks. Here is the compilation of slides from the class.

Protecting Users from Phishing and Fraud Presentation

Security | Email | DMARC | DNS | - April 2, 2015 // Barry @ Upstate PHP

This presentation covers my experiences combatting phishing and fraud using DMARC and assorted other techniques in a large eBay-like platform for a niche market...when the site previously did everything over direct user email...for over a decade. Good times.

Code is the Cure for Developaralysis

Ruby | PHP | - October 22, 2014 // Barry

A couple of days ago, TechCrunch ran a column about Developaralysis that hit a little close to home. Developaralysis is defined as "the crippling sense that the software industry is evolving so fast that no one person can possibly keep up." This results in otherwise accomplished developers freezing up when trying to make decisions about the best language / framework / cloud platform to use for their project. There is a cure and it involves code. A code specifically.

SSH::Batch - Simple remote shell commands

DevOps | SSH | Perl | - September 15, 2014 // Barry

SSH::Batch is a simple command line tool, written in Perl, that allows you to run shell commands over SSH across multiple servers. These days it seems most people turn to Puppet / Chef / Ansible for that type of thing, but sometimes your needs aren't that complicated. For that, SSH::Batch fills the gap nicely and it's really simple to get started.

Video: SQL vs NoSQL Discussion at UpstatePHP Presentation

PostgreSQL | NoSQL | - September 13, 2014 // Barry @ Upstate PHP

Here's the video from the August UpstatePHP meeting in Greenville discussing SQL vs NoSQL and where they are useful for your development process. I represented SQL solutions (*cough* PostgreSQL *cough*) while Benjamin Young represented NoSQL. Ben has actively contributed to CouchDB, worked for Cloudant, Couchbase, organizes the REST Fest Unconference (happening again September 25-27th) and is the owner of Big Blue Hat. I am a gainfully employed programmer...so...there's that.

Rails Gems to Unlock Advanced PostgreSQL Features

Ruby | PostgreSQL | Rails | - September 9, 2014 // Barry

If you've spent any amount of time on this site you may have noticed that I'm fond of PostgreSQL...and Ruby on Rails...and that I dislike the general trend among Rails developers to ignore all of the amazing features in PostgreSQL that make your application better in favor of risking data integrity just so that all logic can remain in Rails. So here's my top collection of Rails gems to get at all that untapped power in PostgreSQL that you didn't know you had.

What exactly happened to Brightball for hire?

Business | Life | - August 11, 2014 // Barry

It's been about four years since we last took on a new project as a company. Work continued for existing clients for a long time after that, but the company itself was basically dead from that point. I was on vacation with my family last week and somewhat reflecting on exactly how I got there after ending up in a hospital bed in the middle of the night four years ago trying to keep it going. Here's how it happened.

NOTE: I still personally consult through Brightball.

Screenhero - This is your Business Plan

Pairing | Business | - July 31, 2014 // Barry

I got a newsletter last night from Screenhero announcing version 1.0. The problem is that in the announcement, they also announced a change in pricing that will probably kill a lot of what they have going for them. And I hate that. I REALLY hate that. I've worked for companies where we had to invest a lot of time cleaning up bad decisions, so maybe it bothers me a little more. I really like Screenhero though, so I'm going to try to help. I wasn't doing a good job of explaining myself to them via Twitter, so this should hopefully be a better explanation of what I was trying to communicate.

Why should you learn PostgreSQL?

PostgreSQL | - July 21, 2014 // Barry

Nearly a year ago I put together an hour long presentation on PostgreSQL to provide an overview of all of the benefits it provides you over other options in the database space. In hindsight, that wasn't nearly enough time because it has the capability to replace almost your entire application stack outside of the web server. In any case, here is an attempt to summarize all of the amazing functionality that you're cheating yourself out of by not choosing PostgreSQL.

Ruby on Rails and PostgreSQL - Intro to Advanced

Classes | Rails | PostgreSQL | Ruby | - July 15, 2014 // Barry @ OpenWorks

Beginning August 18th I will be offering a three week evening class aimed at professional programmers who want to learn Ruby on Rails and PostgreSQL, with the goal of becoming proficient with both in a very short time.

Pair Programming - The Lightning Talk Version Presentation

DevOps | Pairing | - July 4, 2014 // Barry @ ACS Technologies

A lightning talk introducing pair programming, based on information gleaned from RailsConf 2014. The bulk of the credit for this presentation goes to Chuck Lauer Vose of New Relic and Joe Moore of Pivotal Labs.

Exploring Ruby on Rails and PostgreSQL Presentation

Ruby | PostgreSQL | Rails | - July 4, 2014 // Barry @ The Ironyard

An overview of Ruby, jRuby, Rails, Torquebox, and PostgreSQL that was presented as a 3 hour class to other programmers at The Ironyard in Greenville, SC in July of 2013. The Rails specific sections are mostly code samples that were explained during the session so the real focus of the slides is Ruby, "the rails way" / workflow / differentiators and PostgreSQL.

What's the "right" PHP Framework? Presentation

Rails | Ruby | PHP | CakePHP | - June 21, 2014 // Barry @ Upstate PHP

This is a presentation that I recently gave at UpstatePHP in Greenville evaluating the framework landscape in PHP. We discussed why there are so many, history, goals, benefits, concerns and ultimately a recommendation.

Tempering My Docker Enthusiasm (retracted)

DevOps | Docker | - June 4, 2014 // Barry

In a recent post I provided my initial impressions of Docker, which were glowing to put it mildly. After spending more time working with it, I've found that it does still have some additional drawbacks in certain situations. (Retracted: just about every situation is covered thanks to Vagrant.)

Docker is the Heroku Killer

Heroku | Docker | - May 14, 2014 // Barry

After getting an intense look at Docker last night, I firmly believe that it is going to be the most disruptive server technology that we've seen in the last few years. It fills a much needed hole that's currently managed by very expensive solutions and it's being actively funded by some of the biggest players in the market.

PostgreSQL - It's kind've a nifty database Presentation

PostgreSQL | - November 27, 2013 // Barry @ Upstate PHP

This is a presentation I recently gave to provide an overview of PostgreSQL and some of its excellent features, including full-text search, multiple built in datatypes, data compression and extensions.

Also, Morgan Freeman is narrating. You're welcome.

Learning Ruby on Rails: Why? How? Pitfalls?

Ruby | Rails | - May 9, 2013 // Barry

I've always been a proponent of the "right tool for the job" approach to programming. Different languages are well suited for different situations. Over the past 2 years I've spent a great deal of time with Ruby on Rails after coming from a background of PHP, Java and Perl. Here's how I got started and some of the lessons I learned along the way.

The Drawback to Web Frameworks

Rails | Ruby | CakePHP | - April 29, 2013 // Barry

Web frameworks are great, don't get me wrong here. They provide a structure and consistency across projects that will transcend developers over the life of a system while dramatically simplifying the code base amongst other wonderful side effects. But what's the downside?

"Make it faster."

Life | - April 28, 2013 // Barry

I'm obsessed with performance tuning. It's an itch that can never fully be scratched. A sickness that can never be cured. Here's the story of how I caught the bug.

The Impossible Assignment

Clemson | Life | - April 25, 2013 // Barry

I had the opportunity to visit the class of one of my legendary former professors yesterday and got to share a classic story about him...the time he gave us an impossible assignment.

A Study of Pricing and Billing Models for the Web

Business | - September 13, 2010 // Barry

Asking people for payment for work is a touchy subject for everyone involved.  We've had the luxury of experimenting a little bit over our first couple of years, and here's what we learned.

The difference that expert Quality Assurance makes

Business | - July 6, 2010 // Barry

When we first started out, we listed the thorough quality assurance review as an optional piece of our estimates.  We had this incredibly naive idea that if we gave people the option to save a little money up front that they'd fully understand if there was anything that needed to be tuned up, post-launch.  We learned our lesson...hard.

The Wonders of SSH Tunneling

DevOps | SSH | - May 11, 2010 // Barry

Have you ever been working on a website and needed direct access to the database, but couldn't get access without using something like phpMyAdmin?  SSH tunneling can solve this common problem and a whole lot more.

Should my domain name include a "www"?

DNS | DevOps | - May 6, 2010 // Barry

In the age of Twitter and Web 2.0, we've started to see a lot of websites drop the standard www from their domain names.  This could simply be a product of people following trends or just trying to be a little different, but the real question is "What are the drawbacks?"

String localization with dynamic content in CakePHP

i18n | CakePHP | PHP | - June 20, 2009 // Barry

Cake has a wonderful shell script function built into it called extract that will run through your code and create a .po file full of all of the text contained within your __('My text here') calls. You can then pass these files on to translators to modify them for your languages. When you want to add variables though, you have to break it up into pieces which may change the context of the phrase. Here's a way around that.

WYSIWYGPro Helper and tutorial for CakePHP

CakePHP | PHP | - June 14, 2009 // Barry

I couldn't find any resources on setting up WYSIWYGPro with Cake so I developed this helper along with instructions for total integration with your system. If you've never used WYSIWYGPro, you should check out the demos. I've tried every WYSIWYG editor out there and none of the other ones even come close as far as I'm concerned.

PublishableBehavior for CakePHP

PHP | CakePHP | - June 10, 2009 // Barry

PublishableBehavior allows the use of datetime fields for start and end ranges on content. Included functionality allows for checking published status, toggling to published / unpublished status, and adding conditions to a find to properly filter those results.

Smoother CakePHP date/time fields with jQuery

PHP | CakePHP | - April 22, 2009 // Barry

While working with the date/time input fields in Cake I got tired of having to select 3/6 drop down boxes to choose all of the date/time information and specifically of having to select 3/6 drop down boxes if I decided to clear the date. A little bit of jQuery will clear this right up though.

Automatically loading your ACL tables

PHP | CakePHP | - January 27, 2009 // Barry

If you've spent any time wanting to use ACL on your applications, you know how tedious it can be to manually enter your entire controller and action structure. This Task will handle finding and loading or updating all of those for you whenever you run it from the command line.