Talks

2022

Hackertools 101

29.07.2022 - Internal talk @ QAware

We all build applications - and they should be “secure”. At least that’s what it says as an acceptance criterion in our user stories. But what does that actually mean?

And how do I check whether the requirement has been implemented correctly? Usually, the login is clicked through once in the regression test - everything is fine.

The fact that there are many more ways to take such an application apart is usually swept under the carpet. Professionals use a whole range of tools in their penetration tests to probe applications for every conceivable security vulnerability. And of course the same tools are available to those who are interested in our secrets and user data, whether to extort us with the threat of disclosure or to turn the data into money.

We believe that an understanding of hackers’ methods and tools will help us harden our own applications against them. That’s why we show you a small selection from our toolbox in this QAtalk.

> Language: DE

Cloud Observability mit Loki, Prometheus, Tempo und Grafana

19.07.2022 - Heise Mastering Kubernetes 2022

Observability is a critical component of any serious Kubernetes-based platform. It is the only way to ensure the reliable operation of cloud-native applications and to let developers quickly debug the trickiest problems, the ones that only show up in production.

The essential pillars of good observability are logs, metrics and traces. There are a large number of commercial tools and SaaS providers that support the aggregation and analysis of relevant diagnostic data.

In this talk, however, we use a stack built entirely from open source building blocks: Promtail to forward logs to Loki, Prometheus to collect metrics, and Tempo to receive traces. We also show how the new exemplar storage feature enables a fast transition from metrics to traces and logs.

> Slides > Language: DE

Quarkus Quickstart

10.02.2022 | 18.06.2021 - Codineers Meetup Rosenheim | Internal Seminar @ QAware

Since 2019 there has been a new star in the enterprise Java sky: Quarkus. In order to outrun the proven frameworks such as Java EE or Spring, many things are done differently here. "Container First" and "Reactive" are the two buzzwords with which Quarkus enters the race. Because the framework is built entirely on the reactive toolkit Vert.x, Quarkus applications are supposed to be structured quite differently than before.

In this talk we learn about some of the concepts of Quarkus, e.g. Reactive Everything with Mutiny and Vert.x, web services with RESTEasy, and simple database access with Panache. We look at how to compile Quarkus applications to a native binary with GraalVM.

We also take a quick look at the performance and production readiness of Quarkus. Under various conditions it has to prove itself against the JEE application servers that have been in use for years. This lets us assess whether the system is mature enough for customer projects.

> Slides > Video > Language: DE

Lecture "Cloud Computing"

01.10.2021 - 31.01.2022 - Faculty of Computer Science @ Rosenheim University of Applied Sciences

One semester lecture for Computer Science students in the 6th Bachelor semester.

Chapters:

> Language: DE

2021

Making the internet faster - HTTP/3 und QUIC

27.07.2021 | 05.03.2020 - Linux-Stammtisch München (online) | Internal Seminar @ QAware

Since its introduction, HTTP has run on top of TCP. That makes it reliable but comparatively slow: every connection starts with a TCP handshake (and, for HTTPS, a TLS handshake on top of it), and HTTP/1.x handles the requests on a connection one after the other. HTTP/2 tried to compensate for this with multiplexing, but because TCP delivers bytes strictly in order, a single lost packet still stalls every stream on the connection.

To get rid of the limitations of TCP, Google developed QUIC (originally "Quick UDP Internet Connections"), which the IETF has since standardized as RFC 9000. QUIC, and HTTP/3 built on top of it, is intended to significantly speed up client-server communication on the Internet.

In this lightning talk we summarize the older HTTP versions and the advantages and disadvantages they bring. We learn how QUIC and HTTP/3 fit into the protocol stack, what improvements the new protocols bring, and how security is handled (QUIC always encrypts; the TLS 1.3 handshake is built into the protocol). We also take a look at the practical applications that are already available today.
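As an added example (Python, not code from the talk or from any QUIC implementation), the following parser decodes the only part of a QUIC v1 packet that travels in the clear: the long header defined in RFC 9000, section 17.2. Everything after the fields decoded here, the packet number and the payload, is protected with keys derived via the TLS 1.3 handshake, so the output is roughly what a passive observer such as a firewall or IDS gets to see of an HTTP/3 connection setup. The two sample datagrams are constructed for the example (the 8-byte connection ID is the one used in RFC 9001, Appendix A; the payload bytes are placeholders).

```python
"""Parse the cleartext long header of a QUIC v1 packet (RFC 9000, section 17.2).

Added example for this talk listing, not code from the talk or any QUIC library.
"""
import struct

QUIC_V1 = 0x00000001
LONG_TYPES_V1 = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}


def decode_varint(buf: bytes, pos: int):
    """Decode a QUIC variable-length integer (RFC 9000, section 16).

    The top two bits of the first byte select an encoding of 1, 2, 4 or 8 bytes;
    the remaining bits are the big-endian value. Returns (value, next_position).
    """
    length = 1 << (buf[pos] >> 6)
    value = buf[pos] & 0x3F
    for i in range(1, length):
        value = (value << 8) | buf[pos + i]
    return value, pos + length


def parse_long_header(datagram: bytes) -> dict:
    """Return version, packet type, connection IDs and token of a long-header packet."""
    first = datagram[0]
    if not first & 0x80:
        raise ValueError("short header (1-RTT) packet: only the destination CID is visible")
    version = struct.unpack("!I", datagram[1:5])[0]
    pos = 5
    dcid_len, pos = datagram[pos], pos + 1
    dcid, pos = datagram[pos:pos + dcid_len], pos + dcid_len
    scid_len, pos = datagram[pos], pos + 1
    scid, pos = datagram[pos:pos + scid_len], pos + scid_len
    info = {"version": version, "dcid": dcid.hex(), "scid": scid.hex()}

    if version == 0:
        # Version Negotiation: the remainder is a list of 32-bit versions the server supports.
        info["type"] = "VersionNegotiation"
        info["supported_versions"] = [
            struct.unpack("!I", datagram[i:i + 4])[0] for i in range(pos, len(datagram) - 3, 4)
        ]
        return info

    if not first & 0x40:
        raise ValueError("fixed bit clear: not a valid QUIC v1 packet")
    if dcid_len > 20 or scid_len > 20:
        raise ValueError("QUIC v1 limits connection IDs to 20 bytes")
    ptype = LONG_TYPES_V1[(first & 0x30) >> 4]
    info["type"] = ptype
    if ptype == "Initial":
        # Client Initials carry a (usually empty) token from an earlier Retry or NEW_TOKEN frame.
        token_len, pos = decode_varint(datagram, pos)
        info["token"], pos = datagram[pos:pos + token_len].hex(), pos + token_len
    if ptype != "Retry":
        # Length of the packet number plus the encrypted payload that follow.
        info["length"], pos = decode_varint(datagram, pos)
    # From here on the packet number is header-protected and the payload is ciphertext.
    info["protected_from"] = pos
    return info


# Constructed sample: a client Initial for QUIC v1 with the 8-byte DCID from RFC 9001
# Appendix A, an empty SCID, no token, and a placeholder in place of the real payload.
SAMPLE_INITIAL = (
    bytes([0xC0]) + struct.pack("!I", QUIC_V1)
    + bytes([8]) + bytes.fromhex("8394c8f03e515708")
    + bytes([0])                       # empty SCID
    + bytes([0])                       # token length 0
    + bytes.fromhex("449e")            # 2-byte varint: length 1182
    + b"\x00" * 16                     # placeholder for protected packet number + payload
)

# Constructed sample: a Version Negotiation reply to that Initial (connection IDs swapped),
# advertising v1 and one draft version.
SAMPLE_VERSION_NEGOTIATION = (
    bytes([0x80]) + struct.pack("!I", 0)
    + bytes([0]) + bytes([8]) + bytes.fromhex("8394c8f03e515708")
    + struct.pack("!II", QUIC_V1, 0xFF00001D)
)

if __name__ == "__main__":
    for name, dgram in (("Initial", SAMPLE_INITIAL), ("VN", SAMPLE_VERSION_NEGOTIATION)):
        print(name, parse_long_header(dgram))
```

Note what is not in the output: no SNI, no ALPN, no HTTP method or path. Those live in the encrypted payload, which is why QUIC-aware firewalls and proxies have to do far more work (or fall back to blocking UDP/443) than they do for HTTP/1.1 or HTTP/2 over TCP.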

> Slides > Language: DE

2020

Pentests für Einsteiger – das Metasploit Framework und andere Tools

12.05.2020 | 14.03.2019 - Linux-Stammtisch München (online) | Internal Seminar @ QAware

No software is without bugs, but you should do your utmost to find and fix as many of them as possible, especially critical vulnerabilities. One well-known penetration testing tool is the Metasploit Framework. It combines exploits for known vulnerabilities with useful payloads to actively exploit them, and it also brings auxiliary modules for reconnaissance, i.e. for scanning systems for information.

In this talk, we’ll look at the features of the Metasploit Framework in detail. We’ll learn how exploits actually work, how to detect common vulnerabilities and how to actively exploit them. Using the intentionally vulnerable Metasploitable VM, we’ll be able to test out the Metasploit Framework live.

> Slides > Language: DE

Consistency, Availability and Partition Tolerance in Practice - A deep dive into CockroachDB

06.03.2020 | 18.02.2020 - Internal Seminar @ QAware | Cloud Native Night Munich

Most IT systems rely on some sort of persistent storage. This problem was solved a long time ago and every market niche seems to be covered. In this field, CockroachDB declares itself to be "resilient, horizontal scale across multiple clouds with always-on availability and data partitioned by location".

Because databases like PostgreSQL or MySQL already offer high availability features, we discuss whether there is a need for a new HA database at all. We learn about the features, upsides and downsides, distribution and resiliency of CockroachDB.

CockroachDB can be used with a PostgreSQL driver, which should let existing projects use it out of the box. We examine whether it really is that easy and which obstacles you might need to overcome. Finally, we look at whether CockroachDB is consistent, available and partition tolerant at the same time, as claimed on its website.
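One of the obstacles behind "just swap the PostgreSQL driver", shown as an added example in Python (not code from the talk or from Cockroach Labs): CockroachDB runs every transaction at SERIALIZABLE isolation and, under contention, aborts transactions with SQLSTATE 40001 ("restart transaction"). Applications written against a default PostgreSQL setup (READ COMMITTED) almost never handle that, so they need a retry loop like the one below. The wrapper only relies on the driver exception exposing a `pgcode` attribute, as psycopg2 errors do; the connection and error classes are constructed stand-ins so the example runs without a database.

```python
"""Retrying transactions against CockroachDB through a PostgreSQL driver.

Added example for this talk listing, not code from the talk or from Cockroach Labs.
CockroachDB speaks the PostgreSQL wire protocol (default port 26257), so psycopg2
connects to it unchanged; serialization failures (SQLSTATE 40001) must be retried.
"""
import random
import time

SERIALIZATION_FAILURE = "40001"


def run_transaction(conn, txn_body, max_attempts=5, base_delay=0.01, sleep=time.sleep):
    """Run txn_body(conn), commit, and retry on SQLSTATE 40001 with jittered backoff.

    Anything other than a serialization failure is rolled back and re-raised immediately;
    after max_attempts the last serialization failure is re-raised as well.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            result = txn_body(conn)
            conn.commit()
            return result
        except Exception as exc:
            conn.rollback()
            retryable = getattr(exc, "pgcode", None) == SERIALIZATION_FAILURE
            if not retryable or attempt == max_attempts:
                raise
            # Exponential backoff with jitter so competing clients do not collide again.
            sleep(base_delay * 2 ** (attempt - 1) * (1 + random.random()))


class FakeDbError(Exception):
    """Constructed stand-in for psycopg2.Error; real errors expose .pgcode the same way."""

    def __init__(self, pgcode, message):
        super().__init__(message)
        self.pgcode = pgcode


class FakeConn:
    """Constructed connection whose first `fail_commits` commits are aborted with 40001."""

    def __init__(self, fail_commits):
        self.fail_commits = fail_commits
        self.commits = 0
        self.rollbacks = 0

    def execute(self, sql, params=None):
        return "ok"

    def commit(self):
        self.commits += 1
        if self.commits <= self.fail_commits:
            raise FakeDbError(SERIALIZATION_FAILURE, "restart transaction: retry serializable")

    def rollback(self):
        self.rollbacks += 1


def transfer(conn):
    """Example transaction body: two statements that must commit together."""
    conn.execute("UPDATE accounts SET balance = balance - %s WHERE id = %s", (10, 1))
    conn.execute("UPDATE accounts SET balance = balance + %s WHERE id = %s", (10, 2))
    return "ok"


if __name__ == "__main__":
    conn = FakeConn(fail_commits=2)
    print(run_transaction(conn, transfer), "after", conn.rollbacks, "retries")
```

With a real psycopg2 connection you would pass the connection object and a body that uses a cursor; the important property is that the body is idempotent on the database side, because it may run several times before one execution commits.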

> Language: EN

2019

Private meets Enterprise: Auswertung von Tinder-Daten mit Apache Ignite

14.06.2019 | 09.09.2018 - e-fellows.net IT day | MRMCD 2018 (Darmstadt)

What is actually the most used emoji on Tinder? And which is the most popular #hashtag? This talk not only shows funny evaluations of “open” APIs using the in-memory computing framework Apache Ignite, but also takes a critical look at the mass collection and “provisioning” of private data.

> Video > Language: DE

Kein Backend, kein Problem - statische Webseiten mit Jekyll

15.03.2019 - Internal Seminar @ QAware

Jekyll is a generator that turns plain text and Markdown into HTML. With the simple template language Liquid you can build arbitrarily complex websites that need nothing more than a web server. That also eliminates a large class of potential security holes and performance problems, since there is no server-side application code to attack or to tune. Once the basic framework is in place, further data, blog posts, tables etc. can be added with Markdown alone and without any HTML knowledge.

On the other hand, you have to do without some dynamic features, e.g. a search function, or retrofit them on the client side.

This talk shows how Jekyll can be used to set up websites for different use cases in a flash. It also shows how to retrofit dynamic features like a search function in the browser.

> Language: DE

2018

Leveraging the power of SolrCloud and Spark with OpenShift

26.09.2018 - Munich Kubernetes/Cloud-Native Meetup

One of the most commonly used big data processing frameworks is Apache Spark, which processes large datasets by parallelizing the work across a cluster. Solr is a search platform based on Lucene; as SolrCloud it can be distributed across a cluster, using ZooKeeper for configuration management and coordination. Both can be combined to build performant big data applications.

But what if you want to scale out horizontally and add a node? In a manual setup you'd have to install and configure the new node by hand. Cluster orchestrators like OpenShift claim to solve this problem. This talk shows how to put Spark, Solr and ZooKeeper into containers, which can then be scaled individually inside a cluster using OpenShift. We cover OpenShift details like DeploymentConfigs, StatefulSets, Services, Routes and Persistent Volumes and install a complete, failsafe and horizontally scalable SolrCloud / Spark / ZooKeeper cluster in seconds. You will also learn about the drawbacks and pitfalls of running big data applications inside an OpenShift cluster.

> Slides > Language: EN

2017

(Un)professionelle Unkrautvernichtung: Ransomware vs. Antivirus

03.09.2017 - MRMCD 2017 (Darmstadt)

Ransomware continues to pose a major threat to the IT landscape. This presentation shows the motivation behind it, how it works, and the (more or less bad) ways to protect oneself against it. As an example, a small experiment tests how ransomware can be hidden from virus scanners.

> Video > Language: DE