Defrag 2015: Our Favorites From Day Two


This post is a continuation of our Defrag 2015 coverage from yesterday. Read on to hear about our favorite talks from day two.


Where Does the Time Go? – Researching Top Activities At Work

Lisa Kamm is a Product Manager at Google. She got involved with a project to figure out how Googler’s spend their time at work. How could they make it better? Do their mobile products support their own workflows?

Kamm and a team of curious Googlers embarked on a journey to find out. The project started with a collaborative session, where Lisa posed the question: “Wait… what are the top 100 things an employee does in an average day.” Oops. By asking the question she surreptitiously also volunteered to find an answer.

The search for answers started the way you’d expect. Being a Googler, Kamm began the hunt for answers by analyzing a large set of data. Logs from mobile phone and computer usage seemed to be the easiest way to go. There were some hurdles with actually obtaining the logs, as well as with personal privacy. Kamm prevailed in the end, and was able to crunch down 2.5 billion records to get the data she needed.

Gathering experiential data was the next destination. Logs and statistical analysis are great quantitative tools. Their look at the workday would be best complemented by a qualitative set. To get meaningful qualitative data Kamm and team designed an app that a few volunteers would install on their phones. At random intervals, seven times a day, the app would buzz workers to ask them what they were doing at that moment. Was the task pleasant? Did they feel productive? A few other quality of life questions were mixed in to round out the questionnaire.

Finally, the data from both sets needed to be combined to perform some UX analysis. The ultimate goal of the project was to answer questions like:

  • How much time are people spending on each task?
  • Are activities being completed in one sitting?
  • How productive were they?
  • Do people FEEL productive doing certain tasks?

The results were pretty cool! What’s the biggest time sink for the average employee? Email.

No surprise there. What else? Well, grouping the data shows just how much time we spend on our top tasks.

Groupings Fraction of workday consumed (approximate)
Top 100 3/4
Top 25 2/3
Top 5 1/3


At Google, the top 5 list looks something like:

  1. Email
  2. Meetings
  3. Instant messaging
  4. Programming
  5. Calendar management

37 Signals will be pleased to see meetings as the second item on the list. Personally, I was surprised to see calendar management weigh in at a heavyweight number five.

Other surprises appeared elsewhere in the analysis. For instance, 54% of all activities happen away from an employee’s desk. Managers spend significantly more time away from their desks, and tend to rely on mobile more.

If you’re eager for more detail, Kamm submitted the study to CHI. She says a paper may appear online, as early as next week.

A Field Guide to Optimizing Your Web Application Security

The CTO of Distil Networks, Engin Akyol, spoke about why security matters.

He noted that security should be a priority even at growing organizations. Why? Attacks come from a variety of places:

  • Nation states
  • Professional hacking groups (looking to sell your data)
  • Hacktivists
  • Phishing attacks (social engineering)

This list includes just the sources who have intent. A hacking group wants to sell your data, while a hacktivist is looking for fame and to shame. A threat that’s often overlooked is networks of malicious bots.

Malicious bots are automated scripts that crawl websites. The ‘automated’ bit means they’re able to operate at scale. If your site has a vulnerability, they’re likely to find it.

Akyol backed this up with some stats. Up to 60% of traffic on ecommerce sites is from malicious bots. Additionally, since 2011 there’s been about a 15% year over year increase in bot activity.

Akyol offered some simple advice for getting your own security program up and running. The first bit was to get developer buy-in on the principles of confidentiality, integrity, and availability. This is fairly easy, as most developers are already in favor of these principles.

Similarly, most devs are also generally for the development of a SDLC. This is important, as many security vulnerabilities appear as new hires come on board and bring their own varied ways of doing things.

Make use of proven tools. Run application vulnerability scans, static code analysis, code reviews, and offer bug bounties.

Other strategies include:

  • Have a positive security model.
    I.e., Use a whitelist for trusted traffic coming to your site. Blacklists are reactive.
  • If it makes sense, use Geofencing.
    E.g., If you’re a US only e-commerce company, then you don’t need to allow traffic from europe or the rest of the world.
  • Block TOR exit nodes.
  • Block proxy Networks. Maxmind and Neustar keep lists of known proxy IP lists.
  • Use login enforcement.
    E.g., If a login attempt fails more than a few times, the session and ip are locked out for a short amount of time.
  • Do client enforcement.
    E.g., Reject User Agents that aren’t well known, can’t execute javascript, can’t store cookies, or just look suspicious.

Blurring the Lines: A Look At Next-Generation Cloud Infrastructure

Alex Polvi from CoreOS hopped on stage to explain why he started the company and to dispel a few common myths about containers.

First, what are Polvi’s goals with CoreOS? He wants to fundamentally improve security on the internet. He believes up-to-date software is the key to good security. Not a revolutionary idea, but in practice it’s quite difficult to pull off.

Updating usually means taking a server offline. So, the solution would need to be container based, fault tolerant, distributed, and runnable on standard hardware. Internally, CoreOS calls this idea GIFEE (Google’s infra for everyone else).

Unfortunately, the tech community at large seems to disagree on a common name. You may see the same idea under other names like:

  • Containers as a service (CaaS)
  • Container management infrastructure
  • Application infrastructure
  • Cloud native infrastructure
  • Or just plain “Containers”

The rapid rise of containers has led to more than a few misconceptions about how they work, as well. Polvi took some time to clear up the most common ones.

  1. Containers replace VMs
    It’s easy to see where this one comes from. VMs slice up servers. Conversely, tools like Kubernetes make a fleet of servers feel like one big computer. Despite the different abstractions, both containers and VMs treat bare metal the same way.
  1. Legacy apps do not work
    Almost anything can run in containers. Even Windows apps are runnable, since containers can host VMs. This is known as a “double hulled container.”
  1. You can’t manage state in a container
    The ephemeral nature of containers doesn’t change the physics of infrastructure. Containers rely on all the same techniques as non-container software.
  1. Containers are not secure
    Containers aren’t a perfect form of security, but they are a step forward compared to an Ops guy bin packing, and then choosing which server to run the app on.Compared to multiple apps or processes running naked on a single server, containers are a step up. They’re another wall, and another form of isolation. The only way to improve security is to run one app per server (or per VM).

One Last Word…

Big thanks to Eric Norlin for organizing Defrag. I had a blast and look forward to hearing more ideas next year!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.