Jonathan Lalou's Blog

Archive for the ‘en-US’ Category

At KotlinConf2024, Chantal Loncle, a JetBrains Exposed team member, introduced Exposed, an open-source Kotlin library simplifying database access. Since its 2016 debut as a JetBrains internal tool, Exposed has grown into a versatile abstraction layer, supporting multiple databases with type-safe SQL and minimal boilerplate. Chantal guided attendees through configuring connections, defining schemas, manipulating data via DSL, DAO, and plain SQL, and extending functionality with custom features, showcasing Exposed’s flexibility for Kotlin developers.

Why Exposed? Solving Database Pain Points

Exposed addresses common database access challenges, offering a balance between control and abstraction. Chantal explained that developers often need to map Kotlin objects to database records without complex SQL or frameworks requiring annotations. Exposed supports this by providing type-safe interactions, reducing boilerplate, and abstracting database differences. Its cuttlefish mascot reflects its adaptability, enabling database-agnostic apps. Whether needing high-level abstraction or low-level SQL control, Exposed’s consistent API caters to diverse needs, as seen in its growing popularity, ranking sixth among JetBrains’ GitHub repositories.

Setting Up Database Connections

Connecting to a database with Exposed is straightforward yet flexible. Chantal demonstrated the databaseConnect function, which accepts a connection URL or data source and relies on JDBC drivers. This function doesn’t establish a connection immediately but configures details for later use. Developers can set parameters via a config builder for specific database needs or create multiple connections by storing instances. This approach ensures Exposed handles underlying database variations, allowing developers to focus on application logic rather than connection management.

Transactions: The Heart of Data Operations

Transactions are central to Exposed’s data manipulation. Chantal illustrated how the transaction function wraps operations like schema creation or data inserts, accepting a database instance or defaulting to a registered one. For multiple connections, developers can set a default database or override settings per transaction. Transactions ensure atomicity, committing or rolling back changes, and Exposed’s transaction manager simplifies resource handling. This design supports both simple and complex workflows, with utility functions like SchemaUtils.create generating SQL tailored to the target database.

Defining Schemas with Table Objects

Schema definition in Exposed revolves around the Table class, which maps Kotlin data classes to database tables. Chantal used a docking bay app example, tracking ships and planets. For a Planets table, developers register columns (e.g., auto-incrementing Long for IDs, String for names) and constraints like primary keys. For a Ships table, a foreign key references Planets, establishing a one-to-many relationship. Exposed’s SchemaUtils handles table creation or updates, checking existing schemas to generate necessary SQL, ensuring compatibility across databases like PostgreSQL or MySQL.

Data Manipulation: DSL and DAO Approaches

Exposed offers two data manipulation approaches: domain-specific language (DSL) and data access object (DAO). Chantal showcased DSL’s SQL-like syntax, where extension functions like insert or selectAll on table objects build type-safe queries. For example, inserting a ship involves assigning column values, with autogenerated keys accessible post-insertion. The DAO approach, less verbose, maps records to entity classes, abstracting SQL further. Developers call new on entities instead of insert, manipulating fields directly. Both methods, switchable via configuration, support complex queries, joins, and updates, catering to different preferences.

Plain SQL and Extensibility

For developers needing direct SQL control, Exposed’s exec function runs raw SQL strings, as Chantal demonstrated with a stored function to calculate maximum planet distances. Beyond core functionality, Exposed shines in extensibility. Statement interceptors allow custom logic, like logging deletions, at specific lifecycle points. Entity hooks in DAO mode achieve similar customization. Custom column types, such as a PostgreSQL IntRange for pricing, extend Exposed to unsupported data types. These features, supported by open classes, empower developers to tailor Exposed to unique requirements, enhancing its versatility.

Future of Exposed: Roadmap and Community

Exposed’s roadmap reflects its community-driven evolution, with 43 new contributors in 2023 halving the GitHub issue backlog. Chantal highlighted plans for a stable 1.0 release, improved documentation with tutorials, and migration support via integration with tools like Flyway. IDE tooling will autogenerate table and entity classes, reducing boilerplate, while R2DBC support will enable non-blocking database operations. Community feedback remains vital, as seen in Q&A discussions on migration scripts, ensuring Exposed continues to meet developer needs across diverse applications.

Links:

• KotlinConf website
• Kotlin website
• JetBrains website
• Exposed GitHub
• Chantal Loncle’s Talk
• Kotlin on Twitter

Amid the relentless crescendo of expectations—ever-expanding portfolios, dwindling headcounts—Marion Løken, a product manager at FINN.no, chronicles a odyssey of astute adaptation. As FINN merged with Nordic kin like Blocket and DBA, Marion’s lean cadre of four developers and a designer scaled offerings from Norwegian dealer portals to pan-Nordic private and financial forays, all while safeguarding sanity. Her manifesto: intelligence over intensity, leveraging toolchains and toolboxes to transmute toil into triumph, ensuring expansion exhilarates rather than exhausts.

Marion’s narrative unfolds against FINN’s tectonic shift: from solitary insight apps to embedded analytics across platforms, reinventing for diverse demographics. This “more with less” maelstrom, she concedes, could crush spirits, yet a smarter ethos—component curation, documentation dynamism—drove delight. By embracing mainstream stacks like Kotlin and Spring, augmented by FINN’s Podium toggles, her team doubled revenues annually, sans burnout’s bite.

Cultivating Resilience: Buffers Against Overload

Stress, Marion posits, stems from workload, control, and reward imbalances. Her buffers: processes fortify all facets—planning preempts panic, frequent releases reclaim rhythm. Culture cascades calm: transparent retrospectives temper tensions, fostering feedback loops that affirm agency.

Tools tame tasks: reusable libraries liberate from reinvention, Swagger’s specs streamline specs. Marion’s metric: fun’s stability, tracked longitudinally, underscores sustainability’s success. Her heuristic: under duress, deliberate—rethink routines, not redouble efforts.

Toolbox Transformation: From Niche to Nimble

FINN’s evolution eschewed esoterica for ubiquity: Kotlin supplanted Kotlin Multiplatform, OpenAPI supplanted bespoke bindings. Marion marvels at Podium’s prowess—feature flags flipping functionalities fleetly—enabling A/B artistry without architectural upheaval. Documentation, once dormant, danced dynamically via auto-generated APIs, accelerating assimilation for newcomers.

This pivot propelled progress: a pricing tool, inherited and iterated, burgeoned from parity to prowess, yielding fiscal fruits. Marion’s mantra: mainstream multiplicity multiplies might, marrying maturity with maneuverability.

Embedding Efficiency: Innovation Amid Integration

Embedding insights into journeys demanded deft design: component catalogs curbed custom code, promoting parity across portals. Marion’s lean legion—four coders, one crafter—conquered complexity through collaboration, cross-pollinating with Nordic nests.

Her horizon: stress as signal, prompting smarter strides. By buffering buffers, teams transcend thresholds, turning “always more” into ample achievement.

Links:

• FINN.no company website
• Marion Løken on LinkedIn

At Devoxx Belgium 2024, David Vlijmincx delivered an engaging session on Project Panama, demonstrating its power by building a custom file system in Java. This practical, hands-on talk showcased how Project Panama simplifies integrating C libraries into Java applications, replacing the cumbersome JNI with a more developer-friendly approach. By leveraging Fuse, virtual threads, and Panama’s memory management capabilities, David walked attendees through creating a functional file system, highlighting real-world applications and performance benefits. His talk emphasized the ease of integrating C libraries and the potential to build high-performance, innovative solutions.

Why Project Panama Matters

David began by addressing the challenges of JNI, which many developers find frustrating due to its complexity. Project Panama, part of OpenJDK, offers a modern alternative for interoperating with native C libraries. With a vast ecosystem of specialized C libraries—such as io_uring for asynchronous file operations or libraries for AI and keyboard communication—Panama enables Java developers to access functionality unavailable in pure Java. David demonstrated this by comparing file reading performance: using io_uring with Panama, he read files faster than Java’s standard APIs (e.g., BufferedReader or Channels) in just two nights of work, showcasing Panama’s potential for performance-critical applications.

Building a File System with Fuse

The core of David’s demo was integrating the Fuse (Filesystem in Userspace) library to create a custom file system. Fuse acts as a middle layer, intercepting commands like ls from the terminal and passing them to a Java application via Panama. David explained how Fuse provides a C struct that Java developers can populate with pointers to Java methods, enabling seamless communication between C and Java. This struct, filled with method pointers, is mounted to a directory (e.g., ~/test), allowing the Java application to handle file system operations transparently to the user, who sees only the terminal output.

Memory Management with Arenas

A key component of Panama is its memory management via arenas, which David used to allocate memory for passing strings to Fuse. He demonstrated using Arena.ofShared(), which allows memory sharing across threads and explicit lifetime control via try-with-resources. Other arena types, like Arena.ofConfined() (single-threaded) or Arena.global() (unbounded lifetime), were mentioned for context. David allocated a memory segment to store pointers to a string array (e.g., ["-f", "-d", "~/test"]) and used Arena.allocateFrom() to create C-compatible strings. This ensured safe memory handling when interacting with Fuse, preventing leaks and simplifying resource management.

Downcalls and Upcalls: Bridging Java and C

David detailed the process of making downcalls (Java to C) and upcalls (C to Java). For downcalls, he created a function descriptor mirroring the C method’s signature (e.g., fuse_main_real, returning an int and taking parameters like string arrays and structs). Using Linker.nativeLinker(), he generated a platform-specific linker to invoke the C method. For upcalls, he recreated Fuse’s struct in Java using MemoryLayout.structLayout, populating it with pointers to Java methods like getattr. Tools like JExtract simplified this by generating bindings automatically, reducing boilerplate code. David showed how JExtract creates Java classes from C headers, though it requires an additional abstraction layer for user-friendly APIs.

Implementing File System Operations

David implemented two file system operations: reading files and creating directories. For reading, he extracted the file path from a memory segment using MemorySegment.getString(), checked if it was a valid file, and copied file contents into a buffer with MemorySegment.reinterpret() to handle size constraints. For directory creation, he added paths to a map, demonstrating simplicity. Running the application mounted the file system to ~/test, where commands like mkdir and echo worked seamlessly, with Fuse calling Java methods via upcalls. David unmounted the file system, showing its clean integration. Performance tips included reusing method handles and memory segments to avoid overhead, emphasizing careful memory management.

Links:

• Project Panama Documentation
• Fuse Documentation
• JExtract
• David Vlijmincx’s GitHub

As artificial intelligence advances image processing, surveillance technologies proliferate, raising privacy concerns amid rising hacks and illicit collections. Chanin Kim and Myounghun Pak, offensive researchers, probe network video recorders (NVRs), pivotal yet understudied components. Their analysis targets market leaders Hikvision, Dahua, Uniview, and Synology’s Surveillance Station, uncovering vulnerabilities exploitable worldwide and amplifying impacts through OEM supply chains.

Chanin and Myounghun’s journey, spanning four months and yielding a substantial bounty, begins with firmware extraction challenges. They bypass U-Boot mitigations via UART, JTAG, and eMMC methods, extracting systems for scrutiny. HTTP communications and binary analyses reveal flaws, with OEM validations extending reach.

The surge in surveillance, valued at $4.1 billion globally, stems from pandemic demands for monitoring in retail, urban planning, and access control. NVRs store and manage footage from CCTVs and IP cameras, often internet-accessible, making them prime targets.

Limited prior research on NVRs, contrasted with extensive CCTV studies, motivates their focus. Shodan scans reveal over 30,000 exposed devices, echoing past exploits like Mirai botnets leveraging Hikvision RCEs.

Firmware Extraction Methodologies

Extraction proves arduous. Hikvision and Dahua support limited access but restrict root, necessitating alternatives. UART on Hikvision yields shells post-soldering, while Dahua requires JTAG for U-Boot interruption.

Uniview demands eMMC dumping via adapters, bypassing encryptions. Synology’s package simplifies via SSH.

Bypasses include patching U-Boot for boot delays and exploiting environment variables. These enable comprehensive analyses.

Discovered Vulnerabilities and Exploits

Analyses uncover stack overflows, command injections, and credential leaks. Hikvision’s overflows in HTTP handlers allow RCE, while Dahua’s injections in recovery endpoints enable reboots or shells.

Uniview exposes hardcoded credentials and overflows in authentication. Synology suffers overflows in login processes.

Chaining yields scenarios: credential stuffing grants admin, injections open reverses, scanning locates Windows hosts for plugin RCEs, mirroring wild attacks.

Demonstrations automate compromises, shutting devices or commandeering networks.

Supply Chain Ramifications

OEM dynamics amplify risks. Hikvision and Dahua supply rebranded products to Lorex, Luma, Amcrest, and EZVIZ. Similar logics and firmwares mean vulnerabilities propagate.

Purchased devices confirm: four of six Hikvision flaws affect Annke; four of seven Dahua issues impact Swann and Reolink.

CVEs assigned via Korean CNA increase recognized flaws by 61%. Shodan estimates 130,000 Hikvision and 100,000 Dahua units vulnerable.

Recommendations for Defense

Offensive researchers should prioritize HTTP and private protocols beyond studied surfaces. Users avoid external exposures, leveraging vendor DDNS for secure access.

Their findings underscore surveillance’s dual-edged nature, urging robust protections amid expanding deployments.

Links:

• Chanin Kim on LinkedIn
• S2W company website

In an era where automated teller machines safeguard substantial sums, vulnerabilities in their protective mechanisms pose significant threats. Matt Burch, an independent security researcher specializing in IoT and hardware, unveils critical flaws in Diebold Nixdorf’s Vynamic Security Suite (VSS), the dominant solution in the sector. His investigation, conducted alongside a colleague, exposes six zero-day issues enabling full system compromise within minutes, highlighting systemic risks across financial, gaming, and retail domains.

Matt’s journey stems from a fascination with the surge in ATM crimes, up over 600% recently. Targeting enterprise-grade units holding up to $400,000, he dissects VSS’s full disk encryption, revealing offline code injection and decryption paths. Diebold Nixdorf, one of three primary North American manufacturers with global reach, deploys VSS widely, including in Las Vegas casinos.

ATM architecture divides into a fortified vault for currency and a less secure “top hat” housing computing elements. The vault features robust steel, multi-factor locks, and tamper sensors, while the upper section uses thin metal and vulnerable locks, facilitating entry via simple tools.

VSS integrates endpoint protection, whitelisting, and encryption, yet Matt identifies gaps in its pre-boot authentication (PBA). This layered integrity check, spanning phases, fails to prevent unauthorized access.

Pre-Boot Authentication Vulnerabilities

VSS’s PBA employs a custom Linux-based “Super Sheep” OS for initial validation. Phase one mounts the Windows partition read-only, computing SHA-256 sums for critical files. Successful checks lead to phase two, decrypting and booting Windows.

Matt exploits unencrypted Linux elements, mounting drives offline to inject code. CVE-2023-33204 allows execution via root’s .profile, bypassing sums by targeting non-checked files. Demonstrations show callback shells post-reboot.

Service releases introduce patches, yet recursive flaws emerge. CVE-2023-33205 leverages credential stuffing on weak defaults, enabling admin escalation and command injection.

Recursive Flaws and Persistence

Patches inadvertently create new vectors. Service Release 15 removes directories but overlooks symlinks, leading to CVE-2023-33206. Attackers create traversal links, injecting payloads into root’s directory for execution.

Further updates validate symlinks, yet CVE-2023-40261 strips execute permissions from integrity modules, disabling VSS entirely. This permits arbitrary unsigned binaries, affecting all versions.

Impacts span VSS iterations, with vulnerabilities identified from April to July 2023. Diebold’s responses include end-of-life for older variants and redesigns.

Mitigation and Broader Implications

Defending requires patching to latest releases, enabling security checks to withhold TPM keys, and monitoring physical access. Disabling unused ports and securing drives reduce risks. Alternatives like BitLocker offer robust encryption.

Matt’s findings influence Diebold’s Version 4.4, introducing full Super Sheep encryption. Yet, persistent unencrypted elements suggest ongoing challenges, with likely undiscovered exploits.

This research underscores the need for comprehensive security in high-value systems, where physical and digital safeguards must align.

Links:

• Matt Burch on LinkedIn

The realm of artificial intelligence is advancing rapidly, as evidenced by insights from Josh Gordon, Laurence Moroney, and Joana Carrasqueira. Their discussion illuminated progress in Gemini APIs, open-source frameworks, and on-device capabilities, underscoring Google’s efforts to democratize AI for creators worldwide.

Breakthroughs in Gemini Models and Developer Interfaces

Josh highlighted Gemini 1.5 Pro’s multimodal prowess, handling extensive contexts like hours of video or thousands of images. Demonstrations included analyzing museum footage for exhibit details and extracting insights from lengthy PDFs, such as identifying themes in historical texts. Audio processing shone in examples like transcribing and querying lectures, revealing the model’s versatility.

Google AI Studio facilitates prototyping, with seamless transitions to code via SDKs in Python, JavaScript, and more. The Gemini API Cookbook offers practical guides, while features like context caching reduce costs for repetitive prompts. Developers can tune models swiftly, as shown in a book recommendation app refined with synthetic data.

Empowering Frameworks for Efficient AI Development

Joana explored Keras and JAX, pivotal for scalable AI. Keras 3.0 supports multiple backends, enabling seamless transitions between TensorFlow, PyTorch, and JAX, ideal for diverse workflows. Its streamlined APIs accelerate prototyping, as illustrated in a classification task using minimal code.

JAX’s strengths in high-performance computing were evident in examples like matrix operations and neural network training, leveraging just-in-time compilation for speed. PaliGemma, a vision-language model, exemplifies fine-tuning for tasks like captioning, with Kaggle Models providing accessible datasets. These tools lower barriers, fostering innovation across research and production.

On-Device AI and Responsible Innovation

Laurence introduced Google AI Edge, unifying on-device solutions to simplify adoption. MediaPipe abstractions ease complexities in preprocessing and model management, now supporting PyTorch conversions. The Model Explorer aids in tracing inferences, enhancing transparency.

Fine-tuned Gemma models run locally for privacy-sensitive applications, like personalized book experts using retrieval-augmented generation. Emphasis on agentic workflows hints at future self-correcting systems. Laurence stressed AI’s human-centric nature, urging ethical considerations through published principles, positioning it as an amplifier for global problem-solving.

Links:

• Josh Gordon on LinkedIn
• Laurence Moroney on LinkedIn
• Joana Carrasqueira on LinkedIn

Amid the vibrant energy of a gathering that has evolved over decades, Jeff Moss, founder of DEF CON, extends a heartfelt invitation to participants, emphasizing the essence of community and shared discovery. Drawing from his experiences since initiating the event 32 years ago, Jeff reflects on its growth from a modest assembly to a sprawling nexus of innovation. His remarks serve as an orientation, guiding attendees through the philosophy that underpins the conference, while encouraging them to forge their own paths in a landscape brimming with possibilities.

Jeff underscores the principle that the event’s value lies in individual contributions, acknowledging the impossibility of experiencing every facet. Early iterations allowed him to witness all activities, yet as attendance swelled, he embraced the reality of missing moments, transforming it into motivation for expanding offerings. This mindset fosters an environment where participants can prioritize personal interests, whether technical pursuits or interpersonal connections.

The structure facilitates meaningful interactions by segmenting the crowd into affinity clusters, such as those focused on automotive exploits or physical barriers. Such divisions enable deeper engagements, turning vast numbers into intimate collaborations. Jeff highlights the encouragement of inquiry, recognizing the specialization driven by technological complexity, which renders no single expert all-knowing.

Origins and Inclusivity

Tracing the roots, Jeff recounts how exclusion from invite-only gatherings inspired an open-door policy, rejecting seasonal naming to avoid constraints. This decision marked a pivotal divergence, prioritizing accessibility over restriction. Growth necessitated strategies to manage scale without diluting intimacy, leading to diverse tracks and villages that cater to niche passions.

The ethos promotes authenticity, allowing attendees to express themselves freely while respecting boundaries. Jeff shares anecdotes illustrating the blend of serendipity and intent that defines encounters, urging newcomers to engage without hesitation.

Global Perspectives and Accountability

Jeff broadens the view to international contexts, noting how varying educational systems influence entry into the field. In some regions, extended periods of exploration nurture creativity, contrasting with structured paths elsewhere. He celebrates the cultural embrace of setbacks as stepping stones, aligning with narratives of resilience.

To ensure trust, a code of conduct governs interactions, applicable universally. Enforcement through transparency reports holds organizers accountable, publicly detailing infractions to validate community standards. This mechanism reinforces integrity, even when confronting uncomfortable truths.

Jeff transitions to highlighting speakers like General Nakasone, whose insights demystify complex topics. Originating from efforts to verify online claims, these sessions connect attendees with authoritative voices, bridging gaps in understanding.

In closing, Jeff invites immersion, promising encounters that enrich beyond expectations.

Links:

• Jeff Moss on LinkedIn

Understanding OxidOS and ISO 26262

Georgiana Vlădulescu and Alexandru Radovici, representing OxidOS, shared their journey of certifying an operating system written entirely in Rust for ISO 26262 ASIL-D compliance at OxidizeConf2024. OxidOS, a professional derivative of the open-source Tock operating system, is designed for safety-critical applications in small electronic control units (ECUs). Their presentation provided a deep dive into the challenges and innovative solutions encountered while aligning OxidOS with the stringent requirements of ISO 26262, a standard that defines functional safety for automotive components.

ISO 26262 categorizes safety requirements into Automotive Safety Integrity Levels (ASILs), ranging from QM (Quality Management) to ASIL-D, based on factors like severity, exposure, and controllability. Georgiana and Alexandru explained that OxidOS aims to achieve ASIL-D certification out of context, meaning it can be used across various automotive applications, from infotainment to critical systems like airbags. This ambitious goal requires meticulous documentation and process adherence, which their team has approached with a focus on automation and open-source tools.

Challenges in Certification

The certification process for OxidOS revealed significant hurdles, primarily due to the automotive industry’s reliance on legacy tools and processes. Georgiana noted that traditional expectations, such as exchanging Excel documents, felt archaic to a team accustomed to modern software development practices. These manual processes were not only time-consuming but also prone to errors, as they lacked integration with development workflows. Additionally, the absence of Rust-specific tools in the certification domain posed a challenge, as most existing solutions cater to C-based systems.

Another significant obstacle was maintaining team motivation, as developers often prefer coding over documentation. To address this, the OxidOS team transformed the certification process into a challenge, encouraging developers to innovate by creating custom tools and workflows. This approach empowered the team, fostering a sense of autonomy and reducing burnout by allowing developers to switch between projects during downtime.

Innovative Solutions with Rust

Rust’s ecosystem proved instrumental in overcoming these challenges. The team adopted Sphinx Needs, an extension of the Sphinx documentation tool, to implement a “document as code” philosophy. This approach allowed them to version control requirements using GitHub, enabling asynchronous collaboration and historical tracking. By integrating tools like Cargo Doc, they automated the generation of certification documents from Rust code, significantly reducing manual effort.

Alexandru emphasized the importance of minimizing transitive dependencies in OxidOS, relying solely on libcore to maintain control over the codebase. This policy, coupled with Rust’s safety guarantees, ensured that the operating system remained robust and compliant. The team also developed custom scripts to link code changes to documentation, ensuring that updates to Tock’s upstream repository could be seamlessly integrated into the certification process without requiring extensive manual rework.

Future Directions and Industry Impact

Looking ahead, Georgiana and Alexandru outlined plans to enhance automation further, particularly in tracking code changes and their impact on certification requirements. By creating a link between code and documentation, they aim to streamline the process of updating requirements as Tock evolves. This approach addresses a critical industry challenge: certifying open-source software that lacks the controlled development environment of proprietary systems.

The presentation also highlighted broader industry implications. Alexandru noted that many automotive companies face similar tool-related challenges, often duplicating efforts due to non-disclosure agreements. By open-sourcing their tools in the future, the OxidOS team hopes to foster collaboration and reduce redundancy, potentially transforming how open-source software is certified in the automotive sector.

Links:

• OxidOS company website

Carly Richmond, a Principal Developer Advocate at Elastic, captivated the DevoxxUK2024 audience with her engaging exploration of image classification using TensorFlow.js. Inspired by her love for the Netflix show Is It Cake?, Carly embarked on a project to build a model distinguishing cakes disguised as everyday objects from their non-cake counterparts. Despite her self-professed lack of machine learning expertise, Carly’s journey through data gathering, pre-trained models, custom model development, and transfer learning offers a relatable and insightful narrative for developers venturing into AI-driven JavaScript applications.

Gathering and Preparing Data

Carly’s project begins with the critical task of data collection, a foundational step in machine learning. To source images of cakes resembling other objects, she leverages Playwright, a JavaScript-based automation framework, to scrape images from bakers’ websites and Instagram galleries. For non-cake images, Carly utilizes the Unsplash API, which provides royalty-free photos with a rate-limited free tier. She queries categories like reptiles, candles, and shoes to align with the deceptive cakes from the show. However, Carly acknowledges limitations, such as inadvertently including biscuits or company logos in the dataset, highlighting the challenges of ensuring data purity with a modest set of 367 cake and 174 non-cake images.

Exploring Pre-Trained Models

To avoid building a model from scratch, Carly initially experiments with TensorFlow.js’s pre-trained models, Coco SSD and MobileNet. Coco SSD, trained on the Common Objects in Context (COCO) dataset, excels in object detection, identifying bounding boxes and classifying objects like cakes with reasonable accuracy. MobileNet, designed for lightweight classification, struggles with Carly’s dataset, often misclassifying cakes as cups or ice cream due to visual similarities like frosting. CORS issues further complicate browser-based MobileNet deployment, prompting Carly to shift to a Node.js backend, where she converts images into tensors for processing. These experiences underscore the trade-offs between model complexity and practical deployment.

Building and Refining a Custom Model

Undeterred by initial setbacks, Carly ventures into crafting a custom convolutional neural network (CNN) using TensorFlow.js. She outlines the CNN’s structure, which includes convolution layers to extract features, pooling layers to reduce dimensionality, and a softmax activation for binary classification (cake vs. not cake). Despite her efforts, the model’s accuracy languishes at 48%, plagued by issues like tensor shape mismatches and premature tensor disposal. Carly candidly admits to errors, such as mislabeling cakes as non-cakes, illustrating the steep learning curve for non-experts. This section of her talk resonates with developers, emphasizing perseverance and the iterative nature of machine learning.

Leveraging Transfer Learning

Recognizing the limitations of her dataset and custom model, Carly pivots to transfer learning, using MobileNet’s feature vectors as a foundation. By adding a custom classification head with ReLU and softmax layers, she achieves a significant improvement, with accuracy reaching 100% by the third epoch and correctly classifying 319 cakes. While not perfect, this approach outperforms her custom model, demonstrating the power of leveraging pre-trained models for specialized tasks. Carly’s comparison of human performance—90% accuracy by the DevoxxUK audience versus her model’s results—adds a playful yet insightful dimension, highlighting the gap between human intuition and machine precision.

Links:

• Elastic website
• Carly Richmond on LinkedIn

At PyCon US 2024, Patrick Hoefler delivered an insightful presentation on the advancements in Dask DataFrame 2.0, particularly its enhanced integration with pandas and its performance compared to other big data tools like Spark, DuckDB, and Polars. As a maintainer of both pandas and Dask, Patrick, who works at Coiled, shared how recent improvements have transformed Dask into a robust and efficient solution for distributed computing, making it a compelling choice for handling large-scale datasets.

Enhanced String Handling with Arrow Integration

One of the most significant upgrades in Dask DataFrame 2.0 is its adoption of Apache Arrow for string handling, moving away from the less efficient NumPy object data type. Patrick highlighted that this shift has resulted in substantial performance gains. For instance, string operations are now two to three times faster in pandas, and in Dask, they can achieve up to tenfold improvements due to better multithreading capabilities. Additionally, memory usage has been drastically reduced—by approximately 60 to 70% in typical datasets—making Dask more suitable for memory-constrained environments. This enhancement ensures that users can process large datasets with string-heavy columns more efficiently, a critical factor in distributed workloads.

Revolutionary Shuffle Algorithm

Patrick emphasized the complete overhaul of Dask’s shuffle algorithm, which is pivotal for distributed systems where data must be communicated across multiple workers. The previous algorithm scaled poorly, with a logarithmic complexity that hindered performance as dataset sizes grew. The new peer-to-peer (P2P) shuffle algorithm, however, scales linearly, ensuring that doubling the dataset size only doubles the workload. This improvement not only boosts performance but also enhances reliability, allowing Dask to handle arbitrarily large datasets with constant memory usage by leveraging disk storage when necessary. Such advancements make Dask a more resilient choice for complex data processing tasks.

Query Planning: A Game-Changer

The introduction of a logical query planning layer marks a significant milestone for Dask. Historically, Dask executed operations as they were received, often leading to inefficient processing. The new query optimizer employs techniques like column projection and predicate pushdown, which significantly reduce unnecessary data reads and network transfers. For example, by identifying and prioritizing filters and projections early in the query process, Dask can minimize data movement, potentially leading to performance improvements of up to 1000x in certain scenarios. This optimization makes Dask more intuitive and efficient, aligning it closer to established systems like Spark.

Benchmarking Against the Giants

Patrick presented comprehensive benchmarks using the TPC-H dataset to compare Dask’s performance against Spark, DuckDB, and Polars. At a 100 GB scale, DuckDB often outperformed others due to its single-node optimization, but Dask held its own. At larger scales (1 TB and 10 TB), Dask’s distributed nature gave it an edge, particularly when DuckDB struggled with memory constraints on complex queries. Against Spark, Dask showed remarkable progress, outperforming it in most queries at the 1 TB scale and maintaining competitiveness at 10 TB, despite some overhead issues that Patrick noted are being addressed. These results underscore Dask’s growing capability to handle enterprise-level data processing tasks.

Links:

• Coiled company website

Hashtags: #Dask #Pandas #BigData #DistributedComputing #PyConUS2024 #PatrickHoefler #Coiled #Spark #DuckDB #Polars