squbs: packaging and deployment instructions to run on AWS nodes


Overview This page describes a quick way to package, deploy, and start a squbs application. This guide uses Amazon EC2 as an example, showing how to run a squbs application in a few minutes. You can leverage either the scala activator template or the java activator template to begin development. Packaging You need to install the following on your build instance git java 8 sbt Steps to build: Clone the source code from the git repo to the <project> directory cd <project> Run the sbt build command, including “packArchive”, such as: sbt clean update test packArchive There are two archives created under… Read more

squbs: A New, Reactive Way for PayPal to Build Applications


Preface It is not uncommon for services in PayPal to cover 1000 VMs or more. These services make use of very small VMs and produce very low throughput for each VM. At the same time, the large number of nodes takes a toll on the network and routing infrastructure. Several of these services are interconnected into a complicated mesh, making a user request travel through many network hops. As the number of these services adds up, latency gradually increases and the user experience deteriorates. While it is good for a service to have a critical mass of VMs spread across many data… Read more

Statistics for Software


Software development begins as a quest for capability, doing what could not be done before. Once that what is achieved, the engineer is left with the how. In enterprise software, the most frequently asked questions are, “How fast?” and more importantly, “How reliable?” Questions about software performance cannot be answered, or even appropriately articulated, without statistics. Yet most developers can’t tell you much about statistics. Much like math, statistics simply don’t come up for typical projects. Between coding the new and maintaining the old, who has the time? Engineers must make the time. I understand fifteen minutes can seem like… Read more

We are hiring in the Payments team !


At PayPal, we are starting up a new team to build some cool mobile products in Payments. This initiative is aiming to provide an extremely integrated payment experience for our merchants and consumers alike and we’re looking for talented engineers to join the team. This is an exciting opportunity, because it’s both a new initiative and we’re experimenting with some cutting edge mobile technologies like react-native and node.js! Why Paypal ? We believe in hiring the best talent and investing in our people. And investing does not just mean remunerating them well (with competitive salaries/ unlimited vacation/ cool perks), but also… Read more

Nyx – Lightsout management at PayPal

By , , , , and

Nyx – Lightsout management at PayPal Overview Increased adoption of cloud-based infrastructure by the industry has shown tremendous improvements in effectively running and managing applications. But most of the industries’ current practices to manage these applications are imperative in nature. In an ever-evolving situation with an increasing demand to better manage these applications, a declarative approach is needed. The ideal declarative system aims to determine the base state of each of the managed applications, monitor them continuously for any induced mutations and restore it back to the desired base state. PayPal has one of the world’s largest cloud deployments with… Read more

Acceptance of FIDO 2.0 Specifications by the W3C accelerates the movement to end passwords


What if we could eliminate, or at least significantly mitigate the risk of passwords? On February 17, 2016, the World Wide Web Consortium (W3C) announced that the creation of the Web Authentication Working Group to move the world closer to this goal. The mission of the group is to define a client-side API that provides strong authentication functionality to Web Applications. The group’s technical work will be accelerated by the acceptance of the FIDO 2.0 Web APIs. This specification, whose co- authors include PayPal’s Hubert Le Van Gong and Jeff Hodges, help simplify and improve the security of authentication.  As the steward for the… Read more

Students practicing writing a program with post-it notes before jumping on to the computers

Hour of Code @ PayPal


On Dec 12th, as part of the Hour Of Code initiative, I taught programming to a room full of 5-11 year old children of PayPal employees. I have to say, I’m completely blown away by them. I thought I’d have to do a lot of teaching. However, once I showed them how the basic structures work and how to put a program together, they took off! I taught them about concurrent programming and debugging, disguised as a session on doing a dance animation. We started with post-it notes and a whiteboard to show them that computers are really dumb, and… Read more

Lessons Learned from the Java Deserialization Bug


(with input from security researcher Mark Litchfield) Introduction At PayPal, the Secure Product LifeCycle (SPLC) is the assurance process to reduce and eliminate security vulnerabilities in our products over time by building repeatable/sustainable proactive security practices embedding them within our product development process. A key tenet of the SPLC is incorporating the lessons learned from remediating security vulnerabilities back into our processes, tools, and training to keep us on a continuous improvement cycle. The story behind the Java deserialization vulnerability The security community has known about deserialization vulnerabilities for a few years but they were considered to be theoretical and… Read more

Enterprise Overhaul: Resolving DNS


Everyone assumes all software engineers are great with numbers. If only they knew the truth. How many people’s phone numbers can you recite? No peeking and emergency numbers don’t count! Don’t worry if you couldn’t name that many. Here’s the real embarrassing test of the day: How many sites’ IP addresses can you name? No pinging and local subnets don’t count! Most telephones still looked like this when DNS was invented. Not pictured: the phonebook. Back in the mid-1980s, the first Domain Name System (DNS) implementations started putting our IP addresses into server-based contact lists and the Internet has never… Read more

Secure Authentication Proposal Accepted by W3C


Today the World Wide Web Consortium (W3C) accepted a submission of proposed technical work from W3C members PayPal, Google, Microsoft, and NokNok Labs. This submission consists of three draft initially specifications developed by the FIDO Alliance to facilitate browser support for replacing passwords as a means of authentication on the Web with something more secure. It is expected that the W3C will take these draft documents as a starting point and, through its standard process, evaluate, enhance, and publish them as W3C Recommendations (link to W3C recommendations page).  The goal is for the final specification to be implemented by Web browsers. With… Read more