Igeometry Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 193:51:58

Information:

Synopsis

Free style Software engineering talk.

Episodes

  • MongoDB and ElasticSearch Clusters WIPED! The Meow attack and how Backend Engineers can prevent it

    30/07/2020 Duration: 16min

    Bob Diachenko discovered an attack on MongoDB and ElasticSearch clusters that are unsecured. We discuss this attack in detail and how we as Backend Engineers can secure our databases. 0:00 The Meow Attack against MongoDB & ElasticSearch 1:43 How does it work? 5:00 Scope of the Attack 6:00 How Backup & MVCC Help 8:30 What does “Unsecure” mean? 11:00 Protecting Database Instances --- Support this podcast: https://anchor.fm/hnasr/support

  • I started Researching WebRTC and…..

    28/07/2020 Duration: 22min

    My progress researching WebRTC

  • Advice to Anyone starting a Software Engineering YouTube Channel

    26/07/2020 Duration: 01h04min

    This is a podcast I did with @Adarsh Menon where I discuss my journey into Backend Engineering and some lessons learned during the course of my 20+ years engineering journey. Enjoy. 0:00 Intro 2:45 Podcast Starts 3:15 How did you get into programming? 10:15 What problems do you solve at Esri? 14:55 Generalist or Specialist? 24:45 Advice to people starting out 33:15 On being Humble 47:05 YouTube advice for tech YouTubers 53:45 Thoughts on starting a company 56:45 Advice to 22 year old Hussein

  • One Line of Code can open you for a MITM attack, Let us Discuss

    25/07/2020 Duration: 19min

    Was reading this article and it is interesting how relatable it is to backend engineering and security and how many times I made this mistake before. In this video I discuss how it is not a good idea to ignore certificate validation, which can lead to MITM attacks. This article shows an ASUS router that does not verify the TLS certificate, which is a flaw discovered by Martin Rakhmanov, a security researcher. 0:00 Intro 2:00 Validate Certificate 12:18 How to mitigate 18:00 Avoiding MITM Resources https://www.techradar.com/news/this-router-is-vulnerable-to-fake-updates-and-cross-site-scripting-attacks

  • WhatsApp handles 3 MILLION TCP Connections Per Server! How do they do it? Let us discuss

    25/07/2020 Duration: 16min

    WhatsApp is a chatting application written in Erlang. Let us have a discussion on how WhatsApp managed to run 3 million TCP connections on each FreeBSD server. WhatsApp has the following metrics: 42 Billion messages a day, 1 Billion users, 3 Million connections!! 0:00 Intro 2:00 How WhatsApp reached 1, 2, then 3 Million Connections 7:00 How Many Processes? 10:00 Server Side Load Balancing 13:50 Client Side Load Balancing Resources https://blog.whatsapp.com/1-million-is-so-2011 https://blog.whatsapp.com/on-e-millio-n https://developers.facebook.com/videos/f8-2016/a-look-at-whatsapp-engineering-for-success-at-scale/

  • TLS 1.1 is Dead … Well Almost! thanks to Chrome 84- Deep Dive Analysis

    21/07/2020 Duration: 14min

    In this video I go through why TLS 1.0 and TLS 1.1 should go away. Resources https://threatpost.com/riskrecon-the-tls-1-2-deadline-is-looming-do-you-have-your-act-together/157296/ https://www.zdnet.com/article/chrome-84-released-for-blocking-notification-popups-on-spammy-sites/ https://www.theregister.com/2020/07/20/microsoft_roundup/

  • Remote Code Execution bug found in Popular Node.js changelog library (I go through the code)

    21/07/2020 Duration: 10min

    The GitHub security team has found a remote code execution bug in a Node.js changelog library. In this video I describe the bug and go through the code. Resources https://portswigger.net/daily-swig/github-security-team-finds-remote-code-execution-bug-in-popular-node-js-changelog-library https://github.com/conventional-changelog/standard-version/pull/351/files https://github.com/advisories/GHSA-7xcx-6wjh-7xp2

  • My Thoughts on the Massive VPN Leak of 1.2 TB User logs

    20/07/2020 Duration: 16min

    In this video I discuss the VPN leak of 1.2 TB of user log data, IP addresses, passwords and much more. Resources https://www.theregister.com/2020/07/17/ufo_vpn_database/ https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-exposure/

  • The Cloudflare Outage - What Happened? And my Thoughts

    18/07/2020 Duration: 10min

    On July 17, Cloudflare had a 27-minute outage. We discuss this outage, what caused it, and my thoughts on it. https://blog.cloudflare.com/cloudflare-outage-on-july-17-2020/

  • My Thoughts on The Twitter “Hack”

    16/07/2020 Duration: 09min

    A hacker used Twitter’s own ‘admin’ tool to spread a cryptocurrency scam. In this video I discuss this attack.

  • Server-Sent Events Crash Course

    14/07/2020 Duration: 29min

    Server-Sent Events or SSE is when the server sends events to the client in a unidirectional manner. In this video I explain Server-Sent Events and compare it to WebSockets, HTTP and Long Polling. Source Code https://github.com/hnasr/javascript_playground/tree/master/server-sent-events Resources https://developer.mozilla.org/en-US/docs/Web/API/EventSource 0:00 Intro 1:50 HTTP 1.0/1.1 3:40 WebSockets 5:00 Server Sent Events 7:30 SSE Use Cases 9:00 SSE Code Example 18:00 SSE Pros & Cons 25:20 Do You Need SSE? 28:30 Summary

  • HOW Would TikTok Be Blocked in US (Technical Explanations)

    08/07/2020 Duration: 06min

    In this video I go through all the possible ways the US could use to block TikTok. 0:00 Intro 0:22 App Stores 1:30 DNS 2:20 ISP Level Block 3:30 DoH/DoT 5:00 SNI 5:50 VPN

  • Have a Database User for each Express Route - Best Practices for Backend Application with Postgres

    06/07/2020 Duration: 06min

    This is a question from one of you guys that I thought I'd answer in its own video since it's loaded. Q/A - Shark Beak: I currently have the same setup for my side project. What do you think about having a 'create table if not exist' running on startup that creates this table? Good/bad? It is always a good idea to have a specific database user for each route with specific permissions and use connection pooling as much as possible.

  • ZeroMQ

    05/07/2020 Duration: 29min

    ZeroMQ is an open-source, high-performance asynchronous messaging library. In this video I discuss this tech and build a simple queue with it. 0:00 Intro 1:48 What is ZeroMQ? 4:48 Messaging Patterns 6:42 Socket Types 8:55 Simple Queue 11:00 Code 23:20 ZeroMQ Pros & Cons 29:30 Summary. Source Code https://github.com/hnasr/javascript_playground/tree/master/zeromq-simplequeue Resources https://github.com/booksbyus/zguide/tree/master/examples/Node.js https://en.wikipedia.org/wiki/ZeroMQ https://blog.scottlogic.com/2015/03/20/ZeroMQ-Quick-Intro.html http://zguide.zeromq.org/page:chapter3#advanced-request-reply Outline: What is ZeroMQ? Message library, Message Patterns, Brokerless, Simple (you build the components that you need). Socket Types: REQ, REP, PUSH, PULL, ROUTER, DEALER. Message Patterns: Synchronous Request/Response, Asynchronous Request/Response, Publish/Subscribe.

  • Discussing Layer 7 Reverse Proxy DDoS Mitigation (Security Now Video by Steve Gibson)

    02/07/2020 Duration: 14min

    Discussing Layer 7 Reverse Proxy DDoS Mitigation (Security Now Video by Steve Gibson)

  • Google Chrome and Firefox to Join Apple’s Safari in One Year Certificate Validity (My opinion)

    02/07/2020 Duration: 14min

    Google Chrome and Firefox to Join Apple’s Safari in One Year Certificate Validity (My opinion)

  • What is TCP Fast Open and how can it speed up Web Applications

    30/06/2020 Duration: 12min

    TCP Fast Open Spec https://tools.ietf.org/html/rfc7413#section-1

  • What is TCP Slow Start and how Does it affect your Web Application Performance?

    30/06/2020 Duration: 11min

    In this video I discuss what TCP Slow Start is and its effect on the performance of backend applications, proxies and even frontend applications.

  • Why you can’t run an unencrypted HTTP/2 Server on Port 80 - Protocol Ossification Explained

    30/06/2020 Duration: 09min

    In this video, I explain why we can't run unencrypted HTTP/2 or HTTP/3 without enabling TLS. This is because of Protocol Ossification.

  • Why Turning on HTTP/2 Was a Mistake (My opinion on the lucidchart article)

    28/06/2020 Duration: 15min

    Article: Why Turning on HTTP/2 Was a Mistake - Lucidchart - https://www.lucidchart.com/techblog/2019/04/10/why-turning-on-http2-was-a-mistake/ In this video I discuss this article and my opinion. That is not a limitation of HTTP/2 but of the application that couldn't handle the request. It is like driving a Volvo all your life and then switching to a Ferrari and saying it was a mistake because it's too fast. I disagree with the solutions of throttling the LB and I think the app should either be architected to not send this many requests if possible or just add more servers; since HTTP is stateless you should be able to scale. HTTP/2, however, does use more CPU since it is dealing with many streams. The article doesn’t explain if it was H2 all the way through or not. 0:00 Intro 1:17 HTTP/1.1 Current Architecture 4:00 What happened when They Enabled HTTP/2 AT LB 7:00 Why I disagree with the throttling 8:00 Proposed Solutions 12:15 Why HTTP/2 can be CPU intensive
