Igeometry Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 193:51:58

Information:

Synopsis

Freestyle software engineering talk.

Episodes

  • This Python And NodeJS IP Address Validation Vulnerability is Severe, Watch out

    04/05/2021 Duration: 16min

    Watch this if you are using IP address validation in both NodeJS and Python; these two libraries strip leading zeros, which can lead to server-side request forgery. Let us discuss.

    Resources
    https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/
    https://www.bleepingcomputer.com/news/security/python-also-impacted-by-critical-ip-address-validation-vulnerability/

    Support my work on PayPal https://bit.ly/33ENps4
    Become a Member on YouTube https://www.youtube.com/channel/UC_ML5xP23TOWKUcc-oAE_Eg/join

  • These Hackers Snuck their Trojan through PING

    04/05/2021 Duration: 19min

    In this video, I’ll discuss the Pingback attack, a new clever attack that uses both DLL files through Oracle Component Interface (OCI.dll) and ICMP protocol to deliver commands between the victim machines and the command center.

    Resources
    https://thehackernews.com/2021/05/new-pingback-malware-using-icmp.html
    https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
    https://en.wikipedia.org/wiki/Oracle_Call_Interface

  • Publish-Subscribe Pattern vs Message Queues vs Request Response (Detailed Discussions with Examples)

    02/05/2021 Duration: 44min

    In this podcast I’ll explain message queues, the request response pattern and the publish subscribe pattern. I will also illustrate the main differences between them and when to use one over another.

    0:00 Intro
    0:30 Message Queues in 60 Seconds
    1:24 When to Use Message Queues?
    14:33 Request Response Pattern
    20:00 Request Response Pros & Cons
    24:11 Publish Subscribe Pattern in 60 Seconds
    25:13 Publish Subscribe Pattern
    31:49 Publish Subscribe Pattern Pros and Cons

  • HTTP Code 502 Bad Gateway Explained (All its Possible Causes on the Backend)

    30/04/2021 Duration: 17min

    502 Bad Gateway is one of the most infamous errors on the backend. It usually means “hey, something is wrong with your backend server”, but it doesn’t really give enough information. In this video, I’ll go through details on why proxies and gateways like NGINX and HAProxy should consider throwing more finely detailed HTTP error codes.

    502 Bad Gateway: The server was acting as a gateway or proxy and received an invalid response from the upstream server.

    0:00 Intro
    3:45 What Causes a 502 Bad Gateway?
    8:00 Cloudflare HTTP error codes
    13:00 Security Implications

  • Technical Discussion on VPNs - How VPNs Work, their benefits, and What happens when VPNs are Hacked

    26/04/2021 Duration: 26min

    In this episode I’ll talk about how VPNs work, networking and IPSec, and will also discuss the benefits of VPNs and what happens when a VPN is hacked.

    * Intro 0:00
    * How Networking Works? 2:20
    * How VPN Works? 10:00
    * VPN Benefits 17:50
    * What happens when VPN is hacked 20:20

  • Let us discuss the Linux Kernel community and University of Minnesota situation

    22/04/2021 Duration: 15min

    There is an ongoing situation with the Linux kernel community and the University of Minnesota Department of Computer Science & Engineering. We discuss this in this episode and I give my opinion.

    --- Support this podcast: https://anchor.fm/hnasr/support

  • Auth0 Outage (Early report)

    20/04/2021 Duration: 11min

    Auth0 went down on April/20/2021 and this is the early report. Let us discuss.

    This incident affects: Auth0 US (PROD) (User Authentication, Machine to Machine Authentication, Multi-factor Authentication, Management API), Auth0 US (PREVIEW) (User Authentication, Machine to Machine Authentication, Multi-factor Authentication, Management API), and Management Dashboard (manage.auth0.com).

    0:00 Update on Auth0 outage
    6:00 Speculation of the outage

    https://auth0.com/blog/how-we-store-data-in-the-cloud-at-auth0/#Redis
    https://status.auth0.com/incidents/zvjzyc7912g5?u=v0zzz6jxvbv7

  • North Korean Hackers Hide Malicious Code within BMP image, Goes Undetected by AntiVirus software

    20/04/2021 Duration: 14min

    Let us discuss the complexity behind this trojan hack; the multi-layer approach of hiding the RAT (remote access trojan) is absolutely genius.

    https://en.wikipedia.org/wiki/HTML_Application
    https://en.wikipedia.org/wiki/Portable_Network_Graphics
    https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/

  • These New WhatsApp Vulnerabilities Can Leak Images, Voice Notes, and Chat by Opening an HTML message

    18/04/2021 Duration: 21min

    A few vulnerabilities were discovered in WhatsApp for Android that allow an attacker sending an HTML file attachment full access to the user's media, voice notes, pictures, and eventually chat messages (through TLS session resumption keys). In this video, we will discuss the scope of this attack. The vulnerabilities have been patched by Facebook.

    Full article from CENSUS labs discussing in detail how to carry out the PoC attack:
    https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/

  • A Look into Modern Leaky Abstractions - Postgres, MySQL, HTTP/2, TCP, ORMs GraphQL, N+1, Axios, git

    17/04/2021 Duration: 37min

    Leaky abstractions occur when the consumer of the abstraction starts asking questions about certain behavior, which ends up with the need to understand the details behind the abstraction. Joel Spolsky coined this term, and in this video I’d like to discuss this concept and provide a few examples from my own experience with leaky abstractions. Let us get on with the show.

    6:00 Postgres Dead Tuples
    7:25 MySQL Clustering
    9:23 Axios HTTP Library
    11:30 ORMs (N+1)
    13:30 Beyond Abstractions
    15:30 TCP
    19:30 HTTP/2
    27:00 Microservices
    28:40 Index Only Scans Postgres
    33:35 git
    34:50 Summary

  • Here is what caused the Hack to PHP Source Code git Server

    15/04/2021 Duration: 13min

    Two weeks ago the PHP source code git server got hacked and two malicious commits were made to the source code. Since then the PHP maintainers identified the source of the hack. Let us discuss.

  • If I wasn’t a Backend Engineer, I would pick this as my career - Q&A April 2021

    12/04/2021 Duration: 11min

    Light episode today, let's have some fun with Q&A. I collected some questions on Twitter and the YouTube community and I'm going to attempt to answer them here.

  • Can NULLs Improve your Database Queries Performance? - The Backend Engineering Show

    11/04/2021 Duration: 22min

    In this episode, we will discuss NULLs in database systems. I’ll go through the following:

    * What is Null?
    * NULLs persistence
      * Whether you store a 0 or a 2 billion value in a 32-bit integer field, it costs 32 bits
      * When you store a NULL in a 32-bit integer field we save 32 bits but add overheads
    * When NULLs are naughty
      * Semantics and inconsistent results
      * Select count(*) includes nulls; count(column) ignores nulls
      * T is NULL returns the null rows
      * T is NOT NULL returns not null rows
      * T In (NULL) returns nothing
      * T not in NULL returns nothing
      * Some databases don’t index nulls
    * When NULLs are useful
      * I don’t have a value, I don’t wish to provide a birthday
      * Not applicable field for certain use cases but not others
      * Fat tables (denormalization): fat tables with many columns make your rows longer, which means fewer rows fit in your page (show pic).. NULLs help here .. that are NULL, it yields shorter rows, instead of storing a default 0 value

  • 10 Vulnerabilities to watch for When building secure backend application (OWASP recommendations)

    07/04/2021 Duration: 28min

    The Open Web Application Security Project is a recognized entity that helps developers identify critical security vulnerabilities to build secure web applications. In this video I will go through the 10 vulnerabilities, explain each one, and give examples and anecdotes from real life.

    0:00 Building Secure Backends
    2:30 Injection
    4:50 Broken Authentication
    6:43 Sensitive Data Exposure
    11:00 XML External Entities (XXE)
    13:45 Broken Access Control
    17:00 Security Misconfiguration
    19:00 XSS
    22:45 Insecure Deserialization
    24:48 Using Components with Known Vulnerabilities
    26:00 Insufficient Logging & Monitoring

    Resources
    https://owasp.org/www-project-top-ten/

    Cards
    2:50 SQL Injection https://www.youtube.com/watch?v=Azo9tDUtC9s
    4:20 Best practices building REST https://www.youtube.com/watch?v=6zHWU7zBep0&list=PLQnljOFTspQUybacGRk1b_p13dgI-SmcZ&index=4
    8:30 TLS playlist youtube.com/playlist?list=PLQnljOFTspQW4yHuqp_Opv853-G_wAiH-
    15:00 HTTP Smuggling https://www.youtube.com/watch?v=PFllH0QccC

  • Browser Caching best practices, when to use no-cache vs max-age without breaking your site

    07/04/2021 Duration: 18min

    Caching is the hardest problem in building software, and having the browser cache is not any different. In this video, I'll discuss Jake Archibald's article https://jakearchibald.com/2016/caching-best-practices/

    0:00 Intro
    2:00 Pattern 1: Immutable content + long max-age
    5:40 Pattern 2: Mutable content, always server-revalidated
    8:00 max-age on mutable content is often the wrong choice
    12:20 CDN and Caching

    Article
    https://jakearchibald.com/2016/caching-best-practices/
    https://twitter.com/jaffathecake

  • Write Amplification Explained in Backend Apps, Database Systems and SSDs

    05/04/2021 Duration: 22min

    Write amplification is a phenomenon where the actual writes that physically happen are multiples of the actual writes desired. In this episode, I'll discuss 3 types of write amplification and their effects on the performance and lifetime of storage mediums.

    0:00 Intro
    2:00 Application write amplification
    4:30 Database write amplification
    9:30 SSD Disk write amplification
    16:00 SSD hates BTrees
    20:00 Summary

    Resources
    https://en.wikipedia.org/wiki/Write_amplification
    https://www.cybertec-postgresql.com/en/hot-updates-in-postgresql-for-better-performance/
    https://youtu.be/5Mh3o886qpg

  • DNS issue impacting multiple Microsoft services on April’s fool day (with Bonus content)

    04/04/2021 Duration: 26min

    Microsoft had an outage on April 1st that was caused by a DNS surge; let us discuss this. Bonus: I’ll also discuss the outage that happened on March 18th (CPU 100% utilization).

    RCA - DNS issue impacting multiple Microsoft services (Tracking ID GVY5-TZZ)

    Summary of Impact: Between 21:21 UTC and 22:00 UTC on 1 Apr 2021, Azure DNS experienced a service availability issue. This resulted in customers being unable to resolve domain names for services they use, which resulted in intermittent failures accessing or managing Azure and Microsoft services. Due to the nature of DNS, the impact of the issue was observed across multiple regions. Recovery time varied by service, but the majority of services recovered by 22:30 UTC.

    0:00 April/1st Outage - DNS Issue
    13:30 March/18th Outage - CPU 100%

    RCA https://status.azure.com/en-us/status/history/

  • My Python CRUD App hits 2 million rows, Should I Shard my Database?

    03/04/2021 Duration: 21min

    Hey Hussein, I have a 2 million row table used in my CRUD Python app. I’m worried that as the table grows my inserts will slow down. Should I consider sharding my database or partitioning the table? Thank you.

    I’m avid of simplicity in design; if I can do it in one machine I’ll do it.

    Sharding/Partitioning are all great inserts are fast, queries are slow
    0:00 inserts can be slow
    3:00 indexes/stored procedures selects, updates, and deletes can be slow
    12:00 add proper indexes. simplicity wins, premature optimization is bad
    15:20 crazy things that people say like microservices day 1 scares me

  • cURL TLS 1.3 session ticket proxy host mixup Vulnerability

    31/03/2021 Duration: 09min

    Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2, when the session ids would be provided only during the TLS handshake, while in TLS 1.3 it happens post handshake and the code was not updated to take that changed behavior into account.

    4:00 http connect

    https://curl.se/docs/CVE-2021-22890.html

  • PHP’s Source Code hacked - Two Remote Code execution added to the Git server, let us discuss

    31/03/2021 Duration: 08min

    Two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server. The commits were found and reverted two hours after they were committed. PHP is moving to GitHub as a result.

    Article https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/
