Sunday, May 28, 2017

ZeroMQ: implementing the Publisher/Subscriber model using Node

ZeroMQ is a very easy technology for implementing various message-passing patterns. Here I am trying to implement one of the most common patterns, the Publisher/Subscriber model, with Node JS and ZeroMQ.

In the Publisher/Subscriber model, a publisher (server) publishes a message, and any number of clients can subscribe to it.

Before starting to code, please go ahead and install zmq on your machine. You can follow the step-by-step commands in the GitHub gist below:
https://gist.github.com/cdjhlee/b8e3c927a01b0948b42d

Next you need to install the zmq node module on your machine. I have installed it "globally".

Let us now begin with our publisher. In the code below, the publisher constantly watches a file and sends a message when it finds that the file has changed. Let us assume the file name is "pub.txt".

Here I have added the fs.watch function, which monitors changes to the above file and sends a message to all connected clients when the file changes. So whenever you want to trigger a message, all you need to do is change the pub.txt file.

I have written two subscribers, one that subscribes to "cat" and the other to "dog". Now when the server sends a message, the respective client captures the message and prints it to the console.





Thursday, May 25, 2017

Node JS: understanding the event loop in JavaScript

Most of the time, JavaScript developers are confused about the concept of the event loop: how the event loop, libuv and Google's V8 engine work together to make JavaScript I/O non-blocking and asynchronous.

Most of us, one way or another, have encountered the question in an interview, or have been asked to explain the event loop or the asynchronous concept with a small JavaScript script that uses the "setTimeout" function with a callback. In many ways, the concept of the event loop is a hard shell to crack for people coming from a different programming background.

Recently I came across Philip's lecture, where he not only explained the flow of code from the stack to the callback queue to the event loop successfully, but also demonstrated it very well.
He has even developed a small tool that demos the event loop flow and how the various components of JavaScript interact with each other: http://latentflip.com/



Hope the above lecture will be able to clear the confusion surrounding the concept.

Tuesday, March 14, 2017

Study Less, Study Smart

If you spend hours and hours studying without improving your grades or information retention, then learn how to study smart from Marty Lobdell. Lobdell taught Psychology at Pierce College in Washington State for 40 years. During Lobdell's career he has taught tens of thousands of students, and he wants students to succeed. After watching students cram for eight hours or more for a test without any improvement, Lobdell developed a studying technique that helps the brain retain the information you are studying; he presents it in this video, "Study Less, Study Smart".





Wednesday, January 25, 2017

Which of the following two passwords is stronger?



Which of the following two passwords is stronger,
more secure, and more difficult to crack?
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9

If you really want to know, you need to check Gibson's password brute-force search calculator. Most websites only offer a password strength calculator. Check out the website https://www.grc.com/haystack.htm

Sunday, January 22, 2017

nodemon: a must-have tool for Node JS developers

Some tools make a developer's life easy. If you are a Node JS developer writing any server app, you must install this small command-line tool. It will make your life damn easy.

The tool restarts the server as soon as any file is modified, so life becomes a bit easier. For more details check the nodemon website.

Wednesday, January 18, 2017

Web security: tools that you can make use of to test your website


It is important for a web developer to know the kinds of attacks malicious people use to damage your website.

You can easily visualize how these attacks have been used in some of the world's biggest data breaches.
Check the information breaches around the world: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


Some of the common ones are:

1. SQL injection. Here I will discuss error-based SQL injection. In this attack, the attacker tries to modify the search query in the URL, provokes an error, and then modifies the query further to get output that you do not want to share on the web page.

The easier way is to make use of the automated tool "Havij". Please explore it to test your website.
Make sure to validate the data received as external input, e.g. if you are expecting a number, then it should be a number in the POST and GET request.
The other best way to stay away from SQL injection is to make use of bind variables (parameterized queries) in any query that takes input from outside.
The last one is to allow the application access only to certain tables, following the "principle of least privilege". E.g., should your application's DB account be able to run database admin commands?
Last but not least are a web application firewall and cryptographic storage.



2. Insufficient Transport Layer Security: this means you are not using a secure layer (HTTPS rather than HTTP) while communicating with the web server over the internet. Most people get hacked when they use an open Wi-Fi network. Here an attacker may monitor the information flowing in and out through the router. Some attackers even modify the DNS server settings so that requests for common sites go to their own hosted website with a replicated page.
Sometimes attackers inject a key-logger JS script into the page. So how do you prevent such attacks?
Make sure that your web application's login page opens in HTTPS mode and that the login form posts over HTTPS as well. So apply TLS to encrypt by default (you need to pay some money to get the certificate) if you are expanding your application, especially for the login page authentication.

Also make use of encrypted authentication cookies in your application; the firewall is the last line of defense.
Also check out this blog post on how to set up an SSL certificate:
https://ksylvest.com/posts/2014-05-06/setup-free-ish-ssl-tls-on-heroku-for-ruby-on-rails-or-any-other-framework



3. Insecure Password Storage
I hope every developer is aware of rainbow tables. Here the attacker has a pre-computed hash table that he uses to guess the password. The easiest way to prevent this is to make use of the bcrypt algorithm (avoid MD5) and save the password hash and the random salt used in two separate columns. You can add an additional layer of security by encrypting the output from bcrypt again using MD5.
 
e.g.
bcrypt algorithm -> random salt + password -> md5 -> save salt column and password column
In future I may share how to implement the above in Node JS.

4. Cross Site Scripting (XSS)

5. Weak Account Management