Programming

How to upgrade Amazon RDS MySQL from 5.7 to 8.0

I've been ignoring all of my Amazon AWS Emails about major/minor version upgrades for quite some time now (they always seem rather frivolous), but the email that did catch my eye was my monthly BILL (jumping 4x in costs in the last month or so). Turns out RDS Extended Support for old versions of MySQL costs $0.10 per hour ($75/month) for each end-of-life database. Now, I have not touched my AWS configurations for over 5 years, so it definitely took me some time to get reacquainted to all of the options and new UI in the console. My frustration is knowledge for the rest of y'all, so please enjoy my struggle notes.

Here's my step-by-step guide on how to successfully upgrade your instances and check your DB connections are still working.

  1. If you're like me and forgot where your DB credentials are located, I started off my trying to connect to it within the AWS RDS -> DB Instances -> [Select DB Name]. From here, I was able to find the connection details of Endpoint (Host), Port under Connectivity & security, and Username, Password under Configuration.
  2. I then took this information and attempted to connect using MySQLWorkbench by entering all of the Hostname, Port, Username, and Password and clicking "Test Connection". You should see a "Success" if everything is configured properly.

  3. Mine wasn't successful on the first try lol. Things I had to reconfigure on AWS: VPC Security Group (made sure my security group allowlisted my new public internet IP. for port 3306 on my Inbound connection rules. I also forgot my password for my username... whoops! Turns out you can reset your master password from RDS Dashboard when you enter (click) "Modify" -> Master password and Confirm master password. Apply changes immediately and wait for the DB Status to turn green again
  4. After I successfully verified my original connection, I made a manual backup of my database in MySQLWorkbench via Data Export into a Self-Container File.. just in case things went poorly.
  5. Next, I tried updating straight to 8.036 also via "Modify" -> DB engine version (please note, if this weren't my personal blog, I would have used an Amazon Blue Green Deployment to minimize Production downtime), but yet again, I ran into another dreaded AWS error:
  6. Current Option Group (default:mysql-5-7-db-randomhash-upgrade) is non-default. You need to explicitly specify a new Option Group in this case (default or custom)
    
  7. To solve this error above, I first changed the "Modify" -> Option group from "default:mysql-5-7-db-randomhash-upgrade" to default:mysql-5-7 and also unchecked
    Enable auto minor version upgrade, which created this invalid option group in the first place. Apply changes and wait for the Status to turn green.
  8. Finally, we're ready to do the final step of upgrading from 5.7 to 8.0 on step 5. This process took my around 15 minutes but may take longer for larger databases, so be prepared with a maintenance plan!!
  9. Once the upgrade is complete, your DB will reboot and Status will hopefully turn green again. Revalidate your connection from MySQLWorkbench or your preferred CLI command. It should all work as before!

Amazon indicates that you should stop getting charged for extended support as soon as you upgrade to 8.0, but double check your Billing $$$ after the upgrade to be sure. Hope that helped!

Standard
Mathematics, Programming

Mandelbrot Set and the Fractals of Life

I've been playing around with Rust for a few weekends just to see what all the hacker hype is about. I haven't done a math post in a minute, so I wanted to use this small project as an exploration of mathematical visual arts.

Tangentially, there's an amazing PBS Nova documentary about Fractals - Hunting the Hidden Dimension. If you haven't watched it already, do it NOW! (WARNING: May induce wook-like philosophies)

https://en.wikipedia.org/wiki/Fractal_landscape

I love fractals. They are the most intriguing shapes which can represent very natural phenomena. Every snowflake is a unique fractal. Mountain ranges are landscape fractals with infinite triangles. Rainforests -> trees -> tree roots -> branches -> stems -> leafs represent a natural fractal ecosystem. Extending this analogy to space, a planet -> lunar system -> solar system -> globular cluster -> galaxy -> cosmic web form a fractal universe. Watch this incredible Youtube video visualize our entire human experience as an isomorphic fractal structure to the universe and the quarks that make up our known existence.

In mathematical terms, fractals are shapes with non-integer dimensions, infinite length arounds its edges, and self-similar. This means one can infinitely zoom in or out of a fractal, and the fractal will still retain the exact same pattern.

Fractals were largely ignored in the mathematical community UNTIL they could be visualized by the power of computer graphics (shoutout Benoit Mandelbrot). Today, we see fractals in a plethora of digital art, design, and visual performance tools: see Electric Sheep or go attend any electronic music show with a projector.

Mandelbrot Set Fractal Properties

On March 1, 1980, Mandelbrot created the first visualization of the Mandelbrot Set on an IBM computer. I wanted to recreate this moment using modern computer languages.

A Mandelbrot Set is a set of complex numbers C that are bound and do not diverge from the recursive function f(z+1) = z^2 + C when iterated from z = 0.

To accomplish this, I wrote a concurrent image output Rust program which leveraged all 4 of my CPU cores by splitting the rendering output work among 8 threads by pixel row. I then iterated through the set of Complex numbers and determined which numbers did not recursively diverge from the function listed above.

Here are my initial thoughts of working with Rust:

  1. The language itself is like a combination of C++, JavaScript, and OCaml. I really enjoyed working with the success and error handlers of the language.
  2. The syntax is also NOT human readable at first glance - there is an unmistakable learning curve to this language.
  3. The cargo packaging system for Rust is simply amazing. I was easily able to add Complex numbers and concurrency to my program with a few import statements (I secretly wish Golang had a halfway decent package management system).
  4. Sublime Text really struggles with displaying the compiler errors in the code editor. This is the exact reason why I switched to bindings-packed VSCode.
  5. Documenting and writing test cases using /// and #[test] are extremely intuitive and forces you to write quality code.
  6. Rust is unbelievably fast.

Anyway, here's my super detailed 8000x6000 grayscale Mandelbrot Set. If you look close enough, you'll see even more miniature Mandelbrot Sets :).

Standard
Programming

How to Stop a Brute Force xmlrpc.php Attack on Bitnami WordPress

WordPress Inspiration (oxymoron).

I was trying to access my site the other day and noticed it took fucking forever for anything to load. I thought something was broken: server out of memory from a recurring CRON job, or maybe I had royally fucked over my WordPress ecosystem by accident. Who knows? It's WordPress after all...

Are you experiencing any of these symptoms? Then read on...

  • Perpetually waiting for a response from while your browser displays a white page?
  • When your website does manage to load, clicking any links could make the entire application stop responding..
  • Seeing an abnormally high AWS charge for a small instance? Blame Amazon for expensive cloud computing first...

Being the curious programmer here, I tried to look for the issue. PRO TIP: Always look at your Apache or NGINX logs. My god. Fuck this guy. Spamming my site with pointless brute-force password attempts on a file called xmlrpc.php. Eventually, you'll never succeed because the password is a million fucking digits long. Realistically, however, I'll probably be so pissed off at the AWS charge, that I would cancel the EC2 instance before giving into my blog's new commander.

Check out some of these logs from streaming the Apache logs:

$ tail -1000f /opt/bitnami/apache2/logs/access_log

185.188.204.7 - - [21/Nov/2017:08:07:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:17 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:20 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:20 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:22 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370

Great, my server is being spammed by a Russian bot every few milliseconds. WordPress, why the hell are these requests succeeding from an external source? At least this explains why my site has been unresponsive - someone else is using its resources.

Let's block their ass. The best way to do this is on the intermediary Apache server. We're going to write an Apache policy to prevent access to the xmlrpc.php file.

One thing to note before we continue here is that Bitnami automatically disables .htaccess files by default for performance reasons. So to write any Apache configurations at all, we'll have to edit the customized .conf file under:

vi /opt/bitnami/apps/wordpress/conf/htaccess.conf

// Now add these lines at the end of the file, please learn VIM to complete the edit

<FilesMatch "xmlrpc.php">
  Order Deny,Allow
  Deny from all
  Allow from 192.0.64.0/18
  Satisfy All
  ErrorDocument 403 http://127.0.0.1/
</FilesMatch>

Once we have edited the htaccess.conf file, we are going to restart the Apache server for the changes to take place:

sudo /opt/bitnami/ctlscript.sh restart apache

We can verify this works by trying to access the file via GET or POST on the file, http://dasun.us/xmlrpc.php, it should redirect. The policy above effectively redirects all external users to their localhost, while allowing traffic internally from WordPress. This allows certain plugins, such as JetPack, to correctly function. Let's look at the access logs now:

185.188.204.7 - - [21/Nov/2017:08:41:24 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:24 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:25 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:29 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:31 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:31 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:31 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201

Ahhh success, and a breath of go annoy someone else now. The 302 is a redirection status which means they are now trying to access their own localhost rather than wasting resources on your WordPress website. Cheers, hope this helps!

Standard
Design, Programming

Montserrat Font and Legacy Support

See the ongoing GitHub discussion.

Without going into too much detail, Google updated the Montserrat font and its weights remotely, affecting millions of designs across the world wide web which integrate with Google fonts. This affected me personally, as I use Montserrat for my blog titles.

I absolutely despise API's which introduce breaking changes. All of these breaking changes destroy any legacy applications which are using the API's. Google in particular has a penchant for deprecating, breaking, or removing their API's: remember when the internet of shit's favorite Samsung smart fridge couldn't connect to its dumb calendar? Lol. This time, millions of websites across the web were forcing shitty text overflows down everyone's throats.. Who wants that???

I'm not sure who's in charge of these decisions, but developers - the best rule of thumb to go by is once an API is deployed to production, everything in that API spec cannot change. LEAVE IT BE! The end consumer is always expecting things to abide by the status quo. The majority of users will not update their application, and they will immediately complain about anything that doesn't work at a prolific scale.

It's an awful user experience. All designers and programmers should consider these legacy customers and find creative solutions to scale and expand their API's rather than forcing major upgrades.

Before I sign off here, I'd like to talk about one of my nightmares. I can hear it now...

what about Internet Explorer??

If you don't want to deal with an awful browser or device (Windows phone I'm looking at you), do not build applications for these devices in the first place. Once you decide to start supporting anything at all, you will have to support it for all its technological life.

Standard
Programming, Thoughts

Introversion at the Latest / Earliest Hour

I often find myself coding deep into the night. I can't quite put my finger on it, but there's something subtly addicting about staying up late, by myself, with F.lux blasting on its most orange setting as I punch my keys in a sequence of logical events.

In the past, I would always take time out of my work day to play video games, socialize, or maybe even have a drink and smoke. But now... the digitalization of my coder life has become an artistic medium, unforeseen, and unexperienced by most. Many of my peers see computers as solely a tool for work. I see it as an evolution of sorts. A paradigm shift of life - as you must. An artistic grounds for innovation.

I can easily see myself never letting go of this addiction. This QWERTY keyboard layout... These languages. These console outputs... These frameworks - my own grown up K'nex. I can't even begin to express the ideas in which I want to tackle - the applications I want to build. The art I want to code. The relationship I want to nurture.

Alas, time is not on my side. Programming is a time consuming process, despite all of the optimizations I try to incorporate in my daily interactions. Shortcuts and five fingers can only get you so far.

It's quite possibly the ephemeral, evolution of Moore's Law. Holy shit, it is beautiful. Year over year, improvements on both hardware and software allowing us to do the most ridiculous of things. Once you reach the zen of programming, your life will never be the same. I feel limitless in this virtual realm. It has become my religion. A deity in the most computerized form, yet inhibited and enabled by these keystrokes...

I can deconstruct worlds and layers, unforeseen by 99% of the population. It is the most enjoyable experience I have ever been a part of. 25 years of my life and so much more to learn, so much more to suffer, so much more to LIVE.

Standard
Programming, Thoughts

Beat the Burnout

Inspiration from Sam Altman

After almost 3 years of nonstop hacking and coding, the toughest part of the job is not burning out. There are many a times when the thing that kept you interested (programming) just doesn't cut it anymore. The spark isn't there. When you don't want to go any further - when you'd rather eat ice cream for the rest of your life..

The burnout is real. Any programmer would be able to tell you this. Every big, massive undertaking has an equally large and massive undertaking for bug squashing, testing, and endless hours of debugging. No one writes perfect code, but in order to survive the gruesome, computer stare-down (maybe breakdown too) - you must know a few tricks:

  1. Coffee coffee coffee - I can't stress this one enough. Nothing gets you going like a cup (or 5) of joe. Nothing.
  2. Working out - Specifically, cardio. Even a twenty minute bike ride will light your brain on fire. Challenging your body is paramount to challenging your mind.
  3. Spoil yourself - Every techie is obsessed with something, whether it be a side-project, more electronics, energy drinks, video games, etc. Find that thing which keeps the hamster wheel spinning.
  4. Downtime - This is the part where you kick back, relax, and enjoy the show, or meal, or company, or music, or your bed.. Whatever it is, make sure you don't touch your computer during this time.
  5. Multitask - This could be unique to certain individuals, but being able to work on multiple projects with varying levels of difficulty, ensures that you are able to constantly stay busy while being productive. For example, in office, I will tackle the hardest challenges while I have all of the motivation, but when I lose focus, I will then revert to cleaning up the lower hanging fruit, such as icon updates.
  6. Operate on your best hours - Not everyone is productive at 5AM, but if you are, you know better to twiddle your thumbs during those times. Do what you got to do.
  7. Work on something you love - This is the best part about coding. You get to build something which has never been built before. Use a new framework with your favorite language or contribute to projects which you strongly believe in. The world is your oyster.

That's it for now. I revamped my website with a few more CSS goodies. I plan on adding a portfolio page soon to give you a snapshot of all the projects I'm working on!

Standard
Programming, Thoughts

Let's add a backdoor to one of the world's most secure devices

Apple's Letter

We are, yet again, at another pivotal piece of Internet legislature. Recently, a federal judge in Riverside, California ordered Apple to assist the government in unlocking and decrypting the iPhone 5C, used by Syed Rizwan Farook, responsible for the San Bernardino shootings in December.

These shootings were one of the worst acts of domestic terrorism in 2015. My thoughts go out to all of those affected. These attacks are despicable and those responsible for the attacks must be help accountable for their actions. Apple has already complied with all valid subpoenas and search warrants, even going as far to make Apple engineers available for advising the FBI.

The FBI fucked up. They compromised their entry to the sized iPhone 5C by changing the Apple ID and password associated with the phone by someone in the county health department, per the FBI's request.

Given that the iCloud auto-backup solution failed and all other feasible recovery solutions are now inviable, the FBI and the Department of Justice asked a judge to order Apple to re-write the firmware just for their unlocking purposes. This proposed new firmware would allow the FBI to remove the automatic wipe feature, allowing them to brute force the password.

I've been reading a lot of misinformed comments on the Internet and thought I'd give my computer science perspective of the situation:

1. Many Internet souls are arguing that Apple is operating based purely off its business model, and that they are using it's security features to maintain its company and brand marketability.

Let me make it very clear that Apple is NOT operating under its best marketing and business interests (surprisingly). This is about Apple's customers and their basic freedoms. Creating a backdoor is not only unlawful, but it puts the vast majority of law abiding citizens and their personal information at risk.

2. Many uninformed Internet warriors are wondering why Apple just doesn't comply with the FBI, given that it's only one user's iPhone and that that user is one of the San Bernardino shooters.

The issue isn't as black and white as it seems. The situation is not a hardware hack, rather it is a software hack. It is easy to think that the backdoor would only be applied to the single iPhone. However, this backdoor vulnerability could be applied to every iOS device in existence. That's over 1 billion devices.

I hope Apple takes this case all the way up to the Supreme Court. This backdoor, if created, could be abused by Apple's internal employees, hackers, even foreign governments if it ended up in the wrong hands. History has shown us that as soon as something is leaked, it becomes available on The Pirate Bay an hour later.

We cannot sacrifice our basic freedoms in the name of terrorism. As soon as we encourage this type of misbehavior, it gives our government unlimited access to all of our private devices. This is how oppressive regimes operate. Let democracy stand.

Standard
Programming

Cloud Security and a $20000 AWS Charge

Cloud security is a hot topic right now. In the current state of the Software Revolution, pretty much everything in everyday life is moving to the cloud: movies (Netflix & Hulu), business communications (Google Hangouts & Slack), driverless cars (Google & Tesla), storage (DropBox & OneDrive), cloud robotics (Google & Industrial Perception) to name a few of the thousands of cloud-based technologies available today. There are so many smart-* apps and devices coming out that all of our daily computational power is moving to the cloud.

This is awesome. This allows software developers and engineers like me to work from any location as long as I have an internet connection. In fact, my current job (shameless plug for Yappee) allows me to work remotely because all of our technologies are based on the cloud - GitHub, Amazon AWS, and Slack are a developer's best friend.

Under the carpet, all of these applications have critical security features and complex API's which are crucial to the success of these technologies. On the front-end side of things, the users are presented with elegant interfaces with a ton of power at their fingertips. This is the future and it's awesome.

This magical ride with cloud computing is only going to get bigger and faster according to Moore's Law. This 2^* exponential growth is going to allow us to do things we never thought possible with software, but STOP RIGHT THERE...

We are becoming so enveloped within this digital world that we are failing to recognize the consequences that may occur from cloud security.

Two days ago, I was playing around with my GitHub repo and to make room for another private repository, I switched one of my previous Ionic projects to a public, open-source project because what the heck someone might find it useful. That someone wasn't who I expected.

I received an email yesterday morning, with the title Your AWS account is compromised. Wow what's going on here? I read into the email and saw that my GitHub project was listed with my AWS security credentials listed through my elastic beanstalk configuration. I took immediate action to change all my passwords and keys associated with this account as well as deleted my github repo from the cloud. It didn't take long until I received another email regarding a support case I didn't even open myself.

Thank you for taking quick action to delete your exposed access key. The hold on your account has been lifted.

However, prior to you deleting your access key your AWS account has been compromised and currently there's a charge of $13510.95 USD. To prevent further charges as well as for me to submit a concession request, please go through and delete any unauthorized resources.

Holy shit!!!! $13510.95 USD. My account was compromised... as fuck. These GitHub bots have no mercy. Overnight, they were able to acquire my AWS credentials through their scraper and launch up 500 SpotInstances as well as 500 more c3.8xlarge EC2 instances in all regions of the world - all using my billing account. Absolutely nuts.

I contacted Amazon AWS support immediately with my pressing issue. One of their employee's, Ben, let me know about all of "suspicious" activity that my account had undergone. Ben is my hero. He got my attention immediately through a phone call and voicemail, and immediately submitted a concession request on my behalf, assuring me that all of my expenses would be covered by Amazon. Amazon and their customer support receive my highest regards. 10/10.

Screen Shot 2015-10-29 at 3.38.57 PM

This is my billing account by the morning. Within 1 day of my GitHub repo going public, the bot was able to launch off 500 of the largest EC2 instances available on Amazon with spot requests to continually relaunch them if they went down, accruing over $20000 of computing costs. This is insane (also impressive from a hacker standpoint).

Admittedly, I am 100% responsible for leaking my credentials to a public zone, but trust me, if it can happen to me, it can happen to anyone. There are bots these days for everything. Keep your shit safeguarded.

tldr: Cloud Security is important. Keep your passwords safe.

Standard
Programming

WordPress Automatic Updates

They suck so hard. I had my entire site configured how I wanted it to look like, and of course automatic theme updates are default for this piece of shit platform.

How many hours am I going to waste to achieve the same effect that I've had before?!

What the fuck.

Download Easy Automatic Updates plugin to stop the bleeding.

WordPress is the worst developer platform.

Standard
Programming, Thoughts

Venmo

Something really, really, really needs to be addressed here, and it's the current state of everyone's favorite instant money app: Venmo.

Hell, I use Venmo for rent, splitting checks, and paying for just about anything. It's quick, easy, and all emoji jokes aside, it gets money to your bank in a day's time. That's amazing, considering that PayPal, the software-boom parent of Braintree, takes three days time to transfer money from PayPal to your bank.

Last year in 2014, Venmo processed $2.4 billion of payments. $2.4 billion dollars. It doesn't stop there though, as Venmo has already processed $1.6 billion in transactions in the 2nd quarter alone. At this current rate, Venmo will process anywhere between $5 - $10 billion dollars in 2015.

The money-making scheme behind Venmo is actually quite genius: all of the cash-moneys sitting inside your Venmo account is actually gathering interest for the company. But this is also the whole reason why Venmo is unsafe. When you transfer your Venmo credits to any of your friends on Venmo, that money is only getting moved around on the application layer. That money is not being moved from your account to your friend's. Let me repeat that, even if you receive the notification, the email, and the verbal confirmation that the money was transferred, there's absolutely no guarantee that money will reach your bank account when you cash out.

This article does a tremendous job of explaining the intricacies of Venmo:

if I Venmo you $20 for Chipotle, the “+ $20.00” notification you get isn’t actually reflecting a transfer from me to you. Rather, in most cases, Venmo is floating you the money until it can come out of my account. The actual mechanics of the transaction are much more complicated; the point is that Venmo is just the top layer with which you interact. “The current systems that [the United States has] in place for consumers don’t allow for real-time payments or instant payments, but instead just create this illusion that the funds are good and immediately available,”

It's completely plausible for someone to deposit to Venmo from a fraudulent or maxed out credit card. Those "funds" can then be moved around from account to account until a user decides to cash out on his/her Venmo funds. One day later, the funds from that cash-out transaction will come back with an error: "payment that you requested to be transferred to your bank came back for insufficient funds".

This is how a Venmo scam works. You trade your virtual credits for real-life goods or services, only to realize that you never received your money. The biggest difference between Venmo and PayPal is that PayPal has securities to prevent merchants from scamming you; however, Venmo's user agreement has something completely different:

“Business, commercial, or merchant transactions may not be conducted using personal accounts.”

This means that if you sold your Craigslist item for illicit Venmo funds, Venmo will not refund you the price of the item if the transaction doesn't go through because you violated their terms of service.

Wow. Talk about shady business practices. Venmo wants you to use their application for virtually all transactions, but they conveniently forgot to mention that they won't reimburse your loss.

Be careful out there. Venmo isn't magic.

Standard