XSS, CSRF (or XSRF) and SSRF are common vulnerabilities in modern web applications where an attacker tries to imitate either a legitimate client to an unsuspecting server or a legitimate server to another unsuspecting server. The basic underlying principle behind each of these attacks remains the same: performing actions on behalf of a legitimate entity. Let’s look at each of them in a bit more detail and learn how to protect our web applications against each of them.
XSS (Cross Site Scripting)
XSS or Cross Site Scripting occurs when an attacker manages to execute malicious script code in a victim’s browser as the victim. Browsers store a lot of sensitive information in them. Some of this information is used to identify a user on a website.
A script loaded from a website can access information stored on your browser through that website, which is how sessions work in your browser. That’s how Facebook or any other website knows to show you your personalized information and not someone else’s.
XSS occurs if an attacker gets control over the scripts running in your browser. If they can execute code, they can steal your login credentials and trick you into installing malware on your computer.
There are different kinds of XSS attacks and they depend on where the payload is stored.
Reflected XSS
A reflected XSS vulnerability occurs when a piece of data from the request (typically the URL) is reflected back into the page unsanitized, allowing script to be injected. This can be the result of a GET or a POST request, and it is especially severe with an unauthenticated GET request, as that URL can be shared on social media and anyone clicking on it gets compromised.
Remediation of reflected XSS – Sanitization of all user inputs before passing it back into the view
Stored XSS
A stored XSS vulnerability occurs when a web application stores an XSS attack payload without sanitizing it and then displays it back to the same user or a different user. A notable recent example is the British Airways website getting compromised and exposing sensitive data, including credit card information from 380,000 transactions.
Remediation of stored XSS – It is the same as with reflected XSS: Sanitization of all user inputs before storing the data in the database.
DOM based XSS
Unlike reflected/stored XSS, DOM based XSS occurs entirely on the client’s side. It can result from a user typing a string into an input field that gets parsed and executed as code. An attacker can trick a user into pasting a string into their browser which, due to insecure parsing, executes and compromises the user’s credentials.
Remediation against DOM based XSS – Display text as text, and nothing else. Instead of element.innerHTML use element.innerText or element.textContent to ensure the data displayed back to a user is treated purely as text.
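The reflected and stored cases above both come down to the same sink, so here is a reflected-XSS handler beside its output-encoded form, as an added example that is not code from the original post. The search page, the handler names and the payload string are all constructed for illustration.

```javascript
// Added example, not code from the original post: a reflected-XSS sink beside
// its hardened form. A hypothetical search page echoes the "q" parameter into
// HTML; PAYLOAD is a constructed test string.

const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Output-encode untrusted text for an HTML element or attribute context.
// '&' is encoded as well so that pre-encoded entities cannot be smuggled in.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Vulnerable: the parameter is concatenated straight into the markup, so a
// value containing <script> becomes live script when the page is rendered.
function renderSearchPageUnsafe(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// Hardened: the same value is encoded before it reaches the view, so the
// browser shows it as literal text. In the browser, assigning the value to
// element.textContent instead of element.innerHTML has the same effect.
function renderSearchPageSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Detection-side check: does the rendered page still contain a raw script tag?
function echoesRawScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed payload, as it might arrive in ?q=... on a shared link.
const PAYLOAD = '<script>alert(1)</script>';

console.log('unsafe echoes script:', echoesRawScript(renderSearchPageUnsafe(PAYLOAD))); // true
console.log('safe echoes script:  ', echoesRawScript(renderSearchPageSafe(PAYLOAD)));   // false
```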
CSRF (Cross Site Request Forgery)
CSRF occurs when a malicious website makes a request to a legitimate server through an unsuspecting victim.
Web applications communicate with clients through HTTP requests. When a request is made, the browser attaches all the information it knows about the website to the request, including login/authentication credentials (cookies).
If the web server doesn’t have protective measures, a request made through a legitimate website and one made through an attacker’s website look exactly the same (or can be forged to look the same). As a result, an attacker can make a request telling the victim’s bank to transfer $100 to the attacker’s account, and since the request is made through the victim’s browser, the bank’s server will process it as a legitimate request.
Remediation of CSRF – CSRF can be prevented by requiring every unsafe request to validate itself with a valid CSRF token that can only be found in the website’s own pages and changes on every use. Additionally, authentication/login cookies can be marked with the SameSite attribute, so that a request initiated by a third-party website doesn’t carry the sensitive authentication cookies.
SSRF (Server Side Request Forgery)
SSRF is similar to CSRF, but instead of a compromised client making a request to an unsuspecting server, here a compromised server makes a request to itself or to another unsuspecting server.
Since a server might be a privileged node in the network, the attacker can make the server access and return sensitive information or perform privileged actions that the attacker’s account wouldn’t allow.
SSRF can also be used to trigger code execution in servers where the vulnerability can be exploited using the privileges of the server itself.
Remediation of SSRF – Any outgoing request needs to be explicitly allowed from the application by maintaining an allowlist of domains and servers a given server can connect to. The scope of these requests should be made as narrow as possible.
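An allowlist check of the kind described above, as an added example that is not code from the original post. The allowlist entries, URLs and the fetchIfAllowed wrapper are constructed; the check is meant to run before any outgoing request whose destination comes from user input.

```javascript
// Added example, not code from the original post: allowlist check for
// outgoing requests. Destinations and URLs are constructed for illustration.

// Destinations this server may call: exact hostname plus port, nothing wider.
const ALLOWED_DESTINATIONS = [
  { host: 'api.payments.example', port: '443' },
  { host: 'cdn.images.example', port: '443' },
];

// IPv4 dotted quads and bracketed IPv6 literals are refused outright; that
// covers loopback, link-local and other internal addresses in one rule.
function isIpLiteral(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith('[');
}

// Returns { allowed, reason }. Parsing with the WHATWG URL class (rather than a
// regex or substring match) is what makes the later checks trustworthy.
function checkOutboundUrl(rawUrl, allowlist = ALLOWED_DESTINATIONS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: 'unparseable URL' };
  }
  // Only https: no file:, gopher:, ftp: or plain http to internal services.
  if (url.protocol !== 'https:') {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // Embedded credentials (https://api.payments.example@other.example/) fool
  // naive "does it contain the allowed host" checks; we never need them.
  if (url.username || url.password) {
    return { allowed: false, reason: 'credentials in URL' };
  }
  if (isIpLiteral(url.hostname)) {
    return { allowed: false, reason: 'IP literal host' };
  }
  // url.port is '' when the scheme's default port is used.
  const port = url.port || '443';
  const hit = allowlist.find((d) => d.host === url.hostname && d.port === port);
  if (!hit) {
    return { allowed: false, reason: `${url.hostname}:${port} not in allowlist` };
  }
  return { allowed: true, reason: 'ok' };
}

// Wrapper around fetch: check first, and do not follow redirects, because a 3xx
// from an allowlisted host could point at an internal address the check never
// saw. Callers handle a redirect explicitly (and re-check the new location).
async function fetchIfAllowed(rawUrl) {
  const verdict = checkOutboundUrl(rawUrl);
  if (!verdict.allowed) throw new Error(`outbound request refused: ${verdict.reason}`);
  const res = await fetch(rawUrl, { redirect: 'manual' });
  if (res.status >= 300 && res.status < 400) {
    throw new Error('redirect from allowlisted host not followed');
  }
  return res;
}

// Constructed inputs: one legitimate destination and several that must be refused.
for (const u of [
  'https://api.payments.example/v1/charge',
  'http://api.payments.example/v1/charge',
  'https://api.payments.example@other.example/',
  'https://127.0.0.1/',
  'https://api.payments.example:8443/',
]) {
  console.log(u, '->', checkOutboundUrl(u));
}
```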
In conclusion
I hope that was an interesting quick read on some of the most common vulnerabilities in modern web applications. Injection and SSRF are two of OWASP’s Top 10 for 2021, so it is definitely worth looking into them and protecting our web applications from potential vulnerabilities.
ModSecurity is a web application firewall. It can protect your web application from preying eyes of vulnerability scanners and attackers. It is extremely customizable, and when paired with OWASP’s Core Rule Set, covers quite a lot of web technologies and frameworks.
In this article, we’ll set up ModSecurity on an AWS EC2 Server running Nginx web server.
For this tutorial, we’re using AWS Lightsail’s Ubuntu image. Choose any instance size depending on your requirements. I’ll choose a $40 / month instance with 8GB RAM and 2 vCPUs just so that the compilation of ModSecurity is faster.
Once the instance is created, log into the instance with SSH and update packages:
$ sudo apt update && sudo apt upgrade -y
Install Nginx
$ sudo apt install nginx
Check which version of Nginx we got from our package manager. This will be needed when compiling Nginx later.
$ nginx -v
I got the following output:
nginx version: nginx/1.18.0 (Ubuntu)
To make sure the webserver is successfully installed and running, simply visit the IP address of the server. It should look something similar to this:
Set up ModSecurity
First we’ll need to install compilation and other dependencies.
Next we’ll clone the ModSecurity repository into the /opt directory
$ cd /opt && sudo git clone --recursive https://github.com/SpiderLabs/ModSecurity && cd ModSecurity
Next we run the build script
$ sudo ./build.sh
Next we’ll run the configure script, which checks for all the dependencies needed for the compilation
$ sudo ./configure
It is possible that this command fails and reports any dependencies that are still missing. You can simply google them with “install XYZ on Ubuntu” and run the configure command again. Ideally it will just exit without any errors. Next we start with the actual compilation of ModSecurity
$ sudo make
A reason why I didn’t go with the smallest server was that this step is resource intensive and could take 15 minutes or more depending on your server’s CPU and memory.
If all went through, we can now install ModSecurity
$ sudo make install
If all went through without any errors, we have ModSecurity installed.
Set up ModSecurity <-> Nginx connector
We start off by downloading ModSecurity-Nginx and Nginx source code. Note that the version of Nginx in the next command must match the version installed on our system. For me, that’s 1.18.0 but it could be different for you.
$ cd /opt && sudo git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
$ cd /opt && sudo wget http://nginx.org/download/nginx-1.18.0.tar.gz
Untar the Nginx source. Replace the Nginx version in the next command if needed.
$ sudo tar -xvf nginx-1.18.0.tar.gz
Next, we need to grab configure arguments. For that, run the nginx command with a capital ‘V’ flag.
Don’t copy the above command. You must use the configure arguments supplied by your installation of Nginx.
Next we build the modules
$ sudo make modules
This is a compilation step and may take a little while (a minute or so) to complete. The final step here is to copy the compiled modules to a place from where we can reference them from our Nginx config.
OWASP’s Core Rule Set is a set of rules that cover the most common frameworks and technologies as well as signatures for common web application attack payloads. It is a good place to start if you don’t want to write custom rules for many common attacks.
So far we’ve configured everything, but if we restart Nginx now it will only detect attacks, not block them, since ModSecurity’s default operating mode only logs malicious requests. To change that, let’s open the file /etc/nginx/modsec/modsecurity.conf and change the line
SecRuleEngine DetectionOnly
to
SecRuleEngine On
For our changes to go live, we’ll need to restart Nginx.
$ sudo systemctl restart nginx
Let’s test our ModSecurity installation. Open your browser and send a sample payload in a GET parameter. It doesn’t have to be a real parameter, just something that can trigger an XSS filter.
That’s ideal. ModSecurity is working and blocking seemingly malicious requests to our web server. Now any application that sits behind our web server will be protected against many generic web application attacks, including the OWASP Top 10, thanks to OWASP’s Core Rule Set.
In conclusion
It isn’t the most straightforward of installations, but it isn’t very difficult either. The hard part, however, starts here: getting rid of all the false positives and tweaking the installation so that it fits the needs of your specific web application. Depending on how complex an application you’re trying to protect, it can be fairly time consuming.
I’ll cover how to tweak the parameters of ModSecurity to fit our needs in a separate article.
That’s it for this article, thank you for reading!
WordPress has been powering my blog since the start of last year. In fact, migrating my Jekyll template to WordPress was one of the highlights of my new year 2021 and I’m very happy that I did, although I didn’t publish as much as I had hoped for. Fortunately, I’ve learned a lot more about WordPress over the course of a year than when I started. In this short primer, I hope to go into a bit more depth on how to securely run a self hosted WordPress website.
Prerequisites
Before we get started, there are a few things that we need to make sure we have:
Self hosted WordPress installation with SSH access
I wish I could just sticky something like this on top of most of my articles, but most people trying to attack our websites don’t have the time or resources to develop and use 0days. They use existing exploits out in the wild, and some of these exploits can be months old, if not older. WordPress core and plugin authors can do little more than promptly release patches for the security vulnerabilities they find.
So then it is up to us as site admins to make sure we patch as soon as is feasible. Having worked on many large codebases, I know automatic updating isn’t always possible or even desirable, but keeping an eye on the changelog can definitely help avoid getting compromised.
I’d also recommend a web security helper plugin that sends alert emails when it detects outdated plugins / themes / core.
2. Fix file permissions
During development, many file and directory permissions are far too open, to make it easy to set up the website and all plugins. In production, however, the permissions can be dialed down a notch to prevent anyone with any access on the server from taking over the whole website.
Similarly, attackers typically upload web shells through the uploads functionality, and if code execution is disabled in that directory, we make it harder for this attack to succeed.
Administrator accounts have many powers on a WordPress website, and a compromised administrator account can lead to uploading of PHP shell code leading to command execution and server compromise.
To make sure admin accounts are extra secure, enforce 2FA on all administrator accounts. This can be done by any 2FA or login security plugin on the WordPress plugin store.
4. Set up auto banning of failed logins
Since WordPress doesn’t ship with any built-in way of auto-banning failed login attempts, we have to rely on plugins like WordFence. WordFence will need to be configured with options to block login attempts after a certain number of failed attempts.
WordFence can also help you disable execution in upload directories, block IP addresses making malicious requests and much more.
5. Enable regular backups
While we can take preventive measures against mishaps, we can never be sure. Hence it is imperative that the website is backed up regularly. Backing up can be done at multiple places. The database can be backed up separately from the static assets and files. There are many plugins, like WPVivid, that help you fine tune what gets backed up and where it gets stored. It is always nice if you can afford an external backup location, like AWS S3.
The hosting provider might also have ways of backing up the website. For example, AWS Lightsail has daily instance snapshots which backs up the entire disk.
6. Disable XML-RPC
If you don’t use plugins that rely on XML-RPC or the WordPress mobile app, it is wise to disable XML-RPC, which removes another attack surface widely used by attackers. Many plugins allow disabling XML-RPC, including the aforementioned WordFence.
7. Disable file editing in WordPress admin
Disable editing of files from WordPress admin as that’s almost never a good idea, especially if you can achieve the same using more secure methods like SSH. To disable file editor, simply add
define( 'DISALLOW_FILE_EDIT', true );
to your wp-config.php file.
8. Use a Web Application Firewall
A firewall plugin like Sucuri or WordFence can identify attack signatures and block malicious requests. Many also include IP address block lists that prevent known malicious IP addresses from reaching your WordPress website.
For more control, there’s ModSecurity. ModSecurity needs to be installed alongside the web server, and it can detect and block known attack signatures for not just WordPress but just about any popular web framework. It does require deeper technical know-how to set up and maintain ModSecurity, and a plugin might be a better approach for most people.
9. Don’t forget the usual web security measures
A WordPress website is, at the end of it all, a website. While there are WordPress specific ways of hardening a WordPress installation, there is also a whole plethora of best practices that apply to every website, including the WordPress ones.
Use HTTPS – SSL/TLS certificates are free, and usually come by default with many hosting providers and CDNs. Don’t forget to turn it on and enforce it in strict mode.
Use appropriate security headers – Headers tell the browser how to handle your website’s content. Many client side attacks can be mitigated by using the right set of headers. A detailed list of useful headers can be found on OWASP’s website: https://owasp.org/www-project-secure-headers
Use CAPTCHA on login page – to prevent bot submissions and more sophisticated bruteforce attacks, enforce a CAPTCHA like reCaptcha on login page. WordFence supports this out of the box (needs an API key from Google).
Handle user input with care when using a custom theme – when using a custom theme that accepts user input in the form of query parameters to show filtered content, the regular best practices around user generated input have to be followed. Embedding user input in output can lead to Cross Site Scripting, while passing it straight to the database can lead to SQL Injection.
In conclusion
I hope that was useful. If you have any questions around WordPress or suggestions to improve this article, feel free to reach out to me via email. Thank you for reading!
A long time ago I worked on a theme called Elementary for my Jekyll blog. The goal was simple, to create a website that just works, and works fast. In fact, I’ll just paste the line from the readme of the GitHub repository.
This is my personal blog’s Jekyll template that I’ve been optimizing for performance, accessibility, usability, readability and simplicity in general.
I personally do not approve of personal blogs bloated with hundreds of kilobytes of trackers and analytics code, and hence, this is an attempt at creating something that I’d be comfortable with using on my website.
The goal was accomplished. I managed to get a perfect score on many of the pages. But I wanted to write more and while on the go, and plaintext editing on phones is a pain. Then the other problem was to add it to git and push it. In short, working with a static blog from an Android phone wasn’t easy.
That’s when I moved to WordPress. I ported the theme to Elementary-WordPress, which is essentially the same theme but in a WordPress shell. It worked really well, but the problem was all the bloat that WordPress sends to the frontend. For a while I didn’t care enough. I was still serving a fast website, albeit with Jquery, emojis and other code that wasn’t getting used anywhere else.
Today, that changed. I finally took some time to optimize the website and got back my perfect 100/100 PageSpeed score. Here’s how I did it.
If your website isn’t ancient, there’s a good chance you’re not using jQuery. If some plugin you’re using relies on jQuery, consider alternatives. Dropping it will save you ~30KB and an HTTP request. Adding the following to functions.php should do it.
If you’re not super keen on using the smart browser detection functionality that Google Fonts offers and are happy only supporting modern browsers, simply downloading the font files and linking them with @font-face can save an additional DNS and HTTP request.
Use font-display: optional property
I’m using the font-display: optional; CSS property on my @font-face and it pushed my PageSpeed score over the top. Essentially it prevents the CLS, or Cumulative Layout Shift, metric of Core Web Vitals from being affected by layout shifts caused by slow-loading font files.
Building pages to serve the users is expensive as it involves the database, but isn’t something that needs to be done for every visitor visiting the same page. A plugin like W3 Total Cache coupled with a Memcached instance (could be running on the same server as the website) could enable caching of pages among other resources in memory, reducing the load on the server and improving performance for cache-hit pages.
Fix conflicting cache strategies
I’m using W3 Total Cache plugin that helps minify and cache CSS and JS files. But I wasn’t seeing any minification happening. Upon some reading, it turns out that CloudFlare’s minification conflicts with W3 Total Cache’s. Disabling it on CloudFlare’s side fixed the non-minification problem for me.
Use a CDN for asset delivery
Once the thing to deliver is optimized, it is a good idea to optimize the delivery pipeline as well. Since my server is in the same country as me, it is easy to make a mistake of thinking every visitor of the website is seeing a 50 milliseconds time to connect to the server. The further the user is from the origin server, the longer it could take.
Hence, a global CDN like CloudFlare should be used, which can serve static content from the edge node physically closest to the visitor.
TODO: Inline all CSS and Javascript
It doesn’t go beyond 100, but I’d still like to improve it further. For one, the little bit of CSS and JS that does exist doesn’t need to cost two additional HTTP requests. Inlining that bit will mean that blog posts without an image, which for me are most of them, will get served in only three HTTP requests: the document, the font file and the favicon. Pretty cool, huh?
Conclusion
I’m pretty pumped about the 100/100 score. WordPress has a reputation for being slow and bloated, but with some simple optimizations, it starts performing the way you’d expect some text on a page to perform.
I see that I’ve picked up this habit of keeping half finished articles in the backlog. Need to fix that. Anyway, let’s hope this article gets to see the light of day on the internet.
I wanted to write some of my current thoughts on the idea of slow thinking. I’d warn you before we start that none of what you’ll read in this article is a novel thought of my own. Rather, it is an aggregate of the various different books I read in the past three months, many of which pointed me towards this idea. It is just my interpretation of the idea, but I’d like to document it nevertheless.
What is slow thinking?
The way I understood it, slow thinking is the non-reactive way of thinking and responding to a situation. When presented with a situation that sets off strong emotions — especially negative ones like anger, fear or jealousy — the idea is to take a step back and recognize the emotion itself, thereby detaching ourselves from that emotion. It is also handy when dealing with situations that trigger an impulsive reaction, not necessarily a negative one.
From experience, I can vouch for the fact that reacting when in an emotional turmoil isn’t usually the best idea. I’d struggle to find an example of a situation in my life when bursting with anger, screaming at someone, getting violent or very negative brought me any net positive.
Similarly, impulsively doing something can sometimes be beneficial, but often, and especially in the modern world we live in, impulses are unwarranted and just a remnant of the tribal and fight-for-survival past of humans. Being able to recognize when an impulse is justified and when it is not can come in handy in many life situations, and the ability to do so can be treated like a skill to hone.
Of course, none of this is to suggest we shouldn’t feel emotions. It is perfectly reasonable to feel sad about some of the world events we’re constantly made aware of, just as it is nice to feel excited about the thought of having a cake or petting a cat. I think the idea here is to recognize the complexities and different parts of the mind that are responsible for different emotions and reactions instead of abstracting it all under the one “you”. The idea is to go from “I’m angry” to “I’m feeling anger” and so on.
The following idea is from Robert Wright’s Why Buddhism Is True. Essentially, one can imagine there to be different modules that keep getting activated and deactivated as we go about our lives, and we live through those modules as long as they are active, like experiencing feelings towards the protagonist in a movie or feeling happiness upon hearing a good news. The modules may be triggered by external stimuli, and as such, we’re not really in control of the orchestration.
Since we’re not orchestrating how exactly we feel or react to a situation, it implies there’s no “you” but a lot of different parts that become “you” depending on the situation and the trigger. Lost a game, the “dejected” module activates. Had a nice time at the park with your partner, the “happiness” or “gratitude” module activates.
Yep, we’re talking in very abstract terms, but that’s okay. There’s no way to comprehend the immense complexities of the inner workings of the mind without spending a lifetime studying the subject like the people whose thoughts I’m borrowing and interpreting did. And like they say, all models are wrong. So as long as this way of thinking helps us better understand why we do what we do, it can be useful.
So how does one slow think?
I don’t think there’s one way to do it. The book I referred to earlier, Why Buddhism Is True by Robert Wright, suggests meditation techniques that can be put to use to recognize our emotions and detach ourselves from them. Thinking, Fast and Slow by Daniel Kahneman educates us about the biases that we might not recognize in our behaviors and that knowledge makes us more aware of our cognitive fallacies. Relationships by The School of Life, speaks about many of the inherent complexities in humans and human emotions and why people behave in certain ways from time to time (of course, with a focus on romantic relationships).
I think it doesn’t matter which way we choose to learn to slow think; it could be through mindfulness meditation, or educating ourselves on the topic of cognitive biases, or understanding the person we’re dealing with and recognizing them as humans and their emotions. The end goal is the same: to be less reactive, judgemental and impulsive, and more curious.
In conclusion
I hope this was a useful primer on the topic of slow thinking. I’m looking forward to putting it to use in my life and seeing how it works for me. That’s it for now. I’ll go back to getting entertained looking at all sorts of interesting people and the life happening at Catania airport.
We’ve just entered a brand new calendar year, so I’ll start with that. Happy new year everyone!
New year warrants some new learnings, I know. But I’ll start with something that I got into a couple of months ago and that has changed the way I see the world. It is digital photography.
Like probably many people at some point or other in their lives, I started getting unusually fascinated by pictures. Not just pictures for the sake of pretty pictures, but pictures as a medium to tell stories and pictures as a canvas for creativity. At this point, I know for a fact that no matter how trivial an activity looks, there’s usually a lot more than what meets the eye, and surely this was the case with photography. After all, it isn’t one of the most popular professions and side hobbies for no reason.
I started reading a book (Understanding Exposure by Bryan Peterson) that was a gift from a friend and it got me very involved in photography. I understood the basics, and then a bit more. I put into practice what I’d learned by taking pictures of the places I traveled to and people I met. I used photo editing tools to give extra character to my pictures. I shared them on social media as a reminder to my future self, and now I’m writing this article about how I’m feeling as a reminder to myself but also as a general guide to anyone stumbling upon this from search engines.
I’ll list some interesting avenues where I spent the most time, and probably you will too in case you decide to take up this beautiful hobby!
Equipment
If you’re like me, this is where you’ll spend the most time in the beginning — finding the right equipment. Any seasoned professional will tell you that it doesn’t matter nearly as much as the many other things you’ll learn down this path. All I can add to that is that the most important aspect of having the right equipment is that you should be excited to use it and carry it with you. It doesn’t have to be the most expensive or the most shiny, but it should bring a smile to your face when you pick it up to leave your house (you wanting to pick it up when leaving your house for a walk is implied here).
If you do basic research before buying stuff online, it is hard to go wrong with your first equipment. You’ll find yourself asking questions like what size sensor the camera should have, or what lenses to go for, but if you have limited money like most people, you’ll quickly realize the best options for a given budget aren’t all that many and from among those, you’ll probably be fine with either as a beginner.
For me, apart from the happiness factor of the equipment, the other very important factor is knowing the limits of your equipment. If it is a beginner’s camera, or a used old pro piece of equipment (or any, for that matter, but especially these), it will have some quirks that you need to be aware of: lack of high dynamic range, poor low light performance, a camera body that isn’t weather proof, lens performance quirks, lack of 4K video or image stabilization, to name a few. When you know the limits, you won’t be disappointed when your equipment doesn’t perform as per your expectations. Given how good phone cameras are these days, this is especially important, as your phone will most likely take better pictures (bright colors with good contrast and HDR) than your camera right out of the box.
The last piece of equipment advice is to make it easy to take your camera with you. After the initial excitement runs out, you don’t want to just find an excuse to not have your camera with you. I read somewhere that the best camera and lens is the one you have with you.
Exposure triangle
Even centuries after the first photograph was taken, some of the basics of this trade haven’t changed. At the absolute basic, a photograph is just some light projected on a light sensitive film. This opening of the light sensitive film to light is called an exposure. A good exposure has three important components, forming the exposure triangle. The exposure triangle is formed by a simple set of parameters:
How long do we expose the film?
How sensitive is the film?
What’s the size of the opening through which light falls on the light-sensitive film?
They are referred to as shutter speed, ISO and aperture respectively. All three do the same thing — control exposure or amount of light information captured by the film or sensor (in case of digital photography) — but each has its own tradeoffs. A clear understanding of the tradeoffs and when to prioritize what will help you take more controlled pictures.
WClarke and Samsara, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons
Shutter speed refers to the amount of time the “shutter” of the camera stays open. The longer it is open, the more light the sensor (or film, but I’ll use sensor as I’m guessing the vast majority of people think of digital photography when they hear the word photography) gathers. But if the shutter speeds are too slow (as in, it stays open for longer), your picture can turn out blurred if the camera isn’t kept steady for the duration of the exposure. On the other hand, too high shutter speeds can result in darker images as there just wasn’t enough light to properly illuminate the sensor.
ISO is the sensitivity or gain of the sensor. Just like with a microphone, increasing the sensitivity or gain increases the amount of signal captured, but also the noise. Digital cameras usually have an ISO range, like 100 to 6400, from which you can choose depending on the situation.
Aperture is the size of the opening of the lens that focuses the image on the sensor. Naturally, a larger opening results in more light captured. But interestingly, larger openings create a narrower plane of focus (creating a beautiful bokeh effect) which, while beautiful for some kinds of pictures, isn’t always ideal, and you have to “stop down” (increase the aperture number, i.e. reduce the size of the opening) to get the desired depth of field.
Lenses – Reading the specifications
If you are able to afford an interchangeable lens camera (which is quite an appropriate name for a camera that you can attach different lenses to) you’ll be presented with a wide array of lenses you can buy that have very cryptic specifications. While it gets more complicated the more you know, a lens will generally have a few key specifications:
Focal length
Specifies how wide or zoomed the perspective of the lens is.
Wide angle lenses are useful to capture a wide scene, like landscapes, while zoom lenses are useful to get closer to the subject without getting physically close. As you can guess, zoom lenses rule in the world of animal and sports photography.
It usually is measured in millimeters, and is either one number (For example, 50mm for prime or single focal length lenses) or a range (For example, 18-55mm for zoom lenses).
(Peak) Aperture
It is the measure of how large the camera’s lens can open and as a side effect, how blurry the foreground and background of your picture can get. It is measured in f-stop numbers and just like with focal length, it is either one number (For example, f1.8 for prime lenses) or a range (For example, f3.5-5.6 for zoom lenses).
[Image credit: KoeppiK – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=78136658]
Something to note is that a lens can always “stop down”, or shrink the size of its opening. The number on the lens is the maximum it can open for the focal length.
Just like with focal length, you don’t necessarily need to know what that number technically means to be able to select and operate the lens correctly. But it doesn’t hurt to know.
Image stabilization
Image stabilization is the ability of the lens (or camera) to reduce the impact of shaking on the final picture. Zoom lenses typically have image stabilization, while prime lenses typically don’t. The larger the focal length (or zoomed perspective), the more important having a stabilized lens becomes because the more “zoomed” your perspective is, the more prominent slight vibrations of your hand become.
Composition, and how it changes the way you see the world
While I can spend hours talking about topics like DSLRs vs mirrorless cameras, Sony vs Canon and the like, I think we can all agree those are better suited for Reddit and other internet forums. Here, I’d like to be a bit more personal and talk about something a bit more abstract and not technical. The experience of photography.
I’ve used smartphones with really good cameras. On multiple occasions I’ve owned a mobile phone with a camera that was considered “flagship” at the time I bought it. Even then, I wasn’t exposed to the way of photography until I actually got my hands on my first DSLR, my first “manual” camera.
I think I understand part of the reason. With phone cameras, you’re an operator of a blackbox. Sure, most phones take decent pictures most of the times (especially these days). They’re consistent, compact, internet enabled and always in our pockets. They’re also quick to share pictures on chat and social apps, which is arguably the end goal for many people taking pictures.
And don’t get me wrong. My phone takes wonderful pictures. Right out of the box, my iPhone 13 takes pictures that are arguably better to look at than my massive Canon 7D’s pictures with their poppy colors and HDR. But there’s no spark, no connection. When I take a good photo with my iPhone, I think the phone did a good job. When I take a bad one, I think the phone did a bad job.
That’s what makes manual photography so interesting. I own the composition and exposure. I envision the result before I take a picture and see if it worked out, and not simply like or dislike it after.
And if I fail, I know why. Or at least I know it was something that I did and I can improve upon it. This realization, seeing failure (a bad photo in this case) as just another opportunity to learn something new, is what’s different between taking a picture with my phone and with my 12 year old Canon DSLR.
The photos themselves have character and a story to tell for they are just an extension of your imagination at this point.
In closing
Ever since I started carrying my camera around, I started seeing beautiful compositions in even the most mundane of things.
I started noticing everything consciously for that’s where my next best picture could lie. Everyday streets had graffiti that I had never bothered to look at, or birds and animals and the detail in their creation. Even people and their faces seemed interesting — people that I’d known for years, even my parents. It filled me with gratitude for the beautiful world that we live in, and this experience of being alive.
I learned what “pause and ponder” meant and I started doing that even when I didn’t have my camera with me. Interesting what a hobby can do to you.
I was going through my phone’s gallery when I spotted a photo of Yzma from The Emperor’s New Groove. It took me by surprise, because I discovered the movie just this year and was absolutely in love with it, especially the Yzma character. But the image in my phone’s gallery was from 2018 in the form of a meme. Weird internet stuff. Anyway, I digress. So, what are we talking about today?
Ah yes, intentional learning.
Growing up, we all have natural interests. Be it art, science, music or dance, or computers (sigh..). We are motivated to learn new things around our interests. And from time to time, we discover new interests. School is interesting in that regard. You’re thrown in between a bunch of other kids with completely different and random interests, and there’s osmosis of interests happening when we see that other kid in the class drawing something or reading a book about the solar system or they see us playing a new game or so.
But that diversity of interests decreases once we enter university. The people we’re with have chosen a similar course and chances are that they had a similar set of interests. There’s still a fair bit of interesting diversity, and it is still possible to meet people from courses other than ours and see what life outside is like.
But for me the biggest difference was getting out of university and starting full time work. Many small to medium sized workplaces hire people of specific types depending on their culture and/or domain, understandably so. Many are open to diversity of thoughts and ideas, but of course not too open so as to not destroy the culture that they’re trying to cultivate in the first place (which, of course, is important but to what extent is a separate discussion in itself). What happens then is that we end up in bubbles of people with similar interests as us.
Of course, like with many things, this isn’t a black or white, good or bad situation. On the bright side, our growth in a field (say a particular hard skill we’re trying to hone) can really skyrocket when surrounded by the right people and mentors. That of course has a very positive impact on our careers and professional growth.
But what I found lacking was exposure to experiences, interests and hobbies that were far outside of my bubble. And since I wasn’t exposing myself to interests and hobbies outside of the ones that already existed, I was also not meeting people who had these drastically different interests or hobbies (or opinions, for that matter).
For this very reason, I am trying intentional learning. The basic premise is very simple. Find a new skill, hobby or interest and just learn to get good enough, whatever that means, but not perfect. So far this year, I’ve worked on my Chess skills, learned some German, learned a couple of songs on the Ukulele, tried my hand at sketching and painting, and I’m picking up some photography basics now. Of course, the goal is not to become proficient or professional in any capacity, but just to experience the joy of being a complete novice in a new field and see how far I can take it.
The side effect is that the curiosity and learning muscles stay in good shape for when one has to learn something new (which proved to be useful when studying for a certification exam recently). The other side effect is becoming more conversationally accessible to a wider part of the population, sharing interests with more and more people. Yet another side effect is that it makes one more empathetic and open minded. Playing chess isn’t any more worthy than making memes or playing guitar or learning programming. Sure, some skills are valued more in the world we live in due to a multitude of reasons, but it takes effort to build any skill and as such nothing can or should be dismissed as unimportant or unworthy of pursuing.
The real joy, however, is in the process of learning; going from not being able to do something to being able to, building muscle memory, watching amateur and pro videos of people doing it on YouTube and being able to talk to someone or join communities with the same interest.
And instead of looking at people who’ve honed that skill their whole life and getting sad that you’ll never reach there, find joy in the fact that you can instead get good enough at it and then move on to hundreds of new skills and hobbies, getting a taste of the different ways to be alive, to exist. You’ll also retain this phase of your interest in your memories, which will feel nostalgic when, a long time from today, you encounter this skill or hobby in some form or the other or meet someone embarking on their journey into it.
In closing
I hope that was interesting to read and motivates a few of you to pick up some random new hobbies or learn something totally different, unrelated to your work or life and see how it goes. I am convinced it has some real merits over the demerits. From my perspective, the biggest demerit is that we end up spreading too thin over a bunch of things, while not mastering anything. Personally, I’m okay with that right now. But depending on where you stand, it may or may not be. But having said that, it isn’t black or white and leaves a lot of room in the middle to play around and see what works best.
Thank you for reading. Following is a personal message unrelated to the article.
I took a long break from writing, but it is good to write something again. If you visited this website in the last four months anticipating a new post, apologies for the delay and thank you for being a super-reader of my blog. Until next time!
Like most things in life, WordPress isn’t perfect. But for a publishing platform, it is quite up there with the best in the business. For writing, I haven’t had any complaints so far, but when it came to customization or workflows around maintaining a theme, I was a little lost.
To me it somehow felt very liberating and restricting at the same time. Liberating, because of the ecosystem; themes, plugins, hosting platforms, tons of helpful resources and support. Restricting, if and when you want to build a custom theme and don’t speak much PHP, general added complexity compared to a static site generator, having to deal with hosting providers, updates and added maintenance work.
But depending on the requirements, WordPress might actually make a lot of sense as a publishing platform (well, of course. It powers 40% of the web). My blog used to be hosted on GitHub Pages with Jekyll as the site generator until I made the switch to WordPress a couple of months ago. What I did struggle with was finding a setup that offered a smooth workflow around managing a custom theme with a self-hosted WordPress instance.
This article is an attempt at fixing that and aggregating some useful tips. I’ll try to cover the following:
A self hosted WordPress website that’s affordable yet stable
Continuous deployment pipeline for custom themes
Backups that are reliable
CDN and caching
Securing the website
Let’s get started.
Platform setup
I decided to go with AWS Lightsail one click WordPress install. You’ll find more information on the Bitnami WordPress page about the stack. It is lightweight and runs perfectly fine on a 512MB RAM / 1vCPU instance. Once behind a CDN and page cache, the website can handle a fair number of visitors.
This step assumes you have a custom WordPress theme or source code of a theme available on a GitHub repository. You only need to follow this step if you think you’ll be making frequent changes to your theme files and would like to have a pipeline for the automatic deploy of the theme (say, for example, when you commit a change to the master branch of your repository). Alternatively, you can always create a zip file of the theme and upload it manually via the WordPress admin panel if you prefer to keep things simple.
Assuming you have a theme hosted on GitHub, you’ll need to make use of Travis CI to build your code (if there’s any CSS or JS that needs to be transpiled), test it (if there are any checks) and then upload the files to the AWS Lightsail instance using secure copy (scp). Following are some resources to help you get started.
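As an added example (it is not code from the original post, nor from any theme repository), here is the kind of deploy script the Travis CI job described above would run once the build and test steps have passed. The theme name, the bitnami login, the themes path under /opt/bitnami and the DEPLOY_HOST / KNOWN_HOST variables are all assumptions; a real job would supply the last two as encrypted CI settings. What it adds to the text is what must not be copied into the web root, and how to pin the instance’s SSH host key so the job cannot be redirected to a look-alike server:

```shell
#!/bin/sh
# Added example, not from the original post or any theme's own repository:
# package a custom theme from a CI checkout and ship it to the Lightsail
# instance with scp, the way a Travis CI deploy step would run it.
# Everything below is an assumption for illustration: the theme slug, the
# Bitnami paths, and the variables the CI job would supply as secrets.
set -eu

THEME_NAME="${THEME_NAME:-my-theme}"      # hypothetical theme directory name
DEPLOY_USER="${DEPLOY_USER:-bitnami}"     # default login on the Bitnami image (assumed)
DEPLOY_HOST="${DEPLOY_HOST:-}"            # instance IP or hostname, from a CI secret
# One known_hosts line ("203.0.113.10 ssh-ed25519 AAAA..."), captured once from the
# instance itself (e.g. through the Lightsail browser terminal), never from the network.
KNOWN_HOST="${KNOWN_HOST:-}"
REMOTE_THEMES_DIR="${REMOTE_THEMES_DIR:-/opt/bitnami/wordpress/wp-content/themes}"  # assumed path

# package_theme SRC_DIR OUT_TARBALL
# Archive the theme so that only what WordPress needs reaches the web root.
# The repository's .git directory, build dependencies, local secrets and
# source maps must never land under wp-content, where the web server serves them.
package_theme() {
  src="$1"; out="$2"
  parent="$(cd "$(dirname "$src")" && pwd)"
  name="$(basename "$src")"
  tar --exclude='.git' --exclude='.github' --exclude='.travis.yml' \
      --exclude='node_modules' --exclude='.env' --exclude='*.map' \
      -czf "$out" -C "$parent" "$name"
}

# package_contents TARBALL: list the archive so the CI log shows exactly what shipped.
package_contents() {
  tar -tzf "$1"
}

# deploy_theme TARBALL: copy the archive and unpack it into the themes directory.
# StrictHostKeyChecking=yes with a private known_hosts file pins the server's key
# instead of trusting whatever answers on the first connection.
deploy_theme() {
  tarball="$1"
  if [ -z "$DEPLOY_HOST" ] || [ -z "$KNOWN_HOST" ]; then
    echo "DEPLOY_HOST and KNOWN_HOST must be set" >&2
    return 1
  fi
  hosts_file="$(mktemp)"
  printf '%s\n' "$KNOWN_HOST" > "$hosts_file"
  ssh_opts="-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$hosts_file"
  # shellcheck disable=SC2086  # ssh_opts holds only space-free words
  scp $ssh_opts "$tarball" "$DEPLOY_USER@$DEPLOY_HOST:/tmp/$THEME_NAME.tar.gz"
  ssh $ssh_opts "$DEPLOY_USER@$DEPLOY_HOST" \
    "tar -xzf /tmp/$THEME_NAME.tar.gz -C $REMOTE_THEMES_DIR && rm -f /tmp/$THEME_NAME.tar.gz"
  rm -f "$hosts_file"
}

# Run as: ./deploy_theme.sh deploy   (from the repository root, after build and tests)
if [ "${1:-}" = "deploy" ]; then
  package_theme "./$THEME_NAME" "/tmp/$THEME_NAME.tar.gz"
  package_contents "/tmp/$THEME_NAME.tar.gz"
  deploy_theme "/tmp/$THEME_NAME.tar.gz"
fi
```

Extracting over the existing directory adds and updates files but does not delete ones removed from the repository; remove the old theme directory on the instance first if that matters to you. The key the job uses should belong to a deploy-only account or at least be limited to the themes directory, so a leaked CI secret does not hand out the whole instance.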
For backups, I’m using a couple of strategies but I think either one should suffice for my use case.
AWS Lightsail snapshots
I’d recommend enabling automatic daily snapshots of your instance in AWS Lightsail. So if things go very south, you will lose 1 day’s worth of data at most. Since my blog’s content is rarely updated, this works near perfectly for me.
WPVivid is a nice plugin that offers more precise backups, meaning you can choose to back up just your database, or files, or both. It also has cron functionality and offers backups every 12 hours (more frequent if you’re a paying customer). WPVivid allows you to transfer the backups to Google Drive, AWS S3, Dropbox and many other third party providers.
Server health monitoring and alerts
I’m using New Relic to monitor the health of the WordPress instance. It isn’t necessary as AWS Lightsail already comes with basic dashboards for monitoring CPU performance and burst usage (giving a rough idea about whether the server is sweating under load), but if you’d like to go a bit fancy with the whole monitoring thing and set up alerts for throughput, error rate etc, New Relic is quite good.
New Relic really shines at showing you the external services your instance is talking to, database operations and the CPU usage share per plugin that you have installed on your WordPress website. That information can help you debug any services / plugins that are slowing down your website or doing something strange behind your back.
[Screenshot: Metrics in AWS Lightsail]
[Screenshot: Metrics in New Relic]
Both AWS Lightsail alerts and New Relic alerts support multiple channels, so feel free to use SMS, email, Slack or whatever your preferred way of getting alerted is.
CDN and Caching
My go-to CDN for any personal website is Cloudflare and that is what I’m using here. I didn’t have any problems with the admin interface behind the CDN and all seems to work very well. I have a page rule that overwrites cache control headers from WordPress and forces everything under /wp-content/* to be cached.
For page caching, I’m using a plugin called W3 Total Cache. It was the most popular performance optimization plugin and was recommended to me. It has a “Page Cache” option which needs to be enabled and set to use disk as the cache store.
Security
To secure the Lightsail instance, I’m following some basic good practices and a plugin to help me set up some blocking rules.
The Lightsail instance is kept as close to stock as possible, with no extra packages installed on my side.
Close port 80 and, if you’re using a reverse proxy CDN like Cloudflare, allow only Cloudflare’s published IP ranges to reach your origin server.
As with the Lightsail instance, the WordPress installation should stay close to stock, with as few plugins as possible.
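The second point above, letting only Cloudflare reach the origin, is tedious and error-prone to type by hand, so here is an added example (not from the original post) that turns a list of CIDR ranges into a ufw rule set: deny everything inbound by default, rate-limit SSH, open 443 only to the listed ranges, and keep 80 closed. The ranges embedded in SAMPLE_RANGES are a short constructed sample with a deliberately malformed line; at deploy time feed the script the lists Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 instead. The file name cloudflare_origin_fw.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: build the ufw rule set that
# lets only Cloudflare's edge reach the origin over HTTPS and keeps port 80
# closed. Feed it the published lists (https://www.cloudflare.com/ips-v4
# and ips-v6) on stdin; SAMPLE_RANGES below is a constructed stand-in.
set -eu

SAMPLE_RANGES='# constructed sample, not the current Cloudflare list
173.245.48.0/20
103.21.244.0/22
not-a-cidr
2400:cb00::/32'

# is_cidr RANGE: accept a.b.c.d/0-32 or an IPv6 address/0-128, reject anything else
# (individual IPv4 octets above 255 are not checked; the published lists are well-formed).
is_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' && return 0
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# cidr_rules: read ranges from stdin, emit one allow rule for 443/tcp per valid range.
# Blank lines and comments are ignored; malformed lines are reported and never turned
# into a rule, so a truncated or corrupted download cannot silently open the port wide.
cidr_rules() {
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;
    esac
    if is_cidr "$line"; then
      printf 'ufw allow proto tcp from %s to any port 443\n' "$line"
    else
      printf 'skipping malformed range: %s\n' "$line" >&2
    fi
  done
}

# firewall_script: the full rule set on stdout, ranges taken from stdin.
firewall_script() {
  printf '%s\n' \
    'ufw --force reset' \
    'ufw default deny incoming' \
    'ufw default allow outgoing' \
    'ufw limit 22/tcp'            # SSH stays reachable but rate-limited
  cidr_rules
  printf '%s\n' \
    'ufw deny 80/tcp' \
    'ufw --force enable'
}

# With no arguments, print the rule set for the constructed sample so it can be reviewed.
# With "apply" and the real lists on stdin, execute it (as root on the instance):
#   curl -fsS https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6 \
#     | sudo sh cloudflare_origin_fw.sh apply
if [ "${1:-}" = "apply" ]; then
  firewall_script | sh
else
  printf '%s\n' "$SAMPLE_RANGES" | firewall_script
fi
```

Review the printed rules before applying them, and re-run the script whenever Cloudflare changes its ranges. Lightsail also has its own per-instance firewall in the console’s Networking tab; apply the same restriction there so the origin stays covered even if ufw is ever disabled, because anyone who learns the origin’s IP address can otherwise bypass the CDN, and with it the caching and any blocking rules, entirely.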
Humans are fragile creatures. The illusion of stability and control we have in our lives is comical. Our mind seems to have mastered the art of separating itself from the world’s events. We almost know it. It is hard not to if you spend any time on internet social media or any form of conventional news source. Unfortunate things happen, lives end or get ruined for reasons so trivial that’d make you not want to believe it.
Yet, when it comes to our own lives, we’re fairly certain about our timelines. There’s career, that promotion, getting a house, getting married and so on. There’s always the end of life to be content with what we have; be grateful. Now’s the time to be at unrest, to complain and wish for more, to hustle. And it isn’t as if it is our fault. Society is truly designed to make you feel exactly this way, discontent at every single stage of your life. Get good grades or you’d not get into a good university, study hard or you’d not have a good job, work harder or you’d not get that promotion, don’t plateau in your career or you’d not be able to afford a house, keep working to be able to enjoy a happy retirement and so on.
And what if you’re still not able to enjoy your life finally at 65? Oh those are just the guidelines, too bad it didn’t work out for you. Guess what, it is called 1% for a reason. Try again in the next one. And of course, thank you for your participation in the rat race.
So, what’s my point?
The point that I’m trying to make is that if something is important enough to you, do it without waiting for some special phase of life to come by. No one knows what tomorrow will look like. If this entire pandemic has taught us anything, it is that we have no control over the future, not tomorrow and much less months or years in the future. The present is the only thing we have for certain, so why not make the best of it; by treating it like it is the peak of our health, wealth, social skills and so on.
And how do we do that?
By being grateful for what we have. It is only when we consciously recognize how lucky we are to have all the things that we do, do we start valuing it. Being able to move around on your own, see, hear, talk, travel, read, write, meet friends, drink coffee, enjoy a sunset or snow; little things that many people might not have the good fortune to experience.
The world is like a nasty slot machine. Luck plays a huge role in almost everything we do, and it starts right at the moment you’re born. We are the product of our circumstances. There’s not much we can do about that, except that we recognize our privileges and act accordingly. Have a chance to do something good for someone? Do it. Realize your actions might’ve caused hurt? Apologize. Have people that pull you back? Filter.
Time really is the only real currency that we have. While it does seem like a tragedy to not know how much more of it we have left, I think it is a blessing in disguise. Think of the last time you had a deadline for an assignment. Did you wait for the very last moment to do it? If you’re like most people then probably yes. That’s probably what would happen if we knew exactly how long we have to live. We would procrastinate everything until the last moment, wasting away most of it. Fortunately for us, we don’t, and each day can be lived as if it is the deadline for that life’s assignment, doing the things that matter the most to us.
So to summarize, there probably will never be a better time to do certain things, and that’s if you’re lucky to live a full life without many problems. If you’re in your teenage years, you probably have the time to learn something thoroughly, spend time with friends and family, have fun, see clearly if you’re into that. If you’re in your twenties, you have the best balance between intelligence, energy, time and maybe some money too. Later in life you get better with relationships, your emotional intelligence grows and the life experiences you accumulate make you wiser while you’re getting rusty physically. Basically, we live through different interpretations of ‘peak’ throughout our lives, and there’s no one big peak that’s going to solve all your problems and make you happy.
So make the most of your now; make memes, draw comics, write code, learn music, dance, sing, make someone’s day, be vulnerable, be nice, prioritize yourself, talk to random strangers and share stories, gift without a reason, sleep, cry, hug, do whatever you have to. But make your now count.
We’re finally out of 2020, yaay! It has been, for lack of a better word, an interesting year. Not intending on becoming Abhi News Network, I’ll spare you from having to read about the events of the past year for the thousandth time. Like many people, I realized my full nerd potential and learned how to live indoors for weeks at a time. I also unlocked a new hobby, Chess. Some other things like traveling and in-person events definitely took a backseat but can’t do much about that.
This short post is about moving this blog back to WordPress. I say back, but the fact is that this website was never on WordPress. I started this blog on ghost.org back in early 2014, but had to quickly move it away from there in spite of absolutely loving Ghost (mostly because of the $5/month fees). Next up was Blogger before finally settling on GitHub Pages which, by the way, if you’re just starting out with blogging and can find your way around git on a terminal, you should give a try. Now, feeling the need for a much more elaborate CMS, I’ve migrated to WordPress running on AWS Lightsail. It does cost money, but this time I can afford it.
Before this blog existed, I used to write on WordPress on an older blog. That feels like an eternity ago, which it was in internet time. I used to write about latest smartphones and compare them against each other (nothing that actually needed to be done by hand, now that I think about it; 8mp vs 5mp camera, 1gb vs 2gb ram and so on). I would walk into Samsung stores and try to make ‘hands-on’ videos of their latest phones. I can’t imagine doing that today, mostly because of how much the smartphone industry has expanded since 2012-13. Also because it doesn’t interest me anymore.
With WordPress, I hope to be able to write on the go using nothing more than just a browser. “On the go” might take some more time to become a normal everyday phrase again, but when that happens, I’ll be ready with my Thinkpad and a backpack. To not need a text editor to write Markdown/HTML, terminal to commit and push, and to see previews without a developer server would be very liberating. I’m excited about this future.
I’ll end this article with a nice picture I took today. Hope you enjoy looking at it as much as I did looking at Stitch in my house today.