In late 2021, my friend Ed handed me his Canon 7D for me to try my hands at photography. I already had an itch to get into it but didn’t have the “gear”, or so I told myself. The camera came without a lens or SD card so I rode my bike to the Saturn store at Alexanderplatz and got myself a Nifty-Fifty; a Canon 50mm f1.8 lens. It is still to this day the most fun-to-shoot-with lens I own.
I’ve taken thousands of pictures since then. What’s changed between owning a smartphone (that features brilliant cameras) and owning a dedicated camera is that when I have a dedicated camera on me, I go looking for something interesting, something beautiful, something funny, something new. It is deliberate and intentional.
The world is full of patterns, symmetry, life, history, people, clues, colors, shades. There’s just so much that sparks curiosity. Would I find it interesting even if I wasn’t trying to take a picture? Probably. The camera on me reminds me frequently that I’m trying to focus on the beauty in the world that I can sometimes forget to notice.
Having a camera just gives me an excuse to step out, wander around, stare at walls, look at people and dogs and cats and insects and flowers.
The best camera is the one you have you on
I’ve read this quote at a bunch of places, and that’s why I got a paid pro camera app for my iPhone last year. A smartphone is perfect as a camera. It is always there, always charged and it is getting better at a rate faster than any dedicated camera system can imagine. It is getting to the point where smartphones are taking pictures that isn’t reality but what the phone thinks you wanted to shoot, but that’s a different topic.
But smartphones don’t just take photos. They have our social and work life on them, and they’re always connected. I struggle to stay intentional about anything with a smartphone around me, probably because it does so many things. And that constant state of being distracted by nothing in particular is quite exhausting.
What I wanted, for lack of a better excuse, was a camera that was just a camera. And that’s why I decided to get my self a relatively cheap point and shoot camera from Sony.
With the little Sony, it is as fun to take pictures with as my DSLR, but at the same time it is more subtle and it fits in my other pocket. It is like the best of both worlds! Of course, it isn’t without its drawbacks. It needs to be charged separately from the smartphone, the photos are worse than the DSLR and so on. But it is always with me and it forces me to be intentional with my hobby which makes it all worth it.
Photography as a memories generation tool
I remember watching this video where that idea of routine making time fly faster was exposed to me. I watched it many years ago and thought it was very true, although I had not had any real routine back then. Today, I kinda still think it holds true.
Photos are a good way to get back some memories, especially when they’re taken intentionally. I read somewhere that good photographers are intentional with their shots. They try to remember what made them take a picture. There’s a story associated with a picture in their heads that they can tell you. It isn’t about the camera or the lens or any of the technicality. Just the moment captured on film.
I’m trying to copy this–to think why I’m taking a picture before clicking the shutter button so that when I’m looking at the pictures later, I can really remember the scene very vividly; the scene in the frame, sure, but just as importantly, the scene outside of the frame–the sun’s warmth or the cold wind and rain on my skin, the sounds and my thoughts, and also did I decide to take picture of this very thing of all the other things. Like a wormhole back to that moment in time. That somehow helps make memories easier to go back to and make the time spent doing event the mundane-est of things count.
In closing
That was a bit all over the place, so apologies if you kept searching for a topic in this article and failed to find it. I just wanted to get it out. On a different note, I want to document my photographs better, but I’ve not found a good way to do so. Instagram isn’t ideal, and while Flickr might work, I find myself questioning how long will it be around. In the end, I think hosting an image gallery plugin on WordPress with my showcase-worthy photos might be a good idea. We shall see.
I don’t know why I started keeping track of my age in number of days, but I’m willing to bet it was in anticipation of this very day. I’ve not tracked it for long though. Just a couple of months really.
If you’re curious when you’ll turn or you turned 10k days old, it comes around when we’re 27 years, 4 months and 16 days old. 20k days is, naturally, when we’re 54 years and 8 months which feels much more further away than it should. What does that tell us about time?
The day itself is pretty ordinary. I’ll get myself a little cake to celebrate, but I’d have probably done that in any case. It is raining the whole day today. Not sure what’s up with that. I wanted to go to Conrad to get a USB-A to USB-B cable, and just window shop, but doesn’t look like I’ll be doing that given the weather situation.
I don’t have much to write about here. Just wanted to make this milestone post. Having said that, I’ll link to some of my poorly written past articles talking about time below.
After arriving in Berlin in January of 2019, I treated myself to a Casio F-91W. It was my first (non-essential) purchase in Germany, and for less than 10 Euros, it was a steal. Plus, a colleague of mine wore it and it looked cool. Easy decision!
Little did I know that this watch had a cult following on the internet. People collected all versions and variants of it and wore it with pride. I got pulled into the hype surrounding the F-91W and eventually more of the Casio retro digital watches.
It was an easy “hobby” to pursue given it is basically just buying more stuff. Nevertheless, it isn’t all that bad given how cheap these retro watches are. It is all relative of course, but given I’m also into photography, acquiring Casio watches is easier on my wallet.
Today, I own a couple more and I’m low-key proud of my collection.
Like with anything I get obsessed with, I spent a lot of time reading and watching YouTube videos about Casios. At some point I stumbled upon the Casio Wave-Ceptor series of watches. It struck me as something different: This fairly low tech wrist watch could set and correct its time automatically!
“But wait, it isn’t a smart watch” I thought. How does it do that?
That sent me down the rabbit hole which I’m still on my way down right now. Turns out, the watch can receive signals transmitted by a time signal transmitter and correct its local time.
In Germany, there’s Mainflingen longwave transmitter transmitting DCF77 time signal. The carrier signal has a 77.5 kHz frequency and the time signal is generated from the local atomic clock which syncs with the main atomic clock in Braunschweig. It is operated by the Physikalisch-Technische Bundesanstalt which also hosts four public NTP servers:
Querying the time using the commandline utility sntp and watching the network activity in Wireshark gives us some interesting data.
Wireshark
What’s next?
I’ve ordered a cheap radio receiver to play around with the radio time signal. On the watch side, I’ll look for cheap used radio Casio watches on the local Ebay here and try to acquire. I hope this new obsession ends up teaching me a thing or three about analog signals.
That is it for this side-quest post. Thank you for reading!
I have a love-hate relationship with articles such as this. On one hand, the thought of going back in time and changing certain decisions is always fascinating, and documenting some of those thoughts into text that I can keep coming back is alluring. What is also appealing is to have this documented as a reference for my future self who’d probably (read: most likely) also want to write back to his 18 year old (or 27 year old self đ¤ˇââď¸, who knows).
But on the other hand, articles with titles such as this are so cliche that they don’t feel sincere and make me cringe. What’s even the point of publishing it? Don’t I believe that my current state defines the combined success or failure of all my past decisions and events in my life? If I’m happy with the state of affairs in my life right now, doesn’t that mean everything in the past kinda worked out in the end?
I don’t know. My current philosophy doesn’t allow for an article like this one, for it doesn’t make any sense to wish for the possibility of a different present when I have the certainty of my current present, which I believe I’m okay with. But then, why stop myself from writing down all the lessons that I’ve learned ever since I turned 18. I guess I could post that under a less cringey title along the lines of “Generic useful lessons in life”.
But then, useful to whom? When? Would I like it to be handed over to me when I was 5? 10?
Exactly. We’ll move in circles here and never get anywhere. That’s probably the reason this article has been a draft for a year or more. But I think I’ll have to get it out of my head first, and deal with the above thought later. Having cleared that, let’s get started * snaps finger *
The satisfaction of reaching a goal is so much smaller than the satisfaction of doing something you love, so love the process for that’s where most of the satisfaction lies
Quotes that urge us to enjoy the climb more than the peak, the journey more than the destination or something along those lines are dime a dozen. Being a quote-collector, I’ve known them forever.
But it is only after repeatedly going through the same journey over and over again — desiring something, working my way towards it and then eventually getting it — have I learned that the joy of having achieved something is minuscule compared to the joy I got along the way doing the thing I loved.
Happiness derived from external sources is very limited, and once the basics are covered, very superficial
Very similar to the previous point, but with an important distinction. Time and again, something has repeated:
I’ve desired something materialistic
Spent countless hours reading about it and contemplating about the joys its possession will bring me
Eventually acquiring it
Only to have the joy feel underwhelming after a matter of minutes of doing it
And then recently I came across this quote
âTraveling is a fool’s paradise. Our first journeys discover to us the indifference of places. At home I dream that at Naples, at Rome, I can be intoxicated with beauty, and lose my sadness. I pack my trunk, embrace my friends, embark on the sea, and at last wake up in Naples, and there beside me is the stern fact, the sad self, unrelenting, identical, that I fled from. I seek the Vatican, and the palaces. I affect to be intoxicated with sights and suggestions, but I am not intoxicated. My giant goes with me wherever I go.â
Ralph Waldo Emerson wrote in his 1841 essay, âSelf-Reliance.â
I think what Emerson is trying to say is that trying to fix something that’s an issue on the inside by changing something on the outside seldom, if ever, works. But if you’ve ever spent hours browsing Amazon out of boredom thinking the new iPhone or Sony’s new mirrorless camera will make you content and solve all of your life problems, and were lucky to actually be able to buy it, you’ll know that the satisfaction was very short lived and things go back to being exactly the way they were before.
We also vastly overestimate how much joy we’d get from achieving our material goals. Getting to a higher salary, or a dream job, or the latest iPhone; I realized how little joy the outcome eventually brought compared to the misery that the desire for it brought.
Friends and family are what keep you going even on the gloomiest days
I arrived in Berlin on a very cold and gloomy day, and the next few weren’t any different. Unable to cope, and having had my luggage misplaced, I was naturally sad after the second day, asking why was I even there.
Just sitting quietly in my bedroom having exactly 0 friends in this new city, I was feeling (what I’d later learn) the seasonal low mood sprinkled over homesickness. Then I got a call from a friend back home. Then my parents called me. And within an hour or so, I was actually happy I was in Berlin, went out for a walk and had some kebab đĽ
Case in point, I learned that my brain is easily tricked into happiness by interacting with people I love and care about. Just a casual chat a day with a friend keeps me in generally good mood. It is like a tonic for my mental health, doubling as first aid when time comes.
Hence, I think it is important to always have people that one can open up with. These people don’t magically appear but have to be invested in over years to cultivate such relationships and that’s something I really value in my life today.
Bad decisions attract bad circumstances which bring a bad state of mind, and a bad state of mind brings more bad decisions. Works just as well with good decisions
Or the snowball effect. Habits, outcomes of decisions and events in our lives, both good or bad, generally start small and they slowly spiral and become greater in magnitude and have a greater influence on our lives.
For this reason, I think it is important to 1. Be mindful of smaller problems that might have the potential to spiral into bigger ones, 2. Have people around you who can point out and alert you of the small cracks developing and 3. Believe that little good habits, however small, will compound with other little good habits and bring much greater good than their perceived insignificance.
Be aware and intentional
David Foster Wallace’s speech titled this is water talks about learning how to think, how to chose what we think about inside our minds irrespective of what’s happening outside of it, to be in control of our thoughts. I’d highly recommend you listen to it.
Like many, I found the speech very educational, and decided to not only be more attentive of my thoughts and the way I think about things, but also be very intentional about my actions. For me, it means to jump out of the default setting and steering the direction in which I mind decides to run with a thought after having passed it through my values filter.
It also means that when something doesn’t work out, it is usually not a sad outcome, but an educational one because I chose this version of reality over the others, and accepted the risks and rewards associated.
In closing
Phew, that was not easy to write. But I’m happy I did. I can already see myself coming back to this article from time to time. I hope you found some value in the text above
Like many of my friends during the late 2000s, I embarked on my internet journey with Firefox. It started with Firefox being the only browser that could reliably resume downloads in the event of a power outage, which were frequent in my part of India, and that was very useful with a slow internet connection that gave me 10KB/s on a good day.
A few years later I learned about free and open source software, and started thinking of the internet as a public resource and a great equalizer of access to knowledge and opportunity. Firefox was a very natural fit in this newly discovered world of mine.
Since I’m now part of the organization that I’ve so long revered, I thought an update to the original post is appropriate, and started listing some reasons why Firefox is still my browser of choice today.
I am slightly biased towards Firefox, but in my defense that’s hardly ever changed.
Features that enhance your web experience
One of the reasons people love Firefox is its customizability. The functionality can be extended using Addons and for the truly adventurous, Firefox’s UI is customizable using a bit of custom CSS. Given how personal web browsing is and how much time we spend using a browser, a bit of customization can go a long way.
With enforcement of Manifest V3, Google dramatically limits capabilities of browser extensions. It removes access to powerful APIs that allowed us to provide innovation in privacy protection. Being subjected to those constraints, we have to re-invent the way our extensions operate. Intended or not, Manifest V3 takes choice away from users, exposing them to new threats. Manifest V3 is ultimately user hostile.
Ads are the de facto way of monetization on the internet, and many creators rely on it for making a living on the internet. However, since there’s so much money to be made through harvesting data for targeting ads, internet ad companies try to “spy” on people across the internet learning more and more about their browsing habits to show them the most relevant ads.
Many people face a dilemma of having to choose between giving back to the content creators they’ve come to love and depend upon, and not being okay with third party companies looking at their browsing habits all over the internet.
Tools like uBlock Origin prevent âcross site trackingâ and block ads and other annoyances from loading on webpages saving bandwidth and energy, and enabling a fast and pleasant web experience.
uBlock Origin also allows enabling ads on certain websites, which is something we should definitely do to support digital creators we rely upon for news, knowledge and entertainment.
Picture-in-picture mode detaches the currently playing video on many video streaming websites like YouTube, enabling you to watch a football game while reading an article on Wikipedia all in a resizable little window that can be moved around.
Multi-Account Containers
Want to keep work, social media and finance related websites all separate but donât want to bother having two browsers or separate web history? Multi-Account containers help you do exactly that.
Now you can browse Facebook in one âcontainerâ, access your banking apps on another and keep your work and personal email logged into a third and fourth container. Yes, logged into two Google accounts from the same browser.
None of the websites in one container âseeâ the websites open in another, either directly or with third party cookie based tracking.
Tree Style Tabs
Youâd have to pay me to have me move back to the old way of using browser tabs and youâd fail. Theyâre that good. Seriously.
Tabs arranged in a “tree” shape
Look maa, no Tabs bar!
Tree Style Tabs give you a quick way to visually see the which tab something came out of, essentially answering the question of “how did I even reach here?” when you are 6 levels down in a Wikipedia rabbit hole about deep sea internet cables or something.
P.S. Annie is one of my favorite creators on the internet. Go follow her page @depthsofwikipedia on Instagram for weird Wikipedia content.
Better privacy controls for all
Because privacy is a fundamental right and most people prefer not having third parties snooping over their shoulders as they browse the internet.
Total Cookie Protection
Firefox rolled out total cookie protection earlier this year which creates separate “cookie jars” for websites preventing cross domain tracking using shared cookies.
Firefox protects you from malice on the internet. It also does a good job at reporting the protections.
Enhanced Tracking Protection dashboard
Breach monitoring alerts you if your email address was involved in any data leaks across the internet.
Breach Monitor dashboard
Bonus section
This section will have weird things by design.
Custom CSS
As mentioned earlier, Firefox’s UI elements are made with web technologies like CSS. A bit of custom CSS goes a long way into making the Browser look exactly the way you want. A popular workflow is hiding the Tabs bar and relying on Tree Style Tabs for inter-Tab navigation.
Logo đŚ
This is very personal (that is, even more than the rest of this article), but I’m very fond of the Firefox logo. And as we’ve seen in the past, many people feel very strongly about the Fox in the logo so I’m not alone in feeling that way.
Firefox Developer Edition
I use the Firefox Developer Edition as my work browser. It is really good if you work with frontend web technologies like CSS or JavaScript. Debugging CSS or JavaScript on the Developer Edition is a joy, and I was especially impressed at how good it was with Grids.
In closing
If you had asked me 8 years ago why I recommend Firefox, I’d have gone on a long rant about how Firefox is one of the only two major non-Chromium based browsers, and the only one supported by a non-profit that fights to keep the web open and inclusive; That Firefox is built and maintained with the help of thousands of volunteers and open web enthusiasts and so on.
Today I would just say I recommend it because it is a great browser. It is also all of the above if you care, but if all you care about is the best web experience, Firefox will serve you just fine.
I turned 27 a month ago. I’ve not written a birthday post in a while (last time was turning 24, three years ago) so decided to write something for this one. Not that 27 is a special year or anything (well, I guess it is (un)special in the sense that it only comes once in a lifetime). However I do somehow feel 27 is a round number.
It is hard to explain, but I think I’m at the line that separates an early adult and a full real adult. It’s complicated, and I feel like neither to be very honest.
This year was quite exciting, from settling into my new role at CareerFoundry as a web & security engineer, to traveling around a bit, to getting my dream flat in the NeukĂślln district of Berlin (only to lose it six months later, but hey, not everything has to work out :), to getting my dream job at Mozilla, it has been a really happening year.
I’m really looking forward to this year. New job, new apartment, new part of the city, new technologies to learn and master. So much to be excited about. I decided to write more starting on my birthday, and I’ve been seeing good progress in the last month and a half since then. I’ll document my note-taking habit in an article about Obsidian soon.
My hope for the next one year is to get some stability into my life which got a bit rough in H2. Also hope to do well at work and life in general, but we’ll see that.
Currently I’m into this game called Life is Strange and have been listening to sound tracks from it. I play chess around once or twice per day, and sometimes paint.
Work takes up most of my time, but that’s expected and I’m really enjoying the new learnings coming my way. Overall, life’s good. I’ll go into more detail regarding some of the things I’m up to in separate articles.
I started working at CareerFoundry (“CF”) in January 2019. Ever since then, I’ve changed in many ways. Change is inevitable and we have very limited control over it. In fact, I think that that only tiny bit of control we have over it is the kind of change we’d like to see in ourselves.
One way to dictate positive change is by being curious about new environments and people, embracing new and often uncomfortable situations with an open mind.
Getting hired at CF carved a way to some of my most cherished memories, meaningful relationships and enabled me to pursue the hobbies and interests I always wanted to pursue and be the person I always wanted to be.
It also brought me to the beautiful city of Berlin that had space for me and my eccentricities.
I’ve met some amazing people at CF — people who’ve guided me, mentored me, praised me and then schooled me when I needed it. People who’ve shaped the person you see in me, the person I see in myself.
Inspiration for this article
The inspiration for this article came from a thought I had.
I was visualising our old office at KĂśpenicker StraĂe and thinking of my first day. I walked from Heinrich-Heine-StraĂe U-Bahn all nervous, not sure how I’ll feel about working in a new country with new people. I was scared.
I started imagining my current self; the one who has worked at CF for nearly 4 years, on my last day walking down the stairway, meeting my younger self walking up the stairway on his first day.
The young me asks if I have any tips for him thatâd help his CF journey.
This is the article I’d send him.
Lesson #1 – Gratitude makes everything better, so does kindness
I admit that it was strange standing in a circle hearing everyone thank one another in my first week at CF. But I got used to it. Some time later I understood the idea itself.
In a world of ever-increasing needs and wants, gratitude makes us look back at what we already have and feel good about it. The Friday gratitude forced us to look back and remember something good that someone did that helped us in some way. Not just remember, but also announce it.
It is like social-engineering happiness into people, pushing them to look at the beauty in the world. With practice, I got more and more comfortable thanking people and telling them I appreciate them.
Kindness is another quality that I found in abundance during my time at CF. The lengths people went toâto support one another, to assume the best of intentions and to help each other growâwas incredible. Iâm a recipient of much of that kindness myself.
Like with gossiping and complaining, gratitude and kindness are just habits. The more we practice them, the easier it becomes to do it the next time.
The more we are exposed to any of them, the more we reciprocate it to others. Hence it becomes easier to find people who exhibit the same. It is a beautiful self-sustaining cycle.
Lesson #2 – Growth mindset, or the idea of unlocking new skills with practice
Growth mindset is simply believing that many skills can be learned and improved upon by regular practice and timely feedback as opposed to being born with an innate capacity to do them.
The first time I heard about growth mindset was through one of Martinâs Monday morning speeches. It made sense, but it was only after applying it to many of the skills I wanted to pick up that I understood how powerful a simple change to a way of thinking can be.
I got into many hobbies after that, learned fun skills and gained many friends due to the hobbies. It changed my way of looking at everything and made me more curious.
Iâve gamified the whole experience of knowing absolutely nothing about something, then learning more and more about it, practising, getting feedback and improving, and then magically being able to do it — something that Iâd have deemed impossible a short while ago.
Lesson #3 – Good people with good intentions are the overwhelming majority
There was a rant post on Reddit about how Berlin is changing for the worse, and there was this following reply to that post. I thought it was really well written.
You leave a megaphone in a public space, and mostly as**oles pick it up to yell thinly veiled hatred in it. No one cares, except for the other assholes in the megaphone line, who cheer for the bile and canât wait to be cheered in return. But then, when I picked the megaphone and asked for help, I found help. And when I picked up the megaphone and offered some, I found people to help. The regular people are here. They just arenât ranting or cheering the rants.
– reddit r/berlin
It isnât news to anyone that negativity spreads much faster than positivity, and social media only amplifies that. As a result of this, it is very easy to be cynical of everything and everyone.
What Iâve learned at CF is that most people are just like me.
They will do good if given a chance.
Theyâll help if they can.
Theyâll get out of the way if told they or their actions are causing hurt
One of Martinâs Monday morning speeches was about assuming the best of intentions. I thought it was appropriate as most people have good intentions most of the time, so it makes a lot of sense to have that as our default stance.
Lesson #4 – Rules can be made up to come together with others, do good and spread happiness
Another important lesson Iâve learned at CF goes hand in hand with an amazing video I watched about Optimistic Nihilism from this youtube channel called Kurzgesagt. The premise of the video was that if the universe doesnât have any purpose, then we get to dictate its purpose; our purpose.
An extension to that idea is creating arbitrary rules for ourselves that help us do more of what we love. At CF, many people are givers. They love doing something for others.
So why wait for a special yearly holiday to cook for others? Just make up a couple of things like Soup Kitchen and Breakfast Thursdays to enable anyone who loves cooking for others to do it.
And why wait for Thanksgiving to thank someone when we could just thank them every Friday in our Friday Gratitude.
And why wait to take that new colleague of ours and the rest of the team to the best burger joint when you could just have Burger Fridays every Friday.
Convenient, eh?
Honestly, Burger Fridays is my most missed tradition at CF. Iâd have also proposed a Donnerstag DĂśners but Covid had other plans.
Lesson #5 – Company culture is just the people of CF
Recently I watched this speech titled âThis is waterâ by David Wallace in which Mr. Wallace tells us the importance of being aware of the most obvious things around us.
It made me think of this phrase âcompany cultureâ and wonder what it is. When I joined CF, I remember trying to fit into the culture. Before I knew it, I was interviewing people who were seeing me and judging the culture of the company. I went from trying to fit in, to defining what the culture at CF was. All of us did.
I then realised something interesting. Since âCFâ itself is a virtual entity that only exists in our shared minds, CFâs culture is just how we perceive the rest of CF. In that sense, each and everyone at CF is playing a part in defining the culture of CF at that moment. When someone joins, they bring something new to the table. When someone leaves, they take something away.
CFâs culture is as dynamic as the people it is made up of and suddenly, âHow will we keep the culture at CF the same?â — a question that gets asked a lot whenever we speak of hiring — automatically turns into âHow will we hire the kind of people weâd like representing CF?â, and I think that is a more useful question.
Lesson #6 – There’s more to life than just work
My first day at CF was 14th of January, 2019. I was busy setting up my laptop and various company accounts, and reading some documentation. At around 6.30pm, Megan came to my table and said âthatâs enough for the first day — go home nowâ. I looked around and almost everyone had already left.
This was strange to me. It was still a couple of hours till dinner time. Why not just keep working and go straight to dinner?
You see, I didnât have leisure time in my vocabulary back then. It was always doing something. Working, eating, sleeping, coding, studying. Something.
I grew up with a hustle-culture mindset where if I’m not working 10 hours a day and coding in my free time, I’d not consider myself âambitiousâ and probably not âmake itâ. Berlin and CF changed all of that.
All of a sudden, I had at least a couple of hours every day, and two full days of weekend when I wasnât expected to keep working. I could do something else. But what?
Anything.
I started pursuing hobbies that werenât career related or would ever be monetized. I started biking and playing chess, painting and playing music or just sitting by the canal doing absolutely nothing.
It is nice to not have to constantly think of free time as wasted time, and I have CF and Berlin to thank for this huge change in my way of thinking and living my life.
Thank you, dear friends
I am grateful for everything Iâve learned from the people at CF. It has made me a different and, in my opinion, better version of myself, and I canât thank you all enough. Iâll pay it forward wherever I end up in life.
A couple of months ago I was on a flight and had a thought: How far is the horizon at this very moment?
I got my notebook and pen out and tried to solve this using only the knowledge I had, since there was no internet anyway. Of course, many assumptions were made as were convenient for the calculation.
I planned on checking my answer once I landed. If you want to attempt it, stop reading here and come back later when you have a solution. Unfortunately for me, I made a little error subtracting between two big numbers and got a completely wrong answer.
Assumptions
I assumed the following
Perfect visibility, no degradation due to atmosphere
Earth is a perfect sphere with a radius of 6400km
Aeroplane flying at an altitude of 10km
Solution
Thanks to the assumptions, the problem reduces to primary school geometry problem and is trivial to solve once visualized clearly on a piece of paper.
Using Pythagoras Theorem we know how to calculate the third side of a right angled triangle give the first two. We also know that a tangent to a circle (the line of sight from an aeroplane) meets the circle in a way that it is perpendicular to the radius drawn from the point of contact.
Combining the two pieces of knowledge, the problem can be trivially arranged as follows
(R + r)² = R² + Dh²
Where
R is the radius of the earth (in Kilometers)
r is the distance of the aeroplane from the surface of the earth (in Kilometers)
Dh is the distance to the horizon
Rearranging, we get
Dh² = (R + r)² – R²
Expanding the (a + b)² equation
Dh² = R² + 2Rr + r² – R²
Dh² = 2Rr + r²
Taking square root on both sides
Dh = â(2Rr + r²)
Substituting the values
Dh = â(2*6400*10 + 10²)
Dh = â(128000 + 100)
Dh = â(128100)
Dh = 357.9
Distance to horizon is about 358 kilometers when the aeroplane is at an altitude of 10 kilometers. Now looking at the map while sitting in a flying aeroplane is a lot more insightful as I can guess which cities I’m looking at outside the window.
That’s it for this little post. Thank you for reading!
XSS, CSRF (or XSRF) and SSRF are common vulnerability in modern web applications where an attacker tries to imitates either a legitimate client to an unsuspecting server or a legitimate server to another unsuspecting server. The basic underlying principle behind each of these attack remains the same; performing action on behalf of a legitimate entity. Let’s look at each of them in a bit more detail and learn about how to protect our web applications against each of them.
XSS (Cross Site Scripting)
XSS or Cross Site Scripting occurs when an attacker manages to execute malicious script code in a victim’s browser as the victim. Browsers store a lot of sensitive information in them. Some of this information is used to identify a user on a website.
A script loaded from a website can access information stored on your browser through that website, which is how sessions work in your browser. That’s how Facebook or any other website knows to show you your personalized information and not someone else’s.
XSS occurs if an attacker gets control over the scripts running in your browser. If they can execute code, they can steal your login credentials and trick you into installing malware on your computer.
There are different kinds of XSS attacks and they depend on where the payload is stored.
Reflected XSS
A reflected XSS vulnerability occurs when a piece of data from a URL is reflected back into the website code unsanitized and can be injected into. This can be a result of a GET or a POST request, and it is especially severe as an unauthenticated GET request as that URL can be shared on social media and anyone clicking on it gets compromised.
Remediation of reflected XSS – Sanitization of all user inputs before passing it back into the view
Stored XSS
A stored XSS vulnerability occurs when a web application stores an XSS attack payload without sanitizing it and then displays it back to the same user or a different user. A notable recent example is British Airways website getting compromised and exposing sensitive data including credit card information of 380,000 transactions.
Remediation of stored XSS – It is the same as with reflected XSS: Sanitization of all user inputs before storing the data in the database.
DOM based XSS
Unlike reflected/stored XSS, a DOM based XSS occurs only on the client’s side. This can be a result of a user typing in a string into an input field that gets parsed and executed as code. An attacker can trick a user to paste a string into their browser which will execute due to insecure parsing and compromise a user’s credentials.
Remediation against DOM based XSS – Display text as text, and nothing else. Instead of element.innerHtml use element.innerText or element.textContext to ensure the data displayed back to a user is purely text.
CSRF (Cross Side Request Forgery)
CSRF occurs when a malicious website makes a request to a legitimate server through an unsuspecting victim.
Web applications communicate with clients through HTTP requests. When a request is made, the browser attacks all information that it knows about the website along with the request, including login/authentication credentials (called cookies).
If the web server doesn’t have protective measures, a request made through a legitimate website and an attacker’s website look exactly the same (or they can be forged to look the same). As a result, an attacker can make a request telling the victim’s bank to transfer $100 to the attacker’s account, and since the request is made through the attacker’s browser, the bank’s server will process it as a legitimate request.
Remediation of CSRF – CSRF can be easily prevented by requiring any unsafe request to validate itself using a valid CSRF token that can only be found in the website’s code and changes on every use. Additionally, authentication/login cookies can be marked as sameSite only, such that any third party website making the request doesn’t contain the sensitive authentication cookies.
SSRF (Server Side Request Forgery)
SSRF is similar to CSRF, but instead of an compromised client making a request to an unsuspecting server, here a compromised server makes a request to itself or another unsuspecting server.
Since a server might be a privileged node in the network, the attacker can make the server access and return sensitive information or perform privileged actions that the attacker’s account wouldn’t allow.
SSRF can also be used to trigger code execution in servers where the vulnerability can be exploited using the privileges of the server itself.
Remediation of SSRF – Any outgoing request needs to be explicitly allowed from the application by maintaining an allowlist of domains and servers a given server can connect to. The scope of these requests should be made as narrow as possible.
In conclusion
I hope that was an interesting quick read on one of the most common vulnerabilities in modern web application. Injection and SSRF are two of OWASP’s top 10 for 2021, so it is definitely worth looking into them and protecting our web applications from potential vulnerabilities.
ModSecurity is a web application firewall. It can protect your web application from preying eyes of vulnerability scanners and attackers. It is extremely customizable, and when paired with OWASP’s Core Rule Set, covers quite a lot of web technologies and frameworks.
In this article, we’ll set up ModSecurity on an AWS EC2 Server running Nginx web server.
For this tutorial, we’re using AWS LightSail’s Ubuntu image. Choose any instance size depending on your requirements. I’ll choose a 40$ / Month instance with 8GB RAM and 2vCPUs just so that the compilation of ModSecurity is faster.
Once the instance is created, log into the instance with SSH and update packages
$ apt update && apt upgrade -y
Install Nginx
$ sudo apt install nginx
Check what version of Nginx did we get from our package manager. This will be used when compiling Nginx later.
$ nginx -v
I got the following output:
nginx version: nginx/1.18.0 (Ubuntu)
To make sure the webserver is successfully installed and running, simply visit the IP address of the server. It should look something similar to this:
Set up ModSecurity
First we’ll need to install compilation and other dependencies.
Next we’ll clone the ModSecurity repository into the /opt directory
$ cd /opt && sudo git clone --recursive https://github.com/SpiderLabs/ModSecurity && cd ModSecurity
Next we run the build script
$ sudo ./build.sh
Next we’ll run the compile script that will fetch all the dependencies for the compilation
$ sudo ./configure
It is possible that this command fails and reports you of any dependencies that are still missing. You can simply google them with “install XYZ on Ubuntu” and run the configure command again. Ideally it will just exit without any errors. Next we start with the actual compilation of ModSecurity
$ sudo make
A reason why I didn’t go with the smallest server was that this step is resource intensive and could take 15 minutes or more depending on your server’s CPU and memory.
If all went through, we can now install ModSecurity
$ sudo make install
If all went through without any errors, we have ModSecurity installed.
Set up ModSecurity <-> Nginx connector
We start off by downloading ModSecurity-Nginx and Nginx source code. Note that the version of Nginx in the next command must match the version installed on our system. For me, that’s 1.18.0 but it could be different for you.
$ cd /opt && git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
$ cd /opt && sudo wget http://nginx.org/download/nginx-1.18.0.tar.gz
Untar the Nginx source. Replace the Nginx version in the next command if needed.
$ sudo tar -xvf nginx-1.18.0.tar.gz
Next, we need to grab configure arguments. For that, run the nginx command with a capital ‘V’ flag.
Don’t copy the above command. You must use the configure arguments supplied by your installation of Nginx.
Next we build the modules
$ sudo make modules
This is a compilation step and may take a little while (a minute or so) to complete. The final step here is to copy the compiled modules to a place from where we can reference them from our Nginx config.
OWASP’s Core Rule Set is a set of rules that cover most common frameworks and technologies as well as cover signatures for common web application attack payload. It is a good place to start if you don’t want to write custom rules for many common attacks.
So far, we’ve configured everything but if we restart Nginx now, it won’t filter attacks but only detect them since the default operating mode of ModSecurity is to only log malicious requests. To change that, let’s open the file /etc/nginx/modsec/modsecurity.conf and change the line
SecRuleEngine DetectionOnly
to
SecRuleEngine On
For our changes to go live, we’ll need to restart Nginx.
$ sudo systemctl restart nginx
Let’s test our ModSecurity installation. Open your browser and send a sample payload in the GET parameter. It doesn’t have to be a real parameter, but just something that can trigger an XSS filter.
That’s ideal. ModSecurity is working and blocking seemingly malicious requests to our web server. Now any application that sits behind our web server will be protected against many generic web application attacks, even OWASP Top 10 thanks to OWASP’s CoreRuleSet.
In conclusion
It isn’t the most straightforward of installations, but it isn’t very difficult either. The hard part, however, starts here and it is to get rid of all false positives and tweak the installation such that it fits the needs of your specific web application. Depending on how complex an application you’re trying to protect, it can be fairly time consuming.
I’ll write an article on how to tweak the parameters of ModSecurity and make it fit our needs in the future in a separate article.
That’s it for this article, thank you for reading!
