DEV Community: Pragya Sapkota

Phishing: The Complete Guide to Cyber Deception and Protection

Pragya Sapkota — Sun, 31 Aug 2025 14:24:22 +0000

Phishing: the art of convincing you to hand over your keys while you hold the door open for the thief. No fishing rod required — just a convincing email and a dash of misplaced trust.

Phishing is one of the oldest — and still one of the most effective — cybercrime techniques. Although the basic trick is simple (pretend to be someone trustworthy to get people to hand over secrets), attackers have refined the method into many forms that target individuals, executives, IT staff, and entire organizations.

This article explains what phishing is, how it evolved, the main variants, the psychology and technical methods attackers use, notable real-world incidents, how to detect phishing, how to prevent and respond to attacks, legal consequences for attackers, and recent trends — including AI-powered scams.

What is phishing?

Phishing is a form of fraud that uses social engineering and technical deception to trick people into revealing sensitive information (passwords, credit-card numbers, identity data), installing malware, or performing actions (e.g., wiring money) that benefit the attacker. Phishing commonly uses email, but can occur over SMS, phone calls, social media, web pages, QR codes, and other channels. The key element is deception: the victim believes they are interacting with a trusted party.

A short history and evolution

Early Days (1990s-2000s): Basic “spray-and-pray” email scams that impersonated banks or online services.
Large-scale takedowns and prosecutions (the 2000s): Law enforcement actions like Operation Phish Phry (2009) demonstrated both the scale of organized phishing rings and that international coordination could disrupt them.
Targeted, high-impact incidents (the 2010s): Spear-phishing became an entry vector for major breaches (e.g., RSA in 2011). Attackers combined targeted social engineering with malware and lateral movement to access critical systems.
Diversification and business impact (the 2010s-2020s): Business Email Compromise (BEC), supply-chain intrusions, and SIM-swap/SOCIAL engineering fraud (e.g., the 2020 Twitter cryptocurrency scam) highlighted that phishing can produce huge financial and reputational losses.
AI era (the 2020s-2025): Attackers increasingly use AI to create convincing text, synthesize voices, and produce deepfake media — enabling more realistic phishing across channels. Reports from industry and law enforcement warn that AI-assisted scams and new vectors (QR codes, automated credential harvesting) are accelerating.

Types of Phishing — What to Watch for

Below are the most common and important variants, with short descriptions and examples.

Mass (commodity) Phishing

Generic email blasts impersonating banks, delivery services, or major platforms. Goal: steal credentials or deliver malware at scale.

Spear Phishing

Targeted emails tailored with personal details (job title, colleagues’ names) to trick a specific person. Common initial vector for high-value breaches (e.g., RSA 2011).

Whaling

Spear-phishing aimed at senior executives or high-value targets (CFO, CEO) to obtain approvals or payments.

Business Email Compromise (BEC)

Fraud where attackers spoof or compromise corporate emails to instruct finance teams to wire money or reveal invoice details. Losses can be substantial and often end up in money-mule networks.

Smishing (SMS Phishing)

Fraud delivered by text messages (SMS), often impersonating delivery services, banks, or authentication systems to get victims to click links or reply with codes.

Vishing (Voice Phishing)

Phone-based scams where attackers pose as bank staff, IT help, or executives—increasingly combined with voice cloning to impersonate known figures.

Clone Phishing

Attackers copy a legitimate email previously sent to the victim, replace the link/attachment with a malicious one, and resend from an address that looks extremely similar.

Quishing (QR Code Phishing)

QR codes that point to malicious landing pages or trigger malicious actions. APWG and industry reports highlight rising QR use in phishing.

Credential-harvesting Pages and Homograph Attacks

Fake websites that mimic real sites (look-alike domains, internationalized domain homographs) to collect usernames and passwords.

How Phishing Attacks Work — The Anatomy

Reconnaissance: The Attacker gathers data (public profiles, organization charts, leaked credentials) to craft believable messages.
Lure/Delivery: Email/SMS/phone call contains the lure: an urgent invoice password reset, delivery notice, HR message, etc. Link or attachment is the bait.
Action: Victim clicks a link, opens an attachment, replies with credentials, inputs data into a fake page, or transfers funds. Attachments may contain malware (ransomware, remote access trojans) or scripts.
Exploitation and Persistence: If successful, the attacker uses credentials or malware to move laterally inside networks, escalate privileges, exfiltrate data, or issue fraudulent payments.
Monetization: Sell data, launcher funds through mule accounts, demand ransom, or perform secondary fraud (identity theft).

Psychological Tactics Attackers Use

Phishing succeeds because it exploits predictable human reactions. Common psychological levers:

Urgency/Scarcity: “Act now — your account will be closed.”
Authority: Impersonates bosses, banks, government agencies
Social Proof/familiarity: Uses familiar logos, names, or language patterns
Curiosity/fear: “See this invoice/security alert”
Reciprocity/obligation: Requests that feel like a favor from a colleague
Contextual relevance: Tying messages to current events (tax season, COVID relief, payroll changes) to increase plausibility.

Notable Real-world Phishing Incidents (Brief Cases)

Operation Phish Phry (2009): An International phishing ring targeted customers with fake bank sites; nearly 100 people were charged in the U.S. and Egypt. Demonstrated a serious and international coordination of phishing crime.
RSA breach (2011): Attackers used a spear-phishing email with a malicious Excel attachment; the compromise of SecurID seed data had cascading impacts for many defense and government contractors. The incident is often cited as an archetypal APT/spear-phishing success.
Target breach (2013): Attackers obtained credentials from a third-party HVAC vendor (initial access via compromised credentials and possibly phishing vectors) and installed POS malware, compromising millions of payment cards. The breach highlighted third-party risk.
Podesta/2016 political email hacks: High-profile example where credential-harvesting emails led to politically significant data leaks. (Public reporting and investigations show phishing played a central role.)
Twitter Hack (July 2020): Social engineering and phone-based SIM/SMS vectors were used to gain high-privilege access to a major platform, facilitating cryptocurrency scamming and high-profile account takeovers. Subsequent regulator reports analyzed weaknesses in account recovery and staff processes.
Voice Deepfake Scams (2019–2024): Multiple documented cases where attackers used cloned voices to convince employees to transfer funds (e.g., a 2019 case of £243k loss; more recent executive-targeted deepfake calls recorded in 2024). These incidents illustrate how AI voice synthesis is increasing the risk.

How to Detect Phishing — Practical Signs

Look for combinations of the following red flags:

Unexpected messages that pressure you to act immediately.
Sender’s email address that doesn’t match the organization (tiny differences or extra characters). Hover over addresses/links to inspect the real URL.
Poor spelling/ grammar combined with official logos — low-quality impersonations. (Sophisticated attacks, however, can be flawless.)
Generic salutations (“Dear customer”) when you expect personalization.
Requests for secrets, one-time passcodes, or to disable multi-factor authentication.
Attachments with unusual file types (.exe, .scr, .js, or Office files with macros).
Links that resolve to different domains than they display (check the browser status bar before clicking).
Unexpected or out-of-bank requests for wire transfers or payroll changes — verify by phone using a known number.
Unusual domain characters (Punycode/internationalized domain names that mimic letters).
QR codes in public places or emails that you didn’t request — they hide the destination until scanned.

Preventive Measures — Individuals

Think before you click: Pause and inspect sender, link, and context. If in doubt, call the organization using a known number.
Use multi-factor authentication (MFA): MFA reduces risk from stolen passwords, especially app-based or hardware MFA (authenticator apps, FIDO keys). Note: MFA is not foolproof (MFA push fatigue and SIM swap attacks exist), but it significantly raises the bar.
Keep software updated: Patches fix exploitable bugs that phishing-delivered malware might exploit.
Avoid opening unexpected attachments: Verify first via a separate channel (phone, known email).
Use password managers: They prevent credential reuse and auto-fill only on exact domains (limits credential harvesting).
Verify payment requests by an independent channel: Don’t rely solely on email for wire instructions or invoice changes.
Be careful with social media oversharing: Less public personal data reduces the effectiveness of spear-phishing.
Report suspicious messages: Forward phishing emails to your provider, employer security team, or report to local cybercrime authorities.

Preventive & Detective Measures — Organizations

Technical Controls

Email authentication: Enforce SPF, DKIM, and DMARC to make it harder to spoof corporate domains.
Secure inbound email gateways: Use anti-phishing filters, URL rewriting, and sandboxing for attachments.
MFA & strong authentication: Prefer phishing-resistant MFA (security keys, FIDO2/passkeys) for high-privilege accounts.
Endpoint protection & EDR: Detect malicious attachments or unusual lateral movement quickly.
Web filtering & DNS security: Block known malicious domains and use DNS-level protection to stop users from reaching credential-harvesting sites.
Isolate risky attachments: Convert Office attachments to safe formats or open attachments in sandboxed viewers.

Organizational & human measures

Phishing awareness training: Combine education with periodic simulated phishing to measure and improve behavior.
Incident response playbooks: Predefine steps to quarantine accounts, rotate credentials, and trace payments.
Least privilege & segmentation: Limit access to critical systems and make lateral movement harder.
Third-party risk management: Vet vendors, require security controls, and monitor vendor access closely (Target breach lessons).
Transaction verification controls: For payments, require multi-step approvals and independent verification for wire transfers.
Logging and monitoring: Keep audit trails for email and financial transactions and monitor for suspicious patterns.

Incident Response — A Concise Checklist

Disconnect and contain: Isolate infected hosts.
Preserve evidence: Keep logs, emails, and artifacts for forensics.
Reset credentials: Revoke session tokens and rotate passwords for compromised accounts.
Notify stakeholders: Legal/compliance, affected customers, and regulators as required.
Trace and recover funds: If money was sent, immediately contact banks and law enforcement — time matters.
Post-incident review: Identify root cause, patch controls, and update training.

Consequences For Victims

Financial loss: Direct theft (wire fraud, BEC), secondary fraud, and ransomware payments. FBI/IC3 and industry report document billions in annual losses.
Identity theft and fraud: Stolen PII is sold or used for new-account fraud.
Operational disruption: Malware, ransomware, or loss of critical system access.
Reputational harm: Public breaches damage customer trust and market valuation.
Regulatory & legal costs: Data breach notifications, fines, and litigation exposure.

Legal Consequences For Attackers

Phishing and related crimes are prosecuted under multiple statutes depending on jurisdiction and the nature of the offense:

Computer/hacking statutes: In the U.S., the Computer Fraud and Abuse Act (CFAA) is a common basis for federal charges involving unauthorized access.
Fraud & wire fraud: Charges for monetary theft (wire fraud, bank fraud) are commonly used in BFC and large-scale phishing prosecutions (e.g., Operation Phish Phry prosecutions).
Money-laundering & identity-theft statutes: Used to target the financial flows and identify crimes that follow initial phishing.
International cooperation & extradition: Many large phishing rings operate cross-border, and law enforcement operations show international coordination (FBI, Europol, national agencies).

Prosecutors have had notable successes (Operation Phish Phry and other takedowns), but enforcement faces challenges: jurisdictional complexity, money-launderers, mule networks, and the ability of attackers to move quickly.

Recent Trends and What’s Coming Next (2023–2025)

AI-assisted phishing: Attackers use large language models to craft highly convincing emails and chat messages, reducing the time to create personalized lures. Voice synthesis and deepfakes let attackers impersonate executives or family members on calls. Industry reports and news outlets documented deepfake-enabled and AI-amplified scams in recent years.
QR code phishing (quishing): Phishers embed malicious URLs in QR codes shared in emails, posters, or even invoices — APWG reports an uptick in QR-based campaigns.
Credential stuffing phishing combos: Using breached passwords combined with phishing to gain a second factor or to trick users into reusing credentials.
Targeted supply-chain and vendor attacks: As seen in Target and other breaches, attackers increasingly target third-party vendors to gain access to larger victims.
Scale and automation: Phishing infrastructure is commoditized; attackers can buy templates, spoofing services, and money-laundering “drop” services, increasing volume and reducing skill required.
Regulatory & enforcement shifts: Governments and regulators are increasing focus on cybercrime, fraud prevention, and corporate responsibility — expect more cross-border cooperation and penalties for lax security.

Practical Checklist — “Before you click” (Summary for individuals)

Pause. Think: Why did I get this?
Inspect sender address and hover links.
Don’t open unexpected attachments.
Call the sender on a known number to confirm payment or request changes.
Use MFA and a password manager.
Report suspicious messages to your IT/security or national cybercrime authorities.

Final Words

Phishing attacks thrive on human impulse and evolving technology. Technical controls (MFA, email authentication, endpoint protection) are essential but not sufficient — the human factor, training, verification procedures, and effective incident response are what stop most phishing-driven disasters. As attackers adopt AI and new vectors (QR codes, voice cloning), defenders must combine technology, processes, and user education to keep pace.

Remember: if something smells phishy, it probably is. Trust your instincts, verify everything, and never give your password to anyone — not even to that “Prince” who promises you a yacht. Because in phishing, the only “catch of the day” you want is zero.

References

[1] Anti-Phishing Working Group, “Phishing Activity Trends Report,” APWG, 2024. [Online]. Available: https://apwg.org/trendsreports/

[2] U.S. Department of Justice, “Nearly 100 Arrested in International Phishing Scam — Operation Phish Phry,” DOJ Press Release, Oct. 2009. [Online]. Available: https://www.justice.gov/opa/pr/nearly-100-arrested-international-phishing-scam

[3] RSA Security, “RSA SecurID Breach Analysis,” RSA, 2011. [Online]. Available: https://www.rsa.com/en-us/blog/2011/rsa-securid-breach-analysis

[4] Twitter, “An Update on Our Security Incident,” Twitter Security Blog, Jul. 2020. [Online]. Available: https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident

[5] L. Newman, “AI Voice-Cloning Scams in Financial Fraud,” Wired, Aug. 2023. [Online]. Available: https://www.wired.com/story/ai-voice-cloning-scams/

[6] Federal Bureau of Investigation, “2023 Internet Crime Report,” IC3, 2023. [Online]. Available: https://www.ic3.gov/

[7] Microsoft, “Digital Defense Report 2023,” Microsoft Security, 2023. [Online]. Available: https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report/

[8] S. Abrams, “QR Code Phishing (Quishing) Attacks Surge in 2024,” BleepingComputer, May 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/qr-code-phishing-on-the-rise/

[9] Verizon, “2023 Data Breach Investigations Report (DBIR),” Verizon Enterprise, 2023. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[10] A. Greenberg, “How John Podesta Got Hacked: The Phishing Email That Fooled Everyone,” Wired, Oct. 2016. [Online]. Available: https://www.wired.com/story/phishing-podesta-email-hack/

[11] B. Krebs, “Target Hackers Broke In via HVAC Company,” Krebs on Security, Feb. 2014. [Online]. Available: https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

[12] Google Threat Analysis Group, “AI-Generated Phishing Lures and Deepfake Scams,” Google TAG, 2024. [Online]. Available: https://blog.google/threat-analysis-group/

[13] B. Krebs, “BEC Scams and Phishing Toolkits Exposed,” Krebs on Security, Mar. 2023. [Online]. Available: https://krebsonsecurity.com/2023/03/bec-scams-phishing-toolkits-exposed/

[14] J. Vincent, “AI-Powered Phishing Scams and Deepfake Threats,” The Verge, Nov. 2024. [Online]. Available: https://www.theverge.com/ai/2024/ai-phishing-scams-deepfakes

[15] Anti-Phishing Working Group, “Q1 2024 Phishing Activity Trends Report,” APWG, 2024. [Online]. Available: https://apwg.org/trendsreports/

[16] Microsoft Security, “Anatomy of a Phishing Attack and Mitigation Strategies,” Microsoft Blog, 2023. [Online]. Available: https://www.microsoft.com/en-us/security/blog/

[17] Europol, “Operation Phish Phry — Global Coordination Report,” Europol, 2010. [Online]. Available: https://www.europol.europa.eu/

[18] BBC News, “£243,000 Voice Deepfake Scam,” BBC, Sep. 2019. [Online]. Available: https://www.bbc.com/news/technology-49579520

[19] Cornell Law School, “18 U.S. Code § 1030 — Computer Fraud and Abuse Act (CFAA),” Legal Information Institute, 2024. [Online]. Available: https://www.law.cornell.edu/uscode/text/18/1030

[20] Anti-Phishing Working Group & Microsoft, “Phishing Prevention and Mitigation Best Practices 2024,” APWG, 2024. [Online]. Available: https://apwg.org/trendsreports/

Telemetry and Tracing: A Comprehensive Overview

Pragya Sapkota — Thu, 02 Jan 2025 08:48:14 +0000

We live in a time of complex distributed systems, where knowing what happens to an application in a certain environment is critical. But where can we obtain useful information about these systems’ development and functioning?

The answer is Telemetry and Tracing.

So, let’s begin with what telemetry and tracing are. We will also look into some advantages of both, and how they could be put into place within the industry.

What is Telemetry?

Telemetry is basically gathering, transmitting, and analyzing data from remote sources. In other contexts, it also refers to collecting information about the performance, health, and behavior of applications. It can be used for system performance monitoring, anomaly detection, and informed decisions on system optimization. The following are the main components of telemetry:

1. Data Collection

The gathering of data from various sources, including application logs, system metrics, and user interactions.

2. Data Transmission

Transmits the collected data for analysis at a central place.

3. Data Analysis

Processing and interpreting the collected data for meaningful insights.

What is Tracing?

Tracing is a specialized form of telemetry that focuses on tracking the execution of requests or transactions through a distributed system. It provides a detailed view of how requests flow through different components, helping to identify performance bottlenecks, errors, and dependencies. The aspects of tracing include the following:

1. Distributed Tracing

Tracking requests as they propagate through multiple services and components.

2. Span Analysis

Analyzing individual operations (spans) within a trace to understand their performance characteristics.

3. Dependency Analysis

Identifying dependencies between different components and services.

Key Benefits of Telemetry and Tracing

Needless to say, telemetry and tracing offer a multitude of benefits for organizations of all sizes. By providing valuable insights into application performance, behavior, and health, these tools enable teams to make data-driven decisions and optimize their systems. Let’s discuss some of these benefits in detail:

1. Improved performance

With telemetry and tracing, we can pinpoint performance bottlenecks, such as slow database queries or inefficient network calls. By understanding where the system is spending most of its time, we can take targeted action to improve performance.

Telemetry data can inform decisions about resource allocation, ensuring that resources are used efficiently and effectively. For instance, if a particular component is consistently underutilized, it may be possible to reallocate resources to other areas. Likewise, by identifying and addressing latency issues, telemetry and tracing can help improve the user experience and reduce application response times.

2. Enhanced Reliability

With telemetry tools, we can continuously monitor system health and detect anomalies before they lead to failures. This proactive approach can help prevent outages and downtime. By identifying issues early on, teams can take corrective action before they escalate into major problems. This can help reduce the impact of incidents and improve overall system reliability.

Since telemetry and tracing also help us identify dependencies between different components and services, we can design more fault-tolerant systems.

3. Simplified Troubleshooting

Tracing can help pinpoint the root cause of issues, making troubleshooting more efficient and effective. By understanding the flow of requests through the system, teams can identify the exact location of the problem.

By quickly identifying and resolving issues, telemetry & tracing can help reduce the time to resolution, improving overall system availability. Ultimately, this faster troubleshooting leads to improved customer satisfaction, as users are less likely to experience disruptions or downtime.

4. Enhanced Decision-Making

Telemetry and tracing also provide teams with the data they need to make informed decisions about system maintenance, upgrades, and resource allocation. This way, we can also understand how resources are being used, optimize their allocation, and avoid unnecessary costs. They can help ensure that systems meet or exceed service level agreements (SLAs), improving customer satisfaction and reducing penalties.

Common Telemetry and Tracing Metrics

Telemetry and tracing involve collecting and analyzing various metrics to gain insights into system performance and behavior. Let’s discuss some of the commonly used metrics.

Request-Related Metrics

1. Response Time

The total time it takes for a request to be processed and a response returned, includes network latency, processing time, and other factors.

2. Error Rates

The percentage of requests that result in errors or expectations. This metric helps identify issues with application logic, data integrity, or external dependencies.

3. Throughput

The number of requests that can be processed per unit of time. This metric is often used to measure system capacity and performance under load.

4. Latency

The time it takes for a request to travel from one component to another. This metric is particularly important for distributed systems with multiple components.

Resource-Utilization Metrics

1. CPU Usage

The percentage of CPU capacity that is being utilized by the application. High CPU usage can indicate performance bottlenecks or resource contention.

2. Memory Usage

The amount of memory being consumed by the application. Excessive memory usage can lead to performance degradation or even crashes.

3. Network Usage

The amount of network bandwidth being consumed by the application. High network usage can indicate network congestion or inefficient data transfer.

4. Disk I/O

The amount of disk input/output operations performed by the application. Excessive disk I/O can be a sign of performance bottlenecks, especially for applications that rely heavily on disk-based storage.

Custom Metrics

1. Business-specific metrics

Metrics that are specific to the application’s domain or business objectives. Examples include sales volume, customer satisfaction ratings, and conversion rates.

2. Custom application metrics

Metrics that are defined and collected within the application itself. This can include metrics related to specific components algorithms, or functionalities.

Popular Telemetry and Tracing Tools

1. OpenTelemetry

OpenTelemetry is not tied to any specific vendor or technology, making it a flexible and adaptable choice for various environments. It provides a consistent API and SDKs for different programming languages, simplifying the process of instrumenting applications. They support exporting data to various backends, including Jaeger, Zipkin, Prometheus, and custom solutions. And since OpenTelemetry is developed and maintained by a large community of contributors, we can be sure of ongoing development and support.

2. Jaeger

Jaeger is specifically designed for distributed tracing, making it well-suited for microservices architectures. It provides real-time visualization of traces, allowing teams to quickly identify and diagnose performance issues. Jaeger was designed to handle large-scale distributed systems and can scale horizontally to meet increasing demands. It can be used as a backend for OpenTelemetry, providing a powerful and scalable tracing solution.

3. Prometheus

Prometheus focuses on collecting and analyzing metrics, making it ideal for monitoring infrastructure and application performance. It provides a powerful query language (PromQL) for querying and analyzing metric data. The tool uses a time series database to store metric data, making it efficient for storing and querying large amounts of data. The best part is that it can be configured to trigger alerts based on specific metric conditions, helping teams proactively address issues.

4. Zipkin

Zipkin is another popular distributed tracing system that provides similar capabilities to Jaeger. It is an open-source project with a large community of contributors. We can integrate it with a variety of systems, including Spring Cloud, Twitter Finagle, and Dubbo. The tool has a user-friendly interface that makes it easy to visualize and analyze traces.

Best Practices for Telemetry and Tracing

Let’s discuss in detail the best practices for telemetry and tracing.

1. Instrumentation

a. Strategic Placement

Carefully consider where to instrument your application to collect the most relevant data. For example, you may want to instrument at the entry and exit points of functions, around critical code paths, or at the boundaries of microservices.

b. Minimal Overhead

Aim to minimize the performance overhead of instrumentation to avoid impacting the application’s behavior. Use lightweight libraries and techniques to reduce overhead.

c. Context Propagation

Ensure that context is propagated correctly across distributed components to accurately track requests and dependencies.

2. Data Retention

a. Data Lifecycle

Determine the appropriate lifecycle for different types of telemetry data. Some data may need to be retained for a longer period for historical analysis, while other data may be discarded after a shorter duration.

b. Storage Costs

Consider the storage costs associated with retaining telemetry data. Implement strategies to optimize storage usage, such as data compression or partitioning.

c. Legal and Compliance Requirements

Ensure that data retention policies comply with relevant legal and regulatory requirements, such as data privacy regulations.

3. Visualization

a. Clear and Concise

Use visualization tools that can present telemetry and tracing data clearly and concisely. This includes charts, graphs, and dashboards that are easy to understand and interpret.

b. Anomaly Detection

Look for tools that can automatically detect anomalies or outliers in the data. This can identify potential issues or trends that may require further investigation.

c. Customizable Dashboards

Choose tools that allow you to create custom dashboards to visualize the specific metrics and data that are most relevant to your needs.

4. Alerting

a. Critical Metrics

Identify the critical metrics that you want to monitor and set up alerts for significant deviations from expected values.

b. Alert Thresholds

Carefully define alert thresholds to avoid false positives or missed alerts.

c. Notification Channels

Choose appropriate notification channels, such as email, SMS, or push notifications, to ensure that alerts are received promptly.

d. Alert Escalation

Implement escalation procedures to ensure that critical issues are addressed promptly, even outside of normal working hours.

5. Security

a. Data Encryption

Encrypt sensitive telemetry data both in transit and at rest to protect it from unauthorized access.

b. Access Controls

Implement strong access controls to restrict access to telemetry data to authorized personnel.

c. Regular audits

Conduct regular security audits to identify and address vulnerabilities in your telemetry infrastructure.

d. Compliance and Regulations

Ensure that your telemetry practices comply with relevant data privacy and security regulations.

Conclusion

Telemetry and tracing are essential tools for understanding and optimizing modern software systems. Organizations can gain valuable insights into system performance, reliability, and behavior by effectively collecting, analyzing, and visualizing telemetry data. By adopting best practices and leveraging popular tools, teams can ensure that their applications deliver the desired performance and reliability.

I hope this article was helpful to you.

Please don’t forget to follow me!!!

Any kind of feedback or comment is welcome!!!

Thank you for your time and support!!!!

Keep Reading!! Keep Learning!!!

A Comprehensive Guide to Multi-Tenancy Architecture

Pragya Sapkota — Mon, 02 Sep 2024 09:10:13 +0000

As cloud computing and Software as a Service (SaaS) models rapidly dominate the software landscape, multi-tenancy architecture has become increasingly important. As the name suggests, muti-tenancy allows “tenants” or customers to share a single instance of a software application while keeping their data and configurations separate and secure.

What is multi-tenancy?

Multi-tenancy is an architectural approach where a single instance of a software application simultaneously serves multiple tenants or customers. Each tenant can be an individual user, a group of users, or an entire organization. However, despite sharing the same underlying infrastructure and application code, each tenant’s data, preferences, and customizations remain isolated from others. Imagine it like a shared apartment building where multiple tenants reside in separate units, but they all share common infrastructure like the building itself, hallways, and elevators. This is a key feature that makes multi-tenancy both efficient and secure.

Why should we use multi-tenancy?

1. Cost-Efficiency

Since multi-tenancy maximizes the utilization of available infrastructure and reduces operational costs compared to running separate instances of an application for each tenant, the cost is reduced for both the provider and the customers.

2. Scalability

It’s easier to scale an application with multi-tenancy architecture. It is designed in a way to accommodate increasing numbers of users and data. Since the resources are shared, adding new tenants typically requires fewer additional resources compared to a single-tenant environment.

3. Simplified Management

It is easier to manage a single codebase serving multiple tenants, updates, and bug fixes. These can be applied once, benefiting all tenants simultaneously. This is so much simpler to maintain.

4. Resource Optimization

Muti-tenancy optimizes the use of computing resources like CPU, memory, and storage, which are shared across multiple tenants. This leads to better resource utilization and reduced waste.

5. Faster Time-to-Market

We can onboard more new tenants more quickly, accelerating time-to-market which can be beneficial.

How Does Multi-Tenancy Work?

Multi-tenancy can be implemented in many ways, depending on the requirements of the application and the nature of the tenants. Let’s check out some of the common models.

1. Shared Database, Shared Schema

This model allows the tenants to share the same database and schema. Data from different tenants is differentiated by a tenant identifier. While this model is the most resource-efficient, it also requires strict access controls to ensure data isolation. This makes this model an issue for some.

2. Shared Database, Separate Schemas

Unlike the earlier model, here, tenants share the same database but each has a separate schema. The best part is — it provides a higher degree of isolation but it does so at the expense of increased complexity in managing multiple schemas.

3. Separate Databases

In a separate database model, each tenant gets their dedicated database. This provides the highest level of data isolation and security but at a higher cost in terms of resources and maintenance.

4. Hybrid Models

Some architectures use a hybrid approach, combining elements of the above models to balance cost, performance, and isolation based on the specific needs of the application and its tenants.

Types of Multi-Tenancy

There are multiple types of multi-tenancy architectures. Let’s discuss some:

1. Tenant Isolation

Physical Isolation

Each tenant has its own dedicated hardware or virtual machine. This offers us the highest level of security but can be a little expensive.

Logical Isolation

In this model, tenants share hardware or virtual machines, but their data is logically separated using techniques like database partitioning or virtualization. Since this approach balances its cost and security, they are very common these days.

2. Data Isolation

Full Isolation

Each tenant’s data is completely isolated, ensuring no data leakage.

Partial Isolation

Some data elements are shared across tenants, such as shared configuration settings or common data models.

Key Considerations for Multi-Tenancy

While choosing the model for multi-tenancy architectures, we need to consider a few things:

1. Security

We should look for good security measures to protect tenant data, including access controls, encryption, and regular audits.

2. Performance

Next, optimizing the application to handle multiple tenants efficiently helps avoid performance bottlenecks.

3. Scalability

Designing the architecture to accommodate growth and dangle increasing workloads can go a long way.

4. Tenant Management

We also need to provide effective tools and processes for tenant onboarding, management, and offboarding.

5. Data Privacy and Compliance

We must also ensure compliance with relevant data privacy regulations and industry standards.

Best Practices for Implementing Multi-Tenancy

1. Strong Access Controls

Implementing robust authentication and authorization mechanisms to make sure that tenants can only access their data and resources.

2. Data Encryption

Encrypting data both at rest and in transit to protect sensitive information.

3. Tenant-Aware Logging and Monitoring

Maintaining separate logs for each tenant to make sure that the issues can be traced back to the correct tenant without exposing sensitive information from other tenants.

4. Scalability Planning

Designing the system with scalability in mind, ensuring that it can handle a growing number of tenants without compromising performance.

5. Regular Security Audits

Conducting regular security audits to identify and address potential vulnerabilities in the multi-tenant environment.

Common Use Cases of Multi-Tenancy

1. Software-as-a-Service (SaaS) Applications

Many SaaS providers use multi-tenancy to deliver their applications to multiple customers.

2. Platform-as-a-Service (PaaS) Providers

PaaS platforms often offer multi-tenancy to enable developers to deploy and manage their applications.

3. Infrastructure-as-a-Service (IaaS) Providers

IaaS providers may use multi-tenancy to share physical or virtual resources across multiple customers.

Challenges of Multi-Tenancy

There are some challenges of multi-tenancy architecture:

1. Data Security and Privacy

It is a critical challenge to ensure that each tenant’s data remains secure and private in a multi-tenant environment. Any breach could affect multiple tenants, making security measures and access controls essential.

2. Performance Isolation

When in a shared environment, the performance of the application can be impacted by the activity of other tenants. It is important to integrate mechanisms to make sure that one tenant’s heavy usage doesn’t degrade the performance of others.

3. Customization

We have a shared environment where every tenant has different needs in a multi-tenant architecture. However, we need enough flexibility for customization without compromising the shared nature of the architecture which can be challenging.

4. Complexity in Management

Managing a multi-tenant environment is inherently more complex than managing a single-tenant environment. This includes everything from data segregation and security to tenant onboarding and monitoring.

Conclusion

Multi-tenancy offers a compelling architecture that brings us significant advantages in terms of cost efficiency, scalability, and maintenance. As cloud computing and SaaS continue to dominate the industry, multi-tenancy can be efficient in looking for a broad customer base.

I hope this article was helpful to you.

Please don’t forget to follow me!!!

Any kind of feedback or comment is welcome!!!

Thank you for your time and support!!!!

Keep Reading!! Keep Learning!!!

Chaos Engineering: Embracing Uncertainty

Pragya Sapkota — Sun, 18 Aug 2024 12:58:23 +0000

Web applications are getting more complex and interdependent by the day. This means we need to make sure that our web applications are resilient. But how do we do that?

Chaos Engineering!

One of the most innovative approaches in system design, Chaos Engineering will intentionally inject failures into systems to ultimately identify any underlying weaknesses. This makes the system resilient by fortifying systems against unexpected disruptions.

Let’s learn the principles, practices, and benefits of chaos engineering.

What is Chaos Engineering?

Chaos Engineering is the discipline of experimenting on a system in production to build confidence in its capability to withstand turbulent and unexpected conditions. Netflix started it to ensure that their streaming service always does good, particularly during peak times.

The fundamental idea of Chaos Engineering is to simulate random failures and observe how the system responds, thereby identifying and rectifying potential vulnerabilities before they cause significant issues.

The Principles of Chaos Engineering Guide

Several key principles guide Chaos Engineering. Let’s take a look at some of them:

1. Hypothesis-Driven Experimentation

While developing a system, we as developers must formulate hypotheses about how the system will behave under certain conditions. This step must be done before injecting chaos into the system. We can understand the expected versus actual outcomes of the experiment via this approach.

2. Gradual Introduction of Chaos

Start small and gradually increase the level of disruption. This principle helps ensure that experiments’ impact is manageable and doesn’t cause widespread outages.

3. Automated Experiments

Automate the chaos experiments to ensure consistency and repeatability. Automation allows for regular and frequent testing, which is crucial for maintaining system resilience.

4. Continuous Improvement

Chaos Engineering is not a one-time activity. It requires continuous iteration and improvement based on the findings from each experiment.

Implementing Chaos Engineering

There are several steps we need to follow while implementing Chaos Engineering:

1. Identify Steady State Behavior

First, we need to determine what normal operation looks like for our system. Without this, we cannot identify deviations caused by chaotic experiments. So, we need to define key metrics like response time, error rates, and throughput.

2. Formulate Hypotheses

Based on the steady-state behavior, we hypothesize how the system will react to different failure scenarios. For example, “If we shut down one of the database nodes, the application should automatically reroute traffic to another node without affecting the system performance.”

3. Design Experiments

Next, we design chaos experiments to test this hypothesis. This might involve shutting down servers, introducing network latency, or simulating hardware failures.

4. Execute Experiments

We now conduct the experiences in a controlled manner. Of course, we start with a staging environment before moving to production to minimize risk.

5. Analyze Results

After the experiments, we compare the system’s behavior during the experiment to the hypothesized behavior to identify any discrepancies and potential vulnerabilities.

6. Mitigate and Iterate

After implementing fixes for the previously identified issues, we iterate the process. With each cycle of experimentation and improvement, the system has enhanced resilience.

Tools for Chaos Engineering

There are tools for chaos engineering that can help us identify and improve our systems' weaknesses. It is beneficial to use them since they help us save time and be efficient. Let’s see some of them:

1. Chaos Monkey

Developed by Netflix, Chaos Monkey is an open-source chaos engineering tool that randomly terminates instances in production to ensure that services can handle failures gracefully. It was made to test the reliability and resiliency of Netflix; now we can use it on our system. One of the best parts here is that we can check for outages before deployment and write or edit code accordingly. It was also one of the first chaos engineering tools to initiate the method. We will not require any commercial license or cost to use Chaos Monkey as it is an open-source software.

2. Gremlin

A comprehensive platform for Chaos Engineering, Gremlin allows for the simulation of various failure scenarios in the system. These scenarios include CPU spikes, memory leaks, and network outages. It was the first hosted chaos engineering platform designed to improve web-based reliability. The software is efficient in pinpointing various software weaknesses to minimize revenue loss and negative systematic impacts. However, its pricing ranges from per-agent pricing to attacks per target to support the frequency of testing required by a team.

There are many other Chaos Engineering Tools like Chaos Toolkit, Simian Army, LitmusChaos, and Harness Chaos Engineering Powered by Litmus. But we can research them individually for our particular requirements.

Benefits of Chaos Engineering

Several benefits of chaos engineering extend beyond just identifying and mitigating vulnerabilities. Let’s discuss some of them:

1. Improved System Resilience

With chaos engineering, we regularly test and address system weaknesses, making it more robust and capable of withstanding real-world failures.

2. Enhanced Team Confidence

Knowing that the system has been tested against multiple failure scenarios helps build confidence among the engineering team and stakeholders.

3. Proactive Problem Solving

Chaos Engineering shifts the focus from reactive firefighting to proactive problem-solving, reducing the impact of incidents.

4. Better Incident Response

The constant injection of failures into the systems gives us a deeper understanding of the system’s behavior under failure conditions. As a result, our teams can respond more effectively to real incidents.

5. Cultural Transformation

Chaos Engineering fosters a continuous learning and improvement culture, encouraging us to embrace failure as a path to growth.

Real-World Applications

In today’s time, several popular organizations have successfully implemented chaos engineering to enhance their system resilience. Some of the examples are given below:

1. Netflix

Netflix is the pioneer of Chaos Engineering. They use tools like Chaos Monkey and Simian Army to ensure their streaming service remains reliable, even during peak times.

2. Amazon

Amazon has also used chaos experiments to test the resilience of its cloud infrastructure. This ensures that AWS services can handle disruptions seamlessly.

3. Google

Google also uses chaos engineering to validate the robustness of its distributed systems, making sure that services like Gmail and YouTube remain available under various failure conditions.

4. Microsoft

We can also see Microsoft integrating Chaos Engineering into their development lifecycle, particularly for Azure services, to identify and mitigate potential vulnerabilities.

Challenges and Considerations

While chaos engineering offers us numerous benefits, it also brings some challenges and considerations:

1. Risk Management

There are inherent risks of injecting failures into a production system. Hence, we must manage these risks by starting small, using staging environments, and gradually increasing the scope of experiments.

2. Cultural Resistance

With Chaos Engineering, we may face some resistance from teams accustomed to traditional approaches. We would require strong leadership and a culture that can embrace experimentation and learning to deal with this kind of resistance.

3. Tool and Automation

Effective chaos engineering needs robust tooling and automation. Investing in the right tools and integrating them into the development pipeline is essential for success.

4. Monitoring and Observability

Comprehensive monitoring and observability are crucial for detecting and analyzing the impact of chaos experiments. Make sure that the system has sufficient monitoring coverage before experimenting.

Future of Chaos Engineering

Despite these challenges, the future of Chaos Engineering looks promising with several trends and advancements on the horizon.

1. Integration with CI/CD Pipelines

Since organizations are slowly adopting DevOps practices, integrating Chaos Engineering into continuous integration and continuous delivery (CI/CD) pipelines will become more prevalent. Ultimately, this will enable automated and continuous testing of system resilience.

2. AI and Machine Learning

Integrating AI and machine learning can enhance Chaos Engineering by predicting failure points and optimizing experiment design based on historical data.

3. Broader Adoption

As the benefits of Chaos Engineering become more widely recognized, its adoption will spread beyond tech giants to smaller organizations and various industries, including finance, healthcare, and telecommunications.

The Bottom Line

Chaos Engineering is a paradigm shift in how we approach system resilience. By proactively identifying and addressing vulnerabilities through controlled chaos, organizations can build more robust systems capable of withstanding real-world disruptions. While it requires careful planning, robust tooling, and a cultural shift, the benefits of Chaos Engineering make it a valuable practice for any organization committed to delivering reliable and resilient software systems. So let’s together embrace the chaos and turn uncertainty into an opportunity for growth and improvement.

I hope this article was helpful to you.

Please don’t forget to follow me!!!

Any kind of feedback or comment is welcome!!!

Thank you for your time and support!!!!

Keep Reading!! Keep Learning!!!

Everything we know about Chrome Dino Game: From Game Mechanics to the Hacks

Pragya Sapkota — Tue, 30 Jul 2024 15:18:57 +0000

A small dino-shaped creature appears on our screen whenever our device is disconnected from the internet. The creature is a pixelated Tyrannosaurus Rex that runs forward to avoid objects like cacti and pterodactyls, a specific type of pterosaur from the group Pterosauria.

The game works when we click space after the screen appears and the T. Rex starts running and it goes on until the creature hits one of the objects that runs towards it. We are limited to cacti as foreign objects till we cross the score of 500 after which we can also get pterodactyls flying towards us. The difficulty level gradually increases and after we cross 700, the standard mode changes to dark mode and changes back to standard after 1400. This happens every multiple of 700.

We can pause the gameplay with Alt or F11 which also helps us switch to full-screen. Afterward, we can click the screen and resume the game.

History of Dino Game

The Chrome Dino game is a browser game developed by Google and integrated into the Google Chrome web browser. The dinosaur represents a joke that not having an internet connection is just like living in the prehistoric Jurassic age with no technology. The members of the Chrome UX team launched the game in September 2014 with designers Sebastien Gabriel, Alan Bettes, and Edward Jung. Originally, the game wasn’t supported on older devices which is why the team updated the code and re-released it in December 2014. Apart from these, pterodactyls were also only added with a browser update in 2015. The source code of the game is available on Chromium.

Accessing the game

The game can be accessed in three ways:

Turn off the internet on your computer and then input a URL in the address bar.

Type chrome://dino on the browser.

Type chrome://network-error/-106 on the browser.

The Scoring System

The primary factor in determining our score in the Chrome dino game is how far the dinosaur runs. This means that the longer the dinosaur survives, the higher our score will be. As the game progresses, the dinosaur’s speed increases, resulting in a faster accumulation of points.

Hacks to master the game

After starting the game, the difficulty level is gradually increased. This means that the speed and frequency of the obstacles increase. But we needn’t worry!!

Let’s discuss some hacks that we can use to master the game.

Step one is to open the game in any of the ways mentioned above.
Next, we need to open Chrome DevTools. We can open it by clicking right anywhere on the screen and selecting inspect from the menu that appears. Then, we need to select the tab “Console”.

Alternatively, we can press Ctrl+Shift+I and jump straight to the console tab without the hassle.

Now that we are in this space, we have three options:

To increase speed
To increase the jump strength
To be invincible

While we suggest you apply all, it’s important to know the working of all the commands. If we decide to opt for all three, we must first go for the option to be invincible because it might be a little harder to control when only the speed and jump strength are increased.

The first line of code to enter in the console tab for invincibility is:

let x = Runner.prototype.gameOver

The second line must be:

Runner.prototype.gameOver = function (){}

After pressing enter in the second line, we will see f(){} in the next.

For speed,

Runner.instance_.setSpeed(speed)

For jump,

Runner.instance_.tRex.setJumpVelocity(jumping_height)

Stopping the Game After the Hack

When we apply the invincibility hack, the game keeps on going and we are going to need to stop the game at some point. Here, we restore the original gameOver function.

Runner.prototype.gameOver = x

What does this code do?

When the game is over coming into contact with a cactus or bird, Runner.prototype.gameOver() is called and the action is triggered. In this case, we will hear a sound and the game stops and the game over message appears.

But we will replace the gameOver function with an empty function with our code. This means that instead of hearing the sound, called the gameOver function, and the appearance of the message, nothing happens upon collision, allowing us to can keep running.

I hope this article was helpful to you.

Please don’t forget to follow me!!!

Any kind of feedback or comment is welcome!!!

Thank you for your time and support!!!!

Keep Reading!! Keep Learning!!!

Beyond Money: The Impact of Enabling Widespread NFT Minting

Pragya Sapkota — Sat, 08 Jun 2024 08:16:49 +0000

The concept of Blockchain and NFT is rapidly revolutionizing the whole web landscape. Non-fungible tokens (NFTs) are transforming the digital ownership aspect day by day and while most people grasp the idea of how these tokens work, some are still confused about the whole concept.

In today’s blog, you will learn some fundamentals of NFT minting that can get you started on the concept. We will also get into the process of creating and issuing non-fungible tokens (NFTs) more accessible and user-friendly for creators and users, i.e., enabling widespread NFT minting.

What is NFT?

Non-fungible tokens (NFTs) are the cryptographic assets representing ownership and proof of authenticity of any unique digital item or piece of content. Unlike fungible cryptocurrencies like Bitcoin and Ethereum, NFTs are unique and in no way the tokens are interchangeable and equal in value. Each NFT has distinct properties and cannot be replicated or replaced. Each of the tokens holds metadata that includes details about the item it represents like its creator, creation date, and a unique identifier.

Over the past few years, NFTs have gained immense popularity and transcended the boundaries of traditional finance to permeate numerous economic sectors.

How do NFTs work?

Blockchain is a decentralized digital ledger that stores all the transactions in a chain of computers. NFTs are built across a network of computers that helps ensure the authenticity, ownership, and provenance of each token. We can mostly see NFTs on Ethereum where smart contracts are used to facilitate transactions. Smart contracts are self-executing contracts with the terms of the agreement written into the code itself. These contracts automate the minting process, ownership transfer, and transaction records on the blockchain.

What is NFT Minting?

NFT minting is a process of creating and issuing a new token. The process involves creating a unique digital asset and tokenizing it on a blockchain for transparency and authenticity of the item. In today’s date, most people prefer Ethereum for minting since it is widely accepted and also because it provides vigorous smart contracts. Other blockchain platforms like Tezos also support NFT minting.

Metadata containing the information about the digital item is attached to the token when the NFT is being minted. There are some token standards on Ethereum ERC-721 and ERC-1155 based on which the NFT minting can be done. The standard ERC-721 represents a single digital asset that is unique and indivisible and ERC-1155 represents multiple copies of an item or a collection of multiple items.

Minting an NFT also involves gas fees that can vary across network congestion and the complexity of the smart contract. These fees are only transaction fees used to compensate miners for validating and processing transactions on the network. While you are minting NFTs, you can have the option to embed royalty mechanisms into the smart contracts governing your NFTs so you can earn a percentage of the sale price each time the NFT is sold or transferred to a new owner in the secondary market. After completing the process, you can list your tokens for sale on various NFT marketplaces like OpenSea, Rarible, SuperRare, etc.

Finally, you should be aware of legal and copyright implications during the process if the asset holds any copyrighted materials or if there are disputes over ownership rights.

Step-by-step guide to the minting process

Here is a detailed guide to the minting process. We will deploy our smart contract on the Ethereum Sepolia Testnet. To get started, you need to install the MetaMask browser extension and some test ETH from QuickNode Multi-Chain Faucet. You need to connect the wallet and if you have 0.001ETH on the Mainnet, you can use the EVN faucets. Let’s see the steps one by one.

Open the terminal and start an IPFS repo

ipfs init

Open a separate terminal and start an IPFS daemon

ipfs daemon

Go back to the first terminal and add the image there with the .png file extension

ipfs add image.png

Copy the has that starts with Qm and add https://ipfs.io/ipfs. It will look something like https://ipfs.io/ipfs/QmPEVVUjuRi14T71sDttOzG4aodg
Create a JSON file with the name nft.json and save it in the same directory as the image in step 3

{
“name”: NFT Image”’
“description”: “This image shows the nature of NFT.”
“image”: “https://ipfs.io/ipfs/QmPEVVUJURI14T71sDttOzG4aodg”
}

Add the JSON file

ipfs add nft.json

Take the hash with Qm and prefix it with https://ipfs.io/ipfs. It will then look like https://ipfs.io/ipfs/QmIFnTguOpT51Bpahepn7BYU This URL will now be used to mint our NFT.
We will use OpenZeppelin ERC-721 contract for NFT creation and we do not need to write the whole interface but we can import the library contract and use its functions. Open Ethereum Remix IDE to create a Solidity file named Token.sol and paste this code into the script:

//SPDX-License-Identifier: MIT
//pragma solidity ^0.8.20;

import “@openzeppelin/contracts@5.0.0/token/ERC721/ERC721.sol”;
import “@openzeppelin/contracts@5.0.0/token/ERC721/extensions/ERC721URIStorage.sol”;
import “@openzeppelin/contracts@5.0.0/token/ERC721/extensions/ERC712Burnable.sol”;
import “@openzeppelin/contracts@5.0.0/access/Ownable.sol”;

contract myToken is ERC721, ERC721URIStorage, ERC721Burnable, Ownable {
       constructor(address initialOwner)
              ERC721(“MyToken”, “MTK”)
              Ownable(initialOwner)
       {}
       function safeMint(address to, uint256 tokenID, string memory uri)
               public
               onlyOwner
       {
             _safeMint(to, tokenID);
             _setTokenURI(tokenID, uri);
}
// overrides required by Solidity

   function tokenURI(uint256 tokenID)
       public 
       view
       override(ERC721, ERC721URIStorage)
       returns (string memory)
   {
         Return super.tokenURI(tokenID);
    }
    function supportsInterface(bytes4 interfaceID)
        public
        view
        override(ERC721, ERC721URIStorage)
       returns (bool)
   {
          Return super.supportsInterface(intergaceID);
     }
}

Now, use the OpenZeppelin ERC-721 contract and import the library contract to use its functions.
Get to Ethereum Remix IDE to create a new Solidity file with the new token name like — NewToken.sol
Prepare your Solidity script

//SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import “@openzeppelin/contracts@5.0.0/token/ERC721/ERC721.sol”;
import “@openzeppelin/contracts@5.0.0/token/ERC721/extensions/ERC721URIStorage.sol”;
import “@openzeppelin/contracts@5.0.0/token/ERC721/extensions/ERC721Burnble.sol”;
import “@openzeppelin/contracts@5.0.0/access/ownable.sol”;

contract MyToken is ERC721, ERC721URIStorage, ERC721Burnable, Ownable {
        constructor(address initialOwner)
                ERC721(“NewToken”,”MTK”)
                Ownable(initialOwner)
       {}

Function safeMint(address to, uint256 tokenId, string memory uri)
        Public 
        onlyOwner
{
       _safeMint(to, tokenID);
       _setToeknURI(tokenID, uri);
}
// overrides required by Solidity

function tokenURI(uint256 tokenID)
      public 
      view
      override(ERC721, ERC721URIStorage)
      returns (string memory)

{
          Return super.tokenURI(tokenID);
}


function supportsInterface(bytes4 interfaceId)
         public
         view
         override(ERC721, ERC721URIStorage)
         returns (bool)
    {
         return super.supportsInterface(interfaceID);
     }
}

This code will now create a custom ERC721 token contract named NewToken so we as the contract owners can mint new tokens with metadata URIs and the support for the necessary interfaces defined by the ERC721 standard.
You now need to customize the contract with your details for a more personalized experience. You can update the token name with the line

ERC721(“NewToken”,”MTK”)

After the completion, you can compile the smart contract and deploy it with the Injected Provider before pasting your wallet address into the box just near the Deploy button to define the initialOwner inside the constructor function.
You need to click Deploy on Remix.IDE
Select the appropriate contract under the contract tab to avoid an error message before deployment.
Confirm the transaction in the MetaMask wallet and then go to the Deployed Contracts section in the IDE and see the functions/methods.
Check the safeMint function and add your wallet address in the _to field.
Under the safeMint function, enter a big number value in the _tokenId field and it is usually better to use “1” as it represents the first token.
Input the URI of the previously prepared JSON file in the _uri field.
Click on Transact and confirm the transaction from MetaMask.
You have your NFT on the Sepolia chain. Check the metadata with tokenId.

Enabling Widespread NFT Minting

There are many aspects of the concept where you can try to create tokens that are more accessible and user-friendly for the creators and users. Let’s see them one by one in different parts.

1. Enabling Widespread NFT Minting to simplify the process

a. User-friendly Interfaces

With the creation of NFT minting platforms that are both intuitive and easy to navigate, even users with no prior blockchain experience can have no trouble using them. Some of the interface’s features include drag-and-drop interfaces, clear instructions, and pre-built templates.

b. Wallet Integration

Integrating crypto wallets directly into the minting platform can eliminate the need for users to manage private keys or transfer funds between wallets.

c. Fiat on-ramps

Next, allowing users to pay for minting fees with traditional currency or fiat using credit cards or debit cards can help you remove the barrier for those who are not comfortable using cryptocurrency.

2. Enabling Widespread NFT Minting to reduce costs

a. Layer 2 solutions

We can use Layer 2 scaling solutions on top of blockchains so the gas fees associated with minting NFTs can be reduced. With these layer 2 solutions, we can handle transactions off the main blockchain, making them faster and cheaper.

b. Alternative blockchains

Moreover, we can explore all alternative blockchains that were designed for NFTs with lower transaction fees than Ethereum like Tezos and Solana.

3. Enabling Widespread NFT Minting to Encourage Creators

a. Royalties

You can also build royalty structures into the minting process so the creators can earn a percentage of every future sale of their NFT. Statistically, it has been shown that this incentivizes creators to participate in the NFT ecosystem.

b. Community Building

Integrating features that creators can use to connect their audience and build communities around their NFTs can go beyond for the long term. This means we need to have forums, chat rooms, and exclusive content for NFT holders.

4. Enabling Widespread NFT Minting for Education and Awareness

a. Educational Resources

Finally, we can hold clear and concise educational resources that will explain the definition and potential use cases of NFT alongside the minting process. You can upload regular blogs, tutorials, and video guides within the resources.

b. Highlighting Success Stories

You can also showcase your successful NFT projects and creators can inspire others to participate and demonstrate the potential benefits of NFTs.

Potential Drawbacks of Enabling Widespread NFT Minting

There are some potential drawbacks to the widespread adoption.

Environment Impact

The energy consumption of some blockchains used in NFTs can be significant and this raises concerns for the environmental impact. We can, however, look for solutions to address this concern.
Market Volatility

Since the NFT market is still relatively new and volatile, investors need to be aware of the risks involved. This way the decision will be informed and educated.

Conclusion

The bottom line is that widespread NFT minting brings immense potential to empower creators, open new avenues for ownership, and fuel innovation across various industries. As we move forward, prioritizing education, fostering collaboration, and developing responsible practices, can be the key to ensuring that widespread NFT minting fosters a thriving digital future.

I hope this article was helpful to you.

Please don’t forget to follow me!!!

Any kind of feedback or comment is welcome!!!

Thank you for your time and support!!!!

Keep Reading!! Keep Learning!!!

Canary Release: For Deployment Success

Pragya Sapkota — Fri, 29 Sep 2023 09:06:53 +0000

For a software developer devoted to software development and continuous delivery, ensuring a smooth development process is important while minimizing the risk of failure. To achieve this balance, Canary Release has been the most popular technique over the last few years. This blog will discuss what Canary Release is, its benefits, and how it can be effectively implemented in your development pipeline.

What is a Canary Release?

Canary Release can be defined as a deployment strategy that you can use to introduce new features or updates to a small subset of your user base before rolling them out to the entire user population. The name canary was derived from the canaries in coal mines to detect toxic gases. In software development, canary release acts as an early warning system to help a developer identify potential issues or bugs in a controlled environment before they impact their entire user base.

The whole idea of Canary Release was created to minimize risk and gain confidence in the changes gradually. With initial exposure of users to the new version of the software, it gets easier to monitor its performance, gather feedback, and address any underlying issues before expanding the release to a wider audience.

Advantages of Canary Releases

1. Risk Mitigation

Canary Releases help reduce the risk associated with deploying new code. In case of any critical issues, they can be addressed quickly without affecting the majority of users.

2. Early Feedback

Developers can benefit from feedback from real users early in the deployment process. They can use it to identify usability issues, bugs, or performance problems that might have been missed during testing.

3. Improved Quality

With gradual deployments and continuous monitoring, developers can make the software quality higher. Since the issues are caught and resolved sooner, the final product becomes more stable and reliable.

4. Confidence Building

Canary Releases also build confidence in the release process and the changes being made. Teams can chill out with the new features and updates without disrupting the entire user base.

5. Rollback Capabilities

Any major issue detected during the Canary Release helps roll back to the previous version to minimize downtime and user impact.

Implementing a Canary Release

1. Feature Toggles

The feature toggles or feature flags help enable or disable specific features for a subset of users. Developers can get fine-grained control over what is exposed in the Canary Release.

2. Monitoring and Metrics

Developers can implement comprehensive monitoring and metrics to track the Canary Release’s performance. This includes application performance, error rates, and user feedback.

3. Gradual Rollout

Starting with a small percentage of users like 1–5% and monitoring their experience closely can help gradually increase the percentage of users exposed to the new version as confidence grows.

4. Feedback Loops

Establish feedback mechanisms for both users and development teams by encouraging users to report issues and provide feedback and ensuring that development teams are responsive to this input.

5. Automated Rollback

Setting up automated rollback procedures can help quickly revert to the previous version in case of critical issues or anomalies.

6. Communication

Communicate with your user base transparently so they can know about the Canary Release and the benefits it offers. Additionally, check if they can provide feedback or report problems.

Conclusion

In today’s world of software development, Canary Releases can be a powerful tool, allowing teams to reduce deployment risk, gather valuable feedback, and improve software quality. With gradual deployments and continuous monitoring, developers can make sure that their software changes are not only delivered faster but also with higher confidence in their success. As the technology continues to evolve, Canary Releases might get even better as a crucial strategy for achieving these goals.

I hope this article was helpful to you.

Please don’t forget to follow me!!!

Any kind of feedback or comment is welcome!!!

Thank you for your time and support!!!!

Keep Reading!! Keep Learning!!!

Lambda Architecture: Revolutionizing Data Processing for Big Data

Pragya Sapkota — Tue, 26 Sep 2023 10:51:56 +0000

We are living in a digital era where organizations deal with massive amounts of data generated from various sources. These data hold a huge potential for meaningful insights if processed correctly. It needs scalable and efficient data processing systems to harness this power and Lambda Architecture is one such approach with high prominence to handle large data volumes. It ensures fault tolerance and real-time processing capabilities that have benefited many organizations over the last few years.

What is Lambda Architecture?

Lambda Architecture is a data processing architecture that can handle large amounts of data in a fault-tolerant and scalable way. The architecture gets its name from the Greek letter lambda (λ), which signifies a function that transforms input data into output data.

Traditional databases and processing systems often struggle with the sheer volume, velocity, and variety of data generated in today’s digital landscape. They were originally designed for batch processing which makes them ill-equipped to provide real-time or near-real-time insights.

The concept of Lambda Architecture was first introduced in the book “Big Data: Principles and Best Practices of Scalable Realtime Data Systems” by Nathan Marz. It addressed the above challenges and provided a robust framework that can process large-scale data, making it suitable for applications ranging from social media analytics and e-commerce recommendation systems to fraud detection and IoT sensor data processing. It combines both batch processing and stream processing methods to make the data processing reliable and fast.

There are three main layers in Lambda Architecture:

Batch Layer
Serving Layer
Speed Layer

Let’s discuss these layers briefly:

1. Batch Layer

The first layer batch handles the process of storing and processing historical data in a batch-oriented fashion. With technologies like Hadoop MapReduce and Apache Stark, the batch layer performs large-scale batch processing jobs to generate batch views. Next, the batch views are precomputed and stored in a distributed file system or a NoSQL database.

Batch Layer can handle massive amounts of historical data efficiently without disturbing data consistency and fault tolerance. However, it is not suitable for real-time data processing.

2. Serving Layer

The serving layer is responsible for serving query results to users and applications in real-time. It uses the previously generated batch views from batch layers and uses databases like Apache HBase and Cassandra for quick data retrieval. The layer also provides low-latency access to query results.

3. Speed Layer

Lastly, we have the speed layer to address the need for real-time processing and incoming data. With technologies like Apache Kafka or Apache Flink, it ingests and processes streamlining data in near-real-time. The result is usually combined with those from the serving layer to provide up-to-date query results.

Why choose Lambda Architecture?

There are some reasons why you should choose lambda architecture for big data processing:

1. Scalability

Lambda Architecture is highly scalable and lets organizations handle growing volumes of data with additional computational resources.

2. Fault Tolerance

The architecture also brings redundancy and fault tolerance mechanisms that maintain data integrity and system reliability even when there are hardware failures or other issues.

3. Real-Time Processing

With the combination of batch and real-time processing, organizations can derive insights from historical and real-time data simultaneously.

4. Flexibility

Being a technology-agnostic architecture, it lets you choose the best-suited tools and technologies for specific use cases within each layer of the architecture.

5. Consistency

Batch views give a consistent and reliable source of truth for queries.

Challenges in Lambda Architecture

Though there are numerous benefits, lambda architecture also brings some challenges and considerations:

1. Complexity

Lambda Architecture can be complex to implement since it requires expertise in multiple tools and technologies.

2. Maintenance Overhead

With multiple layers, it might be hard to manage them and ensure synchronization. This can be resource-intensive which is a challenge for many.

3. Latency

Though the speed layer provides near-real-time processing, you can still experience some latency while delivering results compared to fully stream-based systems.

4. Data Consistency

It might be challenging to maintain data consistency between batch and real-time views.

Conclusion

Lambda Architecture is one of the powerful approaches to big data processing with the ability to handle large volumes of data while offering real-time processing capabilities and fault tolerance. If the architecture is implemented correctly, it has the potential to empower organizations to unlock valuable insights from their data and make data-driven decisions. However, it needs some careful consideration according to the needs of your organization. This helps later when you implement and maintain the architecture before adopting it for big data processing tasks.

I hope this article was helpful to you.

Please don’t forget to follow me!!!

Any kind of feedback or comment is welcome!!!

Thank you for your time and support!!!!

Keep Reading!! Keep Learning!!!

Consensus Algorithms: Paxos and Raft

Pragya Sapkota — Sat, 23 Sep 2023 13:25:28 +0000

Consensus Algorithms are the foundation of distributed computing systems. It enables multiple nodes to reach an agreement on a shared value or decision. A distributed system expects multiple nodes and processes to cooperate for a common goal, whether it is maintaining a distributed database, replicating data across servers, or electing a leader in a cluster. Hence, consensus helps achieve agreement among the nodes and ensures that they all converge on the same value or decision.

There are two prominent consensus algorithms with widespread recognition in distributed systems:

Paxos
Raft

Let’s discuss the principles behind Paxos and Raft with their similarities, differences, and real-world applications.

Paxos: The Pioneer of Consensus

In 1989, Leslie Lamport proposed Paxos as one of the earliest consensus algorithms. It is highly resilient and fault-tolerant for reaching consensus in any distributed system. There are two protocols in Paxos, the Prepare and the Accept.

1. Prepare

A node called a proposer broadcasts a proposal to other nodes called acceptors. The latter replies with promises not to accept any proposal with a lower number. So, if a proposal with a higher number is received, the proposal must restart the process again.

2. Accept

When the proposer receives promises from a majority of acceptors, an acceptance request is sent. If the majority of acceptors accept the proposal, consensus is reached and the value is chosen.

Paxos is robust and can easily handle network failures, node crashes, and message losses. However, it is challenging to understand and implement correctly, resulting in the development of the Raft consensus algorithm.

Raft: The Understandable Consensus

To overcome the challenges of Paxos, Diego Ongaro and John Ousterhout introduced Raft in 2013. It was designed with simplicity and understandability in mind so it could address some complexities of Paxos. In addition, it is more accessible to developers.

The core principles of Raft are leader election, log replication, and safety. The leader node is selected among the participants and it manages the log of commands and replicates it to other nodes. In case of a failure, a new leader is elected.

Some of its key features are leader leases that reduce the risk of split votes and electric churn, and the separation of leader election and log replication, which simplifies the algorithm.

Real-World Applications of Distributed Systems

1. Distributed Databases

Consensus algorithms are important for distributed databases like Apache Cassandra and etcd, where data consistency is vital.

2. Distributed File Systems

Hadoop’s HDFS and Google’s Cloud Spanner use consensus algorithms to manage distributed file storage.

3. Container Orchestration

Kubernetes uses etcd with the Raft algorithm to manage cluster state.

4. Blockchain

Blockchain networks like Bitcoin and Ethereum use consensus algorithms to ensure agreement on the state of the blockchain ledger.

Consensus algorithms play a crucial role in distributed systems. There are multiple nodes to agree on shared values and decisions to bring reliability and fault tolerance. Paxos and Raft have their areas to shine on — while Paxos is known for its resilience, Raft brings forth simplicity and ease of understanding. These algorithms are really important for engineers and developers working on distributed systems and technologies.

I hope this article was helpful to you.

Please don’t forget to follow me!!!

Any kind of feedback or comment is welcome!!!

Thank you for your time and support!!!!

Keep Reading!! Keep Learning!!!

API Gateway

Pragya Sapkota — Tue, 19 Sep 2023 11:11:21 +0000

We have API management tools that help create a bridge between a client and the backend services. As the name gateway itself suggests, this is an entry point to get into the system so that the clients can have a well-tailored API. Apart from these, an API gateway is responsible for authentication, monitoring, load balancing, caching, throttling, logging, etc. With the APIs provided by different microservices, the clients can easily interact with multiple kinds of services.

The main purpose of an API gateway is to create an entry point that lets the clients in the system work with various features. Some common examples of API gateways are Amazon API Gateway, Apigee API Gateway, Azure Gateway, Kong API Gateway, etc.

Features of API Gateway

Service Discovery
Reverse Proxy
Caching
Load Balancing
Logging, Tracing
Retry and circuit-breaking
Rate Limiting and Throttling
Versioning
Routing
IP Whitelisting or blacklisting
Authentication and Authorization
API composition
Security

Advantages

The client code is simplified.
Some features like monitoring, analytics, tracing, etc.
The internal structure of an API is encapsulated.

Disadvantages

The configuration operations are challenging.
Performance might be affected.
A single point of failure can cause problems to find out.
Scaling should be done properly to avoid bottlenecks.

BFF Pattern

BFF stood for Backend for Frontend and was first introduced by Sam Newman. It can be defined as a pattern where we create separate backend services for a specific frontend interface. We can implement a BFF pattern if we wish to avoid customizing a single backend service for multiple interfaces.

However, the output might sometimes differ from the format of the front end. We can have the front end loaded with some logic to reformat the data so that the BFF can be used to shift some logic to the intermediate layer.

The pattern also gets the formats and sends the data after receiving it from the service. GraphQL is an excellent example of BFF performance.

There are some conditions where it would be a great deal if the BFF pattern is used.

If you want to optimize the backend to meet the expectations of a specific client.
If we need to customize general-purpose backends to accommodate multiple interfaces.
If the general-purpose backend must be maintained with substantial development overhead.

I hope this article was helpful to you.

Please don’t forget to follow me!!!

Any kind of feedback or comment is welcome!!!

Thank you for your time and support!!!!

Keep Reading!! Keep Learning!!!

SSL, TLS, and mTLS

Pragya Sapkota — Mon, 21 Aug 2023 09:46:13 +0000

System Design has many background concepts that might not sound so important but are always good to keep in mind. Similar concepts are some communication protocols like SSL, TLS, and mTLS.

SSL (Secure Sockets Layer)

SSL is a protocol that encrypts and secures communication happening over the internet. Though it was already developed in 1995, it has been deprecated in favor of Transport Layer Security (TLS). However, it is still called an SSL certificate because most of the significant certificate with SSL provides the certificate with the same name.

Why is SSL essential?

SSL was created so that not everyone can read the data transmitted during communication on the internet. It protects user privacy and doesn’t let anyone intercept the data.

This happens when SSL encrypts the data and stops possible cyber attacks when it prevents attackers in the transit itself.

TLS (Transport Layer Security)

As mentioned earlier, TLS is a deprecated version of SSL. It works for privacy and data security for communications over the internet between web applications and servers.

The components involved in TLS protocols are: -

Encryption

It hides the data so it can’t be transferred from or to third parties without proper authentication.

Authentication

It verifies whether the parties involved are who they claim to be.

Integrity

It verifies if the data have been tampered with.

mTLS (Mutual TLS)

Moving on, we have mTLS which means the parties at each end of the network connection need to be authenticated. It happens by checking that they all have the correct private keys. In addition, their individual TLS certificates add to the verification process.

Why use mTLS?

mTLS are commonly seen in microservice architectures and distributed systems in a zero-trust security model to verify each other. The mTLS ensures the secured traffic on both servers and the client’s part. It has an additional layer of security for the users who log in to the network or applications. Moreover, it verifies the connection with the client who has devices that don’t follow the login process as the Internet of Things (IoT).

I hope this article was helpful to you.

Please don’t forget to follow me!!!

Any kind of feedback or comment is welcome!!!

Thank you for your time and support!!!!

Keep Reading!! Keep Learning!!!

Virtual Machines and Containers

Pragya Sapkota — Sun, 13 Aug 2023 14:42:21 +0000

What is a Virtual Machine?

Virtual machines (VMs) are virtual environments that work as a system with all the requirements like CPU, memory, network interface, and storage. They are created on a physical hardware system with software called a hypervisor. It divides the resources and hardware separately, so they are prepared to be used by the machines.

On the system, the virtual machines are isolated from the rest and can be moved among the host servers according to the need. There can be multiple VMs in the same hardware — like a server.

Hypervisors

Hypervisors are also known as Virtual Machine Monitor (VMM) and isolate the OS, and the resources in the virtual machines. In addition, the hypervisors let on for creating and managing the VMs. All the resources in the devices such as CPU and memory act as a pool of resources so they can be relocated among the hosts or the new virtual machines (VMs).

Types of Hypervisors

1. Process Virtual Machines

Also called Bare Metal Hypervisors, process virtual machines operate on the host hardware directly by monitoring and managing the guest OS. We can usually see this hypervisor in business environments.

2. System Virtual Machines

Also called Hosted Hypervisors, system virtual machines run on physical host servers within the OS.

Why do we need virtual machines?

Server consolidation
Performance enhancement
To try a new OS
To clone a system to other machines
To run old and incompatible software
To develop software for various platforms
To manage the potential malware safely
To dismantle your system
To use the VM Snapshots
To test a new desktop
To separate the environment of the resources from the rest of the system
For easy transfer and migration on a network
For cost-effectiveness

Disadvantages of using a virtual machine

More resources are required.
High storage is required.
Video game players may not find it significant.

Containers

Containers are the software units with the logical packaging mechanism of the codes and dependencies like the runtime versions and libraries. With the help of containers, the application runs quickly and reliably from one computing environment to another. The applications are abstracted from the environment where they run making the deployment easy and consistent regardless of the target environment.

Why do we need containers?

Containers are flexible.
The responsibilities are separated — developers can work on application logic and dependencies and operations teams can work on deployment and management.
Containers can run virtually anywhere making it easy to develop and deploy — better workload portability.
Applications are isolated since the resources are virtualized.
Developers don’t need to worry about dependencies and environments.
The lightweight features let the developers use the computing resources according to the requirement.

Disadvantages of containers

They are not right for all kinds of tasks.
Application isolation is weaker.
There are limited tools in the containers.
Containers have the potential for sprawl.

Virtualization Vs. Containerization

Virtualization	Containerization
Virtual Machines are larger.	Containers are smaller in size.
A single machine can have multiple OS - so they appear as multiple machines.	The application is developed in the same OS under the environment - so the same machine works for multiple different environments.
The start-up time is higher than containers.	The start-up time is comparatively less.
Virtual machines are slower than containers since they have many resources.	Containers are faster.
The cost of implementation is very high.	The cost of implementation is lower than the VMs.
It works best for IT enterprise businesses.	It works best for software developers and related businesses.

DEV Community: Pragya Sapkota

Phishing: The Complete Guide to Cyber Deception and Protection

What is phishing?

A short history and evolution

Types of Phishing — What to Watch for

Mass (commodity) Phishing

Spear Phishing

Whaling

Business Email Compromise (BEC)

Smishing (SMS Phishing)

Vishing (Voice Phishing)

Clone Phishing

Quishing (QR Code Phishing)

Credential-harvesting Pages and Homograph Attacks

How Phishing Attacks Work — The Anatomy

Psychological Tactics Attackers Use

Notable Real-world Phishing Incidents (Brief Cases)

How to Detect Phishing — Practical Signs

Preventive Measures — Individuals

Preventive & Detective Measures — Organizations

Technical Controls

Organizational & human measures

Incident Response — A Concise Checklist

Consequences For Victims

Legal Consequences For Attackers

Recent Trends and What’s Coming Next (2023–2025)

Recommended Reading & Authoritative Resources

Practical Checklist — “Before you click” (Summary for individuals)

Final Words

References

Telemetry and Tracing: A Comprehensive Overview

What is Telemetry?

1. Data Collection

2. Data Transmission

3. Data Analysis

What is Tracing?

1. Distributed Tracing

2. Span Analysis

3. Dependency Analysis

Key Benefits of Telemetry and Tracing

1. Improved performance

2. Enhanced Reliability

3. Simplified Troubleshooting

4. Enhanced Decision-Making

Common Telemetry and Tracing Metrics

Request-Related Metrics

1. Response Time

2. Error Rates

3. Throughput

4. Latency

Resource-Utilization Metrics

1. CPU Usage

2. Memory Usage

3. Network Usage

4. Disk I/O

Custom Metrics

1. Business-specific metrics

2. Custom application metrics

Popular Telemetry and Tracing Tools

1. OpenTelemetry

2. Jaeger

3. Prometheus

4. Zipkin

Best Practices for Telemetry and Tracing

1. Instrumentation

a. Strategic Placement

b. Minimal Overhead

c. Context Propagation

2. Data Retention

a. Data Lifecycle

b. Storage Costs

c. Legal and Compliance Requirements

3. Visualization

a. Clear and Concise

b. Anomaly Detection

c. Customizable Dashboards

4. Alerting

a. Critical Metrics

b. Alert Thresholds

c. Notification Channels