Anuj Varma, Hands-On Technology Architect, Clean Air Activist
https://www.anujvarma.com/
Production Grade Technical Solutions | Data Encryption and Public Cloud Expert

Hashing and Loss of Information
Tue, 19 Nov 2024 21:54:37 +0000, https://www.anujvarma.com/hashing-and-loss-of-information/

Hashing and Loss of Information, Key Derivation

Hash functions lose information that is present in the input data. This is unavoidable when an input of arbitrary length is mapped to a fixed-length output hash value.

This loss of information makes it IMPOSSIBLE to reconstruct the original input data from the output hash value. It does not stop an attacker from guessing, though: a short or common input can still be found by hashing candidates and comparing the results, which is why the salt discussed below matters.

In addition, passwords are usually not hashed directly but run through a key derivation function built on a hash, which applies the hash many times with a configurable work factor; this further increases the cost of recovering the original input data.

The Avalanche Effect in hashing:

  • A good hash function exhibits the avalanche effect: a small change in the input data results in a large change in the hash value.
  • This prevents an attacker from learning anything about the input from the hash value, because similar inputs do not produce similar hashes.
  • In other words, even a one-character change in the input data should produce a completely different hash value, which further obscures the relationship between the input data and the hash value.

Salt:

In some cases, a salt is added to the input data before hashing.

  • The salt is a random value that is combined with the input data before it is hashed.
  • This makes it much harder for an attacker to recover the input by pre-computing a table of hash values for common inputs.
  • When a salt is used, the attacker would need to pre-compute a table of hash values for every possible salt value, which multiplies the computational effort required to guess the input data.

Hash and then Encrypt?
Fri, 15 Nov 2024 18:30:54 +0000, https://www.anujvarma.com/hash-and-then-encrypt/


Recently, I came across some code that did this. It makes no sense to do this.

Hashing an input before encrypting it with an algorithm like DES/AES is generally unnecessary. Here’s a breakdown of when and why you might or might not do this:

1. When It Does Make Sense

  • Data Integrity Verification: If you hash the input and send both the hash and the encrypted data, the recipient can decrypt the data, hash it again, and compare it to the transmitted hash. This detects corruption in transit; an attacker who can alter the data can also recompute an unkeyed hash, so for tamper resistance the hash itself must be protected, which is what the keyed MAC in section 3 provides.
  • Fixed-Length Input Requirement: If the encryption process or protocol has a requirement for fixed-length inputs, hashing (which produces a fixed-length output regardless of input size) could standardize the input size.

2. When It Does Not Make Sense

  • Loss of Original Data: A hash is a one-way transformation, meaning you cannot recover the original input from it. If the hash replaces the original data, the original content will be lost.
  • Added Complexity Without Benefit: Encrypting the raw data directly with DES achieves confidentiality. Hashing it first adds complexity but doesn’t inherently improve the encryption’s security.

3. Better Approaches

  • Encrypt-then-MAC: For ensuring both confidentiality and integrity, the standard approach is to first encrypt the data and then apply a Message Authentication Code (MAC) to the ciphertext.
  • Modern Encryption Standards: DES is outdated and considered insecure. You should use modern encryption algorithms like AES, which natively support modes (e.g., GCM, CCM) that provide both encryption and integrity.

Summary

Hashing before encrypting with DES only makes sense in specific use cases, such as ensuring integrity or meeting fixed-length requirements. Otherwise, it’s redundant and complicates the system without improving security.

Selling a put option in a BULL market – with Microstrategy (MSTR) as an example
Mon, 14 Oct 2024 02:46:54 +0000, https://www.anujvarma.com/selling-a-put-option-in-a-bull-market-with-microstrategy-mstr-as-an-example/

Trying to BUY MSTR – Selling a put option

MSTR is a runaway train. Once that stock starts going, it is hard to catch it. So – how does one still purchase it at a lower price?

Write a PUT option!

Put sellers (writers) have an obligation to buy the underlying stock at the strike price. The put seller must have either enough cash in their account or margin capacity to buy the stock from the put buyer. 

This works if you ACTUALLY WANT TO BUY the stock at a LOWER price. Keep in mind that in the bull trend, this may never happen. So – you still win though – by pocketing the premium (which is yours as long as the stock stays above the strike price).

Put sellers generally expect the underlying stock to remain flat or move higher. Put sellers make a bullish bet on the underlying stock and/or want to generate income.  

Stock FALLS BELOW THE strike Price?

If the stock declines below the strike price before expiration, the option is “in the money.” The seller will be put the stock and must buy it at the strike price. 

Stock STAYS ABOVE THE strike Price?

If the stock stays at the strike price or above it, the put is “out of the money,” so the put seller pockets the premium. (Note – you can keep repeating this strategy by writing another put on the stock to generate more income.)

Bull Market Comfort

In a bull market, stocks like the one above (MSTR) seem to follow an almost uninterrupted uptrend. This is good for a PUT writer who wants to a) get some income and b) catch the stock at a lower price, if it ever does fall.

Note that this sense of comfort does not exist in an overall BEAR market.

Covered Calls to generate income?

If one owns the underlying stock, one can also generate income by writing a CALL – a covered call – which is COVERED by your underlying asset. This means that if the stock ever reaches the strike price of your call option, you WILL have to give up your stock. Still – in a bull market, the chances of the stock falling enough to get to your strike price (pick a LOW strike price) are considerably low. Hence, this strategy works too (for income generation). Personally, I am averse to giving up ANY good stock in a BULL market, so I stick to the first option (WRITING a PUT).

Javascript Security Testing – Pen Tests, Static Code analysis and Threat Analysis
Wed, 25 Sep 2024 16:13:25 +0000, https://www.anujvarma.com/javascript-security-testing-pen-tests-static-code-analysis-and-threat-analysis/

Differences Between Static Code Analysis, Pen Testing, and Threat Analysis in JavaScript

When building software, ensuring security is paramount, especially when working with a widely used language like JavaScript. To achieve this, developers and security teams use various techniques, each targeting specific aspects of code security. In this post, we’ll explore the differences between static code analysis, penetration testing (pen testing), and threat analysis, using JavaScript code as a practical example.

1. Static Code Analysis

Static Code Analysis involves analyzing the source code without executing it. This method identifies potential vulnerabilities, bugs, or performance issues early in the development process. The analysis is performed by automated tools that scan through the codebase to find issues based on predefined rules.

What it Does:

  • Looks for insecure patterns, improper use of functions, or vulnerabilities like SQL injections, buffer overflows, or cross-site scripting (XSS).
  • Identifies best practice violations (e.g., poor error handling, lack of input validation).
  • Highlights syntax errors and unused variables.

Example in JavaScript:

let userInput = "<img src=x onerror=alert(1)>";  // Untrusted input
document.getElementById("output").innerHTML = userInput;

Here, an attacker could exploit this vulnerability for cross-site scripting (XSS) attacks. Static code analysis tools like ESLint with security plugins (e.g., eslint-plugin-security) can flag this as a potential issue.

Static Code Analysis Tools for JavaScript:

  • ESLint
  • SonarQube
  • JSHint
  • Snyk Code

Pros:

  • Quick to run and can be integrated into CI/CD pipelines.
  • Provides immediate feedback to developers.
  • Detects common vulnerabilities early in the development cycle.

Cons:

  • Cannot find runtime issues.
  • May produce false positives (flagging non-issues).

2. Penetration Testing (Pen Testing)

Penetration testing (commonly known as pen testing) is a security testing method where testers simulate real-world attacks on an application to find vulnerabilities. Unlike static code analysis, pen testing involves executing the application to see how it responds to various attack vectors.

What it Does:

  • Simulates real-world attack scenarios, testing how an attacker might exploit vulnerabilities in the live environment.
  • Finds issues that may not be detectable by simply scanning the source code.
  • Focuses on both front-end and back-end vulnerabilities, such as SQL injection, cross-site request forgery (CSRF), or insecure API endpoints.

Example in JavaScript:

// The client chooses the "role" value; anything in this body can be edited before it is sent
fetch("/api/update-user", {
    method: "POST",
    body: JSON.stringify({ username: "new_user", role: "admin" }),
    headers: { "Content-Type": "application/json" }
});

A penetration tester could try to manipulate the request body to elevate privileges (e.g., setting role: "admin" to gain unauthorized access).
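The two JavaScript examples above, as one added example that is not from the original post: a toy version of the pattern rule a static analyzer applies to the innerHTML sink, the safe rewrite of that sink, and a server-side handler that refuses the client-supplied role from the fetch example. The sink rules, field allowlist, and in-memory user map are assumptions for the demo.

```javascript
// Added example: a toy static-analysis rule for DOM XSS sinks, the safe
// rewrite of the innerHTML snippet, and a server-side handler that refuses the
// client-supplied "role" field from the fetch example.

// --- Static analysis: pattern rules applied to source text, never executed --
const SINK_RULES = [
  { id: "innerHTML-assign", re: /\.innerHTML\s*=/ },
  { id: "outerHTML-assign", re: /\.outerHTML\s*=/ },
  { id: "document-write", re: /document\.write\s*\(/ },
  { id: "eval-call", re: /\beval\s*\(/ },
];

// One finding per matching line: { line, id, text }.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const { id, re } of SINK_RULES) {
      if (re.test(text)) findings.push({ line: index + 1, id, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample: the post's vulnerable snippet plus its safe counterpart.
const SAMPLE_SOURCE = `let userInput = "<img src=x onerror=alert(1)>";
document.getElementById("output").innerHTML = userInput;
document.getElementById("output").textContent = userInput;`;

// Safe rendering of untrusted text: textContent stores the string verbatim and
// never parses it as HTML.
function renderUntrusted(element, userInput) {
  element.textContent = userInput;
  return element.textContent;
}

// --- Server side: authorization comes from the session, not the request body -
const SELF_EDITABLE_FIELDS = new Set(["username", "displayName"]);

// session: { userId, role } established by the server; body: parsed JSON from
// the client; users: Map of userId -> user record. Returns { ok, ... }.
function handleUpdateUser(session, body, users) {
  const user = users.get(session.userId);
  if (!user) return { ok: false, error: "unknown user" };
  const updates = {};
  for (const [field, value] of Object.entries(body)) {
    if (SELF_EDITABLE_FIELDS.has(field)) {
      updates[field] = value;
    } else if (field === "role") {
      // Only an administrator session may change roles; a client that sends
      // role: "admin" for its own account is rejected before anything is written.
      if (session.role !== "admin") return { ok: false, error: "role change forbidden" };
      updates.role = value;
    } else {
      return { ok: false, error: "unexpected field: " + field };
    }
  }
  Object.assign(user, updates);
  return { ok: true, updates };
}
```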

Pros:

  • Tests the entire application stack, including third-party services and configurations.
  • Finds security weaknesses in the real-world execution of the application.
  • Simulates how an actual attacker might behave.

Cons:

  • Requires more time and expertise than static code analysis.
  • Typically performed later in the development cycle, when changes are more costly.
  • Can miss code-specific vulnerabilities if not combined with static analysis.

3. Threat Analysis

Threat analysis (also known as threat modeling) is a proactive approach where the goal is to identify potential threats or risks to the system before they become actual problems. It involves understanding how attackers might exploit various vulnerabilities in the application and designing defenses to mitigate these threats.

What it Does:

  • Identifies potential attack vectors, like unauthorized access or data leakage.
  • Maps out all the assets, entry points, and possible attack scenarios.
  • Helps design the system architecture to minimize security risks from the outset.

Example in JavaScript:

Suppose you are building an e-commerce site using JavaScript and back-end services. A threat analysis may outline:

  • Sensitive data exposure: Users’ payment information could be compromised if the API isn’t secured with HTTPS.
  • Authentication threats: Weak passwords or a lack of multi-factor authentication (MFA) could be exploited.

Pros:

  • Helps prevent vulnerabilities from being introduced in the design phase.
  • Informs developers and architects about potential risks throughout the application’s lifecycle.
  • Can guide security-focused development.

Cons:

  • Requires security expertise and detailed system knowledge.
  • Can be difficult to cover all potential threats.
  • More of a preventive measure, so it may not address runtime vulnerabilities directly.

Key Differences

Timing
  • Static Code Analysis: Early in development (pre-execution)
  • Penetration Testing: After deployment or during testing
  • Threat Analysis: Before development and during design

Execution
  • Static Code Analysis: Analyzes code without running the program
  • Penetration Testing: Involves running and attacking the application
  • Threat Analysis: Focuses on identifying risks and attack vectors

Primary Focus
  • Static Code Analysis: Code quality and known vulnerabilities
  • Penetration Testing: Real-world attack simulation
  • Threat Analysis: Identifying threats and designing mitigation strategies

Examples of Tools
  • Static Code Analysis: ESLint, SonarQube, Snyk
  • Penetration Testing: OWASP ZAP, Burp Suite, Metasploit
  • Threat Analysis: STRIDE, OWASP Threat Dragon

Strengths
  • Static Code Analysis: Fast feedback, prevents common mistakes
  • Penetration Testing: Finds runtime and

Alternatives and Competitors to PKI Encryption
Sat, 24 Aug 2024 08:29:46 +0000, https://www.anujvarma.com/alternatives-and-competitors-to-pki-encryption/

Competitors to PKI:
  1. Identity-Based Encryption (IBE):
    • Instead of relying on certificates like PKI, IBE uses identity information (e.g., an email address) as the public key.
    • Competitors: Voltage Security (now part of […])
  2. Decentralized Identity Systems:
    • Blockchain-based and decentralized identity models provide alternatives to centralized PKI by enabling self-sovereign identities (SSI).
    • Competitors: Sovrin, uPort, Microsoft ION (built on Bitcoin), Hyperledger Indy.
  3. Hardware Security Modules (HSM) and Secure Key Management:
    • HSMs offer secure key storage and management without relying on traditional PKI infrastructures.
    • Competitors: Thales, Entrust, AWS CloudHSM.
  4. Web of Trust (WoT):
    • A peer-to-peer approach where trust is decentralized, and relationships are built on mutual endorsements rather than centralized authorities.
    • Competitors: PGP (Pretty Good Privacy) implementations like GnuPG.

Cloud Encryption as a service providers
Sat, 24 Aug 2024 08:17:46 +0000, https://www.anujvarma.com/encryption-as-a-service-providers/

Also read Cloud KMS – Encryption as a service

Encryption-as-a-Service Providers:

  1. Amazon Web Services (AWS) Key Management Service (KMS):
    • Provides encryption services with integrated key management for AWS services and custom applications.
  2. Microsoft Azure Key Vault:
    • Offers cloud-based key management and encryption services integrated with Azure infrastructure.
  3. Google Cloud Key Management:
    • Provides a cloud-based encryption service that supports symmetric and asymmetric keys for Google Cloud resources.
  4. Thales CipherTrust Cloud Key Manager:
    • A multi-cloud encryption service offering centralized key management, with support for both cloud-native and hybrid environments.
  5. IBM Key Protect:
    • A cloud-based key management solution that helps manage encryption keys used across IBM Cloud services.
  6. Entrust Cloud Encryption Services:
    • Offers encryption and key management solutions for various cloud environments, supporting compliance and data security.
  7. Boxcryptor:
    • Provides end-to-end encryption as a service for cloud storage solutions like Dropbox, Google Drive, and OneDrive.

Project maps replace Gantt charts
Mon, 17 Jun 2024 18:07:59 +0000, https://www.anujvarma.com/project-maps-replace-gannt-charts/

Gantt charts are tedious and updating them is error-prone.

Project maps (created by any agile tool such as Jira, Rally, or even Azure DevOps) are a better visual.

Books on Quantum Field Theory – Self Learning
Thu, 25 Apr 2024 15:50:14 +0000, https://www.anujvarma.com/books-on-quantum-field-theory/

Relativistic Quantum Theory, Part 1, by Landau

Relativistic Quantum Theory, Part 2, by Landau

An Introduction to Quantum Field Theory, by Peskin and Schroeder

Student Friendly Quantum Field Theory, Volume 1, by Klauber

Student Friendly Quantum Field Theory, Volume 2: The Standard Model, by Klauber

Problem Books for Mathematical Physics
Tue, 16 Apr 2024 17:42:43 +0000, https://www.anujvarma.com/problem-books-for-mathematical-physics/

Princeton Problems in Physics

These problems have been culled from the preliminary and general examinations created by the physics department at Princeton University for its graduate program. The authors, all students who have successfully completed the examinations, selected these problems on the basis of usefulness, interest, and originality, and have provided highly detailed solutions to each one. Their book will be a valuable resource not only to other students but to college physics teachers as well. The first four chapters pose problems in the areas of mechanics, electricity and magnetism, quantum mechanics, and thermodynamics and statistical mechanics, thereby serving as a review of material typically covered in undergraduate courses. Later chapters deal with material new to most first-year graduate students, challenging them on such topics as condensed matter, relativity and astrophysics, nuclear physics, elementary particles, and atomic and general physics.

University of Chicago Graduate problems in Physics

Covers a broad range of topics, from simple mechanics to nuclear physics. The problems presented are intriguing ones, unlike many examination questions, and physical concepts are emphasized in the solutions.

Many distinguished members of the Department of Physics and the Enrico Fermi Institute at the University of Chicago have served on the candidacy examination committees and have, therefore, contributed to the preparation of problems which have been selected for inclusion in this volume. Among these are Morrell H. Cohen, Enrico Fermi, Murray Gell-Mann, Roger Hildebrand, Robert S. Mulliken, John Simpson, and Edward Teller.

Problem Book in Relativity and Gravitation

This book is a unique collection of some 475 problems, with solutions, in the fields of special and general relativity, gravitation, relativistic astrophysics, and cosmology. The problems are expressed in broad physical terms to enhance their pertinence to readers with diverse backgrounds.

In their solutions, the authors have attempted to convey a mode of approach to these kinds of problems, revealing procedures that can reduce the labor of calculations while avoiding the pitfall of too much or too powerful formalism. Although well suited for individual use, the volume may also be used with one of the modern textbooks in general relativity.

J.D. Jackson Electrodynamics

Detachment, Riding a Bicycle, Infinite Inner Potential
Sat, 13 Apr 2024 19:43:28 +0000, https://www.anujvarma.com/detachment-riding-a-bicycle-infinite-inner-potential/

Swami Bodhinanda writes about three different stages in yoga.

These stages are:

a) Developing Powers of Concentration and

b) Developing Powers of Detachment.

c) Combining one and two – Concentration with Detachment

My Personal Experience – Detachment reigns supreme

Detachment is key to maximizing the outcome of any activity.

Concentration is a little overrated – at least  in the western meaning of the word. For instance, caffeinated people often believe that their concentration improves on caffeine. And while that may be true, that is NOT the type of concentration that is needed in yoga, or in meditation.

Need to overcome an illness or injury?

Detach yourself from it. Distance yourself from ‘constantly focusing on the symptoms’. Believe it or not – the symptoms will start fading away.

Need to do well in an interview?

Detach yourself from whatever the outcome will be. See how differently you perform. When you are no longer thinking about all the negatives ‘darn – I REALLY need this job…etc.’, your whole body language (and verbal language) is different.

Summary – Detach from your troubles as well

Detachment from troubles feels great. Just distance yourself (visualize a HUGE GAP) between you and your troubles. Oftentimes, the troubling event (in the real world) actually recedes!
