Anuj Varma, Hands-On Technology Architect, Clean Air Activist https://www.anujvarma.com/ Production Grade Technical Solutions | Data Encryption and Public Cloud Expert Wed, 12 Mar 2025 15:41:03 +0000

CORS origin False Positives https://www.anujvarma.com/cors-origin-false-positives/ Wed, 12 Mar 2025 15:41:03 +0000

Almost all CORS misconfiguration notifications are false positives.
If you have checked “Access-Control-Allow-Origin: *”, you will get these false positives.

It needs to be set to “Access-Control-Allow-Credentials: true” for the finding to be a real issue.
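As an added example (not code from the original post), a small triage helper that applies the rule above to a scanner finding: a wildcard origin without credentials is treated as a false positive, while the credentials header decides whether the finding is real. It goes slightly beyond the text by also handling the reflected-origin case; "probeOrigin" is assumed to be the arbitrary Origin value the scanner sent, and the findings are constructed.

```javascript
// Added example, not from the original post: triage a scanner's CORS finding
// from the response headers it captured. "probeOrigin" is the arbitrary Origin
// the scanner sent; if the server echoes it back, the origin is being reflected.
function triageCorsFinding(probeOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h["access-control-allow-origin"];
  const credentials = h["access-control-allow-credentials"] === "true";

  if (acao === undefined) {
    return { verdict: "false-positive", reason: "no Access-Control-Allow-Origin header; cross-origin reads are blocked" };
  }
  if (acao === "*") {
    return credentials
      ? { verdict: "misconfiguration", reason: "wildcard origin with credentials; browsers refuse credentialed reads for '*', but the intent is wrong and should be fixed" }
      : { verdict: "false-positive", reason: "wildcard origin without credentials only exposes responses that are already public" };
  }
  if (acao === probeOrigin) {
    return credentials
      ? { verdict: "true-positive", reason: "origin reflected with credentials: any site can read authenticated responses" }
      : { verdict: "review", reason: "origin reflected without credentials; confirm it is an allow-list match, not an echo" };
  }
  return { verdict: "false-positive", reason: "fixed allow-listed origin that does not match the probe" };
}

// Constructed findings in the shape a scanner report might hold.
const FINDINGS = [
  { url: "https://app.example/api/public", probe: "https://probe.example",
    headers: { "Access-Control-Allow-Origin": "*" } },
  { url: "https://app.example/api/me", probe: "https://probe.example",
    headers: { "Access-Control-Allow-Origin": "https://probe.example",
               "Access-Control-Allow-Credentials": "true" } },
];

function triageAll(findings) {
  return findings.map((f) => ({ url: f.url, ...triageCorsFinding(f.probe, f.headers) }));
}

for (const r of triageAll(FINDINGS)) {
  console.log(`${r.url}: ${r.verdict} (${r.reason})`);
}
```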

The post CORS origin False Positives appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

UTXOs and Transaction Fees https://www.anujvarma.com/utxos-and-transaction-fees/ Thu, 23 Jan 2025 19:37:15 +0000

Understanding Risks of Small Value UTXOs

What is a UTXO?

UTXO stands for Unspent Transaction Output, which represents chunks of bitcoin you own. When you send or receive bitcoin, it’s tracked as UTXOs. Think of it like having several prepaid cards, each with its own balance.

Why Are Small UTXOs Problematic?

Whenever you use a UTXO, the transaction fee depends on the data size, not the value of the UTXO. This can create issues such as:

  • Small-value UTXOs may have their entire value consumed by fees.
  • Even medium-value UTXOs can lose a significant percentage of their worth to fees, reducing their effectiveness.

For instance:

  • If sending a UTXO costs 10,000 satoshis in fees, and the UTXO itself is worth 10,000 satoshis, there’s nothing left for the recipient.
  • If the UTXO is worth 50,000 satoshis, a 10,000-satoshi fee represents 20% of its value.

What is Considered a “Small” UTXO?

Generally, a UTXO smaller than 1,000,000 satoshis (0.01 BTC) is considered small, as higher fees can make them uneconomical to use.

Multisignature wallets or older wallets that don’t use Segwit (a technology that reduces transaction size) require even larger UTXOs to avoid these issues because they involve more data and higher fees.

Why Bitcoin Price Influences UTXOs

As bitcoin’s price increases, the cost of creating properly sized UTXOs also rises:

  • In 2019, 0.01 BTC was worth $50.
  • By 2025, 0.01 BTC is worth $1,000.

If bitcoin’s price continues to climb, acquiring a “safe” UTXO size could cost thousands of dollars, making it harder for small-scale users to manage their funds effectively.

Steps to Protect Yourself

  • Withdraw Larger Amounts: Avoid withdrawing small amounts of bitcoin from exchanges. Instead, wait until your balance reaches a “healthy” UTXO size (e.g., 0.01 BTC or more) before moving it to your wallet.
  • Review Your UTXOs: Use wallet tools (like Sparrow Wallet) to check how many UTXOs you hold and their values.
  • Combine Small UTXOs: If you have many small UTXOs, consider consolidating them into larger ones when fees are low. This reduces the risk of losing value due to rising fees in the future.
  • Explore Collaborative Custody: You can use multisig setups with trusted partners to securely and efficiently manage your UTXOs without handling everything alone.

Key Takeaway

Small UTXOs risk losing most or all of their value to transaction fees, especially as bitcoin’s price rises or network fees increase. Managing UTXOs carefully ensures you can spend your bitcoin efficiently without significant losses.


The post UTXOs and Transaction Fees appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

The art of teaching https://www.anujvarma.com/the-art-of-teaching/ Thu, 09 Jan 2025 23:24:58 +0000

What you are trying to teach – EXISTS independently of your teaching! So – it is a truth within this Universe. How you convey that truth is dependent upon your own teaching method.

Nothing Prepared – Except the teaching SPACE

– Create a SPACE for communicating your thoughts

– Let the teaching unravel itself (remember, it is a Universal truth that can unravel on its own – you are just the medium).


The post The art of teaching appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Hashing and Loss of Information https://www.anujvarma.com/hashing-and-loss-of-information/ Tue, 19 Nov 2024 21:54:37 +0000

Hashing and Loss of Information, Key Derivation

Hash functions lose information that is present in the input data. This is required in order to generate a fixed-length output hash value.

This loss of information makes it IMPOSSIBLE to recover the original input data from the output hash value.

In addition, many hash functions use key derivation functions to generate the hash value, which further complicates the process of recovering the original input data.

The Avalanche Effect in hashing:

  • A good hash function exhibits the avalanche effect: a small change in the input data should result in a significant change in the hash value.
  • This makes it difficult for an attacker to guess the input data by modifying the hash value.
  • In other words, even a small change in the input data should cause a completely different hash value to be produced, which further obscures the relationship between the input data and the hash value.

Salt:

In some cases, a salt is added to the input data before hashing.

  • The Salt is a random value that is added to the input data.
  • This makes it more difficult for an attacker to guess the input data by pre-computing a table of hash values for common input data.
  • When a salt is used, the attacker would need to pre-compute a table of hash values for every possible salt value, which significantly increases the computational effort required to guess the input data.

The post Hashing and Loss of Information appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Hash and then Encrypt? https://www.anujvarma.com/hash-and-then-encrypt/ Fri, 15 Nov 2024 18:30:54 +0000

Hash and then Encrypt?

Recently, I came across some code that did this. It makes no sense to do this.

Hashing an input before encrypting it with an algorithm like DES/AES is generally unnecessary. Here’s a breakdown of when and why you might or might not do this:

1. When It Does Make Sense

  • Data Integrity Verification: If you hash the input and send both the hash and the encrypted data, the recipient can decrypt the data, hash it again, and compare it to the transmitted hash. This ensures the data has not been tampered with during transit.
  • Fixed-Length Input Requirement: If the encryption process or protocol has a requirement for fixed-length inputs, hashing (which produces a fixed-length output regardless of input size) could standardize the input size.

2. When It Does Not Make Sense

  • Loss of Original Data: A hash is a one-way transformation, meaning you cannot recover the original input from it. If the hash replaces the original data, the original content will be lost.
  • Added Complexity Without Benefit: Encrypting the raw data directly with DES achieves confidentiality. Hashing it first adds complexity but doesn’t inherently improve the encryption’s security.

3. Better Approaches

  • Encrypt-then-MAC: For ensuring both confidentiality and integrity, the standard approach is to first encrypt the data and then apply a Message Authentication Code (MAC) to the ciphertext.
  • Modern Encryption Standards: DES is outdated and considered insecure. You should use modern encryption algorithms like AES, which natively support modes (e.g., GCM, CCM) that provide both encryption and integrity.

Summary

Hashing before encrypting with DES only makes sense in specific use cases, such as ensuring integrity or meeting fixed-length requirements. Otherwise, it’s redundant and complicates the system without improving security.

The post Hash and then Encrypt? appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Selling a put option in a BULL market – with Microstrategy (MSTR) as an example https://www.anujvarma.com/selling-a-put-option-in-a-bull-market-with-microstrategy-mstr-as-an-example/ Mon, 14 Oct 2024 02:46:54 +0000

Trying to BUY MSTR – Selling a put option

MSTR is a runaway train. Once that stock starts going, it is hard to catch it. So – how does one still purchase it at a lower price?

Write a PUT option!

Put sellers (writers) have an obligation to buy the underlying stock at the strike price. The put seller must have either enough cash in their account or margin capacity to buy the stock from the put buyer. 

This works if you ACTUALLY WANT TO BUY the stock at a LOWER price. Keep in mind that in the bull trend, this may never happen. So – you still win though – by pocketing the premium (which is yours as long as the stock stays above the strike price).

Put sellers generally expect the underlying stock to remain flat or move higher. Put sellers make a bullish bet on the underlying stock and/or want to generate income.  

Stock FALLS BELOW THE strike Price?

If the stock declines below the strike price before expiration, the option is “in the money.” The seller will be put the stock and must buy it at the strike price. 

Stock STAYS ABOVE THE strike Price?

If the stock stays at the strike price or above it, the put is “out of the money,” so the put seller pockets the premium. (Note – you can keep continuing this strategy – by writing another put on the stock, to generate  more income). 

Bull Market Comfort

In a bull market, stocks like the one above (MSTR) seem to follow an almost uninterrupted uptrend. This is good for a PUT writer who wants to a) Get some income b) Catch the stock at a lower price , if it does ever fall.

Note that this sense of comfort does not exist in an overall BEAR market.

Covered Calls to generate income?

If one owns the underlying stock, one can also generate income by writing a CALL – a covered call – which is COVERED by your underlying asset. This means that if the stock ever reaches the strike price of your call option, you WILL have to give up your stock. Still – in a bull market, the chances of the stock falling enough to get to your strike price (pick a LOW strike price) are considerably low. Hence, this strategy works too (for income generation). Personally, I am averse to giving up ANY good stock in a BULL market, so I stick to the first option (WRITING a PUT).

The post Selling a put option in a BULL market – with Microstrategy (MSTR) as an example appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Javascript Security Testing – Pen Tests, Static Code analysis and Threat Analysis https://www.anujvarma.com/javascript-security-testing-pen-tests-static-code-analysis-and-threat-analysis/ Wed, 25 Sep 2024 16:13:25 +0000

Differences Between Static Code Analysis, Pen Testing, and Threat Analysis in JavaScript

When building software, ensuring security is paramount, especially when working with a widely used language like JavaScript. To achieve this, developers and security teams use various techniques, each targeting specific aspects of code security. In this post, we’ll explore the differences between static code analysis, penetration testing (pen testing), and threat analysis, using JavaScript code as a practical example.

1. Static Code Analysis

Static Code Analysis involves analyzing the source code without executing it. This method identifies potential vulnerabilities, bugs, or performance issues early in the development process. The analysis is performed by automated tools that scan through the codebase to find issues based on predefined rules.

What it Does:

  • Looks for insecure patterns, improper use of functions, or vulnerabilities like SQL injections, buffer overflows, or cross-site scripting (XSS).
  • Identifies best practice violations (e.g., poor error handling, lack of input validation).
  • Highlights syntax errors and unused variables.

Example in JavaScript:

let userInput = "<img src=x onerror=alert(1)>";  // Untrusted input
document.getElementById("output").innerHTML = userInput;

Here, an attacker could exploit this vulnerability for cross-site scripting (XSS) attacks. Static code analysis tools like ESLint with security plugins (e.g., eslint-plugin-security) can flag this as a potential issue.
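As an added example (not code from the original post, and not eslint-plugin-security's own implementation), a minimal static check of the kind such a tool applies to the snippet above: it scans source text without executing it and flags assignments to innerHTML/outerHTML whose right-hand side is not a plain string literal. The sample source is constructed; line 2 of it is the post's snippet.

```javascript
// Added example, not from the original post: a minimal static check in the
// spirit of a linter rule. It flags innerHTML/outerHTML assignments whose
// right-hand side is not a plain string literal, i.e. markup that may come
// from untrusted input. Regex-based, so it is a simplification of a real AST rule.
const SINK_ASSIGNMENT = /\.(innerHTML|outerHTML)\s*\+?=(?!=)\s*(.+?);?\s*$/;
const STRING_LITERAL = /^(['"])(?:\\.|(?!\1).)*\1$/;

function findHtmlSinks(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const line = text.trim();
    if (line.startsWith("//")) return;                 // comment-only line
    const m = SINK_ASSIGNMENT.exec(line);
    if (!m) return;                                    // no sink assignment on this line
    const rhs = m[2].trim();
    if (STRING_LITERAL.test(rhs)) return;              // constant markup is not attacker-controlled
    findings.push({
      line: idx + 1,
      sink: m[1],
      expression: rhs,
      advice: "assign with textContent, or pass the value through a vetted HTML sanitizer first",
    });
  });
  return findings;
}

// Constructed source for the demo; line 2 is the snippet from the post.
const SAMPLE = [
  'let userInput = "<img src=x onerror=alert(1)>";',
  'document.getElementById("output").innerHTML = userInput;',
  'document.getElementById("banner").innerHTML = "<b>Welcome</b>";',
  'document.getElementById("output").textContent = userInput;',
  'if (node.innerHTML === cached) { skip(); }',
  'list.innerHTML += "<li>" + item.name + "</li>";',
].join("\n");

for (const f of findHtmlSinks(SAMPLE)) {
  console.log(`line ${f.line}: ${f.sink} assigned from ${f.expression} - ${f.advice}`);
}
```

Lines 3 (constant markup), 4 (safe sink) and 5 (comparison, not assignment) are left alone; lines 2 and 6 are reported.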

Static Code Analysis Tools for JavaScript:

  • ESLint
  • SonarQube
  • JSHint
  • Snyk Code

Pros:

  • Quick to run and can be integrated into CI/CD pipelines.
  • Provides immediate feedback to developers.
  • Detects common vulnerabilities early in the development cycle.

Cons:

  • Cannot find runtime issues.
  • May produce false positives (flagging non-issues).

2. Penetration Testing (Pen Testing)

Penetration testing (commonly known as pen testing) is a security testing method where testers simulate real-world attacks on an application to find vulnerabilities. Unlike static code analysis, pen testing involves executing the application to see how it responds to various attack vectors.

What it Does:

  • Simulates real-world attack scenarios, testing how an attacker might exploit vulnerabilities in the live environment.
  • Finds issues that may not be detectable by simply scanning the source code.
  • Focuses on both front-end and back-end vulnerabilities, such as SQL injection, cross-site request forgery (CSRF), or insecure API endpoints.

Example in JavaScript:

fetch("/api/update-user", {
    method: "POST",
    body: JSON.stringify({ username: "new_user", role: "admin" }),
    headers: { "Content-Type": "application/json" }
});

A penetration tester could try to manipulate the request body to elevate privileges (e.g., setting role: "admin" to gain unauthorized access).

Pros:

  • Tests the entire application stack, including third-party services and configurations.
  • Finds security weaknesses in the real-world execution of the application.
  • Simulates how an actual attacker might behave.

Cons:

  • Requires more time and expertise than static code analysis.
  • Typically performed later in the development cycle, when changes are more costly.
  • Can miss code-specific vulnerabilities if not combined with static analysis.

3. Threat Analysis

Threat analysis (also known as threat modeling) is a proactive approach where the goal is to identify potential threats or risks to the system before they become actual problems. It involves understanding how attackers might exploit various vulnerabilities in the application and designing defenses to mitigate these threats.

What it Does:

  • Identifies potential attack vectors, like unauthorized access or data leakage.
  • Maps out all the assets, entry points, and possible attack scenarios.
  • Helps design the system architecture to minimize security risks from the outset.

Example in JavaScript:

Suppose you are building an e-commerce site using JavaScript and back-end services. A threat analysis may outline:

  • Sensitive data exposure: Users’ payment information could be compromised if the API isn’t secured with HTTPS.
  • Authentication threats: Weak passwords or a lack of multi-factor authentication (MFA) could be exploited.

Pros:

  • Helps prevent vulnerabilities from being introduced in the design phase.
  • Informs developers and architects about potential risks throughout the application’s lifecycle.
  • Can guide security-focused development.

Cons:

  • Requires security expertise and detailed system knowledge.
  • Can be difficult to cover all potential threats.
  • More of a preventive measure, so it may not address runtime vulnerabilities directly.

Key Differences

Timing
  • Static Code Analysis: Early in development (pre-execution)
  • Penetration Testing: After deployment or during testing
  • Threat Analysis: Before development and during design

Execution
  • Static Code Analysis: Analyzes code without running the program
  • Penetration Testing: Involves running and attacking the application
  • Threat Analysis: Focuses on identifying risks and attack vectors

Primary Focus
  • Static Code Analysis: Code quality and known vulnerabilities
  • Penetration Testing: Real-world attack simulation
  • Threat Analysis: Identifying threats and designing mitigation strategies

Examples of Tools
  • Static Code Analysis: ESLint, SonarQube, Snyk
  • Penetration Testing: OWASP ZAP, Burp Suite, Metasploit
  • Threat Analysis: STRIDE, OWASP Threat Dragon

Strengths
  • Static Code Analysis: Fast feedback, prevents common mistakes
  • Penetration Testing: Finds runtime and

The post Javascript Security Testing – Pen Tests, Static Code analysis and Threat Analysis appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Alternatives and Competitors to PKI Encryption https://www.anujvarma.com/alternatives-and-competitors-to-pki-encryption/ Sat, 24 Aug 2024 08:29:46 +0000

Competitors to PKI:
  1. Identity-Based Encryption (IBE):
    • Instead of relying on certificates like PKI, IBE uses identity information (e.g., email address) as the public key.
    • Competitors: Voltage Security (now part of […]
  2. Decentralized Identity Systems:
    • Blockchain-based and decentralized identity models provide alternatives to centralized PKI by enabling self-sovereign identities (SSI).
    • Competitors: Sovrin, uPort, Microsoft ION (built on Bitcoin), Hyperledger Indy.
  3. Hardware Security Modules (HSM) and Secure Key Management:
    • HSMs offer secure key storage and management without relying on traditional PKI infrastructures.
    • Competitors: Thales, Entrust, AWS CloudHSM.
  4. Web of Trust (WoT):
    • A peer-to-peer approach where trust is decentralized, and relationships are built on mutual endorsements rather than centralized authorities.
    • Competitors: PGP (Pretty Good Privacy) implementations like GnuPG.

The post Alternatives and Competitors to PKI Encryption appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Cloud Encryption as a service providers https://www.anujvarma.com/encryption-as-a-service-providers/ Sat, 24 Aug 2024 08:17:46 +0000

Also read Cloud KMS – Encryption as a service

Encryption-as-a-Service Providers:

  1. Amazon Web Services (AWS) Key Management Service (KMS):
    • Provides encryption services with integrated key management for AWS services and custom applications.
  2. Microsoft Azure Key Vault:
    • Offers cloud-based key management and encryption services integrated with Azure infrastructure.
  3. Google Cloud Key Management:
    • Provides a cloud-based encryption service that supports symmetric and asymmetric keys for Google Cloud resources.
  4. Thales CipherTrust Cloud Key Manager:
    • A multi-cloud encryption service offering centralized key management, with support for both cloud-native and hybrid environments.
  5. IBM Key Protect:
    • A cloud-based key management solution that helps manage encryption keys used across IBM Cloud services.
  6. Entrust Cloud Encryption Services:
    • Offers encryption and key management solutions for various cloud environments, supporting compliance and data security.
  7. Boxcryptor:
    • Provides end-to-end encryption as a service for cloud storage solutions like Dropbox, Google Drive, and OneDrive.

The post Cloud Encryption as a service providers appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

project maps replace gannt charts https://www.anujvarma.com/project-maps-replace-gannt-charts/ Mon, 17 Jun 2024 18:07:59 +0000

Gantt charts are tedious, and updating them is error-prone.

Project Maps (created by any agile tool such as Jira, Rally, or even Azure DevOps) are a better visual.


The post project maps replace gannt charts appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

]]>
https://www.anujvarma.com/project-maps-replace-gannt-charts/feed/ 0