The Backend Engineering Show with Hussein Nasser

535 episodes - English - Latest episode: about 2 months ago - ★★★★★ - 5 ratings

Welcome to the Backend Engineering Show podcast with your host Hussein Nasser. If you like software engineering you’ve come to the right place. I discuss all sorts of software engineering technologies and news with specific focus on the backend. All opinions are my own.

Most of my content in the podcast is an audio version of videos I post on my YouTube channel here: http://www.youtube.com/c/HusseinNasser-software-engineering

Buy me a coffee
https://www.buymeacoffee.com/hnasr

🧑‍🏫 Courses I Teach
https://husseinnasser.com/courses

Technology
Episodes

The Second Microsoft Global Outage in less than 6 months

March 16, 2021 04:09 - 12 minutes - 8.75 MB

On March 15, 2021, users couldn’t sign in to Microsoft services. The majority of the impact was on Teams, but other services were affected. A similar outage happened back in Sep 2020 (I covered it here https://www.youtube.com/watch?v=0ozri9APCv0&t=68s). Microsoft 365 Service health status: https://twitter.com/MSFT365Status/status/1371546946263916545

Is there a Limit to Number of Connections a Backend can handle?

March 16, 2021 04:00 - 19 minutes - 11.2 MB

In today's show, I'll answer the question: do backend connections max out? There are many aspects to this question and I want to try to tackle all of them. I'll also mention the efforts that @Cloudflare and team are making to improve CONNECT with the MASQUE protocol. Tune in to the Backend Engineering Show with Hussein Nasser on your fav podcast player.

Fire Destroys Datacenter in France, Let us discuss the OVHcloud Fire

March 11, 2021 05:53 - 13 minutes - 10.8 MB

OVHcloud is Europe's largest cloud provider, with facilities across the region. They were hit with a big fire that completely destroyed an entire datacenter. What happened? 0:00 What is the effect? 3:00 What OVH is going to do? 6:00 Resources https://www.ovh.ie/news/press/cpl1786.fire-our-strasbourg-site http://travaux.ovh.net/?do=details&id=49484 https://twitter.com/olesovhcom/status/1369504527544705025

Firefox State Partitioning for Cookies Might End Evil Tracking forever

March 10, 2021 05:28 - 8 minutes - 5.96 MB

Firefox is implementing a feature that might end website tracking, let's get into how it works.   https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/  https://hacks.mozilla.org/2021/02/introducing-state-partitioning/

Did you get logged out of GitHub? - Backend Race condition Bug discussion

March 10, 2021 05:26 - 15 minutes - 10.7 MB

On the evening of March 8, GitHub invalidated all authenticated sessions on GitHub.com created prior to 12:03 UTC on March 8 out of an abundance of caution to protect users from an extremely rare, but potentially serious, security vulnerability affecting a very small number of GitHub.com sessions.   Let us discuss   https://github.blog/2021-03-08-github-security-update-a-bug-related-to-handling-of-authenticated-sessions/

Chrome 90 will start communicating in HTTPS (port 443) by Default - Let us discuss

March 04, 2021 05:00 - 12 minutes - 8.62 MB

For the longest time, all browsers have always used HTTP for schemeless URLs (when HTTP or HTTPS is not specified). Chrome is flipping this with version 90. Chapters * HTTPS by Default 0:00 * What happens Today 1:00 * What will happen in Chrome 90 4:00 * HSTS? 6:20 * Is HTTPS everywhere dead? 7:10 * How to Enable 8:20 Video https://youtu.be/XrlfX0duLKQ https://latesthackingnews.com/2021/03/01/google-will-launch-https-first-approach-with-urls-from-chrome-90

S3 compliant MinIO Suffers a Server Side Request Forgery vulnerability, let's discuss

March 01, 2021 20:17 - 10 minutes - 7.39 MB

MinIO, an S3 Compliant object-store, suffered from a Server Side Request Forgery vulnerability in early Feb 2021, which has been fixed quickly and addressed. In this video we go through the bug and what we can learn from it.

Which DBMS will Implement QUIC First? Can the QUIC Protocol improve Database Performance in Web Applications?

February 25, 2021 21:23 - 13 minutes - 8.98 MB

In this video, I discuss why QUIC will make a great communication protocol for databases and how it solves a critical problem with stateless web applications. Web applications use database connection pooling to establish database connections on the backend. But that creates other sorts of problems.

3 New Ways to Crash your NodeJS Server, Update Node JS today! (Feb 2021 Security Update)

February 24, 2021 16:18 - 10 minutes - 7.5 MB

Nodejs Updates are now available for v10.x, v12.x, v14.x and v15.x Node.js release lines for the following issues. 0:00 Intro 1:50 HTTP/2 Unknown Protocol 4:24 Localhost6 DNS Rebinding 6:55 Integer overflow OpenSSL Resources https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

cURL creator Daniel Stenberg threatened - The entitlement towards OSS needs to STOP!

February 19, 2021 18:01 - 5 minutes - 4.58 MB

This is unacceptable and the entitlement towards open-source maintainers needs to STOP! Daniel’s blog https://daniel.haxx.se/blog/2021/02/19/i-will-slaughter-you/ Support curl by becoming a backer https://opencollective.com/curl#backer

SRE changes a single HAProxy config, Breaks the Backend and he troubleshoots it like a champ

February 19, 2021 02:51 - 7 minutes - 5.08 MB

Let us go through an absolutely fantastic article and journey of how a single change in HAProxy config drove this SRE into a frenzy to find out what went wrong. A fantastic read.  https://about.gitlab.com/blog/2021/01/14/this-sre-attempted-to-roll-out-an-haproxy-change/?utm_medium=social&utm_source=linkedin&utm_campaign=blog

A Bug in Stripe Caused by AWS Lambda Serverless Design (Container re-use)

February 17, 2021 02:47 - 15 minutes - 10.6 MB

From time to time I like to loiter on people’s GitHub Repos look through issues submitted and see if there are interesting hidden gems and bugs that would make a good lesson or learning experience and boy did I find one for you. This bug is caused in stripe-node code in AWS Lambda serverless environment where requests are failing intermittently. We discuss how AWS serverless container re-use can cause this and how stripe solved it.   Resources https://github.com/stripe/stripe-node/issues/104...

XMPP - Extensible Messaging and Presence Protocol (with Node JS and eJabberd)

February 15, 2021 20:50 - 19 minutes - 13.1 MB

XMPP, or the Extensible Messaging and Presence Protocol (originally named Jabber), is an open communication protocol designed for instant messaging (IM), presence information, and contact list maintenance. It is used by almost all large messaging systems such as WhatsApp, Facebook, Google Talk and others. In this video we will go through XMPP architecture, explain how it works and then finally show how to spin up an XMPP chat server and connect to it from Node JS.

How timeouts can make or break your Backend load balancers

February 15, 2021 01:13 - 21 minutes - 14.7 MB

In this video I go over the critical timeouts on a proxy system such as a reverse proxy or load balancer and how you can configure each one to protect against attacks or outages. Nginx and HAProxy are just a few of the proxies that you can configure to be load balancers.

He Hacked Into Apple and Microsoft with this genius trick

February 11, 2021 01:06 - 16 minutes - 11.1 MB

Guys, this is absolutely genius and nuts! I have never seen anything like this before. This guy got access to paypal json and saw some private packages, created public ones with a similar name and then made them do bad things. Then, because firewalls will shut those down, he used DNS. DNS requests are practically safe so firewalls allow them. 11:05 chrome root https://youtu.be/qpC1YH0FhuY https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

CQRS is probably the cause of the Microservices madness

February 07, 2021 16:33 - 7 minutes - 5.03 MB

Reads and Writes don’t have to live in the same database, data model or even the same service. Let us discuss CQRS. No separation: one service that does read/write. Partial separation: you can keep one service but the backend has multiple connections with different users, same database. Full separation: read services / write services, two databases, OLAP / OLTP. Pros: scalability, security. Cons: complex and very hard to follow, what we see with microservices. Resources https://martinfowler.co...

Can China Block the New Encrypted Client Hello TLS Extension? Let us Discuss

February 07, 2021 02:32 - 29 minutes - 16.7 MB

In this video, I will discuss the new TLS extension Encrypted Client Hello, which is a new mechanism to encrypt the entire client hello. It is very interesting and elegantly designed, but I have a few reservations and criticisms. Let us discuss. Intro 0:00 Classic TLS with SNI 7:00 ESNI 9:30 ECH 12:30 Limitations and Problems 21:00 Let's say the backend server hosts example.com with the cert of example.com and let us call this the “real” SNI. To support ECH, the same server should also host a c...

UUIDs are Bad for Performance in MySQL - Does Postgres Win? Let us Discuss

February 04, 2021 19:47 - 21 minutes - 12 MB

MySQL is clustered by default on the primary key, which means inserts have to be ordered. Let us discuss why UUID (random in nature) has bad performance in MySQL and whether Postgres wins here. We will also explain why Sequential Writes are Faster than Random in MySQL and https://www.percona.com/blog/2019/11/22/uuids-are-popular-but-bad-for-performance-lets-discuss/

They Freed up 70GB of Unused Indexes Space on Postgres, How did they Do it?

February 02, 2021 19:46 - 18 minutes - 10.7 MB

This is a very interesting article that I encourage you to read, as it has lots of useful lessons in Postgres. Using partial indexes, full vacuum, dropping unused indexes and much more helped this company save 70G worth of disk space. https://hakibenita.com/postgresql-unused-index-size

How do I learn new tech as a software engineer

February 01, 2021 19:32 - 18 minutes - 13 MB

In this video I discuss my approach of learning new technology and how I break it down so I understand it. Hope it helps

Overview of InterPlanetary File System - IPFS with (Examples with Command line & Brave Browser)

January 31, 2021 20:10 - 25 minutes - 14.4 MB

The InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data in a distributed file system. IPFS uses content-addressing to uniquely identify each file in a global namespace connecting all computing devices. Intro 0:00 Why IPFS? 2:00 Explain the original web model and the limitation * Content addressing instead of location addressing * decentralized content distributed among peers Content 3:30 * Content is hashed as CID * Content is immutab...

This Certificate Authority is being banned from Google

January 29, 2021 23:26 - 8 minutes - 5.1 MB

It looks like digital certificates and other certificate authorities issued by Spanish certificate authority Camerfirma will stop working in Chrome 90, in April.   https://www.zdnet.com/article/google-bans-another-misbehaving-ca-from-chrome/  https://wiki.mozilla.org/CA:Camerfirma_Issues

Is SELECT * Expensive?

January 28, 2021 16:37 - 7 minutes - 5.25 MB

I explain why and when SELECT * can become expensive. 

This YouTube Backend API Leaks Private Videos - Research rewarded $5000

January 24, 2021 19:12 - 16 minutes - 9.46 MB

David Schütz, a security researcher, earned $5000 in Google VRP by finding a Backend YouTube API that leaks Private Video Thumbnails. Let us discuss how he did that. Resources https://bugs.xdavidhu.me/google/2021/01/11/stealing-your-private-videos-one-frame-at-a-time/ Twitter @xdavidhu https://twitter.com/xdavidhu

He found a way to Hijack Private Google Docs Screenshots with a clever hack - Google paid him $4000

January 24, 2021 18:42 - 10 minutes - 6.29 MB

A postMessage vulnerability in the Google Feedback component allowed this security researcher to find a way to hijack private screenshots. https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/ https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Brave is Decentralized - Users can Consume and HOST IPFS Decentralized Web Content through Brave

January 22, 2021 16:54 - 12 minutes - 7.2 MB

Brave supports IPFS (InterPlanetary File System), which is a protocol designed to replace HTTP as a decentralized alternative. This allows users to host and consume   Resources https://brave.com/brave-integrates-ipfs/ https://ipfs.io/#how

RIP FTP - Chrome deprecates FTP for good

January 19, 2021 20:56 - 6 minutes - 3.49 MB

The current FTP implementation in Google Chrome has no support for encrypted connections (FTPS), nor proxies. Usage of FTP in the browser is sufficiently low that it is no longer viable to invest in improving the existing FTP client. In addition, more capable FTP clients are available on all affected platforms. Google Chrome 72+ removed support for fetching document subresources over FTP and rendering of top level FTP resources. Currently navigating to FTP URLs results in showing a directory ...

The 2021 Slack Outage (Detailed analysis)

January 15, 2021 18:46 - 44 minutes - 25.4 MB

On Jan 4th 2021, Slack experienced a global outage that prevented customers from using the service for nearly 5 hours. Slack has released the root cause analysis incident report, which I’m going to summarize in the first part of this video. After that I'll provide a lengthy deep dive of the incident, so make sure to stick around for that. If you are new here, I make backend engineering videos and also cover software news, so make sure to like, comment and subscribe if you would like to see mor...

HAProxy is closer to QUIC and HTTP/3 Support - Let’s discuss HAProxy 2.3

January 14, 2021 21:19 - 22 minutes - 12.8 MB

In this video I go through the new most exciting features in HAProxy, one of my favorite proxies. HAProxy 2.3 adds exciting features such as forwarding, prioritizing, and translating of messages sent over the Syslog Protocol on both UDP and TCP, and OpenTracing SPOA, Stats Contexts, SSL/TLS enhancements, an improved cache, and changes in the connection layer that lay the foundation for support for HTTP/3 / QUIC. Resources https://www.haproxy.com/blog/announcing-haproxy-2-3/ 0:00 Intro 2...

Apache Kafka 2.7 is One Step Closer to Killing ZooKeeper

January 13, 2021 17:18 - 19 minutes - 11 MB

In this video I go through the new features in Apache Kafka 2.7, it is very interesting to see the amount of work Apache Kafka is doing to get closer to removing ZooKeeper   *  [KAFKA-9893] - Configurable TCP connection timeout and improve the initial metadata fetch * [KAFKA-9915] - Throttle Create Topic, Create Partition and Delete Topic Operations * [KAFKA-10054] - Add TRACE-level end-to-end latency metrics to Streams * [KAFKA-10259] - KIP-554: Add Broker-side SCRAM Config API * [KAFKA-10...

Is EventStoreDB the First Native gRPC Database?

January 12, 2021 18:28 - 12 minutes - 8.74 MB

I discussed this in many of my videos, the need for a database that natively supports a multiplexing protocol such as QUIC, gRPC or HTTP/2 in order to allow multiple isolated clients to make requests to the database without taking the overhead of establishing multiple connections.    Resources https://www.infoq.com/news/2021/01/eventstoredb/ https://developers.eventstore.com/clients/dotnet/5.0/streams/#writing-to-a-stream

Demonstrate your Skills as Backend Engineer To Recruiters - Building a Full Backend Portfolio

January 10, 2021 00:42 - 20 minutes - 14.1 MB

A lot of you guys ask me this question: “I have experience but not sure how to show it, how do I build my backend portfolio such that I can get hired in my dream job?” Building a backend portfolio takes time and effort, and in this video I will be discussing 9 tools that you can add to your backend portfolio. 0:00 Intro Live Projects 1:50 System Design Documents 3:45 Architectural/System Design Diagrams 5:45 UX/UI (in case of frontend) 7:13 Papers 8:30 Books 9:50 Blog articles 10:55...

WhatsApp’s Ultimatum, What can They see and What are They Collecting (In Details)

January 09, 2021 02:43 - 20 minutes - 11.8 MB

WhatsApp has updated their terms of usage and privacy policy, which caused many users to move to other platforms. This video will be a detailed report of their privacy policy, what they collect and what they can collect and see. https://www.whatsapp.com/legal/privacy-policy https://cdn.arstechnica.net/wp-content/uploads/2021/01/Image-from-iOS.png cards 1:30 end to end 16:30 Samesite cookie 0:00 WhatsApp New Privacy 4:00 Your Account Information 5:30 Your Messages 12:15 Your Connection...

Have a Node JS Server? Update it Now!

January 07, 2021 18:11 - 7 minutes - 4.25 MB

NodeJS released its Jan 2021 security update and it's time to go through them! Resources https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ use-after-free in TLSWrap (High) (CVE-2020-8265), HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287), OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

The Slack Outage (Early Report & Speculations)

January 05, 2021 19:44 - 11 minutes - 7.91 MB

On Jan 4th 2021 7:14 PST All Slack services went down. This video is an early report of the incident and speculation of what might have caused this outage. We still don’t know what caused the outage, we will wait for the full incident report from slack and I'll make a video once that's up.  https://status.slack.com/

My Thoughts on How Clever the SolarWinds Hack Really Is

January 04, 2021 17:10 - 5 minutes - 3.79 MB

The SolarWinds hack is one of the largest highly coordinated and intelligent attempts to hit enterprise companies. In this video, I briefly explain how smart this is.

Got Bit by A Docker Default on my Postgres Container, Interesting Story, let us discuss!

January 03, 2021 00:07 - 5 minutes - 3.93 MB

While working on a Postgres docker container executing some queries I noticed that my index-only scan query is hitting the heap which it shouldn't. After digging deep I found that it's the shared memory that docker allocates by default. Defaults are never enough, very interesting train of thought that I thought I’d share with you  The Blog I found that helped me find it https://blog.makandra.com/2018/11/investigating-slow-postgres-index-only-scans/

2021's Exciting Backend Tech - Serverless, QUIC, Microservices, The Backend Engineering Show

January 02, 2021 01:55 - 2 hours - 81.1 MB

Let us discuss what I'm excited for in Backend Tech in 2021 and answer your great questions

My Process of Designing and Architecting Software

December 29, 2020 23:00 - 15 minutes - 10.6 MB

In this video, I go through my process of how I design and architect full software from A-Z. This is part of a Twitter thread that you guys seem to enjoy so I decided to make a video on the topic. Although the spec I generate is usually Backend oriented this is applicable for all software.  Twitter thread https://twitter.com/hnasr/status/1339021983195918337?s=20

How to Overcome Procrastination

December 28, 2020 20:55 - 9 minutes - 6.7 MB

In this video, I go through how I overcome procrastination as a software engineer. What is Procrastination? 0:00 How to Defeat * Reward based system - a reward after achieving 1:20 * Discipline, remembering why started this, your goal 3:16 * Professional - I need to do the work and ship 6:10

2020 Retrospective

December 24, 2020 19:34 - 12 minutes - 10.4 MB

2020 retrospective Intro 0:00 Goals 0:50 Teaching vs Documenting 4:30 Channel Growth 7:40 2021 10:50

The 2020 Google Outage (Detailed Analysis)

December 20, 2020 22:15 - 51 minutes - 29.5 MB

0:00 Intro 1:00 Summary of the Outage 4:00 Detailed Analysis of the Incident Report. On Dec 14 2020, Google suffered an outage across the globe that lasted 45 minutes; nobody could access most Google services. Google has released a detailed incident report discussing the outage, what caused it, technical details on their internal service architecture, and what they did to mitigate it and prevent it from happening in the future. In this video, I want to take a few minutes to...

Indexing Woes, The Secret to Backend Interviews, What is on my Bookshelf? The Backend Engineering Show

December 19, 2020 17:39 - 2 hours - 72.3 MB

The Backend Engineering Show Live with Hussein Nasser episode 10 we discuss many great questions!! Indexing Woes, The Secret to Backend Interviews, What is on my Bookshelf? Backend Engineering Show

Postgres Instances hacked and used to mine crypto - Let us discuss how is that possible

December 15, 2020 02:27 - 7 minutes - 5.26 MB

Exposed Postgres instances are being ssh'd into and used as a botnet to mine bitcoin. In this video we explain how that happens. The trick is the COPY FROM PROGRAM command.

Postgres Instances hacked and used to mine bitcoin - Let us discuss how is that possible

December 15, 2020 02:27 - 6 minutes - 5.89 MB

Exposed Postgres instances are being ssh'd into and used as a botnet to mine bitcoin. In this video we explain how that happens. The trick is the COPY FROM PROGRAM command.

Did Google run out of disk space? - The Google Outage ( Early report )

December 14, 2020 17:14 - 7 minutes - 4.93 MB

At 3:47 am PST almost all Google services went down, including Gmail, YouTube, Drive, Docs, Meet, Nest, Google Maps and many more. It took close to an hour to bring them back up. We still don’t know what caused this outage; in this video we will try to make sense of what we have gathered so far. A detailed analysis video will follow once we get a response from Google. Symptoms: Could not sign in to Google (account not found). Could not authenticate if you already have a token. Services no...

Certificates Gone Bad! Certificate Revocation Techniques Explained (CRL, OCSP, OCSP Stapling)

December 14, 2020 00:07 - 10 minutes - 7.21 MB

When the private key of a matching public key that belongs to a certificate is leaked, an attacker can intercept the server hello, use their own DH parameters, sign it with the stolen private key, and ship it to the client, effectively doing a MITM. This is extremely dangerous and we have no way in the client to know a MITM has happened. That is why a certificate sometimes has to be revoked, and in this video I’m going to discuss those revocation techniques. 0:00 How Certificate Works 3:00 Certific...

Impostor syndrome and Staying Motivated - The Backend Engineering Show with Hussein Nasser - Q&A

December 12, 2020 19:43 - 1 hour - 76.1 MB

In The Backend Engineering Show Live, we discuss Impostor syndrome and Staying Motivated in software engineering field.

Oblivious DoH (oDOH) Introduces a TLS Terminating Proxy with additional Layer of Encryption

December 09, 2020 19:12 - 11 minutes - 8.03 MB

Oblivious DoH is a technology that separates IP addresses from queries, so that no single entity can see both at the same time. Cloudflare, Apple & Fastly worked on this and did a good write-up of the tech; we discuss it in this video. https://blog.cloudflare.com/oblivious-dns/

Meet mySQL RAPID - distributed, in-memory, columnar, query processing engine by ORACLE

December 06, 2020 23:51 - 20 minutes - 11.9 MB

Oracle introduces a Game Changer Feature in MySQL that allows for OLAP & OLTP workloads in a single database. This is huge let us discuss https://www.oracle.com/emea/news/announcement/oracle-announces-mysql-database-service-with-integrated-analytics-engine-2020-12-03.html https://dev.mysql.com/doc/mysql-analytics/en/mysql-analytics-introduction.html 0:00 Intro 1:40 History of ETL 7:00 How Kafka Helped Data Warehouse 8:20 How RAPID Solves this 11:14 MySQL Database Service Analytics Eng...
