Wednesday, October 12, 2016

JMeter Memory error

As I was running a load test on a WCF service for the first time with JMeter, the JMeter UI froze once the sample count reached 30k and I had to close JMeter abruptly. I checked the JMeter logs and found that this was the last entry:
jmeter.threads.JMeterThread: Test failed! java.lang.OutOfMemoryError: Java heap space

As usual I turned to Google and found that this error can be avoided by increasing the Java heap space.

This line in the jmeter.bat or jmeter.sh script tells the launching JMeter instance how much heap it should use:

JVM_ARGS="-Xms512m -Xmx512m" jmeter.sh

I changed both values from 512m to 1024m (-Xms1024m -Xmx1024m) and relaunched JMeter. (Please make sure the system running JMeter has sufficient RAM.)

That fixed the problem.

I am able to test the application now, crossing the previous 30k-sample limit and continuing until I stop the test manually.

I also found the article below with a couple more fixes you may need if you still face the above error.

Thursday, September 1, 2016

The decoration of objects

This is an image of tree rings. As you know, the rings indicate the age of the tree.

Now coming to our example of the Decorator pattern: "the first year of growth is our original object and the rest of the rings are the decorators".


The Decorator pattern is used as an alternative to subclassing when functionality needs to be extended. It is also an example of the Open-Closed Principle, where we are allowed only to extend, not to modify.

When do we use the Decorator pattern?
When we have a large number of combinations of two or more different pieces of logic to be performed, instead of a nightmare of derived classes we would rather bind the required logic dynamically.

Consider a web cam device that rotates and takes a photo every time it senses the motion of an object in front of it.

Pseudo Code

Instruction code    Action performed
CC                  Check if device is awake / powered on
SS                  Check if sensor is functional
TT                  Take a snapshot
RR                  Rotate towards object of movement
DD                  Detect motion
MM                  Timer control

Scenario 1:
The workflow will be as follows:

CC - Check if device is awake >> SS - Check if sensor is functional >> DD - Detect motion >> RR - Rotate towards motion >> TT - Take snapshot.

So the code you would need to write would be
CC SS DD RR TT

Scenario 2:
Now suppose the functionality of the device is changed to take pictures at every interval of time.

The workflow will be:

CC - Check if device is awake >> MM - Timer control >> TT - Take snapshot.

So the code you would need to write would be
CC MM TT

If you implemented the above scenario without a decorator pattern, using derived classes and so on, it would have taken a lot of time modifying the codebase to fit in scenario 2, and it would violate the open-closed principle of SOLID. Instead, using a decorator we leave the scenario 1 code untouched while we implement the scenario 2 logic.

In the above example we have a limited number of instructions; consider writing code for an IoT device which has numerous instruction sets, all of which need to be assembled to interact with the device. In such a scenario you would definitely prefer writing less code and opt for the decorator pattern.
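The web cam scenarios above, written out as a decorator chain. This is example code added here, not code from the original post; the class names (WebCam, CheckAwake, CheckSensor, DetectMotion, Rotate, TakeSnapshot, TimerControl) and the device fields are assumptions. Each instruction wraps the chain built so far and runs its own step after the inner chain, so scenario 1 and scenario 2 are assembled from the same parts without touching each other, and a failed check (CC or SS) stops the rest of the chain.

```python
from dataclasses import dataclass
from functools import reduce
from typing import List, Optional

# Example code added to illustrate the web cam decorator chain; not from the original post.

@dataclass
class WebCam:
    """The original object (the first tree ring): bare device state, no behaviour yet."""
    powered: bool = True
    sensor_ok: bool = True
    motion_angle: Optional[int] = None   # direction motion was seen in, if any
    angle: int = 0
    snapshots: int = 0
    ticks: int = 0

    @property
    def cam(self) -> "WebCam":
        return self

    def run(self) -> List[str]:
        return []                         # nothing happens until decorated


class Instruction:
    """Decorator base: run the wrapped chain first, then this instruction's own step."""
    code = "??"

    def __init__(self, inner):
        self.inner = inner

    @property
    def cam(self) -> WebCam:
        return self.inner.cam             # walk down to the device at the core

    def run(self) -> List[str]:
        trace = self.inner.run()
        if trace and trace[-1].endswith("!"):
            return trace                  # an earlier check failed: stop the chain here
        trace.append(self.code if self.step(self.cam) else self.code + "!")
        return trace

    def step(self, cam: WebCam) -> bool:  # True = continue, False = abort the chain
        return True


class CheckAwake(Instruction):
    code = "CC"
    def step(self, cam): return cam.powered

class CheckSensor(Instruction):
    code = "SS"
    def step(self, cam): return cam.sensor_ok

class DetectMotion(Instruction):
    code = "DD"
    def step(self, cam): return cam.motion_angle is not None

class Rotate(Instruction):
    code = "RR"
    def step(self, cam):
        cam.angle = cam.motion_angle
        return True

class TakeSnapshot(Instruction):
    code = "TT"
    def step(self, cam):
        cam.snapshots += 1
        return True

class TimerControl(Instruction):
    code = "MM"
    def step(self, cam):
        cam.ticks += 1                    # stand-in for waiting one interval
        return True


def compose(device, instructions):
    """Wrap `device` in each decorator in order; the last one listed is outermost."""
    return reduce(lambda inner, cls: cls(inner), instructions, device)

def scenario_one(cam: WebCam) -> List[str]:
    """Motion-triggered capture: CC SS DD RR TT."""
    return compose(cam, [CheckAwake, CheckSensor, DetectMotion, Rotate, TakeSnapshot]).run()

def scenario_two(cam: WebCam) -> List[str]:
    """Interval capture: CC MM TT, built from the same parts with scenario one untouched."""
    return compose(cam, [CheckAwake, TimerControl, TakeSnapshot]).run()

if __name__ == "__main__":
    print(scenario_one(WebCam(motion_angle=45)))   # ['CC', 'SS', 'DD', 'RR', 'TT']
    print(scenario_two(WebCam()))                  # ['CC', 'MM', 'TT']
```

The returned trace is the instruction sequence the post writes as "CC SS DD RR TT"; a device whose sensor check fails yields "CC SS!" and never reaches the snapshot step, which is the kind of guard a subclass-per-combination design makes awkward to share.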

Below is a basic code example of an Ice Cream Preparation using decorator pattern.


The Ice Cream comes with a base Cone and with one scoop of ice cream.
It can be topped with chocolate sauce, sprinkles, gummy bears or all the above.

using System;

namespace IceCreamDecoration
{
    // Component: anything that can be priced, plain cones and decorated cones alike.
    public abstract class BaseCone
    {
        protected double myPrice;

        public virtual double GetPrice()
        {
            return this.myPrice;
        }
    }

    // Decorator base: wraps another BaseCone and adds its own price on top of the wrapped price.
    public abstract class IceCreamToppingsDecorator : BaseCone
    {
        protected BaseCone basecone;

        public IceCreamToppingsDecorator(BaseCone baseconeToDecorate)
        {
            this.basecone = baseconeToDecorate;
        }

        public override double GetPrice()
        {
            return (this.basecone.GetPrice() + this.myPrice);
        }
    }

    class Program
    {
        static void Main()
        {
            // Concrete component: the plain one-scoop cone.
            OneScoop basecone = new OneScoop();
            Console.WriteLine("Just one scoop : " + basecone.GetPrice().ToString());

            // Each topping wraps whatever was built so far; the same decorator can be applied twice.
            SprinklesTopping sprinkles = new SprinklesTopping(basecone);
            SprinklesTopping moresprinkles = new SprinklesTopping(sprinkles);
            Console.WriteLine("single scoop with sprinkles: " + moresprinkles.GetPrice().ToString());

            GummyBearsTopping gummyBears = new GummyBearsTopping(moresprinkles);
            Console.WriteLine("single scoop with more sprinkles and gummy bears: " + gummyBears.GetPrice().ToString());

            ChocolateSauceTopping chocolateSauce = new ChocolateSauceTopping(gummyBears);
            Console.WriteLine("single scoop with more sprinkles and gummy bears and chocolate sauce: " + chocolateSauce.GetPrice().ToString());

            Console.ReadLine();
        }
    }

    // Concrete components: the things being decorated.
    public class OneScoop : BaseCone
    {
        public OneScoop()
        {
            this.myPrice = 6.99;
        }
    }

    public class Dessert : BaseCone
    {
        public Dessert()
        {
            this.myPrice = 7.49;
        }
    }

    // Concrete decorators: each sets only its own surcharge; GetPrice is inherited from the decorator base.
    public class SprinklesTopping : IceCreamToppingsDecorator
    {
        public SprinklesTopping(BaseCone baseconeToDecorate)
            : base(baseconeToDecorate)
        {
            this.myPrice = 0.99;
        }
    }

    public class GummyBearsTopping : IceCreamToppingsDecorator
    {
        public GummyBearsTopping(BaseCone baseconeToDecorate)
            : base(baseconeToDecorate)
        {
            this.myPrice = 1.49;
        }
    }

    public class ChocolateSauceTopping : IceCreamToppingsDecorator
    {
        public ChocolateSauceTopping(BaseCone baseconeToDecorate)
            : base(baseconeToDecorate)
        {
            this.myPrice = 2.49;
        }
    }
}

Monday, August 22, 2016

Web Watcher - Why you need to crawl the web for confidential data leaks of your company?

Abstract: Understanding the need to crawl notorious sites on the World Wide Web for leaked/compromised/hacked data, and to put a mechanism in place to report such findings so that the necessary action can be taken quickly to minimize the impact of the attack.

Why?
As we know, in today's world no amount of security can make a system impenetrable; the least we can do is step up our guard and put a mechanism in place that minimizes the damage in a worst-case scenario.
Hackers have perfected a few techniques for making money from the data they steal.
Hacked data may contain email credentials, social network credentials, API keys, subnet IPs, password hashes, machine configuration info, etc. They sell the data to the victim's rivals/competitors or, in certain cases, end up blackmailing the victim.

Hackers/cyber criminals tend to share the results of their data heists on the open web on sites such as Pastebin, Slexy, Reddit, 4chan and many other loosely moderated sites. They often share glimpses of the hacked data to gain attention and to attract interested buyers for the entire data dump.

This makes it evident that we need to be on constant lookout for such data leaks in forums, text sharing sites, social media, etc. Since the volume of data to be monitored is large, doing it manually would be impractical, hence we need a system/application to do it. Once leaked data reaches us, it is up to the security team to take the necessary action, which may be anything from changing passwords/API keys to suspending accounts, or whatever action is apt for the situation.

Scope
To define a monitoring system which identifies data leaks of a specific individual/company, along with plausible data sources and tools which generate reports. The action to be taken on the data leak depends entirely on the type of system/data, which is not in the scope of this


Everyone else is doing it?
Yes! A lot of big companies have a system in place for the sole purpose of looking for their own data leaks on the open web. Ever since the infamous "50 days of Lulz" hack, everyone has been rushing towards this approach. Cyber security companies do this constantly.

Overview of the system that needs to be in place to look for data leaks:

Data Source 1: As you can see in the above diagram, data from text sharing sites is pulled for analysis via their APIs, and the regular expressions in our pattern matching engine pull out any leaked data.
Data Source 2: There are a few Twitter bots, such as @dumpmon, which monitor hackers' playgrounds, forums and their popular sharing platforms and tweet whenever a leak is detected.

Data from such bots is useful because it provides a bounded amount of data to search; passing it to our PR-Engine does the rest of the filtering.
Data Source 3: Using custom search engine queries and tools such as Scumblr, and integrating them with our system, would help us get to the leaked data more quickly.

The key thing to consider here is how quickly we can get the data that interests us, and that it is obtained with the minimum of resources consumed.

Tools: There are no fully fledged commercial tools for this purpose. On exploring I found a few good tools.
Scumblr & Sketchy: These tools were developed and open sourced by Netflix. Their purpose is to collect information on the web that interests you/your company. They are currently used by the Netflix security team.




HaveIBeenPwned: This is an online tool where you can search for a keyword and it shows you whether your account has been compromised. It has API support too.


Amazon also monitors the web; there have been multiple instances where users were alerted that the API keys for their instances were on the open web. We are not aware which tool they use for this purpose.
However, there is an open source tool called Security Monkey which monitors policy changes and alerts on insecure configurations in an AWS account.





Pystemon
I happened to try out pystemon, an open source tool built in Python.
Below are the results.
Step 1: I posted a test email ID with some data to the text sharing site Slexy.

Step 2: I configured my system to run pystemon.
Step 3: I set up the regular expression I was looking for in the tool configuration.

Step 4: Run the program.

Step 5: Within a minute, the text I had shared in step 1 had been downloaded, along with all the information surrounding it, into the Alerts folder.


This is just a simple demonstration of how huge volumes of data can be mined easily with the tools available; by customizing such tools we can set the path to effective monitoring of the web for confidential data leaks. The one thing common to all these tools is that they are written in Python. Python is commonly used to scrape data from large dumps and is effective at it.
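A minimal version of the regular-expression "pattern matching engine" from Data Source 1 and of what the pystemon run above did, as example code added here; it is neither the original post's code nor pystemon's. The company domain (example.com), the internal netblock prefix, the watch categories and the sample pastes are all constructed placeholders; the key is the AWS documentation example key and the hashes are the well-known MD5 values of "password" and "123456", not live data. Two points the paragraph does not show: the alert record stores only a masked form of each hit, so the monitoring system does not become a second copy of the leak, and identical pastes (mirrors, re-posts) are hashed and suppressed so the security team is paged once.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Example code added to illustrate the regex pattern matching engine; not from the post or pystemon.
# Placeholders: replace with your own domain and internal address space.
COMPANY_DOMAIN = "example.com"
INTERNAL_NET_PREFIX = "10.20."

WATCH_PATTERNS: Dict[str, Pattern[str]] = {
    "corp_email":     re.compile(r"\b[\w.+-]+@" + re.escape(COMPANY_DOMAIN) + r"\b", re.I),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),        # AWS access key ID format
    "internal_ip":    re.compile(r"\b" + re.escape(INTERNAL_NET_PREFIX) + r"\d{1,3}\.\d{1,3}\b"),
    "password_hash":  re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{40})\b", re.I),  # MD5 / SHA-1 sized hex
}

@dataclass
class Finding:
    paste_id: str
    category: str
    sample: str      # masked form of the first hit; the alert never stores the full secret
    count: int

def mask(value: str) -> str:
    """Keep enough of a match to triage it, not enough to reuse it."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]

def scan_paste(paste_id: str, text: str, patterns=WATCH_PATTERNS) -> List[Finding]:
    """Run every watch pattern over one paste and summarise the hits per category."""
    findings = []
    for category, pattern in patterns.items():
        hits = pattern.findall(text)
        if hits:
            findings.append(Finding(paste_id, category, mask(hits[0]), len(hits)))
    return findings

class Watcher:
    """Feeds pastes through the engine and suppresses repeat alerts on identical content."""
    def __init__(self):
        self.seen = set()
        self.alerts: List[Finding] = []

    def ingest(self, paste_id: str, text: str) -> List[Finding]:
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        if digest in self.seen:
            return []                     # mirror or re-post of something already alerted on
        self.seen.add(digest)
        findings = scan_paste(paste_id, text)
        self.alerts.extend(findings)
        return findings

# Constructed sample pastes (documentation example key, well-known MD5 test values).
SAMPLE_PASTES = {
    "p1": ("leaked from corp mail\n"
           "alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99\n"
           "bob@example.com:e10adc3949ba59abbe56e057f20f883e\n"
           "jump host 10.20.1.15 key AKIAIOSFODNN7EXAMPLE\n"),
    "p2": "nothing here, contact me at someone@gmail.com\n",
}

def run_demo() -> List[Finding]:
    """Ingest the samples, including one exact mirror of p1, and return the alert list."""
    w = Watcher()
    for pid, text in SAMPLE_PASTES.items():
        w.ingest(pid, text)
    w.ingest("p1-mirror", SAMPLE_PASTES["p1"])   # identical re-post: no second alert
    return w.alerts

if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

In a real deployment the pastes would arrive from the site APIs or a bot feed as in the diagram, and the watch list would be loaded from configuration the way pystemon reads its regular expressions; the scanning and de-duplication logic stays the same.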

Conclusion: Using the information in this document as a starting point, setting up an effective system or application with multiple inbound data sources to monitor the wide web would minimize the impact on customers/victims and add trust to the brand, which is not only essential but pivotal in today's world, where security can be an illusion.



Tuesday, August 16, 2016

Setting up OTP Auth for your application with Google Auth

Two factor authentication has become a necessary evil these days. Unlike the olden days when people carried an RSA token generator with them, these days we use apps such as Google Authenticator.

Below are the steps to help you get started with it.

1. Get the NuGet package GoogleAuthenticator

2. Add the following code

    using Google.Authenticator;

    // Generate the setup material for one account: a QR image URL the app can scan
    // and a manual entry key the user can type in instead.
    TwoFactorAuthenticator tfa = new TwoFactorAuthenticator();
    var setupCode = tfa.GenerateSetupCode("issuer", "accountTitle", "poiuytrewq123456", 300, 300);

    string qrCodeImageUrl = setupCode.QrCodeSetupImageUrl;   // URL of the QR code image
    string manualEntrySetupCode = setupCode.ManualEntryKey;  // key for manual entry in the app
    Console.WriteLine(manualEntrySetupCode);

Use any key in place of "poiuytrewq123456".
On executing this code you will get a manual entry setup code.

3. Install Google Authenticator on your phone from Google Play.
Open the app and go to
Options >> Set up account >> Enter provided key >> enter the alphanumeric code displayed by the above program, and enter the same "accountTitle" given in the code above in the "Account name" field.
Now your account is set up.

4. Add the following code to validate the OTP shown on your mobile.

    Console.WriteLine("Enter OTP ");
    string enteredOTP = Console.ReadLine();

    // The library recomputes the code for the same secret and the current time step
    // and compares it with what the user typed.
    bool isCorrectPIN = tfa.ValidateTwoFactorPIN("poiuytrewq123456", enteredOTP);
    return isCorrectPIN;

That's it, you are done.

Run the program.
Enter the OTP in the console as shown on your mobile.
If the OTP matches, you will get authenticated.

Will share the Github repo link.


Wednesday, July 20, 2016

Beware of Apps caching unwanted images

When you use certain apps, images are cached on your phone to help the application load faster next time.
While some applications delete them or make them non-readable, they are still accessible and readable with some searching and tweaking, without any root access.

I found this in previous versions of Tumblr and Twitter using "Ess file Manager".

Browse to sdcard/Android/data (in this directory you will find all the apps which cache data).

Browse further to sdcard/android/data/com.tumblr or com.twitter.android and you will find a lot of files with alphanumeric names.

Select all and rename them with the option provided by "Ess file Manager", giving ".jpg" in the extension field.

You will now see most of the images that you had browsed in the app.
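Renaming everything to ".jpg" works because the file manager then hands the bytes to an image viewer; a more precise way to see which cached files are really images is to read each file's first bytes. The script below does that, as example code added here (not from the original post): it builds a throwaway directory standing in for sdcard/Android/data/<app>/cache, with opaque file names like the ones described, and reports each file's image type from its header (JPEG, PNG, GIF or WebP) without renaming anything. The function names and sample contents are constructed.

```python
import os
import tempfile
from typing import Dict, Optional

# Example code added to inventory an app cache by magic bytes; not from the original post.
# File signatures of the formats an image cache typically holds.
SIGNATURES = {
    "jpg":  [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "webp": [b"RIFF"],            # RIFF container; bytes 8-11 must read "WEBP"
}

def sniff(path: str) -> Optional[str]:
    """Return the image type of a file from its header, or None if it is not a known image."""
    with open(path, "rb") as fh:
        head = fh.read(12)
    for ext, magics in SIGNATURES.items():
        for magic in magics:
            if head.startswith(magic):
                if ext == "webp" and head[8:12] != b"WEBP":
                    continue      # some other RIFF file (e.g. audio), not an image
                return ext
    return None

def inventory(cache_dir: str) -> Dict[str, Optional[str]]:
    """Map every file under cache_dir (relative path) to its sniffed type."""
    result = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            full = os.path.join(root, name)
            result[os.path.relpath(full, cache_dir)] = sniff(full)
    return result

def build_sample_cache() -> str:
    """Constructed stand-in for an app cache directory with opaque file names."""
    cache_dir = tempfile.mkdtemp(prefix="appcache-")
    samples = {
        "a1b2c3": b"\xff\xd8\xff\xe0" + b"\x00" * 32,                 # JPEG header
        "d4e5f6": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,                # PNG header
        "0a0b0c": b"RIFF\x10\x00\x00\x00WEBPVP8 " + b"\x00" * 16,     # WebP header
        "journal": b"libcore.io.DiskLruCache\n1\n",                   # cache index, not an image
    }
    for name, data in samples.items():
        with open(os.path.join(cache_dir, name), "wb") as fh:
            fh.write(data)
    return cache_dir

if __name__ == "__main__":
    for name, kind in sorted(inventory(build_sample_cache()).items()):
        print(f"{name}: {kind or 'not an image'}")
```

Pointing inventory() at a copy of the real cache directory gives the same listing for the files described above, and the journal-style index file that such caches keep is correctly left out.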

So be careful next time, and remember to clean up such folders. You may choose to clear the cached data of all apps as described in this link: http://lifehacker.com/clear-all-cached-app-data-at-once-on-android-1443937040 . But it will also erase your login details, making you re-enter your credentials the next time you log into Tumblr/Instagram or any app that requires credentials. Hence be wise and clear the data only of those apps that you really want to.


WhatsApp has a separate Sent folder, which for some reason never appeared in my gallery.
It contains all the videos and pictures you forward to others.

Using "Ess file Manager", browse to /sdcard/WhatsApp/Media/WhatsAppImages/Sent and /sdcard/WhatsApp/Media/WhatsAppVideos/Sent

Delete the contents of these folders if you want nothing to do with those images/videos.

Saturday, July 16, 2016

Tackling "Phone storage full"

When you don't have an expandable memory slot and you thought that 16 GB or less was enough for your needs, you might find yourself in shock when you run into this problem.



Other than the fact that you managed to fill up your phone with data, most of which you don't need, you might still be able to create some space by clearing up some of the junk you never use or which is created by your phone.

Below are a few quick ways to free up some space on your Android phone (no root).


Disable apps which you do not use.



For example, you may not be using Google+. Go to Application Manager, select the app and force stop it before hitting the Disable button (you can always enable it again). Before doing this, you can also uninstall the updates of such apps that come with the phone. In case your phone does not come with this app-disabling feature, you would have to install an app from the Play Store such as "disable bloatware" or "app Freeze".

Uninstall apps that you never use.


Apps keep getting heavier after each update, so if you have not been using an app for a long time, you can uninstall it. If you still feel you may use the app in the near future, back up the APK file using an app like "Ess file Manager" and then uninstall the app.

Delete big files / duplicate files



Use "Big File Locator" to find the large files on your phone and delete them if they are of no use to you.


Backup your files.



You can use "Dropbox" or "Box" or any reliable backup service that suits your needs. I use Dropbox; it has 2 GB of free storage (Box has 10 GB). You can move your pictures or files to it and clear up the space on your phone. With some settings in such apps, you can schedule your uploads, or the folders that you want to back up, at certain intervals.




Misc: a few common tips.


  • You can always root your phone if you want to get rid of the apps that come bundled with it.
  • Turn the auto-update apps feature OFF. You can then select the apps that you want to update.
  • Use websites instead of apps wherever possible. (All websites promote their apps, but not all apps are good for you.)
  • Do not use apps like Clean Master or apps with similar functionality; they may do more damage than good.

Thursday, February 18, 2016

Listing Dependencies of Stored Procedure in MS SQL

When you want to check the dependencies of a stored procedure, as in which tables it uses,
you can use the query below:

-- One row per (procedure, table) pair recorded in the dependency catalog.
-- sys.sql_dependencies is a deprecated compatibility view; sys.sql_expression_dependencies
-- is its documented replacement on SQL Server 2008 and later.
SELECT DISTINCT p.name AS proc_name, t.name AS table_name
FROM sys.sql_dependencies d
INNER JOIN sys.tables     t ON t.object_id = d.referenced_major_id
INNER JOIN sys.procedures p ON p.object_id = d.object_id
ORDER BY proc_name, table_name;

Below is the result of executing the above query on the Northwind database:


You can also try

-- sp_depends is deprecated as well; sys.dm_sql_referenced_entities is the documented replacement.
EXEC sp_depends 'Procedure_Name';