Recent Posts
Archives

AI Cybersecurity DefCon32 developer devops Devoxx DevoxxBE2012 DevoxxBE2013 DevoxxFR DevoxxFR2012 DevoxxFR2013 DevoxxFR2014 DotAI2024 Google Hibernate Java JavaScript JetBrains Jonathan Lalou Kotlin KotlinConf Kubernetes Maven Maven 2 Microservices NDCConferences ndcoslo NDCOslo2024 Node NodeCongress NodeCongress2021 NodeJS Oracle OxidizeConf2024 PHP Python recommendation RustLang Scala Security softwaredeveloper SoftwareDevelopment Spring SpringBoot Weblogic

Archive for the ‘General’ Category

« Older Entries
Newer Entries »

PostHeaderIcon Understanding volatile in Java: A Deep Dive with a Cloud-Native Use Case

Author: Jonathan Lalou
In the modern cloud-native world, concurrency is no longer a niche concern. Whether you’re building scalable microservices in Kubernetes, deploying serverless functions in AWS Lambda, or writing multithreaded backend services in Java, thread safety is a concept you must understand deeply.

Among Java’s many concurrency tools, the volatile keyword stands out as both simple and powerful—yet often misunderstood.

This article provides a comprehensive look at volatile, including real-world cloud-based scenarios, a complete Java example, and important caveats every developer should know.

What Does volatile Mean in Java?

At its core, the volatile keyword in Java is used to ensure visibility of changes to variables across threads.

  • Guarantees read/write operations are done directly from and to main memory, avoiding local CPU/thread caches.
  • Ensures a “happens-before” relationship, meaning changes to a volatile variable by one thread are visible to all other threads that read it afterward.

❌ The Problem volatile Solves

Let’s consider the classic issue: Thread A updates a variable, but Thread B doesn’t see it due to caching.

public class ServerStatus {
    private static boolean isRunning = true;

    public static void main(String[] args) throws InterruptedException {
        Thread monitor = new Thread(() -> {
            while (isRunning) {
                // still running...
            }
            System.out.println("Service stopped.");
        });

        monitor.start();
        Thread.sleep(1000);
        isRunning = false;
    }
}

Under certain JVM optimizations, Thread B might never see the change, causing an infinite loop.

✅ Using volatile to Fix the Visibility Issue

public class ServerStatus {
    private static volatile boolean isRunning = true;

    public static void main(String[] args) throws InterruptedException {
        Thread monitor = new Thread(() -> {
            while (isRunning) {
                // monitor
            }
            System.out.println("Service stopped.");
        });

        monitor.start();
        Thread.sleep(1000);
        isRunning = false;
    }
}

This change ensures all threads read the latest value of isRunning from main memory.

☁️ Cloud-Native Use Case: Gracefully Stopping a Health Check Monitor

Now let’s ground this with a real-world cloud-native example. Suppose a Spring Boot microservice runs a background thread that polls the health of cloud instances (e.g., EC2 or GCP VMs). On shutdown—triggered by a Kubernetes preStop hook—you want the monitor to exit cleanly.

public class CloudHealthMonitor {

    private static volatile boolean running = true;

    public static void main(String[] args) {
        Thread healthThread = new Thread(() -> {
            while (running) {
                pollHealthCheck();
                sleep(5000);
            }
            System.out.println("Health monitoring terminated.");
        });

        healthThread.start();

        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            System.out.println("Shutdown signal received.");
            running = false;
        }));
    }

    private static void pollHealthCheck() {
        System.out.println("Checking instance health...");
    }

    private static void sleep(long millis) {
        try {
            Thread.sleep(millis);
        } catch (InterruptedException ignored) {}
    }
}

This approach ensures your application exits gracefully, cleans up properly, and avoids unnecessary errors or alerts in monitoring systems.

⚙️ How volatile Works Behind the Scenes

Java allows compilers and processors to reorder instructions for optimization. This can lead to unexpected results in multithreaded contexts.

volatile introduces memory barriers that prevent instruction reordering and force flushes to/from main memory, maintaining predictable behavior.

Common Misconceptions

  • volatile makes everything thread-safe!” ❌ False. It provides visibility, not atomicity.
  • “Use volatile instead of synchronized Only for simple flags. Use synchronized for compound logic.
  • volatile is faster than synchronized ✅ Often true—but only if used appropriately.

When Should You Use volatile?

✔ Use it for:

  • Flags like running, shutdownRequested
  • Read-mostly config values that are occasionally changed
  • Safe publication in single-writer, multi-reader setups

✘ Avoid for:

  • Atomic counters (use AtomicInteger)
  • Complex inter-thread coordination
  • Compound read-modify-write operations

✅ Summary Table

Feature volatile
Visibility Guarantee ✅ Yes
Atomicity Guarantee ❌ No
Lock-Free ✅ Yes
Use for Flags ✅ Yes
Use for Counters ❌ No
Cloud Relevance ✅ Graceful shutdowns, health checks

Conclusion

In today’s cloud-native Java ecosystem, understanding concurrency is essential. The volatile keyword—though simple—offers a reliable way to ensure thread visibility and safe signaling across threads.

Whether you’re stopping a background process, toggling a configuration flag, or signaling graceful shutdowns, volatile remains an invaluable tool for writing correct, responsive, and cloud-ready code.

What About You?

Have you used volatile in a critical system before? Faced tricky visibility bugs? Share your insights in the comments!

Related Reading

Posted in en-US | Tags: | No Comments »

PostHeaderIcon Advanced Encoding in Java, Kotlin, Node.js, and Python

Author: Jonathan Lalou

Encoding is essential for handling text, binary data, and secure transmission across applications. Understanding advanced encoding techniques can help prevent data corruption and ensure smooth interoperability across systems. This post explores key encoding challenges and how Java/Kotlin, Node.js, and Python tackle them.

1️⃣ Handling Special Unicode Characters (Emoji, Accents, RTL Text)

Java/Kotlin

Java uses UTF-16 internally, but for external data (JSON, databases, APIs), explicit encoding is required:

String text = "🔧 Café مرحبا";
byte[] utf8Bytes = text.getBytes(StandardCharsets.UTF_8);
String decoded = new String(utf8Bytes, StandardCharsets.UTF_8);
System.out.println(decoded); // 🔧 Café مرحبا

Tip: Always specify StandardCharsets.UTF_8 to avoid platform-dependent defaults.

Node.js

const text = "🔧 Café مرحبا";
const utf8Buffer = Buffer.from(text, 'utf8');
const decoded = utf8Buffer.toString('utf8');
console.log(decoded); // 🔧 Café مرحبا

Tip: Using an incorrect encoding (e.g., latin1) may corrupt characters.

Python

text = "🔧 Café مرحبا"
utf8_bytes = text.encode("utf-8")
decoded = utf8_bytes.decode("utf-8")
print(decoded)  # 🔧 Café مرحبا

Tip: Python 3 handles Unicode by default, but explicit encoding is always recommended.

2️⃣ Encoding Binary Data for Transmission (Base64, Hex, Binary Files)

Java/Kotlin

byte[] data = "Hello World".getBytes(StandardCharsets.UTF_8);
String base64Encoded = Base64.getEncoder().encodeToString(data);
byte[] decoded = Base64.getDecoder().decode(base64Encoded);
System.out.println(new String(decoded, StandardCharsets.UTF_8)); // Hello World

Node.js

const data = Buffer.from("Hello World", 'utf8');
const base64Encoded = data.toString('base64');
const decoded = Buffer.from(base64Encoded, 'base64').toString('utf8');
console.log(decoded); // Hello World

Python

import base64
data = "Hello World".encode("utf-8")
base64_encoded = base64.b64encode(data).decode("utf-8")
decoded = base64.b64decode(base64_encoded).decode("utf-8")
print(decoded)  # Hello World

Tip: Base64 encoding increases data size (~33% overhead), which can be a concern for large files.

3️⃣ Charset Mismatches and Cross-Language Encoding Issues

A file encoded in ISO-8859-1 (Latin-1) may cause garbled text when read using UTF-8.

Java/Kotlin Solution:

byte[] bytes = Files.readAllBytes(Paths.get("file.txt"));
String text = new String(bytes, StandardCharsets.ISO_8859_1);

Node.js Solution:

const fs = require('fs');
const text = fs.readFileSync("file.txt", { encoding: "latin1" });

Python Solution:

with open("file.txt", "r", encoding="ISO-8859-1") as f:
    text = f.read()

Tip: Always specify encoding explicitly when working with external files.

4️⃣ URL Encoding and Decoding

Java/Kotlin

String encoded = URLEncoder.encode("Hello World!", StandardCharsets.UTF_8);
String decoded = URLDecoder.decode(encoded, StandardCharsets.UTF_8);

Node.js

const encoded = encodeURIComponent("Hello World!");
const decoded = decodeURIComponent(encoded);

Python

from urllib.parse import quote, unquote
encoded = quote("Hello World!")
decoded = unquote(encoded)

Tip: Use UTF-8 for URL encoding to prevent inconsistencies across different platforms.

Conclusion: Choosing the Right Approach

  • Java/Kotlin: Strong type safety, but requires careful Charset management.
  • Node.js: Web-friendly but depends heavily on Buffer conversions.
  • Python: Simple and concise, though strict type conversions must be managed.

📌 Pro Tip: Always be explicit about encoding when handling external data (APIs, files, databases) to avoid corruption.

 

Posted in en-US | Tags: , , , , | No Comments »

PostHeaderIcon Mastering DNS Configuration: A, AAAA, CNAME, and Best Practices with OVH

Author: Jonathan Lalou

I am currently reorganizing a website of mine, hosted at OVHcloud, and it is worth reminding some concepts and best practices related to DNS.

(disclaimer: I am not part of OVH at all, I express myself as a mere customer)

DNS (Domain Name System) is the backbone of the internet, translating human-friendly domain names into IP addresses that computers understand. Yet, many website owners and IT professionals struggle with its configuration. Let’s break down the essential DNS records—A, AAAA, and CNAME—and illustrate best practices using OVH’s interface.

Key DNS Records Explained

1️⃣ A Record (Address Record)

  • Maps a domain (e.g., example.com) to an IPv4 address (e.g., 192.168.1.1).
  • Best practice: Ensure you update this if your server IP changes.

2️⃣ AAAA Record (IPv6 Address Record)

  • Similar to A records but maps to an IPv6 address (e.g., 2001:db8::1).
  • Best practice: If your hosting provider supports IPv6, use this alongside A records for better future-proofing.

3️⃣ CNAME Record (Canonical Name Record)

  • Points a domain (e.g., blog.example.com) to another domain (example.wordpress.com).
  • Best practice: Use CNAME for aliases but avoid pointing the root domain (example.com) to another domain using CNAME—stick to A/AAAA records.

Configuring DNS Records in OVH

To set up a subdomain (blog.example.com) on OVH:

  1. Log in to your OVH Control Panel.
  2. Navigate to Web Cloud → Domains, then select your domain.
  3. Go to the DNS Zone tab and click Add an entry.
  4. Choose A Record if your blog has a dedicated IPv4, or CNAME if pointing to another domain.
  5. Enter your subdomain (blog) and the corresponding IP or domain.
  6. Save changes and wait for propagation (~24 hours max).

Best Practices for DNS Management

  • Use TTL (Time-To-Live) wisely: Lower values (e.g., 300s) allow faster updates but increase queries to your DNS provider.
  • Keep DNS records minimal: Avoid unnecessary CNAME chains to improve resolution speed.
  • Secure with DNSSEC: If your registrar supports it, enable DNSSEC to prevent DNS spoofing.
  • Regularly review DNS settings: Especially after migrations, new SSL configurations, or changes in hosting.
Posted in en-US | Tags: , | No Comments »

PostHeaderIcon [DefCon32] Behind Enemy Lines: Engaging and Disrupting Ransomware Web Panels

Author: Jonathan Lalou

Vangelis Stykas, Chief Technology Officer at Atropos, delivers a bold exploration of offensive cybersecurity, targeting the command-and-control (C2) web panels of ransomware groups. His talk unveils strategies to infiltrate these systems, disrupt operations, and gather intelligence on threat actors. Vangelis’s work, driven by a desire to challenge criminal enterprises, showcases the power of turning adversaries’ tools against them, offering a fresh perspective on combating ransomware.

Targeting Ransomware Infrastructure

Vangelis opens by highlighting the resilience of ransomware groups, noting that only 3.5% of 140 tested web panels exhibited vulnerabilities, compared to 15–20% for Fortune 100 companies. He recounts infiltrating panels of groups like ALPHV/BlackCat, Everest, and Mallox, exploiting flaws such as outdated WordPress sites and chat features. These breaches enabled Vangelis to extract decryption keys and member identities, disrupting operations and aiding victims.

Methodologies for Infiltration

Delving into technical strategies, Vangelis explains how he exploited low-hanging vulnerabilities in ransomware C2 panels, such as misconfigured APIs and weak authentication. His approach, refined over two years, involved identifying data leak sites and leveraging penetration testing expertise to gain unauthorized access. By targeting infrastructure like Tor networks and custom firewalls, Vangelis demonstrates how attackers’ own security measures can be weaponized against them.

Ethical Dilemmas and Community Impact

Vangelis reflects on the moral complexities of his work, rejecting the vigilante label in favor of being a “Socratic fly” that disrupts the status quo. He urges cyber threat intelligence (CTI) firms to share data openly, noting that faster access to C2 information could amplify his impact. His successes, including contributing to ALPHV/BlackCat’s collapse, highlight the potential of offensive tactics to weaken ransomware ecosystems.

Future of Cyber Offense

Concluding, Vangelis emphasizes the need for persistent innovation in fighting ransomware. He advocates for collaborative intelligence sharing and proactive disruption of criminal infrastructure. By drawing parallels to the “Five Horsemen” of cyber threats, Vangelis inspires researchers to confront adversaries head-on, ensuring that the cybersecurity community remains one step ahead in this ongoing battle.

Links:

Posted in en-US | Tags: , , , , , , , , | No Comments »

PostHeaderIcon [DotJs2024] Dante’s Inferno of Fullstack Development (A Brief History)

Author: Jonathan Lalou

Fullstack webcraft’s tumult—acronym avalanches, praxis pivots—evokes a helical descent, yet upward spiral. James Q. Quick, a JS evangelist, speaker, and BigCommerce developer experience lead, traversed this inferno at dotJS 2024, channeling Dante’s nine circles via Dan Brown’s lens. A Rubik’s aficionado (sub-two minutes) and Da Vinci Code devotee (Paris-site pilgrim), Quick, born 1991—the web’s inaugural site’s year—wove personal yarns into a scorecard saga, rating eras on SEO, performance, build times, dynamism. His verdict: chaos conceals progress; contextualize to conquer.

Quick decried distraction’s vortex: HTML/CSS/JS/gGit/npm, framework frenzy—Vue, React, Svelte, et al.—framework-hopping’s siren song. His jest: “GrokweJS,” halting churn. Web genesis: 1989 Berners-Lee, 1991 inaugural site (HTML how-to), 1996 Space Jam’s static splendor. Circle one: static HTML—SEO stellar, perf pristine, builds nil, dynamism dead. LAMP stacks (two: PHP/MySQL) injected server dynamism—SEO middling, perf client-hobbled, builds absent, dynamism robust.

Client-side JS (three: jQuery/Angular) flipped: SEO tanked (crawlers blind), perf ballooned bundles, builds concatenated, dynamism client-rich. Jamstack’s static resurgence (four: Gatsby/Netlify)—SEO revived, perf CDN-fast, builds protracted, dynamism API-propped—reigned till content deluges. SSR revival (five: Next.js/Nuxt)—SEO solid, perf hybrid, builds lengthy, dynamism server-fresh—bridged gaps.

Hybrid rendering (six: Astro/Next)—per-page static/SSR toggles—eased dynamism sans universal builds. ISR (seven: Next’s coinage)—subset builds, on-demand SSR, CDN-cache—slashed times, dynamism on-tap. Hydration’s bane (eight): JS deluges for interactivity, wasteful. Server components (nine: React/Next, Remix, Astro islands)—stream static shells, async data, cache surgically—optimize bites, interactivity islands.

Quick’s spiral: circles ascend, solving yesteryear’s woes innovatively. Pantheon’s 203 steps with napping tot evoked hope: endure inferno, behold stars.

Static Foundations to Dynamic Dawns

Quick’s scorecard chronicled: HTML’s purity (1991 site) to LAMP’s server pulse, client JS’s interactivity boon-cum-SEO curse. Jamstack’s static revival—Gatsby’s graphs—revitalized speed, API-fed dynamism; SSR’s return balanced freshness with crawlability.

Hybrid Horizons and Server Supremacy

Hybrids like Astro cherry-pick render modes; ISR on-demand builds dynamism sans staleness. Hydration’s excess yields to server components: React’s streams static + async payloads, islands (Astro/Remix) granularize JS—caching confluence for optimal perf.

Links:

Posted in en-US | Tags: , , , , , , , , , | No Comments »

PostHeaderIcon Efficient Inter-Service Communication with Feign and Spring Cloud in Multi-Instance Microservices

Author: Jonathan Lalou

In a world where systems are becoming increasingly distributed and cloud-native, microservices have emerged as the de facto architecture. But as we scale
microservices horizontally—running multiple instances for each service—one of the biggest challenges becomes inter-service communication.

How do we ensure that our services talk to each other reliably, efficiently, and in a way that’s resilient to failures?

Welcome to the world of Feign and Spring Cloud.

The Challenge: Multi-Instance Microservices

Imagine you have a user-service that needs to talk to an order-service, and your order-service runs 5 instances behind a
service registry like Eureka. Hardcoding URLs? That’s brittle. Manual load balancing? Not scalable.

You need:

  • Service discovery to dynamically resolve where to send the request
  • Load balancing across instances
  • Resilience for timeouts, retries, and fallbacks
  • Clean, maintainable code that developers love

The Solution: Feign + Spring Cloud

OpenFeign is a declarative web client. Think of it as a smart HTTP client where you only define interfaces — no more boilerplate REST calls.

When combined with Spring Cloud, Feign becomes a first-class citizen in a dynamic, scalable microservices ecosystem.

✅ Features at a Glance:

  • Declarative REST client
  • Automatic service discovery (Eureka, Consul)
  • Client-side load balancing (Spring Cloud LoadBalancer)
  • Integration with Resilience4j for circuit breaking
  • Easy integration with Spring Boot config and observability tools

Step-by-Step Setup

1. Add Dependencies

[xml][/xml]

If using Eureka:

[xml][/xml]

2. Enable Feign Clients

In your main Spring Boot application class:

[java]@SpringBootApplication
@EnableFeignClients
public <span>class <span>UserServiceApplication { … }
[/java]

3. Define Your Feign Interface

[java]
@FeignClient(name = "order-service")
public interface OrderClient { @GetMapping("/orders/{id}")
OrderDTO getOrder(@PathVariable("id") Long id); }
[/java]

Spring will automatically:

  • Register this as a bean
  • Resolve order-service from Eureka
  • Load-balance across all its instances

4. Add Resilience with Fallbacks

You can configure a fallback to handle failures gracefully:

[java]

@FeignClient(name = "order-service", fallback = OrderClientFallback.class)
public interface OrderClient {
@GetMapping("/orders/{id}") OrderDTO getOrder(@PathVariable Long id);
}[/java]

The fallback:

[java]

@Component
public class OrderClientFallback implements OrderClient {
@Override public OrderDTO getOrder(Long id) {
return new OrderDTO(id, "Fallback Order", LocalDate.now());
}
}[/java]

⚙️ Configuration Tweaks

Customize Feign timeouts in application.yml:

[yml]

feign:

    client:

       config:

           default:

                connectTimeout:3000

                readTimeout:500

[/yml]

Enable retry:

[xml]
feign:
client:
config:
default:
retryer:
maxAttempts: 3
period: 1000
maxPeriod: 2000
[/xml]

What Happens Behind the Scenes?

When user-service calls order-service:

  1. Spring Cloud uses Eureka to resolve all instances of order-service.
  2. Spring Cloud LoadBalancer picks an instance using round-robin (or your chosen strategy).
  3. Feign sends the HTTP request to that instance.
  4. If it fails, Resilience4j (or your fallback) handles it gracefully.

Observability & Debugging

Use Spring Boot Actuator to expose Feign metrics:

[xml]

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency[/xml]

And tools like Spring Cloud Sleuth + Zipkin for distributed tracing across Feign calls.

Beyond the Basics

To go even further:

  • Integrate with Spring Cloud Gateway for API routing and external access.
  • Use Spring Cloud Config Server to centralize configuration across environments.
  • Secure Feign calls with OAuth2 via Spring Security and OpenID Connect.

✨ Final Thoughts

Using Feign with Spring Cloud transforms service-to-service communication from a tedious, error-prone task into a clean, scalable, and cloud-native solution.
Whether you’re scaling services across zones or deploying in Kubernetes, Feign ensures your services communicate intelligently and resiliently.

Posted in en-US | Tags: , , , , , | No Comments »

PostHeaderIcon Problem: Spring JMS MessageListener Stuck / Not Receiving Messages

Author: Jonathan Lalou

Scenario

A Spring Boot application using ActiveMQ with @JmsListener suddenly stops receiving messages after running for a while. No errors in logs, and the queue keeps growing, but the consumers seem idle.

Setup

@JmsListener(destination = "myQueue", concurrency = "5-10") public void processMessage(String message) { log.info("Received: {}", message); }

  • ActiveMQConnectionFactory was used.

  • The queue (myQueue) was filling up.

  • Restarting the app temporarily fixed the issue.

Investigation

  1. Checked ActiveMQ Monitoring (Web Console)

    • Messages were enqueued but not dequeued.

    • Consumers were still active, but not processing.

  2. Thread Dump Analysis

    • Found that listener threads were stuck in a waiting state.

    • The problem only occurred under high load.

  3. Checked JMS Acknowledgment Mode

    • Default AUTO_ACKNOWLEDGE was used.

    • Suspected an issue with message acknowledgment.

  4. Enabled Debug Logging

    • Added:

      logging.level.org.springframework.jms=DEBUG

    • Found repeated logs like:

      JmsListenerEndpointContainer#0-1 received message, but no further processing

    • This hinted at connection issues.

  5. Tested with a Different Message Broker

    • Using Artemis JMS instead of ActiveMQ resolved the issue.

    • Indicated that it was broker-specific.

Root Cause

ActiveMQ’s TCP connection was silently dropped, but the JMS client did not detect it.

  • When the connection is lost, DefaultMessageListenerContainer doesn’t always recover properly.

  • ActiveMQ does not always notify clients of broken connections.

  • No exceptions were thrown because the connection was technically “alive” but non-functional.

Fix

  1. Enabled keepAlive in ActiveMQ connection

    ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(); factory.setUseKeepAlive(true); factory.setOptimizeAcknowledge(true); return factory;

  2. Forced Reconnection with Exception Listener

    • Implemented:

      factory.setExceptionListener(exception -> { log.error("JMS Exception occurred, reconnecting...", exception); restartJmsListener(); });

    • This ensured that if a connection was dropped, the listener restarted.

  3. Switched to DefaultJmsListenerContainerFactory with DMLC

    • SimpleMessageListenerContainer was less reliable in handling reconnections.

    • New Configuration:

      @Bean public DefaultJmsListenerContainerFactory jmsListenerContainerFactory( ConnectionFactory connectionFactory) { DefaultJmsListenerContainerFactory factory = new DefaultJmsListenerContainerFactory(); factory.setConnectionFactory(connectionFactory); factory.setSessionTransacted(true); factory.setErrorHandler(t -> log.error("JMS Listener error", t)); return factory; }

Final Outcome

✅ After applying these fixes, the issue never reoccurred.
🚀 The app remained stable even under high load.

Key Takeaways

  • Silent disconnections in ActiveMQ can cause message listeners to hang.

  • Enable keepAlive and optimizeAcknowledge for reliable connections.

  • Use DefaultJmsListenerContainerFactory with DMLC instead of SMLC.

  • Implement an ExceptionListener to restart the JMS connection if necessary.

 

Posted in en-US | Tags: , , | No Comments »

PostHeaderIcon How to Bypass Elasticsearch’s 10,000-Result Limit with the Scroll API

Author: Jonathan Lalou
If you’ve ever worked with the Elasticsearch API, you’ve likely run into its infamous 10,000-result limit. It’s a default cap that can feel like a brick wall when you’re dealing with large datasets—think log analysis, report generation, or bulk data exports. Fortunately, there’s a slick workaround: the Scroll API. In this post, I’ll walk you through why this limit exists, how the Scroll API solves it, and share practical examples to get you started.

Why the 10,000-Result Limit Exists

Elasticsearch caps standard search results at 10,000 to protect performance. Fetching millions of records in one shot with from and size parameters can strain memory and slow things down. But what if you need all that data? That’s where the Scroll API shines—it’s designed for deep pagination, letting you retrieve everything in manageable chunks.

What Is the Scroll API?

Unlike a typical search, the Scroll API maintains a temporary “scroll context” on the server. You grab a batch of results, get a scroll_id, and use it to fetch the next batch—no need to rerun your query. It’s efficient, scalable, and perfect for big data tasks.

How to Use the Scroll API: Step by Step

Let’s break it down with examples you can try yourself.

Step 1: Start the Scroll

Kick things off with a search request. Add the scroll parameter (like 1m for a 1-minute timeout) and set size to control your batch size. Here’s a basic example:
GET /my_index/_search?scroll=1m
{
  "size": 1000,
  "query": {
    "match_all": {}
  }
}
This pulls the first 1,000 hits and returns a `scroll_id`—a long, encoded string you’ll need for the next step.

Step 2: Fetch More Results

Using that `scroll_id`, request the next batch. You don’t need to repeat the query—just send the ID and timeout:
POST /_search/scroll
{
  "scroll": "1m",
  "scroll_id": "c2NhbjsxMDAwO...YOUR_SCROLL_ID_HERE..."
}
Loop this call until you’ve retrieved all your data. Each response includes a new `scroll_id` (sometimes the same, depending on the version), so keep updating it.

Step 3: Clean Up

When you’re done, delete the scroll context to free up server resources. It’s a small but critical step:
DELETE /_search/scroll/c2NhbjsxMDAwO...YOUR_SCROLL_ID_HERE...
Skip this, and you’ll leave dangling contexts that could bog down your cluster.

A Real-World Example

Let’s say you’re sifting through millions of logs for a specific error. Here’s a targeted scroll query:
GET /logs/_search?scroll=2m
{
  "size": 500,
  "query": {
    "match": {
      "error_message": "timeout"
    }
  }
}
Then, use the Scroll API to paginate through every matching log entry. It’s way cleaner than hacking around with `from` and `size`.
Tips for Scroll API Success
  • Batch Size: Stick to a `size` like 500–1000. Too large, and you’ll strain memory; too small, and you’ll make too many requests.
  • Timeout Tuning: Set the scroll duration (e.g., `1m`, `5m`) based on how fast your script processes each batch. Too short, and the context expires mid-run.
  • Automation: Use a script to handle the loop. Python’s `elasticsearch` library, for instance, has a handy scroll helper:
from elasticsearch import Elasticsearch

es = Elasticsearch(["http://localhost:9200"])
scroll = es.search(index="logs", scroll="2m", size=500, body={"query": {"match": {"error_message": "timeout"}}})
scroll_id = scroll["_scroll_id"]

while len(scroll["hits"]["hits"]):
    print(scroll["hits"]["hits"])  # Process this batch
    scroll = es.scroll(scroll_id=scroll_id, scroll="2m")
    scroll_id = scroll["_scroll_id"]

es.clear_scroll(scroll_id=scroll_id)  # Cleanup

Why Scroll Beats the Alternatives

You could tweak `index.max_result_window` to raise the limit, but that’s a performance gamble. Export tools or aggregations might work for summaries, but for raw data retrieval, Scroll is king—efficient and built for the job.

Conclusion

The Scroll API has been a game-changer for my Elasticsearch projects, especially when wrestling with massive indices. It’s simple once you get the hang of it, and the payoff is huge.
Posted in en-US | Tags: , | No Comments »

PostHeaderIcon [DefCon32] The Rise and Fall of Binary Exploitation

Author: Jonathan Lalou

Stephen Sims, a veteran cybersecurity expert, navigates the evolving landscape of binary exploitation, a discipline long revered as the pinnacle of hacking challenges. His presentation at DEF CON 32 examines the impact of modern mitigations like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and newer technologies such as Control-flow Enforcement Technology (CET). Stephen explores how these defenses have reshaped the field, while emphasizing that the pursuit of novel exploitation techniques remains vibrant despite increasing complexities.

The Golden Era of Binary Exploitation

Stephen begins by reflecting on the historical significance of binary exploitation, where vulnerabilities in low-level languages like C++ enabled attackers to manipulate system memory. In the early 2000s, exploiting large applications was a hallmark of hacking prowess. However, Stephen notes that memory safety issues have prompted a shift toward safer languages like Rust, though these are not yet mature enough to fully replace C++. This transition has made exploitation more challenging but not obsolete.

Impact of Modern Mitigations

Delving into technical details, Stephen dissects key mitigations like DEP, which prevents code execution in data memory, and ASLR, which randomizes memory addresses. He also discusses CET, which enforces control-flow integrity, and Virtualization-Based Security (VBS), which isolates critical processes. These protections, often disabled by default on Windows to avoid breaking applications, have significantly raised the bar for attackers. Stephen illustrates their enforcement through practical examples, showing how they thwart traditional exploits.

Ethical and Legislative Challenges

Stephen addresses the ethical dilemmas facing researchers, noting that restrictive legislation, such as the Paul Maul Act, could push exploit development underground. He argues that the more researchers are constrained, the greater the risk of unethical markets flourishing. By sharing insights from past research, including contributions from Jeremy Tinder and Haroon Mir, Stephen underscores the need for responsible disclosure to balance innovation with security.

The Future of Exploitation

Concluding, Stephen likens modern exploit development to skateboarding legend Tony Hawk, where past techniques are now accessible to newcomers, enabling rapid advancement. He predicts that as bounties for zero-day exploits rise—some now fetching $500,000—the incentive to bypass mitigations will persist. Stephen encourages researchers to innovate ethically, leveraging open knowledge to uncover new vulnerabilities while navigating an increasingly fortified digital landscape.

Links:

Posted in en-US | Tags: , , , , , , , , | No Comments »

PostHeaderIcon Elastic APM: When to Use @CaptureSpan vs. @CaptureTransaction?

Author: Jonathan Lalou

If you’re working with Elastic APM in a Java application, you might wonder when to use `@CaptureSpan` versus `@CaptureTransaction`. Both are powerful tools for observability, but they serve different purposes.
🔹 `@CaptureTransaction`:
Use this at the entry point of a request, typically at a controller, service method, or a background job. It defines the start of a transaction and allows you to trace how a request propagates through your system.
🔹 `@CaptureSpan`:
Use this to track sub-operations within a transaction, such as database queries, HTTP calls, or specific business logic. It helps break down execution time and pinpoint performance bottlenecks inside a transaction.

📌 Best Practices:

✅ Apply @CaptureTransaction at the highest-level method handling a request.
✅ Use @CaptureSpan for key internal operations you want to monitor.
✅ Avoid excessive spans—instrument only critical code paths to reduce overhead.

By balancing these annotations effectively, you can get detailed insights into your app’s performance while keeping APM overhead minimal.

 

Posted in en-US | Tags: , , , | No Comments »
« Older Entries
Newer Entries »
(c) 2008 Jonathan Lalou's Blog
All Rights Reserved.

Powered by WordPress and WordPress Theme | Host-euro.