Reverse Engineering with Joyce Lin - JSJ 577

Joyce Lin is the Head of Developer Relations at Postman. She returns to the show to discuss Reverse Engineering. They talk about APIs, API security, proxy tools and explain its relevance in your applications. They dive into the process, purpose, and significance of Reverse Engineering. Additionally, they talk about API hacking.

Special Guests: Joyce Lin


Transcript

 
Charles Max_Wood:
Hey, welcome back to another episode of JavaScript Jabber. This week on our panel, we have Dan Shappir.
 
Dan_Shappir:
Hello from somewhat rainy Tel Aviv.
 
Charles Max_Wood:
AJ O'Neal
 
AJ_ONeal:
Yo, yo, yo, coming at you live from, we're starting cloud hosting.
 
Charles Max_Wood:
Steve Edwards
 
Steve_Edwards:
Yo, coming from the Chick Magnet wig from my balmy port.
 
AJ_ONeal:
You look so good, Steve. You've never looked so good. I love it.
 
Charles Max_Wood:
I was
 
Steve_Edwards:
Thank
 
Charles Max_Wood:
so
 
Steve_Edwards:
you.
 
Charles Max_Wood:
ready
 
Steve_Edwards:
Thank
 
Charles Max_Wood:
to
 
Steve_Edwards:
you.
 
Charles Max_Wood:
say my name and I couldn't breathe. I'm Charles Max Wood from Top End Devs. And this week we have a special guest, it's Joyce Lin. Joyce, do you wanna introduce yourself, let people know who you are and why you're awesome and famous and all that good stuff?
 
Joyce_Lin:
Aw, thank you. Hi, it's nice to be here. My name is Joyce. I work at Postman out of San Francisco. So today is also a little bit gloomy, but I've been on this podcast once before many, many, many
 
Steve_Edwards:
Oh
 
Joyce_Lin:
moons ago. Thank you, Steve. And Steve, that wig is working.
 
Steve_Edwards:
Thank you, thank you. Just for our notes' purposes, that was JavaScript Jabber 429, where we talked all about Postman.
 
Charles Max_Wood:
Yeah.
 
Dan_Shappir:
Oh yeah, I
 
Charles Max_Wood:
So,
 
Dan_Shappir:
remember that one. I'm actually
 
Charles Max_Wood:
yeah.
 
Dan_Shappir:
a postman user. I think most of the world is.
 
Steve_Edwards:
Thank you. Thank you.
 
Joyce_Lin:
Yeah,
 
Charles Max_Wood:
Yeah,
 
Joyce_Lin:
a lot
 
Charles Max_Wood:
it's
 
Joyce_Lin:
of
 
Charles Max_Wood:
a
 
Joyce_Lin:
devs,
 
Charles Max_Wood:
handy
 
Joyce_Lin:
especially
 
Charles Max_Wood:
tool.
 
Joyce_Lin:
JavaScript, yeah.
 
Charles Max_Wood:
Yep. But yeah, I heard you on Podrocket actually, a plug for another podcast. You were talking about reverse engineering private APIs, which I thought was interesting. And, you know, I've done a little of that, like setting up a Charles proxy between, you know, my phone and some service just to see what was floating by. But you were actually talking about like building stuff on it and stuff, which I thought was interesting. So I wanted to cover some of that here and talk a little we can use postman and things like that. So I always love a good story. So let's just start there. Like what got you into, oh, hey, I'm going to reverse engineer something. And
 
Joyce_Lin:
Well,
 
Charles Max_Wood:
yeah.
 
Joyce_Lin:
I'm going to give you a caveat. I am not an expert, and that was part of the reason. Actually, I started reverse engineering in API, or documenting it really, the process for Cascadia.js. I was going to give a talk,
 
Charles Max_Wood:
Okay.
 
Joyce_Lin:
and it was going to be about reverse engineering. And I am just the head of developer relations. I
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
can code, but I'm not day in, day out writing code. I'm certainly not doing penetration testing. I'm not a security person. I'm not a tester.
 
Charles Max_Wood:
Right.
 
Joyce_Lin:
came at it from like I really wanted to get something done. How can I do it? So I'm not an expert by any means.
 
Charles Max_Wood:
Well, that's fine. I don't feel like I'm an expert a lot of the time. And I'm writing code all day, so. So yeah, but yeah, so what API were you trying to?
 
Joyce_Lin:
So I took
 
Charles Max_Wood:
reverse
 
Joyce_Lin:
a look
 
Charles Max_Wood:
engineer.
 
Joyce_Lin:
at a couple. I was just getting on TikTok at the time, so I was curious about TikTok's web APIs. There's a lot of obscurity around their web APIs, and you can see all
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
that traffic in network calls, and a lot of it's obscured just with variable letters. And so what is that? I did not dig deep into TikTok, don't ban me TikTok.
 
Dan_Shappir:
Thank you. Thank you.
 
Joyce_Lin:
I personally had something that I wanted to do. Every time we talk about this, I have shame, so please modulate your expressions on this. But I hacked the Yosemite camping.gov website because I wanted to go camping. They've changed it since then, so don't ask me how that bot was built, but I just wanted camping. Like,
 
Charles Max_Wood:
Uh huh.
 
Steve_Edwards:
Thanks. Bye.
 
Joyce_Lin:
Taylor Swift, Beyonce Tickets, these are all reasons why you want to potentially understand how the website works. In those cases,
 
AJ_ONeal:
And
 
Joyce_Lin:
it's Ticketmaster.
 
AJ_ONeal:
when we say hack, in this case, we mean take advantage of undocumented features, not exploit illegally. Okay,
 
Steve_Edwards:
Thank
 
AJ_ONeal:
just.
 
Steve_Edwards:
you.
 
Joyce_Lin:
I
 
Steve_Edwards:
Bye.
 
Joyce_Lin:
did not do anything illegal. I was taking advantage of web APIs that are perfectly observable and used in their websites.
 
AJ_ONeal:
Yeah, so it was only like
 
Dan_Shappir:
Uh...
 
AJ_ONeal:
that hack from a few months ago where the government website was putting the social security numbers in the HTML, not like a hack where you actually did something to gain unauthorized access.
 
Dan_Shappir:
Yeah, I love it when people talk about, I use the hacking tool called the browser and view source to break into the highly secure.
 
Charles Max_Wood:
Right, Chrome DevTools in the Network tab. Almost like it was built for it.
 
Dan_Shappir:
Yeah. So just
 
Charles Max_Wood:
Gotcha.
 
Dan_Shappir:
to understand what you're talking about, you're talking about websites that make, let's probably, RESTful API calls from the client side in order to get additional information or perform certain operations. But because these APIs are usually only invoked via the web facade that they build, there are certain restrictions on how they're used. For example, to perform multiple operations quickly. It's difficult. If you want to input a lot of values, it might be difficult because otherwise you would need to input it manually. So bypassing the UI and going directly to the API layer lets you be more, I don't know, carefree about it?
 
Joyce_Lin:
Yeah, and I think there's two reasons why people are reverse engineering. One is because they want to see what's going on, right? Visibility, understand all the steps that are happening. And then the other one, Dan, as you mentioned, is to replay and do it programmatically, do it super fast. And so there's two parts of it. And when you're saying like, well, are you really hacking when you're going into Chrome DevTools and viewing source? A lot of people don't know the full power of something Dev tools and I mean I work at Postman so there's a lot more like visibility tools. Chuck you're talking about Charles proxy. Postman has a proxy. I've
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
played with that. I actually played with that for the TikTok API and wow, who's going around scrolling TikTok with the inspection, you know, inspecting all the network calls until you capture that traffic. You don't know what's happening behind the scenes.
 
Charles Max_Wood:
Right.
 
AJ_ONeal:
What were the names of the proxies you just mentioned?
 
Joyce_Lin:
I think Chuck was using Charles Proxy
 
AJ_ONeal:
proxy.
 
Joyce_Lin:
and then
 
Charles Max_Wood:
Yeah,
 
Joyce_Lin:
Postman
 
Charles Max_Wood:
but anymore
 
Joyce_Lin:
also...
 
Charles Max_Wood:
I just use Postman, so...
 
AJ_ONeal:
is
 
Joyce_Lin:
Postman
 
AJ_ONeal:
so
 
Joyce_Lin:
has a proxy.
 
AJ_ONeal:
the one, the one I've been wondering is a lot of things are only on iOS, right? They never get released on anything else because it's some startup and they only care about iOS to start with, if they don't have any web page. And so the thing I'm really interested in is I know there's a way that you can set something up: you can add the certificate to your phone, so you just go to, you set it up on your local network, you go to it on your phone, and then you just click a button to add the certificate, and then, and then it will capture all of the data that goes to your phone and then you can look at it. Is Charles Proxy something like that, or is it, what is Charles Proxy, or do you know of tools that are like that for being able to understand how phone apps are working?
 
Charles Max_Wood:
Well, Charles
 
Joyce_Lin:
I haven't
 
Charles Max_Wood:
Proxy,
 
Joyce_Lin:
used Charles proxy.
 
Charles Max_Wood:
you just set it up as an endpoint and it's kind of a man in the middle is the way that it's designed to be used. So you have to be able to redirect the traffic coming off your phone if you're using your phone with it through the Proxy. And I
 
Joyce_Lin:
in.
 
Charles Max_Wood:
don't remember exactly how that was done way back in the day, but yeah.
 
Joyce_Lin:
Postman does it similarly where it's a man in the middle. You have to be able to set up and route the traffic. There's
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
a couple different ways to do it. You could do it from like web, like web to web, or just from a device. And if it's web, if you're just a proxying website traffic, you can filter on specific domains.
 
Charles Max_Wood:
Yep.
 
AJ_ONeal:
Well, one of the
 
Charles Max_Wood:
But
 
AJ_ONeal:
things.
 
Charles Max_Wood:
it's a really great way to see what's going across. And it's sometimes surprising to see what shows up in there.
 
AJ_ONeal:
Yeah, in the old days, back before HTTPS was a thing, in the original versions of Facebook, I used to open up Wireshark at college in just
 
Charles Max_Wood:
Mm-hmm.
 
AJ_ONeal:
one of the lounge areas. And it was interesting to see people's Facebook conversations going back and forth on the network. Ha
 
Joyce_Lin:
Oh.
 
AJ_ONeal:
ha.
 
Charles Max_Wood:
Thanks AJ, I don't feel so old anymore.
 
AJ_ONeal:
You're welcome.
 
Dan_Shappir:
So
 
AJ_ONeal:
Anytime.
 
Dan_Shappir:
basically you're saying, well, you know, so if you're doing it from, like you said, from a mobile application, then you need some sort of a proxy tool. But if you're doing it for a web-based interface, like Chuck kind of remarked before, all you kind of need is that amazing hacking tool called DevTools. I mean, you can pretty much see all the network traffic very easily inside of there.
 
Joyce_Lin:
Yeah, you can see it, but then when you're replaying it, how are you saving those calls? How are you capturing those calls?
 
Charles Max_Wood:
Hmm.
 
Joyce_Lin:
Right,
 
Dan_Shappir:
I think
 
Joyce_Lin:
so.
 
Dan_Shappir:
you can save individual calls by right clicking and doing a save. I think you can even save it as a curl command or something like that.
 
Joyce_Lin:
Yeah, you can save it and export it. So you can copy as curl. You can export HAR files, which is like it records an entire session. And so I think my talk was talking about, I had never heard of HAR files before, HTTP Archive. And so being able to capture and record an entire session and then sift through it afterwards instead of being in your dev tools.
 
Dan_Shappir:
Steve Souders, I think, created that format. One of the grandfathers of web performance, you know, he invented that format. And in the old days, we created tooling for recording exactly these types of things, network events.
 
Charles Max_Wood:
And we'll say though that when it comes to simulating the APIs, I mean that's where I've been using Postman. And lately I've been writing integrations between two systems. So I hit the API on one end and then I hit the API on the other end, right? So get all of these and then send them to the other thing through the API. And so if something's not working, that's a great way to isolate it. And so that's why I like using the proxy that's built into Postman, is because it pretty seamlessly moves the stuff back and forth for me and I have to go switch tools.
 
Joyce_Lin:
And I was giving this talk at Cascadia.js and I asked the entire conference, I said, who has successfully reverse engineered an API? And I think six hands went up. And I think it's easy enough to say, like I see those network calls and I know conceptually how to replay them, but you try that, you copy as curl and you import it and you try to fire off that HTTP call, see what you get back, because tokens are gonna expire, there's gonna be something
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
that you need to replicate and having that visibility, like people are gonna get stuck real fast agree to get that camping spot at Yosemite or whatever it is, like you're just gonna give up.
 
AJ_ONeal:
Like I've had
 
Charles Max_Wood:
Yep.
 
AJ_ONeal:
that experience with the CSRF tokens, where that can be a pain, as that's often in the HTML. So you have to fetch the HTML file, then you've got to, you know, grep or whatever to find where the token is in the HTML file. Or I've noticed it's a ton with recent versions of React and Angular sites where the token is inside the JavaScript that's inside of JSON. So you have double or triple escaped strings, because when the page goes through hydration, all the data for the page is there, including some of the tokens and whatnot. And then you, so you can, you can find that in the page and then pull that JSON in and then traverse it once you've parsed it. But yeah, it, the initial, the initial step can often be difficult, especially because of page rehydration, because they're, they're doing extra weird stuff, not necessarily obfuscated, but to quote unquote make it performant. Although the sites that I've seen that do this, I don't believe that they are at all any more performant for doing it. And then, you know, after that, if they're using their own API, because that's the other thing, is a lot of times sites don't use their own API because they develop their internal way of doing things, like a Ruby on Rails site where everything's just HTML going back and forth. And then when they develop their public API, it's just a completely separate thing. It's a different server that accesses the database in a similar way, but it's a completely different way of exposing it. mixing and matching between posting HTML for something that can only be on the internal API, and then accessing the REST API. But this is what I said right before we started the show. A lot of times I find it better to reverse engineer. I like to click around and see what happens and watch those logs because it's often easier to read than the documentation. The documentation
 
Charles Max_Wood:
Ha ha ha 
 
AJ_ONeal:
documentation doesn't expose the same things that are exposed. If you look at the API, now granted, you don't have a compatibility guarantee on that. But a lot of times the documentation is terrible, but just clicking around in the interface and saying, okay, yeah, I want to be able to submit the form
 
Dan_Shappir:
Thank you.
 
AJ_ONeal:
that does
 
Dan_Shappir:
Thank
 
AJ_ONeal:
this
 
Dan_Shappir:
you.
 
AJ_ONeal:
thing, boom, you've got exactly what you need. And then the documentation can be helpful to cross reference if the documentation wasn't initially helpful in helping you get example responses through.
 
Charles Max_Wood:
Yeah, but that's a public API. And I will just chime in and I mean the integrations, and I'm working in logistics, right? So it's usually like order shipments, products, stuff like that. And yeah, usually I start with what's in the documentation and then I kind of tweak stuff in Postman until I get something that works. And yeah, it's because the documentation is, I think the friendliest term I can come up with is inadequate, right? explain things well, like it may be accurate-ish. And then some of them are just outright lies,
 
AJ_ONeal:
Well,
 
Charles Max_Wood:
but...
 
AJ_ONeal:
the thing that gets me is where there's nested objects and you go to look up
 
Charles Max_Wood:
Yeah.
 
AJ_ONeal:
the person object. And it only gives you the details, like the property names of the person object, but it doesn't tell you, does it expect it to be JSON or does it expect you to be URL? It
 
Charles Max_Wood:
Mm-hmm.
 
AJ_ONeal:
doesn't give you the context of a person object must always be contained within a group object. And so figuring out how to traverse that is what often gets me in the auto-generated documentation. It's often auto-generated off of the quote-unquote object-oriented
 
Charles Max_Wood:
Hmm.
 
AJ_ONeal:
paradigm, which is not what it is, but that's what they say it is. And it's just so... BLAH!
 
Charles Max_Wood:
Yeah.
 
Dan_Shappir:
What I'm kind of concerned about is that, you know, so everything was RESTful APIs, which was awesome. And then people, you know, thought that, hey, that's too easy. Let's do GraphQL. By the way, how do you reverse
 
Charles Max_Wood:
Bye. Bye.
 
Dan_Shappir:
engineer GraphQL? Can you reverse engineer GraphQL? I've never tried. And now, I'm going to show you a little bit of what
 
AJ_ONeal:
typically
 
Dan_Shappir:
I'm going to do.
 
AJ_ONeal:
just stand up the playground endpoint pointing to the GraphQL instance that you're interested in reverse engineering and you just, you can either download the schema file because it's going to be in a well-known location or you can just start typing and it will auto complete. So you can discover it that way,
 
Joyce_Lin:
the
 
AJ_ONeal:
but
 
Joyce_Lin:
introspection.
 
AJ_ONeal:
yeah.
 
Dan_Shappir:
Yeah, that should actually be quite helpful, when I'm thinking about it. But then everybody said, no, GraphQL is not that good. Let's go back to RESTful APIs. And now it seems that everybody is going to be moving away from RESTful APIs all over again, because a lot of the modern quote unquote frameworks are actually implementing their own kind of alternatives that might be built on top of RESTful APIs, but not necessarily so. For example, the protocol that React Server Components use to download stuff looks a lot like JSON but isn't. So, yeah, interesting times.
 
Charles Max_Wood:
I guess that's one question that I have regarding some of this, right, Joyce, is that you've reversed engineered a couple of things, it sounds like. Were some of them easier than others based on the format or protocol or whatever that they were using to give you data and the way you would access it?
 
Joyce_Lin:
I think most of the stuff I looked at was web based. So I wouldn't say I wasn't reverse engineering somebody's internal
 
Charles Max_Wood:
right.
 
Joyce_Lin:
calls or nothing. But AJ was talking about rehydration. This one I actually needed help from one of the Postman engineers, but dynamically rendered sites. When you hit linkedin.com, and I wanna scrape LinkedIn, following the terms and everything, I wanna scrape data from a LinkedIn page. If I plug linkedin.com into the Postman website, I can inspect the page, but I'm not gonna get back any of that data. So how can I get that data when it's dynamically rendered? And actually tried to scrape Postman. I thought it would be so easy. I work at Postman, let me scrape Postman.com and scrape some of the stuff that, some of that great, great data. And I didn't, the way I got around that was, it is dynamically rendered, you know? But okay, this is a tiny quiz. Can you think of, like, the dynamically rendered website.
 
Dan_Shappir:
how well, you know, I could, I can think of several ways. I might use some sort of a headless browser, for example, as my, as my tool. And then basically I'm just, you know, building a DOM object out of, out of that HTML.
 
AJ_ONeal:
The way that I've had to do it was like I said, find the hydration data, find out where there's the HTML script tag and where it has the hydration data in it, typically as JSON or sometimes as JavaScript, and then look for the specific token and then from there, contact the API.
 
Joyce_Lin:
and you have to run that JavaScript.
 
AJ_ONeal:
No, no, I just use regular expressions.
 
Dan_Shappir:
Oh, parsing with regular expressions, that's always fun and never any problem.
 
AJ_ONeal:
Zalgo, he comes. Zaga was savior and king
 
Charles Max_Wood:
Yeah.
 
AJ_ONeal:
in the world of tech strings.
 
Charles Max_Wood:
No, it makes sense in the sense that, yeah, if it's hydrating off of data that you can embed into the HTML, yeah, you can read it out of there. But I'm imagining the situation where, yeah, you're hitting LinkedIn and maybe it's three or four clicks in and it's only updating part of the DOM in order to give you the information that it wants. And the thing is, is that, you know, if you know what framework they're using and things like that, I guess you could reverse engineer some of that. But otherwise, yeah. I mean, I'd probably just wind up watching the network. calls and kind of documenting as I go. Oh, they're calling this and getting this back.
 
Dan_Shappir:
Yeah.
 
Charles Max_Wood:
They're calling this and getting this back. And then I would just build my stuff around that. But that seems like a lot of work too.
 
Joyce_Lin:
So this was something that I would not have succeeded had I not had technical help. But what I tried to do is in Postman, there's something called User Agent header.
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
And it says Postman because you're making the call from Postman. So I was like, OK, well, what if I pretended I was really sneaky and pretended I was a browser?
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
And so I made that call and got back nothing. So what ended up happening was a lot of these dynamically rendered sites want to be searchable by search engines
 
Dan_Shappir:
Hmm.
 
Joyce_Lin:
Google or Bing, right?
 
Charles Max_Wood:
I
 
Joyce_Lin:
And
 
Charles Max_Wood:
love it.
 
Joyce_Lin:
maybe about once a week, they'll actually render everything and send it off. So what I had to do was pretend to be an SEO bot, Bing bot, Google bot, and
 
AJ_ONeal:
Yes.
 
Joyce_Lin:
then I got that data back.
 
AJ_ONeal:
Woohoo!
 
Dan_Shappir:
Although
 
AJ_ONeal:
That's
 
Dan_Shappir:
that's,
 
AJ_ONeal:
awesome.
 
Charles Max_Wood:
Nice.
 
Dan_Shappir:
in the case of Google, that's not such a best practice anymore. I mean, Google these days, I don't know what Bing does, but Google these days uses the engine of an evergreen Chrome browser. So the best practice is supposed to be, to actually, in the case of the Google bot, return essentially the same page that an actual Chrome browser would get. Obviously for various reasons and very often that's not the case, and certainly with other search engines which may not be that sophisticated, then, you know, they definitely, I know, try to simplify the HTML and remove some of the interactivity out of it and make it more like flat and unadorned.
 
Joyce_Lin:
And AJ, you were politely complaining about documentation for some of these web APIs. But if I wanted to scrape a site like LinkedIn, LinkedIn is going to be very protective about that data. They'll probably have endpoints that allow you to create new posts or push things to their website. But when it comes to taking, pulling information off of their platform, they might actively choose not to offer those endpoints. And so not only are they like the best documentation might not be up to par, but like they're actively choosing not to offer that functionality through their public API.
 
AJ_ONeal:
Well, I mean, I think that's most websites. I don't think that most web apps are created with the idea of, hey, we ought to structure this in a well-formed way using REST and JSON so that as we grow and we need to build sub-apps or we need to allow integrations with partners, we can easily do that. I don't think that most people have that going through their head. I think most people are starting out with something like WordPress and WordPress plugins. And then, you know, if it gets to, to where, I mean, I, I'm sure you're aware of the number of people that use literally Google sheets as their database, just to have a little, a little JavaScript going out to Google sheets, grabbing it, populating the database, right? I mean, people are really, really scrappy and that stuff persists for decades. Right. Was LinkedIn built in PHP or something? No offense to Steve. It probably wasn't quality PHP like Steve would do.
 
Steve_Edwards:
fence taken, but that's okay.
 
AJ_ONeal:
All right, well, take the fence, keep
 
Charles Max_Wood:
Ha ha.
 
AJ_ONeal:
it. Right? But so when these websites are coming up, most of them are not architected until the point where they've proven the idea, they've gotten the investor money, they're starting to hire engineers, and then it's like, oh crap, what do we do now?
 
Dan_Shappir:
But I think there are two concerns which are kind of legitimate. One is that if you create a documented public API, you need to support it with some sort of backward compatibility. Whereas when it's your own internal API that's intimately tied to your application, then you can decide to effectively just update both at the same time. It's not always convenient and it's sometimes challenging, but technically it's doable. So I think that that's one reason that people are kind of hesitant about exposing APIs like that, is that support and backward compatibility issue. Another factor I think is that people kind of, even though it's obviously patently a false assumption or approach, people are concerned that if they expose their API in this way, they become more, well, hackable. That somehow, you know, when it's through their web interface, they have more control over which type of operations are performed. And that kind of actually reminds me of this funny thing that happened here in Israel. It turns out that it's really challenging to renew your passport in Israel these days, not for any nefarious government reason, more because of bureaucratic incompetence. Basically, you know, scheduling an appointment can, you know, they'll schedule an appointment for you like a year from now in some, you know, and if you really need to find somewhere because you want to fly somewhere, it can be really challenging. So some guy, actually, some guy that worked at Wix, I forget his name, I'll need to look it up afterwards, kind of looked at their website, reverse engineered their API and created a much more friendly interface for renewing your passport, which would basically be able to smartly locate the nearest possible free scheduled appointment time, like in any brand, in any one of the home office branches anywhere in Israel. So, you know, because Israel is small, people can drive to other cities in order to renew there instead of their hometown. 
And for a while, like, he was getting more hits on the website that he built than the official Israeli government website. And then they realized it, so they did two things. First of all, they invited him to like give advice on how they can improve the service that they're giving based on what he learned. And the other thing that they did was to block his service. Ha ha ha. Ha ha ha.
 
Charles Max_Wood:
Yeah.
 
Dan_Shappir:
And basically now everybody's stuck with the same old crappy government service that, you know, sucks.
 
Joyce_Lin:
We had examples of that during the COVID vaccinations, where I think some very ingenious high school kids were reverse engineering the government sites. Because in the early days, you had to go to several sites to find your vaccination appointment. And so they just aggregated it, probably in a Google sheet or something,
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
but then fed it back. And so people could then sign up more effectively. But again, the only way that could happen is by aggregating that data. Other platforms were not going to cooperate.
 
Charles Max_Wood:
Right. I have a question about this, and this is something that I use Postman for probably more than anything else, is just getting authorization keys, right? Or authentication keys, whatever you want to call them. Right, because I'm writing the integrations, right, pull from here, push from there, pull from there, push to here. How do you reverse engineer some of that stuff, you know, like logins or getting the auth tokens or whatever? Because I'm assuming that you do this so that you can speed stuff up. You can run a script and grab the information you want. And so as you're running through that, yeah, that's one thing where I get hung up is, yeah, how do you make that request? Do you just post to the login endpoint and then...
 
Joyce_Lin:
Well, of course, everyone's
 
Charles Max_Wood:
Look
 
Joyce_Lin:
gonna
 
Charles Max_Wood:
at what you
 
Joyce_Lin:
follow
 
Charles Max_Wood:
get back.
 
Joyce_Lin:
the most documented proper way first. And then beyond
 
Charles Max_Wood:
Right.
 
Joyce_Lin:
that, then you're gonna try to replicate what's already open in public.
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
So if you do have those keys, you can plop them in there. I think somebody was talking about CSRF tokens earlier. There are ways where you can import certificates and cookies. Postman has a way where you can sync web cookies to your instance of Postman so that you don't have to copy and paste or export.
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
So there's a little extension, the Postman app and Postman app looks back at the extension and then it just syncs your cookies so that
 
Charles Max_Wood:
Yeah,
 
Joyce_Lin:
you
 
Charles Max_Wood:
I've
 
Joyce_Lin:
can...
 
Charles Max_Wood:
done that.
 
Joyce_Lin:
Yeah, I mean that's pretty handy.
 
Dan_Shappir:
I also have
 
Charles Max_Wood:
Yeah.
 
Dan_Shappir:
a question about Postman. I'm actually looking to potentially, there's a project that I might be doing, which effectively is kind of hacking one of our own APIs at Next Insurance. We have a service that collects a lot of business intelligence data. Basically our clients, both the native clients and the web clients, send a lot of telemetry data to a server that collects all this information and sends it to various backend systems, and we have a certain performance issue there that occasionally it can get overloaded, and I want to try to pinpoint the scenario where it happens. And so basically I would want to emulate or simulate a lot of, let's say, web clients, sending a lot of, performing a lot of Ajax calls, sending simulated data into it. Now, one way that I could implement it is obviously write a node server that does it. Basically, it just does a whole bunch of fetch requests into the service. Can this, is this something that I could more easily do with Postman, like create some sort of script within Postman that does a loop and sends a lot of events with simulated data in them?
 
Joyce_Lin:
Yeah, you should be able to send API calls in waterfall fashion or sequentially rather. So you can fire them off from postman. But are you talking about large volumes?
 
Dan_Shappir:
Yeah, like sending, yeah, large volumes, like sending thousands of, you know, post requests into
 
Joyce_Lin:
Yeah.
 
Dan_Shappir:
that service.
 
Joyce_Lin:
If you're talking about like a performance testing or load testing scenario,
 
Dan_Shappir:
No, it's not a load
 
Joyce_Lin:
there's
 
Dan_Shappir:
testing scenario. It's just that in order to replicate the performance
 
Joyce_Lin:
sequence.
 
Dan_Shappir:
issue that we have there, we have this
 
Joyce_Lin:
Oh.
 
Dan_Shappir:
loop lag issue in that service, it's a node service itself. I'm thinking about running it locally on my own computer in some sort of a debugging environment, but then I need to feed a lot of data into it. So either I run a second node service that just does a lot of Ajax requests into that service, but that would require a little bit of development effort on my part. If it's just kind of baked into Postman,
 
Joyce_Lin:
Yeah.
 
Dan_Shappir:
we have licenses for Postman.
 
Joyce_Lin:
Yes, it is.
 
Dan_Shappir:
I use it. So
 
Joyce_Lin:
Yeah. So you're probably used to just like firing off a call like ad
 
Dan_Shappir:
Yeah,
 
Joyce_Lin:
hoc.
 
Dan_Shappir:
exactly.
 
Joyce_Lin:
There's a way to script like a sequence of calls, and then you could just run it locally, you can run it
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
from your command line. And then if you do need some sort of parallelism, the CLI tool,
 
Dan_Shappir:
No, I don't
 
Joyce_Lin:
you're
 
Dan_Shappir:
need to.
 
Joyce_Lin:
able
 
Dan_Shappir:
I
 
Joyce_Lin:
to
 
Dan_Shappir:
can just
 
Joyce_Lin:
yeah.
 
Dan_Shappir:
do, you know, if I do like, it can be in sequence just, it would be a large number of events, that's it.
 
Joyce_Lin:
Yeah, you could do that. You could loop through external data and just continue feeding it.
 
Dan_Shappir:
Hmm.
 
Joyce_Lin:
I just posted a video about running chat GPT3 versus GPT4 and
 
Dan_Shappir:
Hmm.
 
Joyce_Lin:
wanted to see, kick them off in parallel, and visualize it. So I was using Postman Flows. Y'all probably haven't used it yet, but it's pretty snazzy. And I was able to log how much did it cost me in tokens, who won? GPT4 is much slower because it's a bigger model. They're still fine tuning it, but you're able to see that kind of stuff pretty quickly.
 
Dan_Shappir:
Hmm, so it's like what on your on your YouTube channel or something?
 
Joyce_Lin:
I posted that one on TikTok, but I'll send you a link to that, Dan.
 
Dan_Shappir:
Please do.
 
Joyce_Lin:
Yeah.
 
Charles Max_Wood:
That sounds cool.
 
Dan_Shappir:
And this episode is already worth it for me.
 
Joyce_Lin:
Yeah.
 
Charles Max_Wood:
Right?
 
Joyce_Lin:
Well, and there's one other thing. I don't know when this podcast is going to air, but like this just announced, I'm excited, I don't have access to it. I just pinged the P.M. to ask for early access. But Dan, you're talking about like a lot of stuff happening internally, right? So we're talking about reverse engineering public APIs or rather undocumented public APIs. But also a lot of companies, big companies have no idea how many APIs they have, and they have no idea what's being used, are there zombie APIs and so forth. And so a lot of times people will go to their gateway and look at the traffic coming through their gateway. And so Postman is launching something called Live Collections. And Chuck, if you've used a proxy, this is kind of similar, but you're going to put a little code snippet in your code. And then a Postman collection is just going to say, here's what your endpoints are. And then here's the traffic that's going through each endpoint. So that allows you to sniff
 
Charles Max_Wood:
Nice.
 
Joyce_Lin:
the traffic people are sending.
 
Charles Max_Wood:
Right. That's cool.
 
Joyce_Lin:
I'm excited
 
Charles Max_Wood:
What?
 
Joyce_Lin:
about that one.
 
Charles Max_Wood:
Yeah. Well, and speaking of people not knowing like all the endpoints they have or things like that, I think somebody brought up earlier that, you know, they may not want you to use them because they're afraid of getting hacked through those endpoints and stuff. But if the endpoint's exposed, the endpoint is exposed.
 
Dan_Shappir:
Oh yeah,
 
Charles Max_Wood:
And so
 
Dan_Shappir:
it's security by obscurity,
 
Charles Max_Wood:
Yeah.
 
Dan_Shappir:
which is never much.
 
Charles Max_Wood:
Right. But I like this idea of being able to see, oh, what all is coming in from where, you know, using what kinds of resources and then, yeah, being able to say, okay, well, this API is, you know, is something that we need to close off, right? It may not be insecure. It just may not be something we want to expose anymore, right? Or there's a better way to do it. And so we're going to make the concerted effort for all of the apps that use it to API endpoint and then start closing up some of those places. Because the thing that is interesting with security is that it's always a moving target. And so your endpoint that you didn't document and that you can't believe people are still using, it may not be insecure today, but then there may be a zero day that exposes that, hey, it was insecure the entire time, and now we've got to close it up. So yeah, just knowing about that stuff, advantage.
 
Joyce_Lin:
From a security standpoint, security and testing, but also a lot of business leaders don't have an idea of how many APIs or don't have an idea of the magnitude and the importance and
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
what's that word, exposure,
 
Charles Max_Wood:
Right.
 
Joyce_Lin:
the attack surface. And so
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
telling the business people, here's what your exposure is, maybe invest in protecting it.
 
Charles Max_Wood:
Yep.
 
Dan_Shappir:
Oh, for sure, the entire modern web and beyond web, like mobile apps, all of this stuff is built on APIs. I mean, we're living in a world where everything is done via some sort of a backend service, and the front end needs to be able to talk to it somehow. So it's APIs all the way, I mean, for sure. And I totally agree about this whole thing about how to close an API. I mean, even like winding down an API can be really, really challenging. Because again, like you said, I don't want to support this API anymore. I've created a new API that let's say subsumes this API. It's better, it's more secure, it's whatever. But if I just close off that existing old API, there's a good chance that I might break some part of my application or process, because, you know, in some weird set of, you know, sequences, something invokes that API. And this is actually, like I kind of alluded to before, this is kind of going to get a little bit more challenging, I think, with what's happening with some of the modern frameworks, which are kind of subsuming what is currently done with RESTful APIs into the frameworks themselves. A lot of these modern frameworks are introducing their own proprietary mechanisms for performing RPC, and it will be interesting to see how these are actually implemented and how well they are documented.
 
Charles Max_Wood:
Yeah. One other thing that's kind of tangential to what you're talking about there, Dan, and Joyce has kind of implied it as well is that since these aren't documented, they're not really publicly exposed in the way that, hey, come use this API. I'm curious, especially in your experience, Joyce, since I haven't done a ton of this, how often do those change, right, where somebody does close off one endpoint and open up another one or things like that to where I've got this script or this set of things that postman runs or whatever that just stop working, right? Because they upgraded their app and they didn't make a contract that said, this will continue to work until this date.
 
Joyce_Lin:
I mean, how many API providers do you know that promise no breaking changes? Or we're going to support this API indefinitely. I know of one
 
Charles Max_Wood:
Well...
 
Joyce_Lin:
off the top of my head.
 
AJ_ONeal:
Usually by
 
Charles Max_Wood:
Oh,
 
AJ_ONeal:
version
 
Charles Max_Wood:
really?
 
AJ_ONeal:
three they get there. Why,
 
Charles Max_Wood:
Well,
 
AJ_ONeal:
so
 
Charles Max_Wood:
my...
 
AJ_ONeal:
GitHub, Facebook, they are stable now, right?
 
Charles Max_Wood:
Yeah.
 
AJ_ONeal:
They were terrible for the first couple of years. Well, Facebook was. I don't know about GitHub.
 
Charles Max_Wood:
Well, my experience is that they usually will put out a version two and a version three, right? And they'll make it better and better and better. And then if there's no way for them to continue to either provide the services that were exposed by version one or, you know, they have security or other concerns with version one, then what they do is they let people know these parts of the API are turning off today and the rest of it will go away at a certain point.
 
Joyce_Lin:
Yeah, if you look at any of the research about how successful those communications of deprecation notices go, like, you will
 
Charles Max_Wood:
Right?
 
Joyce_Lin:
break some flow.
 
Charles Max_Wood:
Right? Yeah.
 
AJ_ONeal:
All the communication
 
Charles Max_Wood:
You're gonna
 
AJ_ONeal:
works.
 
Charles Max_Wood:
hurt somebody with it.
 
AJ_ONeal:
It works really great once the API is gone. Within 60 days, people notice.
 
Charles Max_Wood:
Yeah.
 
AJ_ONeal:
Typically not the first day.
 
Charles Max_Wood:
And then they go look in their Gmail archive and go, oh yeah, you did email
 
Joyce_Lin:
Yeah,
 
Charles Max_Wood:
me about that.
 
Joyce_Lin:
you have to look to make sure that you did get those deprecation notices.
 
Charles Max_Wood:
Right.
 
Dan_Shappir:
Well,
 
Charles Max_Wood:
I'm sorry I yelled at you. I'm really sorry.
 
Dan_Shappir:
just consider how many times certificates just expire and when websites
 
Charles Max_Wood:
Yeah.
 
Dan_Shappir:
break, I mean,
 
Charles Max_Wood:
Yep.
 
Dan_Shappir:
or domains expire. All of a sudden, somebody
 
Charles Max_Wood:
Yep.
 
Dan_Shappir:
loses their domain.
 
AJ_ONeal:
So my experience with sites I've reverse engineered has been every time a new framework comes out, the API that I was using breaks. So, you know, every other Thursday.
 
Joyce_Lin:
Yeah, but if
 
Charles Max_Wood:
Yep.
 
Joyce_Lin:
you're reverse engineering, you know, it's almost like being on a canary build or a beta build. It's like, there are no promises. If you are building it, you are responsible for maintaining it and updating it to follow whatever
 
Charles Max_Wood:
Yeah.
 
Joyce_Lin:
does work. Don't build a business off of it unless you're real certain that it's going to stay stable and stay up.
 
Charles Max_Wood:
Yep.
 
Steve_Edwards:
There's no promises. I mean, it's the only async await now.
 
Dan_Shappir:
Yeah, even when there's, even these days, even when there's an official API, there are no guarantees. Remember what happened with all the Twitter APIs? Like you know, there was like for a brief while, there was like a whole ecosystem of people building their own custom Twitter clients. And then even before Elon Musk, they kind of decided that that's not going to be the case anymore. And they basically broke all of them. And now it's even more so from my understanding. So yeah, and even the big companies can get, well, how would I say, screwed in this way, like consider what has happened with Apple tightening up their privacy regulations and that's impacting, let's say, the Facebook client on iOS. So yeah, APIs change. And certainly when it's the result of a reverse engineering process, it's even more so. But if I can, you know, so we talked about using reverse engineering to compensate for lacking documentation. We talked about reverse engineering to circumvent some sort of limitations in the, let's say the website or the native application, you know, you want to do something that's more automated than they allow you to do, or you want to talk to several systems like together. But that's like, like, well, it kind of goes to the title of this conversation. This is more like hacking. Are there any examples of more quote unquote legitimate scenarios that you can think of where we want to do these sort of things?
 
Joyce_Lin:
And I'll say hacking is, in my opinion, is not a bad word. It just means taking something apart and seeing how it works. Of course, it has a negative connotation when you have those 80s movies with people with hoodies hacking into something. But reverse engineering is used very commonly in debugging. You're
 
Charles Max_Wood:
Mm-hmm
 
Joyce_Lin:
trying to figure out what went wrong or how to replicate something that went right. And so that's another synonym. I'm not saying like, I'm not playing like hacking is okay kind of thing, but devs have to debug. And to some extent they are reverse engineering to a point, right? Whether or not they completely replicate it, build an app, build a bot is another scenario, but you are reverse engineering in sniffing traffic and trying to figure out what's going on.
 
Charles Max_Wood:
Yeah, when I think of hacking, I think of either one kind of the nefarious, getting access to something that you shouldn't have access to or that they don't want you to have access to. And then the other is more along the lines of using something in a way that people didn't intend it to be used. And that's more what I think we're talking about here, where they've exposed these APIs behind the scenes that are used by a client that they designed, and they didn't really intend it to be publicly consumed. But, you know, there's nothing preventing you from doing it. And so, you know, yeah. I do,
 
Dan_Shappir:
unless it's a licensing
 
Charles Max_Wood:
one thing that
 
Dan_Shappir:
agreement.
 
Charles Max_Wood:
I'm thinking, yeah. I mean, one thing that I can think of is, I've seen different plugins for different websites, right? LinkedIn is probably the most highly abused. I've seen browser plugins that work with Gmail, but most of those work with exposed APIs and processes that Gmail has specifically handed up to developers to be able to use for that kind of a thing. LinkedIn, since I'm reaching out to people to do sponsorship outreach and we're finding information to invite people to come on the podcast, sometimes I have to get a little creative to find their contact information. And there are a ton of plugins out there that hook into LinkedIn that use the way that LinkedIn works and scrape the page or use the internal APIs the way you're talking about, because LinkedIn does not want you to use it that way. And yeah, occasionally those tools break because LinkedIn figures out that, hey, you know, they're doing this. I think it's a losing battle because a lot of times they adapt within a few days. But yeah, I can see a use like that, where one other one, I used to use hey.com email instead of Gmail. I just switched back because the tooling is so much better with Gmail. But I thought about building a browser plugin that did a lot of the same things. It added features and functionality to Hey, and then basically gave you buttons and functionality that pushed to their back end. It did extra stuff and then just used the limitations of their internal API to do things. I could see somebody doing something like that depending on the use case.
 
Joyce_Lin:
And I remember reading an article, it was at the top of Hacker News about in-app browsers. And so I wish I could remember this gentleman's name, but a security researcher was looking at TikTok, Instagram, Facebook, every social
 
Charles Max_Wood:
Mm-hmm.
 
Joyce_Lin:
media platform's in-app browser. And I was like, what's an in-app browser? Turns out when you're, and I didn't know, when you're in a mobile app and you click through to like buy that thing that some influencer's telling you about, you are still in the platform's house. If you know how to look at
 
Dan_Shappir:
It's
 
Joyce_Lin:
it
 
Dan_Shappir:
the devil's
 
Joyce_Lin:
you know it's
 
Dan_Shappir:
playground.
 
Joyce_Lin:
very
 
Dan_Shappir:
It's the worst of the worst. In-app browsers should all die and then burn in hell. For those of you who don't know, if you look at applications like Twitter or like Instagram or like Facebook, often they
 
AJ_ONeal:
Discord.
 
Dan_Shappir:
have, often they have like, you know, people post links. And when you click the link, rather than opening of the device's default browser, what they do is that they do a, they actually use an embedded web view to display
 
Charles Max_Wood:
Mm-hmm.
 
Dan_Shappir:
the content within the application itself. And the reasoning I assume is that this way, like they claim better user experience this way because they kind of control the flow, but in reality, it's mostly them not wanting you to leave their app.
 
Charles Max_Wood:
Mm-hmm
 
Dan_Shappir:
to within their app. Also, they want to be able to track interactions and stuff like that, even into the web interface. So you might think that you're now in
 
Charles Max_Wood:
Nailed
 
Dan_Shappir:
a web page,
 
Charles Max_Wood:
it.
 
Dan_Shappir:
but they're still tracking you. So there are a lot of issues with that. There are security and privacy issues with this whole tracking thing. And I think that's kind of some of the things that Apple, for example, those web views are kind of broken. And from experience, most developers don't really test for them because it's almost impossible to test for them, and you really can't debug them. So I've very often seen pages that come out looking totally broken when they're open inside an in-app browser like that. But it is what it is. You know, the reality is that they're around. There are a lot of them, unfortunately.
 
Joyce_Lin:
I did find the gentleman's name, the security researcher, Felix Krause, was trying to see how much JavaScript gets injected through an in-app browser, and then also who's logging your keys, right? So if you click through to an Amazon store and you're entering in your password, who's logging those keystrokes? And then has a really nice table breaking down each common platform and who's the worst offender, which I'm sure you could probably guess who the worst offender is.
 
AJ_ONeal:
It was TikTok, wasn't it?
 
Joyce_Lin:
Huh?
 
AJ_ONeal:
It was TikTok.
 
Joyce_Lin:
Yes, yes, it was TikTok.
 
Dan_Shappir:
Is TikTok even still legal in the US?
 
Charles Max_Wood:
Yes, but they're debating it, so we'll see.
 
Dan_Shappir:
Ah.
 
Charles Max_Wood:
Um, yeah, we're kind of getting toward the end of our time. I mean, I guess we've kind of talked around a lot of ideas and I just kind of want to pull things together here at the end. So if you, let's say that you found some website that provided something and you wanted to start reverse engineering it, um, I mean, what, what approach would you take just to kind of get started? And what kind of issues do you anticipate you would have to solve as you did it?
 
Joyce_Lin:
It sounds basic, but I would just start with DevTools and observing what's going on. The vast majority of people can't even imagine what's going on behind the scenes in terms of network calls. So recording that information and then sifting through every network call that's coming, that's how the security researcher, Felix Krause, identified these vulnerabilities. And so Postman has a couple different ways to help you do that. We talked about a couple of them. You can import a HAR file, you can import a curl command, proxy your calls, soon there will be live collections, and then you can replay those calls. You are going to run into issues really quickly with any company that is worth their salt in security or even just web practices. So you will have issues replaying something when a token expires, when you don't have your correct authorization key. And so figuring out, through either well-documented reasons or sniffing that traffic, is going to be your best bet. And I think reverse engineering, hacking, debugging, whatever you want to call it, can only make you a stronger dev. Having those tools and knowing when to start inspecting something can only make you a better dev.
 
Dan_Shappir:
I totally agree. Very often in my day job, I work with different teams and different products in an organization, trying to help them improve their performance. But I kind of join teams with developers who are well-versed in their product, but I'm not. And so if it's a web-based product, it works is to look at the network tab and then to look at the profile tab, and that gives you so much insight into it, like you said, into exactly what's actually happening, you know, what's it actually doing, what's it waiting for, why is it waiting for this sort of stuff. And you know, you certainly learn a lot of things this way. This is like a fast track into understanding how things said in web-based applications. It's more challenging with native applications.
 
Joyce_Lin:
And Chuck, I think you were saying that how you start with something is you start with the documentation. And I'll tell you, that is such a surprise because most devs don't read the documentation right away. They do get to the documentation, but they start off with interacting and playing with the tech. And so, you know, obviously go to the documentation, the documentation is really important. But if it's not up to date, and if there is no documentation, play with the tech.
 
Charles Max_Wood:
Oh, absolutely. And a lot of times it's intuitive enough to where, I mean, the only documentation I really look at is how to get started. But sometimes, yeah, it's just, okay, I see how they structured stuff.
 
AJ_ONeal:
how to get your
 
Charles Max_Wood:
But yeah.
 
AJ_ONeal:
auth token in the first place is always the hardest part, because it's never, it's always buried somewhere
 
Charles Max_Wood:
It's never
 
AJ_ONeal:
in the
 
Charles Max_Wood:
the
 
AJ_ONeal:
documentation
 
Charles Max_Wood:
same.
 
AJ_ONeal:
because you only need it once. And so in every other page, it just assumes, oh, you already did this. It doesn't, you know, even when they give the
 
Charles Max_Wood:
Yeah.
 
AJ_ONeal:
curl examples, a lot of times they'll omit the token in, even though you have to have it, it's not actually correct curl. So we're,
 
Charles Max_Wood:
All right, well, let's go ahead and cut to the next portion of our episode. Before we do that, Joyce, if people want to connect with you online or if they have questions about this, where do they find you?
 
Joyce_Lin:
I'm on Twitter and don't comment me, but I'm also on TikTok for now until it gets banned by the US government. Find me on TikTok, Joyce Jetson.
 
Charles Max_Wood:
Alright, let's go ahead and we added a segment after the picks and it's basically just self-promotion. So what are you working on now that people should know about? We'll start with AJ. AJ, what are you working on now that people should know about?
 
AJ_ONeal:
Absolutely nothing, but I'll tell you about something anyway. So, Beyond Code, we're doing workshops. We're starting with some shell workshops. If you're interested in that, I know it'll be, have been a month, but it's okay. I'm gonna redo it anyway, or do another series of them. But if you're interested in learning how to use the shell, so this is kind of bash, but it's kind of anti-bash. It's more the POSIX shell, but in order to learn the POSIX shell, you basically have to learn shell are the not bash parts, because there's no documentation on the POSIX shell other than the technical reference manual. There are zero books on the shell that you have to use on BSD and Docker and all these CI/CD environments, etc. So when you're running a script and it just doesn't work, you don't know why, it's because that environment needs a POSIX script shell, which is ever so... bash is a superset of POSIX essentially. So bash is like... a comparison. Anyway, so I've got that. So just search out Beyond Code Bootcamp, at underscore beyond code on Twitter. Hit me up. Let me know if you're interested in participating on that. It's basically 99.9% off right now because I'm developing it and it's live working sessions rather than prerecorded material. And then the other thing is somebody's and I got together and we are doing cloud hosting services. We are buying servers. I think today they've been in the shopping cart. We've just been debating over some minor configurations, this RAM or that RAM, this drive or that drive, whatever. But in about two weeks, we should have them in a local data center. So I've already been in contact with the data center and visited it. Why would you choose our hosting service that doesn't yet have a name? I don't know, you probably wouldn't. But it's privately owned. We are not going to get any venture capital. We are, you know, by the end of the year, if we have 100 clients and that's all that we have, that'll be great.
We are using the same technologies that DigitalOcean uses in terms of how the containers and the virtualization and all that are done. It's all the same technology. We're using Ceph. You know, most of the stuff is open source for these VPS providers and cloud service providers, and then they just give you a really beautiful interface on top of the open source software. So we're having a redundant set of servers. We have a cold spare server, so to speak. So in case anything does happen to any one of the servers, we've got extra drives. So we are all good. We've got a lifeline with the data center. We don't have to necessarily drive down there. If it's an urgent issue, we can call them up and say, hey, open the cabinet, pull out the spare drive, put it in server three where the red light's blinking, please. So it is going to be, as far as I can tell, we actually, because we're starting this now and running the latest version of those open source packages, we actually, I think, will have an edge over DigitalOcean in a lot of regards, because we're not starting like they did 10 years ago when all of this stuff was still kind of being formed and being figured out. We're starting with the best stuff, the latest versions today. So anyway, if you're interested in that, I think that the big thing is we're privately owned. So we're not going to have the problems that VC backed companies have.
 
Charles Max_Wood:
Cool? Dan, what are you working on that people should know about?
 
Dan_Shappir:
I don't know if this is something that people should really know about, but it's still an interesting story that I actually tweeted about and got a lot of curious feedback. You may recall that back in episode 350, we had Adam Bradley from Builder.io to talk about one of their many projects, this one called Partytown. Partytown is this amazing hack they created to move marketing pixels off of the main thread and into a worker, you know, stuff like the Google Tag Manager or the Facebook Pixel, because all these things are like the spawn of hell, kind of similar to in-app browsers in that they, you know, really eff everything up. Pardon my French. And yeah, so the problem with this is that the thing with Partytown is that it's not so much a product, more like a concept. You can't really, like it's not plug and play. You usually need to, you will need to kind of really massage things in your particular website to get it to work with the set of pixels that you happen to be using. So actually we at Next Insurance went through the effort of integrating Partytown into our public website and the results have been very nice. Dramatic improvement in the INP metric, which measures kind of like the interactivity of the website, how quickly it responds to user interactions and user input. Obviously you want your website to be as interactive, as responsive as possible. rage clicking on your buttons because they just don't respond. Certainly, you don't want them to bounce because the website just doesn't work. And Partytown has made a really significant difference for us. One of our developers, Tom Tavol, she did all the heavy lifting of actually integrating it into the website. You know, I was like rooting for her, but she did all the actual work. And like I said, the results, you can, you know, plain as day in our graphs. And it's really cool. And a lot of people are like, wow, how did you do that? And stuff like that.
And it's really nice to see a kind of a technological magic like this actually work out. That's put it this way. So that's an interesting story.
 
Charles Max_Wood:
Cool. Steve, what are you working on that people should know about?
 
Steve_Edwards:
Well, like Dan and AJ said, there's things I'm working on. And I don't know if people should necessarily know that I'm working on them. I just will say I'm still working on a long-term project that involves Nuxt.js with Vue, and Laravel. And it's a lot of fun. I'm thinking about maybe doing some blogs and videos and stuff, just from stuff I've learned from it and bumps I've had to overcome to integrate everything. But it's a stack that I really like just because it's quick. It's very fast. And it gives me all the control I like over my data and organization and structure and stuff without having to rely on an external data structure like a CMS, a Prismic or a Sanity or something like that. But that's a long-term project that I'll hopefully finish here in the next month or so.
 
Charles Max_Wood:
Awesome. I'm going to throw mine on and
 
Steve_Edwards:
Wow,
 
Charles Max_Wood:
then Joyce
 
Steve_Edwards:
I excited
 
Charles Max_Wood:
will...
 
Steve_Edwards:
Dan there, I could see that.
 
Charles Max_Wood:
Ha ha ha!
 
Steve_Edwards:
Dan was yawning for those who couldn't see.
 
Dan_Shappir:
It's kind of linked here, you know.
 
Steve_Edwards:
Yeah.
 
Dan_Shappir:
Even though it's like savings on your side of the world and not on ours, which will probably be my
 
Steve_Edwards:
Yeah.
 
Dan_Shappir:
pick or something like that.
 
Charles Max_Wood:
All right, well, I'm gonna throw in real quick. I'm gonna make mine really brief. I've been talking to a bunch of people. There are kind of three things that people are concerned about these days or want more content from us on. One of them is, especially given that some people seem to be losing their jobs. In fact, my contract ends on Thursday. And so I'm looking for more stuff to work on, probably part time. But career stuff, right? How do I, you know, put my best foot forward, find the job that I like, stuff like that. Definitely working on content on that. The other one is React. People want more content on React. And then the last one is, I've had, I can't tell you how many people ask me when we're going to put game development content out. So, to answer the last question, my friend Jason Wyman, he has a course that he's put together. By the time you're done you will have built a game and he just walks you through the process of doing each step. His course, it's up at game.courses. I'll put a link in the show notes because if you use my link then he does give me a kickback now. He doesn't charge you anymore so it's just a referral link for me, but he's also given me a coupon. JavaScript 5 will And what we're doing is, anybody who buys the course, I'm just gonna do a call every week, probably on like Thursday morning. And we're just gonna talk about how our games are coming, right? Because this is something that I've wanted to learn for a while. My 17 year old son, he's convinced he's gonna be a game developer when he grows up. We'll see how that works out, but it's a way for me to connect with him. And so anyway, if you're interested, notes you can just click through and sign up and then I'll also have a link so that you can just join our calls every week. I'm not going to make it that complicated to get in or make you sign up for anything special, right? You just, you know, jump on our circle.so instance.
It's, um, you know, where we can do chat and stuff. And so you'll be able to chat about it and then join the calls. Um, but yeah, that, that's what I'm looking at. And, uh, I am planning on starting a game dev podcast here within the next few weeks. So, uh, should be fun. What are you working on that people should know about?
 
Joyce_Lin:
Well, I don't do it game dev, but I just 3D scan my face using Unreal Engine and MetaHuman. So I'm getting ready for the metaverse. You guys can all
 
Charles Max_Wood:
Oh, fun.
 
Joyce_Lin:
see, we can all interact with each other in the meta, in a metaverse. I'm good
 
Charles Max_Wood:
then
 
Joyce_Lin:
to
 
Charles Max_Wood:
we'll
 
Joyce_Lin:
go.
 
Charles Max_Wood:
know what you look like.
 
Joyce_Lin:
Yeah, yeah. Okay, so I told you about the, I was playing with the OpenAI API running GPT3 versus GPT4 models and running the race. And I posted this video and people were really intrigued by Postman Flows, that's the program that I was using to set calls off in parallel. So last week I recorded a bunch of videos. Postman Flows has been in beta for the last year and by the time you hear this podcast it will be in general availability. So if you want to check out those videos of how to do low-code API workflows, check out the Postman YouTube channel.
 
Charles Max_Wood:
Awesome. All right, now let's roll into Picks. Steve, you have Picks for us?
 
Steve_Edwards:
Yes, the first pick is more of a visual pick for those who are watching. That is the wig I'm sporting. It's called the chick magnet. If you google the chick magnet wig, it's like night and day. I go from ugly to handsome. Although it's true that God created so many perfect heads and the rest he covered with hair. It's still nice to have hair and especially if we're keeping my head warm once in a while. A little itchy, but so it does the job. If you want to enhance your looks, the Dad jokes of the week. Those of you who are regular listeners know that I have a particular affinity for the cow jokes. And I really wish I had a cow joke sound effect, but I don't. But the question is what do you get when you cross a cow in a bazooka? You might know. Utter destruction, right? Now, a thought for the day is a sock of pennies is actually a great weapon because you never know when you'll need to beat some sense into someone. Right? And then for you sci-fi movie fans out there, there's two astronauts talking in space. And astronaut one says, I can't find any milk for my coffee. Astronaut two says, in space no one can hear. Use cream. In space, no
 
Dan_Shappir:
Yeah,
 
Steve_Edwards:
one can hear you
 
Dan_Shappir:
yeah,
 
Steve_Edwards:
scream
 
Dan_Shappir:
yeah.
 
Steve_Edwards:
in the Alien movie. Well, Joyce had the really confused look there. So I had to ruin it and explain that joke. But anyway, those are my jokes of the week.
 
Charles Max_Wood:
All right, AJ, what are your picks?
 
Dan_Shappir:
The unused button is its first pick.
 
Charles Max_Wood:
Yes.
 
Dan_Shappir:
He hasn't picked it yet.
 
Charles Max_Wood:
I
 
Steve_Edwards:
It's the mic
 
Charles Max_Wood:
did.
 
Steve_Edwards:
button, AJ Little One that says mic.
 
Charles Max_Wood:
I have a way of requesting him to
 
Dan_Shappir:
Ha
 
Charles Max_Wood:
unmute.
 
Dan_Shappir:
ha ha
 
Charles Max_Wood:
Sometimes I can do that.
 
AJ_ONeal:
Oh, that's weird. So I was double muted. I was muted in the software as well as muted by the Shush app, and the Shush app has this weird thing where it was designed before the current window management system that Apple has deployed, and so it will not update the icon in the menu bar on all screens. And so on most screens, actually, it's like 50-50 whether it shows me as muted right now or not. It's been on which screen I'm looking at. Anyway, so what was I going to pick? Oh, so I, I eventually did get a new phone. I got the iPhone SE 2020 and I have almost all the same problems on this phone as the other phones. So people would tell me, oh, you've got to update your phone. It's because your phone screen is so small. The screen on this, the resolution on this is almost exactly the same size. It's just larger so you I actually am enjoying it, but what makes it bearable, because I couldn't stand it. The reason I didn't want a huge phone is because I wanna be able to reach the whole phone and I don't wanna have to use two hands, because using two hands to text while driving is dangerous. And a lot of other activities too. So you don't wanna have to be using two hands to use your phone. But I found these cheapo little adhesives that go on the back. And I think it's $6 for a pack of six or something like that. So you can, you know, got some colors to choose from. But it makes it totally usable and I don't feel sorry, I'm gonna offend, you know, half, maybe three quarters of everyone. But the stupid little circle knobs on the back that make you look like a dork. Yeah, I didn't want one of those. No offense to anybody who uses those. Now you've got the ring. The ring is a little bit different. I'm not sure if it's better or worse, but you've got the ring there. But anyway, no, I just, I personally, the little circle knobs that pull out and push in that those, I just, I don't, looking at those is like nails on a chalkboard visually for me for some reason. 
And I just, I just, I couldn't bring myself to do it. But I found these little strappy do's and they work great. And I can, I positioned it a little bit off center so that if I use it as a kickstand on one side, it's a different angle than if I use it as a kickstand on the other side. So if I'm sitting in bed watching a movie or something as I'm falling asleep, then I've got two viewing angles to choose from. And then yeah, it just, really well. It's really simple. It's just an adhesive and some silicone and a little metal button and it's been working great for me and I'm loving it. So gotta share the joy.
 
Charles Max_Wood:
Alright, um, Dan, what are your picks?
 
Dan_Shappir:
Anti-picks today, so my first anti-pick is daylight savings because our listeners might have noticed that I was absent in our previous episode, the one where we interviewed the Tages about what's it called, the signals. And that's despite the fact that I was the one that really invited him to come and speak on our show. And the reason that I did not participate is that. It's daylight, it started to be daylight savings in the US, but it's not yet daylight savings in Israel. And I kind of had it in my head that, you know, the show was recorded at a particular hour. I didn't check the calendar. And guess who missed the recording? So yeah, you know, it's just so, I don't know. There's just something so stupid about the fact that you can't really tell what time it is somewhere in a predictable sort of a way. I don't know. It's, it's, it's, you know, there's something. I understand how people used to live according to when the sun came up and when the sun set, but it, I don't know, so it kind of seems kind of dated, this, this approach, and not very productive. Anyway, so that would be the first thing, and my second is the still ongoing war in Ukraine, which I of people have stopped noticing or remembering or thinking about, but guess what, it's still ongoing. So anything that our listeners can do to help the people in Ukraine, please do, and those would be my anti-picks for today.
 
Charles Max_Wood:
Alright, I'm gonna throw in some picks. My first pick is I always pick a board game and this is a board game. It's not a board game. It's a card game. We played it so every year in February. Yeah, I keep backing up further and further. So every February my wife and I and my sister-in-law and her husband and her father, we all go on a trip and we go to the Parade of Homes. We walk through houses and one of the games we played is called The Crew. We always play card games and board games at night after we get back. And The Crew is, it's a card game, there's a trump suit, there are four cards in the trump suit, there are nine cards in every other suit, the four other suits, and you basically get assigned to take a specific card in one of your tricks. And sometimes you have to do it in order, and sometimes you have to, you know, do other things during the game. But anyway, it's a pretty simple game. Board Game Geek ranks it at, what was it, a 1.97? So I mean casual game, 20-minute rounds, and they give you a bunch of different quests to complete and there are 50 of them. So when you complete them all you, anyway, so yeah, so anyway, I've really enjoyed that. I'm gonna pick that and then I've still been watching Battlestar Galactica, just re-watching that, because I really love that show. So, you know, it's not like an up-to-date pick, because the show's what, 15 years old or something, but it's one of my favorites. And so, whenever I'm like, I don't see anything I really wanna watch, that's usually something I put on. So I'm gonna pick that. And then, this one's for Steve. I saw a story, I was just browsing the internet, saw a story that showed this study, dad jokes help kids develop into healthy adults.
 
Steve_Edwards:
Yes.
 
Charles Max_Wood:
And
 
Steve_Edwards:
Yes, that is so true.
 
Charles Max_Wood:
so, I'm gonna post a link to that, we'll put it in the show notes. But yeah, I thought that was kind of fun and funny. So,
 
Steve_Edwards:
Yes, I like that.
 
Charles Max_Wood:
yeah. All right, Joyce, what are your picks?
 
Joyce_Lin:
I was trying to use context clues to figure out what picks were. Are they pictures? Are they dad jokes? Are they anti-picks?
 
Charles Max_Wood:
just call
 
Joyce_Lin:
Hardware?
 
Charles Max_Wood:
outs to anything you enjoy. Yeah.
 
Joyce_Lin:
was prepared for anything.
 
Charles Max_Wood:
Oh, sorry.
 
Joyce_Lin:
I love Battlestar Galactica. I watched it much later than when it first came out, but that I didn't like the first episode and so I stopped. I didn't, even though people raved about it, but like totally worth worth the watch. I don't really have anything that I feel super strongly about. So I do have a dad joke if Steve will permit
 
Steve_Edwards:
Yes!
 
Joyce_Lin:
me. So my postman has a dad joke And so I just picked the one that tickled my fancy. It's the image of a nursery or a plant nursery. And the sign says, you can't plant flowers if you haven't bought any.
 
Steve_Edwards:
I got it, anybody else get it?
 
Charles Max_Wood:
It took me
 
Steve_Edwards:
Okay.
 
Charles Max_Wood:
a minute. It took me a minute.
 
Joyce_Lin:
Badani.
 
Steve_Edwards:
Botany, yes,
 
Charles Max_Wood:
Yeah.
 
Steve_Edwards:
got it.
 
AJ_ONeal:
Oh.
 
Charles Max_Wood:
Yep.
 
Steve_Edwards:
AJ's a little slow in the uptake
 
Charles Max_Wood:
Ha ha ha.
 
Steve_Edwards:
here, but.
 
AJ_ONeal:
So my sister, she sent me a text message and my brother, he sent, yeah. So people send me text messages and they're not English. They're misspelled words, they're missing words, they're words out of order. Now granted, I do this too because I swear the phone auto-corrects. My phone auto-corrects to languages that don't even exist. Tell type of correct word and it'll just put out nonsense. It's just XJRKM force it, what? Anyway, so I get that sometimes it's the fault of the phone it random words in a text message. If you want to swap every letter of a word, but the whole sentence is still a complete sentence, I can read that no problem. But when words are missing or punctuation that's important is missing or homophones are used where it's a word like for example, there and there, there as in owned by them and then there as in over there, when that kind of stuff happens in a text message, I can't read it. So I'm actually not very good at sorts of puns, generally speaking. And my least favorite pun is the ones, the written puns, where one letter goes into the next letter of the next thing. I can't, I can't, I can't think of
 
Charles Max_Wood:
I
 
AJ_ONeal:
one
 
Charles Max_Wood:
never
 
AJ_ONeal:
off the
 
Charles Max_Wood:
thought
 
AJ_ONeal:
top of my
 
Charles Max_Wood:
of dad
 
AJ_ONeal:
head.
 
Charles Max_Wood:
jokes as a skill. I just... Okay.
 
Steve_Edwards:
It's definitely
 
Charles Max_Wood:
Okay.
 
Steve_Edwards:
an art.
 
Joyce_Lin:
There might be another research article about this, but the reason why puns are funny to people is because it does something special in your brain where you're expecting one thing and then getting another. So
 
Charles Max_Wood:
Hmm.
 
Joyce_Lin:
maybe that's going to be in the article that you post.
 
Charles Max_Wood:
Yeah, well, I have to say that my dad jokes earn me eye rolls every day with my kids. So totally worth it. All right, we'll let we're going to go ahead and wrap up. Thanks again for coming, Joyce. It was good to
 
Joyce_Lin:
Thank
 
Charles Max_Wood:
talk
 
Joyce_Lin:
you
 
Charles Max_Wood:
to
 
Joyce_Lin:
for
 
Charles Max_Wood:
you
 
Joyce_Lin:
inviting
 
Charles Max_Wood:
again.
 
Joyce_Lin:
me. Yeah.
 
Charles Max_Wood:
Yeah. All right. And we'll end it here till next time, folks. Max out.
 
Steve_Edwards:
Adios.
 
Joyce_Lin:
Bye.
 
AJ_ONeal:
Adios.