Base Secrète

New Relic Vs Rorvswild

Fri, 30 Jun 2023 00:00:00 +0000

RoRvsWild vs. New Relic

June 30, 2023

We are making RoRvsWild, a monitoring tool for Ruby on Rails applications. New relic does that too, and much more.

RoRvsWild vs. New Relic seems like an unfair fight.
We might be biased, but like for David vs. Goliath or Ukraine vs. Russia, there is always a chance the kid kicks the ass of the giant.

New Relic

New Relic is the OG in web app monitoring. They have been the only choice for a while.

Today New Relic is also known as $NEWR, a public company with thousands of employees and huge revenue. Their stock rises and pleases their shareholders when they announce massive layoffs or when there is a rumor they are about to sell to an investment firm. This week alone, they fired 200 employees after the investment firm finally canceled their offer.
Still, they lose a staggering amount of money, $52 million in the last quarter alone, with a big part of their expenses in marketing and sales.
For how long can they stay in business? Are they too big to fail? Who knows? Probably their Chief Revenue Officer who just sold his shares.

New Relic is a powerful and feature-rich tool with a steep learning curve. They support all languages and target mainly «enterprises» with specialized DevOps teams. Understanding its graphs and menus requires a significant investment of time and effort.

They have a free plan, but their pricing structure can quickly get expensive. The cost explodes as you add more people, monitor additional hosts, etc. We have been using New Relic in another life when working in a comfortably VC-funded startup. It was overkill. The startup does not exist anymore.

Their agent is heavier as they grab much more data. They now collect all your logs by default, which some consider a shady tactic to get everyone to pay more and grow their revenue. It also raises privacy concerns, as they feed AI with your data; and use a massive count of trackers.

Last but not least, people frequently report challenges with their support services, including slow response times.

RoRvsWild

RoRvsWild is an independent company. We have no investors and a team of 2. The only people we have to please are our customers.

RoRvsWild is Ruby on Rails only. In the Rails community, we like to boast about how some big companies like Shopify use Rails. But in reality, most teams using Rails are small, as this framework makes it relatively easy to launch an app. It is unlikely you have a DevOps, performances, or site reliability team. Rails developers generally have to take care of performances and errors themselves.
RoRvsWild has no learning curve and is the fastest way to find an issue and get back to code.

We don’t have a free plan, but our simple pricing is requests based, with no hidden costs, much more affordable and granular. We certainly need to improve our marketing and communication, but we are not losing money; we are here for the long run.

We do our best to answer every request we get. We cannot escalate an issue. We all receive support emails, and you receive direct answers from the people building the service. You also get a high probability your feedback and feature requests will make it into the product.

So yes, we are taking our chance. Sometimes, we feel like we have to keep going and that New Relic will soon be a piece of history.

Active Hashcash

Fri, 12 Aug 2022 00:00:00 +0000

Active Hashcash Ruby Gem

Aug 12, 2022

Securing a web application is not trivial. Every feature and especially public exposed forms are potential security breaches. Any breach will eventually be exploited, even on small applications.

For a long time, we have been looking for the best way to protect login and registration forms against brute force attacks and spam bots, often using a combination of techniques.

Today, we are releasing active_hashcash, a gem to protect Ruby on Rails applications forms.

What about current solutions?

IPs rate limiting

This technique limits how often someone can repeat an action within a given timeframe. IPs rate limiting is efficient against brute force or DoS attacks, but not so much against bots or botnets. It might block legitimate users and lock them out of their accounts after too many failed login attempts.

We can use IPs rate limiting carefully. It is not sufficient to protect our applications.

Honeypot fields

This technique uses fake hidden input fields. If those fake inputs are not left empty on form submission, you can assume a bot filled the form. Honeypot form fields are simple and efficient against dumb bots. A bespoke bot targeting your site will not fall for it. Also, honeypot fields do not help against brute force attacks.

We can use Honeypot fields. It is not sufficient to protect our applications.

Captchas

Captchas require someone to correctly evaluate and enter a sequence of letters or numbers perceptible in a distorted image displayed on their screen. Captchas are efficient for blocking bots or slowing them down for the least.

Captchas also have some severe drawbacks:

They are annoying for the legitimate users of your application. Filling a captcha is fastidious and sometimes hard to do correctly. It takes the average person approximately 10 seconds to solve a typical CAPTCHA. This technique receives much criticism, especially from people with disabilities.
They depend on an external service, which can be slow or down, thus blocking access to your application.

As we want to build more accessible web applications, we would prefer not using captchas.

reCaptcha

reCaptcha, the most popular Captcha solution, is Google’s property. Your visitors become Google’s product.

Google collects and sells your customers' data to advertisers.
Google uses your visitors’ time to train its AI efforts for free.

Google or any other giant corporation should not own the internet.
We previously made an analytics gem to stop using Google Analytics and to respect our visitors’ privacy.

Moreover, reCaptcha does not block all bots. Some bots can solve captchas. Some even hire low-wage humans to do it for them.

For the same reasons, we would not use reCaptcha.

Reverse proxies

Another solution is to move behind a third party service such as Cloudflare. The goal of that extra layer is to block bad trafic before it reaches your site. But it makes the Internet more centralized and add an external dependency where you have no leverage. The reverse proxy sees all trafic sent to you. That means, you must have an extremely high trust into this service. Furthemore, it could be a nightmare for some legitimate users depending of their country.

For these reasons, we would not use a third party reverse proxy.

Active Hashcash: An alternative to captchas

We wanted to replace captchas with a user-friendlier solution, and after seeing some brute force attacks against our Rails application monitoring service RorVsWild, we developed the ActiveHashcash gem.

Hashcash is not a new technique. It was created in 1997 by Adam Back. It is used to help detecting email spam and by crypto currencies. It is a proof-of-work algorithm that can be useful as a denial-of-service countermeasure technique. The client has to spend some time solving a complex problem that is easy to verify for the server.

Hashcash is a proof-of-work algorithm

By enabling Active Hashcash on sensitive forms, the browser solves the problem while the user fills out the form. It cannot be submitted as long as the proof of work is not solved. Then the server verifies the proof of work from the hidden field.

Here is a demo on a registration form.

Most humans will not notice Active Hashcash since the problem is solved before they finish filling the form. Others, with less performant devices, will have to wait for a few seconds instead of deciphering hieroglyphics or solving a puzzle.

The complexity can be changed via ActiveHashcash.bits = 20. It can also be changed dynamically by overriding the controller's method hashcash_bits.

Active Hashcash is efficient against DoS. It blocks bots that do not interpret JavaScript; It slows down the others. For a default complexity of 20, the attacker must have 2^20 more CPU power than your site! That's 1'048'576 times more, which is quite a lot even with a small server.

Active Hashcash is complementary to rate IP limiting and honeypot field form. We strongly encourage everyone to have all three protections.

Compromises and future improvements

Some might object that botnets don't care about burning CPU cycles. An innocent is probably paying the electricity bill for them. But time is money too. The goal here is to become a difficult target. Eventually, they will look after a less protected one.

Others will retort that it's a lot of wasted energy and not environment friendly. For legitimate people, it's very true and sad. But as it does not concern all requests, the extra consumption is limited. And Bots would have wasted that same energy to attack more sites anyway.

We know Active Hashcash is not perfect and you can help:

The JavaScript implementation is 20 times slower than the official C version. It needs some work to be optimized, and your contributions are more than welcome.
We could have a dynamic complexity. If the same IP is requesting many times a login form, the complexity could be increased gradually. When the IP address is coming from a datacenter, the odd for a legitimate user are lower. In that case it could make sense to increase the complexity...

Good humans, let's unite against bots! Please Contribute

Ruby On Rails Developer

Thu, 11 Nov 2021 00:00:00 +0000

Ruby on Rails Developer (m/f)

November 24th, 2021

Base Secrète is a small independent web agency based in Geneva, specializing in Ruby on Rails development.

We are making web applications for our clients and operating RoRvsWild.com – A Rails application monitoring tool. We also publish some open-source libraries – https://github.com/basesecrete.

We are mandated to rebuild the website of the prestigious Swiss media Le Temps. It's a big, long-term project for an institution with more than 100 journalists – and a million monthly readers. We are 2 and we could be 3.

We are looking for a Ruby on Rails developer to strengthen and balance our team. We offer flexible conditions to discuss.

3+ years of experience in Ruby on Rails development
Independent or hire
60% to 100%
Remote (Timezone Geneva -2/+2)

Developpeur Ruby On Rails

Thu, 11 Nov 2021 00:00:00 +0000

Développeur Ruby on Rails (h/f)

11 Novembre 2021

Base Secrète est une petite agence web indépendante, basée à Genève, spécialisée en design et développement d’applications sur mesure en Ruby on Rails.

Nous développons des applications web pour des clients ainsi que nos propres produits (RoRvsWild.com). Nous publions aussi quelques projets de logiciels libres (https://github.com/basesecrete).

Nous venons d’être mandatés pour la refonte du site du prestigieux média Suisse Le Temps. C’est un beau projet, pour une institution avec plus de 100 journalistes, et plus de 100 000 lecteurs quotidiens. Nous sommes 2 et ne serons pas trop de 3.

Nous cherchons un développeur Ruby on Rails pour renforcer et mieux équilibrer notre équipe. Nous proposons des conditions flexibles, sur mesure.

3+ années d’expérience en développement Ruby on Rails
CDI ou Indépendant
Occupation 60% à 100%
Télétravail (fuseau horaire Genève -2/+2)

Active Analytics

Wed, 09 Jun 2021 00:00:00 +0000

Active Analytics

June 9, 2021

Website owners use web analytics tools to monitor their performances, to understand what their audiences like, and what they can improve. For years, they relied on third-party cookies and trackers, giving away their visitors' privacy to giant tech companies in exchange for these precious insights. This is about to change for good.

We are releasing a new Ruby gem called active_analytics. It is a simple first-party tool to inform Ruby on Rails website owners without compromising their visitors' privacy.

No cookies, no trackers

Thanks to GDPR and other customer protection laws, third-party cookies may come to an end. Hopefully, those unbearable cookie consent banners could also soon be history, when all website owners realize nobody is clicking “Yes, I think Google and Facebook are not rich and evil enough.”, or “Please give me more creepily relevant ads”.

Strangely enough, when people are given the choice to not being tracked, they choose not to be tracked.

Apple is also acting to help people block that privacy-invading bits of code, making Facebook super angry. It is working pretty well, as 96% of people being asked if they want to be tracked by Facebook answer NO.

Google is preparing for a cookie-less world with floc, or “cohort analysis”. Privacy-conscious website owners are already implementing measures to block it.

No javascript, no third parties

Privacy-focused Google Analytics alternative tools, like Plausible, Fathom or Simple Analytics have flourished over the recent years. They are pretty cool, and encounter great success as more and more people are looking for tools that do not sell their customers' moms.

They don’t use cookies, but a small Javascript script. For some reason, most of them are now considered trackers and are blocked by the majority of Privacy protecting extensions. As more and more people are concerned with their privacy and don’t trust third parties, more and more people find solutions to protect themselves. Depending on the kind of people you target (mostly developers in our case), this kind of convenient service quickly gets not so accurate.

No bullshit

Metrics like unique users, session duration or bounce rate are flawed. There is no way to precisely measure that. Referral spam makes you falsely believe your application is popular and can be a nightmare to block.

Active Analytics: simple open-source first-party analytics for Ruby on Rails applications.

Active analytics is first-party. You mount it in your own Rails app and decide yourself where you can access the data, yourdomain.com/analytics for example.

It doesn’t collect any personal data. It cannot be blocked by adblockers and other privacy-protecting extensions. It is compliant with all privacy laws and doesn’t require you to add a cookie consent banner.

It only gives basic information about what is going on in your web application: which pages are viewed and what are the sources leading to that pages. It also shows where people go from a given page. It never reveals anything about specific visitors.

This is probably enough. Marketers may cry for a while, but sooner or later, they will have to adapt anyway.

It is open source. You can install the gem and view the source code. You are very welcome to contribute or to provide us with your feedback on Twitter.