Forem: Tan Yong He

TrackLah!

Tan Yong He — Sun, 08 Jun 2025 14:12:41 +0000

This is a submission for the Postmark Challenge: Inbox Innovators.

🧾 TrackLah!

Freelancers and small businesses in Singapore often receive payments through peer-to-peer apps like PayLah! or PayNow, and clients typically confirm these transactions by emailing or messaging a screenshot. Manually checking each payment notification, extracting details, and updating a financial record or spreadsheet can be time-consuming and error-prone — especially with different formats, currencies, and inconsistent communication.

TrackLah! solves the problem by automatically parsing incoming emails (using Postmark's inbound email parsing feature), extracting payment information using OCR, and updating a Google Sheet to track each transaction. It ensures freelancers get real-time updates, avoid missed payments, and maintain a centralized record of all incoming funds — without lifting a finger.

📦 Features

✅ Extracts text from payment screenshots (e.g., PayLah!, PayNow)
🔤 Uses OCR.space API to parse text from image attachments
💸 Identifies amount and currency from text
📋 Appends or updates rows in a Google Sheet
⚙️ Health check endpoint

📦 Upcoming Features

📋 Generate invoices to clients
🛡️ Ignores duplicate MessageIDs

🧱 Tech Stack

Frontend: React 18
Backend: Node.js, Express
Email: Postmark (Transactional API)
Deployment: Fly.io
Secrets: .env / environment variables
Version Control: Git & GitHub

📊 Sequence Diagram

📦 Live Demo

How It Works

1. Send an Email
Compose an email to b5fec6c3607a2f29c77a448e01fedcf6@inbound.postmarkapp.com using any email client.
See /examples/ for payment screenshots you can attach to the email.

2. Trigger the Automation
The system receives and processes the email via Postmark inbound webhook.

3. Observe the Result
Updates will appear automatically in the connected Google Spreadsheet (you'll see a new row added).
https://docs.google.com/spreadsheets/d/19cZqjmo9-ZA1uyiAFQNiCbnNKZoQ0O-hrkYDSPclysI

Notes

Only the first attachment will be processed per email.
The Google Spreadsheet is read/write protected — edits are only made through this integration.

Code Repository

https://github.com/tanyonghe/track-lah

🌍 Redis Geohashing: Storing and Querying Location Data with Ease

Tan Yong He — Sat, 31 May 2025 06:56:40 +0000

Redis isn't just a blazing-fast in-memory data store — it also comes packed with geospatial capabilities that are incredibly handy when working with location-based applications. At the core of this is geohashing.

📌 What Is Geohashing?

Geohashing is a method of encoding geographic coordinates (latitude and longitude) into a single string or number. Redis uses a 52-bit representation of this concept to store locations efficiently.

Think of it as compressing a lat/lon point into a compact format that allows for:

Fast insertion
Efficient querying of nearby locations
Sorting by distance

🗺️ How Redis Uses Geohashing

Redis provides the GEOADD, GEOPOS, GEODIST, and GEORADIUS (deprecated in favor of GEOSEARCH) commands to handle geospatial data.

Example:

GEOADD places 13.361389 38.115556 "Palermo"
GEOADD places 15.087269 37.502669 "Catania"

Here's what's happening:

Redis converts each lat/lon pair into a geohash.
It stores the geohash under a sorted set (zset), using it as the score.
Location names (like "Palermo") are the values.

           +--------------------------+
           |     Sorted Set (ZSET)    |
           +--------------------------+
           | Score (Geohash) | Member |
           +--------------------------+
           | 34790932423489 | Rome    |
           | 34923498230912 | Milan   |
           | 34982342344933 | Naples  |
           +--------------------------+

Each location's latitude & longitude is converted into a geohash score.

You can now query nearby locations:

GEOSEARCH places FROMLONLAT 15 37 BYRADIUS 200 km

This will return all locations within 200km of the specified point — fast and sorted by proximity.

                   +-----------------------------+
                   |                             |
                   |        [Center Point]       |
                   |             🧭             |
                   |            / | \            |
                   |           /  |  \           |
                   |         /    |   \          |
                   |      [Nearby locations]     |
                   |         📍     📍            |
                   |                             |
                   +-----------------------------+

Using GEOSEARCH BYRADIUS, Redis returns all points within the specified radius, sorted by proximity from the center point.

🧠 Why Use It?

Ideal for "what's near me?" features – Great for location-based apps like food delivery, rideshare, social meetups, and store locators.
In-memory performance – Queries are lightning-fast compared to traditional spatial databases.
Simple, elegant API – Easy-to-use commands like GEOADD, GEOSEARCH, and GEODIST.
Sorted results by distance – Redis returns nearby places ordered by how close they are — no need for post-processing.
Compact storage – Uses 52-bit geohashes internally, making it memory-efficient.
Atomic operations – Redis commands are atomic, which avoids race conditions in high-concurrency systems.
Multi-purpose ZSET integration – Since geohashes are stored in sorted sets, you can combine geospatial queries with scoring, ranking, or expiring keys.
Cluster-friendly – Works well in distributed Redis setups for scalability and high availability.
Built-in distance calculations – No need for custom Haversine functions — Redis does it out-of-the-box in meters, kilometers, miles, or feet.

🧾 Final Thoughts

Redis geohashing is a powerful yet underused feature that provides a fast and efficient way to store and query geospatial data — perfect for building features like "find nearby places" with minimal setup. With simple commands and in-memory speed, it's a great tool to have in your backend toolbox for location-aware applications.

Give it a try and see how easy geospatial can be with Redis! 🌐✨

🚀 Pro tip: Try it out with redis-cli or libraries like ioredis for Node.js or redis-py for Python!

Beware the Evil Twin: Exploring Wi-Fi Impersonation Attacks

Tan Yong He — Tue, 20 May 2025 05:17:21 +0000

"Is this really Starbucks Wi-Fi... or a trap?"

Public Wi-Fi is convenient — but it could also be dangerous. Imagine you're sitting at a café, sipping coffee, and scrolling on your phone. You connect to a network named Starbucks_WiFi without thinking twice. But what if that network wasn't real? What if it was set up by a hacker just a few feet away?

Welcome to the world of Evil Twin Attacks — a stealthy and surprisingly common form of cyberattack.

😈 What is an Evil Twin Attack?

An Evil Twin Attack is a type of Man-in-the-Middle (MITM) attack where a malicious actor creates a fake Wi-Fi access point (AP) that mimics a legitimate Wi-Fi network's name (known as Service Set Identifier or SSID for short) and appearance.

When you connect to this rogue AP, the attacker can:

Intercept your traffic
Steal login credentials
Redirect you to phishing websites
Inject malware into downloads

In short, they're silently eavesdropping between you and the internet, watching and manipulating your connections.

🧠 How Does It Work?

Here's a simplified breakdown of the attack process:
1. The Setup
The attacker configures a Wi-Fi access point using the same SSID as a legitimate one — often something like Airport_Free_WiFi or Hotel_Guest.

2. The Bait
Devices that have previously connected to that SSID may auto-connect to the stronger signal — potentially the attacker's AP if it's closer.

3. The Trap
The attacker may serve a fake login page asking for credentials or silently proxy your traffic — essentially having access to any confidential data you send out.

4. The Exploit
Any unencrypted data sent through the fake AP can be logged or modified.

🔎 How to Spot an Evil Twin?

Malicious actors would often target popular public hotspots in cafés and airports - areas with high density of devices likely seeking for free Wi-Fi - where it is easy to blend in and set up a rough AP in seconds.

It's not always obvious — but here are red flags to look for:

🚩 Duplicate SSIDs with varying signal strengths
An attacker will often clone the SSID of a legitimate public Wi-Fi (e.g., Starbucks_WiFi) to make their rogue network look authentic. But because they're physically located in a different spot than the real router, the signal strength will be noticeably stronger or weaker, depending on your proximity.

🚩 No encryption (open networks with no 🔒 icon)
Legitimate networks, even in public, increasingly use WPA2/WPA3 encryption. If you see an open network (i.e. no password required) that mimics the name of a secured one, it could be an Evil Twin trying to sniff, intercept, and/or modify unencrypted traffic.

🚩 Unexpected captive portals asking for logins
Some rogue APs use fake captive portals — web pages that pop up when you connect, prompting you to "log in" to access the internet. These are commonly used for phishing credentials.

🚩 Frequent disconnections and reconnects
Attackers may force your device to disconnect from legitimate Wi-Fi in order to get it to connect to their rogue AP. This is done using deauthentication attacks.

🚩 SSL/TLS warnings in the browser (⚠️)
If you get a warning like Your connection is not private, that's a big red flag because browsers show warnings when certificates don't match. If you see these while on public Wi-Fi, your connection may be susceptible to malicious acts.

🛡️ How to Protect Yourself?

You don't need to be a hacker to defend yourself. Here are practical tips:

🔐 Use a Virtual Private Network (VPN)
Encrypts your traffic from your device to the VPN server, shielding it from local snooping.

🔐 Avoid public Wi-Fi
Prefer mobile data when accessing sensitive services (banking, email). If you must connect to one, treat the network as untrusted — avoid logging into sensitive accounts.

🔐 Disable auto-connect
Most operating systems allow you to turn off auto-join for public networks.

🔐 Use HTTPS Everywhere
Ensure sites you visit are encrypted (look for the 🔒 icon).

🔐 Use strong Wi-Fi security at home/work
Enterprises should adopt WPA3 + RADIUS and monitor for rogue APs.

👨‍💻 For Developers and Cybersecurity Enthusiasts

If you're interested in going beyond theory, here are hands-on exercises to deepen your understanding of Evil Twin Attacks and network security. These are intended for ethical learning in controlled environments — never use these techniques on networks or devices you don't own or have explicit permission to test.

1. Set Up an Evil Twin Access Point
Follow a guided tutorial like Cybrary's Evil Twin Attack Tutorial or similar walkthroughs using tools like airbase-ng and Fluxion.

📌 Goal: Understand how easy it is to spoof public networks and trick devices into connecting to spoofed networks.

2. Capture and Analyze Traffic Using Wireshark

Run Wireshark to observe unencrypted HTTP traffic, DNS requests, as well as visible credentials or session cookies (especially in insecure apps).

📌 Goal: See firsthand how unencrypted data travels across open Wi-Fi and why HTTPS and VPNs are critical.

3. Explore the MITRE ATT&CK Framework

Read about Technique T1557.002: Rogue Wireless Access Points and map the Evil Twin attack flow to MITRE's stages (Reconnaissance → Initial Access → Credential Access).

📌 Goal: Gain a structured understanding of how attackers use wireless access as part of a larger kill chain.

🧾 Final Thoughts

Evil Twin Attacks are deceptively simple, yet dangerously effective. And as we grow increasingly reliant on wireless connectivity, cybersecurity awareness is no longer optional — it's essential.

✍️ Have you ever suspected a rogue network? Share your experience or thoughts in the comments below!

Ditching Postman: Why and How I Transitioned to Bruno

Tan Yong He — Mon, 12 May 2025 18:00:39 +0000

The Pains of API Testing

As a developer who regularly works with APIs, Postman has been the go-to choice for testing, documenting, and sharing across teams. However, over time, I began to feel the bloat. Postman became increasingly heavy, slow to start, and frustrating to use in version-controlled environments. That's when I discovered Bruno: a lightweight, open-source API client aiming to take on Postman's heavyweight legacy.

In this article, I'll walk you through why I made the switch from Postman to Bruno, what the transition looked like, and how my workflow has improved.

Meet Postman: The King of the Court

Needing no introductions, Postman is undoubtedly a powerful tool. But with power often comes weight:

Resource Heavy: Postman's Electron-based architecture makes it noticeably slow and memory-hungry.
Git-Unfriendly: Collections are stored in a proprietary format, making version control awkward and merge conflicts inevitable.
Local-Unfriendly: Requires internet connection for full functionality.
Pricing Concerns: Collaboration and advanced testing features are locked behind paid plans.

I realized I needed something simpler — something more developer-centric and user-friendly without all the gimmicky features I'd rarely/never use.

Introducing Bruno: The New Kid on the Block

Built by a team of developers who understand the pain points of using Postman, Bruno was designed to address them head-on:

Lightweight: Built as a native application with performance in mind, Bruno is snappy and resource-efficient, even on modest hardware.
Git-Friendly: Its file-based request structure means you can version control your API work just like your code.
Local-Friendly: Works entirely offline, so you're never blocked by internet issues or cloud service downtimes.
Open Source: No paywalls, no subscriptions, just code.

Transitioning from Postman to Bruno

Two words — Export. Import.

Export from Postman: Export Postman collections in JSON format.
Import into Bruno: Bruno natively supports various imports from other platforms like Postman and transforms them into .bru files.

Easy!

Working with Bruno

Bruno may be minimal, but it's got the essentials covered:

Creating Requests: Simple interface for GET, POST, PUT, etc., with headers and body configuration.
Environment Variables: Supports multiple environments via env files.
Response Viewer: Neatly displays response headers, body, and time.
Scripting: Though not as robust as Postman's scripting, Bruno supports basic request chaining and JavaScript snippets.
Version Control: Every change is tracked, readable, and merge-friendly.

For most use cases, Bruno is more than enough.

Bruno Ain't Perfect

Like many tools out there, Bruno — despite the many benefits — may face drawbacks as well:

Smaller Community: Being a relatively new tool, Bruno doesn't yet have the same size or activity level as Postman's community. That means fewer community-made tutorials, integrations, or Stack Overflow answers when you hit a snag.
Limited Advanced Features: Lacks some of Postman's advanced capabilities like built-in test assertions, workflow automation (like Newman CLI runners), monitors, and pre/post-request scripting with detailed logic. For complex API validation flows or automated test suites, you might find Bruno underpowered.
No Cloud Sync / Collaboration: Lacks real-time collaboration, shared workspaces, and automated syncing features that are helpful for larger teams or non-technical collaborators.

It may not be the ultimate Swiss Army knife for API testing, but it gets the job done exceptionally well.

Living with Bruno

Since switching to Bruno, my workflow feels cleaner and more developer-centric.

I keep all API collection files in my Git repositories alongside the codebase where branches and pull requests will include both code and collection updates, which makes reviewing changes much easier. Bruno's simplicity lets me focus on what matters — building and testing APIs.

Conclusion

If Postman feels like an overkill for your day-to-day API work — or if you're frustrated by its limitations — Bruno might be the breath of fresh air you need. It is not trying to replace every feature Postman offers, but it does what it needs to, and does it well. For solo developers or small teams who value simplicity, performance, and Git-friendly workflows, Bruno is a compelling alternative worth checking out.

In fact, having both tools at our disposal can enhance our workflow — we just need to know when to use each one effectively.

Thanks for reading! If you've made the switch too or are considering it, I'd love to hear your experience.