Blog

Tech blog on web, security & embedded

When conducting a penetration test (also known as a hack test) on a website, one of the first things that will catch my eye is the configured (or better, not-configured) security headers on the targeted website. Security headers are a defense-in-depth#Information_security) measure, in the form of response headers, that let the browser know what is allowed and what is not. Browsers will respect the rules defined by these headers and thereby protect visitors from client-side attacks and potentially leaking sensitive information.

For the last couple of months, we've been working on a Rust implementation of the Precision Time Protocol called Statime ("statim" is Latin for immediately), and we're proud to announce the completion of the first phase of the project.

When iHub's Bernard van Gastel asked us to help them start with Rust, we were somewhat surprised by their bold step but absolutely happy to assist. In this article we'll describe how we went about designing a workshop for the iHub team.

It is no secret that we at Tweede golf love Embedded Rust, you can read about it in our other blog posts. But we thought it'd be fun to hear from the community too!

Last September, at the start of my internship at Tweede Golf, my tutors gave me a LoRa-E5 Dev Board. My task was to do something that would make it easier to write applications for this device in Rust. Here's what I did.

When you enabled Google Analytics (GA) on your website maybe you thought "I don't really have another viable option". Or maybe you thought "the negative effect on my visitors isn't that bad, is it?" Both are relatable, but recently Data Protection Authorities have put GA under a microscope and concluded it actually is pretty bad. Some things in GA violate the GDPR. Apart from the question of whether it is legal or not, the fact that your visitors are tracked across the internet - we feel - is just awful. And, as it turns out, you do have options.

Over the past months, we have worked with Scailable to optimize their neural network evaluation. Scailable runs neural networks on edge devices, taking a neural network specification and turning it into executable machine code.

It's time for another technical blog post about async Rust on embedded. This time we're going to pitch Embassy/Rust against FreeRTOS/C on an STM32F446 microcontroller.

Let me introduce myself, I'm Dion Dokter, 24 years old (as of writing) and the newest member at Tweede golf (TG). I've always been into computers and started writing desktop software and games in 2013, embedded software in 2015, and started with Rust in 2019.

In our last post, we've seen that async can help reduce power consumption in embedded programs. The async machinery is much more fine-grained at switching to a different task than we reasonably could be. Embassy schedules the work intelligently, which means the work is completed faster and we race to sleep. Our application actually gets more readable because we programmers mostly don't need to worry about breaking up our functions into tasks and switching between them. Any await is a possible switching point. Now, we want to actually start using async in our programs. Sadly there are currently some limitations. In this post, we'll look at the current workarounds, the tradeoffs, and how the limitations might be partially resolved in the near future.

Previously we talked about conserving energy using async. This time we'll take a look at performing power consumption measurements. Our goal is first to get a feel for how much power is consumed, and then to measure the difference between a standard synchronous and an async implementation of the same application.

Most of our web applications use either Node.js or Symfony for their server-side part. Both offer a lot in terms of productivity. But every now and again, when you look at the computing power used or the amount of time a simple HTTP request takes, you can't help to think "what if..?".

Sending documents over the internet can be a pain. Email providers generally support attachments with a maximum size between 10 and 50 MB, for larger files one would need to find another way. Most people would probably use one of the many public cloud or file sender solutions. But what if the files to be sent contain personal information, medical information or are private family photos? And how do you know that only the recipient can access and download these files?

CI/CD (continuous integration/continous deployment) is a proces where developers integrate new code into the main branch in regular intervals (preferably several times per day). Using CI/CD allows us to get up to a quick iteration pace and gives us a way to gather feedback quickly.

To more effectively write Embedded Rust applications, we want a clearer picture of two aspects: how can we ergonomically perform multiple tasks concurrently, and how can we exploit low-power modes to save energy. In the coming weeks, we want to write a small but non-trivial application that communicates with 2 sensors, uses async, and uses the low-power modes to conserve energy.

In embedded systems, energy efficiency is crucial for practical applications. Usually devices run on a battery, so the less energy you use, the longer the power supply will last. In this post we'll look at the basics of going to sleep and waking back up, and build a proof of concept using the nRF52840 development kit.

It is common wisdom that one should avoid implementing their own cryptography if at all possible. This is generally good wisdom as writing correct cryptography code can be very tricky and takes quite a bit of time to get done right.

As owner and technical lead of our company I'm very motivated to keep up to speed with all new developments and to continuously innovate our tech stack. Nevertheless, every once in a while I find myself lacking in in-depth, hands-on experience in languages and tools I really want to be on top of. At that moment, I know I need to hit pause and take the time for a deep dive, in the form of a personal learning project.

You might have seen the logo above on your identity card or passport. If you have it on there, then your card contains a NFC chip that allows it to be read by a computer. This way airport customs is supposed to more securely determine if your passport is really yours. But of course we could also try to read it ourselves with our own NFC reader.

David is Tweede golf's newest addition, and not just any addition, he combines his work as a software engineer with a PhD in theoretical high energy physics. Specialized in the field of privacy and security, David brings a lot of knowledge to the team. For 2021 we were on the look-out to strengthen our expertise in this domain. David joining the team is just that!

KubiKey as a project started out with one main goal: streamline and make more secure the process of accessing the kubernetes cluster used by Tweede golf.

Welcome to the age of communication. It's 2021 and technology has come a long way. People, large machines and small devices communicate more intensively than ever before, and many technologies to enable them to do so have been developed. Some of those technologies use physical pathways like fibreglass to reach their receivers, others use radio signals to send messages. It's these wireless communication technologies that spark the imagination the most.

Concurrency isn't easy and implementing its primitives is even harder. I found myself in need of some no-std, no-alloc Rust async concurrency primitives and decided to write some. I kept the scope small so even you and I can understand it. Even so, it still involved futures, wakers, atomics, drop and unsafe. I'll introduce each of those to you while building a simple primitive. At the end, you will be able to implement your own primitives!

With the current pandemic situation, it is hard to hold meetings at an appropriate and safe distance. Looking for secure alternatives, our local city government approached Tweede golf with developing a novel authenticated variant of videoconferencing, with the intention of holding city council meetings using this solution.

Recently, we worked on an embedded (STM32) project in Rust and we got some hands-on experience with the abstractions commonly used for that. There's embedded-hal, which offers abstractions related to timing, GPIO pins and common communication peripherals like SPI and USART. There's also multiple stm32xxx-hal crates which offer abstractions over most of the peripherals of different STM32 CPU families. Although many of them were nice to use, we found some parts to be lacking and we'd like to propose some potential improvements to embedded-hal and its implementing crates.

If one person at Tweede golf is a Rustacean, it’s definitely Wouter. Whether it’s about web, embedded, or even games: he tried it. And probably not just tried it, but prototyped, created, documented, presented, and nailed it. Just take a look at Wouter’s GitHub page[1]. He’s also engaged in the Rust community as an organizer of RustFest, member of the Dutch Rust foundation, and as maintainer of several open-source crates. He believes that Rust is well on its way to perfection.

Augustus 14, 2020

Functional Rust? (4/5)

Lars started at Tweede golf about a year ago. We lured him in with the prospect of working on a cool embedded project in Rust. Since then he clocked a lot of Rust hours on it and on a research project we are running. Still, he manages to astound us with critical notes on Rust. Rightly so? Let's just say interviewing a functional programming purist like Lars gives us a lot of new perspectives around Rust.

Marlon is the rookie at Tweede golf, joining us a few months back. He started out with Rust not too long ago and is therefore the guy to talk to about his learning experience with Rust.

Juli 31, 2020

Rust wide web (2/5)

Ruben has experience with a lot (and I mean a lot) of programming languages. When I asked which ones, he could name 21 off the top of his head. He loves experimenting with them, seeing what each can and can’t do. What makes a language unique? What can one language do better than the other? Why was Ruben the one to first evangelize Rust within Tweede golf? Let’s ask him!

The Dutch government offers the AHN [1] as a way to get information about the height of any specific place in the country. They offer this data by using a point cloud. That is, a large set of points with some additional meta information. With the current version of the AHN the resolution of the dataset is about eight points per square meter. This results in about 2.5TB of compressed data for the relatively small area of the Netherlands. While this is something that is not impossible to store locally, it does offer some challenges.

First-up is Henk Dieter, backend developer at Tweede golf. He has been interested in Rust for quite some time. Actually, it’s how Henk Dieter found out about Tweede golf, as it was one of the first companies in the Netherlands to adopt Rust as their weapon of choice.

In June 2020 Rust was voted Stack Overflow's Most Loved language for the 5th (!!!) year running. Stack Overflow is a leading resource for developers and its yearly developer survey the primary source for developers' preferences.

Typically embedded devices are developed using C++. At Tweede golf we have chosen to use Rust instead for implementing our embedded devices. This is controversial as the embedded hardware field is generally quite conservative. Convincing our clients to adopt Rust for their products can be a challenge.

The API documentation of cloud storage providers can be quite intimidating. If you are simply looking for a few straight forward storage actions these extensive APIs might seem a bit overkill. Another hurdle is that storage providers define their own distinctive APIs.

Rust is nice for a lot of things. At Tweede golf we've been using the language primarily for high-performance web applications. But that's not all Rust can do. Rust can be used to write embedded applications as well.

The point of setting up a miniservice architecture is to enable horizontal scaling, improve reusability and to speed up development by separating each domain into an independent application. Miniservices depending on a database pose a number of challenges. We'll explore a couple of them.

Embedded software has an issue that most software doesn't: It can be very hard to get it patched. Sometimes a device hangs 5 meters high on a street light in the middle of a highway in another country. Sometimes a device is attached to a customer's heart. Sometimes strict validation requirements make changes to the software very expensive. In each case it is important to build software that doesn't fail, even in unpredictable conditions.

Imagine this: you have made the wise choice of taking the monolith-first approach, setting up an application. You have read my previous article about the pros and cons of miniservices. And now, the time has come to start the transition to a miniservice architecture. How do you go about that?

De verhouding tussen groen (bomen, struiken, gras) en grijs (bebouwing, tegels, straat) is door de jaren heen verslechterd, met name in de steden. Weinig groen kan voor veel problemen zorgen, zoals slechte opname van regenwater en het lang vasthouden van hitte waardoor het in de stad een aantal graden warmer is dan daarbuiten.

Tweede golf has built quite a few big web applications over the last ten years. One of our specialties being the development of Symfony applications, some of these applications have become massive, with a lot of separate functionality baked into a single monolith. For now, this situation is being contained as we've been strict about minimizing technical debt. In practice, however, it's extremely hard to completely avoid accumulation of technical debt, which is one of the reasons we have started looking into introducing microservice architectures into our projects.

One of our clients helps companies in becoming GDPR-compliant. A goal is to recognize sensitive pieces of user data in a big pile of registrations, receipts, emails, and transcripts, and mark them to be checked out later. As more and more data is collected by companies, finding and eliminating sensitive data becomes harder and harder, to the point where it is no longer possible for mere human employees to keep up without assistance.

At Tweede golf, we’ve been visiting meetups and conferences throughout the years. As we have high hopes for Rust, and a strong personal adoration for the language, we decided on hosting our own Rust meetup and starting a Rust Nijmegen group.

In onze eerste blog over Team-as-a-Service (TaaS) las je dat we ons met ons 'Hire a Team'-concept met name richten op start-ups en scale-ups die tech first denken, hart hebben voor goede software en weten hoe het balletje rolt.

We often get the question how productive working with Rust is. "We know that it is awesome, but isn't it hard to learn? Don’t you struggle with the borrow checker?". Well, we put it to the test in Google's Hash Code 2019 programming competition.

At Tweede golf I've been working with Rust a lot lately. My interest in Rust has been there for years, so I was very happy to start applying it in my working life, about a year ago. Since then I have worked with Rust both for our clients as well as employing it for our operations setup. I have also experimented with Rust for web \[1\]. Until now however we did not contribute to the Rust ecosystem. About time that we get our feet wet and publish our first crate!

Progressive Web Apps have been around for a while and we - being the eager, happy web devs that we are - have already incorporated them in our standard practices. Faster loading times, offline availability, full-screen, notifications. Great.

Je bent de technische eindbaas, CTO of anderszins tech lead, en je hebt net een stevig softwaretraject achter de rug. Je had bij aanvang alles goed neergezet en je team goed voorbereid. En toch, gaandeweg bleken niet alle technische keuzes even goed uit te pakken en was er vaak extra effort nodig. Stakeholders werden ongeduldig en toonden steeds minder begrip. Herkenbaar?

September 3, 2018

Rust als webplatform?!

Wat is over 5 jaar het winnende open source webplatform? Inmiddels begint PHP - ondanks PHP7 - zijn ouderdom te tonen. Alternatieven als NodeJS zijn wel werkbaar, maar in lang niet alle scenario’s geschikt. We vertellen je graag waarom wij denken dat Rust de nieuwe speler kan worden voor high-performance applicaties op het web.

Je ziet het de laatste tijd steeds vaker: tech bedrijven die bewust kiezen voor het inhuren van een Nederlands development team, omdat - laten we het neutraal stellen - de ervaringen met offshoring niet onverdeeld positief waren.

Als je, net zoals ik, heel graag (lees: bijna dwangmatig) wil maken/bouwen/coderen, dan stopt dat natuurlijk niet als je de deur van kantoor achter je dicht trekt. Ook als ik niet bij Tweede golf ben is er altijd wel iets waaraan ik bezig ben. Mijn meest uit de hand gelopen pet project is toch wel mijn home-automation-system. Mijn appartement is inmiddels behoorlijk slim. Met microservices en al.

Is jouw auto tiptop onderhouden of stel jij een reparatie liever uit? Dat laatste is een risico. De kans is groot dat je auto kuren krijgt. Van vreemde geluiden tot onderdelen die het spontaan begeven. De snelweg kan ineens een serieuze uitdaging zijn.

Client-side rendering versus server-side rendering. Wat zijn de voor- en nadelen van beide methodes en hoe kun je het beste uit beide combineren? En wat zijn hiervan de consequenties op verschillende niveaus?

Het is al zeven jaar geleden dat Marc Andreessen onderwees "Why software is eating the world". Als het toen al niet duidelijk was, dan is het dat nu wel: softwarereuzen knabbelen voortdurend aan traditionele branches en soms gaat het met een minder subtiel, hap-slik-weg. Als het niet Google, Facebook of Apple is, dan zijn het wel "kleine" broertjes zoals Netflix, Airbnb, Spotify of Uber. En als die het niet zijn, dan staan er nog tienduizenden tech start-ups klaar om de wereld beter te maken met een nieuw stukje software.

Bij Tweede golf werken onze development teams altijd nauw samen met een product owner van de klant. Hoe beter de samenwerking, hoe beter het resultaat. Waar zou de ideale product owner volgens ons aan moeten voldoen? Hieronder vijf tips voor de ideale PO m/v.

With the start of the implementation of the WebRTC API around 2012, javascript developers gained access to the video and audio streams coming from webcams and microphones. This paved the way for augmented reality (AR) applications that were build solely with web technologies. Using webtechnologies for AR is also called “the augmented web”.

Februari 16, 2016

React and Three.js

In the autumn of 2015, we got to know the popular javascript library React very well, when we used it to create a fun quiz app. Soon the idea arose to research the usage of React in combination with Three.js, the leading javascript library for 3D. We've been using Three.js for some years now in our projects and we expected that using React could improve code quality in 3D projects a lot.

We all want our 3D visualisations to be as real as possible. A basic premise seems to be that they adhere to the laws of physics. No small feat! Or is it? We decided to give it a go during a two-day programming contest. Our team's idea was to develop a web-based game where the user cycles around and has to avoid crashing into cars. To create the game, we needed a physics engine.

In 2014 we won an innovation grant from the province of Gelderland based on our proposal to provide 'intelligent' gardening advice to users of Draw Your Garden (Dutch: Teken Je Tuin). We created this web application for one of our clients and we have been gradually expanding it since its release. In the app users can both design their garden and view it in 3D as well as order products and contact gardeners, who in turn can submit proposals based on the users' design.

The Collada format is the most commonly used format for 3D models in Three.js. However, the Collada format is an interchange format, not a delivery format.

Follow up post on point light shadows in Three.js.

At tweede golf, we value innovation: we take the time to research new technologies and subsequently challenge ourselves to try out these new techniques in order to discover new applications. We also like to learn by doing: build something first, ask questions later.

For a research and development project we created a small garden environment in which you can place lights. The objective was to visualise what your garden would look like during the night, beautifully lit according to your personal light design.

April 17, 2015

Threejs rotations

In this post we create a first person 3D setting, and we use rotations to accomplish this.

April 3, 2015

WebVR and Three.js

Let's start simple. Our first WebVR application is a big cube in Threejs and a simple 3D scene floating inside that cube. The 3D scene consists of a transparent floor with a few simple rectangular shapes placed on it.

Maart 4, 2015

VR, HMI and HCI

A revolution in human-machine interaction? Virtual reality (VR) and augmented reality (AR) have received a revived interest due to the development of devices like the Oculus Rift and Microsoft's Hololens.

Nowadays most VR applications are native games that are developed with tools like Unity and Unreal. These games have to be downloaded from the regular app stores, or from other app stores that have been set up by manufacturers of virtual reality headsets, like the Samsungs Gear VR app store.

The history of virtual reality (VR) dates back to the 1950's. Since then, a lot of - sometimes quite exotic - devices have been developed.