mahdi

A Nigerian startup launched their app. Built a clean OTP flow. No rate limiting on the SMS endpoint. Shipped it. Within 48 hours, their Termii balance went from ₦150,000 to zero. They woke up to failed OTP delivery complaints from real users. Checked their logs. Someone had been hitting their /send-otp endpoint in a loop with thousands of requests sending SMS to sequential phone numbers that were not even their users. This is called SMS pumping fraud. Here is how it works: • Fraudsters find your open OTP endpoint • They send requests to thousands of phone numbers, sometimes numbers they control on premium routes • Every successful SMS costs you money • They get a cut from the carrier. You get the bill. It is automated. It runs while you sleep. The fixes that would have stopped it entirely: • Rate limit by IP: max 3 OTP requests per IP per hour • Rate limit by phone number: max 3 requests per number per 10 minutes • Add a minimum delay between requests • Implement CAPTCHA or device fingerprinting on the frontend • Alert yourself when SMS spend spikes above a threshold None of this is complicated. All of it takes less than a day to implement. That startup lost ₦150,000 in two days and had to shut down OTP entirely while they fixed it. Their users thought the app was broken. Some never came back. The breach was not dramatic. No hacker. No sophisticated attack. Just an open endpoint and a bot. Secure your OTP flow before you launch. Not after you've learned the hard way.

There is a developer in Nigeria right now. Coding by generator light. Buying data 1GB at a time. Getting rejected by companies offering ₦80k. Being told they're not experienced enough. Watching their mates abroad earn 20x their salary for the same skill. Still opening their laptop tomorrow morning. That is not desperation. That is the most elite form of discipline on earth. And the world hasn't paid them what they're worth yet. But it will LETS GOO🚀

This is a huge unbounded query on a 70M row table. I wouldn’t run it as-is. I’d break it down step by step. 1. Understand the use case - Does the UI really need 6 years of data in one call? - Can we limit the range or paginate? 2. Check indexing Make sure there’s an index on the filter INDEX(created_at) or better if combined filters exist INDEX(created_at, other_filters) 3. Avoid returning massive payloads - Add pagination / cursor-based API - Or return aggregated data instead of raw rows 4. Consider partitioning If this query is common - Partition by date (created_at) → Only relevant partitions are scanned 5. Precompute / cache For reports: - Use materialized views / summary tables - Or cache results (Redis, etc.) 6. Async processing If it’s a heavy report - Trigger a background job - Return a report ID / download link

GitHub stores millions of repositories the same way they exist on our local machine - literally as git repositories. Nothing very special. Instead of one copy, GitHub stores at least three copies of every single repository to make sure the code is never lost. This replication system is called Spokes at GitHub. When we push code, the write is not accepted unless a strict majority of replicas - at least 2 out of 3 - can successfully apply the change and produce the same result. Interestingly, the system watches real application traffic to detect failures. If three requests in a row fail to one of the servers for a repository, that server is marked offline, and traffic is routed to other replicas within seconds. No heartbeats needed - just monitoring the real user operations. Each replica lives in a different rack. When an entire rack goes down, repositories remain available because the other copies live elsewhere. And when repairs are needed after a server failure, the whole cluster helps out - the bigger the cluster, the faster it recovers. Spokes refuses write operations that it cannot commit to at least two places. This ensures that when your push succeeds, your code is already safe. This is also why GitHub rejects pushes during partial outages. Reads might still work, but writes fail because the system refuses to risk losing data. This is pretty much how GitHub stores repositories and, more importantly, prefers a simple design with consistency over durability and availability. Hope you also found it interesting.