Sometimes I blink and it’s 5 am already. The whole night goes by without my notice because I get so enthralled in my projects. It’s always “Just one more class” or “Just one more test” I tell myself, but that is rarely the case.

Quantitative Analysis

You’ve heard of augmented reality? I’m actively developing augmented trading. Canada’s IIROC is tightening what retail trading algos are allowed to do automatically1, so completely unmanned and automated trading through a retail brokerage is not possible here. That’s actually inconsequential because an honest, TA-driven always-profitable algorithm likely doesn’t exist (as it is the Holy Grail of Quantitative Analysis).

That is not to say that algos are unable to aid in trading. Imagine algos that pour over real-time and historic data looking at what a sector is doing, how a FANG2 security affects the share price of others in the sector, what the candles suggest is coming, what trading pairs may exist, which stock share prices have risen too fast in vain on low volume, which securities are trading above average volume, and the like. Having such a powerful ally would improve the trading odds like having a Mr. Spock or a Data as a member of your crew. I go into more detail about my projects here.

Automated Cloudflare APIS

I like making APIs I can reuse and build on. For example, I have several convenient Cloudflare-related APIs my sites uses for cache control and even security. I don’t have to lift a finger to log into Cloudflare to manage my sites. That’s goal – peace of mind through well-designed automation.

Instant messaging APIs

Being notified in real-time about sales or web-site conversions just puts a smile on my face. My biggest choice is deciding how to me notified. I have convenience APIs for LINE, Twitter Direct Messages, ICQ (how can you not love that uh-oh sound?), and Facebook Messenger (and of course email). For example, when a given site runs into a rare 500 error, a LINE message will be dispatched. A sale? Twitter Message. I’m under attack from a click-fraud campaign? I’ll get a message for that too, and my bots will take care of defense and notifying Google.

PhantomJS APIs

I love PhantomJS. There are tasks I want it to do, like take screenshots or run performance checks on sites, with a RESTful invocation. I have PhantomJS running on physical machines and on cloud servers (paid and free). All of them are controlled via a single API that conveniently runs the given tasks. For example, when one server is busy, another can “bid” for the job (Think ps aux --sort -rss). This way PhantomJS power is always available for my projects.

Security monitoring bot

Who likes being hacked via some WordPress vector? At the outset I’ll confide that I keep WordPress installations locked up on hidden servers and rsync static generated HTML files to public servers. The sites I oversee get a lot of URL requests crafted in vain to capture the precious wp-config.php. My systems monitor log files for telltale 404 responses, and additionally monitor the latest modified directories and files. System processes are monitored too. Only the most dire of alerts are sent to me via a messaging API above, and an at-a-glance display summaries this information when I log in. This is one of my favorite systems that runs automatically on my servers and again provides peace of mind.

Personal Shell Script

Whitehat shell script
Whitehat shell script

If I’m on my iPad or somewhere when I need to get shell-level access to my server files, I’ve got that covered. Here’s a good story: I reverse-engineered a very naughty backdoor shell script3 I chanced upon on Stackoverflow. This thing is so dangerous that my virus scanners go berserk when the source code is pasted into a text editor! Additionally, network OSWAP scanners just drop the connection when this script is accessed remotely (and thankfully so). It was quite an adventure just to explore it. In a sandbox I de-weaponized it and removed the malicious bits (proxy, password brute-forcing, passwd scanners, etc.), and cleaned up and refactored much of it, plus now it looks pretty as source code. It is now doing something useful for humanity.

Even with all my efforts, OSWAP scanners still flagged my initial shell script. That’s because of the base64-encoded payload that is rightfully suspicious. How did I get around eventually eval’ing a massive block of base64 code? That’s a trade secret. I don’t want this method to get out because there are practically zero ways to scan for this and it isn’t suspicious at all. The upshot is I loved working on this whitehat tool, and it again makes my life easier because I can access the shell on my server from anywhere.

Static HTML Site Tools

I’ve created a whole set of tools for making WordPress sites static and minified. I have a smart load-balancing script that evenly separates assets into two domains, e.g. and regular for parallel downloading. This script runs after a crawling script parses HTML, JS, CSS and JSON to collect URLs to be rendered into static content. One of my favorite tools is an image lazy-loader script that generates base64-encoded image strings tailored to the size of the original image. Here is an example of a compressed, 1100×132 transparent image used as the initial image:

This way smooth scroll functions on anchor links will always scroll to the correct anchor position. These are mostly based around WordPress, but many of my tools are independent scripts, like APIs, that can be called and used from all kinds of CMS platforms.

With these tools, I try to keep performance above 90% according to one set of tools. For example, on my personal site, I can achieve this result:

Eric Draken speed test
Performance tests on this site


  1. See IIROC rule 3200
  2. Facebook, Apple, Netflix, Google(Alphabet)
  3. Not this exact script, but a script similar to it. The original post has been deleted.