POODLE yips: In what was a glorious nail in the coffin of SSLv3, the POODLE vulnerability(PDF) made sure no one would trust SSLv3 again. The simple fix is to turn off SSLv3 where its used. The bug itself is bad in terms of cryptography, in that it gives an attacker a route to completely decode a stream that has been encrypted, but in practice its not as bad because the attacker has to be a man in the middle to get started. So, using SSLv3 from the open Wi-Fi at the fast food cafe, a bad thing. More worthwhile reading includes Imperial Violet’s explanation and Zmap.io’s guide to disabling SSLv3 in servers.
Chasing Tails: The Tails Live Linux distro, which tries its level best to be an bootable anonymous secure distro, has had an update to Tails 1.2. In the wake of the POODLE hole, it’s switched over to Tor Browser, dropping the IceWeasel, and that change also happens to close its POODLE vulnerability. There’s also Tor and kernel updates and various other minor changes. If you use it, just upgrade.
Docker tightens security: Docker 1.3 has landed, or more accurately Docker Engine 1.3. Highlight is digital signature verification of repositories of images, albeit as a tech preview of the feature. A production option also lets you set SELinux and AppArmor profiles from the command line. Other goodies include the ability to inject a process into a running Docker app so you can wake up a shell when you need to debug something, create and start commands for containers (on top of existing the all in one run command) and most usefully to me at least, shared directories on Mac OS X. The more interesting (as in get the popcorn) move from Docker is its partnering with Microsoft with a long term goal of making Docker run on Windows containers, not just on an a VM with Linux inside. Big challenge there as Microsoft have to basically get cgroups and more onto Windows Server.
Redis Clustered: The Redis key/value cache and store has pushed a release candidate for Redis 3.0.0 out. This is a rather important release as @antirez explains in his blog, it’s the first version with Cluster support, a long in-development feature, which has reached “minimum viable product” level and is stable enough for testing.
First of all a catchup on some of my making. I presented a short talk at Oggcamp 2014 on using the 1Sheeld with an Android phone to make experimenting with Arduino much simpler. The 1Sheeld sits on Arduino’s serial ports and using Bluetooth, talks to an Android phone app. The app is able to emulate a whole range of devices, like keypads and LEDs, and sensors, such as gyroscopes and barometers, and act as a proxy to web services like Twitter and Facebook. You just click on the things you need active and write code for the 1Sheeld library that talks to the board and onwards to the phone.
The demo involved using a Nexus 5’s gyroscope to roll a pixel around an Adafruit Neopixel shield and you can check out that code for that on my Rollapixel page on Codebender.cc. Want to see that working? Here’s a bit of video:
Big shout out to the Codebender.cc folk as they have the 1Sheeld libraries and examples all online as part of their splendid online IDE – it’s great to be able to cut code without spending time wrestling Java and the Arduino IDE into shape and even better to be able to quickly share it.
Other devices I’ve been playing with recently….
The ODroid/W Raspberry Pi-clone: Lovely bit of work by the HardKernel folk. It’s built to go into those smaller devices that the Pi doesn’t address, has LiPo battery support, real time clock and it’s well compact. That Broadcom cut off the supplies is more a worry for Pi owners as it looks like your locked into a Pi Foundation organised ecosystem. The HardKernel folk still have their tiny quad core ARMs like the 4core Odroid/U3 and octocore Exynos-based Odroid/XU3, one of which is mounted behind a monitor here (the smller one).
The Light Blue Bean: A small BLE/Arduino compatible… the software’s a bit hairy and Mac OS X/iOS centric at the moment but its a little board with a lot of potential. The ones I have will probably all end up being turned into iBeacons at some point.
The Metawear wearable: Andother BLE/ARM-core controller combo, this is really tiny, so much so I’m not brandishing a soldering iron near it till I get some really tiny tips. Waiting to see where the creators go with it as the world of wearables is, well, odd.
Bashed: So the Bash bug is out there and real. These quick notes are still valid. The point is that this hideous feature (really, exporting function definitions through environment variables) is horrid and leaky by design and it’s only this bug in how that feature is implemented thats bringing it to the fore. CGI scripting, Qmail, some SSH and DHCP services are all potentially vulnerable, so patch away but be prepared to patch again because the lid is off this can of worms. Safest end point is, most probably, that the functionality goes away, but thats unlikely and even if it did there’ll still be old bash installs out there. Least helpful response – the FSF statement which fails to apologise and then pats itself on the back that free software let the patches be shared and then rattles the donation tin. Funniest response – Brian J Fox, Bash creator, quoted in the NYT joking his first response was “Aha, my plan worked”.
Security in a Qube too: The Qubes OS developers have been working away steadily on their virtualisation-compartmented desktop operating system and now Joanna Rutkowska has announced Qubes OS Release 2. The OS is now described as “a powerful desktop OS” rather than a proof-of-concept, and to reinforce that, Casper Bowden, is joining the advisory board for Qubes to see if it can be brought to a wider world. If you’ve not met Qubes, imagine a desktop Linux where each app or group of apps are run in their own virtualised sandbox while the OS works to make it easy for the user to not be bothered by that. If you were looking for a “post-Snowden” OS, Qubes should be on your list – check the site for downloads, resources and white papers explaining whats in the OS.
Linux from Scratch: You may, “post-Snowden” want to go through every bit of code is in your running systems. One place to start there is Linux from Scratch which takes you through assembling your own Linux system (and automated or hardened versions) from component parts. It’s just been [updated to LFS version 7.6], along with updated to Beyond Linux From Scratch (BLFS) and systemd editions of LFS and BLFS.
RethinkDB 1.15: NoSQL… no come back… Cool NoSQL database RethinkDB just got updated to version 1.15 getting a huge set of geospatial functions to add to its already interesting suite of functions. There’s also server-side UUID generation and performance boosts through lazy deserialisation.
Material world: Some folks love Google’s Material look and feel. Well, now they can have some of that on thje web with Bootstrap Material Design, a Bootstrap theme what brings the stylings and gives a nice flat look to apps.
Finally: Via Adafruit, a picture of Grace Hopper teaching COBOL.
HTML5 getting closer: Over at the W3C the HTML5 spec has got close with the publication of the Proposed Recommendation of HTML5. By the end of the year, HTML5 will, according to the activity statement and barring madness, be a W3C recommendation. Then it’ll be onto the HTML 5.1 track as it sees a Candidate Recommendation out at in early 2015 and wrapping up in a recommendation at the end of 2016.
Rust 1.0 nears too: Mozilla’s Rust language is about to head into the final straight as plans are laid out for 1.0. Expect a beta 1.0 by year end and a release after that. There’s been a lot of simplification of the language over the last year, but there’s still quite a list of things to integrate before that beta lands, like dynamically sized types, a new closure design, associated types, where clauses and more. Unless you’re a language fan wanting to watch a language evolve, Rust has been interesting by not one for adoption – when 1.0 arrives, we’ll be able to see how it performs and what it finally offers.
Playgrounds examined: Apple’s Xcode Playgrounds are an interesting development for developers in that they are super-interactive environments for trying out code. The folks over at Big Nerd Ranch had a look inside a .playground file (it’s a directory really) to see how the Swift environment is built and looks at how to turn them into a presentation tool for code teaching.
Other Bits: Wayland and Weston updated to 1.6.0, Joyent has some Patterns and other tips for Node.js developers and mess with animated SVG at the SVG Circus,
Node.js synchronously: Node.js is sweet if you can adapt to the asynchronous model of start thing, say what you want to do when its done, do everything else anyway. Good for web request handling but bleh for trying to emulate a shellscript. Turns out that in Node.js 0.12 (coming soon? anyone? Bueller?) we get synchronous child processes to now you can run that curl or find or whatever and just wait till its returned with its results. The folks at Strongloop have written about these synchronous child process methods and how they make writing command line utilities in Node easier. Check it out Noders.
Serviced Polyfills: Polyfills fill gaps in browser functionality and standards compliance. The older the browser, the more Polyfill you need to fill the gaps and the newer, the less. But it gets hard working out how much Polyfill you are going to need. Fear not, as Samuel Giles at FT Labs has an answer, “Polyfills as a Service“. Add a simple script tag pointing at a source from the polyfill.io content delivery network to your pages and whatever browser views your page, it gets the polyfill it needs. This is because the system sniffs the browser agent and works out the best set of polyfill based on that. Neat idea, potentially very handy – and you can run your own private version if you need to.
Spark sparks: Apache Spark just got a 1.1 release. Spark is Hadoop data processing engine which can run on YARN-based Hadoop clusters or in standalone mode. Spark 1.1 improves the performance (and they already say they are up to 100 times faster than Hadoop MapReduce) and has SQL layer enhancements. 1.1 also adds more statistical functions, can take steaming data fromAmazon Kinesis and pull data from Apache Flume and more. If your into clusters and data crunching and haven’t looked at Spark, you might want to look into it.
Tangram Mapping: Do you want to render cool 2D and 3D maps? Check out Tangram, a Mapping Library then as it is building out from a WebGL implementation to other OpenGL platforms to make oodly cool dynamic map renders. Very slick.
SHAaaaaaa!: We mention the Google sunsetting of SHA-1 the other week. If you were unsure why this was important, can we send you off to Why Google is Hurrying the Web to Kill SHA-1 which explains why it all and includes a brief history of collision attacks in the wild.
ECMAScript 6: It’s coming, for mid 2015, and its full of features. In this (https://www.youtube.com/watch?v=G21rdWfa_as), Alex Rauschmayer talks about all those features. If you prefer slides they are available too. It covers most of the language features (skipping promises and proxies), outlines the timetable for standardisation and how you can use ES6 features now. Bonus link, do checkout his blog.
Policy and Scala: Scala has been forked, and forked by one of its most active contributors. The fork, called Policy, is one of those forks which hopes to be folded back into the original because “The leadership of scala has shown itself unfit stewards of the core technologies and the total price paid by scala programmers (actual and potential) is too high. I failed for half a decade to change that from the inside. Now I’ll try from the outside”. The initial reception seems positive and the Hacker News thread is full of background. One to watch.
More JSON in Postgresql: Postgresql has some neat JSON support built into the database, but one developer wanted it somewhere else – in the logs. Michael Paquier shows how to make Postgresql emit JSON logs hooking in a JSON log function at runtime. The code can be found on GitHub in a repo of other plugins. Why JSON logs? Well, it does make it easy for a JSON aware system like Elasticsearch to analyse and search those logs.
SHA-1 Sunset Now: Back in 2005, SHA-1 was tagged as “weaker than it should be” as a crypto algorithm and its only got worse since them. So people are slowly stopping its use. Google has just announced its SHA-1 sunset which begins this month with Chrome 39 flagging sites with SHA-1 signatures that expire in 2017 and beyond as ‘secure with minor errors’. By end of 2014 that window will expand into 2016 and in 2015 those sites will come up with an straight error. Of course, thats just the Chrome and Chromium browsers… Google will have plenty of engineering to do to completely remove SHA-1 from their systems. Next time your doing crypto work, remember to have un-SHA1-ing on your todo list.
Let’s go fly a Kitematic: There’s plenty of command line tools for Docker and command line driven ways to run it on Mac OS X. The latter’s harder because you need to run a VM and load it with an image and… well there’s boot2docker to help but… Enter Kitematic which takes the previous tools and rolls them with a neat UI and some extra neat tricks to make it a lot easier to start playing with the idea. Among those tricks are things like automatically creating an [appname].dev DNS entry so you can quickly connect to your new apps when they are up and running. If you like to run GUI tools alongside terminal sessions on your Mac, you might want to give Kitematic a go.
Versioning wars: Yes, people are arguing on the Internet and this time its over versioning. Some years back, Semantic Versioning appeared and set out some rules for when to bump the major, minor and patch numbers in a version number to embue it with some meaning. While this works for libraries where the consumer is often another program, it works less well with code to be consumed by people. The argument starts on Underscore’s Github where breaking changes as fixes were causing friction over what the version should actually be. This spilled out onto Hacker News which lead to the suggestion that “Semantic Versioning Isn’t” and back to HN where people continued to disagree. But it did get Fear-Driver Versioning (ferver) and the idea of romantic versioning a moment in the sun. From what I see, SemVer works but it does require discipline and transparency from the developers and the consumers of that code. Still… Developers eh?… because those bike sheds won’t pick what colour they are going to be by themselves.
Old School on a Pi: Want to run old school stylee? We’re talking Unix V5 here. Matt Hoskins has updated his 2005 presentation on how to do this (think PDP emulation and similar) so you can now do it all on a Raspberry Pi. Read on to learn the true old ways of Unix.