Snippets: Tails, Vim 7.4 and Wi-Fi SD hacking


  • Not Telling Tails: If you need to cover your tracks on the internet and locally, then Tails (The Amnesiac Incognito Live System) will help as its a Debian GNU/Linux distribution with built in Tor support and other privacy tools which doesn’t even leave local logs. Latest version is 0.20 and details can be found in the Tails 0.2.0 announcement.
  • Vim scrubs up: Vim 7.4 was released last week. Highlights are a new, faster regexp engine, a thousand fixes and small improvements according to the announcement on the developer mailing list which also contains links to the various versions and a reminder to contribute to the ICCF Holland to help children in South Uganda if you like Vim.
  • Wi-Fi SD Hacked : Want to ding into a Wi-Fi SD Card? This blog posting shows how to get into the embedded Linux system on the card all the way to a remote shell. There’s a lot you can pack into an SD card.

Random issues on Android


Random numbers are hard to get right and it appears that faith in the word “Secure” in front of the word “Random” has tripped up developers again, this time with Bitcoin wallets on Android. Those developers have now been alerted to the fact when they are generating a random number to sign Bitcoin transactions, that random number isn’t of high enough quality and make it a lot easier to crack the signing.

These Android apps have been using the Java SecureRandom class as implemented on Android, which in turn took its code from the Apache Harmony project. As shown back in March by Chris Meyer and associates at the RSA Conference 2013, the Apache Harmony SecureRandom implementation is actually not very random at all. The less entropy there is seeding the random number generator, the more likely it is to generate the same random numbers and the more likely someone can use brute force in a reasonable time to crypto that uses those random numbers. With the Android implementation, most cases have an entropy down at 64 bits and in the worst case it goes as low as 31 bits.

But this problem does not apply to other implementations of Java’s SecureRandom: OpenJDK’s version shows “no obvious weaknesses” while GNU Classpath’s version is fine under normal load but does have some issues on heavily loaded systems. Even then, Meyer’s advice is to never use a PRNG (Pseudo Random Number Generator) in critical environments and rely on hardware entropy collectors and random number generators.

Snippets: PyPy.js, reBlink, Patch Tuesday


  • PyPy.js: Have you considered a Python JIT compiler in the browser? Ryan Kelly, a Mozilla developer, has and is porting PyPy, the Python JIT, to the browser using Emscripten and getting the JIT compiler to emit asm.js code. Asm.js is a subset of Javascript which has a specialised optimiser. It’s early days for PyPy.js, but first benchmarking of the proof of concept does show how much impact the Asm.js optimisations have on performance bringing the code to half the speed of the C based JIT.
  • Blink Now: Missing the <blink> tag already after Firefox 23 removed it? Brad Gessler has the answer with his “cooler native HTML tags” like shudder, correction fluid, outline, blur, blurrier, smear, rumble and shudder and even sparkle.
  • Patching: Remember, next Tuesday is your monthly patch day for Microsoft – The advance notification has 3 critical and 5 important holes to be patched in Windows, Internet Explorer, Windows and Windows Server.

Rust now on Rust


Rust, the alternative systems language that’s in development at Mozilla where they are using it to create Servo, a next generation browser, has just hit a huge milestone and entered into some turbulent territory. The runtime system for Rust, including a task scheduler written in C++, has now been replaced by a runtime written in Rust. Brian Anderson on the explained with a mailing list post that this was part of a huge rewrite of how Rust is going to handle I/O using libuv and stopping tasks that are blocked on I/O from blocking other tasks. The long-term aim is to make I/O very scalable in Rust. The task scheduler was in the way though so, they’ve redone that in Rust removing all the foreign function interfaces and making something that will be a lot easier to maintain and enhance.

But as with all big changes, there are ramifications. The work will need to be completed, the IO system fully implemented, regressions deregressed, performance pulled up to previous speeds and bugs fixed.  Anderson details the work that is going to be done in his posting and covers what is already in progress saying he expects it to “validate Rust in the domains it’s aiming for: concurrent and systems programming”.

Google adds patents to pledge but…

PatentsIconGoogle has announced it is adding 79 patents to its open source patent non-assertion pledge. Of course the pledge is limited only to things where the patents infringed are within the open source element … so no mixing a bit of FOSS into your proprietary application and hoping you’ll get coverage. Although there are 79 patents in the new batch, there aren’t 79 ideas in there. The count includes patents in each territory too, so take “Computer network for www server data access over internet” that patent is counted ten times, for Belgium, Canada, Switzerland, Germany, UK, Italy, Japan, Netherlands, Taiwan and the US. And that’s quite an old patent which will expire in the US in June 2015… do read it if you want a blast from the past with its OS/2 Warp systems and RS/6000s.

Anyway, counting out the double counting, I make it 38 actual different patents spread around the globe. The original ten patents in Google’s first pledge were all US patents related to MapReduce so this double counting didn’t occur. Let’s call the total number of different patents 48… out of Google’s estimated (inc Motorola portfolio) of, albeit patents for the same things in different territories, 18,000+ patents. Some folks call it a drip-feed but it’s more akin to open source patent homeopathy. The dilution is so extreme that it will make no difference to the problem and any improvement in the patient’s condition are unlikely to come from this treatment. Google should take a page from Red Hat’s book – their patent promise covers all their software patents, no lists, no donation dramatica.

Snippets: AOSP, Google Cloud, PuTTY, gNewSense and Mozilla updates


  • AOSP – Android’s open source problem: JBQ,  , announced yesterday that he was stepping down as Technical Lead for AOSP, the Android Open Source Project. The problem appears to be a combination of Qualcomm’s desire to keep control of it’s SoC drivers and Google’s inability to shake them of that view despite building Nexus devices which use Qualcomm chips. JBQ has found himself in the middle of this and recent tweets quoted by Android Police seem to bear out that the pressure was getting to the AOSP leader who was being blamed for not getting factory restore images of various Nexus devices out of the door. If Google can’t do it for their own devices, the questions about Android’s open source credentials will come to the fore.
  • Google Cloud: The platforms of the Google Cloud have had some updates. Google Compute Engine now has layer 3 load balancing as an option, with balancing over a set of healthy Compute Engine VMs in a region. Google Cloud Datastore now has an SQL styled Google Query Language, support for metadata queries and how-tos for Ruby developers. Over on Google App Engine, the company has also made improvements to the PHP runtime’s Cloud Storage along with other more general changes.
  • gNewSense: Version 3.0 of the “Free as in freedom” (no non-free elements) GNU/Linux distribution gNewSense is now available. The big change with this release is a switch from Ubuntu to Debian as the base distribution. It supports i386, amd64 and mipsel architectures (the latter being the CPU of the Lemote Yeelong notebook as previously used by Richard Stallman until it was stolen).
  • More Mozilla updates: Firefox ESR 17.0.8 also arrived earlier this week with 2 critical and 6 high severity holes fixed. Details on the advisories page for Firefox ESR and downloads page. Same set of vulnerabilities are also fixed in Thunderbird ESR 17.0.8 (downloads here). Seamonkey, the forgotten browser suite, also got updated to version 2.20 with the same security fixes and enhancements that were applied to Firefox 23. It can be downloadable by anyone who wants to recall the heady days of the all in one browser suite.

Amazon sets up shop for Web Apps

Amazon_120Amazon has announced that it will now be making “HTML5 Web Apps” available through its Appstore. But before you start packaging your web site into a commercial earner, there’s quite a few caveats to the term “Web App”. Firstly, the apps only come down the wire where there’s Appstore apps to sell them to you, so thats Kindle Fires and Android devices. No word on how the rest of the web is supposed to get access to these web apps.

Secondly, on Kindle, there’s a Chromium-based web runtime which apart from offering some of the usual HTML5 components and the ability to debug apps on-device, does seem to be missing out on webgl, ms pointer events, fullscreen API, camera and microphone access, accelerometer, geolocation, gyroscope and network controls on all the Kindle devices. Up front pricing for apps doesn’t seem to be on the agenda, but a JavaScript version of Amazon’s In-App Purchasing API is now available so app developers can slowly relieve the users of their money with funny money, virtual upgrades and subscriptions.

Still, Amazon does seem to be getting a foot in the door of “HTML5 Web App” publishing. The real question is… do customers actually want web apps. Amazon says it takes care of all the content delivery through the Appstore and will be listing the web apps next to the native apps in the store so they may be hoping that customers, not shown the difference, will not notice any difference. Let’s come back to that in three or four months and see how what review scores are like.