Firefox 26, Netflix’s Suro, Vagrants and Dockers and Websockets for all – Snippets


  • Firefox 26 digs in: Today we’ll see the release of Firefox 26, latest in the overly regular Firefox release cycle. From the (currently beta) release notes, we can see the big changes. All but the Flash plug-in are now click-to-play by default, Windows users can update their Firefox without having to write into the Firefox folders, the password manager can handle password fields generated by scripts and on Linux, if the installed gstreamer can handle h264, so can Firefox. A couple of fixes, some developer enhancements and thats about it. There’s also a Firefox for Android update due today. The release notes note some performance improvements, the same password manager enhancement and some fixes. The developer page for Firefox 26 covers changes of interest to developers in more detail. Firefox 26 will be turning up in updates and for download later today.

  • Netfix’s Suro goes open: From the people who brought you a cloud full of monkeys… Netflix’s latest open source release is Suro, an application monitoring system used by the video stream vendor to track the behaviour of their Amazon AWS deployed applications. Originally based on Apache Chukwa and adapted to fit Netflix’s demands, Suro pulls the company’s monitoring data from the various app clusters and pushes it to S3 (for Hadoop based analytics), to Apache Kafka (and on to Storm, Amazon ElasticSearch and Druid and to other event processors. There’s a lot more detail in the announcement including in production stats and how the pipeline is used to analyse errors.

  • Vagrant meets Docker: The latest update to Vagrant, version 1.4 has been announced and the big improvement in system that has traditionally been used to create automatically reproducible development environment is the addition of Docker support. The Docker provisioner can install Docker and then lets Vagrant cirtual machine pull and configure Docker containers within it. There’s also some enhancements to the scriptability of Vagrant itself, the ability to require a particular version of Vagrant and support for standalone file sync plugins.

  • websocketd: And finally, have you wanted to make a shell script or other app into a WebSocket server but lacked a library or access to the code to do it? Websocketd might be the answer as it turns anything with console I/O into a WebSocket server in a style rather reminiscent of CGI. Remember, most command line applications are not suitable for being exposed to the raw web, but the app could get you out of a hole when prototyping.

And, for reference, everything mentioned today is open source software.

Android’s SSL downgrade, Mozilla’s SSL, Linux PRNG and SafeCurves – Security Snippets


  • Android’s Cipher Downgrade: According to this blog posting, Android’s Cipher suite – that is the list of ciphers it uses in order when it is establishing a secure connection – changes in late 2010 and saw AES256-SHA removed and RC4-MD5 put in its place. This means Android 2.2.1 has a better default cipher than Android 2.3.4 and everything that follows. The analysis shows that Google were apparently following Java’s cipher list changes, but that in 2011, Java 7 got a better cipher list and Android, being based on Java 6, didn’t. There’s details in the post of how to fix that and the comments touch on some of the reasons for the oddness.
  • Mozilla SSL: Looking for a place to start when coming up with how to configure your secure server’s SSL/TLS? Check out Mozilla’s Server Side TLS Wiki page which gives their recommended ciphersuites, priorities, forward secrecy hints, OCSP stapling info and a number of recommended server configurations. NGINX gets rated for “best TLS support at the moment” and the page finishes up with a how-to on building with OpenSSL and a run down of all the configuration parameters.
  • SafeCurves: As you may know, Elliptic Curve crypto got a knock in the recent NSA reveals when it appears that the NIST standard curve in use had been believed to be manipulated, probably to make it easier to crack. At research is ongoing into a range of curves from various standards in a quest to find a safe and secure curve. Crypto-wonks will love this paper and there’s code to let folks independently verify the results.
  • Extra: Red Hat’s Security Update: A small reminder came my way that the recent RHEL 6.5 beta release includes lashing of crypto updates as part of the wider refresh of Red Hat’s OS. OpenSSL and NSS are updated and get TLS 1.1 and 1.2 support now.

Game On! with Gameduino 2

beautySay you wanted to build a games machine with an Arduino at its core, you’d might be a trifle stuck with a stock Arduino. You could do a lot of the interfacing to controllers or the logic, but what about the display and sound. Well, previously you may have got a Gameduino which gave you 400×300 512 colour VGA output, hardware sprites and audio in a nifty Arduino shield. It is pure 8 bit epicness.

But that was back in 2011 and now the sequel is being kickstarted, Gameduino 2, and its a little cracker. With a smarter graphics engine, the FT800, it handles full 32 bit colour, JPEG loading in hardware and has what is described as an “OpenGL” style command set. Now it displays 480×272 in 24 bit colour and can handle 2000 sprites, rotated and scaled. It has 256KB of RAM and 6 sizes of font, 8 musical instruments and 10 percussion sounds already loaded into its ROM.

But where would you find a display for this device? As part of the Gameduino 2, there’s a 4.3″ touchscreen so you have that display and control surface you need for a modern game. It also has a 3 axis accelerometer for orientation-oriented gaming, a headphone jack for audio out and a microSD slot. It basically looks splendid and may even be the missing link in getting more kids into Arduinos – show them this playing games, then take it apart and show them how they can take control. Did I mention how the hardware and software is all open source too (BSD licensed), so ripe for hacking!

I’ll admit I’ve already backed the project – it has passed its $6700 goal and still has 28 days of kickstarter time to go. Now, who’s going to make a handheld case and power kit for this beast.

NetBSD 6.1.2, Lua JVM, Meego/Symbian’s long walk and MariaDB/Debian – Snippets


  • NetBSD 6.1.2 released: The second security/bug-fix release for NetBSD 6.1 is now available with one security fix and fixes for KVM shutdown, USB device enumeration, networking with npf, udf file systems and pthreads. There’s also updated timezone data, a corrected regression for some X apps and a fix for some Emacs 24 crashes.
  • A Lua JVM?: An intriguing experiment has appeared in the form of luje, a “toy” Java virtual machine written in Lua. It on-the-fly compiles the Java byte code into Lua scripts and then runs them with LuaJIT. “Right now it excels at anything which involves tight loops and float or doubles in local variables” say the developer, David Given, noting it can beat the Hotspot/JIT in those cases, but it does badly with longs and many other things. The code is a 0.1 release, is fragile and incompletly implemented, but if interesting JIT tricks are your thing, this is one to look at.
  • Crunch time for Meego/Symbian: It looks like the end for Nokia’s support of Meego and Symbian support of devices through the company’s store is coming with the blocking of new app publication from 1 January 2014.
  • MariaDB’s heading to Debian: Colin Charles passes on the news that Debian’s MySQL package team have a plan for MariaDB 5.5, that it’s been uploaded to Debian unstable and should appear in unstable in due course.

Ubuntu 13.10 Betas, Rust 0.8 and Android drive-bys? – Snippets


  • Ubuntu 13.10’s only beta: The “Final Beta” for 13.10’s awfully codenamed “Saucy Salamander” has been announced so those wanting to give it a try before the 17 October final release, this is your chance. There’s an Ubuntu for phones image in among the images for the first time too. The release notes have details on how to upgrade and install. With only a 9 month supported lifespan from its release, you may want to consider waiting for next April’s 14.04LTS release.
  • Rust 0.8: Mozilla’s Rust language moves another step forward with September’s 0.8 release. Lots of details in the release notes; they’ve switched to Iterator based for loops, there’s a new (faster, more i18ny)way to format strings, changes in the FFI so there can be first-class foreign function pointers and importantly, the rewritten runtime and new experimental IO system.
  • Android drive-bys?: Interesting vulnerability in Android described by MWR Infosecurity where embedded ads in apps use WebView and how it would be possible to intercept the code going to these ad windows as its doen in the clear. And because WebView offers JavaScript functionality and because there is is JavaScript bridge, it is possible to execute arbitrary Java code. MWR worries about ad networks and Ad SDKs exposing a vector for infection and shows how they got all the way down to running system commands on the phone. There are a lot of dependencies, and it’ll take a Wifi man-in-the-middle attack to easily inject attack code – the Kismet wireless blog has a look at that problem.

Go 1.2’s Coming, iOS7’s Multipath, RSA’s Aaargh and Tails’ Updates – Snippets


  • Go 1.2’s coming: The first release candidate for Go 1.2 has been released. Lots of changes though the developers say its “a smaller delta from 1.0 to 1.1”. Read up on whats coming in the Go 1.2 Release notes and look out especially for the changes in the use of nil. If you want to test it, downloads are at the project’s Google Code page.
  • iOS7’s Multipath: There’s a difference between having code that works and having code in production and according to NetworkWorld Apple just made that jump with iOS7 and Multipath TCP. MPTCP lets multiple interfaces, such as Ethernet, WiFi and 3G, and different paths work together to get to a connection to a destination. Apple are using MPTCP to talk to their backend services and it’ll be interesting to see how this works out in the field.
  • RSA’s Aaargh: The RSA have reacted to the NIST pulling Dual EC DRBG, the cryptographic algorithm that has been historically dubious and believed to have been compromised by the NSA at specification stage, in for review by issuing an advisory. The advisory’s bad news covers “all versions of RSA BSAFE Toolkits, including all versions of Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C”. The really bad news? “The currently released and supported versions of the BSAFE libraries (including Crypto-J 6.1.x and Crypto-C ME 4.0.x) and of the RSA DPM clients and servers use Dual EC DRBG as the default PRNG”. Yes, as a default. Background in this Ars Technica article where one of the comments has the full text of the advisory. If you use RSA crypto, start your audit now.

Feedly API, RenderScript for all, JavaScript database, Node.js openness – Snippets


  • Feedly API opens: Feedly, one of the web-based RSS aggregator replacements that stepped in when Google dropped the Reader ball, has announced its opening up its feedly Cloud API to all. And its quite an extensive API with realtime hubs, read-tracking, personalisation graphs and more. An existing app ecosystem may be about to get a lot bigger and diverse.
  • RenderScript for all: Google has been adding feature to Android’s RenderScript computation framework over the recent releases and says it has been being asked for those features to be evenly available in older versions of Android. Now, a new RenderScript Support Library and updated SDK is available that makes that possible. If you wonder what RenderScript is used for, one example is the Google+ Android app where it helps power the photo editor with C99 based computational effects. The idea with RenderScript is its quicker and cleaner to use than going the full NDK for performance.
  • JavaScript indexed: Looking for a particular JavaScript library or wanting to browse through whats available? Check out JSDB.IO, which indexes, rates and links to nearly 500 JavaScript libraries. A nice idea, cleanly executed.
  • Node.js openness: In a guest post in VentureBeat, Ben Wen, VP of product at Joyent, home of Node.js, goes on the record talking about how Joyent and Node.js interact and how they are avoiding the anti-patterns that many open source projects with corporate backers fall into. It’s also a plug for SmartOS the open source OS they have been developing.

Mozilla, Upsource, SVG.js and Bluetooth LE – Snippets


  • Mozilla updates: Firefox 24 and Thunderbird 24 landed yesterday. The release of Thunderbird sees the ESR version merged back into the main release tree and a couple of new tricks with zooming in compose windows, email supporting IDN based email addresses and ignoring message threads. There’s also six critical fixes in the update too. Firefox gets new Max scrollbars, right-closing tabs and tear off chat windows, SVG improvements, a better browser console and 7 critical fixes.
  • Upsource: The world of collaborative coding platforms is getting more interesting with the news that JetBrains are developing Upsource. JetBrains are the creators of IntelliJ IDEA Java IDE, with its open source community edition along with many other IDEs all based on a common architecture. Upsource is a server platform which looks to bring their IDE’s smarts to a web platform. There’s code browsing, diffing, commit viewing, analysis and more. Plans are unclear for the platform and there’s no early access programme yet but there’s meant to be a Upsource demonstration which will let you browse two of JetBrains projects (but its down at the time of writing).
  • SVG with JavaScript: SVG is still something thats a bit of a bore to generate and deal with. SVG.JS looks to make things easier with a 9K MIT licensed library which can handle animating, positioning and transforming SVG images, create SVG text, create gradients, group elements and bind events to elements.
  • Bluetooth LE: ReelyActive have an interesting blog post about working with BLE (Bluetooth Low Energy) and how they use it in-building location and how, with the arrival of iOS7 and its full BLE support, they’ll be able to swap out physical tags for smartphones. Next month, they present at the IEEE Conference of Local Computer Networks and publish a paper which should shed light on how we’ll be followed around in future.

Linus vs SSDs, FirefoxOS Security, Eloquent JavaScript reboot – Snippets


  • Linus vs SSDs: It appears that Linus Torvalds is now working off his laptop to finish the Linux 3.12 merge after his desktop’s SSD drive died on him. Linus doesn’t have backups though as he’s moved to using “replaceable machines” instead. Oh, and apparently he’d upgraded the rest of the machine ten days ago.
  • FirefoxOS Security: Trend Micro took a look at FirefoxOS’s security model and have some examples of how it could be exploited, via direct attacks on the B2G process in the Gecko layer and what mitigates against that. An interesting short read which leads on to their look at HTML5 attack surfaces.
  • Eloquent JavaScript rebooted: The author of 2007’s freely available JavaScript textbook Eloquent JavaScript has started a crowd-funding campaign to fund a new edition of the book which will not only be modernised, but have new artwork, expanded sections on DOM, a chapter on node.js and more. He’s not using a Kickstarter or similar platform, but his own system which allows you to select which tasks you want your money or bitcoins spent on.

Git Rage, Fedora 20 and Android 4.4 named – Snippets


  • Visualising Code Rage: Chris Hunt’s Git Pissed is an application that tracks words in a git repository over time. It’s preloaded with defaults that track the offensive words from the Linux Kernel Swear Count but can also track happiness or any other thing you can express as a number of words. It’s a Ruby app and it makes graphs too. What more do you need?
  • Fedora 20’s Heisenbug: That bug that exists and then doesn’t exist when you observe it. Yes, following on from Fedora 19’s Schrödinger’s Cat, the Fedora folk have chosen Heisenbug as the name for Fedora 20 beating Eigenstate by 258 votes. The movement to name Fedora 20 “20” got 1 vote.
  • Android 4.4: And Google have announced, in a rather hypey way, that the codename for Android 4.4 is “KitKat” in a branding exercise with Nestlé, well known scourge of environmentalists. There will be Android related prizes in a KitKat give away in the UK too… which is more than developers get because they’ll have to wait until Google releases 4.4 on an as unyet specified date to figure out whats new in it. Still, enjoy the page and KitKat’s own mobile advertising inspired Let the speculation begin for Android 5.0 L…..