Developer Catchup: Bashed, Qubes R2, Linux from Scratch, RethinkDB, Material Bootstrapped and… COBOL?

Bashed: So the Bash bug is out there and real. These quick notes are still valid. The point is that this hideous feature (really, exporting function definitions through environment variables) is horrid and leaky by design, and it's only this bug in how the feature is implemented that's bringing it to the fore: anything that lets an attacker control an environment variable and then spawns bash is exposed. CGI scripting, Qmail and some SSH and DHCP services are all potentially vulnerable, so patch away, but be prepared to patch again because the lid is off this can of worms. The safest end point is, most probably, that the functionality goes away, but that's unlikely and even if it did there'd still be old bash installs out there. Least helpful response – the FSF statement, which fails to apologise, pats itself on the back that free software let the patches be shared and then rattles the donation tin. Funniest response – Brian J. Fox, Bash creator, quoted in the NYT joking that his first response was "Aha, my plan worked".
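To make the mechanism concrete, here is an added example written for this catchup (it is not code from the original post or from the bash maintainers). Before the fix, bash treated any environment variable whose value began with `() {` as a function definition to import, and the bug was that whatever followed the function body was executed as soon as bash started. The script mimics a CGI gateway exporting a request header as HTTP_USER_AGENT (the standard CGI variable; the handler and function names are assumptions made here) and then runs the probe that circulated at disclosure, so you can see whether the bash on a box is patched. It also shows the legitimate `export -f` feature the bug lives in.

```shell
#!/bin/sh
# Added example: how an attacker-controlled environment variable reaches bash's
# function importer, and the probe that tells a patched bash from a vulnerable one.

# Mimic a CGI gateway: the "client" controls the User-Agent header, which the
# gateway exports as HTTP_USER_AGENT before spawning a handler written in bash.
# (HTTP_USER_AGENT is the standard CGI variable; the handler body is ours.)
run_cgi_handler() {
    HTTP_USER_AGENT="$1" bash -c 'echo "handler ran"' 2>/dev/null
}

# Probe: a value that looks like an exported function, followed by a command.
# A vulnerable bash runs the trailing command while importing its environment;
# a patched bash never executes the tail (and only imports BASH_FUNC_* names).
check_shellshock() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out="$(run_cgi_handler '() { :;}; echo INJECTED' || true)"
    case "$out" in
        *INJECTED*) echo "vulnerable" ;;
        *)          echo "patched" ;;
    esac
}

# The legitimate feature behind the bug: `export -f` serialises a function into
# the environment so child shells can import it. Prints the raw environment
# entry (old bash: "greet=() { ...", patched bash: "BASH_FUNC_greet%%=() { ...").
show_exported_function() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    bash -c 'greet() { echo hello; }; export -f greet;
             env | grep -e "^greet=" -e "^BASH_FUNC_greet" || true'
}

printf 'shellshock probe:  %s\n' "$(check_shellshock)"
printf 'exported function: %s\n' "$(show_exported_function)"
```

Run it as any user; nothing here needs privileges. The second function is the reason "patch and move on" is not the end of it: the environment is a channel into the shell's parser whether or not this particular bug is closed, so the real hardening is to stop untrusted strings reaching bash's environment at all (or to stop spawning bash from network-facing services).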

Security in a Qube too: The Qubes OS developers have been working away steadily on their virtualisation-compartmented desktop operating system and now Joanna Rutkowska has announced Qubes OS Release 2. The OS is now described as "a powerful desktop OS" rather than a proof-of-concept, and to reinforce that, Caspar Bowden is joining the advisory board for Qubes to see if it can be brought to a wider world. If you've not met Qubes, imagine a desktop Linux where each app or group of apps runs in its own virtualised sandbox while the OS works to make sure the user isn't bothered by that. If you were looking for a "post-Snowden" OS, Qubes should be on your list – check the site for downloads, resources and white papers explaining what's in the OS.

Linux from Scratch: You may, "post-Snowden", want to go through every bit of code that is in your running systems. One place to start is Linux from Scratch, which takes you through assembling your own Linux system (and automated or hardened versions) from component parts. It's just been updated to LFS version 7.6, along with updates to Beyond Linux From Scratch (BLFS) and the systemd editions of LFS and BLFS.

RethinkDB 1.15: NoSQL… no, come back… Cool NoSQL database RethinkDB has just been updated to version 1.15, gaining a huge set of geospatial functions to add to its already interesting suite of functions. There's also server-side UUID generation and performance boosts through lazy deserialisation.

Material world: Some folks love Google's Material look and feel. Well, now they can have some of that on the web with Bootstrap Material Design, a Bootstrap theme that brings the stylings and gives a nice flat look to apps.

Finally: Via Adafruit, a picture of Grace Hopper teaching COBOL.

Codescaling catchup: Android L, MapReduce, Paho, Eclipse IDE, Bootstrap, MacDown, Moment.js, Runtime.js, Dart, Security Notes

And catching up with the week just past at Codescaling…

Android L, MapReduce

Google I/O brought us a beta version of Android Studio and a developer preview of Android L with images for emulators and the Nexus 5 and Nexus 7 (Wi-Fi only). A new look and feel, lots more APIs and a general feeling that Google is pulling its various efforts back into one cohesive whole (for good or bad, and for whom, is another discussion). At the other end of the scale, though, a more interesting, if obvious, reveal was Urs Hölzle, SVP at Google, who during the Google I/O keynote pointed out that the company has stopped using MapReduce-based systems for analytics – "It's great for simple jobs but it gets too cumbersome". This of course was on the back of announcing Cloud Dataflow, a new pipelined analytics service, but it seems Google is drawing a line where MapReduce ends and a self-scheduling, self-organising analytics system is the future. We shall see if that line holds… Hadoop isn't endangered, despite what some may say, mainly because it's grown into its own ecosystem and platform for more than MapReduce work… but the entire analytics world is ripe for disruption, especially on its hardest problem – analysis discovery.

Paho 1.0 for MQTT

Over at Eclipse there have been a few announcements, like the Paho MQTT project reaching version 1.0. That includes C, Python, JavaScript (in the browser) and Java MQTT client implementations. MQTT is one of the protocols in the running to fill the numerous niches in the internet of things, and Paho is Eclipse's umbrella project to make sure it has an open source implementation for all of them.

Moonrise for Eclipse Luna

The Eclipse release train also turned up for the eponymous IDE with the release of Eclipse Luna – Paho was along for the ride – which also brought us full Eclipse support for Java 8, a workspace with dark themes, split editors and default line numbering (to keep up with the hip editors), an updated Equinox, a Java 8-capable memory analyser and a standalone C/C++ debugger. If you like Eclipse, you'll love the improvements. A couple of bits have been dropped (Agent Modelling, EclipseLink persistence and SCA Tools) but lots more has been added, including XWT (a declarative UI project), Eclipse Sirius for modelling, Business Process Model and Notation (BPMN2) modelling and EMF clients and repositories for modelling.

Bootstrap restrapped

Bootstrap keeps evolving – the latest version of the HTML/CSS framework, Bootstrap 3.2, has scaling embeds, responsive utility classes, more tools and more besides. You can download it or pull it with npm. It does make for a quick way to get a clean, modern-looking site or app together.

Markdown on Mac

Love Markdown? You might well have liked Mou, a Markdown editor for the Mac. But development on that has stalled. Now in its place comes the open source MacDown, which is already in heavy development and already looking quite feature rich. So, check it out. Of course, everyone does Markdown these days; I'm using various editors including WriteDown (very simple with a nice preview toggle) and Atom (good Markdown preview plugin).

Time for a Moment.js

Moment.js was recently updated to version 2.7.0. The very useful date and time manipulation library for JavaScript has got itself four new languages, configurable relative times and various bug fixes, both general and for specific languages.

Time for a Run…time.js

Maybe you will run it on Runtime.js, an OS kernel being built entirely in JavaScript and running on the V8 engine. A curious little bit of research – everything runs in ring 0 and isolation is done in software, apps get sandboxed and limited resources, and it relies on V8 to generate trusted native code – it also runs one V8 instance per core. You won't be running it tomorrow, but it does feel like an idea worth pursuing.

Darting to Mobile

You're probably more likely to be running Google's JavaScript alternative, Dart. That got an update too with Dart 1.5, which is focussed on mobile devices, bringing better debugging and an update to the Polymer web components package. Full details are in the release notes.

Security Notes

Of course the broken world of security rolls on. An IBM team found a stack buffer overflow in Android's KeyStore. That's probably the worst place to find a hole – a bit like finding the clasp on your keyring is faulty. A more controversial bug is the LZO/LZ4 hole. It's an integer overflow in compression code and yes, it could lead to code execution… if you are on a 32-bit system… and you are processing 16MB or greater blocks… and you've crafted the exploit to the particular implementation of LZO/LZ4 on the system. It's a high bar to clear, but there'll still be plenty of updates to numerous packages to close the door before an exploit is crafted that clears it.

And that's it for this week… that's quite a bit. Do let us know how you are finding the catchups in the comments.

Tails goes 1.0, Debian goes 7.5 and Apache OO goes 4.1

Tails 1.0: The developers of Tails, the Linux distro built for anonymity and privacy, have declared the latest version Tails 1.0. Tails routes all its networking through Tor and leaves no traces on machines where it's been live-booted. It's ideal in situations where you want your digital footprint minimised. Version 1.0 sees browser updates, Tor patches including a blacklist of Heartbleed-vulnerable Tor relays, bug fixes and a new logo for the project. The announcement also lays out plans for 1.1 (a switch to Debian 7), 2.0 (better building for a longer life) and 3.0 (sandboxing and isolation) and invites developers to contribute… it is a project which has got some great reviews.

Debian 7.5: Talking of Debian, the latest bugfix and patch rollup release, Debian 7.5, has just arrived. If you keep your Debian system up to date, you're already good, but if you install a lot of systems from optical or USB media then you may want to take this opportunity to update your images. Full details of the fixes, bug and security, are in the announcement.

Apache OpenOffice 4.1: The Apache OpenOffice project has announced AOO 4.1, the latest iteration of the direct descendant of the original OpenOffice. The release notes highlight the Windows version's IAccessible2 support for better screen reader integration and the addition of comments and annotations for text ranges. There's also in-place field editing, interactive cropping, unified import/drag/drop for images, better vectors, new translations (Bulgarian, Danish, Hebrew, Hindi, Thai and Norwegian Bokmål) and other updated translations and dictionaries. Also, behind the scenes, AOO now uses the NSS libraries rather than the older bundled Mozilla code, so that it is a bit more secure and a lot easier to build.

Linux 3.14, Etherpad 1.4, Pass and an RGB/LED/Pi tutorial – Snippets

Linux 3.14 lands: And another ten-week dev cycle of Linux ends with the release of Linux 3.14. There's a new realtime scheduler (deadline), event triggers for tracing, graphics driver updates (stabilised Broadwell support, NVIDIA GK110 support, dynamic power management for newer AMD hardware), new TCP autocorking for better small-packet handling and the usual gamut of driver improvements, patches and enhancements. For a good list, check LWN.net's three-part listing (1, 2, 3) (and if you are interested in Linux and don't subscribe to LWN.net, why not?). As of writing, Kernel Newbies has yet to catch up with its pages, while German speakers can read Thorsten Leemhuis's Die Neuerungen von Linux 3.14, which is packed full of details.

Etherpad 1.4 arrives: For Etherpad, it’s mostly lots of bugfixes and security patches, but it’s worth noting the arrival of Etherpad 1.4. The Node.js-based collaborative editor’s changelog has the details.

Pass, you may: Pass is an interesting idea – password management where each password lives in its own GPG-encrypted text file, arranged in a simple (and configurable) directory hierarchy, with simple commands to manipulate the files and use them from the keyboard. Now to see if I can get the password manager I use elsewhere to export its contents in Pass format – there are already scripts for lots of other password managers.

Your name in lights: A nice little tutorial from the folks at Adafruit shows how to use a 16×32 RGB LED matrix panel, which happens to be available over at Phenoptix, with a Raspberry Pi. The matrix usually comes with instructions for use with an Arduino, due to the bit-bangy nature of getting stuff onto the display, so the Pi instructions offer a whole new set of opportunities for hacking. The next edition of CodeScaling might be in 16×32 format real soon now.

Python upped, Persona non grata, Markdown marked and more – Snippets

Python 3.3.5 released: The latest update to Python 3.3 fixes two regressions, in zipimport and in executing scripts, and alleviates a potential denial of service. Mac users should pay specific attention, as 3.3.5 now fully supports OS X 10.9, fixing a bug which could cause "previous versions of Python to crash when typing in interactive mode".

Persona (non grata): Mozilla's Persona is being "transferred to community ownership". As yet another project is cut adrift from Mozilla in a fuzzy, vaguely friendly way, it's worth making a note that you shouldn't bet on Mozilla projects for the long term unless they are called Firefox or run on a phone. Mozilla's habit of creating projects which don't fulfil one of its own needs seems to have created this problem, but on the plus side they are not decommissioning it, so they aren't pulling a Google Reader. Which is good, given folks like microco.sm use Persona for login.

Markdown editing for the web: Markdown is everywhere these days, and what's been missing is a good editor for Markdown-formatted plain text which can be embedded in the browser as a replacement for the WYSIWYG-to-no-particular-format editors. And here it could well be, in the form of EpicEditor, complete with import, export, in-place preview, full screen (with 50/50 edit/preview), custom parsers, extensions, event hooks, theming and more, all invokable from a single line of JavaScript.

Loose bits: Ivan Ristic shows you how to roll your own test server for Apple's 'goto fail' TLS bug, and the process is worth noting for future SSL/TLS tests – Or, post GnuTLS's 'goto cleanup' fail, you can get your head down and help audit GnuTLS with this handy list of "places to look" where unchecked data comes into the library – Or you can kick back with the 6809, a great CPU, now being emulated in JavaScript.

LXC’s 1.0, Thrift opened again, WhatsApp serving and more – Snippets


LXC goes 1.0: Linux Containers, LXC, is now at version 1.0, a major milestone which also brings together and completes a lot of things that have been working their way through the Linux kernel, like support for unprivileged containers, long-term stuff like a stable API (which will be supported for five years), bindings for Lua and Python 3 (and Go and Ruby out-of-tree), backing storage support for directories, btrfs, zfs and more, cloning, snapshotting… and you may wonder "Hey, doesn't Docker do many of these things?" and yes, it does, so it'll be interesting to watch how things all work out. More details are in the news post, and check out Stéphane Graber's 10-part blog series on LXC 1.0, which is packed full of useful stuff.

Thrift double opened: Facebook brought Thrift (PDF) to the world in 2007 via Apache Thrift and many people found the network/data serialisation framework well handy. The thing is, though, that Facebook went and forked its own internal version of Thrift as it filled out the features and ramped up performance, something that took major re-engineering over time. Now the company has announced fbthrift, available on Facebook's GitHub repo and open sourced under the same Apache 2.0 licence that Apache Thrift is under.

Worth reading: WhatsApp's serving: from 2012, here's a presentation on how WhatsApp does scale (PDF) with a combination of FreeBSD and Erlang – A New York Times profile of security reporter Brian Krebs, who's more like an entire security intel op in one person – Enjoy Stephen Colebourne on video presenting the Java 8 Date and Time API at JAX 2013.

Docker officially for Mac, Tails fixes updates and CoffeeScript’s fresh brew – Snippets


Docker 0.8: As Docker, the application-packaging-with-containers platform, switches to a new release schedule, the first of the monthly releases has arrived, and Docker 0.8 has a couple of new goodies along with its focus on quality. One item worth mentioning is the official support for Mac OS X. No, they haven't added containers to OS X; instead the Docker client on the Mac talks to a Docker daemon running inside a VirtualBox VM booted from a 24MB Linux image based on Tiny Core. There's also experimental Btrfs filesystem support, which might be very useful in future.

Tails 0.22.1 out: Tails, the Linux distribution for those who want to be secure, private and anonymous, has been updated to version 0.22.1, which has a number of security fixes in the browser and name services, removes a fingerprinting vector from its use of some small icons and, probably most importantly, adds an update checker which can offer to install incremental updates when needed.

CoffeeScript updated: A little late to this, but there's been an update to CoffeeScript, with version 1.7.0 (and a typo-fixing 1.7.1) landing at the end of last month. Aseem Kishore summarised the changes, which include chaining without parentheses, multi-line strings, new ways to destructure an array, new maths operators for power, floor and modulo, and more.

LibreOffice and Mercurial update while Firefox steps back – Snippets


LibreOffice 4.2: The LibreOffice folks have rolled out their latest release, LibreOffice 4.2, which includes a decent selection of new features, the headliners being improved OOXML round-tripping, a GPU/OpenCL-utilising Calc engine, enhancements to Windows installation and management and better Windows 7/8 integration, an expert configuration window and an improved start screen. Download from the usual place.

Mercurial shines: The other other distributed version control system (DVCS), Mercurial, has just had an update to version 2.9. The update adds infinite scroll to the web interface, hardens up the rebasing process, adds support for git delta hunks and brings various other fixes and enhancements. Mercurial's a great DVCS but lacks a mind-share-winning "GitHub" equivalent, which is what has helped push git to the fore. Despite that git mind-share, Mercurial is the DVCS used by Mozilla and Facebook, among others.

Mozilla backtracks Sync: One of the interesting features of Mozilla's Sync service for the Firefox browser was that it didn't need username/password combos, instead going for a device-pairing approach to use the service. Clever, but… it appears Mozilla is pulling that idea out of service as it tests a new Firefox Accounts strategy which it hopes to harden up with multi-factor authentication and more over time. Which shows, if anything, that users will define, by erosion, your security's shape, no matter how neat your solution is. The changes are in test now, so within a couple of months they should be landing in your stable browser.

Node’s new lead, Windows security disappoints, TCL is 25 and Brightbox is dim – Snippets


  • New project leader for Node.js: Isaac Schlueter has announced he's standing down from leading the Node.js project and handing the reins to TJ Fontaine, who's been working as "the primary point of contact keeping us all driving the project forward together". Schlueter is off to create npm Inc, a company focussed on npm products and services; it will be interesting to see how that pans out.

  • Windows Native Isolation inadequate: Joanna Rutkowska, CEO of Invisible Things Lab, had previously said that they would be looking into using Windows Native Isolation (WNI) as a way of bringing their research with Qubes OS and its security-isolated application architecture to Windows. Now in a posting Rutkowska says that despite the time invested in creating Qubes WNI, the results have been disappointing, and adds "today we publish a technical paper about our findings on Windows security model and mechanisms and why we concluded they are inadequate in practice".

  • Tcl is 25: Tcl (Tool Command Language, often pronounced "tickle") never really made the major leagues in programming languages, but it did lead the way in embeddable scripting languages. A 25th birthday posting at TkDocs picks up on the oddness of its syntax and some of the sweet ideas in Tcl, like Tk – a GUI toolkit which worked everywhere? Madness!

  • EE's Brightbox isn't bright: The EE Brightbox has quite a few holes in its security. In an article by Scott Helme, Scott takes his Brightbox apart in a step-by-step look at finding vulnerabilities in routers. Guides like this are useful for developers to see, so they get a better idea of what people are prepared to do to their code to get access. And get to the end for an 11-second guide on the disposal of insecure devices.

Patch Tuesday coming, NTP DDoS here, Ruby 1.9.3 going – Security Snippets


  • Next Tuesday, Patch Tuesday: A friendly reminder that next Tuesday sees 147 Oracle patches (Java (CVSS 10), VirtualBox (6.8), MySQL (10)), 5 Microsoft bulletins and Adobe Reader and Acrobat priority 1 fixes all rolling out on the same day. The 2014 patch season is open for business.

  • NTP DDoS Mitigation: It seems DNS reflection attacks (getting DNS servers to send unsolicited data at an IP address) are out and the new reflection is NTP reflection. This abuses the Network Time Protocol's monlist command, which sends a list of the last 600 machines an NTP server has talked to back to whatever address the request claimed to come from, and because NTP is UDP that source address is trivially spoofed. The reply is many times larger than the request, so prod enough NTP servers into sending that list to a victim and you have your amplified DDoS attack. Cloudflare's blog has a post on how to mitigate these attacks – it's worth checking out, as over Christmas it seems some big game sites got slapped with the NTP reflection hammer.
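The fix on the server side comes down to two ntp.conf directives, so here is an added example written for this post (not code from the original, nor from Cloudflare or the NTP project): a weak configuration beside a hardened one, and a small shell audit that reports which of the two settings a config file is missing. Both config samples are constructed here for illustration; `disable monitor` and the `restrict default ... noquery` line are real ntpd directives. The audit function name and its output strings are assumptions made here.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for the two settings that matter for
# monlist reflection. Both configs below are constructed samples.

# A typical pre-2014 config that still answers monlist: no `disable monitor`,
# and the default restrict line lacks `noquery`.
WEAK_CONF='
server 0.pool.ntp.org
server 1.pool.ntp.org
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
'

# Hardened: the monitor facility (which is what monlist reads) is switched off,
# and mode 6/7 control queries (ntpq/ntpdc, including monlist) are refused for
# everyone by default. Plain time requests are still served.
HARDENED_CONF='
server 0.pool.ntp.org
server 1.pool.ntp.org
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
'

# Read a config on stdin. Print "ok" if it both disables the monitor and denies
# queries by default; otherwise print the space-separated list of what is missing.
audit_ntp_conf() {
    conf="$(cat)"
    problems=""
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*disable[[:space:]].*monitor' \
        || problems="${problems}monitor-enabled "
    printf '%s\n' "$conf" \
        | grep -Eq '^[[:space:]]*restrict[[:space:]]+default([[:space:]].*)?[[:space:]]noquery([[:space:]]|$)' \
        || problems="${problems}default-allows-query "
    if [ -z "$problems" ]; then
        echo "ok"
    else
        printf '%s\n' "$problems" | sed 's/ *$//'
    fi
}

printf 'weak config:     %s\n' "$(printf '%s' "$WEAK_CONF" | audit_ntp_conf)"
printf 'hardened config: %s\n' "$(printf '%s' "$HARDENED_CONF" | audit_ntp_conf)"
```

Point it at a real file with `audit_ntp_conf < /etc/ntp.conf`. The two directives do different jobs: `noquery` stops the server answering control queries from arbitrary addresses, while `disable monitor` removes the data monlist would return even for hosts that are allowed to query. ntpd 4.2.7p26 and later no longer answer monlist at all, so this is aimed at the older 4.2.6-series builds that were still widespread.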

  • Ruby 1.9.3 gets a dead date: Pencil in February 23 2015 as the date Ruby 1.9.3 shuffles off its mortal coil. More imminently, February 23 2014 is when Ruby 1.9.3 goes into security-fix-only mode, so get your Ruby 2.x migration plans in order now.