Codescaling Catchup

Regular readers may have noticed a bit of a slowdown in postings as I’ve been rearranging the scheduling of things here at Codescaling to allow for other commitments. Hopefully, I’ll be doing a regular Sunday catchup of what would have been snippets, and during the week I should, all going well, be looking at a particular thing, be it software or hardware, that’s in scope that week. As some may know, I’m curating HackWimbledon and may cover some of the hands-on stuff there. But enough of plans… What’s on the catchup this week…

I’ve been doing some work with Eclipse Orion, a web-centric IDE with some interesting attributes, so I was interested to see news of the language support enhancements coming in Orion 6.0: syntax highlighting for Arduino files, new documentation generators, the ability to use all the JavaScript tooling when the JavaScript is embedded in HTML, more tunable JavaScript validation with new rules, and so on. Worth checking out.

Google landed Go 1.3 this week and it does seem quicker and slicker (I’m getting on with Go code myself and noticed the difference). The experimental support for DragonFly BSD, Plan 9 and Solaris is intriguing; Go on Plan 9 feels like a giant philosophical loop being closed. Also interesting is the discussion of Go for Android from one of the Go team; it seems to be on course to start emerging in Go 1.4.

Big news in Python land: the PyPy team has landed the first stable release of PyPy3. PyPy is a highly compliant Python interpreter with a built-in tracing JIT compiler. Until now it was stable only for Python 2.x, but PyPy3 brings the standard library up to the Python 3.2.5 level, with unicode support from Python 3.3. At some point the Python 2.x to 3.x transition logjam will break, and this will be a big help.

Coin cells didn’t immediately strike me as a space for useful research, but I was proved wrong on reading How much energy can you really get from a coin cell?, where different makes and models of cell were compared using an ARM microcontroller that systematically loaded each battery. I’m more curious about this now as I’ve just taken delivery of Punch Through’s LightBlue Beans, Arduino-style controllers with Bluetooth, powered by a coin cell, but more about those in a future Codescaling post; till then, check out the Surf Report Notifier.

The OpenSSL/Heartbleed fallout continues with Google’s latest move, BoringSSL, a bidirectional fork (the codebase is separate, but patches continue to flow in both directions; it needs a term, so: bidifork) of the OpenSSL code. Google seem to be using bidiforks to stay plugged into communities while retaining control of their own destiny; Blink, forked from WebKit, seems to be the first bidifork. Whether they work, we don’t know, but I suspect it’s an area ripe for research, and even for formal recognition as a middle course for open source projects between fighting and forking.

On the to-do list: have a look at the Maynard/Wayland desktop on the Raspberry Pi, check out the OEM BeagleBone Blacks, browse through the undocumented Swift standard library and, now that it’s at 1.0, check out the WordPress REST API.

Heartbleed, MongoDB 2.6, Easier BeagleBone Black – Snippets


Heartbleeds out: So the Heartbleed OpenSSL vulnerability (CVE-2014-0160, a missing bounds check in the TLS heartbeat extension that lets a peer read up to 64KB of the process’s memory per request) is out and about, and everyone is checking their systems and updating to OpenSSL 1.0.1g (go straight to the OpenSSL source (http://www.openssl.org/source/) or wait for your OS distribution to update; it won’t be long, and if it is long, consider another distribution). It’s tempting to use the various Heartbleed test sites out there, but it is much safer and more trustworthy to test for it yourself: send a heartbeat that claims a longer payload than it carries and see whether the server echoes back more than it was sent. Remember too that patching alone isn’t enough: anything that may have sat in the server’s memory (private keys, session cookies, passwords) has to be treated as potentially leaked, so reissue certificates and rotate credentials after the update. There’s a lot to look at in the bug; this diagnosis offers some insight and reminds us, yet again, how bad people are at managing memory.
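A model of the bug, as an added example that is neither the post’s nor OpenSSL’s own code: the record layout follows RFC 6520 (type, 16-bit payload length, payload, at least 16 bytes of padding), while the handler names, the simulated heap and the SECRET string are this example’s own constructions. The vulnerable handler copies as many bytes as the peer’s header claims, so a request that claims 64 bytes but carries 5 echoes back whatever happened to sit after the record; the fixed handler applies the length check that 1.0.1g introduced and discards the record instead.

```c
/* Added example modelling the Heartbleed heartbeat handling. Not OpenSSL code;
 * the handler names, simulated heap and SECRET string are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16                            /* minimum padding RFC 6520 requires */
#define HB_MAX_RESP  (1 + 2 + 65535 + HB_PADDING)  /* largest response a 16-bit length allows */
#define CLAIMED      64                            /* payload length the lying request claims */

static const char SECRET[] = "constructed-private-key-material"; /* stands in for key material */
#define SECRET_LEN (sizeof SECRET - 1)

/* Builds a heartbeat request body: type | payload_length (big-endian 16-bit) |
 * payload | padding. claimed_len goes on the wire; an honest sender sets it
 * equal to real_len. Returns the real length of the record. */
size_t build_heartbeat(uint8_t *buf, uint16_t claimed_len,
                       const uint8_t *payload, size_t real_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, real_len);
    memset(buf + 3 + real_len, 0xAA, HB_PADDING);
    return 3 + real_len + HB_PADDING;
}

/* Shared tail: response header, `payload` bytes copied from pl, then padding. */
static size_t emit_response(uint8_t *resp, const uint8_t *pl, uint16_t payload)
{
    uint8_t *bp = resp;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, pl, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);  /* OpenSSL uses random padding; zero keeps this deterministic */
    return (size_t)(bp - resp) + HB_PADDING;
}

/* Vulnerable shape (OpenSSL 1.0.1 through 1.0.1f): the copy length comes from
 * the peer-controlled header and is never compared with what was received. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    (void)rec_len;                                  /* never consulted: this is the bug */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return emit_response(resp, rec + 3, payload);   /* over-reads when payload is a lie */
}

/* Hardened shape (the check 1.0.1g added): discard the record unless header +
 * claimed payload + minimum padding fits inside what actually arrived. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;     /* too short even for an empty payload */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* silently discard */
    return emit_response(resp, rec + 3, payload);
}

/* Simulated heap: a 24-byte record claiming a CLAIMED-byte payload, with
 * SECRET placed immediately after it, as it might be in a real process. */
static size_t build_lying_record(uint8_t *heap)
{
    size_t rec_len = build_heartbeat(heap, CLAIMED, (const uint8_t *)"hello", 5);
    memcpy(heap + rec_len, SECRET, SECRET_LEN);
    return rec_len;
}

/* Honest 5-byte request through the fixed handler: returns the response length (24). */
size_t honest_demo(void)
{
    static uint8_t rec[64], resp[HB_MAX_RESP];
    size_t rec_len = build_heartbeat(rec, 5, (const uint8_t *)"hello", 5);
    size_t n = heartbeat_fixed(rec, rec_len, resp);
    if (n == 0 || resp[0] != HB_RESPONSE || memcmp(resp + 3, "hello", 5) != 0) return 0;
    return n;
}

/* Lying request through the vulnerable handler: returns how many bytes of
 * SECRET came back in the response (all 32 of them here). */
size_t heartbleed_leak_demo(void)
{
    static uint8_t heap[128], resp[HB_MAX_RESP];
    size_t rec_len = build_lying_record(heap);
    if (heartbeat_vulnerable(heap, rec_len, resp) == 0) return 0;
    /* The first rec_len - 3 echoed bytes are the record's own payload and
     * padding; everything after that was read from beyond the record. */
    size_t beyond = CLAIMED - (rec_len - 3);
    size_t leaked = beyond < SECRET_LEN ? beyond : SECRET_LEN;
    return memcmp(resp + 3 + (rec_len - 3), SECRET, leaked) == 0 ? leaked : 0;
}

/* The same lying request through the fixed handler: returns 0 (discarded). */
size_t heartbleed_fixed_demo(void)
{
    static uint8_t heap[128], resp[HB_MAX_RESP];
    return heartbeat_fixed(heap, build_lying_record(heap), resp);
}

int main(void)
{
    printf("honest request, fixed handler: %zu-byte response\n", honest_demo());
    printf("lying request, vulnerable handler: %zu secret bytes leaked\n", heartbleed_leak_demo());
    printf("lying request, fixed handler: response length %zu\n", heartbleed_fixed_demo());
    return 0;
}
```

Testing a live server is the same idea over the network: after the handshake, send a heartbeat whose claimed length exceeds what you actually sent and see whether the response is longer than your request. A server that answers with nothing, or with exactly what it was sent, is patched. The fixed handler above discards the bad record silently rather than sending an alert, which is what 1.0.1g does and what RFC 6520 asks for.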

MongoDB 2.6: Leading light of the NoSQL world, MongoDB has been updated to version 2.6. The release notes cover the details: an updated aggregation framework, newly integrated text search, various order-preserving changes to insert and update, a new write protocol with support for bulk operations, an enhanced query engine with index intersection support, and much more. A big update with lots to take in, lots to test if you are upgrading before going to production, and a lot more being added to MongoDB Inc’s proprietary enterprise layer.

Easier BeagleBone Black: Setting up a BeagleBone Black (BBB) immerses you in the full gamut of configuring device trees and more. So it’s good to see a project like beaglebone-universal-io: a set of scripts and files that configure the BBB so that all the pins (other than those driving the HDMI and other built-in components) can be used easily. Of course, there’s still more configuration needed to set what the remaining pins do, hence the appearance of BB Universal IO Configurator, a GUI application to help with that. A short video shows it in action. The BBB is a great little board but needs more tools like this to help people really get to grips with it. Think of it as more than the compute power of a Raspberry Pi with much more GPIO. Meanwhile, I’ve just got some BeagleBone collars, which make it easier to locate those pins.

Python upped, Persona non grata, Markdown marked and more – Snippets

Python 3.3.5 released: The latest update to Python 3.3 fixes two regressions, in zipimport and in executing scripts, and alleviates a potential denial of service. Mac users should pay particular attention, as 3.3.5 now fully supports OS X 10.9, fixing a bug which could cause “previous versions of Python to crash when typing in interactive mode”.

Persona (non grata): Mozilla’s Persona is being “transferred to community ownership”. As yet another project is cut adrift from Mozilla in a fuzzy, vaguely friendly way, it’s worth making a note that you shouldn’t bet on Mozilla projects for the long term unless they are called Firefox or run on a phone. Mozilla’s habit of creating projects which don’t fulfil one of their own needs seems to have created this problem, but on the plus side, they are not decommissioning it, so they aren’t pulling a Google Reader. Which is good, given that folks like microco.sm use Persona for login.

Markdown editing for the web: Markdown is everywhere these days, and what’s been missing is a good editor for Markdown-formatted plain text that can be embedded in the browser as a replacement for the WYSIWYG-to-no-particular-format editors. And here it could well be, in the form of EpicEditor, complete with import, export, in-place preview, full screen (with 50/50 edit/preview), custom parsers, extensions, event hooks, theming and more, all invokable from a single line of JavaScript.

Loose bits: Ivan Ristic shows you how to roll your own test server for Apple’s ‘goto fail’ TLS bug, and the process is worth noting for future SSL/TLS tests. Or, after GnuTLS’s ‘goto cleanup’ fail, you can get your head down and help audit GnuTLS with this handy list of “places to look” where unchecked data comes into the library. Or you can kick back with the Motorola 6809, a great CPU, now being emulated in JavaScript.

Android’s SSL downgrade, Mozilla’s SSL, Linux PRNG and SafeCurves – Security Snippets


  • Android’s Cipher Downgrade: According to this blog posting, Android’s cipher suite list, that is, the ordered list of cipher suites it offers when establishing a TLS connection, changed in late 2010: AES256-SHA was dropped from the head of the list and RC4-MD5 put in its place. This means Android 2.2.1 has a better default cipher preference than Android 2.3.4 and everything that follows. The analysis shows that Google were apparently following Java’s cipher list changes, but that in 2011 Java 7 got a better cipher list and Android, being based on Java 6, didn’t. The post details how to fix it from the application side, and the comments touch on some of the reasons for the oddness. Server operators can also blunt it from their end by having the server enforce its own cipher suite order rather than deferring to the client’s.
  • Mozilla SSL: Looking for a place to start when working out how to configure your server’s SSL/TLS? Check out Mozilla’s Server Side TLS wiki page, which gives their recommended cipher suites and priorities, forward secrecy hints, OCSP stapling info and a number of recommended server configurations. NGINX gets rated as having the “best TLS support at the moment”, and the page finishes with a how-to on building with OpenSSL and a run-down of all the configuration parameters.
  • SafeCurves: As you may know, elliptic curve crypto took a knock in the recent NSA revelations, when it emerged that the NIST standard curves in common use were suspected of having been manipulated, probably to make them easier to crack. At safecurves.cr.yp.to, Daniel J. Bernstein and Tanja Lange are evaluating a range of curves from various standards against a set of published criteria in a quest to find safe and secure curves. Crypto-wonks will love this paper, and there’s code to let folks independently verify the results.
  • Extra: Red Hat’s Security Update: A small reminder came my way that the recent RHEL 6.5 beta release includes lashings of crypto updates as part of the wider refresh of Red Hat’s OS. OpenSSL and NSS are updated and now get TLS 1.1 and 1.2 support.