node.js – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Thu, 01 Apr 2021 00:37:44 +0000

Halls of Glowing Apples | Coder Radio 407
https://original.jupiterbroadcasting.net/144642/halls-of-glowing-apples-coder-radio-407/
Wed, 31 Mar 2021 17:30:00 +0000

Show Notes: coder.show/407

The post Halls of Glowing Apples | Coder Radio 407 first appeared on Jupiter Broadcasting.

Linux Action News 146
https://original.jupiterbroadcasting.net/139692/linux-action-news-146/
Sun, 23 Feb 2020 20:00:00 +0000

Show Notes: linuxactionnews.com/146

The post Linux Action News 146 first appeared on Jupiter Broadcasting.

Elixir of My Soul | CR 277
https://original.jupiterbroadcasting.net/118856/elixir-of-my-soul-cr-277/
Sat, 07 Oct 2017 00:46:18 +0000

Hoopla / Feedback NodeJS Gets Forked Over Ayo.js: humans Before technology io.js Malice Ghoulpus on Twitter: “Repeated ToC violations by an authority figure went unaddressed. TSC members left. Node has […]

The post Elixir of My Soul | CR 277 first appeared on Jupiter Broadcasting.

— Show Notes: —

Hoopla / Feedback

NodeJS Gets Forked Over

It’s Time to Kill the Web

  • Native vs the Web
  • The beauty of Cocoa
  • Benefits of the Web to desktop Linux
  • Pragmatism and Reaganomics

Mike’s IT Automation Tips

What’s the deal with Node?

  • Technical merits of the platform
  • Concurrency story
  • Comparisons to Go and Ruby

Wes Talks Elixir

  • Erlang and the BEAM VM
  • The Actor Model and OTP
  • WhatsApp’s secret weapon
  • https://elixir-lang.org/

Elixir is a dynamic, functional language designed for building scalable and maintainable applications.

Elixir leverages the Erlang VM, known for running low-latency, distributed and fault-tolerant systems, while also being successfully used in web development and the embedded software domain.

To cope with failures, Elixir provides supervisors which describe how to restart parts of your system when things go awry, going back to a known initial state that is guaranteed to work.

Clustered Pi | CR 269
https://original.jupiterbroadcasting.net/117356/clustered-pi-cr-269/
Thu, 10 Aug 2017 16:25:30 +0000

The post Clustered Pi | CR 269 first appeared on Jupiter Broadcasting.

— Show Notes: —

Total Solar Eclipse Meetup

This should be a great view of the action, and hopefully not too busy.

PiCluster: A simplified Docker Swarm or Kubernetes alternative to container scheduling and orchestration

  • Move containers to different hosts in the cluster
  • Run commands in parallel across Nodes
  • Heartbeat for services
  • Easily build and orchestrate Docker images across nodes
  • Command-line interface
  • Web interface
  • HTTP interface
  • Virtual IP Manager
  • Rsyslog Analytics
  • Built-in web terminal to easily run commands on nodes
  • Integrate the Kibana dashboard into PiCluster
  • Integrates with Elasticsearch to store the PiCluster logs.
  • Automatic container failover to different nodes
  • Pull container images from a registry

Cloud Explorer

Cloud Explorer is an open-source S3 client. It works on Windows, Linux, and Mac. It has a graphical and command line interface for each supported operating system.

Kibana

Kibana lets you visualize your Elasticsearch data and navigate the Elastic Stack, so you can do anything from learning why you’re getting paged at 2:00 a.m. to understanding the impact rain might have on your quarterly numbers.

jBot on Github

An omnipresent multi-platform bot whose goal in life is to become Skynet

Can You Hack Me Now? | TechSNAP 259
https://original.jupiterbroadcasting.net/98086/can-you-hack-me-now-techsnap-259/
Thu, 24 Mar 2016 17:50:27 +0000

The post Can You Hack Me Now? | TechSNAP 259 first appeared on Jupiter Broadcasting.


Verizon Enterprise gets breached & the irony is strong with this one, details on the NPM fiasco & why the SAMSAM is holding up the doctor.

Plus some great questions, a packed round up & much, much more!

Show Notes:

The NPM Fiasco

  • NPM is a package manager for Node.js
  • The Node.js ecosystem is “special”
  • It provides packages that are mostly code snippets, usually individual functions
  • Many packages depend on a number of other packages to work correctly
  • For example, the package ‘isArray’, which is a one-line function to tell if an object is an array, is depended upon by 72 other packages
  • There was a package called ‘kik’, created by Azer Koçulu
  • Kik.com, a mobile messaging app, wanted to create their own new package, called kik, for some new open source project
  • Unpleasant discussions occurred
  • Eventually kik.com had the NPM managers transfer ownership of the kik package name to the kik.com account
  • Azer was offended by this, and deleted all of his packages from NPM (around 250 different packages)
  • This fallout had unintended consequences
  • One of the modules, left-pad, was a simple 11-line function to left-pad a string or number with spaces or zeros.
  • Left-pad had been downloaded 2,486,696 times in the last month
  • It was a dependency for a huge number of projects, including Node.js itself and Babel
  • NPM then restored the module to unbreak the other applications
  • module’s author’s Medium.com post
  • kik.com’s Medium.com post
  • Official NPM blog post
  • Blog Post: Have we forgotten how to program?
  • Left-pad as a service
  • “The fact that this is possible with NPM seems really dangerous. The author unpublished (erm, “liberated”) over 250 NPM modules, making those global names (e.g. “map”, “alert”, “iframe”, “subscription”, etc) available for anyone to register and replace with any code they wish. Since these libs are now baked into various package.json configuration files (some with 10s of thousands of installs per month, “left-pad” with 2.5M/month), meaning a malicious actor could publish a new patch version bump (for every major and minor version combination) of these libs and ship whatever they want to future npm builds.”

Verizon Enterprise Customer Data Breached

  • “Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned”
  • “Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise”
  • “The seller priced the entire package at $100,000, but also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site”
  • “Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in an emailed statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”
  • So it seems to be just contact details from a database on the website, not more intimate details like login credentials for their networks, or other details that Verizon would possess as it administers and investigates the networks of the customers
  • It appears the data is in MongoDB format, which suggests that might be the format it was stored in on the Verizon side
  • “The irony in this breach is that Verizon Enterprise is typically the one telling the rest of the world how these sorts of breaches take place. I frequently recommend Verizon’s annual Data Breach Investigations Report (DBIR) because each year’s is chock full of interesting case studies from actual breaches, case studies that include hard lessons which mostly age very well (i.e., even a DBIR report from four years ago has a great deal of relevance to today’s security challenges).”
  • “According to the 2015 report, for example, Verizon Enterprise found that organized crime groups were the most frequently seen threat actor for Web application attacks of the sort likely exploited in this instance. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks,” the company explained.”
  • This attack may have been more targeted in nature, although it is possible it was just opportunistic, because Verizon failed to secure its database
  • Customers of Verizon whose data was breached are likely targets for various types of spear phishing, including emails pretending to be from Verizon, which provides network security and post-breach investigation services to these customers

Cisco Talos reveals SAMSAM ransomware

  • Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant. Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits.
  • This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom.
  • A particular focus appears to have been placed on the healthcare industry.
  • Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network. Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.
  • Upon compromising the system the sample will launch a samsam.exe process which begins the process of encrypting files on the system.
  • SamSam encrypts various file types (see Appendix A) with Rijndael and then encrypts that key with RSA-2048 bit encryption. This makes the files unrecoverable unless the author made a mistake in the implementation of the encryption algorithms.
  • One interesting note regarding the samples Talos has observed is that the malware will abort the encryption routine if the system is running a version of Microsoft Windows prior to Vista. This is likely done for compatibility reasons.
  • There were a couple of open source tools that were seen being leveraged by the adversaries. The first is JexBoss, which is a testing and exploitation framework for JBoss application servers.
  • This was being used as an initial infection vector to gain a foothold in the network to spread the ransomware.
  • The second is a component of REGeorg, tunnel.jsp. REGeorg is an open source framework to create socks proxies for communication.
  • As we have monitored this activity, we have started to see changes in the amount and types of payment options available to victims. Initially, we saw a payment option of 1 bitcoin for each PC that has been infected.
  • Later we saw the price for a single system has been raised to 1.5 bitcoin. It is likely the malware author is trying to see how much people will pay for their files.
  • They even added an option for bulk decryption of 22 bitcoin to decrypt all infected systems.

Feedback:

 
HEADS UP: Stand ready to patch all of your Windows, Linux, BSD, OS X, iOS, Android, and other servers. And all of your routers, print servers, set-top boxes, smart TVs, IoT devices. And basically anything with a CPU. The “BADLOCK” bug, a critical vulnerability in the SMB protocol, will be revealed on April 12th, 2016, so it affects Windows and all other implementations of the protocol (Samba, whatever Apple uses, whatever Android uses, etc.)


Round up:

NOde | CR 140
https://original.jupiterbroadcasting.net/77022/node-cr-140/
Mon, 09 Feb 2015 15:23:30 +0000

The post NOde | CR 140 first appeared on Jupiter Broadcasting.


Can’t we all just settle down & focus? Mike’s just about had it with JavaScript framework madness. Plus, could Microsoft be uniquely positioned to take advantage of the eventual die-off of some frameworks?

Show Notes:

Feedback

Hoopla

Code Your Enthusiasm | CR 78
https://original.jupiterbroadcasting.net/47307/code-your-enthusiasm-cr-78/
Mon, 02 Dec 2013 13:56:43 +0000

The post Code Your Enthusiasm | CR 78 first appeared on Jupiter Broadcasting.


It’s a mailbag special with a hidden message. Mike and Chris discuss burnout a bit more, the pitfalls of bad Q&A, automated UI testing, and the open source projects we’re thankful for this year.

Feedback

Book of the Week

[asa]B00G8UL474[/asa]

Callback Coders | CR 22
https://original.jupiterbroadcasting.net/27006/callback-coders-cr-22/
Mon, 05 Nov 2012 11:39:15 +0000

The post Callback Coders | CR 22 first appeared on Jupiter Broadcasting.


We discuss if developers get trapped in callback hell, the role of JavaScript on the desktop, Android’s birthday, Windows 8’s potential, and the Ubuntu SDK!

Plus a batch of your feedback and much more!

Show Notes:

Feedback

  • Mike is still alive. Score!
  • Brandon shares that in his experience colos can be very expensive.
  • Jason is striking out on his own but doesn’t know where to find clients.
  • Zane would like to know what resources I recommend for learning the basics of design for a developer.
  • Ben would like to know if Chris has a different VM for each client.

This Week’s Dev World Hoopla

El Ocho

  • My MS.Cheese() has been moved!
  • Language++
  • The future of C#
  • The future of JS on MS

Book of the Week

[asa]1449320104[/asa]
