A quick blog post about last Thursday at the Microsoft conference center, where the (French) Azure Days #1 took place. As a former insider, I was invited to a full day of conferences about the Microsoft cloud platform, and I was really impressed by how massive it has become: about 80 services, from VMs and hosting to databases and AI. I won't advertise here, but the numbers speak for themselves:
During the day, we learned the basics of the platform: platform-specific wording and concepts, how to provision VMs, deploy applications, set up networking and deal with the resource manager. The speakers, 4 architects, were very motivating and knew how to keep people's attention (special mention for Pierre's diversion when a live demonstration temporarily failed). The event will be repeated every 6 to 8 weeks and, good news, it's totally free! Except if you have to take a day off like me because your company doesn't think the cloud is important… Anyway, I should be present on the 12th of September for Azure Day #2, and I'm now looking forward to attending the first Google Cloud summit in Paris this October!
With the latest Raspberry Pi Zero and Raspberry Pi 3, there will be more and more Pis connected to the Internet. As Shodan shows us, there are several thousand Pis running Raspbian with an SSH server enabled. Most of them still have the default pi user (and maybe some of them still have the default password…). And for those who don't know, the pi user is allowed to sudo any command. If you plan to leave your Raspberry Pi connected to the wild Internet, take a few minutes to read this blog post to learn how to create a new, more secure user and remove the old pi one.
It has been a long time since the previous post, and it's the opportunity to try a new format I call « dev story »: a less verbose post format, more based on day-to-day coder life. The story I would like to share is about the port of one of my Firefox add-ons: Scroll Up Folder. I recently made big changes to this project that I could share: first I had to change its hosting, then I rewrote the whole add-on using a new SDK.
Guess what? I'm left-handed! And I'm sad to see that Google is still not offering a left-handed option to its users. Until now, one solution was to use a custom ROM which allows you to customize the navigation bar. But with the recent Lollipop release, no custom ROM is yet ready for daily use… Moreover, ART, the new runtime, breaks Xposed Framework compatibility. Xposed Framework was another solution for stock rooted ROMs to install a module for navigation bar customization. I recently bought a Nexus 6 (still shipping!) and I don't want to wait for a new solution (Xposed Framework compatibility is not coming soon). Never mind, I'm a developer, so let's do this myself!
The last weeks have demonstrated how sensitive and valuable personal information is. Companies like eBay, Spotify and AVAST have been hacked and had their client databases stolen. Those facts motivated me to host my own Firefox Sync server instead of uploading my data to another big cloud company.
Firefox Sync is a solution to store and keep synchronized Firefox data like bookmarks, history, passwords or preferences. Since Firefox 29, a new version of Sync is available (version 1.5). It uses the new Firefox Accounts as its authentication mechanism. The service definition and the separation between authentication, token and storage allow changing and plugging in new servers on the fly. So you can host your own Sync server without having to worry about auth. Auth will be provided by Mozilla's servers, which don't store your plain-text passwords or encryption keys. You may check the source code of the authentication server on GitHub or the Sync protocol for more details.
The Sync server installation procedure is quite well described by Mozilla. It explains how to get, build, run and test a custom Sync server on the built-in server (some git and make commands). Once everything works, you can set up your Firefox browser to point at your own server and test with your account and data. For production use, you can bind it to your Apache or Nginx server through a WSGI or Gunicorn module (the built-in server is not intended to be used in a production context).
In conclusion, I run my own Sync server to store my personal data. The server is lightweight and the data takes less than 10 MB of storage. I enforced security with a required client certificate and IP filtering, and I can review all accesses through the Apache logs. So even if Firefox Accounts are leaked (and we should consider that they will be), an attacker needs to know the location of the server, get a certificate and find a valid IP address before getting access to my Sync server. Given the interest of my data, the risk is very low.
I encourage you to self-host your data as often as possible. Nowadays, it is the real value of people. So take care of it, and thanks to Mozilla for allowing us to do it (hey Google, what about Chrome?).
Early in the week, I attended the security conferences led by the AFUP about software security. The main goal of those conferences was to make developers aware of the real dangers of security breaches. The first talk was given by OWASP, a non-profit organization focused on improving security. Its main key points were:
If your application hasn't been attacked yet, it will be,
If you are aware of the most critical security risks and you choose to handle them, you can prevent the bigger part of coming attacks,
You can handle security risks easily with their freely available documentation and tools.
The second talk was given by an AFUP member, Christophe Villeneuve, the creator of the elePHPant. The talk focused on how to secure your PHP applications. It took the most common security risks previously described and explained how to prevent them with the PHP language. He dealt with subjects like database query escaping, user input sanitizing or risky language-specific features (PHP_SELF, globals, …).
To conclude, the conferences were interesting and the networking very pleasant. I would like to thank the speakers for their time and Mozilla for their premises, and I end with some pictures of the night; the video will be online soon.
This week an Android version of Popcorn Time was released. For those who don't know the project, it's similar to Netflix: you select the movie or series you want to watch and can instantly play it. Unlike Netflix, it's free, based on users' torrent seeding and illegal in almost all countries. So don't use it and go buy your DVDs instead!
Existing versions were confined to desktop releases until now. So be happy, mobile users, your day is coming! Except for one thing (or two: which carrier will allow you to download 1080p movies over p2p?), it's not the official / legacy Popcorn Time team which released the application. What does it mean? An alternative team is releasing the same software under an alternate name, « Time4Popcorn ». But what for?
This week I faced the need to edit commit authors. Thanks to the new LDAP authentication, I needed to change the way users log on to the server. The side effect is that the manually declared users differ from the LDAP user names. To keep things consistent, I updated the previous commit authors with their new LDAP names. For those who have the same need, I share my script below:
#!/bin/bash
# Subject: Bash script to update commit authors.
# Author: Bruce BUJON (firstname.lastname@example.org)
# Description: This script uses a dictionary (AUTHORS) to replace a Subversion repository's commit authors.
# Usage: Edit REPOSITORY_PATH and AUTHORS variables then run the script.
# The repository path (edit me: a working copy path or a repository URL)
REPOSITORY_PATH="/path/to/repository"
# Get the repository head revision ("Revision: " is 10 characters long)
HEAD=$(svn info "$REPOSITORY_PATH" | grep Revision: | cut -c11-)
# The authors (keys are original authors, values are replaced authors)
declare -A AUTHORS
AUTHORS=( ["olduser1"]="newuser1" ["olduser2"]="newuser2" )
# Process each revision up to head
for revision in $(seq 1 "$HEAD"); do
    echo -n "Processing revision $revision: "
    # Get revision author (may be empty for revisions without svn:author)
    author=$(svn propget --revprop svn:author -r "$revision" "$REPOSITORY_PATH")
    # Look up the replacement author in the dictionary (empty if none)
    newauthor=""
    [[ -n "$author" ]] && newauthor="${AUTHORS[$author]}"
    # Check if replacement author is available
    if [[ ! -z "$newauthor" ]]; then
        # Update commit author (requires the pre-revprop-change hook to allow it)
        output=$(svn propset --revprop svn:author "$newauthor" -r "$revision" "$REPOSITORY_PATH" 2>&1)
        result=$?
        # Check update status
        if [ "$result" != 0 ]; then
            # An error occurred
            echo "an error occurred!"
            echo "$output"
        else
            # Author replaced
            echo "author replaced ($author > $newauthor)."
        fi
    else
        # Author kept
        echo "author kept."
    fi
done
# End of script
echo "$HEAD revisions successfully processed."
Note that you will need the server to allow revision property changes. To do that, ensure the pre-revprop-change hook returns 0, at least for the duration of the maintenance. You don't want your users editing the commit authors and logs to play a joke on you.
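As an added example that is not part of the original post, here is a pre-revprop-change hook (POSIX sh) that grants the author fix-up only to a maintenance account, named svnadmin as a placeholder, and refuses every other svn: revision property change; the argument order is the one Subversion documents for this hook.

```shell
#!/bin/sh
# Added example (not the post's own code): a pre-revprop-change hook that
# lets only a maintenance account rewrite history properties. Subversion
# calls it as  pre-revprop-change REPOS-PATH REV USER PROPNAME ACTION
# (ACTION is A, M or D) with the new value on stdin; exit 0 allows the
# change, non-zero refuses it and stderr is relayed to the client.

# Assumption: placeholder name of the account used for the author fix-up.
ADMIN_USER="svnadmin"

# check_revprop_change REPOS-PATH REV USER PROPNAME ACTION
# Returns 0 to allow the change and 1 to refuse it.
check_revprop_change() {
    rev="$2"; user="$3"; propname="$4"; action="$5"
    case "$propname" in
        svn:author|svn:log|svn:date)
            # These three properties are the audit trail of a revision.
            # Only the maintenance account may modify them, and only
            # modify: adding or deleting them would blank the history.
            if [ "$user" = "$ADMIN_USER" ] && [ "$action" = "M" ]; then
                return 0
            fi
            echo "r$rev: changing $propname is reserved to $ADMIN_USER" >&2
            return 1
            ;;
        svn:*)
            # Any other svn: revision property is treated as read-only.
            echo "r$rev: revision property $propname is read-only" >&2
            return 1
            ;;
        *)
            # Custom (non svn:) properties, e.g. issue tracker metadata,
            # do not rewrite history: allow them for everyone.
            return 0
            ;;
    esac
}

# When invoked by Subversion (exactly five arguments), apply the policy
# and make its verdict the hook's exit status.
if [ $# -eq 5 ]; then
    check_revprop_change "$@"
    exit $?
fi
```

Install it as hooks/pre-revprop-change in the repository, make it executable, and run the author script as the svnadmin account while it is in place.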
If, like me, you use Play Books to store books and manuals, you will be sad when reading the great Subversion book, svnbook: the PDF import fails to parse the table of contents and its navigation links. So I made the epub build of the book and everything works well now.
So for everyone who needs it, I share the svnbook in epub format:
I post today to ask an open question: « Why is Flash still alive? ». Some days ago I was raging against Flash on some website when I wondered why Flash is still used. In my computer user life, I lost several hours trying to get Flash to work properly. Bad Linux support, browser freezes, oh wait, let's make a list!
CPU and memory consumption (for the player itself and the browser sandbox),
Bad support for OSes other than Windows (only old and vulnerable versions for Linux),
No multiple-screen support (start the player on one screen, move it to a second one and go fullscreen: the player displays content on the whole first screen),
Freezes and BSODs (under Windows at least),
Invasive updater (does not respect user update preferences, no proxy settings, deletes itself if the download fails, offline installer well hidden on Adobe's site),
No longer supported on mobile devices (Android, iOS, WP8).
Advanced features for video players (stream quality switching, ad overlays),
Fast and cheap indie game development.
For the advanced video player features, I think the evolution of web standards will quickly offer equivalent features (including standard adoption in browsers). Technologies like WebRTC show how browsers have evolved into natively supported multimedia platforms. As for Flash browser games, how long can they fight against full web games when you see that Unreal Engine 3 works with JS and WebGL? Or against the Chrome gamepad API?
And how long will browser developers let Flash ruin their hard work of speeding up and improving responsiveness? Remember the other Adobe software plugged into browsers, Reader, was brushed aside by a few lines of fast JS.
Flash definitely belongs to the past. But for how long will it remain in the present?