Saturday, July 27, 2013

Swiss Guard - BIND 9 denial of service in the wild

Watch out if you run BIND 9 for domain name services. It appears that if you put together a specially malformed rdata part of a request you can take the DNS server down, and that makes it a denial of service weapon. It appears to be in use in the wild already. The news comes via the Internet Storm Center and takes us to an ISC Advisory for CVE-2013-4854. BIND 9 versions are all affected, except for BIND 9.6 and 9.6-ESV, but including BIND 9.7 and later. BIND 10 is unaffected. You should see updates from your repositories soon if you use a distro supplied BIND. If you roll your own, head to the ISC downloads page and get to work.
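If you look after more than a handful of resolvers, the first job is working out which boxes sit on an affected branch. The following is an added example, not code from the post or from ISC: it parses the version banner that `named -v` prints (a real BIND flag, though the post does not mention it) and applies the branch rule the post gives for CVE-2013-4854 (BIND 9 affected except 9.6 and 9.6-ESV, BIND 10 unaffected) across a constructed inventory. The hostnames and banners are made up for the example, and the script deliberately knows nothing about which point releases carry the fix, because the post does not list them; it flags branches for you to check against the ISC advisory.

```python
import re

# Branch rule as stated in the post's summary of the ISC advisory for
# CVE-2013-4854: BIND 9 is affected except for the 9.6 and 9.6-ESV branches
# (9.7 and later are affected); BIND 10 is unaffected. The post does not list
# the patched point releases, so this script flags branches, not exact builds.
VERSION_RE = re.compile(r"BIND\s+(\d+)\.(\d+)(?:\.(\d+))?(-ESV)?", re.IGNORECASE)


def parse_bind_version(banner):
    """Extract (major, minor, is_esv) from a `named -v` banner such as
    'BIND 9.9.3-P1' or 'BIND 9.6-ESV-R9'. Raises ValueError if the banner
    carries no BIND version string at all."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no BIND version string in banner: %r" % banner)
    major, minor = int(m.group(1)), int(m.group(2))
    return major, minor, m.group(4) is not None


def branch_affected(banner):
    """True if the banner's branch is in the affected set, False if the post
    says it is unaffected, None if the banner is not a BIND 9/10 build the
    post says anything about."""
    major, minor, _ = parse_bind_version(banner)
    if major == 10:
        return False          # BIND 10 is unaffected
    if major != 9:
        return None           # outside the advisory's scope
    if minor == 6:
        return False          # 9.6 and 9.6-ESV are the stated exceptions
    return True               # every other BIND 9 branch, including 9.7+


def triage_inventory(inventory):
    """Given {hostname: banner}, return (affected, unknown): a sorted list of
    (hostname, banner) pairs on an affected branch, and a sorted list of hosts
    whose banner could not be parsed, so they are not silently dropped."""
    affected, unknown = [], []
    for host, banner in inventory.items():
        try:
            verdict = branch_affected(banner)
        except ValueError:
            unknown.append(host)
            continue
        if verdict:
            affected.append((host, banner))
    return sorted(affected), sorted(unknown)


# Constructed sample inventory: hostnames and banners are made up for this
# example and are not real hosts or observed versions.
SAMPLE_INVENTORY = {
    "ns1.example.test": "BIND 9.9.3-P1",
    "ns2.example.test": "BIND 9.6-ESV-R9",
    "ns3.example.test": "BIND 9.8.5",
    "ns4.example.test": "BIND 10.0.0",
    "ns5.example.test": "Unbound 1.4.20",
}

if __name__ == "__main__":
    needs_check, could_not_parse = triage_inventory(SAMPLE_INVENTORY)
    for host, banner in needs_check:
        print("CHECK  %-20s %s" % (host, banner))
    for host in could_not_parse:
        print("SKIP   %-20s not a BIND banner" % host)
```

One caveat worth remembering when you run something like this against distro-packaged BIND: distributions often backport the fix without bumping the upstream version string, so a banner on an affected branch means "go and confirm with the package changelog or the ISC advisory", not "definitely vulnerable".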

And if you don't have to worry about it, here's a name related song for you to enjoy.

Cuts off a bit sharpish but you can find the full version on Live Lounge 3.

Thursday, July 25, 2013

Papal Indulgences - Tor, Peak+, Async C#, Android 4.3 and FAQs

  • Want to run a Tor exit node - check your terms and conditions first. Tim Janik explains 

  • That's more like it - the Geeksphone Peak+ puts a little bit of muscle into a Firefox OS phone, doubling the memory but not a lot else. It's no Edge, but then it's €149+taxes and you could have one in September. The change here is that this phone is for consumers rather than developers.

  • Xamarin shipped out their async support for C# 5.0. Asynchronicity is a powerful tool, but you do have to make the mindset jump to use it well or be forced into it by the nature of the language environment.

Music Break

  • Waiting for Android 4.3 to land on your device ... here's the official What's New list. Feature I like? Pseudo Locales, which are locales designed for English speakers to test their UIs in non-English fonts without making the content inaccessible and therefore untestable. Lots of other small improvements too: visible GPU profiling, notification listeners for context aware apps...

  • And finally... The Government Digital Service's Sarah Richards FAQs as an anti-user pattern.

Wednesday, July 24, 2013

Close to the Edge^H^Hit

The Ubuntu Edge project seems to be a worthy attempt to crowd-source a phone. The "Formula 1" analogy that Shuttleworth uses is broken though; Formula 1 cars are prestige platforms for transporting brands in front of television cameras at carefully regulated speeds. A better analogy would be the production-concepts that car makers put out, in runs of tens at best which contain a lot of new tech and ideas. 

The Edge specs are interesting enough, but not that remarkable - 3GB low power RAM chips are just going into production, so 4GB should be coming on stream early next year. 128GB SSDs are around now, though there'll have to be some squeezing done to get them in, and quick; one assumes SSDs are being used to move the wear-levelling tech off the CPU and onto hardware, but I'm not sure what this buys apart from a device which can run with standard desktop Linux filesystems.

4 core processor with no other detail, not even architecture; well yes, we have quad-cores now... in ARM and in ULV Intel chips (so I wouldn't assume the Edge is ARM yet), so that's all possible, though no talk of a GPU leaves it all vague. 1280x720 display with good colour repro... easy enough. Sapphire glass display - hardly new and, in the volumes being talked about, pretty doable, but expensive.

And then there's the elephant in the room. The battery. The non-removable battery. The non-removable Silicon Anode battery. What is Silicon Anode? Well, your current generation of mobile phone battery uses a graphite anode, and that's pretty much what sets how much juice you can squeeze into the battery. Silicon can absorb more lithium, so clever chemists have been working on making anodes of silicon.

But there's a problem: silicon anode batteries are prone to swell and crack when being recharged. So there are a number of startups working on how to solve this problem and turning out iteratively improved versions of batteries as prototypes in early trials. Right now, these batteries are only being produced on pilot lines, and these are first generation partial silicon batteries. Second generation batteries are scheduled for 2014, but full silicon anode batteries are further out.

So, the real bet on the Ubuntu Edge is the first generation, new technology battery. I'm not a betting man, but if specifications are subject to change, I'd be putting my money on that specification changing.

Saturday, July 20, 2013

A $59 Billion Myth

For a licence compliance company, Black Duck can sure generate some real nonsense. Take for example their latest ... "Black Duck Unlocks $59B Opportunity for Enterprises Using Open Source"

Here we are told of the terrible number of projects out there that have no explicit licence. Fair enough, modern public repositories have the problem that people can put code up on them with no licence. Black Duck then go on to say there are often "embedded licences", so if you know what they are, you can comply with them, and that's how you can use the code: because you are complying with the embedded licences. And so Black Duck software unlocks this software because it lets you comply.


So not Numberwang. The problem with this position is that it ignores the fact that the entire project did not have a licence on it. There may well be embedded licences, but they (a) probably belong to existing standalone components and (b) only in some very particular cases would the embedded licence pull unlicensed code into a licensed form. This is like some sort of open source fracking process.

Now, Black Duck's backup position is probably "Ah, but we can tell you when that is". To which I say, firstly it won't be very often, and secondly, where's the probity in yanking unlicensed code off the net and working out that because component X is under licence Y, then all the code is under licence Y.

Thirdly, the process shows a distinct lack of regard for the author of the unlicensed code, gaming what could possibly have been an error or an accidental inclusion to grab their code. There's this thing called email; it lets you contact people. Modern repositories also have ways of contacting the author. Hey, clone the project, add a licence and send a pull request... the author will soon get the message.

But let's be blunt. The value of unlicensed code of unknown provenance on the net is $0. No magic wand is going to turn it into money. If you see an unlicensed repository, drop the repo owner a line, and point them at or similar so they can get a better feel for licensing.

Coming back like I was never away


Must turn that alarm off.

Yes, it's back, Codepapacy, the old blog which went into disrepair and bitrottage while I was busy with The H. Well, no more – The H that is – and lots more me, me, me. STOP RUNNING AWAY. Come back. Sit down. Yes, I'll be handling this as gracefully as one man handles a Jaeger in Pacific Rim (not seen it? It's great; it takes all the stereotypes of Japanese anime/manga robot/monster movies and reblends them into the best robot/monster movie... sorry where was I)... anyway yes, handling this as gracefully as I can. 

Here I will be a little more opinionated. So if you are looking for a The H replacement, now you can RUN AWAY.

Ok. Ready. Here we go... oh hang on, there'll be some music too...

Ok. Now here we go.