Install the latest version of libv8 manually, libv8-3.8.9.20 at the time of writing this:
apt-get install libv8-3.8.9.20
Download the nodejs package sources, dependencies and build them:
cd
apt-get source nodejs
apt-get build-dep nodejs
cd nodejs-*
debuild -nc -uc
If you encounter build-dependency errors, you should try first to lower the
dependency in debian/control, both in Build-Depends and in Depends and re-run
debuild. If the build fails (e.g. with undefined reference to 'ev_run') the
previous version is missing required functions. So, you must install the
updated versions of the required dependencies (e.g. libev4) from sid, using
apt-get install name=version e.g. libev4=1:4.11-1. I suggest this because
you’ll have to manually update packages installed from sid, so the lesser, the
best.
So you have a Linux VM you use for development, because you want to mirror the
production environment as closely as possible. You have many applications to
deal with, they have to be running at the same time because they are nifty REST
JSON web services.
You are very tired to remember which one you put on port 8081, and your
configuration files slowly become a real mess. So you set up IP address aliases
in for the network interface and decide to assign even host names –
/etc/hosts is just fine – for each app.
Then, in such a setup, why would you still need to run them on ports higher
than 1024? Wouldn’t be just great to type the application name in the browser
address bar? Indeed it is, but it’s better to not run them as root, anyway.
The solution are Linux
capabilities
(see also here). The one that
interests us is cap_net_bind_service: it gives a process the right to bind
well-known ports (< 1024). If you use an interpreted language, of course you’ll
have to add the capability to the interpreter itself. That’s why there’s
development in the title of this article – you should not set this up on a
production server, if you don’t know what you are doing.
One final quirk: if you happen to dlopen() shared objects that dynamically
link towards libraries outside the canonical paths, you cannot load them via
LD_LIBRARY_PATH (e.g. the SYBASE.sh) as it is ignored for setcap-ped
processes. You should better move the library paths into an /etc/ld.so.conf.d
snippet.
“If it is good, they stop making it”, the
payoff printed on the conference necklaces, distributed to every participant,
along with an über-l33t badge customized with our nickname and the key
hash.
Being my first experience at an international security conf (I’ve only been
to the ccc2k+7 camp), and being a ph outsider ‘cause I never participated
to previous editions, the boot keynote held by FX, staffer and frontman, has been
enlightening: “you ought to be here!”, he yelled while pointing at
the stage, wearing a white shirt with the Phenoelit logo printed on both
arms.
“This conference has never started on time”, he continued,
“so there was no reason to do that for this last one”. the schedule
is straightforward: party, the next days talks from 12.00PM to 7.30PM, then
party, and the last days talks from 12.00PM to 5.30PM. definitely a setup
well-playing with the available alcohol :-D.
Afterwards, another speaker informed us that the wi-fi access keys we
received at the registration allows us to use a 6 APs/3 repeaters beast driven
by an OpenBSD box – they want the audience to hack it because, well,
“you are the Worst Case Scenario.” :-)
Then, the funny Hacker Hacker video was presented:
:-D
After a lousy and not so exciting first night (due to tiredness), we’ll wait
and see what the next day would bring.
High capacity sniffers used in big cos and on border national gateways that
collect user generated traffic on order to find possibly “criminal”
patterns are today generally available for bandwidth to the 10Gbps, there will
be soon appliances that’ll process streams of 100Gbps. Sniffjoke, by vecna and evilaliv3 is a tool that can inject into
TCP connections outsider packets that will fool the
intercepting sniffer but with no remarkable effect on the receiver. these
packets for instance trick the sniffer into thinking that the connection has
been reset even it is not true – by injecting a wrong-checksummed RST or a packet with a TTL less
than 1 of the hop count – or try to consume its processing power by using
known vendor-specific interpretations of the TCP RFC.
Details: website, slides, wireshark
thread.
Thanks to @jodosha efforts and praising the
former Javaday event, now renamed into codemotion
that brought in Rome many Ruby developers from Milan, Padua and other parts of
Italy – the first official Ruby Social Club in Rome has been a great success.
Of course, officialty is measured only in the amount of twitter spam
posted about it! :-): earlier RSCs in Rome go back in time to
2006
organized by current mikamai members and more meetups
promoted by @jekoin
2007.
What matters is that there’s a community, there’s a passion, and there’s love
to share knowledge - no matter who holds the meetings, the important thing is
that they’re being held :-).
The event was simple and direct - some beers first, then my keynote on RVM and
Ruby interpreters, then Luca’s one announcing his
minege.ms project and after real social networking
:-). I met @gravityblast after much time we
didn’t meet, knew the PIP group and met
@svarione,
@punkmanit,
@leonardoperna,
@riggasconi,
@ogeidix and other smart people. Moreover, we
spent quite some nice time together, making up a really lousy and funny
week-end. Of course, huge kudos to @nhaima’s car
- that tirelessly carried us around Rome for two days :-)
Now, looking forward to the next meetup, thanks everyone who participed,
who offered me beers and, last but not least, thanks to
@etapeta for bringing me in time at the meeting -
you’re the real hero :-).
I spent the last two days trying to set up the Aluminium Mac Mini (rev. 4,1)
as a home NAS server with encrypted storage, and I
wanted a BSD system on it. There’s already an
embedded OpenBSD onto the soekris gateway, and another companion would have
been nice. :-)
FreeBSD 8.2-RC1 boots but, due to the same bug, doesn’t recognize any
SATA drive nor any USB
umass device;
NetBSD 5.1 boots fine, handles SATA disks via the generic pciide driver (no DMA, thus quite slow) but, unluckily, doesn’t handle
the BCM57762 ethernet controller. I tried with quick
and dirty patches to bring the
bge driver up to date with -current, but still no luck: the MII link detection works, the card transmits but
doesn’t receive. The sdmmc controller as well works with -current but not
with 5.1-RELEASE. ACPI works correctly;
OpenBSD 4.8 boots, can access the SATA drives
without DMA, and recognizes the bge network card, but
exposes the very same behaviour as NetBSD 5.1 with the -current driver fitted
in;
DragonFlyBSD 2.8.2 doesn’t even enter kernel mode, I suspect
due to ACPI bugs;
PureDarwin didn’t
inspire me too much, due to the many blocking issues.
All of them support encrypted storage, I built up a NetBSD CGD disk flawlessly onto dk wedges; FreeBSD has got the
interesting gbde(8) and
geli(8) GEOM-based tools that I wasn’t able to test, while OpenBSD
supports crypto via a softraid
personality. Unluckily, support for the, nowadays, exotic Apple hardware is
a no-brainer.
Out of curiosity, I was looking how a browser interacts with the Google Instant
backend. While looking at the HTTP exchanges via Firebug, I first asked myself
why they’re encoding HTML and JS with \xYY escape sequences, then why the
very same JS functions are sent back and forth on every request, and later I
stumbled upon the google.com/s?q=QUERY JSONp service.
Give it a query, and it’ll return the suggested related phrases that are used
to build the menu under the search input while using suggestions and/or instant
(didn’t dig too much into all the other parameters).
Anyway, what’s interesting is that, of course, the suggestions are customized
on a per-country basis. To show the differences explicitly, let’s ask the
service the simplest query possible, a:
aer lingus, aib, argos, amazon.co.uk, argos.ie, asos, aa route planner, amazon, aldi, aib internet banking
Lastly, because I’ve been there lately and it has been a profound experience, Cuba:
asus, antonio maceo, amor, amigos, ain, antivirus, avira, alba, aduana, as
I’m sure @nhaima is smiling while seeing these words, because hell yeah, over
there they really google antivirus software (avira is one of them) a lot
because it’s a world without the Internet, thus without free software: you’re
condemned in using Windows stuff, and you take what you pay for. Antonio Maceo
has been an hero of the 19th century revolution, and it’s in the heart of Cuban
people. Amor, Amigos! :-)
On July 22nd 2010, Mikamai hosted a Ruby Social Club in
Milan, where
nearly 50 people attended watching five speeches about Ruby, Web development
and Startups. I was glad to be one of the speakers, and I presented a set of
Rails plugins we spinned off from our latest (and
greatest) project: Panmind (read more on the about
page) and released as Open Source on
GitHub.
The keynote is split in two parts: the first one explains why you should
follow the sane software engineering principle of writing modular and
interest-separated code and then how you could (and should) extract it from
your Rails application by decoupling configuration and then prepare for the
Open Source release, by writing documentation AND presenting to a Ruby
event so, hopefully, someone else will write unit tests! :-)
We released an SSL helper plugin that
implements filters (like Rails’ ssl_requirement) but also named route helpers:
no more <%= url_for :protocol => 'https' %>! You’ll have something like
plain_root_url and ssl_login_url - like they were built into the framework.
Then, a Google Analytics ultra-simple
plugin, with <noscript> support, a couple of test helpers and an
embryo
of a JS Analytics framework - hopefully it’ll evolve into a complete jQuery
plugin. Then, a ReCaptcha interface,
with AJAX validation support and eventually a
Zendesk interface for Rails.
As most of you already know, there are two open, critical
vulnerabilities in iPhone
OS versions from 3.x up. The first one resides in the Compact Font Format
component of the PDF renderer and the second one an error in the kernel,
allowing attackers to bypass the sandbox (SeatBelt) inside which applications
are run on the iPhone.
The two vulnerabilities were discovered by @comex,
@chpwn and other people.
Only few weeks later the .lnk design
flaw on windows (guys, you’re using
LoadLibraryW to load a damn icon!), these iPhone OS vulnerabilities are even
more interesting, because of the way the release is being handled by the
community and the vendor.
I spent 3 hours last night trying to find detalied information about the bug,
and except confused (and propagandistic) blog posts the only bit of
information is in this tweet,
and in the actual pdf exploit running on
jailbreakme.com. Where are the security lists
posts? Where is the CVE? Even the CERT still doesn’t say anything about this
vulnerability.
There’s something terribly wrong going on: the
cat-and-mouse-game that is making
the iphone-dev team researchers not disclose any
of the vulnerabilities they find has become very dangerous for end users: an
exploit that allows remote code execution and jail escape without no
interaction whatsoever by the user, carried via something that’s used to
consider “safe” (a PDF file) is what is called a critical hole; while the
exploit that uses it is called a 0-day. It’s the first time in my life I see
a 0-day packaged and distributed explicitly via a web site.
In a nutshell, it adds support for unmarshaling 1.9 strings, and implements the
last missing type (TYPE_LINK) that was missing from the code. Tests still
lack, can someone help ? :-)
Added TYPE_LINK, needed because of how ruby 1.9 marshals strings.
In 1.9, Ruby marshals the string encoding in the binary output, and
uses an Ivar construct (TYPE_IVAR) to wrap the string and adds an
"encoding" instance variable (notice: without a leading @) whose
value is the encoding itself.
While the Ivar code worked correctly, the values of the encodings
are actually *strings*, that are being reused via the TYPE_LINK
construct, that wasn't implemented.
So, the get() and put() primitives are being used to store not
only tuples {id, sym} for symbols, but now store either
{{symbol, ID}, sym}
OR
{{value, ID}, val}
for the other types that use TYPE_LINK.
By reading the ruby marshal.c source code, it looks like that MANY
data types save their values in the arg->data hashtable, but by
inspecting the binary marshal output of, e.g, an array of floats,
links aren't used.
Thus, in this unmarshaler, links are considered, for now, only for
strings and regexes.
If your CouchDB 0.11 gives you the “Invalid UTF-8 JSON” error on every POST
or PUT you issue to it, make sure that in your
$prefix/usr/lib/couchdb/erlang/lib there aren’t leftovers from previous
installations.
On our dev server, I found there two directories
(“couch-0.10” and “mochiweb-r97”) from the old 0.10 setup that were causing
this issue.
This applies if you upgraded from source, as you’ve probably did, because there
aren’t too many packages of CouchDB 0.11 as of April 2010 :-).
