NewsBits: Cloudbleed, SHAttered, Drones, PostgreSQL and JDBC, Node's async and Rails 5.1 betas

Published

Newsbits for the week ending February 24th - Cloudbleed sees Cloudflare leak secrets, SHA1 collisions made real, Drones vs Airgaps, a big new version number for PostgreSQL's JDBC driver, async comes to Node.js, the next Rails goes into beta and chatops app Cog goes 1.0 but there's a but.

This week, NewsBits leads on security stories because these stories touch everything, followed by database and developer news. It's the essential bits in NewsBits:

Security Bits

Cloudbleed

This week, security has been headlining. Top of the list, now dubbed "Cloudbleed" despite best efforts, is Cloudflare's leaking of private data. Cloudflare runs a content delivery network which works with SSL connections and to do this, it rewrites web pages going through the network. Unfortunately, as Google's Travis Ormandy found, a bug in that rewriting was injecting bits of memory from the rewriting systems which could include passwords and other sensitive information.

Cloudflare reacted quickly to being told and shut down the affected services and set to work to clean caches and search data which had swept up some of this data. Cloudflare's write up has more details. The safest course of action, if you had an account on a Cloudflare delivered site, is that you should change your password anyway - but then you rotate your passwords regularly don't you. For the record, Compose does not use Cloudflare.

SHAttered

While Cloudbleed was an immediate issue, Google and CWI announced a SHA1 collision, something that'll be changing how we secure things over the next decade and beyond. The Google/CWI team managed to create a practical SHA-1 hash collision for two different PDF documents using thousands of hours of CPU and GPU compute time. The collision technique, named SHAttered means it's possible for a bad actor to create a document that could pass security inspection and replace a trusted document. It's been theoretically possible since 2005 that there would be a SHA1 collision created. Now, with it proven, the migration to more secure hashes will really begin and the sun will set, eventually, on SHA1. There are many mitigations and caveats to the collision demonstration, though, from the sheer cost (over half a million dollars of computing time it is estimated) to the fact that some SHA1 uses are already reinforced, like Git's so they aren't as affected.

Drones vs airgaps

In somewhat lighter security news, it seems a team in Israel are proving how viable it is to have a drone hover outside a window and watch an LED blinking out data being transmitted by malware. In a Wired report the team managed about 4000 bits a second which is pretty good going for exfiltration over an air gap. The technique can, of course, also be thwarted with curtains and doors.

Database bits

PostgreSQL JDBC 42

There's a new release of the PostgreSQL JDBC driver which now uses java.util.logging, has batching that works with pgbouncer and drops support for pre-PostgreSQL 8.2 databases. More noticeable though is the jump from version 9.4.1212 to version 42.0.0. The reason for the change? To stop it looking like it was a PostgreSQL server version number among other things. Why 42? Why not...

Developer Bits

Node gets Async

Last October, the V8 JavaScript engine developers published [release 5.5] of the JavaScript engine and now the latest Node release, 7.6.0 incorporates that. The V8 update brings the async functions of ES2017 to JavaScript which means that instead of manually managing promises, chaining callbacks or other techniques you can now make a function async by tagging it as such and use await to wait for the return of values from other functions within it. Two keywords but a much cleaner way to work with promises.

Rails 5.1. beta 1

Over in the world of Rails, version 5.1 has gone into beta. This new version looks to bridge Ruby and JavaScript with support for managed JavaScript dependencies, Webpack JavaScript compilations and the end of jQuery as a dependency. There's also more testing baked into the framework, encrypted secrets management, simpler parameterized mailers and more. It's expected to be released before RailsConf 2017 at the end of April.

Cog 1.0

The folks at Operable announced version 1.0 of their chatops platform Cog. Unfortunately, those same folks had to announce Operable was no more and they were shutting down so Cog is now in search of a new community to maintain it.


If you have any feedback about this or any other Compose article, drop the Compose Articles team a line at articles@compose.com. We're happy to hear from you.

Dj Walker-Morgan
Dj Walker-Morgan is Compose's resident Content Curator, and has been both a developer and writer since Apples came in II flavors and Commodores had Pets. Love this article? Head over to Dj Walker-Morgan’s author page and keep reading.