Newsbits for the week ending February 24th - Cloudbleed sees Cloudflare leak secrets, SHA-1 collisions made real, Drones vs Airgaps, a big new version number for PostgreSQL's JDBC driver, async comes to Node.js, the next Rails goes into beta and chatops app Cog goes 1.0 but there's a but.
This week, NewsBits leads on security stories because these stories touch everything, followed by database and developer news. It's the essential bits in NewsBits:
This week, security has been headlining. Top of the list, now dubbed "Cloudbleed" despite best efforts, is Cloudflare's leak of private data. Cloudflare runs a content delivery network that works with SSL connections and, to do this, rewrites web pages as they pass through the network. Unfortunately, as Google's Tavis Ormandy found, a bug in that rewriting was injecting chunks of memory from the rewriting systems into pages, and that memory could include passwords and other sensitive information.
Cloudflare reacted quickly once told, shut down the affected services and set to work cleaning caches and search engine data that had swept up some of the leaked content. Cloudflare's write-up has more details. The safest course of action, if you had an account on a Cloudflare-delivered site, is to change your password anyway - but then you rotate your passwords regularly, don't you? For the record, Compose does not use Cloudflare.
While Cloudbleed was an immediate issue, Google and CWI announced a SHA-1 collision, something that will change how we secure things over the next decade and beyond. The Google/CWI team created a practical SHA-1 hash collision: two different PDF documents with the same SHA-1 hash, produced using thousands of hours of CPU and GPU compute time. The collision technique, named SHAttered, means it's possible for a bad actor to create a document that could pass a SHA-1-based integrity check and replace a trusted document. A SHA-1 collision has been theoretically possible since 2005; now that one has been demonstrated, the migration to more secure hashes will really begin and the sun will set, eventually, on SHA-1. There are many mitigations and caveats to the collision demonstration, though, from the sheer cost (over half a million dollars of computing time, it is estimated) to the fact that some SHA-1 uses are already reinforced, like Git's, so they aren't as affected.
Drones vs airgaps
In somewhat lighter security news, a team in Israel has shown how viable it is to have a drone hover outside a window and watch an LED blinking out data transmitted by malware. In a Wired report, the team managed about 4000 bits a second, which is pretty good going for exfiltration across an air gap. The technique can, of course, also be thwarted with curtains and doors.
PostgreSQL JDBC 42
There's a new release of the PostgreSQL JDBC driver, which now uses java.util.logging, has batching that works with pgbouncer and drops support for databases older than PostgreSQL 8.2. More noticeable, though, is the jump from version 9.4.1212 to version 42.0.0. The reason for the change? Among other things, to stop it looking like a PostgreSQL server version number. Why 42? Why not...
Node gets Async
async by tagging it as such and use await to wait for the return of values from other functions within it. Two keywords but a much cleaner way to work with promises.
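An added example, not code from this NewsBits post or from Node.js itself, showing the promise-chain form beside the async/await form and the slip that bites most often (calling an async function without await, which turns an authorisation check into one that always passes); the user lookup and every name in it are constructed for the example:

```javascript
// Added example, not code from the NewsBits post or from Node.js itself.
// A constructed stand-in for an asynchronous lookup (a database or HTTP call);
// the user records and all names below are hypothetical.
function lookupUser(id) {
  const users = { 1: { name: 'alice', roles: ['admin'] },
                  2: { name: 'bob',   roles: [] } };
  return new Promise((resolve, reject) => {
    setTimeout(() => {
      if (users[id]) resolve(users[id]);
      else reject(new Error(`no such user: ${id}`));
    }, 5);
  });
}

// Promise-chain style: every step and error path is a callback.
function isAdminWithPromises(id) {
  return lookupUser(id)
    .then(user => user.roles.includes('admin'))
    .catch(() => false); // unknown user: not an admin
}

// async/await style: the function is tagged async, each awaited call reads
// like a synchronous one, and errors flow through an ordinary try/catch.
async function isAdminWithAwait(id) {
  try {
    const user = await lookupUser(id);
    return user.roles.includes('admin');
  } catch (err) {
    return false; // same fallback as the promise version
  }
}

// Pitfall: calling an async function WITHOUT await yields a Promise object,
// and a Promise is always truthy, so this "guard" lets everyone through.
function forgotToAwait(id) {
  const allowed = isAdminWithAwait(id); // missing await
  return Boolean(allowed); // always true, even for bob or user 99
}

// The same guard with the await in place.
async function correctlyAwaited(id) {
  const allowed = await isAdminWithAwait(id);
  return Boolean(allowed);
}
async function main() {
  console.log(await isAdminWithPromises(1), await isAdminWithAwait(2)); // true false
  console.log(forgotToAwait(99), await correctlyAwaited(99));           // true false
}
main().catch(err => { console.error(err); process.exitCode = 1; });
```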
Rails 5.1 beta 1
The folks at Operable announced version 1.0 of their chatops platform Cog. Unfortunately, those same folks also had to announce that Operable was no more and they were shutting down, so Cog is now in search of a new community to maintain it.
If you have any feedback about this or any other Compose article, drop the Compose Articles team a line at firstname.lastname@example.org. We're happy to hear from you.