The Heartbleed bug

This morning we found out that OpenSSL has a very serious bug (CVE-2014-0160), potentially exposing private keys used for SSL. From heartbleed.com:

“Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

We immediately checked all our servers, updated OpenSSL and replaced all keys and certificates.

Last year I gave a presentation, explaining why you should not use OpenSSL in your Ruby code. Unfortunately OpenSSL is still being used by many parts of a typical *nix stack including Apache, Nginx and OpenSSH.

Are you vulnerable? Use filippo.io/Heartbleed/ to find out. While you’re at it, you might want to check you SSL settings with this handy tool from SSL Labs.

Avdi Grimm has a great post on all the hype surrounding "new" languages vs Ruby:  

“scaling a big system stories” are the supermarket checkout tabloid fodder of the programmer world. Everyone wants to have that amazing scaling story to tell.

...

Meanwhile, I suspect 80% of programmers are still working on problems where their development velocity is a much bigger problem than how many hits their server can take before falling over.

...

Another thing to keep in mind: the most important asset your team has is your shared understanding of the problem.

We are continually looking into new languages and their possibilities (and limitations). That being said, we still find Ruby to be the best fit for almost all problems we encounter.

Nice initiative by Bits Of Freedom and Hackerspaces:

Bij het Privacy Café leer je je persoonlijke gegevens te beveiligen. Zie het als digitale zelfverdediging.

Vrijwilligers van burgerrechtenorganisatie Bits of Freedom en leden van hackerspaces staan je bij tijdens deze praktische cursussen. Ze reizen door Nederland en helpen jong en oud om hun laptop, tablet en smartphone af te schermen. Doe mee, en sta zo steviger tegenover nieuwsgierige bedrijven,  weetgrage overheden en digitale criminelen.

"When you’re picking a data store, the most important thing to understand is where in your data — and where in its connections — the business value lies. If you don’t know yet, which is perfectly reasonable, then choose something that won’t paint you into a corner. Pushing arbitrary JSON into your database sounds flexible, but true flexibility is easily adding the features your business needs.

Make the valuable things easy."

Interesting talk by Jose Valim on concurrency in Ruby and how we can learn from other languages.

Baruco 2013: The Future of JRuby, by Charles Nutter. Includes a great explanation of concurrency differences between MRI, Ruby 2.0 and jRuby.

DenHaag.rb at FourStack

Last night we hosted DenHaag.rb with about 40 attendees. 

We had 3 talks, one on crypto (slides), one about how Go compares to Ruby and one on the Lightning Thunderbolts team that participated in the RailsRumble (vote for them!).

Checkout the pictures on meetup.

See you next time!

After having piggybacked on dev/haag and Rails Girls, again a meetup of our own!

Talks:

Marek de Heus on do's and don'ts in crypto

Harm Aarts on the Go programming language

a third talk still to be announced and/or lightning talks (just five minutes, slides optional): contact us so we can add it here as well!   

This could be huge.

It's a complete new way of doing authentication on the web, designed by Steve Gibson, creator of Spinrite. It combines the best of LastPass/1Password and OTP phone apps like Google Authenticator. 

Some of the features:

unique credentials per site,

out of band authentication,

no third-party involvement,

super user friendly.

"Proposing a comprehensive, easy-to-use, high security replacement for usernames, passwords, reminders, one-time-code authenticators . . . and everything else.

With Secure QR Login,  your phone snaps the QR code displayed on a website's login page and YOU are securely logged in.

The SQRL system (pronounced “squirrel”) revolutionizes web site login and authentication. It eliminates every problem inherent in traditional login techniques."

Our blog turned 1 today!

Andrew and Adam talk with Sytse Sijbrandij, one of the Co-founders of GitLab, about building GitLab, sustaining open source, community management, and ways to handle a "road map" for your product or project.

TLDR:

UI Changes: toolbar tint, problems with new full-screen navigation, new home screen icon sizes; no <title> usage on iPhone; possible conflicts with new gestures.

New devices: nothing new about them for web developers, same as iPhone 5.

HTML5 markup: video tracks, <progress>, REMOVED support for input type=datetime  

HTML5 APIs: Page Visibility, AirPlay API, canvas enhancements, REMOVED support for Shared Workers, Web Speech Synthesis API, unprefixed Web Audio and Animation Timing, Mutation Observer and other minor additions. BIG PROBLEM with WebSQL using more than 5Mb.

CSS: Regions, Sticky position, FlexBox, ClipPath, unprefixed Transitions and other enhancements

Home Screen webapps: SEVERAL SEVERE PROBLEMS (for example, no alert support!)

Native webapps: Web View Pagination, JavaScript runtime for native apps and video playing new abilities

Last weekend was the first ever Rails Girls The Hague. 

If you missed it, check out the pictures and presentations.

Lyza Danger Gardner on building the web everywhere:

"Instead, I think we need to try to do as little as possible when we build the future web.

This isn’t a rationalization for laziness or shirking responsibility—those characteristics are arguably not ones you’d find in successful web devs. Nor it is a suggestion that we build bland, homogeneous sites and apps that sacrifice all nuance or spark to the Greater Good of total compatibility.

Instead it is an appeal for simplicity and elegance: putting commonality first, approaching differentiation carefully, and advocating for consistency in the creation and application of web standards."

IamTheRealMike writes "In the wake of Bruce Schneier's statements that he no longer trusts the constants selected for elliptic curve cryptography, people have started trying to reproduce the process that led to those constants being selected ... and found it cannot be done. As background, the most b...

Rails Girls The Hague starts tomorrow

This friday RailsGirls The Hague will take off at 6pm with the installation party:

Come get Rails installed by our bunch of pro’s, along with a funky looking terminal, easy-to-use texteditor and more. There’ll be pizza. And drinks.  Sponsors, boyfriends, girlfriends and developers that happen-to-be-in-the-neighborhood are more than welcome to join.

See http://railsgirls.com/thehague for details.

FourStack to sponsor Rails Girls The Hague

Rails Girls will land in The Hague on september 13th and 14th to help aspiring lady techies build an application. 

FourStack is happy to announce that we will sponsor this event.

See RailsGirls.com for details.