I have been accused of censorship on my blog for deleting comments which are seen as criticism of my views on Telkom's technical flaws, and yes, I have been deleting comments. I have felt these comments are attacking me as the author and that they are not discussing the issues at hand, and I do not want anger, fighting or hate on this blog. This is a place to help, not a place to break down. If the authors feel they have a point, they are welcome to clearly and calmly rephrase it and post again. Alternatively, they are also welcome to post to Reddit, where most of this has already been discussed and I have no control of what appears.
Do you miss TechEd? Do you miss a big conference where the passage conversations with the best presenters in the country and from around the world can happen? Do you miss having too many choices for topics to attend because they all sound great?
I do. The conference space in SA has shifted a lot in the last few years with niche events happening, but very few broad events focused on networking, skilling up and the challenges faced by the modern developer in South Africa who must wear multiple hats. Together with the Developer User Group we are going to fix that!
Come 8th March, in Johannesburg, we will have a new full day conference called DevConf! It has multiple tracks jammed full of content for you including talks covering programming techniques, tools & frameworks, databases, DevOps and the softer skill stuff (like dealing with teams). The event has over 40 speakers including the best from South Africa and internationally. Personally I am so excited to see Willy-Peter Schaub from Microsoft in Canada come out to share about how they use Agile!
Tickets are on sale right now and all the details can be found at http://www.devconf.co.za
If you have VS 2015 and you have installed Update 2, you may run into a painful bug trying to do builds for the Windows 10 store where they just fail with the following errors:
1>MakeAppx : error : The mapping file can't be parsed. The error occurs at line 3. [app\platforms\windows\CordovaApp.Windows10.jsproj]
1>MakeAppx : error : Package creation failed. [app\platforms\windows\CordovaApp.Windows10.jsproj]
1>MakeAppx : error : 0x8007000b - An attempt was made to load a program with an incorrect format. [app\platforms\windows\CordovaApp.Windows10.jsproj]
1>MDAVSCLI : error : Error code 1 for command: C:\Program Files (x86)\MSBuild\14.0\bin\msbuild with args: app\platforms\windows\CordovaApp.Windows10.jsproj,/clp:NoSummary;NoItemAndPropertyList;Verbosity=minimal,/nologo,/p:Configuration=debug,/p:Platform=x86
1> Command finished with error code 2: cmd /s /c "app\platforms\windows\cordova\build.bat --debug --archs=x86 --win --buildConfig=app\build.json"
1>ERROR building one of the platforms : error : cmd: Command failed with exit code 2
1> You may not have the required environment or OS to build this project
1>MDAVSCLI : error : cmd: Command failed with exit code 2
The solution to this is twofold:
First you need to change the Cordova version to 5.3.1 in the config.xml
Second you need to open the config.xml in the XML editor (select it in Solution Explorer and press F7) and near the bottom you will find the node vs:platformSpecificValues, delete it and all it contains.
You should now be able to do a Windows 10 build that can be uploaded to the store.
The dev tools team recently released update 1 for the Visual Studio Tools for Apache Cordova; however, this update can cause VS to hang and/or cause other issues with Cordova projects. This is a known issue and it is one that impacts early adopters most of all, because it is the combination of two things that causes this to happen: one being the update, the second being the original Windows 10 SDK. There was an issue with the SDK and it was re-released a few days after the initial release with a fix, but anyone with the original bits will have a problem – this includes anyone installing VS 2015 from the ISO while not connected to the internet (if you are connected, even if you use the ISO, it will get the latest bits).
If you have not yet installed the tools, the check is simple – open the registry and make sure you have the following key:
- For x86: HKLM\Software\Microsoft\VisualStudio\14.0\Setup\VS\JSLS_MSI\Version
- For x64: HKLM\Software\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VS\JSLS_MSI\Version
If you do not have that registry key, you are at risk of this issue and you should do the following:
Ensure you have an internet connection BEFORE you start this.
- Go to Programs and Features, select Visual Studio 2015, click Change.
- In Visual Studio setup, click Modify.
- Deselect the feature Tools for Universal Windows App Development.
- Select Tools for Universal Windows App Development again, and click Update.
(basically forcing the VS installer to get the latest SDK bits and install those which means the issue doesn’t occur)
If you have already uninstalled the Tools for Universal Windows Apps Development
- Reinstall Tools for Universal Windows App Development.
- Download the installer for your edition of Visual Studio, such as, vs_community.exe.
- Open a command window, and run the following command:
- Change directories to C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE
- Run the following commands
(thanks to Paul Chapman on the forums for this information)
This is a follow up to my post on the man-in-the-middle attack that Telkom continues to use, as well as to the Telkom response in the awesome TechCentral article and new thoughts brought about by the Reddit post.
A real threat
Shortly after I posted my article I was contacted by someone (let us call them Person X) who went snooping based on my post and found that Telkom did indeed have a major security flaw in the system. We agreed to hold off on sharing the information publicly until Telkom fixed it or enough time had elapsed to show they didn’t care. Telkom appear to have fixed it, as far as I can tell, so let us dig into this major attack vector.
Recapping: the content that is served to you is made up of three pieces:
- HTML – a bit of HTML is loaded, once again from the same server as above.
- Image – the graph showing you the usage is a static image served from a server which is (oddly) available everywhere: http://images.telkomsa.net/
Person X realised that the images came from a folder ibn and that folder had directory listing enabled, which isn’t a good practice but, normally, not a major security concern. What the directory listing showed, besides the files, was the version number of the server, which was (at the time) 2.0.52.
Apache 2.0.52 was released in November of 2004… 11 years ago and has NUMEROUS security flaws. There is no reason to run this version at all; it is insecure and points to a major flaw in Telkom's security procedures. Using one of the flaws, it was possible to replace the specific image on the server with anything you wanted. For example, you could swop the image file with a Flash file that used one of the recent zero-day attacks against Flash, leveraging Telkom’s system to deliver said Flash file to the user for you and thus allowing you to own the target machine.
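A defender-side check for the two exposures described above (an open directory listing and a disclosed, outdated server version), added here as an example and not code from the original post: it audits a response from a server you operate. The sample responses, the host name and the `min_supported` policy value are constructed assumptions.

```python
import re

# Constructed sample of an Apache auto-index response; the host name is made up.
LISTING_HEADERS = {"Server": "Apache/2.0.52 (Unix)", "Content-Type": "text/html"}
LISTING_BODY = """<html><head><title>Index of /ibn</title></head><body>
<h1>Index of /ibn</h1>
<pre><a href="usage.png">usage.png</a>   01-Jun-2015 10:00   12K</pre>
<hr><address>Apache/2.0.52 (Unix) Server at images.example.test Port 80</address>
</body></html>"""

# Constructed sample of the same request after hardening
# (Options -Indexes, ServerTokens Prod, ServerSignature Off).
HARDENED_HEADERS = {"Server": "Apache"}
HARDENED_BODY = "<html><body><h1>403 Forbidden</h1></body></html>"

INDEX_RE = re.compile(r"<title>\s*Index of\s+(/[^<]*?)\s*</title>", re.IGNORECASE)
BANNER_RE = re.compile(r"\bApache/(\d+(?:\.\d+)+)")


def audit_response(headers, body, min_supported=(2, 4)):
    """Return (finding, detail) tuples for one HTTP response.

    min_supported is a policy value chosen by the operator (an assumption
    of this example); any disclosed Apache version below it is flagged.
    """
    findings = []
    listing = INDEX_RE.search(body)
    if listing:
        findings.append(("directory-listing", listing.group(1)))

    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    flagged = set()
    for source, text in (("server-header", server), ("page-footer", body)):
        banner = BANNER_RE.search(text)
        if not banner:
            continue
        version = banner.group(1)
        findings.append(("version-disclosed", f"{source}: Apache/{version}"))
        numeric = tuple(int(part) for part in version.split("."))
        if numeric < min_supported and version not in flagged:
            flagged.add(version)  # report each outdated version once
            findings.append(("outdated", f"Apache/{version}"))
    return findings


if __name__ == "__main__":
    for finding in audit_response(LISTING_HEADERS, LISTING_BODY):
        print(finding)
    print(audit_response(HARDENED_HEADERS, HARDENED_BODY))
```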
Remember this popup only shows to people who meet the following three requirements:
- Telkom ISP client
- At or near their limit
- Have not opted out
I would assume that the tech-savvy among Telkom's users have opted out, and those near their limit are soft capped, meaning that security patches are slower to get to them. In short, it is the most vulnerable group who would be targeted. Scary right?! Let us hope Telkom fixed all the issues with that server and all the others.
Comments on Telkom’s choice wording
I am really happy Telkom has responded and is fixing things, that is all I wanted. That said, their choice of wording and delay on commenting until they fixed the issue is interesting. Let us break down their response and I am avoiding nit-picking since I could do a lot of that too.
In technical terms, we refer to it as an HTTP redirect
That is true. It is an HTTP redirect, but the manner in which it is used is not the traditional sense of an HTTP redirect, where the destination server tells the client to go somewhere else. Here a man in the middle (see what I did there) is doing the telling, and thus I chose the term MITM attack as the description. It is not an exact description, but it is a description that covers the entire scenario and not just one chosen aspect.
HTTP redirect is a common mechanism used in service provider networks for content caching and to optimise video streaming
does not alter the Web service content
is not a security risk
See above and then realise it was only true when it was said, not the day before.
will not ‘break’ a website
The web is a big place, it is impossible to know that. I also wonder why break is in quotes – is there more than one definition of break?
I have been asked recently about the ES6 support in VS and I haven’t had a good answer about how much of it is supported right now (i.e. VS 2015 RC) and what is supported. The general feeling from the askers is that VS is far behind in this space, so the only reasonable thing to do is for me to test this and let you know.
Using Luke Hoban’s awesome page on ES6 features gave me a great point to kick off from around the different features. I then tested each feature in VS 2015 RC and also in VS Code (our new lightweight, cross-platform, free IDE) and in the end Visual Studio has 70% implemented and Code has 94% implemented. What does implemented mean though? It means no errors and the IDE does the right IntelliSense stuff for you. There is on-going work with both IDEs so this will improve, but as a baseline for discussion it is useful.
The way I worked it out is to assign a 1 (works) or zero (doesn’t work) to each feature. In some cases I assigned a middle value because it kinda worked and the footnotes will explain that. The only missing one on here is the reflect API. I don’t have an example I can work with around that yet, so I did not include it. If you find any errors here, please let me know and I will gladly update!
Enhanced Object Literals
Default + Rest + Spread
Let + Const
Iterators + For..Of
Map + Set + WeakMap + WeakSet
Math + Number + String + Array + Object APIs
Binary and Octal Literals
- No issues in the IDE are raised but the IntelliSense is lacking.
- No issues in the IDE are raised but the IntelliSense is lacking.
- There is an odd issue where an extra warning is raised in the wrong place. It doesn’t break anything but isn’t ideal.
- No IntelliSense on the loaders.
- Again lack of IntelliSense is the issue.
- Weird warning appearing, which looks like a bug.
In February this year I was contacted by the team at PACKT Publishing about being a technical reviewer for a book which was underway, in exchange I would get a free copy of the book and be listed in the book as one of the reviewers. I have toyed with the idea of writing a book for ages so this felt like a good idea to see what happens behind the scenes without committing to actually writing a book. I said yup to them, and today that book got published! You can get it at: http://bit.ly/json_cookbook (I am really excited about this)
The book* itself is a very interesting mix of content, from the very basics of JSON to an introduction to MongoDB and storing data in it. It very much hits the nail on the head with the description “Quick answers to common problems”. What I think is really awesome about it is that it really tries to cover a lot of languages & tools. So there is .NET, Java, Node.js, Android, ObjectiveC and more. The examples are really great as all work on a variety of OS’s too, so you can quickly try stuff out. It isn’t a book you would read end to end but rather one that gives you guidance on where to start with problems related to JSON.
The experience itself of reviewing was interesting, each chapter took a few hours of reading and trying out the code and responding with details of issues found. The people I worked with at PACKT made it really pleasant. I never heard from the author or other reviewers, which in hindsight is odd but I think that maybe helped keep my responses focused and not have a bias in them.
If you do pick it up, let me know what you thought of it!
*Note: I’ve only seen the content I reviewed, I haven’t seen the final book, which may be different.
Vorlon.js is an amazing tool for web developers as it brings the browser developer tools, aka F12, out of the limitations of a single browser and to the cloud. While you can run it on your machine, I believe to really get the full power of it, you need to put it on a dev server somewhere. The broader the reach, the more use. So with that mindset here is how to run it on an Ubuntu server, and for this example I am using Azure to host that VM. I am using the Basic A2 (2 Cores, 3.5 GB) machine, which is more than enough for Vorlon and means I can run the server pretty cheaply.
Step 1: Get NPM
Vorlon uses NPM, Node Package Manager, for distribution so you need that to get started. Before you begin, make sure you are up to date:
sudo apt-get update
Once that is done you can run the following to install NPM:
sudo apt-get install npm
If you didn’t follow my advice on doing the update first, or you ran into issues, you may need to run the command again with extra parameters:
Step 2: Get Node.js
Vorlon is built with Node.js, so you need to get that too. This took me surprisingly long to figure out, but thanks to this page I came right. The commands to run are:
curl --silent --location https://deb.nodesource.com/setup_0.12 | sudo bash -
sudo apt-get install --yes nodejs
Step 3: Get Vorlon
Now that the machine is setup correctly, you can get a copy of Vorlon using NPM with the next command:
sudo npm i -g vorlon
Step 4: Run Vorlon
Running Vorlon is easy, just type: vorlon
For Windows users, make sure it is all lower case. It takes about 30 seconds and you will see the command output pop up.
Once that shows up you can access it!
/usr/bin/env: node: No such file or directory
Every time I ran Vorlon originally I got the following error message: /usr/bin/env: node: No such file or directory
This is because I didn’t have Node.js installed. I had npm, which I assumed brought Node.js with it but it doesn’t and so Vorlon won’t run. In hindsight it is obvious, and even the error message tells me that but at the time – well it was an hour to figure out :/
Azure – don’t forget those endpoints
If you are on Azure, you will also need to set up the endpoints to allow access to the VM. To do this, go to the portal and open your VM. Click All Settings, then Endpoints, then Add. From there you need to add an endpoint that maps the public port to the private port. I keep both the same (1337) but you could make the public one something different.
You want to code in TypeScript. You want to code with Sublime Text. Today, that is really really easy to do, thanks to Package Control and Microsoft, who is now providing a first class plug-in for Sublime Text to enable & light up TypeScript.
Step 1: Install Package Control
The installation instructions for it can be found here, but in summary you press Ctrl+` and then paste the following code (for Sublime Text 2, for 3 see their website) into the text box and press enter
import urllib2,os,hashlib; h = 'eb2297e1a458f27d836c04bb0cbaf282' + 'd0e7a3098092775ccb37ca9d6b2e4b7d'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); os.makedirs( ipp ) if not os.path.exists(ipp) else None; urllib2.install_opener( urllib2.build_opener( urllib2.ProxyHandler()) ); by = urllib2.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); open( os.path.join( ipp, pf), 'wb' ).write(by) if dh == h else None; print('Error validating download (got %s instead of %s), please try manual install' % (dh, h) if dh != h else 'Please restart Sublime Text to finish installation')
It takes a few seconds where nothing happens and then, without much fanfare, the message window will say “Please restart Sublime Text to finish installation” – so do that.
Step 2: Add the TypeScript package
Press Ctrl+Shift+P to bring up the command palette and type in Package Control: Install Package and press enter.
You can use the arrow keys to navigate the list quicker and press enter on the right item rather than typing everything.
In the next command palette window type TypeScript and hit enter.
Once that is done, it is done and you will get glorious TypeScript in Sublime!