Thursday November 13, 2014
Announcing .NET 2015 - .NET as Open Source, .NET on Mac and Linux, and Visual Studio Community
It's happening. It's the reason that a lot of us came to work for Microsoft, and I think it's both the end of an era but also the beginning of amazing things to come.
The .NET 2015 wave of releases is upon us. Here's what's happening and we announced it today in New York. There's a lot here, so drink it all in slowly.
Be sure to check out all the blog posts I'm linking to at the end, but here's my personal rollup and take on the situation.
We are serious about open source and cross platform.
.NET Core 5 is the modern, componentized framework that ships via NuGet. That means you can ship a private version of the .NET Core Framework with your app. Other apps' versions can't change your app's behavior.
We are building a .NET Core CLR for Windows, Mac and Linux and it will be both open source and it will be supported by Microsoft. It'll all happen at https://github.com/dotnet.
We are open sourcing the RyuJit and the .NET GC and making them both cross-platform.
ASP.NET 5 will work everywhere.
ASP.NET 5 will be available for Windows, Mac, and Linux. Mac and Linux support will come soon and it's all going to happen in the open on GitHub at https://github.com/aspnet.
ASP.NET 5 will include a web server for Mac and Linux called kestrel built on libuv. It's similar to the one that comes with node, and you could front it with Nginx for production, for example.
Developers should have a great experience.
There is a new FREE SKU for Visual Studio for open source developers and students called Visual Studio Community. It supports extensions and lots more all in one download. This is not Express. This is basically Pro.
Visual Studio 2015 and ASP.NET 5 will support gulp, grunt, bower and npm for front end developers.
A community team (including myself and Sayed from the ASP.NET and web tools team) has created the OmniSharp organization, along with the Kulture build system, as a way to bring real Intellisense to Sublime, Atom, Brackets, Vim, and Emacs on Windows, Linux, and Mac. Check out http://www.omnisharp.net as well as blog posts by team members Jonathan Channon
Even more open source.
Much of the .NET Core Framework 4.6 and its Reference Source source is going on GitHub. It's being relicensed under the MIT license, so Mono (and you!) can use that source code in their .NET implementations.
There's a new hub for Microsoft open source that is hosted GitHub at http://microsoft.github.io.
Open sourcing .NET makes good sense. It makes good business sense, good community sense, and today everyone at Microsoft sees this like we do.
This could be a MASSIVE game changer...simply...wow.
Tuesday November 11, 2014
Everything You Need To Start Making Webcomics For Free
The webcomic is the best storytelling medium for hobbyists. Its visual nature hooks readers faster than written form stories. Its serial nature allows for bite-sized consumption without sacrificing long story arcs. And best of all, it’s a heck of a lot cheaper than making films or writing novels.
Given enough time and determination, anyone can make webcomics for free, and that includes you. Here’s how to get started right away.
Read the full story here: http://www.makeuseof.com/...rt-making-webcomics-free/
Wednesday November 05, 2014
The item that caught my attention was the algorithm for splitting a payment among multiple participants in a project, by trying to find a fair way to divide it based on the participants' assessment of each other. The website offers little explanation for the algorithm, but does link to a published paper on the algorithm (written by people other than those who made the website).
Monday October 27, 2014
Super-sized Newsletter for Oct 25, 2014 - Codename: NANY 2015 Preppers
1. Newsletter Editorial
Greetings. It's been a whopping 156 days since the last newsletter, and in that time:
New threads started: 1,300.
New posts: 12,000 (number of those deleted as spam: 468).
New members who joined: 13,600 (number of those banned for spamming: 700).
New donors: 714.
The important news to tell you about is that our big "New Apps for the New Year (NANY) 2015" event is fast approaching. You can read all about it below, in the first section of the newsletter. We'd love to have your participation in it.
See you on the forum!
2. NANY 2015 Event (New Apps for the New Year)
Since 2007 we have held an annual event that we call NANY (New Apps for the New Year), where we ask the coders who hang out on DonationCoder to create some new piece of free software and share it with the world on January 1st of the new year (browse previous year entries here).
There are no winners or losers, it's simply a celebration of programming and creating new software and sharing it with the world. Everyone who participates gets a commemorative mug. You can target any operating system (desktop or mobile) or even make a web-based tool. It can be a game, utility, large application, whatever.
10 Web Application Security Scanners To Monitor Your Internet Activity!
1. Netsparker Community Edition
According to their website, Netsparker is the only false-positive-free web application security scanner. Simply point it at your website and it will automatically discover the flaws that could leave you dangerously exposed.
The Websecurify Suite is a web application security solution designed to run entirely from your web browser. It packs our awesome web application security framework combined with the power of client-side technologies.
This web application security scanner allows you to track the following security vulnerabilities:
- File disclosure
- Database Injection
- XSS (Cross Site Scripting) injection
- Command Execution detection
- CRLF Injection
- XXE (XML eXternal Entity) injection
- Use of known potentially dangerous files
- Weak .htaccess configurations that can be bypassed
- Presence of backup files giving sensitive information
This is a web application security scanner that searches for security loopholes like SQL Injection, XSS and other known attacks.
Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly.
Watcher is a Fiddler addon which aims to assist penetration testers in passively finding Web-application vulnerabilities. The security field today has several good choices for HTTP proxies which assist auditors and pen-testers.
Exploit-Me Mobile (EMM) is an open source project demonstrating common mobile application vulnerabilities in the iOS and Android platforms. ExploitMe Mobile is a training platform built based on the common mobile application security pitfalls.
WebScarab has a large amount of functionality, and as such can be quite intimidating to the new user. But, for the simplest case, intercepting and modifying requests and responses between a browser and HTTP/S server, there is not a lot that needs to be learned.
10. Acunetix Web Application Security Scanner
According to the company, the features of this security tool include:
- AcuSensor Technology
- Industry's most advanced and in-depth SQL injection and Cross site scripting testing
- Advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer
- Visual macro recorder makes testing web forms and password protected areas easy
- Support for pages with CAPTCHA, single sign-on and Two Factor authentication mechanisms
- Extensive reporting facilities including PCI compliance reports
- Multi-threaded and lightning fast scanner - processes thousands of pages with ease
- Intelligent crawler detects web server type, application language and smartphone-optimized sites.
- Acunetix crawls and analyzes different types of websites including HTML5, SOAP and AJAX
- Port scans a web server and runs security checks against network services running on the server
A Malicious Del.icio.us?
Google blacklisted bit.ly several days ago in a move that caught many publishers off guard. We started seeing spotty reports of del.icio.us being blacklisted over the weekend and it has now gone full-blown with all del.icio.us links apparently being blacklisted by Chrome as hosting malware.
Delicious has changed hands several times over the years and recently was re-sold earlier this year to Science Inc. They also rebranded several years ago to delicious.com which is not blacklisted, but there are likely a large number of legacy .us links out there. [Edit: Thanks Kelson]
Bit.ly has now been removed from Google’s Safe Browsing list, which is the list that Google maintains of known malicious websites that engage in malware distribution and phishing. [Edit: Correction, we are still seeing bit.ly links being flagged by Google's GSB and Chrome] It’s also one of the data sources that Wordfence uses to scan your site’s files, posts and comments for malicious activity and infections.
Friday October 24, 2014
This is one of the best things I've seen in a long time, especially as an aspiring writer.
from https://www.gitbook.io/about (stripped of pretty formatting)
GitBook makes it easy to publish great books.
Discover gorgeous books from the community.
Publish your books easily thanks to a great workflow.
Monetize your paid books in less than 5 minutes.
Simple to update, publish and update your books easily using Git or the editor.
Responsive, books can be read on all devices, laptops, tablets, phones, kindles, etc.
Editor, use the GitBook editor to write beautiful books, on Mac, Windows or Linux.
Git, books are versioned and collaborative using the GIT scm.
Markdown, books are written using the markdown syntax.
Open Source, built on top of the open source GitBook technology.
Do more thanks to powerful integrations.
E-book readers, books are readable on the Amazon Kindle, Nook and other readers.
iBooks, books are readable on iPad, iPhone and Mac using iBooks.
GitHub, write your book on GitHub and publish it in seconds through GitBook.
Monetize your books
Choose your own minimum and suggested prices, from $0 (or free) to $100.
Let everybody buy your book easily. GitBook accepts most credit & debit cards.
You keep the rights to your book, not us. So you can do a deal with a publisher at any time.
GitBook charges 20% per transaction.
I'm cautiously optimistic... could also be a big middle finger to the traditional publishing model...
Update: So, following my own advice to do more investigation on open-source projects I find interesting.
So far, I see that Gitbook is owned by FriendCode. Haven't done a corporate search, but a little cursory searching led me to Codebox (https://www.codebox.io/about). They are owned by FriendCode also, so I assume at this point some correlation.
There is also a concerning bit in their TOS: the use of real names, and the ability to terminate accounts.
Violation of any of the terms below will result in the termination of your Account. While FriendCode prohibits such conduct and Content on the Service, you understand and agree that FriendCode cannot be responsible for the Content posted on the Service and you nonetheless may be exposed to such materials. You agree to use the Service at your own risk.
I wrote an e-mail, and am waiting to hear back.
I'm a prospective user of gitbook.io, and I had a concern. I don't want to write under my real name. I have business concerns that I use my real name for, and don't want any contract or other issues, which is why I don't use my real name for either my hobby coding nor writing concerns.
However, it seems that things published must be connected to my legal name? Or I'm subject to summary termination of account?
I just wanted to make sure of what was actually meant, i.e. was this absolute? Especially in publishing where people ghost write and use pseudonyms, it seems that this is a bit short sighted.
Thanks for your time, and any response!
Update: I received a response today, which I've posted below.
If your book is a paid book, you have to use your legal name, because otherwise we can't legally transfer you the money.
But if the book is a free or private book, feel free to use a pseudonym, we'll suspend the book only if the content is a stolen or illegal content.
You can only signup using twitter or github, so if you want to use a pseudonym, please make sure that your real name is not written on your Twitter/Github user profile.
So it seems that you can publish free content under a pseudonym, but not paid content.
Massive malvertising campaign on Yahoo, AOL and other sites delivers ransomware
One of the sites affected is apparently CNet, as one of our customers got nailed by this while trying to download the latest copy of Avast AV (which is hosted on CNet). The customer in question is a hyper vigilant old schooler who doesn't like, trust, or use the internet for anything unless absolutely necessary. So they most likely got burnt by the idiotic marketing practice of having multiple unidentified huge green download buttons that infest CNet.
Wednesday October 15, 2014
Drupal Fixes Highly Critical SQL Injection Flaw
Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution. The flaw lies in an API that is specifically designed to help prevent against SQL injection attacks. "Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks," the Drupal advisory says. "A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks."
SSL broken, again, in POODLE attack
From the researchers that brought you BEAST and CRIME comes another attack against Secure Sockets Layer (SSL), one of the protocols that's used to secure Internet traffic from eavesdroppers both government and criminal.
Calling the new attack POODLE—that's "Padding Oracle On Downgraded Legacy Encryption"—the attack allows a man-in-the-middle, such as a malicious Wi-Fi hotspot or a compromised ISP, to extract data from secure HTTP connections. This in turn could let that attacker do things such as access online banking or e-mail systems. The flaw was documented by Bodo Möller, Thai Duong, and Krzysztof Kotowicz, all of whom work at Google. Thai Duong, working with Juliano Rizzo, described the similar BEAST attack in 2011 and the CRIME attack in 2012.
The attack depends on the fact that most Web servers and Web browsers allow the use of the ancient SSL version 3 protocol to secure their communications. Although SSL has been superseded by Transport Layer Security, it's still widely supported on both servers and clients alike and is still required for compatibility with Internet Explorer 6. SSLv3, unlike TLS 1.0 or newer, omits validation of certain pieces of data that accompany each message. Attackers can use this weakness to decipher the encrypted data one byte at a time, and in so doing, extract the plain text of the message byte by byte.
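The "omitted validation" is the CBC padding check. As an added example (not code from the article or from the POODLE researchers), the two padding rules are written out side by side and a receiver is probed with corrupted padding bytes to show how many it notices:

```python
"""Added example (not from the article or the POODLE paper): the CBC
padding rule that SSLv3 applies versus the one TLS 1.0+ applies.

Both protocols MAC the data, pad it to a multiple of the block size and
encrypt with CBC.  On receipt the padding must be stripped before the MAC
is checked.  TLS verifies every padding byte; SSLv3 only reads the final
length byte, which is the missing validation the article refers to.
"""

BLOCK = 16  # AES block size; the same logic applies to 8-byte 3DES blocks


def ssl3_unpad(plaintext: bytes, block_size: int = BLOCK):
    """SSLv3: the last byte is the padding length and must be smaller than
    the block size; the padding bytes themselves are never inspected.
    Returns the unpadded data, or None when the padding is rejected."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len >= block_size or pad_len + 1 > len(plaintext):
        return None
    return plaintext[: -(pad_len + 1)]


def tls_unpad(plaintext: bytes):
    """TLS 1.0+: every padding byte must equal the length byte (which may
    be up to 255).  Same return convention as ssl3_unpad."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    if any(b != pad_len for b in plaintext[-(pad_len + 1):]):
        return None
    return plaintext[: -(pad_len + 1)]


def corruptions_detected(unpad, block_size: int = BLOCK) -> int:
    """Build a record whose final block is entirely padding, corrupt each
    padding byte in turn (in CBC mode, flipping a ciphertext bit flips the
    same bit of the next decrypted block) and count how many of the
    block_size - 1 corruptions the receiver rejects."""
    data = b"A" * block_size
    pad_len = block_size - 1
    record = data + bytes([pad_len]) * block_size   # full padding block
    assert unpad(record) == data
    detected = 0
    for i in range(block_size - 1):                 # length byte untouched
        corrupted = bytearray(record)
        corrupted[block_size + i] ^= 0xFF
        if unpad(bytes(corrupted)) is None:
            detected += 1
    return detected


if __name__ == "__main__":
    print("SSLv3 rejects", corruptions_detected(ssl3_unpad), "of 15 corruptions")
    print("TLS   rejects", corruptions_detected(tls_unpad), "of 15 corruptions")
```

Because SSLv3 accepts any content in those fifteen bytes, a man-in-the-middle can substitute ciphertext and learn from the accept/reject answer; the fix is to stop negotiating SSLv3 at all rather than to patch the padding check.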
Tuesday October 07, 2014
Your favorite cartoons of yesterday and today?
A DC member turned me on to one of my favorite new cartoons, Rick and Morty:
I'd say it's an adult cartoon, vs a kids cartoon. Full episodes can be legally watched online here: http://www.adultswim.com/videos/rick-and-morty/
Hilarious and surprisingly faithful to the science behind some of the absurdity.
I was just reading about how the era of Saturday Morning Cartoons for kids has ended. That's pretty sad. I have very fond memories of waking up early on Saturday mornings and planning out what cartoons to watch. There were some wonderful cartoons back then.
What are your favorites?
Friday September 26, 2014
Kevin Mitnick Is Now Selling Zero-Day Exploits
As a young man, Kevin Mitnick became the world’s most notorious black hat hacker, breaking into the networks of companies like IBM, Nokia, Motorola, and other targets. After a stint in prison, he reinvented himself as a white hat hacker, selling his skills as a penetration tester and security consultant.
With his latest business venture, Mitnick has switched hats again: This time to an ambiguous shade of gray.
Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception six months ago, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.
And what will his clients do with those exploits? “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick tells WIRED in an interview. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”
Mitnick declined to name any of his customers, and wouldn’t say how many, if any, exploits his exchange has brokered so far. But the website he launched to reveal the project last week offers to use his company’s “unique positioning among security researchers and the hacker community” to connect exploit developers with “discerning government and corporate buyers.”
Thursday September 25, 2014
Linux bash exploit discovered
"Akamai has validated the existence of the vulnerability in bash, and confirmed its presence in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh---but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.
There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services. Akamai has created a WAF rule to filter this exploit; see "For Web Applications" below for details."
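One of the mitigations Akamai lists is filtering inputs to vulnerable services. As an added example (not Akamai's WAF rule and not part of the quoted advisory), here is a minimal filter of that kind run over constructed web-server log lines; the log format, sample addresses and probe strings are all assumptions made up for the example:

```python
"""Added example, not part of the quoted Akamai advisory: a minimal
input filter of the kind the advisory recommends ("filtering inputs to
vulnerable services"), run over constructed web-server log lines.

An unpatched bash imports any environment variable whose value starts
with the literal prefix "() {" as a function definition and then goes on
to execute whatever follows the closing brace.  A CGI script that copies
request headers into the environment is therefore reachable through any
header.  The filter flags header values carrying that prefix; it says
nothing about whether the request actually succeeded.
"""
import re

# Deliberately looser than bash's own strncmp(value, "() {", 4) so that
# spacing variants are flagged rather than missed.
FUNCTION_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Combined log format (assumed): client, timestamp, request line, status,
# size, referer, user-agent.  The last two fields are attacker-controlled.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def is_shellshock_probe(header_value: str) -> bool:
    """True if a vulnerable bash would parse this header value as a
    function definition."""
    return FUNCTION_PREFIX.match(header_value) is not None


def scan_access_log(lines):
    """Return (client, request, header_name) for every log line whose
    referer or user-agent carries the function-definition prefix."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if m is None:          # unparseable line: skip, do not crash
            continue
        for header in ("referer", "agent"):
            if is_shellshock_probe(m.group(header)):
                hits.append((m.group("client"), m.group("request"), header))
    return hits


# Constructed sample log lines; the probe payloads only echo a marker.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:09:14:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:09:14:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-test"',
    '203.0.113.9 - - [25/Sep/2014:09:14:06 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "(){ :;}; echo shellshock-test" "curl/7.37.0"',
    '198.51.100.4 - - [25/Sep/2014:09:15:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux) Gecko"',
]

if __name__ == "__main__":
    for client, request, header in scan_access_log(SAMPLE_LOG):
        print(f"{client} {request!r} via {header}")
```

A real filter sits in front of the CGI handler and inspects every header, not just the two an access log records; the log scan is the retrospective counterpart for finding probes that already arrived.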