Planet node.js
New Package Manifestations on undefined

At Nodejitsu we're always looking for a way to make npm better. Our public npm replicas are now serving millions of requests with 99.998% uptime since launching in January. Have you tried it out yet?

npm config set  

But making npm better is more than just about making service more reliable. It's about making everything in your development workflow better. That's why today we're happy to announce the beta of our new package pages! Can't wait to try it out? Sign up today for just $25!

Licenses, Licenses, Licenses

Like so many things around npm determining the correct license for a module is deceptively simple. That is: it is much harder than it seems. Why? Because module authors usually don't include their license in the package.json.

That's why 3rdEden (author of Primus and Lead Front-End Engineer At Nodejitsu) wrote licenses. Now we can bring you all that information in a simple interface:

Not only does it display the list of all licenses for all modules depended on directly, it is also displays the licenses of all modules depended on indirectly. By quickly viewing a list you can be sure what your software license foot print for your application is.

Quickly see what matters

All of the information you need for your packages in a single place.

Readme's rendered as you intended

As module authors we know how important documentation is. We used renderme to ensure that your README files are rendered in the same way as it does on GitHub. No need to change your README files to get them rendered in the way you intended.

As a bonus it also adds line numbers and links to each code snippet so you can easily share them with your team members.

Zero setup time for private modules

If you (or your company) has tried to setup npm-www you know that it can be a bit of a pain to get right on-top of running your own CouchDB server too. You have to setup Redis, and ElasticSearch, getting all the permissions down. The list goes on.

What if you could get all this information for your private modules too? Well you can!

Well. What are you waiting for?!

This is just the first of a lot of new features that have been brewing in our pipeline including:

  • Package notifications: Get an email or first a webhook everytime a module is published
  • Pre-built modules: Get a tarball of your private modules pre-built for your platform of choice including all binary dependencies.
  • ... and More!

So ... what are you waiting for?! Signup today for only $25

Weekend Reading – Bleeding Hearts on undefined

This was big enough to warrant a second Weekend Reading.


Is this a big deal? Should I be concerned?

Yes. If you like to sleep better at night, I suggest not reading the rest of this FAQ.

What was stolen?

We have no idea what was stolen, but we have a good idea what could have been stolen. First, all data between your browser and affected web servers, including secure data like passwords, credit card numbers, bank accounts, etc. Second, server keys (see below).

Is it fixed now?

Yes, no and no. Some web sites were on the ball and fixed the issue in record time, especially the big guns with their dedicated security teams. Not all sites got to it in time, and smaller ones may still be vulnerable.

Also, this issue has been around for a couple of years before it was discovered, so it's possible someone else discovered it and exploited it a while back.

My bank said nothing. Should I worry?

Banks don't respond to consumer concerns, don't expect to hear anything anytime soon. Most banks don't use OpenSSL for their consumer-facing apps, so your passwords and other sensitive data was not affected. But, they may have used OpenSSL for other systems that could gain access to sensitive data. Like any credit card breach, we won't know until it's too late.

Do I need to change my password?

That's always a good idea.

Is the Web secure now?

Unfortunately, no. It's not just passwords that could be stolen, but also server keys. These are use to encrypt any data sent bettern web browser and web servers.

There are three ways those could be used. In the past, before we all learned about the issue and did something to fix it.

Retroactively. If someone recorded encrypted data in the past, and got access the secure keys now, they could decrypt all that data. This is something the NSA is fond of doing, but they're not alone.

Last, it's possible to use these keys in the future to masquarade a web server and pretend the communication is secure, while listening to all the traffic. It's hard to do, but not entirely possible.

Anything else I can do?

Not really, except watch the news.

So this is still a problem?

I told you not to read this FAQ.

What's Vulnerable?

The Heartbleed Hit List: The Passwords You Need to Change Right Now Green checkbox means go change your password right now.

Heartbleed test tests if your server is vulnerable. You can also download the code and run it from the command line.

Testing for "reverse" Heartbleed The team at Meldium checks if you can use Heartbleed to steal data from clients using OpenSSL (e.g curl). Turns out you can. brew upgrade openssl on your Mac.

The Heartbleed Challenge CloudFlare sets up a challenge to determine if you can use Heartbleed to steal SSL keys from the server. Turns out you can.

What Broke?

Diagnosis of the OpenSSL Heartbleed Bug explains the bug and concludes:

  1. Pay money for security audits of critical security infrastructure like OpenSSL
  2. Write lots of unit and integration tests for these libraries
  3. Start writing alternatives in safer languages

Re: FYA: points out its not the language but the practice:

So years ago we added exploit mitigations counter measures to libc malloc and mmap, so that a variety of bugs can be exposed. …

But around that time OpenSSL adds a wrapper around malloc & free so that the library will cache memory on it's own, and not free it to the
protective malloc. …

OpenSSL is not developed by a responsible team.

Anything else?

The bug is fixed in all major distributions of OpenSSL. You may heard that the bug is fixed in the most recent version of OpenSSL (1.0.1g and upcoming 1.2.0). Some distribution still offer older versions of OpenSSL, but updated with the security patch.

Disable Segglemann's RFC520 hearbeat:

I am completely blown away that the same IETF that cannot efficiently allocate needed protocol, service numbers, or other such things when they are needed, can so quickly and easily rubber stamp the addition of a 64K Covert Channel in a critical protocol.

Secure storage of private (RSA) keys Akamai offers a patch offers a "secure arena" for storing RSA keys, so they're not vulnerable to Heartbleed, also locked into memory, kept out of core files.

Weekend Reading – Smart tipping on undefined

Smartcar tipping

Design Objective

The State of In-Car UX TL;DR your $200K ride is fitted with a $50 tablet, designed by people who'll never drive that car.

Generating visual designs with code Examples of programmatic art work at Github.

Design Can Drive Exceptional Returns for Shareholders:

To better understand how design leads to returns, my company, Motiv Strategies, and the Design Management Institute worked together to produce a new tool that tracks the results of design-centric companies against those that are not. Called the Design Value Index, it shows that 15 rigorously-selected companies we believe institutionally understand the value of design beat the S&P by 228% over the last 10 years.

The simple Secret behind wonderful Products:

Underdogs. Naive. Not up for the task. Yet all of them really really cared. A lot. Cared more than others.

RedPen is a service for sharing and commenting on visual designs. The home page is one of the best product demos I've seen. Restrained yet useful use of HTML5 features.

Peter Lyons:

OH "lipstick on a div"

Tools of the Trade

maintenance is an Express.js middleware for easy switching the app to maintenance mode.

The Short Cutts So very helpful: "we've done the hard work and watched every Matt Cutts video to pull out simple, concise versions of his answers."

gulp - The vision, history, and future of the project Everything you need to know about where Gulp is heading.

AnyFont and FondFont let you install additional fonts on your iPhone/iPad.

Express 4 in production I just migrated. Trivial if tedious, and about 30 minutes of work. Love the 20% performance boost, which I can now blow on async/await:

All of our metrics improved on the API node using the new version of Express:

  • response times dropped by 20%
  • memory consumption dropped by 10%

Accessible Web Components - Part 1 Accessible Web components with Polymer.

Estimation Party Use Google Hangouts to get feature estimation from the team.

NoSQL Meets Bitcoin and Brings Down Two Exchanges: The Story of Flexcoin and Poloniex TL;DR separate experiments with new currencies from experiments in concurrency.

gitbrute will brute-force git commit to have a desired SHA prefix.

GIT-OTHER(1) Git Manual Random man git pages that are as understandable as the real deal.

Sad Server:

If you watch a movie of your life backwards, it's about a sysadmin who regains youth/happiness as they forget more and more about computers

Lines of Code

Callable entities in ECMAScript 6

Asynchronous JavaScript Interfaces: callbacks, generators, promises and streams. Deals well with some of the issues and controversies around promises.

ecma262 a Git repository with all the proposals for ECMAScript 7.

JS1k post-mortem Ripping off Threes before it was cool How to fit a Threes game into 1KB of JavaScript.

Patrick Mulder:

one of my favorite debugging tricks: enough sleep

Startup Life

Third life: Flickr co-founder pulls unlikely success from gaming failure. Again The story behind Slack.

Vooza is a mediocre spoof of SV, but the introductory video is a killer:

If you look at how much we fail, it shows how smart we've become.


Why Good Managers Are So Rare:

When you do the math, it’s likely that someone on each team has the talent to lead. But given our findings, chances are that it’s not the manager. More likely, it’s an employee with high managerial potential waiting to be discovered.

Eventbrite's Playbook for Building Amazing Customer Service from Scratch:

In addition to guiding product development in the right direction, good customer service can be a tremendous sales advantage. “As soon as an account executive closes a deal, it makes a huge difference if the customer is passed to someone friendly who really knows their stuff and can initiate them into the product,” Kilian says.

How to Make Better Reference Calls:

The most obvious thing you need to do in order to better reference check people is to get “off list” references. For each person that the candidate gave you that was “on list” ask that person when you speak to them for 2 other people they think you should speak with in order to get a fuller picture of the candidate.

Locked Doors

Why offense is hard to contain Remarkable presentation about the fundamental issue with security: hackers always looking to expand their compromise boundary. You may not be a high value target, but you will get compromised because you're part of the trust graph. That also includes hackers known by their three letters agency name.

Court Says FTC Can Go After Companies Who Get Hacked For Their Weak Security Practices I doubt this will last another round of campaign contributions, but for now cheers to the FTC:

However, a court has shot down that argument and will allow the FTC's case against Wyndham to move forward. Again, Wyndham's security here was egregiously bad. It didn't encrypt payment data, and also used default logins and passwords for its systems.

The Next Big Thing You Missed: A Would-Be Dcontroversialropbox Meant to Thwart the NSA Dropbox have picked controversial side of the fence with their controversial board pick. BitTorrent Sync sounds like an interesting alternative, but did I understand it correctly: it shares your files on the Internet offering security by obscurity?

None of the Above

Your Brain on Bicycling I try to ride 2/3 times a week, that's where some of my best ideas come from.

Why is ketchup so hard to pour? What you need to know about this tomato-based non-Newtonian fluid.

Gingko looks like a fantastic tool for writing. It lets you work on individual paragraphs and manage the outline at the same time.

Bitcoin correlator will scrape any website for data points and correlate them to Bitcoin.

Max Shron:

A/B the change you want to see in the world.

Philips Norelco Laser-Guided Beard Trimmer:

The numbers allegedly represent length in millimeters, but that seems to translate to "short beard", "very short beard", "are you growing a beard?", and 14 more settings of stubble. It's really more of a stubble styler, for stubble length savants.

Geek Out and Get Fit with the Konami Code Workout

What the Tamiflu saga tells us about drug trials and big pharma:

That is a scandal because the UK government spent £0.5bn stockpiling this drug in the hope that it would help prevent serious side-effects from flu infection. But the bigger scandal is that Roche broke no law by withholding vital information on how well its drug works.

The Internet of Springs:

DNS back to the roots on undefined

DNS Server

Mon fournisseur d’accès Internet FREE ne me donnant pas entière satisfaction quant au service DNS (lenteur,problèmes Youtube,…), j’ai décidé d’y remédier de façon simple et efficace, en déployant mon propre serveur cache DNS.

En effet, rien de plus simple pour monter un DNS sur mon réseau LAN. Je connais Bind depuis des années, mais il est complexe, lourd, alors j’ai opté pour UNBOUND, un serveur DNS écrit en Python. J’ai décidé de l’installer sur un de mes serveurs Dockstar, avec la configuration suivante adaptée à mes besoins, que j’ai trouvé sur le site web Calomel.

On va installer le démon UNBOUND sur ma distribution Debian, puis je récupére la liste des serveurs DNS ROOT, sur le site officiel, avec wget.

apt-get install unbound unbound-host
wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/lib/unbound/root.hints

Dans la configuration, vous devez adapter les réseaux (le mien est en Vous pouvez également, renseigner la liste de vos machines internes. Dans les champs DNS du serveur DHCP du FreeBox Serveur, pensez à mettre l’adresse ip de votre nouveau serveur DNS.

## Authoritative, validating, recursive caching DNS
## unbound.conf --
  # log verbosity
    verbosity: 1

  # specify the interfaces to answer queries from by ip-address.  The default
  # is to listen to localhost ( and ::1).  specify and ::0 to
  # bind to all available interfaces.  specify every interface[@port] on a new
  # 'interface:' labeled line.  The listen interfaces are not changed on
  # reload, only on restart.

  # port to answer queries from
    port: 53

  # Enable IPv4, "yes" or "no".
    do-ip4: yes

  # Enable IPv6, "yes" or "no".
    do-ip6: no

  # Enable UDP, "yes" or "no".
    do-udp: yes

  # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
  # quicker to resolve as the functions related to TCP checks are not done.i
  # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
  # due to their size.
    do-tcp: yes

  # control which client ips are allowed to make (recursive) queries to this
  # server. Specify classless netblocks with /size and action.  By default
  # everything is refused, except for localhost.  Choose deny (drop message),
  # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
  # and nonrecursive ok)
    access-control: allow
    access-control: allow

  # Read  the  root  hints from this file. Default is nothing, using built in
  # hints for the IN class. The file has the format of  zone files,  with  root
  # nameserver  names  and  addresses  only. The default may become outdated,
  # when servers change,  therefore  it is good practice to use a root-hints
  # file.  get one from ftp://FTP.INTERNIC.NET/domain/named.cache
    root-hints: "/var/lib/unbound/root.hints"

  # enable to not answer id.server and hostname.bind queries.
    hide-identity: yes

  # enable to not answer version.server and version.bind queries.
    hide-version: yes

  # Will trust glue only if it is within the servers authority.
  # Harden against out of zone rrsets, to avoid spoofing attempts. 
  # Hardening queries multiple name servers for the same data to make
  # spoofing significantly harder and does not mandate dnssec.
    harden-glue: yes

  # Require DNSSEC data for trust-anchored zones, if such data is absent, the
  # zone becomes  bogus.  Harden against receiving dnssec-stripped data. If you
  # turn it off, failing to validate dnskey data for a trustanchor will trigger
  # insecure mode for that zone (like without a trustanchor).  Default on,
  # which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes

  # Use 0x20-encoded random bits in the query to foil spoof attempts.
  # While upper and lower case letters are allowed in domain names, no significance
  # is attached to the case. That is, two names with the same spelling but
  # different case are to be treated as if identical. This means is the
  # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
    use-caps-for-id: yes

  # the time to live (TTL) value lower bound, in seconds. Default 0.
  # If more than an hour could easily give trouble due to stale data.
    cache-min-ttl: 3600

  # the time to live (TTL) value cap for RRsets and messages in the
  # cache. Items are not cached for longer. In seconds.
    cache-max-ttl: 86400

  # perform prefetching of close to expired message cache entries.  If a client
  # requests the dns lookup and the TTL of the cached hostname is going to
  # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
  # host to the client and (2nd) pre-fetch the dns request from the remote dns
  # server. This method has been shown to increase the amount of cached hits by
  # local clients by 10% on average.
    prefetch: yes

  # number of threads to create. 1 disables threading. This should equal the number
  # of CPU cores in the machine. Our example machine has 4 CPU cores.
    num-threads: 2

  ## Unbound Optimization and Speed Tweaks ###

  # the number of slabs to use for cache and must be a power of 2 times the
  # number of num-threads set above. more slabs reduce lock contention, but
  # fragment memory usage.
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8

  # Increase the memory size of the cache. Use roughly twice as much rrset cache
  # memory as you use msg cache memory. Due to malloc overhead, the total memory
  # usage is likely to rise to double (or 2.5x) the total cache memory. The test
  # box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
    rrset-cache-size: 25m
    msg-cache-size: 12m

  # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
  # the kernel buffer larger so that no messages are lost in spikes in the traffic.
    so-rcvbuf: 1m

  ## Unbound Optimization and Speed Tweaks ###

  # Enforce privacy of these addresses. Strips them away from answers.  It may
  # cause DNSSEC validation to additionally mark it as bogus.  Protects against
  # 'DNS Rebinding' (uses browser as network proxy).  Only 'private-domain' and
  # 'local-data' names are allowed to have these private addresses. No default.

  # Allow the domain (and its subdomains) to contain private addresses.
  # local-data statements are allowed to contain private addresses too.
    private-domain: "home.lan"

  # If nonzero, unwanted replies are not only reported in statistics, but also
  # a running total is kept per thread. If it reaches the threshold, a warning
  # is printed and a defensive action is taken, the cache is cleared to flush
  # potential poison out of it.  A suggested value is 10000000, the default is
  # 0 (turned off). We think 10K is a good value.
    unwanted-reply-threshold: 10000

  # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND  on
  # localhost you will want to allow the resolver to send queries to localhost.
  # Make sure to set do-not-query-localhost: yes . If yes, the above default
  # do-not-query-address entries are present.  if no, localhost can be queried
  # (for testing and debugging). 
    do-not-query-localhost: no

  # File with trusted keys, kept up to date using RFC5011 probes, initial file
  # like trust-anchor-file, then it stores metadata.  Use several entries, one
  # per domain name, to track multiple zones. If you use forward-zone below to
  # query the Google DNS servers you MUST comment out this option or all DNS
  # queries will fail.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

  # Should additional section of secure message also be kept clean of unsecure
  # data. Useful to shield the users of this validator from potential bogus
  # data in the additional section. All unsigned data in the additional section
  # is removed from secure messages.
    val-clean-additional: yes

  # Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
  # account for a 70 percent share of all advertising traffic. Block them.
    local-zone: "" redirect
    local-data: " A"
    local-zone: "" redirect
    local-data: " A"
    local-zone: "" redirect
    local-data: " A"
    local-zone: "" redirect
    local-data: " A"
    local-zone: "" redirect
    local-data: " A"
    local-zone: "" redirect
    local-data: " A"

  # Unbound will not load if you specify the same local-zone and local-data
  # servers in the main configuration as well as in this "include:" file. We
  # suggest commenting out any of the local-zone and local-data lines above if
  # you suspect they could be included in the unbound_ad_servers servers file.
  #include: "/usr/local/etc/unbound/unbound_ad_servers"

  # locally served zones can be configured for the machines on the LAN.

    local-zone: "lan." static

    local-data: "dockstar1.      IN A"
    local-data: "dockstar2.      IN A"
    local-data: "haproxy.        IN A"
    local-data: "beaglebone.     IN A"
    local-data: "raspberry.      IN A"

    local-data-ptr: "  dockstar1.lan"
    local-data-ptr: "  dockstar2.lan"
    local-data-ptr: "  haproxy.lan"
    local-data-ptr: "  beaglebone.lan"
    local-data-ptr: "  raspberry.lan"

  # Unbound can query your NSD or BIND server for private domain queries too.
  # On our NSD page we have NSD configured to serve the private domain,
  # "home.lan". Here we can tell Unbound to connect to the NSD server when it
  # needs to resolve a *.home.lan hostname or IP.
  # private-domain: "home.lan"
  # local-zone: "" nodefault
  # stub-zone:
  #      name: "home.lan"
  #      stub-addr:

  # If you do not want to use the root DNS servers you can use the following
  # forward-zone to forward all queries to Google DNS, or your
  # local ISP's dns servers for example. If use use forward-zone you must make
  # sure to comment out the auto-trust-anchor-file directive above or else all
  # DNS queries will fail. We highly suggest using Google DNS as it is
  # extremely fast.
  #  forward-zone:
  #     name: "."
  #     forward-addr:        # Google Public DNS
  #     forward-addr:    # Hurricane Electric
  #     forward-addr:        # Level3 Verizon
## Authoritative, validating, recursive caching DNS
## unbound.conf --

Après avoir changé la configuration DNS de machine qui va faire office de serveur DNS, taper la commande suivante, afin de vérifier que la résolution est bien réalisée :


Et alors, à vous les vidéos Youtube en 1080p avec la FreeBox !!!

DNS back to the roots was originally published by Vincent RABAH at IT-Wars on April 13, 2014.

merlin: daveshumka: The slowed down vocals from “Band on the... on undefined



The slowed down vocals from “Band on the Run” over the sped up instruments from “Imagine.”

No words. This is magical.

How to setup a multi-user Ghost blog on undefined

If you're an avid reader of our blog you may have noticed we switched to Ghost a month ago. Perhaps you've also discovered we seem to have multiple authors. In fact we only have one user! I absolutely love Ghost and how it greatly improves the writing spirit. If it weren't for my lack of time I'd contribute more. For example, by adding multi-user support.

Multi-user Ghost

So, how are we faking it? The browser is in charge displaying the correct author details. All that a blog author has to do is to add the following script element to his post. Which works fine since markdown accepts HTML.

<script type="post/author">  
  { "author": "swaagie" }

The above data is parsed when the browser initializes the javascript. After the author name is cross-referenced with a pre-configured static list, for example:

<script type="author/list">  
  "swaagie": {
    "name": "Martijn Swaagman",
    "gravatar": "c84de3dfe1238dd614278a1e12f4c0ce?d=identicon",
    "github": "swaagie",
    "twitter": "swaagie"

Finally the author element is updated with the configured details and gravatar. This can be done with some simple jQuery or any other library you like. The script below is simplified for demonstration purposes. Note: the configure method and its implementation is explained below.

var list = configure('author/list');  
  , author = list[configure('post/author').author]

$('img').attr('src', ''+ author.gravatar);


// Updates the post author HTML (default author in each post)
<address class="author">  
  <h3>About the author</h3>
  <img src='' >
    <dd id="author" rel="author">Nodejitsu</dd>
    <dd id="location">Worldwide</dd>

Script interpretation

This is how a minimalistic implementation of the configure method might look. The method selects a script element by type and returns the content. Browsers only interpret javascript if the script element has a known type, e.g. text/javascript. So as long as the type is different from text/javascript this feature can be used to provide data to the client.

// Get the content by script type 
function configure(source) {  
  source = document.querySelector('script[type="'+ source +'"]');

  source = source.innerHTML.trim();
  if (!source) return;

  return (new Function('return '+ source)());

We generally use this method for providing data to client-side javascript. Another way is by inserting data directly into the client-side javascript, but that has some drawbacks. One, it interferes with cache and version management. Two, page-specific configurations become difficult. For example, providing author data inside a post would have been impossible. Using script elements might not be the most clean or secure method, but it is workable and flexible.

How can I use this?

You might have noticed that configure does not use JSON.parse. Actually, configure shows the method's flexibility. Why should the content be JSON? It could also be a number and/or string as long as it is valid javascript. For example, a small template would be very useful. You can then use this with any templating system on the client side. Consider changing configure to a simple handlebar templater.

<script type="client/template">  
  <h1>Hi, I'm {{ name }}</h1>
// Exchange 'new Function' with 'Handlebars.compile'
function templater(source) {  
  source = document.querySelector('script[type="'+ source +'"]');

  source = source.innerHTML.trim();
  if (!source) return;

  return Handlebars.compile(source);

In these examples the return logic was changed to keep it simple. Creating more general purpose functions is possible, but I'll leave it to your creativity to find alternative ways that suit your needs.

Patched PaaS Vulnerability on undefined

This is not about Heartbleed. The Nodejitsu PaaS platform was unaffected by this thanks to our mutual friend: node.js.

On March 10th, Maciej Malecki, a former Nodejitsu Engineer, responsibly disclosed a security vulnerability that he found on our PaaS platform. Here's a quick summary:

  • A patch for this vulnerability was deployed within 72 hours (on March 13th, 2014).
  • Based on our evaluation of access logs and all user applications this vulnerability was not exploited by any malicious third parties.
  • IrisCouch databases, along with our private npm registries were not vulnerable or affected in any way.

How did this happen?

Maciej worked at Nodejitsu and led the work to refactor the entire Nodejitsu cloud platform from the ground up writing the first versions of both solenoid and forza. While he (and the rest of the Nodejitsu team) extensively tested these pieces of software two issues were missed:

  1. Access leakage: global read permissions for the /root directory on SmartOS systems are enabled by default on Joyent machines. This is different from most Linux systems where /root only has read write permissions for the root user by default.

  2. Persistent user processes: The new process supervision did not clean any detached child processes started by user applications.

What actions were taken?

We take any and all security disclosures very seriously and swift action was taken upon receiving this disclosure. First and foremost a scan of both our snapshot access logs as well as our entire cloud was taken. We found there was no strange activity with snapshots, just the common PUTs, GETs and DELETEs that take place from our servers. Our cloud scan also found no sign of child processes that were not spawned by the app directly on that host server. This was a great relief but the problem needed to be solved.

After establishing there was no effect from these issues, the root cause of the problem was investigated and the following actions were taken:

  1. March 13th: Fix to set proper permissions for /root directory is deployed out to all drones.
  2. March 13th: Initial fix to solenoid is made and deployed to all drones.

What vulnerabilities did this expose?

The two issues outlined above exposed two potential vulnerabilities for users. Again: based on our analysis of running processes and CloudFiles access logs (correlated to deployment logs) show no sign of malicious exploitation of either of these vulnerabilities.

First by default, the only potentially sensitive file in our /root directory is the configuration file for solenoid. The only sensitive information in that file is our CloudFiles API key for downloading user snapshots to be unpacked. This API key could have been used to list, fetch and modify user applications. Second, detached child processes could have remained running after the target user application was stopped, enabling a malicious attacker to observe the system when they were not supposed to.

What else do I need to know?

The calculus of running arbitrary user code as part of our Platform-as-a-Service product has made us paranoid from the start, but clearly not paranoid enough. We know we missed a potentially serious issue here, but thankfully there were no negative effects from it. All user information went unaffected and we can all sleep easy. It should go without saying (but we still will) that we are sorry and are taking steps to ensure that future changes are more closely vetted in our staging environments.

We know security is an on-going discussion and we welcome responsible disclosures. They can be sent at any time to — please encrypt using our PGP key. Encouraging contributions and knowledge sharing about our platform from former team members was one of our main motivations for making all of our core daemons (solenoid, forza, and module-foundry) Open Source. Clearly, we got that right! A big thanks goes to Maciej for the responsible disclosure and for giving a second look at the system he helped build. If you would like to read a more technical analysis of the vulnerability along with how it was found, you can read Maciej's separate post here. - Learning d3.js by Example on undefined

We’ve been working quite a bit with d3.js here at Bocoup. From working on d3.chart to our work with clients like Climate Central. Regardless of our endeavor, one thing stayed true - we rely on the many examples out there showing off how to use various esoteric features of d3.js.

Many of these examples live on the wonderful built by Mike Bostock, the creator of d3.js and one of the tool’s most prolific users, with over 800+ examples. One of the challenges with bl.ocks is that it is not searchable. Bl.ocks serves as a front-end to github’s gists and as such relies on Github’s API.

After my visit to d3.unconf it became clear that the community as a whole relied heavily on these examples as well and needed a better gateway to finding various uses of the d3 API. Today we’re excited to share, a search and navigation tool to blocks and gists that contain uses of the d3 API.

Blocksplorer logo

Bl.ocksplorer works by scanning the names of github users for their gists. We work off of a master list but we would love for you to help us grow it! Add your github username here.

Bl.ocksplorer is comprised of two parts (which are both open source): The backend searching task called blockscanner and the front-end UI called blocksplorer. The backend is using a redis-based worker that scans the gists of specific users for mentions of d3 APIs and aggregates per-API data into files on S3. The front-end then requests those files based on the search parameters. The front-end is a small Ember.js application. We welcome any improvements and suggestions!

Weekend Reading – Should I deploy on a Friday at 5pm? on undefined

Should I deploy on a Friday afternoon, a handy flowchart

Design Objective

Should “Yes, delete it” be red, or green? When in doubt, remove the text and ask again.

Use autocapitalize to make input faster & format appropriate:

Four things I wish every chart did: annotate the data, annotate the slopes, exclude incomplete periods, and enable projections. Now can we get that in a library with a nice API, pretty please?

No one wants to use your website A honest approach: design your site as though users have no desire to be there.

The Email of Things How an email call to action can affect the real world, and how the real world gets your attention via email.

Glossing Over the UX: Why Do so Many UX Bugs Get Past the QA?

Dedesign The Web invites you to guess the web site from its wireframe.

Tools of the Trade

Redis new data structure: the HyperLogLog Besides being useful, and super cool (read: I still don't understand why HLL works), just the idea of a database server innovating with application-level data structures (compare and contrast).

PlanOut is a Python-based framework for online field experiments: "PlanOut is all about providing randomized values of parameters that control your service."

Introducing CNAME Flattening: RFC-Compliant CNAMEs at a Domain's Root You create a CNAME, the DNS serves a A/AAAA record. Which is how things should have been. So who's the next DNS provider to offer that? Got any deprecated projects you're no longer maintaining? Move them to the deprecate org.

JavaScript OCR lets your browser capture images and OCR them. For some background.

John Resig:

I frequently get accused of “hacking” web sites because someone views source and sees my name on jQuery.

Michael Garvin:

If you think about it, a core dump is just a process taking a selfie.

Lines of Code

Web Reflection: What Books Didn't Tell You About ES5 Descriptors Oh, JavaScript, how I love your numerous idiosyncrasies.

Reginald Braithwaite:

Critical: “DRY” is about a single source of knowledge, not about removing duplicate implementations.

Enabling Transactions in Node.js using Domains in which domains are used as ThreadLocal. (Nothing about error handling or using event emitters to coordinate resource managers)

Christian Gloddy:

@izs First they ignore you, then they laugh at you, then they realize you're the only language that runs in the browser.

More Efficienter JavaScript: "Basically all of JavaScript is approximately 8 jQueries. Do the math."

None of the Above

NPR Pulled a Brilliant April Fools' Prank On People Who Don't Read The rare time you do want to read the comments.

Low Vitamin D Levels Linked to Disease in Two Big Studies But, taking supplements only linked to improvement in older adults.

This Is What the GOP's War On Science Looks Like Our government at work!

How Rare Are Anti-Gay-Marriage Donations in Silicon Valley?

GitBook for building programming books and exercises using Git(hub) and Markdown.

npmawesome: Progress reporting in CLI applications on undefined

This is a guest post from Alex Gorbatchev and Nodejitsu loved what Alex was doing at and is now supporting the project. Like what you see here? Why don't you contribute on Github?

Lets talk about long running CLI (command line interface) applications. When you have a finite process that is expected to take some time, the best thing to do is to let your users know about it. A typical application that for example downloads a file might look like this

  request = require('request'),
  fs = require('fs')

process.stdout.write('Downloading... ');

  .pipe(fs.createWriteStream(__dirname + '/node.tar.gz'))
  .on('close', function (err) {

The user experience is hardly a great one. It's clear that something is happening, or at least expected to be happening.

It's not really clear if it's still happening. Is it time for ctrl+c yet? How about an indicator that something is actually going on?

intervalId = setInterval(function() { process.stdout.write('.'); }, 1000);

  .pipe(fs.createWriteStream(__dirname + '/node.tar.gz'))
  .on('close', function (err) {
    process.stdout.write(' done!\n');

A little better. But still, there's no way of telling how long the process will actually take. Lets just do a real progress bar, shall we? This is where progress module that was originally started by TJ Holowaychuk comes into play! Due to the awesomeness of open source, progress is now pretty much a community effort.

npm install progress


progress supports a wide range of options via the format string and options. In the end will get a good looking ASCII progress bar and that will let everyone know about the true progress in your CLI application.

These are the tokens you can use to format your progress bar:

  • :bar the progress bar itself
  • :current current tick number
  • :total total ticks
  • :elapsed time elapsed in seconds
  • :percent completion percentage
  • :eta estimated completion time in seconds


Lets modify our original example and put progress to a good use:

  request = require('request'),
  ProgressBar = require('progress'),
  fs = require('fs')

  req = request(''),

  .on('data', function (chunk) {
    bar = bar || new ProgressBar('Downloading... [:bar] :percent :etas', {
      complete: '=',
      incomplete: ' ',
      width: 25,
      total: parseInt(req.response.headers['content-length'])

  .pipe(fs.createWriteStream(__dirname + '/node.tar.gz'))
  .on('close', function (err) {
    bar.tick( - bar.curr);

We even get ETA estimate for free. That's what I'm talking about!

Other modules to checkout

Here are a few other modules to check out:

Closing thoughts

It's really cool to see a CLI application giving meaningful progress feedback. Please don't forget about user experience when building tools.