More IoT stuff, the release of Yarn, and the chatbot competition results. Other interesting things like VMWare on AWS I’ll leave for next week.
IoT follow up
When describing the IoT attacks, I mentioned briefly that the source code for the attack against Krebs on Security had been released as open source. There wasn’t much more to say about it at the time, as it had just happened. By now the results of this are starting to crop up and this article by Cloudflare shows what is happening. While they haven’t recorded attacks as heavy and sustained as those against Krebs or OVH, the attacks they have recorded are very big indeed.
More interesting to me however, is the apparent change in how the attacks are carried out. It seems that these new attacks take place in the form of L7 (HTTP) attacks instead of the “traditional” L3/L4 attacks. The result of this is that while that means that the targeted site is bombarded with less data it requires more work to handle this. Additionally, most mitigations are focused on L3/L4 type attacks. Because of this, the article uses a different metric to explain the scale of the attacks, HTTP requests per second. I’m not going to try to explain everything else about it, as the author of the article does a far better job than I possibly can, so instead I just recommend you read it.
Related to these botnets is that it seems my assertions about the security were indeed correct and that there are already clear cases of 10-year old SSH vulnerabilities that don’t get patched. In the meantime, while companies like Cloudflare are doing their best to stop these attacks (and judging by the results are doing a pretty good job) I can’t help but feel that a long-term solution should be at the starting point of the attacks instead of the target.
Yarn
If you’ve done any frontend development work, you will most likely have encountered the joy that is package management for Javascript. Especially when you work with a team on the same project, npm can become quite messy, involve a lot of downloading, and you can still end up with different versions of dependencies across your team. Facebook, with the help of others, tried to resolve this issue by releasing Yarn.
The first important thing to note here is that it doesn’t replace npm. Or rather, it replaces the client but uses the same repository to pull the code from. So in a way it’s just a different interface for the same things you’re already familiar with. A smart choice as otherwise we’d end up with the same code needing to be hosted in two places.
So, what’s better about Yarn? And is it actually better? The main differences between Yarn and the regular npm client are the things I mentioned in the first paragraph: more focus on efficiency and consistency. Additionally there are a number of other choices they’ve made. For example, for security reasons installing an npm package with Yarn won’t automatically run any of the commands it may have defined. While these can be useful, they’re also a security risk and Facebook therefore decided against them.
Similar choices have been made across the board, and depending on what your preferences are it’s therefore very possible that using Yarn isn’t the right choice for you. Nonetheless, regardless of whether it will turn out to be the best interface for npm it’s still good to have a second interface. The source is on GitHub, and it will be interesting to see where it will go from here.
Chatbot winners (and losers)
So, the results for the serverless chatbot competition have come in. Unfortunately it seems the judges made a mistake and forgot to give Igor a prize. Oh well, too bad so sad. There are some interesting ones among the winners though, so go take a look. One of the winners was written by a friend of mine, so definitely check out CLIve.