25 Aug 2015

Visual Studio 2015 + Cordova Update 1 can lead to broken Cordova projects

cordova toolsThe dev tools team recently released update 1 for the Visual Studio Tools for Apache Cordova, however this update can cause VS to hang and/or other issues with Cordova projects. This is a known issue and it is one that impacts early adopters most of all because it is the combination of two things that cause this to happen, one being the update the second being the original Windows 10 SDK. There was an issue with the SDK and it was re-released a few days after the initial release with a fix, but anyone with the original bits will have a problem – this includes anyone installing VS 2015 from the ISO while not connected to the internet (if you are connected, even if you use the ISO, it will get the latest bits).

Workaround

If you have not yet installed the tools, the check is simple – open the registry and make sure you have the following key:

  • For x86: HKLM\Software\Microsoft\VisualStudio\14.0\Setup\VS\JSLS_MSI\Version
  • For x64: HKLM\Software\Wow6432Node\Microsoft\VisualStudio\14.0\Setup\VS\JSLS_MSI\Version

if you do not have that registry key, you are at risk of this issue and you should do the following:

Ensure you have an internet connection BEFORE you start this.

  1. Go to Programs and Features, select Visual Studio 2015, click Change.
  2. In Visual Studio setup, click Modify.
  3. Deselect the feature Tools for Universal Windows App Development.
  4. Select Tools for Universal Windows App Development again, and click Update.

(basically forcing the VS installer to get the latest SDK bits and install those which means the issue doesn’t occur)

If you have already uninstalled the Tools for Universal Windows Apps Development

  1. Reinstall Tools for Universal Windows App Development.
  2. Or, take the following steps to reinstall the JavaScript project system and language service:
    1. Download the installer for your edition of Visual Studio, such as, vs_community.exe.
    2. Open a command window, and run the following command:
      vs_community.exe /modify /installselectableitems JavaScript_Hidden /passive
    3. Change directories to C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE
    4. Run the following commands
      devenv /updateconfiguration
      devenv /clearcache

(thanks to Paul Chapman on the forums for this information)

Tags: 
03 Aug 2015

Visual Studio ❤ JavaScript

I recently presented at the fantastic JSinSA conference about some of my favourite JavaScript tools that Microsoft is offering. Below are the slides & my demo notes! I also recorded a video the night before of the session so check it out on YouTube.

Video

Slides

Demo Notes

AttachmentSize
jsinsa script - public.docx19.52 KB
Tags: 
15 Jul 2015

Stop deleting my comments

I have been accused of censorship on my blog for deleting comments which are seen as criticism of my views on Telkom's technical flaws, and yes, I have been deleting comments. I have felt these comments attack are attacking to me as the author and that they are not discussing the issues at hand and I do not want anger, fighting or hate on this blog. This is a place to help, not a place to break down. If the authors feel they have a point, they are welcome to clearly and calmly rephrase it and post again. Alternatively, they are also welcome to post to Reddit where most of this has already been discussed and I have no control of what appears.

Tags: 
09 Jul 2015

Telkom & the Man-in-the-middle attack - ROUND 2

Telkom_logoThis is a follow up to my post on the man-in-the-middle attack that Telkom continues to use, as well as to the Telkom response in the awesome TechCentral article and new thoughts brought about by the Reddit post.

A real threat

Shortly after I posted my article I was contacted by someone (let us call them Person X ) who went snooping based on my post and found that Telkom did indeed have a major security flaw in the system. We agreed to hold on sharing the information publically until Telkom fixed it or enough time had elapsed to show they didn’t care. Telkom appear to have fixed it, as far as I can tell, so let us dig into this major attack vector.

Recapping the content that is served to you is made up of three pieces:

  • JavaScript – this is appended to other JavaScript to ensure it runs and the entire modified JavaScript is returned from a specific server. This server is only visible on the Telkom ISP network.
  • HTML – bit of HTML is loaded, once again from the same server as above.
  • Image – the graph showing you the usage is a static image served from a server which is (oddly) available everywhere: http://images.telkomsa.net/

Person X, realised that the images came from a folder ibn and that folder had directory listing enabled, which isn’t a good practise but, normally, not a major security concern. What the directory listing showed, besides the files, is the version number of the server which was (at the time) 2.0.52.

Apache 2.0.52 was released in November of 2004… 11 years ago and has NUMEROUS security flaws. There is no reason to run this version at all, it is insecure and points out a major security procedure flaw in Telkom. Using one of the flaws, it was possible to replace the specific image on the server with anything you wanted. For example, you could swop the image file with a flash file that would enable you to use one of the recent zero day attacks against flash and leveraging Telkom’s system to deliver said flash file to the user for you thus allowing you to own the target machine.

Remember this popup only shows to people who meet the following three requirements:

  1. Telkom ISP client
  2. At or near their limit
  3. Have not opted out

I would assume that the tech savvy of Telkom's users have opted out, and those near their limit are soft capped, meaning that security patches are slower to get to them. In short, it is the most vulnerable group who would be targeted. Scary right?! Let us hope Telkom fixed all the issues with that server and all the others.

Comments on Telkom’s choice wording

I am really happy Telkom has responded and is fixing things, that is all I wanted. That said, their choice of wording and delay on commenting until they fixed the issue is interesting. Let us break down their response and I am avoiding nit-picking since I could do a lot of that too.

In technical terms, we refer to it as an HTTP redirect

That is true. It is an HTTP redirect, but the manner it is used in is not the traditional sense of an HTTP redirect where the destination server tells the client to go somewhere else. Here a man in the middle (see what I did there Smile with tongue out) is doing the telling, and thus I chose the term MITM attack as the description. It is not an exact description, but it is a description that describes the entire scenario and not just one choice aspect.

HTTP redirect is a common mechanism used in service provider networks for content caching and to optimise video streaming

True again. That said, in those scenarios the service providers are not changing the content merely the destination to be better for the user. Telkom is changing the JavaScript content, there is a fundamental difference there.

does not alter the Web service content

In my previous post, I showed they are changing the JavaScript content, so that is pretty wrong.

is not a security risk

See above and then realise it was only true when it was said, not the day before. 

will not ‘break’ a website

The web  is a big place, it is impossible to know that. I also wonder why break is in quotes – is there more than one definition of break?

Performance impact

How bad is the download size issue really? It is 200k of data, it is all local so latency is low and the image URLs are constant so caching can happen to them. Also if Telkom is smart, then they are not counting this towards your cap. You will likely find that if the JavaScript is loaded in the header of the HTML page it could slow down rendering more than it could slow down network I/O. My gut says that it is insignificant in the grand scheme of things and I don’t believe I got that across well before. I personally feel, Telkom as an ISP, should be squeezing every drop of performance out and this would be a great start. Enough drops will fill a bucket.

Tags: 
02 Jul 2015

Visual Studio + ES6

JavaScript-Programming-2014I have been asked recently about the ES6 support in VS and I haven’t had a good answer about how much of it is supported right now (i.e. VS 2015 RC) and what is supported. The general feeling from the askers is that VS is far behind in this space, so the only reasonable thing to do is for me to test this and let you know.

Using Luke Hoban’s awesome page on ES6 features gave me a great point to kick off from around the different features. I then tested each feature in VS 2015 RC and also in VS Code (our new lightweight, cross-platform, free IDE) and in the end Visual Studio has 70% implemented and Code has 94% implemented. What does implemented mean though? It means no errors & and the IDE does the right IntelliSense stuff for you. There is on-going work with both IDE’s so this will improve but as a baseline for discussion it is useful.

The way I worked it out is to assign a 1 (works) or zero (doesn’t work) to each feature. In some cases I assigned a middle value because it kinda worked and the footnotes will explain that. The only missing one on here is the reflect API. I don’t have an example I can work with around that yet, so I did not include it. If you find any errors here, please let me know and I will gladly update!

  VS Code
Arrows 1 1
Classes 0,51 1
Enhanced Object Literals
1 1
Template Strings
1 1
Destructuring
0 1
Default + Rest + Spread
0,52 1
Let + Const
1 0,83
Iterators + For..Of
1 1
Generators 0 1
Unicode 0 1
Modules 0 1
Module Loaders 0,54 0
Map + Set + WeakMap + WeakSet
1 1
Proxies 1 1
Symbols 1 1
Subclassable Built-ins
0,55 1
Math + Number + String + Array + Object APIs
1 1
Binary and Octal Literals
1 1
Promises 1 0,96
Tail Calls
1 1
Total 70% 94%

Footnotes:

  1. No issues in the IDE are raised but the IntelliSense is lacking.
  2. No issues in the IDE are raised but the IntelliSense is lacking.
  3. There is an odd issue where an extra warning is raised in the wrong place. It doesn’t break anything but isn’t ideal.
  4. No IntelliSense on the loaders.
  5. Again lack of IntelliSense is the issue.
  6. Weird warning appearing, which looks like a bug.
Tags: 
01 Jul 2015

The JavaScript JSON Cookbook

6902OS_JavaScript%20JSON%20Cookbook.jpgIn February this year I was contacted by the team at PACKT Publishing about being a technical reviewer for a book which was underway, in exchange I would get a free copy of the book and be listed in the book as one of the reviewers. I have toyed with the idea of writing a book for ages so this felt like a good idea to see what happens behind the scenes without committing to actually writing a book. I said yup to them, and today that book got published! You can get it at: http://bit.ly/json_cookbook (I am really excited about this)

The book* itself is a very interesting mix of content, from the very basics of JSON to introduction to MongoDB and storing data in it. It very much hits the nail on the head with the description “Quick answers to common problems”. What I think is really awesome about it, is that it really tries to cover a lot of languages & tools. So there is .NET, Java, Node.js, Android, ObjectiveC and more. The examples are really great as all work on a variety of OS’s too, so you can quickly try stuff out. I don’t think it is a book you It isn’t a book you would read end to end but rather give you guidance on where to start with problems related to JSON.

The experience itself of reviewing was interesting, each chapter took a few hours of reading and trying out the code and responding with details of issues found. The people I worked with at PACKT made it really pleasant. I never heard from the author or other reviewers, which in hindsight is odd but I think that maybe helped keep my responses focused and not have a bias in them.

If you do pick it up, let me know what you thought of it!

*Note: I’ve only see the content I reviewed, I haven’t seen the final book which maybe different.

Tags: 
29 Jun 2015

Running Vorlon.js on Ubuntu

Vorlon.js is an amazing tool for web developers as it brings the browser developer tools, aka F12, out of the limitations of a single browser and to the cloud. While you can run it on your machine, I believe to really get the full power of it, you need to put it on a dev server somewhere. The broader the reach, the more use. So with that mindset here is how to run it on an Ubuntu server and for this example I am use Azure to host that VM. I am using the Basic A2 (2 Cores, 3.5 GB) machine which is more than enough for Vorlon and means I can run the server pretty cheaply.

Step 1: Get NPM

Vorlon uses NPM, Node Package Manager, for distribution so you need that to get started. Before you begin, make sure you are up to date:

sudo apt-get update

Once that is done you can run the following to install NPM:

sudo apt-get install npm

If you didn’t follow my advice on doing the update first, or you ran into issues, you may need to run the command again with extra parameters:

Step 2: Get Node.js

Vorlon is built with Node.js, so you need to get that too. This took me surprisingly long to figure out, but thanks to this page I came right. The commands to run are:

curl --silent --location https://deb.nodesource.com/setup_0.12 | sudo bash -
sudo apt-get install --yes nodejs

Step 3: Get Vorlon

Now that the machine is setup correctly, you can get a copy of  Vorlon using NPM with the next command:

sudo npm i -g vorlon

Step 4: Run Vorlon

Running Vorlon is easy, just type: vorlon

For Windows users, make sure it is all lower case. It takes about 30secs and you will see the command output pop up

image

Once that shows up you can access it!

image

/usr/bin/env: node: No such file or directory

Every time I ran Vorlon originally I got the following error message: /usr/bin/env: node: No such file or directory

This is because I didn’t have Node.js installed. I had npm, which I assumed brought Node.js with it but it doesn’t and so Vorlon won’t run. In hindsight it is obvious, and even the error message tells me that but at the time – well it was an hour to figure out :/

Azure – don’t forget those endpoints

If you are on Azure, you will also need to setup the endpoints to allow access to the VM. To do this, go to the portal and open you VM. Click All Settings, then Endpoints, then Add. From there you need to add an endpoint that maps the public to the private. I keep both the same (1337) but you could make the public something different.

Clipboard02

Tags: 
29 Jun 2015

How to use TypeScript in Sublime Text!

You want to code in TypeScript. You want to code with Sublime Text. Today, that is really really easy to do, thanks to Package Control and Microsoft, who is now providing a first class plug-in for Sublime Text to enable & light up TypeScript.

Step 1: Install Package Control

The installation instructions for it can be found here, but in summary you press Ctrl+` and then paste the following code (for Sublime Text 2, for 3 see their website) into the text box and press enter

import urllib2,os,hashlib; h = 'eb2297e1a458f27d836c04bb0cbaf282' + 'd0e7a3098092775ccb37ca9d6b2e4b7d'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); os.makedirs( ipp ) if not os.path.exists(ipp) else None; urllib2.install_opener( urllib2.build_opener( urllib2.ProxyHandler()) ); by = urllib2.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); open( os.path.join( ipp, pf), 'wb' ).write(by) if dh == h else None; print('Error validating download (got %s instead of %s), please try manual install' % (dh, h) if dh != h else 'Please restart Sublime Text to finish installation')

image

It takes a few seconds where nothing happens and then, without much fanfare, the message window will say “Please restart Sublime Text to finish installation” – so do that.

Step 2: Add the TypeScript package

Press Ctrl+Shift+P to bring up the command palette and type in Package Control: Install Package and press enter.

You can use the arrow keys to navigate the list quicker and press enter on the right item rather than typing everything.

image

In the next command palette window type TypeScript and hit enter.

image

In the status bar it will start to download and install TypeScript: image

Once that is done, it is done and you will get glorious TypeScript in Sublime!

image

Tags: 

Pages