Typosquatting Package Managers

Fascinating attack on unmoderated package managers for programming libraries (via former TimeDoctor contributor, Vogon) that would work just as well on unmoderated app stores:

In the second part of 2015 and the early months of 2016, I worked on my bachelor's thesis. In this thesis, I tried to attack programming language package managers such as Python's PyPI, NodeJS's Npmjs.com and Ruby's rubygems.org. The attack does not exploit a new technical vulnerability; rather, it tries to trick people into installing packages that they did not intend to run on their systems.

[…]

So basically we create a fake package that has a similar name to a famous package on PyPI, Npmjs.com or rubygems.org. For example, we could upload a package named reqeusts instead of the famous requests module.

It ends up being very successful:

In two empirical phases, exactly 45334 HTTP requests by 17289 unique hosts (distinct IP addresses) were gathered. This means that 17289 distinct hosts executed the program above and sent the data to the webserver which was analyzed in the thesis. The number of HTTP requests is for various reasons higher than the number of distinct IP addresses. The main reason is that pip executes the setup.py file twice on installation. Don’t ask me why.

We’re All Doomed: Part LXVII

Chris DiBona announces the shutdown of Google Code:

When we started the Google Code project hosting service in 2006, the world of project hosting was limited. We were worried about reliability and stagnation, so we took action by giving the open source community another option to choose from. Since then, we’ve seen a wide variety of better project hosting services such as GitHub and Bitbucket bloom. Many projects moved away from Google Code to those other systems. To meet developers where they are, we ourselves migrated nearly a thousand of our own open source projects from Google Code to GitHub.

As developers migrated away from Google Code, a growing share of the remaining projects were spam or abuse. Lately, the administrative load has consisted almost exclusively of abuse management. After profiling non-abusive activity on Google Code, it has become clear to us that the service simply isn’t needed anymore.

Beginning today, we have disabled new project creation on Google Code. We will be shutting down the service about 10 months from now on January 25th, 2016.

There are a ton of abandoned but still useful projects on Google Code, most of which will be lost after 2016 if nobody clones them and puts them online somewhere else. Fortunately there is at least an Export to GitHub button on every Google Code site now.

This is your continued reminder that Google, and start-ups funded by VC money, are not a safe place to store your work. Own your shit before GitHub starts inserting malware into downloads or sells out in some original and disruptive way. Get a domain, some shared hosting, maybe a Linux or BSD VPS if you’re rich. With git it is easy enough to move a project if you have cloned the project locally and have established a web presence that people can check for updates. At the very least, don’t make the GitHub page the public-facing home for your project.

Even Google isn’t stupid enough to put their most important projects on another company’s servers:

Google will continue to provide Git and Gerrit hosting for certain projects like Android and Chrome. We will also continue maintaining our mirrors of projects like Eclipse, kernel.org and others.

You can be sure their internal code for things like search isn’t hosted on GitHub, either.

Donate to the Internet Archive.

ABC Linuxu interview w/icculus

Lots of interesting stuff including Ryan discussing OS/2 at length. This portion is especially compelling:

I find if you’re targeting Windows, Linux, and Mac OS X right from the start, your code will probably work anywhere else that you might try it later.

Not too long ago, people would say, “why bother? Everyone runs Windows!”

But then the consoles became important.

And smaller shops might still say, “well, I’m not targeting those anyhow!”

But now they wish they had an iPad port.

You never know what will be important tomorrow!

via Interview: Ryan C. Gordon.

The English version of the interview is unfortunately lacking this great picture so I have provided it for reference.


How the App Store was won

[Various points of data showing how iPhone OS app, iTeleport generates a ton of revenue despite being priced at $25 snipped…]

We also hope this demonstrates that you can build a business on the App Store.  That doesn’t mean it’s easy, or that you’ll automatically make more money if you raise your price, or that every app should be priced at $25.  It’s just another perspective, albeit one that we haven’t heard in all the discussions of the iPhone developer ecosystem.  This may be because we’re the only ones, but we don’t believe that’s the case.  And we’d like to encourage others to add their voices to the chorus, in the hope that we can change the perception of the App Store.

via Quality over Quantity: How We Built iTeleport into a Profitable Business on the App Store – The iTeleport Blog.

What the heck is cloud computing?

There is a lot of talk these days about “cloud computing”. Not many people know what cloud computing is, and there has been much confusion around the topic. Cloud computing has been hailed as the next step: automatic or transparent, dynamic provisioning of resources, as and when one’s application needs them.

Hello, I’m Eric Windisch, a new editor here at Time Doctor Dot Org. I consider myself to be a Unix/Linux systems administrator, business owner, industry analyst, and in other words: a geek. I’ve been asked to bring some technical content to this site, which I hope I can do in a way that will be both interesting and informative. My first article is “What the heck is cloud computing?”, please enjoy. – Regards, Eric Windisch
