Tech News

For security’s sake update WordPress to version 3.8.2

On April 8, 2014 WordPress released a security update to version 3.8.2. The announcement that accompanied the release states “this is an important security release for all previous versions and we strongly encourage you to update your sites immediately.”

WP 3.8.2 addresses two potentially serious security vulnerabilities, includes three security hardening changes, and addresses nine “other bugs.” Most notably the following security issues are addressed:

  • Potential authentication cookie forgery. CVE-2014-0166. (Very serious vulnerability!)
  • Privilege escalation: prevent contributors from publishing posts. CVE-2014-0165.
  • Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
  • Fix a low-impact SQL injection by trusted users.
  • Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.

Additionally: JetPack – the wordpress.com feature-rich plugin suite – was updated to version 2.9.3 to address similar issues.

If your site is currently operating a WordPress version below 3.8.2 or Jetpack version below 2.9.3, you may be at risk and should consider upgrading as soon as possible. 

Filed under Tech News, Technology

Heartbleed bug security alert: Your web server/data may be vulnerable – test your domains

On Monday evening, a security firm announced a new vulnerability in a key internet technology that can result in the disclosure of user passwords. This vulnerability is widespread and affects more than two-thirds of the web servers on the planet, including top-tier sites like Yahoo and Amazon. If you have a secure (https) website hosted on a Linux/Unix server using Apache, Nginx or any other service that uses OpenSSL, you are likely vulnerable.

For a detailed breakdown of this vulnerability, please see this site. This security vulnerability may affect up to two-thirds of all web servers. We urge you to assess your vulnerability immediately, and reach out for help.

How can I get help to fix this problem?

How can I see if my servers are vulnerable?

You can use this site to test your domains for the vulnerability. Enter the domain of your HTTPS web site. If you get a red positive result, you are vulnerable.

In addition, you can execute the following command on your servers to see if they are running a vulnerable version of OpenSSL: openssl version -a

If the version returned is 1.0.1, and its build date is before April 7th, 2014, you are vulnerable.
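One way to script the check just described, as an added example that is not part of the original post: it applies the version-and-build-date rule to the text of `openssl version -a`. The sample outputs are constructed; real use passes in `$(openssl version -a)`.

```shell
#!/bin/sh
# Added example, not from the original post: applies the rule above to the
# text of `openssl version -a`. OpenSSL 1.0.1 through 1.0.1f built before
# 7 April 2014 is VULNERABLE; 1.0.1g (the fixed release) or a 1.0.1 build
# dated on/after that day (how distributions shipped the fix) is PATCHED;
# other branches are NOT_AFFECTED. Real use: heartbleed_check "$(openssl version -a)"

# Turn a "built on:" value such as "Mon Apr  7 20:33:29 UTC 2014" into a
# sortable YYYYMMDD number. Prints nothing when no date can be recognised.
build_date_key() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        {
            y = ""; mo = 0; d = 0
            for (i = 1; i <= NF; i++) {
                if ($i in mon) { mo = mon[$i]; d = $(i + 1) + 0 }
                else if ($i ~ /^[0-9][0-9][0-9][0-9]$/) y = $i
            }
            if (y != "" && mo > 0 && d > 0) printf "%04d%02d%02d\n", y, mo, d
        }'
}

# Prints "<STATUS> <version>"; returns 0 (safe), 1 (vulnerable), 2 (cannot tell).
# $1 is the complete multi-line output of `openssl version -a`.
heartbleed_check() {
    out="$1"
    # The version is on the "OpenSSL x.y.z <date>" line; that date is the
    # upstream release date, NOT the build date, so it is deliberately ignored.
    ver=$(printf '%s\n' "$out" | awk '/^OpenSSL /{ print $2; exit }')
    built=$(printf '%s\n' "$out" | sed -n 's/^built on: *//p' | head -n 1)
    base=${ver%%-*}        # drop vendor suffixes such as "-fips"

    case "$base" in
        1.0.1|1.0.1[a-f]) ;;                         # affected branch: check the build date
        1.0.1*) echo "PATCHED $ver"; return 0 ;;     # 1.0.1g and later
        "")     echo "UNKNOWN (no version line)"; return 2 ;;
        *)      echo "NOT_AFFECTED $ver"; return 0 ;;
    esac

    key=$(build_date_key "$built")
    if [ -z "$key" ]; then
        echo "UNKNOWN $ver (build date unreadable)"; return 2
    fi
    if [ "$key" -lt 20140407 ]; then
        echo "VULNERABLE $ver"; return 1
    fi
    echo "PATCHED $ver"; return 0     # same 1.0.1 branch, rebuilt with the fix
}

# Constructed (abridged) samples in the format `openssl version -a` prints.
SAMPLE_OLD="OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Feb 11 15:26:36 UTC 2014
platform: linux-x86_64
OPENSSLDIR: \"/usr/lib/ssl\""

SAMPLE_REBUILT="OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 02:39:29 UTC 2014
platform: linux-x86_64"

SAMPLE_FIXED="OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr  8 09:12:44 UTC 2014
platform: linux-x86_64"

SAMPLE_OTHER="OpenSSL 1.0.0k 5 Feb 2013
built on: Wed Feb  6 12:00:00 UTC 2013"

for s in "$SAMPLE_OLD" "$SAMPLE_REBUILT" "$SAMPLE_FIXED" "$SAMPLE_OTHER"; do
    heartbleed_check "$s" || true     # keep the demo going on status 1 or 2
done
```

A distribution that backports the fix keeps the old version string, which is why the build date, not the version letter, decides for the 1.0.1 branch.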

How can I fix it if I am vulnerable?

You will need to obtain a patched version of OpenSSL and install it on all vulnerable servers. Updated packages should be available for Debian, RedHat, Ubuntu, and CentOS via their package managers. If a package is not available for your platform, you can recompile the OpenSSL package (version 1.0.1g) with the NO_HEARTBEAT flag, which will disable this vulnerability. After updating, restart any services that are using SSL and re-test your domain using the link above (http://filippo.io/Heartbleed/).

For information on your specific Linux distribution see:

Additionally, you should strongly consider changing passwords and/or resetting SSL certificates, but only after OpenSSL has been updated.

What is the vulnerability?

With the vulnerability, called Heartbleed, attackers can obtain sensitive information from servers running certain versions of OpenSSL. Examples of sensitive information include private encryption keys for SSL certificates, usernames/passwords, SSH private keys on those servers and more. Attackers who obtain the private keys for your SSL certificates can then set up a man-in-the-middle attack between you and your customers and obtain secure information, such as credit card numbers and authentication credentials. The vulnerability was publicly disclosed Monday, 4/7/2014.

If you have any questions, please contact us, or ping your own go-to Nerdery contact right away. We’ll help analyze your risk and protect your data. If The Nerdery can be a resource to you in any way, we will.

Filed under Tech News, Technology

What is Android Wear, and Why Should You Care?

Google rocked boats recently by announcing Android Wear. “What is Android Wear?” you ask? It’s a specialized version of Android designed to run on wearable computers. Right now, we’ve already seen two Android Wear devices slated for release in Q2 of 2014 – the square LG G Watch and the round Moto 360. These watches will pair with any Android handset running Android 4.3 or greater. This is a refreshing change from smart watches such as the Galaxy Gear, which restrict owners to pairing with the few compatible Galaxy devices. Right now, both of the publicly announced Android Wear devices are considered “smart watches.” However, according to the lead designer of the Moto 360, the name “Wear” means more product form factors will be explored in the near future.

So what do we know about what these smart watches can do? We know they’ll do what all watches do – tell time – but there’s a lot more as well. Wear devices will have a voice-input button that will trigger a launcher somewhat like Google Now.

They’ll also be able to display a number of different notifications to the user at the flick of a wrist. As app developers, we will be able to make these notifications deliver a user’s response back to an app on the phone. For example, we can present the user with a notification from a messenger app that lets the user click a button to open the associated app on the phone. There’s also a “Remote Input” feature that lets the user speak a message to the Wear device, which is then sent to the app on the phone.

Notifications are just the start. According to Google, down the road we’ll be able to do the following:

  • Create custom card layouts and run activities directly on wearables.
  • Send data and actions between a phone and a wearable with data replication APIs and RPCs.
  • Gather sensor data and display it in real-time on Android wearables.
  • Register your app to handle voice actions, like “OK Google, take a note.”

What’s more, Google is working with an impressive list of hardware partners including Fossil, Samsung, HTC, Asus, and Intel. With all of the work they’re doing, one might wonder why they focused on notifications first. The most pressing reason is that this will affect every existing and upcoming Android device that offers notifications. Because this will affect so many apps, Google is trying to give us time to get our apps ready for the wrist. Regardless of whether your app was built with Wear in mind, users with Wear will be able to get your app’s notifications on their wrist. It’s in every app developer’s best interest to make sure that notifications are making their way to Wear.

Because this is so important for so many apps, we need to focus on how to interface with Android Wear correctly. Keep in mind that notifying users on their wrist is a powerful way to get information to the user, but it cannot be taken for granted. The goal is to give users information they need right when they need it. Users don’t want to be spammed with too many notifications. Instead, the focus should be on maximizing signal and minimizing noise. For example, notifications shouldn’t vibrate unless they need the user’s urgent attention or action. A couple of examples that Google offers are a time-based reminder or a message from a friend. Similarly, a notification shouldn’t have sound unless there’s a good reason to. The goal with Wear is to make notifications glanceable. This means doing things like collapsing multiple notifications into a more compact view. There are five different priority buckets – Max, High, Default, Low, and Min. It’s important to know how to use these correctly. For more information on designing great notifications, read The Official Wear Design Guidelines.

We’re only scratching the surface of cool things that can be done to display information quickly while brushing disruptions aside conveniently. I’m excited to see what we can come up with next.

Filed under Tech News, Technology

A Developer’s Perspective on The Whirlwind of Announcements From GDC 2014

Growing up with the game industry has truly been a great pleasure. One of the coolest things about my time with the industry has been the recent years of incredible growth and the industry’s emergence as a leader in entertainment. In that growth, conferences like E3, PAX, and GDC have only gotten bigger and crazier. GDC (Game Developers Conference) has a couple of different iterations (such as GDC Europe, GDC Asia, and GDC Next), but GDC ‘Prime’ (simply known as ‘GDC’) is where all the stops are pulled and vendors show off their latest and greatest.

This year’s GDC just wrapped and it has been a whirlwind week. There is so much to talk about in the way of technology and game announcements, but the focus of this article is going to be around core game engines and virtual reality technology. But before I switch to that, a quick shout out to Lucas Pope (@dukope) for pretty much sweeping the Independent Game Developer awards with his game ‘Papers, Please’. So great to see an amazing game recognized for its brilliance.

Two housekeeping items before I launch into full nerd mode here – two terms I would like to define for you, that is. The first is “Game Engine.” Game engines are the final assembling point in the game-creation pipeline. It is where you pull in all of your art assets, where you create your level scenarios, and where you code (‘script’) events to happen in the game. Things to consider when a developer selects a game engine are points like how light is rendered in the engine, the ability for different dynamic visuals, and what the cross-platform abilities of the engine are. The second term I want to make you familiar with is “Virtual Reality.” Sure, you may have heard that term before and eye-roll at the very sound of the words together, but it’s making a resurgence in a massive way. Kickstarter birthed the Oculus Rift project, a goggle set that puts the wearer into a game by placing two monitors right in front of their eyes in an oddly comfortable way (in a nutshell, I have not gone ‘full nerd’ here yet). In any case, they put the ability to create a super immersive visual scenario in the hands of many developers by making Developer Kits purchasable and pairing them with the Unity3D game engine, which is common in the game-development community as a whole.

Alright, so let’s go full nerd now. The week kicked off with Unity3D announcing the fifth iteration of its indie-affordable game engine. While it was not released, it was announced in a grand way. Historically, there has been a division between Unity and the “Triple A” game engines because of the type of game developer they were targeting and the resources required to make a great game engine. Unity 5 has the promise of some pretty impressive features, such as the ability to publish a full 3D game experience to the web without the requirement of a plug-in, through the WebGL technology. Also included are impressive real-time global illumination and physically based shaders, which is nerd-speak for “gorgeous graphics,” shortening the divide between Unity and the big guys.

Personally, I have gotten the opportunity to watch Unity grow from the four-person team I met out in Austin, Texas at the historic GDC Online (which has since been scrapped in favor of the GDC Next conference held in LA). At the time, they were exclusive to the web through their plug-in, but walked over to our booth as they were all setting up and said to me, “Want to see 3D on a phone?” To which I replied, “No way!” Since then, they have built their technology to be able to export to the web (through plug-ins), iOS, Android, Windows Mobile, and even Blackberry. And now they have returned to their roots to make their engine capable of exporting to the web without the use of a plug-in, which has been kind of the Holy Grail for game engines, given the current market.

Not to be outdone, the next day Epic’s Unreal announced Unreal 4, and its release. Now, this is a product I have been talking about for almost two years, since they first started showing some impressive video of the development environment. While there were rumblings that it may be released to the game development community, it certainly was not on my radar because I assumed it was just buzz talk to steal some of Unity’s momentum. But a few of us were stunned to see the word “Released” associated with Unreal 4. The engine features some crazy-impressive elements of lighting and physics (more so than even the Unity 5 updates), but one of the most interesting parts of their showcase is their recent switch in how they present themselves.

Previously, Unreal had a bit of a confusing pricing model which they have recently switched to $19/month + 5% revenue-share, which is much more Indie Development-friendly. So if the mission was to offer a high-end, affordable option to the ever-growing Indie Game Development community, mission accomplished.

If you have been following my blog posts throughout the years, you know that another engine I often reference is the Crytek engine (we game developers get all the cool tool names!). This is the engine behind the gorgeous graphics of the Crysis and Farcry series. While there were no super-exciting technology updates to this engine (which is still impressive, by the way), Crytek did switch over to the EaaS (engine as a service) model, undercutting Unreal significantly at $10/month without revenue sharing. It will be interesting to track the disruption this has on Unity and Unreal users over the next year.

Finally in my engine discussion is something that I (along with many other people) was not expecting at all: the announcement of Ubisoft’s Snowdrop Engine. This engine is about as impressive and beefy as they come. First showcased in the announcement of Tom Clancy’s ‘The Division’, the engine has gone relatively under the radar. When Ubisoft announced the Snowdrop engine, it was unclear whether it would be made available to the open development community, but one of the release videos gives an indication that it may be, after the release of the first game using it. The engine offers some crazy tools such as procedural geometry creation and other features like procedural destruction, stunning volumetric lighting, and jaw-dropping dynamic material shaders (personal favorite). While a huge fan of game development tools, I have never considered myself the guy to get a tool the minute it is available, but I can tell you that if Ubisoft makes this tool available, I am going to take a week off.

We now come to the virtual reality hardware portion of this blog post. This is easily one of the hardest things to discuss, because it is one of those “seeing is believing” topics. I cannot put into words what it is to experience the current VR hardware. The Nerdery, however, is showcasing an Oculus Rift lab experiment that my teammate Chris Figueroa and I tackled using the Oculus Rift Developer Kit 1.

But the big news here is Sony’s announcement of ‘Project Morpheus’. While much of the community remained skeptical of Sony’s play to move into the VR space (given their track record of “pick up and put down” of different technologies), the results are actually rather impressive. The first generation of their Development Kit touts “bigger and better” than the first generation Oculus Rift. That, coupled with the support of engine creators like Unity and Unreal, and it looks like Morpheus could make some waves. Initial reports of those who waited in line at GDC to give it a try are also promising.

But in typical GDC fashion, Oculus Rift brought their response to the show. They showed off a more polished version of their Crystal Cove prototype and announced the second iteration of their developer kit. Overall, the technology is super impressive and in short, tracks every movement the brain expects to see when moving the head, creating an even more realistic VR experience. Getting to use and develop for the Oculus Rift first hand, I can tell you that the future of VR is very promising indeed.

To wrap this up, what happened at the conference is a promising nod at the game development community as a whole, not just top-end developers. The tools being made available to newb developers are vast and great. It is this writer’s opinion that this shift in attention is due to the recent boom of indie game development (caused by many factors that are beyond the scope of this blog post). More tools of better quality available at a reasonable price-point means a lot of things. You will start to see really impressive titles being released for your computers, PlayStation 4s, and Xbox Ones. Additionally, mobile technology will be pushed in ways you never thought possible.

But one of the things I am most excited about is that these technologies are so affordable, I can’t wait to see what this does beyond the game market, and how these new impressive engines – paired with exciting and engaging virtual reality hardware – will change other experiences, like going to the museum, the zoo, or even how consumers make decisions about products. There will soon be a day when you can walk into a Home Depot, put on a VR headset, see your house loaded into a simulated experience, and make paint decisions based on how the light hits the wall at 5 p.m. in the evening.

Filed under Tech News, Technology

NerdCast #85: Targeted Cyber Crime – Discussing BlackPOS

On this episode of the NerdCast we interview security experts Chris Wade and Jason Herbst from the Nerdery QA team. We look at the malware that was used to target high-profile retail companies in a massive case of stolen data. The software, called BlackPOS, is a brilliant piece of software and in another context would be genius in its design. Hear more about how the malware works, what it can reportedly do according to security research firms, and what Jason and Chris think of our current state of security.

Host: Ryan Carlson (Tech Evangelist)

Guests: Chris Wade and Jason Herbst (QA Department)

Listen Now: Running Time: 0:23:13 / Subscribe on iTunes


Bitcoin Wallet Development Using Javascript and HTML5 with Kyle Drake

Kyle Drake came to The Nerdery to share with our developers (and former co-workers) his next big venture into the world of Bitcoin development. Kyle tells the story of how the idea came about for Coin Punk (coinpunk.com), a new way of managing a Bitcoin wallet with browser-based Javascript and HTML5 handling the crypto. He proposes this as a safer and more secure way of managing public and private Bitcoin keys after centralized Bitcoin wallet services suffered millions of dollars in theft due to security breaches on the centralized servers.

So, who is ready to invest in Bitcoin?

Filed under Tech News, Tech Talk

iOS App Submissions After February 1st Will Require iOS 7 Compatibility

Building a new App for iOS or planning on submitting an update to your existing iOS App? The clock is ticking if you are not already fully iOS 7 compatible. According to Apple, starting February 1, new apps and app updates submitted to the App Store must be built with the latest version of Xcode 5 and must be optimized for iOS 7.

This could cause some waves for organizations with an App that must keep supporting legacy iOS devices. Rebuilding everything in Xcode 5 has its advantages, with access to new APIs and code libraries. This shift in development environments may not be an option right now if your App has a substantial number of legacy iPhone 3 and iPhone 3S devices in circulation.

How do I know what version of the SDK was used to build my App?

ProTip: If your App has the option to enter text with the onscreen keyboard you can identify whether or not it is using the latest SDK based on the keyboard user interface.

Below is an image of the new keyboard-style:

image of the new keyboard compiled with the new SDK

Below is the keyboard compiled under the older versions of the iOS SDK:

image of the old iOS keyboard style

Why is upgrading to the latest SDK so important?

After February 1st, Apps using the older versions of the iOS SDK will be unable to:

  • Make fixes to typos
  • Make bug fixes
  • React to third-party platforms like Facebook making a change to their API
  • Update an App that falls out of compliance for payment acceptance, accessibility, and other legal issues

Filed under Tech News, Tech Tips

Why Developers and Consumers Should Care About The Android 4.4 (KitKat) Announcement

Google quietly revealed the latest version of Android (4.4) today, almost two months after announcing that this version would be nicknamed KitKat. Unlike the latest version of Jelly Bean (4.3), which didn’t introduce many new features for consumers and developers, KitKat brings along a huge variety of improvements to the operating system.

The good news for developers and businesses with Android apps is that the vast majority of apps on the Play Store will not break in 4.4, and there are no major design changes that will make your current applications look out of place on a device running KitKat.

Let’s dive in and examine some of the new features!

For Android Users:

Fighting Fragmentation

The biggest change that Google is touting for KitKat is its ability to run on a wide array of devices. Thanks to a focus on slimming down the operating system and introducing new memory management techniques, Android can run on devices with as little as 512MB of RAM. This means that you will start seeing Android on more devices. Manufacturers have been making a big push with smart watches lately, and Google has been working on Google Glass for a while now, so we already have an idea of what low-memory devices running Android might look like.

Updated System UI

A more obvious change that users will start seeing as KitKat begins to roll out is that the system UI is getting out of the way. The status bar at the top of every Android device is now translucent, putting a bigger focus on your content and applications. KitKat also introduces a new “Immersive mode” that allows applications to hide both the status bar and the navigation buttons. Videos, photos, games, and books can all take up 100% of your device’s screen.

Magic-Enhanced Search

Though consumers are using their smartphones as actual phones less and less these days, Google has given the boring dialer a push into the future with some Google search magic. Contacts are now sorted in the dialer by who you talk to the most and who is nearby, and local businesses will also be included in your search. When you receive a call from an unknown number, Google will use Google Maps listings to try to pair the caller with a name.

Integrated Messaging

Finally, Google has taken a page from Apple’s popular iMessage service by integrating SMS and MMS in the hangouts application. All your chats, SMS, MMS, and hangouts will be in one place on your phone.

Check out the complete introduction to Android 4.4 for consumers here.

For businesses and developers:

The first new feature that businesses can leverage is the new printing framework. The printing framework allows applications to send content to printers that users have connected to their devices via WiFi or cloud printing services. If you are taking your application to a trade show, maybe you want to set up your application to print customized brochures, name tags, or other such items. Apps that allow users to create their own content (such as painting applications or photo-editing applications) can leverage these APIs to allow their users to print their content at home.

Animation Support

One area that Android has been consistently lagging behind iOS is in supporting animations. Though the animation APIs improved a lot in Android 3.0, Android has taken another huge step forward in 4.4. Developers can now define animation “scenes” that will make grouping animations for UI changes simple. Android 4.4 also provides default animations for scene changes, so developers may not even need to worry about creating their own animations.

Cross-Platform Solutions

Cross-platform solutions for mobile applications are very popular due to their ability to lower development time in some cases by keeping a single codebase for multiple mobile platforms. These applications typically run in a WebView in Android, which is essentially a miniature web browser in your application. These can be difficult to debug, and do not always conform to the same web standards that your desktop browsers follow. This is changing in KitKat with WebViews based on Chromium. These new WebViews provide support for HTML5, CSS3, and most modern JavaScript APIs, along with an updated JavaScript engine for better performance. Even better, WebViews are now debuggable remotely with Chrome DevTools.

Debugging

Debugging all applications for businesses has become easier thanks to screen recording. You can now take a video of your screen and send it to the developer to help demonstrate how to reproduce bugs. Businesses can also leverage this tool to help create promotional videos for the Play Store, giving users valuable insight into how the app looks while running.

As a part of KitKat’s focus on support for low-memory devices, developers also now have access to powerful memory diagnostic tools to see how much memory their app is consuming over time. This should lead to better app performance and fewer crashes.

This is just the tip of the iceberg for new developer features in 4.4. You can find the complete list of new features for developers here.

Potentially breaking changes:

There are a few changes that could cause some applications to behave unexpectedly in Android 4.4.

  • If your application reads from the public external storage directories, your application will need to request a new permission from 4.4 devices.
  • Applications that use WebViews will want to ensure that everything looks and behaves as expected with the new Chromium-based WebViews.
  • AlarmManager alarms may not fire quite when you expect them to, as alarms are now batched together with all apps that have alarms set to fire within a reasonably similar time frame.
  • Similarly, ContentResolvers that sync periodically will sync within 4% of the period you specify, so you shouldn’t rely on the sync occurring at a specific time.

Filed under Tech News, Technology

Popular Recommendations Service Outbrain Was Hacked – Check Your Settings

The popular content recommendation service Outbrain (outbrain.com) was hacked this morning, affecting sites as large as the Washington Post as well as sites on the WordPress VIP Hosting Service. If your site uses Outbrain, please take a moment to disable the service until the “All Clear” has been given by the vendor.

Outbrain is a service that provides websites with related content from across the web via a Javascript implementation. The service indexes your site and provides links via a script that loads from outbrain.com. This morning’s hack allowed links provided by Outbrain to redirect to an offshore website.

Again, if a site you own or manage was affected by this hack, simply removing the service will resolve the issue. WordPress core files and services have not been affected.

Since the hack was first discovered this morning, the folks at Outbrain have addressed the system problem and are working to bring everything back online. You can check their Twitter feed for the very latest updates.

Filed under Tech News, Tech Tips

Discussing Chromecast At Last: This Week on K-TWIN


Nerdery Tech Evangelist Ryan Carlson recapped the latest product from Google called Chromecast on Monday morning, July 29th for the Cane & Company morning show on K-TWIN radio. He talks about how Chromecast is the writing on the wall about a big shift in how people will be consuming their content and how the web could be impacted as a result.

Ryan reports on technology every Monday morning on K-TWIN radio (96.3 FM) at 7:45 AM.
