LINUX Unplugged - Episode 186: AWS Loses Its ShIOT | LUP 186
Episode Date: March 1, 2017
The worst smart device hack we’ve ever heard of, dreams of the Pi Zero W, the AWS outage that savaged the Internet of Things & more! ...
Transcript
So it doesn't really fit in with the show, but does anybody have a way they've been impacted by this Amazon AWS outage that's going on right now?
As we record, AWS and its related services are down for many people.
Chairman's been talking about it for the whole show, pre-show.
I have my customers.
Who had customers? What happened?
I have a bunch of customers that use AWS to host their PBXs or dialers or CRMs.
Yeah, I think that happened to Ting. Ting was knocked off. Their call center was knocked offline for a bit.
They're still able to do web chat and email support.
Yeah, it's interesting. You can actually see, you know, 5,000 calls drop down to about 3,000 calls.
And you're just like, what just happened? Is it me? And find out AWS is down.
You realize how many customers depend on Amazon.
Yeah, every time this happens, I really am just sort of shocked at the massive dependence on Amazon.
It is the underlying infrastructure for a lot of the services I use.
I mean, just before the show started,
I was trying to get a screenshot for the show notes,
and I tried two different imaging sites that were offline because of AWS being down.
We get asked all the time why we don't host our switch
because our switch is all cloud-based and Amazon,
and this is why we actually have our own data centers
and our own cloud infrastructure we run ourselves because...
Really? Even though this only happens like once every year,
couple years, you still feel like it's worth it, huh?
So if your telecom went down once or twice a year because of this
or had problems routing to the customer...
Yeah, telecom, boy, that's a tough choice.
Yeah, you're right.
Telecom and medical, just the cost differential there is,
I've got to imagine, I mean, thousands and thousands of dollars a month
just for a data center.
Not really.
Shut your face.
I'm serious.
When you map it out for the amount of bandwidth,
I mean, we're talking 10-gig connections.
Sure.
You just, you just can't compare AWS. If I went to them and said, I want 30, or right now it takes about 30 to 40 images to run each site. I want 30 images and I want a 10-gig connection. It doesn't, you know, one to one, even buying a hard $40,000 worth of hardware every year.
Yeah. You know the, yeah going to –
Yeah, that does add up.
I agree.
That does make sense.
Hmm.
I wonder every time this happens, I think to myself, is this the time that people are going to start looking at other options?
You have to think too, like even just differentiating a bit.
So not going all crazy and just saying like no more Amazon.
I'm done with Amazon forever. But just saying, well, I'm going to put some backup resources on DigitalOcean,
or I'm going to put some additional storage on Scale Engine.
It just seems like this is, every time this happens, I have this conversation,
and everybody goes, mm-hmm, yep, yep, that's the way to do it.
Yep, yep, yep, mm-hmm.
And then another AWS outage happens, and here we are.
Nobody's done it.
This is Linux Unplugged, episode 186 for February 28, 2017.
Welcome to Linux Unplugged, your weekly Linux talk show that has so much breaking news this week, you might as well just call me Shep Smith.
My name is actually Chris.
Hey, Shep.
This is Wes.
Thanks, Wes. Thanks for going with it.
That's your new name now.
I kind of lost steam and then I realized if I go as Shep, do I have to try to do an accent?
Oh, yeah.
Maybe I'll spare everybody that then.
We do have a really great episode.
So much stuff has happened,
literally as we're recording today.
And I'm not even talking about the big AWS outage.
No, no.
No, we have big news stories on items and gadgets and projects
that we love.
Oh my.
Yeah, really.
And all of them are like
things that everybody's been buzzing about this week.
So we'll jump into that,
get those all banged out for you guys right away
so you'll get your veggies right up front.
Ooh, tasty.
Then we're going to reignite the debate.
Is swap on modern systems actually necessary?
I kind of felt like we had this settled
and then Red Hat released this big old document.
Red Hat weighs in with their official documentation and advisories.
Those guys.
Oh my goodness.
Then later on in the show, Telegram.
Some, perhaps, shenanigans afoot.
It looks like what was once promised to be open source may actually be closed up.
Now, they haven't said anything officially, but the tea leaves look bad.
We'll cover that if you're a Telegram user.
It's going to be relevant to your interest.
And then Noah warned us all,
but an internet-connected teddy bear
has leaked millions of voice messages and passwords.
We'll tell you what went wrong,
what the fundamental issue is
with this particular type of approach,
and the details,
and also the horribly awkward video
that walks users through setting up the worst security ever.
Oh, I'm excited.
And then, Wes, I think this might all just be for me.
So I hope the audience enjoys this.
But at the end of the show, we're going to have some fun with GStreamer.
I recently just went on a big GStreamer purge on my main Arch box.
Get it out of here.
It was given.
I'll talk about the problems it's causing.
I'll talk about how you can fix it if you're having your GStreamer woes on Arch right now.
And then Wes has been playing around with some really cool stuff powered by GStreamer,
which maybe, maybe will make me kick that dirty old FFmpeg to the curb.
I'm kidding.
I love FFmpeg.
Everyone does.
All right.
Before we get into all of our breaking news, let's bring in that mumble room.
Time appropriate greetings, mumble room.
Hello.
Woo.
Wow.
Yeah.
That's how you do it.
I like that.
Nice one.
That was really good.
All right, guys.
Let's start off with our breaking news.
This is the one that people have been talking about maybe almost number two in the chat room today.
It is the Raspberry Pi Zero W.
A $10 computer with Wi-Fi and Bluetooth built right in.
The Raspberry Pi Zero W.
The W signifies exactly what is new.
Wireless connectivity.
I thought it was for Wes.
I'm sorry, buddy.
One gigahertz single core Broadcom like the old one.
512 megabytes of RAM, a 40-pin header,
just like its predecessor, but it adds an 802.11n and Bluetooth 4.0 to the existing Zero design.
Now, that's pretty nice because the original Zero will stay cheap at $5.
And then the W, with its fancy Wi-Fi and Bluetooth, $10.
The Raspberry Pi Foundation is also offering a new injection-molded case,
and I got a picture of it here.
It does look really slick, actually.
Oh, yeah, look at that.
Yeah, so just to recap, the new features are a 1-gigabit single-core CPU,
512 megabytes of RAM, a mini-HDMI port, a micro-USB on-the-go port,
micro-USB power, HAT-compatible 40-pin header.
Is that hat?
Do you actually say it hat?
Is it pronounced hat?
I don't know.
Yeah, composite video and reset headers and a CSI camera connector, as well as now 802.11n,
wireless LAN, and Bluetooth 4.0.
And then, of course, the official case to accompany it.
That is really great.
This is, for me, I've been recently
discussing with Mr. Michael Dominick on the Coder Radio program about different use cases for
embedded devices like this. And I've come up with a few that just require something really simple
that could connect to a couple of sensors, have a web server, and this could be perfect for what
I have in mind. I'm really tempted to order one even though I don't actually have the use case yet.
Yeah, right. Totally.
I'm wondering if I just find it.
For $10, what's the harm?
And then you have it when you have a spare Saturday or something.
Not that that ever happens.
But if you do, you can actually work on it.
True.
And Mr. Go-Go in the chat room points out that this is great for digital signage.
Oh, yeah.
I can think of a lot of things where it's less work.
You can put it on Wi-Fi, put it somewhere, and just be done.
They rolled out new distributors, too.
So it sounds like there's actual availability for this, which is nice.
Remember how it used to be different?
Yeah.
They've really kind of gotten their act together when it comes to availability.
Like, you can get this stuff.
You don't have to, like, go to weird providers that you're uncomfortable giving them their credit card number.
And you're like, is this ever going to show up in my house?
Right.
Yeah, boy.
This is really great.
Anybody in the mumble room have any thoughts on this story before we move on?
Elf into the room.
The Pi 3 is getting Wi-Fi.
So is the Wi-Fi.
Oh.
So is the Pi 3 getting Wi-Fi finally?
That's.
Yeah.
If this was getting Wi-Fi, why does the Pi 3 not have Wi-Fi?
Maybe the update's coming soon.
Maybe the.
Ooh.
Rotten Corpse's Red Book prediction right there.
Good job.
Right at the end.
Mm-hmm.
Mm-hmm.
So everybody, mark it in your minds.
Episode 186, producer Michael says that the Raspberry Pi 3 update is imminent with Wi-Fi.
Bold prediction, sir.
All right.
So XMetal says that he agrees.
For $10, it's an order now, find use later device.
Not bad.
Not bad.
Pi 3 has Wi-Fi with Arch ARM, ChrisLAS.
Alright, there you go. Thanks.
Boom. Live updates from the chat room.
And this is the story that sort of had
me sort of sit back in my chair and go,
what is going on here? Like,
is this a bad sign?
Is this a good sign?
Mozilla has made its first
strategic acquisition and it's acquired
Pocket.
Now, Pocket is the read-it-later service that they bundled into Firefox.
It's some controversy.
Yes, definitely.
And when I first – my cynical take on this story when I first saw it was, well, this is Mozilla trying to save face.
They didn't want to back down.
They didn't want to pull it.
They probably had a contract in place.
Yeah, probably.
So this was their way of saving face.
But then I sort of rethought it a little bit.
And I actually think this could be a pretty clever purchase for them because Pocket has supposedly 10 million monthly active users.
10 million is not a – that's not a good number.
That's our peanuts.
That includes advertising deals, existing deals, premium subscriptions with credit cards attached, analytics for publishers.
It seems to me like that could be a good business for Mozilla to have for revenue generation.
Yeah.
And I'm certainly more comfortable with it as something under them as compared with this other party that may or may not share their values that they're working with. Yeah. And I'm certainly more comfortable with it as something under them as compared with this other party that may or may not share their values that they're working with.
Yeah. And Mozilla says they're going to open source the bits and pieces.
They say that it's going to run as a wholly owned subsidiary of the Mozilla Corporation.
So they're going to – and they'll continue at least for the next year to run things sort of as they have been, as they are.
I used to use Pocket.
Yeah.
For a while.
I mean, it was a fine service.
It's a good, you know, the read it later functionality is good to have.
Yes, and I enjoy their, they do pretty good little, like,
translations for easy reading, mobile view or whatever.
You know, I wonder, W.W.,
do you have any thoughts on this before I get into the Verge coverage specifically?
I'm hoping that this is a way to mitigate any kind of Yahoo buyout that could possibly be taking place. So we'll, we'll, we'll see, because I know Firefox has a clause to get out if they don't agree. So this may be a way to diversify and, you know, have more cash flow if they need to.
What do you mean buy out from Yahoo?
Yahoo has been long in talks of being bought out, and since Firefox is primarily dependent upon them for cash flow and, yeah.
Verizon be buying Yahoo.
It sounded like you were saying Yahoo was buying
Firefox or Mozilla.
No, no, no.
Now here's what I want to just really – because this has been – this is a trend that I've been noticing from The Verge recently.
We covered it a couple of weeks ago too.
There are routine jabs at open source anything in The Verge coverage.
So this is from Casey Newton, at Casey Newton on Twitter,
posted at the Verge. And here's a couple of things that I highlighted in the article that felt like
they didn't need to be there and just simply are there to attack and disparage Mozilla.
And I'm trying to think of the motivation behind that, because even if you're a devout Chrome user
or Microsoft Edge user or Safari user, it benefits the web.
And it's pretty easy to understand how an open source browser that's always pushing
for web standards is beneficial to the entire web.
Even if it's not the browser for you.
Right.
Yeah.
And so either this is a super shallow technologist who doesn't properly understand the technology
they're writing about, or there's some sort of fanboy that is biased against open source,
and I see this a lot at The Verge.
So here's a piece, here's like a little paragraph.
Best known, speaking about Mozilla, for its Firefox web browser,
Mozilla has faltered in the mobile era,
spending years on its failed Firefox phone project
and waiting until 2016 to release
Firefox on iOS globally.
Meanwhile, the slow decline of
desktop web, which is just stated
as a fact, has made Mozilla's
broader future uncertain.
They have millions of
active users.
That is an
unfounded statement that is just speculation on the part of the author.
The author later writes, after talking about the purchase of Pocket, and unlike Mozilla's
existing mobile products, people seem to actually enjoy using Pocket.
The implication being that people don't enjoy using any of Mozilla's products.
And that's why they had to buy Pocket.
Because, you see, nobody likes to use Mozilla stuff according to this author.
And then he takes in a quote that kind of implies that by a Mozilla person.
It's – what was it?
Do you remember like a week or two ago we covered something else from The Verge that was taking just unnecessary pot shots at open source?
Yeah, what was it?
It's escaping me.
We'll have to check.
If anybody in the chat remembers, maybe mention it.
But I don't understand why this coverage has to be like this.
I mean there's parts of the article that are fine.
You just don't need to just report on it as a neutral reporting agency.
Especially the stinger like unlike Mozilla's existing mobile products, people seem to enjoy using it.
First of all, you're projecting people's enjoyment of Pocket versus Firefox.
And the two are so incomparable it is not even funny
because Firefox is competing, especially on iOS,
which is what this author is referring to.
Firefox is competing against the incumbent Safari,
which will always be the default web browser.
No other app can launch Firefox
unless the developer has specifically programmed their application
to send URL links to Firefox,
which is not ever going to be
in the default iOS system.
It's never going to be in any of Apple's apps, and it's never going to be in any of the trendy
apps either that are all in with Apple.
So it is such an unfair comparison to compare the usage of mobile Firefox on iOS to Pocket,
which is a completely different category of application, and it only competes with Safari's Read It Later service,
which has only been around for one iOS version and is lightly used.
It is such an incomprehensible comparison,
but yet this author, this author takes the time to draw the comparison.
After taking a shot at Firefox for failing in the mobile era,
which the mobile era would seem to imply the last eight years,
perhaps nine years.
So Firefox has been in a state of failure for nine years, according to this author.
And they waited.
They, quote, unquote, waited until 2016 to release Firefox on iOS, which is, guess what?
Shocker, everybody, not using the Gecko rendering engine.
It's not a real product. That's why
they waited, because they didn't want
to water down their brand. They didn't want to water
down their product. But eventually, they
bowed to the user base on iOS
and released something that sits around the WebKit
engine. Surprise,
surprise. Apple
didn't even allow you to make a separate browser
other than Safari for like five years.
Anyway. I actually think Chrome, for example, on iOS is pretty great.
It's pretty great.
So I can understand that you could say it's not a success on iOS,
but to compete against Safari and Chrome,
it's a ridiculous comparison to make it to the read it later service.
And I don't get why the Verge is like doing this more and more.
It seems odd to me because it's the two things that I find odd about and then we're going to wrap up on this topic.
It's odd to me that they're taking unnecessary pot shots perhaps just to fill out the article.
But then at the same time, why are the authors choosing to cover these subject materials that they appear to loathe in the first place. They're choosing to cover open source related stories,
but yet they apparently loathe it at the same time.
So they understand perhaps that there is some sort of demand
and they can get a certain click through threshold
by covering these news stories,
but yet they almost resent having to do it.
I hate this.
All right, there you go.
That's hopefully the only rant for this show. We'll see.
But geez, it just gets me fired up. The Verge these days.
Gets me fired up. You're on the Verge,
Verge. You're on the Verge.
So this has me excited.
AMD's Ryzen
really looks great.
I can't wait to see some people
posting Linux builds
based around this. And
there is something that I think is interesting to
note. If you're looking at pre-ordering, getting ready to do a new build, you're going to want to
run a distribution that'll have a newer version of Linux, version 4.10 specifically. Now, this
is posted by Michael Larrell over at Foronix, and he sets it up like this. Maybe I'm reading too much into this, but he says, I haven't received any communication
from AMD about any review samples or the like.
Okay.
I don't need to know that as the reader.
You don't need to communicate.
Guess what?
Jupiter Broadcasting has not been in communication with AMD about review samples.
They haven't offered to send us things.
Should I disclose that for every company that I haven't been in communication about?
That implies to me that he's been trying
and not getting the recognition that he thinks he deserves.
So then he goes on to say, after a comma,
so I'm not under any NDA for the upcoming AMD Ryzen launch on 2nd March.
And thankfully received some information from a reliable source this weekend
regarding Ryzen support Linux requirements.
Jeez, is he drunk when he wrote this?
Sorry, Michael, but jeez.
I mean, good on you if you were, actually.
So he says, here they are.
Like, because they are not working with me and giving me a review unit,
because they haven't given me a review unit, I haven't had to sign an NDA,
and because I don't have an NDA, I'm going to spill the beans on what I know.
But if you had given me a review unit and I had signed the NDA, I wouldn't be posting this right now is essentially what he's saying.
So is he saying that his news coverage can be bought simply with free product reviews?
Because, Michael, that's not really the message you want to send, man, as somebody who does product reviews.
So he goes on to say.
It kind of sounds like extortion.
Yeah, it does, right?
It's like public shaming a little bit.
Come on, dude.
So he says – but here's the good juicy bits.
You need Linux 4.10 because according to this trusted confidant, a good point for AMD testing and usage was 4.10.
So the Linux 4.11 cycle is going to have some updates.
But 4.10, I guess, has some code that AMD... I can't really decipher the hint, but
essentially it says if you're using Ubuntu 16.10,
if you want to go by this marker,
or 16.04.2,
so you're on the LTS, but you have the new
hardware enablement and all that jazz,
you'll have a good base state for AMD Ryzen.
So either, if you're going by the Ubuntu releases,
that's what you need to be in, or you just need to be
on a distro running kernel 4.10.
Easy peasy, right?
Easy peasy.
By the time the hardware ships, that'll be easier said than done.
I mean, wait, is that, it'll be, it'll actually, no, because if you've got 16.10, 16.04.2,
and you're on Fedora, I think 25, 26 is going to have kernel 4.10 soon by the time the product's
shipping.
So a lot of the, a lot of the major distros
are going to be close to 4.10 or on 4.10 if you're on a current distro. And hey, if you're like
chomping at the bit to buy the processor on release day, then just compile a new kernel,
you'll be fine. I kind of am. I'm not going to, but I am actually fairly impressed with what AMD
has to offer here. I think they've actually got a pretty good product that's going to be
really competitive in a way that AMD, in my personal opinion, has not been competitive to the i7 and i5.
I feel like we're at an inflection point where like things are kind of questionable for Intel.
They've had some slowness.
This is Intel's Firefox moment and this is AMD's Chrome moment.
Yeah.
It may not go that way at all, but it's interesting.
I kind of want it to because the competition in this space is critical for really competitive laptops and desktop PCs.
It can be high performance.
And Intel has – I mean they're really pushing like the die size and all of that.
I mean they've really done a lot of work there.
But at the same time, they just announced like the next couple of releases, there's not going to be a die size change.
If I'm correct, I'm not sure.
But it hasn't gone the way they expected.
And maybe a little kick in the arse might lube up the machinery there at Intel.
Anybody in the mumble room have thoughts on Ryzen before we move on?
Because I've seen a lot of people talking about it on the subreddit and the chat room.
So I've got to figure somebody in here has a thought on it.
I'm still waiting for actual benchmarks from like PCPer and other tech places that don't just do pure synthetic benchmarks before I decide.
I'm really excited for, you know, I'm hesitantly excited about the stuff I hear that I want real proof before I decide.
You know what?
Unfortunately, I can't provide any information because I received a review unit and I'm under NDA.
Such a tease.
Also, hey, you know, I could do some Ryzen parts, please.
I there is. You're right. I totally agree with you, W.W.
I haven't seen a lot of the non-synthetic stuff yet.
But what does give me sort of like a positive indicator is they're being really responsive to other reviewers besides Michael.
They are letting them get in and dig into the systems.
They're not doing the whole, oh, we can't talk about that yet.
We can't show you that yet.
And they're honestly like letting people get hands-on with the hardware in certain cases in a way that in the past they haven't.
They've been a little more hands-off, a little more distant.
And I think that's a good indicator.
Hopefully they've really got something exciting to show.
I hope so, Wes.
I hope so.
Speaking of things that are exciting, Linux Academy, linuxacademy.com slash unplugged.
Go there and sign up for a free seven-day trial and support this here show.
Do it.
Wes, what's the most important asset?
What's your most valuable asset?
It's your mind. Oh, I have
one of those. Yeah, you know what? I was just sitting here
thinking about this too, Wes. What if you go out into space
one day and you're out there for
years and years and years?
Your body would shrivel away.
Sure. Be like a jellyfish.
You'd still have your mind, right?
Yep.
Linuxacademy.com slash unplugged.
You go there, you sign up for a free seven-day trial, you enrich your mind.
You know what Jellyfish Wes is excited to learn about?
What's that?
Chef.
Oh, yeah. Very important in space.
And, you know, I'll tell you, especially when you've got a lot of systems to keep running.
Yep.
And they have been...
Like life support.
They've been partnering directly with Chef for a great new set of courses.
And you have instructor mentoring when you need it.
They've got labs to give you hands-on training.
They have a great community stacked full of Jupiter Broadcasting members.
Whether you're an experienced sysadmin or new to the world of Linux, Azure, and AWS, OpenStack, and DevOps,
a sharp skill set is an absolute necessity to succeed.
Meet Linux Academy, an online Linux and cloud training platform
that uses self-paced video courses
and hands-on labs
to give you real-world experience
for a wide range of skills.
Train for your certification,
learn the latest DevOps tools,
and grow your skill set to do better work.
Linux Academy is not just a video library.
Our scenario-based server labs and quiz system allow you to learn hands-on.
We also have full-time human instructors who answer questions and help you earn that certification or promotion at work.
We add new training every week, so you'll always be up to date on the latest tech.
Sysadmins of every experience level use Linux Academy to stay on the bleeding edge of the Linux ecosystem.
You should, too.
Yeah, that's legit right there.
That bleeding edge part is legit.
Even when I'm not out in the quote-unquote industry, I'm still hoping for that day that Elon comes on, knocks on my door, and says, I'd like to take you to Mars.
And I need your mind.
And I'm going to go invest in my mind at LinuxAcademy.com slash unplug.
Sign up for a free seven-day trial.
Dig around in there.
Even if you're busy, they have course schedulers that will work with your time frame.
They'll customize some work, customize some lessons.
And I think one of the other things you could probably dig into, even if you're like me,
I run my own business and I got three kids.
I understand that you can be busy.
But you know what's great is these nuggets, just little tiny bits of wisdom.
You jump in.
It's one topic.
You do a deep dive, and you're done.
In the time you could have watched a few silly videos on YouTube, you could learn something completely new about Linux.
LinuxAcademy.com.
Slash unplugged and a big thank you to Linux Academy for sponsoring the Unplugged program.
The debate rages on like disney franking.
Do we really need a swap partition on modern systems?
And I thought we'd kind of – here was my advice.
If you're on a desktop with lots of RAM, you probably don't.
If you're on a laptop and you want to hibernate, you probably do.
That was sort of my –
Those are the obvious kind of corner edge cases on the spectrum.
Yeah, yeah.
And then these guys, maybe you've heard of them over at this company called Red Hat.
I don't know if you're familiar with this.
This Red Hat company comes along.
Noobs, I think.
I think they compete with Canonical.
And they came in here and they said, well, ha, ha, ha.
Well, here's a couple of caveats.
They actually wrote this whole article telling you about how you should and why you should use Swap.
And then it says at the bottom, but can I run without swap, Red Hat?
Can I do it?
Is further tuning possible?
And Red Hat's official stance, systems without swap can make sense and are supported by Red Hat.
Just be sure the behavior of such a system under memory pressure is what you want in most environments.
A little bit of swap does make sense.
Yeah, I can see that.
Yeah, that's where I've kind of come at too.
So are you running swap on that system you're on right now?
I don't actually know.
That's a good question.
Let's, uh, yes.
So there you go.
There you go.
And I can do swap off.
I could do swap off right now,
and I think I'd be fine because
I've still got 3.6 gigabytes of RAM.
Nice.
Yeah.
But the reason why I actually wanted to link to this in the show notes for those of you at home is they've essentially done 1, 2, 3, 4, 5, 6, 7, 8, 9 or so, 8 bullet points, really 8, that tell you the parameters and where swap might or
might not work for you. And this one I thought was
interesting. If you design your applications to regularly use swap, make sure to use faster devices, like SSDs. Starting with Red Hat Enterprise 7.1, you can do swapon --discard, which can be used to send TRIM to SSD devices to discard the device contents on swapon.
Looks like some good tips there too. So I don't know, what do you think when you're building a system? Swap?
Yeah, I usually do. But I could see doing it on a desktop, but it would probably depend on, you know, maybe you do some tests if you feel adventurous. I could see, like, I wouldn't care here, you know, if, like, all right, well, the out-of-memory killer
comes by and kills my Chrome session,
which is probably one of the things, you know.
I'm generally not doing anything.
I habitually, you know, colon W and vim all the time.
So I'm not that worried about programs being killed
and things dying.
But say if you're like, you know, you're the beard
and you're working on editing the show.
Yeah, yeah.
It might be worth just a couple gigs of swap
to make sure that
that situation doesn't really happen.
One of the things I think about, too, is how fast certain types of storage you've gotten
now where you can get nearly a gigabit or 900 megabytes or even 300 megabytes of throughput.
Swap is a little less expensive than it used to be.
Somebody in the moment wanted to jump in with their thoughts on the swap.
You know, one of the things you could do, too, is you – go ahead.
I've never – okay, so ever since, like, elementary 12.04 and other, like, going to KDE Plasma,
I've never seen swap used on, like, the swap partition or swap file used at all.
Zero.
And I have never tweaked it.
And I'm like,
maybe you just don't have enough to do.
You're not working hard enough.
Yeah.
You're just not swapping.
Right.
The thing is,
it's like,
I'm going to be redoing my system really soon.
And I'm going to be putting an SSD in, and I want that to last me as long as I can for several different reasons. So I don't want to use swap on that drive if it's going to be wearing it out, causing problems. Or should I just be moving it? And I can never find an answer to any good swap, like, questions. Like, okay, is the double thing still valid? Like, double your RAM size, you know, there needs...
No, no, I don't think. It depends on what your RAM is. If you have like four gigs of RAM, maybe, but you can even get away with that. I would say like 100 what your RAM is until you get to like 16 or more, then you can just do half of that and just stay at eight.
Yeah, I actually just do like two gigs these days really.
And I'll tell you the only time I would do more is if I wanted to be able to hold the contents of RAM.
Right.
During hibernation or something like that.
I tell you, really, I have it mostly out of legacy.
I have it so that way – for me, it feels like it's my bumper in the bowling lane.
Yeah, sure.
If I go a little crazy, which I sometimes do, I'm not going to.
The GNOME desktop, and I haven't hit it with Plasma yet, but boy, is it crap when you run out of memory and you don't have swap.
It is not, especially if you're using Chrome.
It just is the most frustrating.
You're right in the middle of work.
Everything starts locking up.
Clicks are taking forever to get registered.
It becomes practically, everything starts timing out.
This tab's died, this tab's died, this tab's died.
This application's not responding.
It is a train wreck.
It's a dumpster fire.
So should we get an option where, you know, you hit that memory ceiling, instead of, like, out of memory killer, it just reboots?
You know what, and I, yeah, really, you know what I think is faster? You know, with an SSD, we have an option. It's called swap.
Isn't Ubuntu switching to swap files instead of a swap partition?
So this is another thing you can do, is instead of dedicating, like, a whole partition to it,
you could switch to a swap file,
which more and more distros are doing.
And it might make sense,
because then you have sort of the best of both worlds.
You don't necessarily lose a lot of hard drive space.
You make a swap file.
I'm not sure if you have to pre-allocate the space
with a swap file or not.
I don't know exactly how that works.
Okay, well, that definitely seems like that could be the way to go.
Yeah, that's what I use.
I don't know about hibernation with a swap file.
Good question.
No.
Popey in the chat room says no.
So that's sort of a bummer.
But on the desktop, it might be.
Well, he says no and yes.
Oh.
If only there was some sort of communication method we could use in which we could speak more clearly and rapidly.
I don't know. I don't think that's a thing.
Oh, okay. Wait, have you tried IRC?
Hmm.
Alright, so
that's something we'll have to leave a bit of.
I was hoping we could just finally stop talking about this,
but like with the disk defragging topic too,
it just keeps coming back.
There's a good chat, I mean a good
thread in the subreddit though
if you kind of want some guidelines to follow.
Do you have any other thoughts on it?
No, I think that's it.
All right.
All right.
Well, then, I suppose, without other people inputting, it is time to move on.
Wink, wink.
I think, isn't Popey like at Mobile World Congress or something right now?
What's going on right now?
The Canonical folks are over there doing all... there's an interview with Mark Schultz.
I hear they are in the mobile space sometimes.
From time to time.
Yeah, from time to time.
Now, we have a story coming up that – I don't know.
I don't want us to get all riled up because we got a lot of fans of Telegram in the audience.
So I know this is a big deal.
I know this can get people upset. So before we jump into the Telegram story, I want to talk about this 11-year-old flaw that has been patched, but I just want to put it out there so people know what's up.
A security researcher at Google found a use-after-free hole within Linux, speaking of memory usage.
This particular flaw is of interest because it appears to be situational.
It only showed up in kernels built with a certain configuration option, which was
CONFIG_IP_DCCP enabled. Unfortunately, many people, or I'm sorry, popular Linux distributions
have enabled this option by default. A new Linux update has since patched the vulnerability,
although the exploit is present in Linux kernels since 2005.
It uses heap spraying methods
to execute arbitrary code inside the kernel,
which allows the attacker to escalate permissions.
So you can think of it like this.
An attacker could hijack a low permissions account,
maybe a remote service that's listening
that has limited privileges,
like a database service or a web server,
you know, your NGINX user, something like that,
if there's a flaw in NGINX, or it just takes one other piece of software
that's perhaps on your system running in the background under a less privileged user,
or even your own user account on your desktop that is a standard user,
and maybe something happens inside the web browser,
the attacker can use your basic privileges of that account and then escalate from there.
That's, by very definition, a local escalation bug.
When you combine it with other types of attacks, it's sort of the island hopping approach that
you guys and we used to talk about in TechSnap.
And it is definitely worth patching, but you don't really have to worry because some distributions
don't really need to be patched.
Most distributions that do,
Debian 7, Debian 8, for example, have been fixed. Stretch and Sid have yet to be patched.
Only one version of SUSE is affected. And if you have SELinux, well, you can mitigate this
problem pretty much altogether. So it's not like it's a huge problem, but it's been around for 11
years, so it probably does by just the very nature impact a lot of people.
So I just wanted to give a little breaking news PSA update before we got into this whole Telegram thing because the Telegram thing is not exactly breaking news.
That kind of ends our breaking news section of the show.
And thanks, Shep, for stopping by.
I really – I've enjoyed Telegram for – I don't know, since it was an early, early beta stage.
It's a great chat application for collaborating with groups or individuals.
One of the things that I really appreciate is a very serviceable desktop Linux client.
They have great mobile clients, good bot support, lots of fun features like stupid stickers and whatnot.
And a big part of using Telegram is using it on mobile.
In fact, you have to have a freaking mobile number to even use it.
I hate that.
And this is where we run into a problem.
Essentially, it looks like Telegram for Android is essentially a closed-sourced application now.
According to the repository in the Telegram website,
the Android client is covered by the GPL license.
However, since early October 2016,
there has been many releases,
but no updates of the source code.
Everyone involved so far is pretty much not responding.
The original author hasn't responded,
the Telegram chat support doesn't respond.
The Twitter account doesn't respond to the questions.
Other individuals like the face of Telegram, the spokesperson of Telegram doesn't respond.
And there's really no other contact method for Telegram other than a physical mailing address.
Is it time to really start seriously considering Wire?
Does this concern you or is this... Wire or Signal, I guess.
You concerned about this at all?
I mean, it's very disheartening.
I have not investigated it very much.
I know like Telegram has never been like the perfect messenger, at least in my eyes.
I agree. We've talked about the problems before, but it has been that mix of, like, it's not stagnant like Hangouts and wrapped up in this...
You know, it does feel like stagnation is beginning to set in, because when I first picked it up, it was, like, changing all the time.
And it's always been very snappy, fast, supports file uploads very well, all those kinds of things, plus all the stickers and the fun.
Part of me is grateful that they haven't gone down the rabbit hole of video and audio and trying to be like all in all.
Another Snapchat clone.
Yeah, because, you know, focus on text chatting.
There's other applications that can do video and audio.
But I don't when I say stagnation at the same time, like there are still things about it that kind of bug me that I'm surprised they haven't fixed.
Like my my big my big one is freaking global status.
Allow me to set my status to DND for goodness sakes.
And the more things I have coming in Telegram, I have a bot that sends me something in Telegram.
I check it, but now all of a sudden I'm shown online
and I get 15 Telegrams.
Literally, that's what happens to me.
And if I could just go in there and say DND
for a little while and let me read through my Telegrams
and just catch up, it would just be very useful
for somebody like myself.
Those kinds of things are,
there are companies out there like Slack
who've really nailed DND.
Yes. I mean, it's like the best implementation
I have found. And Telegram could just wholesale
rip that off.
And they just don't.
Mr. Tunnell, you were going to say something.
Yes, I was going to say that Wire is already
a good alternative now
and it's even gotten better from a recent announcement.
What do you mean by good?
It's a good option because...
Like, how's the desktop app for Linux?
It's fine.
Is it better than Telegram?
Is it worse?
Does it do the audio and video stuff on the desktop?
Yes, it does.
It has the audio and video stuff.
And the video stuff is actually surprisingly well made.
I expect it to kind of underperform
because of the WebRTC approach,
but it's almost
flawless. Hey, it's got an app image.
I'm installing it right now. Are you?
They got an app image and they also got
a regular tar.
My hesitation here is
for example,
LinuxFest Northwest, just around the corner,
when everybody is working, everybody
we're working with has Telegram.
And it's not even just like our team.
It's people that we meet up with
or other people that are coming to LinuxFest
and all of a sudden we want to start coordinating with.
Everybody has Telegram.
And for a while it was in that spot, right?
It was like, hey, open source, yeah, not perfect.
They have their own crypto.
There's problems.
But it was that beautiful combination of functional,
we have people who use it,
and open source.
Interacting with a network, you can still build your
own client.
There's Qtgram on the desktop and others.
The protocols,
the APIs are open for
the client side, but
the server's never been open.
I'm not really surprised
that this is happening.
I'm more surprised that people are being bothered by it
rather than, you know, questioning, oh, this is happening.
Like, well, their server's also been proprietary the entire time.
True, and their encryption's weird and homebrew.
Yeah, exactly.
And no one's audited it because they've not allowed it to be audited.
There's Wire, though.
Like, Wire uses already audited encryption algorithms. They actually announced recently that they're going to be open sourcing their server, so they're going to be completely open source.
And they haven't set a license yet, but everything that you can check the license on is GPL.
Yeah, here's my problem.
This is me becoming more salty in my old age.
I've been around long enough to know that you can have the best technology
and still not succeed at all.
I mean look at Linux versus Windows for so many years.
Really what I feel like the issue is is user base.
It is user adoption and user base,
and it is simpler for people not to care,
and it is simpler for companies to slowly add the features
that their competitors have.
Telegram is so entrenched
that we really need almost to reboot this whole problem.
And I think Google is working on something called RCS messaging.
Are you familiar with RCS messaging, Wes?
No, I'm not.
Yeah, I'm not either.
But it's a messaging system that's designed to move beyond like SMS to take advantage of more modern cellular networks.
It's more of a standard.
Google is a big part behind it.
You can go to jibe.google.com.
RCS stands for Rich Communication Services.
And the idea is to standardize a way to have messaging across phones and across carriers that allow you to do things like high-resolution photos, videos, large files, group chat,
know when messages have been read.
You can make video calls.
And it's not like a Hangouts app.
It would be literally built into the text messaging application of all of the phones.
So it would be a new standard that carriers and other type of telcos could have.
And Google is, while not, like it's weird.
Google is like all in in some cases because they've got their management layer talking to the other management layers of carriers.
Like they've managed to convince Sprint and some other carriers outside the U.S. to take on RCS.
At the same time, they're not really pushing it very hard on a software front.
Now, they're going to be eventually, I suppose,
and they're going to update the Android messages client to be the RCS client for Android.
But I don't really understand how that plays into their greater messaging strategy
with Allo and Hangouts, and it's just very confusing.
But if the industry can sort this out, and Apple and Google and everybody in Microsoft and Android and everybody can – Samsung and get along with RCS, we may have something that's more sophisticated.
But you know it's not going to be encrypted like the way we need.
It's not going to be end-to-end.
It might be encrypted, but the carriers are going to have the keys, guaranteed.
We know how much we love those carriers.
So it could help the average user, but for us, like users that want something beyond that.
Wire has got a – I think we as a technical community are exceedingly bad at estimating how much of an uphill climb a company like Wire has because we look at it from – we weigh the technical merits heavier than we should because the average user doesn't even consider the technical merits.
They literally are not even a consideration in their decision process.
They are absolutely irrelevant to them.
But we can't get beyond it because we understand technically this is a superior thing and so we should be using this thing.
And yet the market continues to use things like Skype and Telegram and all the other messaging platforms.
I would really love to see people switch over to Wire.
I could see maybe a revolution taking over here at JB.
But I look at somebody like Noah.
He puts his entire life in Telegram.
I cannot describe to you. You just have to be around Noah and witness how Telegram is integrated with his task list, his to-do items, all of his family, all of his friends, all of his work.
Everything goes through Telegram.
When Noah has to take notes for a show, he sends it to himself in a Telegram message.
When Noah has to remember to do something for a client,
he sends it to himself in a Telegram message.
When somebody needs tech support from Noah,
he gets them to install Telegram first so they can chat.
I mean, so there are people out there.
That is quite the adoption.
Yeah.
Yeah, and then he's in like a dozen group chats.
I don't know how you manage that.
I think he's insane.
Yeah.
Well, we know that to be true.
All right.
Mumble room.
Any final thoughts before we move on from messaging?
Yeah.
I don't think Google is going to get the cellular carriers to switch over to a new standard in lieu of SMS in the back end because it would require such a massive hardware update.
They're going to have to do it over the IP side.
Yeah, well, I think that is exactly what the intent is.
SMS messaging, the way it is distributed and routed between carriers is very much a hack.
I don't know enough anymore, but it was explained to me by a friend of mine that works for a
carrier how crazy they have to set this up to get messaging to work between the different
carriers.
And it's out of bound messaging gateways and it's so limited.
Oh, yeah.
Monkey, you probably actually be kind of familiar with it.
Yeah.
I mean, do you want to expand on that at all?
Yeah.
I mean, the whole SMS craze.
I mean, even iPhone isn't using SMS anymore.
And, you know, we get subpoenas all the time for messaging in the back end.
It doesn't exist
because they were on an iPhone using the iMessenger, which doesn't use SMS. It uses
iMessenger, which is an IP-based solution. And so when you start having conversations with people,
yeah, I'm using SMS. No, you're not. You're using a third-party application, which is going over the
IP. And that's maybe coming up with new standard from Google's perspective is a good idea.
I just think it's a waste of time.
That kind of bums me out.
But maybe long-term, something like Wire can be something that at least a larger percentage of users adopt.
If you're thinking about ditching Telegram and trying out something like Signal or Wire or something else,
Facebook Messenger,
obviously.
This is a project that may be of interest to you.
It's the Telegram History Dump.
It backs up your Telegram chat logs.
It just kind of requires a few things to be installed, like the Telegram CLI client, which
is actually kind of cool.
Have you ever used that?
Yeah, it is cool.
One of the things that's creepy about it is it constantly logs who's in and out.
So you can constantly see who's coming on and offline if people turn that status on.
It supports incremental backups, which sounds pretty nice.
That is nice.
Wow.
And it has a separate YAML formatted configuration file.
So Popey could geek out on that all the time.
You know, I just need to get a snap of this.
Just need to snap it up.
Just need to snap it up.
Just got to snap it up.
Yeah.
So it's on GitHub.
So I'll just link to it in the show notes.
Or it's telegram-history-dump on the GitHub.
There you go, Wes.
So how's it going over there?
Pretty well.
Yeah?
Did you get your app image of Wire?
Yeah, I'm running.
At NoblePain on Wire.
Can I see what the UI looks like?
Do you mind sharing with the class?
I haven't.
Wow, that's quite the background over there on the side.
So it's, is it an electron app?
Why is your webcam on?
Oh, I was testing.
Oh, okay.
It's for later.
Oh, look at you, really?
Oh, yeah, that's going to be a fun demo.
We got to get moving, huh?
All right, well, I'll play with that after.
So you're playing with a bot right now in the wire?
Yeah, that was the first thing.
Auto the bot.
Hey, I'm Auto, a robot sent by Wire to talk
to you through the app. That's okay. Hi, Otto.
You know what? You know what?
I'm getting kind of excited about Wire. I'm getting kind
of excited. If you're thinking about
switching up the whole thing, maybe you're ready
to try messaging on a mobile device
and you're going to be using data. You're not
going to be using text messages. You're going to use something
like Wire or Telegram. Ting is such a
great carrier for you because if you don't use text
messages, you just don't pay for them.
It's so awesome. It's pay for what you
use wireless.
$6 for a line and then
your minutes, your messages, and your megabytes.
Add that up and that's pretty much
just what you pay. You go in there, they have
a, go to, do me a favor
actually, go to linux.ting.com.
Not only does that save you $25 either in service credits or off a device,
but it lets them know you heard about it here, which kind of keeps us on the air.
Anyways, you go to Linux.ting.com, click on What Would You Save?
And you can dig around on this chart and get a really good idea of what your Ting cost is going to be.
Your Ting cost.
Right now, I think even with the beard traveling,
even with the beard traveling, because he has a JB phone with him that's on Ting.
We have three lines, and his is one of them.
I mean, we have – gosh, maybe we actually have more than that now.
Now that I think about it, wow.
You know, it really doesn't up our nominal cost because I think our cost this month was like $45 or something.
And that's with – I think now we have four lines active all the time,
and we turn some lines on and off too.
So that's another nice thing about Ting.
You would have a hard time finding a plan for one person for that much.
I know.
Another carrier.
I know.
I know.
It's really great.
It's so nice too, especially like in a company where we're all kind of technical.
We're always on Wi-Fi all the time.
I also thought it was kind of nice that Ting did a blog post that kind of resonated with me: why buying last year's flagship phone is the smarter choice.
And I've been thinking too about people that have been emailing into the show about their phones, which we don't really talk about much on the show anymore, but I've been thinking that more and more.
Like the 5X, as that price point gets to where the 5X is at, you get something like the 5X directly from Google Play, you get Android updates.
In fact, unbelievably, you get more functionality with the 5X than you do with the 6P right now. I don't know if you know about this.
But yeah, if you're in the beta channel, the latest Android updates coming down to the 5X give you the gesture swipes that you can do on the fingerprint reader to, like, check notifications and stuff.
So you can, yeah, there's different finger gestures on the fingerprint reader
that will interact with your display, which is really nice when you're holding the phone in your hand
and the fingerprint reader's on the back.
You can just whoop.
It's very nice.
6P doesn't get it.
No fair.
The 5X gets it.
There's something to be said for that 5X.
It's a sturdy phone.
It's not metal.
That also means that when you drop it, it doesn't dent.
That's kind of nice.
It's a great price.
The back comes off.
You can replace the battery.
I don't know if you're supposed to do that, but I've done it.
It happened.
Don't question it.
I used to do it on my 5.
It's just kind of a nice sweet spot, because then you also get the updates directly from the Googs.
And you go over to Ting, you bring a device like that, you get it from the Play Store, you can put it on GSM or CDMA, so you get to take advantage of either one of Ting's networks.
And if you bring a device, you just get $25 in service credit.
And if you don't use a lot of text messages or mobile minutes or data, if you're on Wi-Fi, that $25 service credit would potentially get you for a couple of months.
It's ridiculous.
It's such a nice setup.
So check them out.
Go to linux.ting.com.
That lets them know you heard about it here and saves you some monies.
linux.ting.com.
How's that pixel working out?
Still pretty happy?
Yeah, actually I'm very happy with it.
Hmm.
Hmm.
Hmm.
Pretty nice.
Hmm.
It's not quite like I said it is now.
It's last year's.
The only thing that kind of makes me... I don't know.
What is it?
I don't know, man.
I just, you know, basically I've been on the iPhone.
It's fine. It's fine.
But every mobile operating system starts to get on my nerves after a while.
Yeah, that is...
This time around, I just haven't invested that much.
Like, I haven't super customized it.
I just use it for, like, core things. because I get that same point where I'm like, this is just not the platform for me.
Yeah, and it's interesting because I'm going further and deeper in.
Now it's like there is maybe a handful of applications that in the past I'd have to re-log into. And now it's probably a good solid 15 applications.
Like just an example, all my TP-Link power adapters, the DJI Phantom, the Amazon Echo, the Harmony Logitech remote that I have, the Wemo power adapters.
All of those, all of the information, all of the configuration for all of those stupid things is on this stupid phone.
And it makes switching harder and harder and harder.
You're bought in.
It almost makes me want to get out just because now they've tried to get me in.
Like I almost, a visceral response, I want to get out of here.
I want to get out of here.
But I should focus on more dramatic things.
These Internet of Things devices, they're not just part of a lock-in
system. They're not just
making me more dependent on apps.
They're also making us more vulnerable.
And there's one that's sort of like
the worst case scenario.
Because it affects the children.
And to set
up this product for you,
I'm going to play their commercial. It's called
Cloud Pets.
Saying goodbye can be hard.
The ones you love seem so far.
Now, staying in touch is easy and fun with Cloud Pets.
Just record a message.
Hope you had a good day at school.
I miss you.
And send to the cloud.
You know, let's stop right here.
Before we go any further, yes, this company was hacked.
All of their users' information was exposed online, including their actual conversations when they use this product.
What?
Full-fledged, not by one attacker, not by two, not by three, but by at least four separate attackers that can be identified, potentially more.
The company was notified not once, not twice, not three times,
four times the company was notified and they did nothing.
No password on their database.
Their Amazon Web Services was left wide open with public URLs for all of the files.
No.
Yeah.
So as we watch this, bear that in mind.
With CloudPets, just record a message.
Hope you had a good day at school.
I miss you. Let's stop right there. You know what
drives me crazy about this type of advertising?
The only time daddy is away from
his little girl is when he is
out at a hotel bringing
home the bacon and mommy and the little
girl are at home. This type of
advertising is so
basic. It's so insulting.
And this, already, this company's got me upset.
I hope you had a good day at school. I miss you. And send to the cloud. In just seconds,
it floats down to the app on your smart device, allowing you to send the message to the cloud pet.
I hope you had a good day at school. I miss you. It's a message you can hug.
If you didn't catch that, that message you can hug doesn't even
get sent directly to the bear.
They couldn't put a Raspberry Pi Zero
in this thing. You have to
separately, like... You have to, so the mom in the
background, of course, she's at home with the little girl
because dad's at home. She's the caring parent.
She has to download it on her
iPad and then upload it to this stupid
bear.
It's not even, it's amazing.
And then the little girl hugs the message out of the bear.
Now, squeeze puppy's paw to send one back.
Night, Daddy, I love you.
Night, Daddy, I love you.
CloudPets makes you feel like the ones you love are always near.
See you real soon.
The CloudPets app uses Bluetooth technology to send your messages.
Hi, this is Grandma. See you real soon.
In other words,
some parent or caretaker
has to be near the damn bear and constantly
uploading these files when they could
just play the message on
the iPad. Hi,
Grandma.
Hi, Grandma.
Whether you're all the way on the other side of the world.
I'll be home soon.
Now, this is the most insulting because it's a service member and he's all earnest and he's all sad.
And I'll be home soon.
And, of course, it's stereotypical white family, moms in the middle, two kids next to what looks like the fakest fireplace.
It's faker than my green screen fireplace.
And it's the perfect family, which is an impossible standard, which then service members look
at these types of advertising and they look at this impossible standard and they judge
themselves by this and go, oh, geez, we really don't have our shit together.
Again, this kind of basic advertising is so insulting.
To have then expose everybody's information is just...
Yes, you guys.
I'll be home soon.
Or very close by.
Good morning, sunshine.
Make sure you eat your breakfast.
Good morning, sunshine.
Make sure you eat your breakfast.
The last thing I want, a lecture to wait.
I know, I know.
So this is the really dirty details about this.
It is definitely the worst case scenario cloud device ever.
This is more than 2 million voice recordings exposed of children and their parents,
along with email addresses and passwords of over 820,000 user accounts.
Not only that, but CloudPets' data was also held for ransom.
The customer data was left unprotected from December 25th, 2016 to January 8th in a publicly available database that wasn't protected by any password or firewall.
The creator of I've Been Pwned said that its exposed data was accessed multiple times by many third parties, including hackers, who used and stole customer emails and hashed passwords from CloudPets' database.
In early January, cyber criminals were actively scanning the internet for badly configured Mongo databases.
And guess what?
CloudPets was one of them.
Their database was actually overwritten twice.
They didn't fix it then.
The toy maker was allegedly notified four times that its customer data was online and available for anyone to have their hands on.
Yet the data remained up for almost a week with evidence suggesting the data was stolen on multiple occasions.
CloudPets' blog has not been updated to reflect this.
In fact, it hasn't even been updated since 2015.
So if you're a CloudPets customer, you essentially have, unless you're listening to the show or reading these blogs, have no idea this has happened.
So can we hack them again, but get all the bears to spit out a security warning?
So it's kind of funny because AWS is out today, right?
And that's part of AWS is part of the story.
So you had the MongoDB database.
And that's where you got like the URLs and session IDs and user information.
But Spiral Toys, the parent company, used Amazon hosted services that required no authorization
to store any of the recordings or profile pictures or the children's names and the relations
to the parents and friends and family and pets and all of that.
This is like a worst case scenario Internet of Things hack.
And it's such a stupid product.
And the other problem is, not only is the company unresponsive,
but check out their tutorial video on getting started.
Hi, I'm Sybil, and this is Bentley.
Sybil looks like she is deeply,
and I'm just saying,
she looks like she's a deeply tortured woman.
I don't know what's going on,
but watch how Sybil tells us to set up a password.
Now watch this.
And your email.
You ready?
And choose a password.
Now watch this.
Q-W-E and good.
Q-W-E confirmed and good.
In their official tutorial video with Sybil, the tutorial host, they recommend a three-character password, QWE.
And in fact, tested by some security researchers, their application allows a single-digit password, if you so choose.
Well, I mean, the children, you know.
Got to think of the children.
Oh, this makes me sick.
And it's funny because we're recording this in the middle of an AWS outage.
And as part of this outage, people on Twitter are really going on and on about how their Internet of Things devices are not responding right now, which is just –
My bear is broken.
Yeah, because if this, then that.
It depends on AWS.
And if – it's just – it's incredible.
It is incredible that it is 2017 and a company like this exists where they just throw this crap online and don't bother securing it.
But what's to stop them? If they can get manufacturing that's crazy cheap, if they can take advantage of people's smart devices that have Wi-Fi and Bluetooth, they just have to throw together some web services.
It's a lot cheaper if you don't bother to secure your things properly. You don't have to even hire a sysadmin.
No, right? You know what? Put a Docker image up online. What's the big deal?
Pretty bad.
Pretty bad. Pretty bad.
So you think there's like a market niche
after this for like super secure
CloudBear? Because maybe we should go
into business. I don't like being
a
naysayer of all cloud things because you're looking at a man who is pretty satisfied with the Echo product.
I just today set up another smart thing.
You're a cloud child.
I've been using the Harmony remote with the Echo to turn my television and soundbar on and off since our last episode.
It's actually pretty great. I don't have any
idea where some of those remotes are right now. I think I just put them away in a
drawer. It's the best thing ever.
It is literally the best thing ever. When you sit
down on your couch and you bark at the Echo
to just turn on your television and it turns on the television
and the soundbar and the NVIDIA Shield,
mind-blowing. Great.
That's been fun. And today I put a heater on it.
I put a heater in the RV, so now I can just tell the Echo when to turn the heater on or off.
I'm cold.
I can actually tell this Echo to turn it off at the RV at home.
So before I leave, I can have the heater turn on, which saves power.
I don't have to leave it running all day.
But it's toasty warm when you get home.
So I don't want to be like this, all cloud, all innovative things.
I'm not all Noah on this.
I'm not all Alan Jude on this.
I have a middle ground where I think there's room for products that are well-maintained.
There's room for a product like the transactional update products from Canonical.
There's room for that kind of stuff.
But you see this, and it's just so disheartening.
In the majority, I feel like we're never going to get it right.
Yeah, right, and that's the thing.
It's like the more things we have like this, then the less faith we have in the entire marketplace.
And there's unfortunately not enough pressure
to make companies behave good.
And they can just disappear.
They sell a product and they disappear.
You got to do it right.
You got to do it right.
Go to digitalocean.com and do it right.
Use our promo code D-O-N-Plugged after you create an account
and you get a $10 credit.
Digitalocean.com.
Sign up.
Then use the promo code DLUnplugged.
Simple cloud hosting provider.
And they have, if you are totally a noob,
they have a fantastic, beautiful, easy-to-use interface.
And they have one-click deployments of systems that are updated.
They partner with upstream providers.
They make sure it's configured right.
And then they back it up with really clear,
really, really well-done documentation.
So you can deploy a system that is configured properly, that does get updated.
Or you can build it from scratch.
Go to digitalocean.com and try it.
One of the things I love about their web UI is the HTML5 console.
Not only is that just a handy feature to have,
but the way DigitalOcean has implemented it,
there is some quote-unquote power user features that you can take advantage of that really up the flexibility of a DigitalOcean droplet.
Try it out.
Use our promo code DL1plug.
They got data centers all over the world.
They got an API that will make you fall in love with the concept of APIs.
You're like, Chris, you always talk about APIs.
And I say, where the hell have you been?
Seriously, what?
Where have you been?
But if you want to see an API done well,
you go over to DigitalOcean.
They have an intuitive API.
They have utilities where you can just get right to work with it.
They have libraries and frameworks,
and they got everything up the wazoo.
I mean, they got a wazoo even for it.
It's incredible.
I actually, I don't know for sure,
but I suspect that their own tools,
like the interface to their website
and all of that shenanigans, must use the API.
It's so well done.
We use it every single day here at Jupiter Broadcasting for our DigitalOcean droplets.
We turn on the things and we turn off the things all day long using the API.
Even though their website's great, I don't even have to log in.
I do it with a bot in our IRC chat room.
You can deploy a new machine in seconds.
All of their systems use SSDs, from the $5 a month rig all the way up to the ones with gigabytes of RAM.
They have 40 gigabit connections coming into the hypervisor.
You can have team accounts.
They have highly available block storage, and the pricing is ridiculous.
For $0.03 an hour. And remember, we'll give you a $10 credit when you use the promo code DLUMPLUG.
For $0.03 an hour, 2 gigs of RAM, a 2-core processor, 40 gigabyte SSD, and 3 terabytes of transfer.
They've also just launched their new load balancer service, which is online and working right now.
And it makes you look like a boss.
Load balancers by DigitalOcean, integrated in with their control panel, $20 a month. Boo yeah.
Ridiculous. DigitalOcean.com.
Use our promo code DUNPLUGGED after you sign up.
And a big thank you to DigitalOcean for sponsoring the Unplugged program.
I like the idea of those coin machines.
You throw your coins in, they sort them and give you money back.
What about those, but you just get an AWS credit card?
You're like, hey, I took my change and now I've got servers.
I love it. So I've been grousing off the air for the last couple of weeks that the fine folks that package up GStreamer for Arch Linux move the old buggy unsupported GStreamer 0.10 into the AUR.
And that means every time I do an update, I'm sitting there trying to build GStreamer.
It makes my AUR updates take way longer.
On most of my systems, not all, but most of my system, it fails to build anyways.
Depending on your AUR client, sometimes that stops the entire update process.
It's a bad experience.
And if you've been running into this, and I've seen people grousing about it in our chat room,
check to see if anything actually depends on GStreamer 0.10 because it's old, it's buggy, it's unmaintained.
You might just want to uninstall all of it.
I have the uninstall command just to take it all out in the show notes if you do and you have yours or substitute your own package manager.
And after I did this purge, things were running much better in my updates, much smoother.
And it made me think about GStreamer a little bit as something that I've been following now for almost a decade, I think.
It has sort of a reputation as, well, that's how I watch videos on GNOME.
Why do I need GStreamer building in AUR?
It's that thing I use to watch my video.
But it actually has some pretty, pretty, as they say, dope functionality, Wes.
And I'm kind of curious about some of the playing you've done recently, because it sounds like you've been kicking things around using GStreamer and winning victories and impressing the ladies and showing friends how it's done.
Tell me all about it.
I was just kind of rekindled.
I've been playing with it maybe six months ago, eight months ago,
and I've been playing with it more recently.
It works just because it has first-class support for RTP and other things, so you can use it to receive media from, say, a SIP call.
Oh, really?
But it also does RTMP, which is something we do a lot here in the studio.
Yeah, we do. Yeah. In fact, that's how we... That's how we send our video stream up to DigitalOcean, from DigitalOcean to ScaleEngine and YouTube.
And it just impresses me.
Like, there are some issues.
We've seen some security things where, you know, like, hey, GStreamer runs and it supports these weird things, and then that can cause, you know, it's not well-tested or you have a bunch of, like, the bad set of plugins that aren't good quality.
But, and I'm also a big fan of FFmpeg,
but I love that it has this, like...
Server-side component to it.
Well, it has a server-side component,
and it has, like, this notion of pipelines,
which is very powerful and composable.
So, like, FFmpeg works great.
There's a lot of options,
but it's not quite as composable
or as clear, concise.
Well, it's more concise, but it's less, like...
GStreamer really has this,
much like a Unix command line model,
where you can just take different pieces, stick them together, build complex pipelines.
Hey, maybe you want to do like a video wall with four pictures up on a screen and a timestamp.
Yeah.
GStreamer does it all.
I have a graphic up on the screen that kind of attempts to illustrate this a little bit because you can have like one of the pipes could be to a media player.
The other pipe could be to a streaming server.
The other pipe could be to a real-time video editor, which is kind of a cool concept.
The other thing with the latest GStreamer, I think it's like 1.10 or something like that.
They support Microsoft Smooth Streaming.
Are you familiar with Smooth Streaming?
No, I'm not.
So this is interesting to anybody who's on sort of a crappy connection.
Smooth Streaming is adaptive bit rate in real time.
So as your connection goes up, it can stream a higher bit rate.
And it's not just bit rate.
It can also adapt resolution.
So it can change to an HD picture down, you know, way down to whatever you have support for.
And GStreamer has added support for that.
And that kind of got my attention because that's something I know that the live stream, they've been looking for that.
Scale Engine is working on that.
YouTube offers that somehow, but I think you have to manually choose it kind of.
Yeah, right.
That makes sense.
So this is interesting.
GStreamer is so much more.
It's kind of like – and boy, this is a risky comparison to make.
But it has elements of QuickTime.
People really commonly think of QuickTime as just that really shitty video player, especially on Windows.
I never really fought with it on Windows, but I've heard horror stories.
And it's just – that's like – that's the tip of the iceberg.
That's like the totem or the movie player on GNOME. The QuickTime plumbing and pipe system is what makes video editing on OS X better than pretty much all of the other platforms.
QuickTime and Core Animation and the accelerated graphics capabilities that plug into the QuickTime pipeline system are really the secret sauce of video editing and motion compositing and work like that on OS X, that if you don't use GStreamer on Linux, you have to cobble together with different libraries yourself, and each editor and each, or maybe Splendor, whatever, has to either find another stack, create their stack out of a collection of libraries, or use GStreamer.
Pretty much.
What kind of stuff were you streaming around with?
I was doing...
Screencasts or what?
Yeah, doing that. I've seen some projects that I've played with a little bit, like doing a video wall where you decompose a video into different segments and then send those each to a different computer attached, like a Pi attached to different TVs.
So are you streaming right now from this machine? Because I saw your webcam was on earlier.
It was earlier, but I can be.
What is going on over there?
So what are you using?
What software do you use on the desktop there to start the stream?
GStreamer.
Okay, so it's just a command line?
Yeah.
Boom.
And you just say GStreamer, grab my webcam.
Yeah.
And then send my webcam to?
Yeah, I have a URL if you want.
Oh, really?
Where do I find this URL?
All right.
Go to... We'll open up maybe MPV, because it'll be an RTMP stream.
All right. Oh, all right.
Let's do this right now.
Is it okay to put up on the...
You okay with the URL being public?
Yeah, it's just westpain.com.
Oh, look at you!
It was just a droplet that I had a DNS name for.
HTTP first?
RTMP.
Oh, right. Of course.
RTMP.
Wes dot...
Anything?
WesPain.com slash live slash test.
Slash live slash test.
Okay.
Let's see if it works.
All right.
Video stream discovered after having already parsed.
Oh, I like that.
I don't know what that means, but I like it.
Survey says.
Oh, some red.
Some red. Uh-oh.
Uh-oh.
Oh, there it is.
Hey, that's me.
There's Wes's face.
There it is.
We're in the dimly lit studio.
Yeah, we are.
But like at the same time, if I want, I could switch it to sending my desktop.
We could be sending this.
So does the desktop show up as a virtual camera or how does that...
Hold on.
I'm going to try lighting you.
Whoa, boom.
Whoops.
There we go.
So now you're lit.
Let's see if that looks better on the stream here.
Let's see what the delay is.
It looks like about...
It's probably...
And then I hit cancel because I was going to switch it.
Oh, okay.
Here, let's do this.
All right, this is fast.
Oh, boom, and it's down.
So it's about a seven-second, eight-second delay there.
Yeah.
And probably some of that is I'm doing a ton of things,
and this is doing H.264 conversion.
Yeah, yeah.
I believe you can get it to do the QuickSync
or other types of hardware offloading,
but I did not do that.
Do you have the IRC on this?
Yeah.
I'd be curious to see if you paste it with the command.
You don't have to put the whole URL for your server in there,
but I'd be curious to see what the command looks like
just so I can get an idea of how complicated that is
because that's pretty nice, Wes,
just to have that built into GStreamer right there.
Yeah.
Seems like someone can...
And I mean, you can do the same thing with FFmpeg.
There's a lot of overlap there.
So if that's your preferred tool, that's usually what I use.
But it's neat and exposes some options that you might not otherwise have.
And it makes it really neat to see.
Like you saw some of those diagrams there.
Like if you want to do like a whole bunch of multiplexing into one thing and then mux it and send it.
GStreamer is a nice tool.
I was just thinking about how I would have maybe used this back when I was working in IT.
And I could totally see setting up like a link on an intranet and I would say, at this time, let's go here and it would be a stream of my desktop and we could do like a tutorial or a walkthrough.
Yeah, totally.
Could you also, is it pretty straightforward to set up audio capture?
Yes. I don't have that working right now, but yes.
So that seems like another. So you could do like a headset. It'd be a really nice way to do like tutorials internally or something.
It really would. Oh, that's a great idea.
I might have to play more with that.
Way of the future.
Way of the future.
I'm going to look more into it because I'm curious about SmoothStream.
I mean, I know it's a Microsoft technology, but if it's something...
If it works well.
Yeah.
I mean, I really like the idea of...
Why not?
Why can't the player in the server talk and say, okay, this looks like what you can...
So it's like a first-rate support for what people do with, like, DASH or HLS.
Yes.
But without it just having to like actually switch.
I don't know exactly.
I don't know if exactly like with HLS it's kind of a hack, because what you essentially do is have all of these different bit rate streams and you encapsulate them in a playlist and then you throw them at somebody as fast as possible.
And it's possible to jump from one playlist stream to the other, but most clients don't get that right.
And it all depends on how good the client is.
If this is like you get one stream, and this is my understanding, because I was looking at how Flowsoft has this implemented, and the way they do it is it's one stream, and you connect to this stream, and it adjusts the resolution and bit rate in a range that they have set up for that stream.
So they predefine a range of what the smooth stream can fluctuate between, and then you just connect to that one URL.
Interesting.
Does sound like a nice client experience.
Yes. Could be a game changer. Maybe something we'll have to play with some more.
Game changer, as they say, Wes. Well, interesting. So where did you learn all these shenanigans about GStreamer?
You can find they have a GStreamer cheat sheet. There's a lot of blog posts. One thing I will say is the documentation could be improved.
There's a lot of stuff. There's a lot of documentation for that old 0.10 release.
So some things have changed.
There's different command line options, different parameters to the plugins.
Watch out for that.
But the 1.0, 1.10 version can pretty much do all the same stuff.
So you just have to tweak it a little bit.
Very nice. Very nice. Thanks, Wes.
Also, Mr. Go-Go in the chat room points out that the blog post about that teddy bear breach is really good, including more details about the company's response.
And I have that linked in the show notes.
If you want to read more and they have other videos that are also just as horrible, all of that's linked up in the show notes.
You can go check that out.
Go to jupiterbroadcasting.com and look for episode 186 of your Unplugged program.
Thank you for joining us.
You know, if you'd like to attend live,
head over to jblive.tv on a Tuesday.
When?
My friend, visit jupiterbroadcasting.com
slash calendar to get that converted to your local time.
And yes, you can participate in our virtual lug.
You just need a working microphone, a headset's preferred.
And Mumble, an open source chat client.
What?
Yep, you join our chat room, do bang mumble to get all the info.
Feedback: jupiterbroadcasting.com slash contact or linuxactionshow.reddit.com, a great place for stories.
To find more of Wes on the TechSNAP program.
Find more of me, youtube.com slash Chris Fisher. I'm going to have a behind the scenes edition of this year's show there.
See you next week!
So you know what's a real son of a bitch last week is I said Australia instead of Austria.
That's a real son of a bitch.
And I think the problem is that –
I think the same thing.
So it's fine.
It's fine.
I think in part the problem is that I'm probably dyslexic.
But I think the other thing is that I'm not – when I'm on the air, my primary focus isn't reading.
It's talking.
Yeah, right.
It's a different thing.
And it's talking about what I'm reading.
And it gets me more often than I'd like.
And then the other thing that compounds is we don't edit very heavily.
So it's not like I go back and edit for content.
Like if it was user error, I would probably have fixed that
because I did do that in user error.
You would have caught it, yeah.
But in this show, I'm like, no, it's live to tape.
Oh, man.
It gets me.
You know, the thing is, is then you also have to multiply it by volume because I do so many shows and I've been doing them for so long.
Like this just there's so many out there where I've done this.
You can't win.
I cannot win.
Nope.
I cannot.
Don't even try.
So as long as everybody sets their expectations, remembers that I am a simple man who can only do so many things.
The things he says, they'll probably start with the right letters.
And you know what else? You know what else?
It's theater of the mind.
It's Mad Libs podcasting, everybody.
And you know, it might be fun for the viewer. We'll just try to
make more mistakes and just see if you guys
can catch them. Watch out!