Posts tagged ‘code’

Four Principles To Improve Your Social Video Strategy

October 7, 2014 12:10 pm


Finding a way to unleash the power of video in social can be essential to your brand’s long-term success. In fact, according to Cisco, social video will account for 69% of consumer Internet traffic by
2017. However, cracking the code to video success on social networks can be mind-boggling: from allocating budgets to measuring results, to finding the right audience on the right platforms. So what
might be helpful for you to know before your next campaign? Here are some tips to help you win in one of the most competitive advertising landscapes.

Shellshock CVE-2014-6277 and CVE-2014-6278 Details Released

October 2, 2014 4:46 am


Yesterday, we released an article on Akamai’s security site detailing all of the CVE advisories now in circulation for Shellshock, and how they relate to Akamai’s mitigation strategies. At the time we published, details had not yet been released for two of the six advisories — CVE-2014-6277 and CVE-2014-6278.

Late yesterday, those details were finally released.

Here are the details as written on MITRE Corp.’s CVE site:

CVE-2014-6277: GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.

CVE-2014-6278: GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

Security researcher Michal Zalewski, author of “The Tangled Web: A Guide to Securing Modern Web Applications,” wrote about the latest advisories in his blog. A fuzzer he set up “spewed out a crash” illustrated by this snippet of code:

HTTP_COOKIE='() { x() { _; }; x() { _; } <<a; }’ bash -c :

That is part of the flaw outlined in -6277. Zalewski wrote:

The actual fault happens because of an attempt to copy here_doc_eof to a newly-allocated buffer using a C macro that expands to the following code:
strcpy(xmalloc(1 + strlen(redirect->here_doc_eof)), (redirect->here_doc_eof))

This appears to be exploitable in at least one way: if here_doc_eof is chosen by the attacker to point in the vicinity of the current stack pointer, the apparent contents of the string – and therefore its length – may change between stack-based calls to xmalloc() and strcpy() as a natural consequence of an attempt to pass parameters and create local variables. Such a mid-macro switch will result in an out-of-bounds write to the newly-allocated memory.

The fuzzer kept going, and, few hours later, isolated a test case that, after minimization, yielded code outlined in -6278. Zalewski wrote:

A sequence of nested $… statements within a redirect appears to cause the parser to bail out without properly resetting its state, and puts it in the mood for executing whatever comes next. The test case works as-is with bash 4.2 and 4.3, but not with more ancient releases; this is probably related to changes introduced few years ago in bash 4.2 patch level 12 (xparse_dolparen()), but I have not investigated if earlier versions are patently not vulnerable or simply require different syntax.

The CVE-2014-6278 payload allows straightforward “put-your-commands-here” remote code execution on systems that are protected only with the original patch – something that we were worried about for a while, and what prompted us to ask people to update again over the past few days.

Shellshock Update

October 1, 2014 1:59 pm

The Shellshock vulnerability, originally announced as one critical issue in bash that allowed an adversary to execute arbitrary code, has grown from one vulnerability to six in the last week. For background on Shellshock, we’ve collected an overview and list of the vulnerabilities; for some history on Akamai’s initial responses, read our original blog post.
Shellshock raised a lot of questions among our customers, peers, auditors, and prospects. This post addresses some of the most frequently asked questions, and provides an update on how Akamai is handling its operations during this industry-wide event.
Are Akamai production servers vulnerable? What is the status of Akamai mitigation?
Akamai’s HTTP and HTTPS edge servers never exposed any vulnerability to any of the six currently available CVEs, including the original ShellShock vulnerability. Our SSH services (including NetStorage) were vulnerable post-authentication, but we quickly converted those to use alternate shells. Akamai did not use bash in processing end-user requests on almost any service. We did use bash in other applications that support our operations and customers, such as our report generation tools. We switched shells immediately on all applications that had operated via bash and are deploying a new version of bash that disables function exporting.
Akamai’s Director of Adversarial Resilience, Eric Kobrin, released a patch for bash that disables the Shellshock-vulnerable export_function field. His code has aggregated additional upstream patches as available, meaning that if you enable function import using his code, the same behaviors and protections available from the HEAD of the bash git tree are also available. His patch is available for public review, use, and critique.
We do not believe at this time that there is any customer or end user exposure on Akamai systems as a result of Shellshock.
What about Akamai’s internal and non-production systems?
Akamai has a prioritized list of critical systems, integrated across production, testing, staging, and enterprise environments. Every identified critical system has had one or more of the following steps applied:
  • Verify that it the system/application is not using bash (if so, we disabled the vulnerable feature in bash or switched shells);
  • Test that the disabled feature/new shell operates seamlessly with the application (if not, we repeated with alternate shells);
  • Accept upstream patches for all software/applications where available (this is an ongoing process, as vendors provide updates to their patches); and
  • Review/Audit system/application performance to update non-administrative access and disable non-critical functions.
Can we detect if someone has attempted to exploit ShellShock? Has Akamai been attacked?
Because the ShellShock Vulnerability is a Remote Code Execution vulnerability at the command shell, there are many possible exploits available using the ShellShock vulnerability. Customers behind our Web Application Firewall (WAF) can enable our new custom rules to prevent exploits using legacy CGI systems and other application-level exploits. These WAF rules protect against exploits of four of the six current vulnerabilities, all that apply to our customers’ layer seven applications.
However, because ShellShock was likely present for decades in bash, we do not expect to be able to find definitive evidence — or lack thereof — of exploits.
There have been news reports indicating that Akamai was a target of a recent ShellShock-related BotNet attack. (See information about WopBot). Akamai did observe DDOS commands being sent to a IRC-controlled botnet to attack us, although the scale of the attack was insufficient to trigger an incident or need for remediation. Akamai was not compromised, nor were its customers inconvenienced. We receive numerous attacks on a daily basis with little or no impact to our customers or the services we provide.
Akamai’s Cloud Security Research team has published an analysis of some attack traffic that Akamai has seen across its customers for Shellshock. As the authors note in that article, the kinds of payloads being delivered using the ShellShock vulnerability have been incredibly creative, with Akamai’s researchers seeing more than 20,000 unique payloads. This creativity, coupled with the ease of the ShellShock vulnerability, is one of the many reasons that Akamai is keeping a close eye on all of the associated CVEs and continuing to update its systems and developing better protections for its customers, including custom WAF rules.
Where can I find updates on Akamai’s WAF rules?
Information about our WAF rules can be found on our security site.
How will Akamai communicate updates?
We will maintain this blog with interesting news from Akamai.
As the list of CVEs and implications of ShellShock expand, we do our best to only deliver verified information, sacrificing frequency of updates for accuracy.
Akamai is maintaining additional materials for the public on its security site at , including a running tally of the bash-related vulnerabilities.
If you have questions that aren’t addressed by one of these vehicles, please feel free to contact your account team.
Amazon Elastic Transcoder Now Supports Smooth Streaming

October 1, 2014 1:50 pm


Amazon Elastic
is a scalable, fully managed media (audio and video)
transcoding service that works on a cost-effective, pay-per-use
model. You don’t have to license or install any software, and you
can take advantage of transcoding presets for a variety of popular
output devices and formats, including H.264 and VP8 video and AAC,
MP3, and Vorbis audio formatted into MP4, WebM, MPEG2-TS, MP3, and
OGG packages. You can also generate segmented video files (and the
accompanying manifests) for HLS video streaming.

Earlier this year we improved Elastic Transcoder with an increase in the
level of parallelism and
support for captions.

Today we are adding support for
Smooth Streaming (one of
several types of
adaptive bitrate streaming)
over HTTP to platforms such as XBox, Windows Phone, and clients that make use of
Microsoft Silverlight players.
This technology improves the viewer experience by automatically switching to data streams of
higher and lower quality that are based on local network conditions and CPU utilization on the playback
device. In conjunction with Amazon CloudFront, you can now distribute high-quality audio and video
content to even more types of devices.

New Smooth Streaming Support
Adaptive bitrate streaming uses the information stored in
a manifest file to choose between alternate
renditions (at different bitrates) of the same content. Although
the specifics will vary, you can think of this as low, medium, and high
quality versions of the same source material. The content
is further segmented into blocks, each containing several seconds
(typically two to ten) of encoded content. For more information about
the adaptation process, you can read my recent blog post,

Amazon CloudFront Now Supports Microsoft Smooth Streaming

Each transcoding job that specifies Smooth Streaming as an output format generates
three or more files:

  • ISM — A manifest file that contains links to each rendition along
    with additional metadata.
  • ISMC — A client file that contains information about each rendition and
    each segment within each rendition.
  • ISMV — One or more movie
    files (sometimes known as Fragmented MP4).

The following diagram shows the relationship between the files:

Getting Started
If you are familiar with Elastic Transcoder and already have your
pipelines set up, you can choose the Smooth playlist format during the job
creation process. For more information, see
Creating a Job in Elastic Transcoder.
If you are new to Elastic Transcoder, see
Getting Started with Elastic Transcoder.

After you create an Elastic Transcoder job that produces the files that are needed for
Smooth Streaming, Elastic Transcoder will place the files in the designated Amazon Simple Storage Service (S3) bucket. You can use the
Smooth Streaming support built in to Amazon CloudFront (this is the simplest and best
option) or you can set up and run your own streaming server.

If you embed your video player in a web site that is hosted on a different domain from
the one that you use to host your files, you will need to create a
clientaccesspolicy.xml or
crossdomainpolicy.xml file, set it up to allow the appropriate level
of cross-domain access, and make it available at the root of your CloudFront distribution.
For more information about this process, see
On-Demand Smooth Streaming
. For more information about configuring Microsoft
Silverlight for cross-domain access, see
Making a Service
Available Across Domain Boundaries

Get a Smooth Start with Smooth Streaming
This powerful new Elastic Transcoder feature is available now and you can start using it today!


You can now tinker with the code of ‘Commander Keen’s’ lost episode

September 17, 2014 10:16 pm

Keen Dreams in DOS

It’s easy to indulge your Commander Keen nostalgia with most of the game series, but the “lost” Keen Dreams episode has proven elusive outside of less-than-official copies. As of now, though, you can do something about recreating those adventures through Tuberia — Javier Chavez and team have fulfilled a crowdfunding promise by publishing legal source code for Keen Dreams‘ original DOS version. If you want, you can now port the game to newer platforms and otherwise tweak the code to your heart’s content. Chavez and crew have yet to get their own ready-to-play edition going, but it’s already up for consideration on Steam Greenlight. Consider giving it a thumbs-up if you want to resume your fight against the spud soldiers.

[Image credit: Steve Hall, MobyGames]

Filed under: Gaming, Software


Via: Hacker News

Source: GitHub, Indiegogo

Search and Interact With Your Streaming Data Using the Kinesis Connector to Elasticsearch

September 11, 2014 11:08 am


My colleague
Rahul Patil
wrote a guest post to show you how to build an application that loads streaming data
from Kinesis into an Elasticsearch cluster in real-time.


The Amazon Kinesis team is excited to release the Kinesis connector to Elasticsearch!
Using the connector, developers can easily write an application that loads streaming data from Kinesis into an
Elasticsearch cluster in real-time and reliably at scale.

Elasticsearch is an open-source search and analytics engine. It
indexes structured and unstructured data in real-time.
Kibana is
Elasticsearch’s data visualization engine; it is used by dev-ops and
business analysts to setup interactive dashboards. Data in an
Elasticsearch cluster can also be accessed programmatically using
RESTful API or application SDKs. You can use the CloudFormation
template in our
sample to quickly create an
Elasticsearch cluster on Amazon Elastic Compute Cloud (EC2), fully managed by Auto Scaling.

Wiring Kinesis, Elasticsearch, and Kibana
Here’s a block diagram to help you see how the pieces fit together:

Using the new Kinesis Connector to Elasticsearch, you author an
application to consume data from Kinesis Stream and index the data
into an Elasticsearch cluster. You can transform, filter, and buffer
records before emitting them to Elasticsearch. You can also finely
tune Elasticsearch specific indexing operations to add fields like
time to live, version number,
type, and id on a per record
basis. The flow of records is as illustrated in the diagram below.

Note that you can also run the entire connector pipeline from within your Elasticsearch
cluster using River.

Getting Started
Your code has the following duties:

  1. Set application specific configurations.
  2. Create and configure a KinesisConnectorPipeline with a Transformer, a Filter, a Buffer, and an Emitter.
  3. Create a KinesisConnectorExecutor that runs the pipeline continuously.

All the above components come with a default implementation, which can easily be
replaced with your custom logic.

Configure the Connector Properties
The sample comes with a .properties file and a configurator. There are many settings and you can leave most
of them set to their default values. For example, the following settings will:

  1. Configure the connector to bulk load data into Elasticsearch only after you’ve
    collect at least 1000 records.
  2. Use the local Elasticsearch cluster endpoint for testing.
bufferRecordCountLimit = 1000
elasticSearchEndpoint = localhost

Implementing Pipeline Components
In order to wire the Transformer, Filter, Buffer, and Emitter, your
code must implement the IKinesisConnectorPipeline interface.

public class ElasticSearchPipeline implements

public IEmitter<ElasticSearchObject> getEmitter
    (KinesisConnectorConfiguration configuration) {
    return new ElasticSearchEmitter(configuration);

public IBuffer<String> getBuffer(
    KinesisConnectorConfiguration configuration) {
    return new BasicMemoryBuffer<String>(configuration);

public ITransformerBase <String, ElasticSearchObject> getTransformer 
    (KinesisConnectorConfiguration configuration) {
    return new StringToElasticSearchTransformer();

public IFilter<String> getFilter
    (KinesisConnectorConfiguration configuration) {
    return new AllPassFilter<String>();

The following snippet implements the abstract factory method, indicating the pipeline you wish to use:

public KinesisConnectorRecordProcessorFactory<String,ElasticSearchObject> 
    getKinesisConnectorRecordProcessorFactory() {
         return new KinesisConnectorRecordProcessorFactory<String, 
             ElasticSearchObject>(new ElasticSearchPipeline(), config);

Defining an Executor
The following snippet defines a pipeline where the incoming Kinesis records are strings and outgoing records are an

public class ElasticSearchExecutor extends 

The following snippet implements the main method, creates the Executor and starts running it:

public static void main(String[] args) {
    KinesisConnectorExecutor<String, ElasticSearchObject> executor 
        = new ElasticSearchExecutor(configFile);;

From here, make sure your
AWS Credentials are provided correctly. Setup the project dependencies using
ant setup. To run the app, use ant run and watch it go!
All of the code is on GitHub, so you can get
started immediately. Please post your questions and suggestions on the
Kinesis Forum.

Kinesis Client Library and Kinesis Connector Library

When we
launched Kinesis
in November of 2013, we also introduced the
Kinesis Client Library.

You can use the client library to build applications that
process streaming data. It will handle complex issues such as
load-balancing of streaming data, coordination of distributed
services, while adapting to changes in stream volume, all in a
fault-tolerant manner.

We know that many developers want to consume and process incoming
streams using a variety of other AWS and non-AWS services. In order
to meet this need, we released the
Kinesis Connector Library late
last year with support for Amazon DynamodB, Amazon Redshift, and
Amazon Simple Storage Service (S3). We then followed up that with a
Kinesis Storm Spout
EMR connector

earlier this year. Today we are expanding the
Kinesis Connector Library with support for Elasticsearch.

— Rahul

The Code Behind Our New Video Homepage

September 9, 2014 12:01 pm


We recently released a brand new homepage that includes a fullscreen video background with a single call-to-action to watch a fullscreen video.

On our previous homepage, we placed our product videos below the fold and mixed them in with lots of other content. For this new version, we really wanted to show off our product and put video front and center since it’s so important to us (as a video company).

In this post, we’re going to show how you can achieve the same fullscreen effect with your Wistia-hosted video, along with some considerations to be aware of for using a background video like this one.

The code for our homepage is pretty much like the code for any other webpage you’ve ever created. It’s a series of HTML elements layered on top of each other with a bit of Javascript magic. The homepage can be in three different states during a visitor’s visit.

When a visitor first loads the page, we try to load all the assets as quickly as possible. Since videos don’t load right away, we load the video thumbnail first so the visitor has something to see. A simple image file can load on the page more quickly than a full video embed. You can see an example of this in the diagram below. The green areas are transparent, so in this first state, the visitor cannot see the background video or the overlay video because the video thumbnail blocks their view. This gives us time to load the video and then move on to state two.

In state two, we switch the positions of the background video and video thumbnail. Once the video switches positions to be in front of the thumbnail, we start playing the video. This creates the effect that the video was just paused during loading. Without these two steps, our visitors would only see a white background until the video loads.

In state three, the visitor has clicked the play button, and we bring the overlay video to the front of the stack. This blocks the view of the text and play button and makes only the overlay video viewable. When the visitor exits the video, the page returns to state two.

Now that we’ve outlined the different states our page can be in, let’s talk about the code that you’ll need to make things happen.


If you are not comfortable with HTML, Javascript, and CSS, this next section will be confusing. Please seek the help of an experienced developer if you are having trouble.

### Wistia setup: configuring your embeds

To get started, you’ll need to create a new project in your Wistia account. Upload a video that has no sound for your background video. In the Controls section of Customize, enable “Autoplay video on page load”, with video behavior at the end set to “Loop the video”.

The second video you need is the overlay video, which will appear when your visitor clicks on the play button. The overlay video does not need any special customization.

The second task you’ll need to take care of in Wistia is making note of your video IDs. These video IDs will be needed in some of the steps below, and can be found in the following location:

Last, download the thumbnail for your background video and save it to the images folder. You can do that by clicking “Download” under the “Video Actions” menu on your video’s page in Wistia, and selecting the Image file. Your videos are now ready to be embedded in the page template. Next, we’ll add these videos to the HTML template so your visitors can view them.

### HTML: the basic container

If you want to make your life a little easier, the Github repository below holds the sample code you need to get this project going fast:

First, you’ll need a basic container to hold the two videos, text, and play button. I’ve laid it out very similarly to this:



The background video is contained within the `div` with the class “backgroundVideo”, and the video that takes over the screen in the popup is contained by the `div` with the class “overlayVideo”. To make this snippet work for your videos (instead of Wistia’s), you need to replace the sample video IDs with the video IDs that you took note of earlier. Look at the embed code for your videos to find the IDs you will need.

Last, add the normal Wistia embed Javascript, which will power the videos on your new page along with the Crop Fill plugin from Wistia Labs. Add the following lines to your code in the following position to allow the embeds to work:



As you can see, there isn’t really much to the HTML. Next, we’ll talk about the complex Javascript that controls the videos’ appearance on your site.

### Javascript: adding complex interactions

The Javascript is really what makes this background video effect possible, and it also adds some complexity to your project. I’ve made sure that the code is well-commented, but I’ll try to walk through each major piece in more depth here to demonstrate what’s going on.

The first thing you should notice is a set of 4 variables that you’ll need to change and define with your video IDs and the containers that hold those videos. The code snippet you need to change looks like this:

overlayVideo: ‘fji9juvptr’,
overlayVideoDiv: ‘#wistia_fji9juvptr’,
backgroundvideo: ‘z1ggfo8f86’,
backgroundideoDiv: ‘#wistia_z1ggfo8f86’,

With that change, you shouldn’t have to touch the rest of the Javascript unless you want to customize it for your use. Now that the simple stuff is out of the way, let’s start talking about what the rest of the Javascript is doing.

embedVideo: function()
var videoOptions = {};

// Add the crop fill plugin to the videoOptions
Wistia.obj.merge(videoOptions, {
plugin: {
cropFill: {
src: “//”

// Video in the background
wistiaEmbed = Wistia.embed(fullScreenVideo.backgroundvideo, videoOptions);
// Video to be shown in the overlay
overlayEmbed = Wistia.embed(fullScreenVideo.overlayVideo, videoOptions);

* We load the thumbnail in the background while we wait
* for the video to load and play. Once loaded, we pause, reset to
* frame zero, show the video then play it.
wistiaEmbed.bind(“play”, function(){
$(fullScreenVideo.backgroundideoDiv).css(‘visibility’, ‘visible’);;
return this.unbind;

The embedVideo function does a few different things that are important to this page. First, it sets up the videoOptions, which contains the Crop Fill plugin from Wistia Labs. This plugin will ensure that your video fills the window of the browser.

// Add the crop fill plugin to the videoOptions
Wistia.obj.merge(videoOptions, {
plugin: {
cropFill: {
src: “//”

Next, we initialize the two embeds that we have on the page, making sure to include the options we just defined with the Crop Fill plugin.

// Video in the background
wistiaEmbed = Wistia.embed(fullScreenVideo.backgroundvideo, videoOptions);
// Video to be shown in the overlay
overlayEmbed = Wistia.embed(fullScreenVideo.overlayVideo, videoOptions);

Last, we wait for the background video to be loaded and start playing. Since that video is behind the thumbnail image, we need to rearrange the divs so the video is playing. We do this by binding to the play action of the background video which is set to autoplay. When the video starts to play, we pause it, reset the frame to zero, make the video visible, and then play the video. If we don’t pause the video and reset it back to frame zero you would see a strange jerking motion when we switch to the video. Pausing the video will allow the visitor to not notice the switch from thumbnail to video because they are an exact match.

wistiaEmbed.bind(“play”, function(){
$(fullScreenVideo.backgroundideoDiv).css(‘visibility’, ‘visible’);;
return this.unbind;

The playVideo function is called when the visitor clicks on the play button. We make sure the video is visible and that it fills the browser window. After we check that the text and play button are hidden, we play the overlay video.

playVideo: function()
$(fullScreenVideo.overlayVideoDiv).css(“left”, 0).css(“visibility”, “visible”);
$(“#text”).css({ opacity: 0 });
$(“#ex”).css(“right”, 24);;

The exitVideo function does the exact opposite of the playVideo function. We pause the video, hide the video, and make the text and play button visible. Since we paused the video, it will start in the same place if the visitor decides to hit play again.

exitVideo: function()
$(fullScreenVideo.overlayVideoDiv).css(“left”, -3000).css(“visibility”, “hidden”);
$(“#ex”).css(“right”, -3000);
$(“#text”).css({ opacity: 1 });
overlayEmbed._keyBindingsActive = false;

The fixTextPosition function makes sure that the play button and text included in that container are centered vertically and horizontally on the page. We also have a hook later on that will bind this function to when the visitor resizes the page. This function is responsible for the video and play button always being centered in the window.

Overall, this Javascript takes care of a large number of tasks that really make the page come together. Now that the elements are in place that control how the videos work, we’ll focus on how the page is styled with CSS.

### CSS: styling

The CSS code is something you won’t have to change at all, unless you add some of your own text or adjust the IDs or classes of the divs.

The one thing you may have to change is the name of your background image. If you changed the file name, change the CSS located here:

.hello #main-image {
position: absolute;
top: 0;
left: 0;
z-index: 3;
background-image: url(../images/main.jpg);
background-repeat: no-repeat;
background-position: 50% 50%;
background-size: cover;

An important thing to remember is that we are putting divs on top of divs using positioning and z-indexes. That is where the diagram in the introduction comes into to play in understanding how those divs are being shuffled by the Javascript.

With the adjustments of this CSS, you should have a complete page that loads your videos.

### Considerations

Along the way, we have encountered a few different considerations and tricks that we wanted to bring to your attention to help make the experience for you and your visitors a great one.

#### Load time
Videos on the web don’t load immediately, so before the video plays, you need to load a still image of the first frame so viewers don’t encounter a white background while the video loads. This will create the illusion that the video is just paused while it renders.

#### Short background videos
When your visitor loads your page, the complete background video will be loaded from Wistia. If you are using a long and large background video, you will consume a large amount of bandwidth in your account. To decrease the amount of bandwidth each visitor consumes, select a video that is no longer than 30 seconds.

#### Prepare for cutoff
Always try to keep your main subjects within the middle 40% of the frame, as the areas in red below are sections that could be clipped. This will ensure that your video makes sense across a large variety of window sizes.

#### Mobile visitors
The implementation described here does *not* work with mobile devices like iPhones, Android devices, and iPads. Many mobile device manufacturers (like Apple) do not allow videos to autoplay, in order to help people maintain control over how much data they use on wireless data plans. For the Wistia site, we detect whether the viewer is using a mobile device and load a similar version of the page as a backup, using a static background image in place of the video. When a visitor clicks on the call to action, a Wistia popover embed is shown instead of the fullscreen video.

The code samples I shared above don’t include how to create a mobile fallback, since it depends on your codebase and how your application is built. Seek out the help of a developer if you want to try something similar!

#### Test, test, test
While video backgrounds can add a cool effect to your website, they may also distract from the end goal you have for your visitors.

If you have any calls to action on the pages with your new video background, please be sure to test them against a static non-video background page. The last thing you want to do is launch something that gets a lot of buzz but reduces the conversion rate or effectiveness of your page.

I’d also suggest testing the video background to see if different videos have different effects on your visitors. Just like any page on your website, you should always continue to tweak and test.

Background videos can add a unique touch to your website and put your product front and center for visitors. With the code samples and tips above, you should be on your way to creating a distinct experience for your visitors.

Have you seen anyone using a fullscreen or background video well lately? Share it with us in the comments!

Use AWS OpsWorks & Ruby to Build and Scale Simple Workflow Applications

September 8, 2014 1:28 pm


From time to time, one of my blog posts will describe a way to make use of two AWS products or services
together. Today I am going to go one better and show you how to bring the following trio of items in to play

All Together Now
With today’s launch, it is now even easier for you to build, host, and scale SWF applications in
Ruby. A new, dedicated layer in OpsWorks simplifies the deployment of workflows and activities written
in the AWS Flow Framework for Ruby. By combining AWS OpsWorks and SWF, you can easily set up a
worker fleet that runs in the cloud, scales automatically, and makes use of advanced Amazon Elastic Compute Cloud (EC2) features.

This new layer is accessible from the AWS Management Console. As part of this launch, we are also releasing
a new command-line utility called the runner. You can use this utility to test
your workflow locally before pushing it to the cloud. The runner uses information provided in a
new, JSON-based configuration file to register workflow and activity types, and
start the workers.

Console Support
A Ruby Flow layer can be added to any OpsWorks stack that is running version 11.10 (or newer)
of Chef. Simple add a new layer by choosing AWS Flow (Ruby) from the menu:

You can customize the layer if necessary (the defaults will work fine for most applications):

The layer will be created immediately and will include four Chef recipes that are specific
to Ruby Flow (the recipes are available on

The Runner
As part of today’s release we are including a new command-line utility,
aws-flow-ruby, also known as the runner. This utility
is used by AWS OpsWorks to run your workflow code. You can also use it to test your
SWF applications locally before you push them to the cloud.

The runner is configured using a JSON file that looks like this:

  "domains": [{
      "name": "BookingSample",
      "retention_in_days": 10

  "workflow_workers": [{
     "number_of_workers": 1,
     "domain": "BookingSample",
     "task_list": "workflow_tasklist"
  "activity_workers": [{
    "number_of_workers": 1,
    "domain": "BookingSample",
    "number_of_forks_per_worker": 5,
    "task_list": "activity_tasklist"

Go With the Flow
The new Ruby Flow layer type is available now and you can start using it today. To learn more
about it, take a look at the new OpsWorks section of the
AWS Flow Framework for Ruby User Guide.


How bfw Advertising Protects Its Web Apps

September 8, 2014 12:00 pm


By Cliff Turner, Sales Engineer, Alert Logic

bfw Advertising is a full service advertising agency with expertise in building websites. However, bfw Advertising does not have expertise in cloud or Web Application Firewall (WAF) technologies. In order to focus on its business, bfw Advertising turned to Rackspace Managed Cloud and Alert Logic.

The south Florida-based agency boasts a strong client list that spans industries from aerospace to healthcare to travel and more. It also has a strong interactive department that offers website design and development; and in-house Microsoft certified web developers to build websites, intranets, extranets, applications and more for multiple clients.

A Rackspace customer for years, bfw Advertising recently moved its infrastructure to the Rackspace Managed Cloud, to take advantage of new functionality and to reduce costs, while also remaining in a fully managed environment. Moving to the managed cloud gave bfw Advertising an opportunity to take a fresh look at security technology that could further protect its customers’ websites and applications.

Web Application Firewall (WAF) Basics

Since bfw Advertising hosts many of the websites and web applications it develops for clients, one of the first technologies that Rackspace suggested bfw Advertising evaluate to protect its clients was a Web Application Firewall (WAF). A WAF examines web traffic, looking for suspicious activity and filtering out bad traffic, based on rules set by the user or by the WAF itself, which learns normal website behavior over time and blocks abnormal behavior.

WAF Example – SQL Injection

To better understand how a WAF works, let’s look at a quick example. While there are countless ways to try to breach websites, according to the Open Web Application Security Project (OWASP), the most popular method is SQL injection. In a SQL injection attack, malicious SQL statements are inserted into an entry field to do something like dump the database contents if the attacker is looking to access the data or erase the data if the attacker is simply out to cause trouble.

Here’s an example where someone is using a shopping cart application to buy a new winter coat. In the entry boxes, the buyer selects their category and item and the web application would translate their selections into SQL code and make a database request.

The SQL code would go to the database looking something like this:

In a SQL injection, an attacker adds some malicious SQL code to the URL in hopes of finding a vulnerability that enables them to do some damage, like the example here of dropping a table from the database which would remove some information.

A WAF would stop that from happening by examining the URL request, and if it contains anything malicious (like the example above), the WAF would simply not pass the request on to the website.

Alert Logic Web Security Manager at bfw Advertising

A well-documented challenge with WAFs is tuning them. WAFs require expert tuning and management to be effective; otherwise, they can impact site availability by blocking legitimate traffic or are tuned down to a level where they are no longer effective. And to be a WAF tuning expert, you typically have to be an expert in web application, security and WAFs. So, to protect their clients’ web applications, bfw Advertising chose to work with Alert Logic Web Security Manager. Web Security Manager offered the WAF capabilities they needed, but even more important to bfw Advertising is that the Alert Logic WAF comes fully managed, so it could get the benefits of a WAF without having to become WAF experts themselves.

If you want to read more about bfw Advertising, you can read the case study on the Alert Logic website. To learn more about Alert Logic Web Security Manager, visit the Rackspace Marketplace.

Robin Williams gets the World of Warcraft tribute gamers asked for

September 7, 2014 1:57 pm

Robin Williams' genie character in the Warlords of Draenor beta

Blizzard promised gamers a tribute to the late, great Robin Williams in one of his favorite titles, World of Warcraft, and it looks like the studio has been quick to act on its word. Just days after Wowhead found hidden character code paying homage to the actor, that persona is live in the game. If you’re in the Warlords of Draenor expansion’s beta, you can visit an island with a familiar-looking lamp; rub it and a genie pops out flaunting his “infinite cosmic power,” directly referencing Williams’ beloved role in Aladdin.

Filed under: Gaming


Via: Washington Post

Source: Wowhead, WoW Insider

MySQL Cache Warming for Amazon RDS

September 3, 2014 3:19 pm


Among many other responsibilities, a relational database system must make efficient
use of main memory (RAM) for buffering and caching purposes. RAM is far faster and
easier to access than SSD or magnetic storage; a properly sized and tuned cache
or buffer pool can do wonders for database performance.

Today we are improving
Amazon RDS for MySQL with support
for InnoDB cache warming. When an Amazon RDS DB instance that is running MySQL is
shut down, it can now be configured to save the state of its buffer pool, for
later reloading when the instance starts up. The instance will be ready to
handle common queries in an efficient fashion, without the need for any
warm up.

This feature is supported for RDS DB instances that are running version
5.6 (or later) of MySQL. To enable it, simply set the
innodb_buffer_pool_dump_at_shutdown and
innodb_buffer_pool_load_at_startup parameters to 1 in the
parameter group for your DB instance.

Users of MySQL version 5.6.19 and later can manage the buffer pool using the
mysql.rds_innodb_buffer_pool_load_now, and
mysql.rds_innodb_buffer_pool_load_abort stored procedures.

Once enabled, the buffer pool will be saved as part of a normal
(orderly) shutdown of the DB instance. It will not be saved if the
instance does not shut down normally, such as during a failover. In
this case, MySQL will load whatever buffer pool is available when
the instance is restarted. This is harmless, but possibly less
efficient. Applications can call
procedure on a periodic basis if this potential innefficiency is a
cause for concern.

DB Instances launched or last rebooted before August 14, 2014, will
need to be rebooted to gain access to this new feature. However, no
action is required for DB Instances launched or rebooted on or after
August 14, 2014. To learn more, take a look at
InnoDB Cache Warming
in the Amazon RDS User Guide.


New Resources APIs for the AWS SDK for Java

August 28, 2014 1:20 pm


We are launching a preview of a new, resource-style API model for the AWS SDK for Java. I will summarize
the preview here, and refer you to the AWS Java Blog for full information!

The new resource-oriented APIs are designed to be easier to understand and simpler to use. It
obviates much of the request-response verbosity present in the existing model and presents a
view of AWS that is decidedly object-oriented. Instead of exposing all of the methods of the
service as part of a single class, the resource-style API includes multiple classes, each
of which represents a particular type of resource for the service. Each class includes the
methods needed to interact with the resource and with related resources of other types.
Code written to the new API will generally be shorter, cleaner, and easier to comprehend.

Here is the old-school way to retrieve an AWS Identity and Access Management (IAM) group using the
GetGroup function:

AmazonIdentityManagement iam = new AmazonIdentityManagementClient();

GetGroupRequest getGroupRequest = new GetGroupRequest("NeedNewKeys");
GetGroupResult getGroupResult = iam.getGroup(getGroupRequest);

And here is the new way:

IdentityManagement iam = ServiceBuilder.forService(IdentityManagement.class)

Group needNewKeys = iam.getGroup("NeedNewKeys");

The difference between the old and the new APIs becomes even more pronounced when more
complex operations are used. Compare the old-school code for marking an outdated
access key (oldKey) for an IAM user as inactive:

UpdateAccessKeyRequest updateAccessKeyRequest = new UpdateAccessKeyRequest()

With the new, streamlined code, the intent is a lot more obvious. There’s a lot less in the way
of setup code and the method is invoked on the object of interest instead of on the service:


The new API is being launched in preview mode with support for
Amazon Elastic Compute Cloud (EC2), AWS Identity and Access Management (IAM), and Amazon Glacier. We plan to introduce resource APIs for
other services and other AWS SDKs in the future.


PS – To learn more about Resource APIs, read the

full post on the AWS Java Development Blog

Video.js v4.7.0 – Built mostly by NEW contributors! Also Google chooses Video.js

August 6, 2014 11:42 am


We’re continuing to work hard on improving the contributor experience around the Video.js project and it’s paying off. Over half of the changelog is thanks to brand new contributors! Issues and pull requests are getting addressed faster than ever, and I was even allowed to give a talk at OSCON on some of the strategies we’re using. If you’re instersted in getting involved, join the #videojs IRC room or post an issue to let us know.

Google Chooses Video.js for Google Media Framework

Google recently announced a new framework for building video experiences and monetization. There are versions of the framework for native iOS and Android apps, and for the browser they chose to use Video.js. Check out their video.js plugin, and as it says in their announcement, “Stay tuned as well for a deeper dive into Video.js with IMA soon!”


In this release we’ve built the infrastructure for displaying text in other languages. Examples of text include error messages and text used for accessibility. This feature can extend to plugins as well.

Today you can include other languages by including the JSON translations object from the language you want with the player, like in this example for Spanish (es).

videojs.options.languages['es'] = { [translations object] }

You can find translations files in the lang folder of the project. We don’t have many translations yet, but we’re looking for translators if you’d like to help!

Multiple buffered regions

With HTML5 video you can skip ahead in the video and the browser will start downloading the part of the file needed for the new position, which is different from how Flash video works by default. Flash will download from the start to the end of the file so you can only skip ahead once it has download that part of the video.

In the HTML5 video API we’re given the buffered property which returns a list of time ranges that the browser has downloaded data for. Early on in HTML5 video, browsers only ever reported one time range, but now we have a direct view of what’s been downloaded.

In the newest version of the video.js skin you can see the specific regions.

We’ve kept it subtle so it’s not too big of a change. We’d love to hear your thoughts on it.

DASH Everywhere-ish

If you haven’t seen it yet, check out the post on Tom Johson’s work getting DASH supported in Video.js, using Flash or the new Media Source Extensions. MPEG-DASH is an adaptive streaming format that Netflix and YouTube are using to stream video to cutting-edge browsers. It has the potential to replace Apple’s HTTP Live Streaming format as the main format used for adaptive streaming.

Video.js on Conan!

Conan O’Brien’s TeamCoco site is using Video.js with a nicely customized skin and ads integration. Check it out!

New Skin by Cabin

The team at Cabin put together a simple and clean new skin for video.js.

New Plugins

A lot of great new plugins have been released!

  • videojs-ima: Easily integrate the Google IMA SDK into Video.js to enable advertising on your video content.
  • videojs-brightcoveAnyaltics: Allow tracking of views/impressions & engagement data in videojs for Brightcove videos
  • videojs-logobrand: Add a logo/brand image to the player that appears/disappears with the controls. (also useful as a basic plugin template for learning how Video.JS plugins work.)
  • videojs-seek: Seeks to a specific time point specified by a query string parameter.
  • videojs-preroll: Simple preroll plugin that displays an advertisement before the main video
  • videojs-framebyframe: Adds buttons for stepping through a video frame by frame
  • videojs-loopbutton: Adds a loop button to the player
  • videojs-ABdm: Use CommentCoreLibrary to show comments (which is called as DanMu) during playing.
  • videojs-hotkeys: A plugin for Video.js that enables keyboard hotkeys when the player has focus.

New Release Schedule

As part of improving the contributor experience we’re moving to scheduled releases. We’ll now put out a release every other Tuesday as long as there’s new changes to release. This will help give everyone a better idea of when specific features and fixes will become available.

Full list from the change log

  • Added cross-browser isArray for cross-frame support. fixes #1195 (view)
  • Fixed support for webvtt chapters. Fixes #676. (view)
  • Fixed issues around webvtt cue time parsing. Fixed #877, fixed #183. (view)
  • Fixed an IE11 issue where clicking on the video wouldn’t show the controls (view)
  • Added a composer.json for PHP packages (view)
  • Exposed the vertical option for slider controls (view)
  • Fixed an error when disposing a tech using manual timeupdates (view)
  • Exported missing Player API methods (remainingTime, supportsFullScreen, enterFullWindow, exitFullWindow, preload) (view)
  • Added a base for running saucelabs tests from grunt (view)
  • Added additional browsers for saucelabs testing (view)
  • Added support for listening to multiple events through a types array (view)
  • Exported the vertical option for the volume slider (view)
  • Fixed Component trigger function arguments and docs (view)
  • Now copying all attributes from the original video tag to the generated video element (view)
  • Added files to be ignored in the bower.json (view)
  • Fixed an error that could happen if Flash was diposed before the ready callback was fired (view)
  • The up and down arrows can now be used to control sliders in addition to left and right (view)
  • Added a player.currentType() function to get the MIME type of the current source (view)
  • Fixed a potential conflict with other event listener shims (view)
  • Added support for multiple time ranges in the load progress bar (view)
  • Added vjs-waiting and vjs-seeking css classnames and updated the spinner to use them (view)
  • Now restoring the original video tag attributes on a tech change to support webkit-playsinline (view)
  • Fixed an issue where the user was unable to scroll/zoom page if touching the video (view)
  • Added “sliding” class for when slider is sliding to help with handle styling (view)


Discuss on Twitter | Discuss on Hacker News