You might have noticed that changing your account password now requires you to re-enter your old one. This helps to prevent cross-site request forgery (CSRF). CSRF attacks are possible because a page on one origin may submit an HTML form to a site on a different origin, whether by script or by a user's click, without violating the browser's same-origin policy: that policy restricts reading the response, not sending the request. If you are signed in to the targeted site, the browser happily attaches your valid authentication cookie to the forged POST request, so the server cannot tell it apart from a request you made yourself. All this was pointed out to us during a security review of the Yaler relay and Web site. Of course, Yaler.net is not Facebook and the chances of such an attack are rather small. Still, we immediately fixed the vulnerability to keep access to your data and devices as safe as possible.
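To make the attack and the fix concrete, here is an added example written for this page; it is not Yaler's own code and the endpoint, user and cookie names in it are made up. It models a password-change handler twice: once trusting the session cookie alone, and once additionally requiring the current password, which a page on another origin cannot know. The simulated attack replays exactly what the browser does: it posts the attacker's hidden form together with the victim's session cookie.

```python
import hashlib
import hmac
import secrets


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256; a stand-in for whatever the real site uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class PasswordService:
    """Minimal model of a password-change endpoint (hypothetical, not Yaler's).
    Constructed state: one user 'alice' with password 'old-secret' and one
    live session cookie 'sess-abc'."""

    def __init__(self, require_old_password):
        self.require_old_password = require_old_password
        self.salt = secrets.token_bytes(16)
        self.users = {"alice": hash_password("old-secret", self.salt)}
        self.sessions = {"sess-abc": "alice"}   # cookie value -> user name

    def verify_login(self, user, password):
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(
            stored, hash_password(password, self.salt))

    def change_password(self, cookies, form):
        """Handles a POST to the (hypothetical) /account/password endpoint.

        The request arrives with whatever cookies the browser attached, which
        is exactly the problem: a form auto-submitted by a page on another
        origin carries the victim's session cookie too. Before the fix the
        handler trusted that cookie alone; after the fix it also demands the
        current password, which the attacking page cannot supply."""
        user = self.sessions.get(cookies.get("session"))
        if user is None:
            return False                      # not signed in
        if self.require_old_password:
            if not self.verify_login(user, form.get("old_password", "")):
                return False                  # forged or mistyped: reject
        self.users[user] = hash_password(form["new_password"], self.salt)
        return True


def simulate_csrf(require_old_password):
    """Replays the attack: the victim, signed in as alice, visits a page on
    another origin that auto-submits a hidden form to the password endpoint.
    Returns True if the attacker can now log in with the password they chose."""
    svc = PasswordService(require_old_password)
    victim_cookies = {"session": "sess-abc"}           # attached by the browser
    forged_form = {"new_password": "attacker-chosen"}  # attacker knows no old one
    svc.change_password(victim_cookies, forged_form)
    return svc.verify_login("alice", "attacker-chosen")


def simulate_legitimate_change():
    """The fix must not break the honest case: alice supplies her old password."""
    svc = PasswordService(require_old_password=True)
    ok = svc.change_password({"session": "sess-abc"},
                             {"old_password": "old-secret", "new_password": "fresh"})
    return ok and svc.verify_login("alice", "fresh")


if __name__ == "__main__":
    print("vulnerable handler, attacker wins:", simulate_csrf(False))          # True
    print("hardened handler, attacker wins:", simulate_csrf(True))             # False
    print("legitimate change still works:", simulate_legitimate_change())     # True
```

One caveat a practitioner would add: asking for the old password protects this one action because the attacker lacks a secret the form needs. Other state-changing endpoints that have no such natural secret need a per-session anti-CSRF token (or an equivalent origin check) for the same reason.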
Christine Perey, who founded Mobile Monday Switzerland, has started an Internet of Things meetup group in Zürich, IoT ZH. The first event was held in the context of MoMo in Bern and featured presentations by AutoID Labs, Swisscom, Ericsson, SilentSoft and Koubachi. This week's meetup in Zürich took place at ETH, and we were invited to give a presentation alongside Cuno Pfister, our boss at Oberon, and Simon Mayer of the Distributed Systems Group at ETH. With over forty attendees the turnout was quite nice for an informal meetup. We met old friends from various corners, made new contacts and had a good time. If you happen to be in the region make sure to sign up for future events – we'll definitely be there again.
The full source code of Yaler as it is running on our servers is now available at the project repository. In addition to the high performance of the previously published version, the new code supports clustering multiple relay instances, which is essential for scalability and high availability. Note that the current license only permits non-commercial use; however, we hope that this level of transparency strengthens trust in our hosted service and thus results in an advantage for you and your customers.
Vlad Trifa and Dom Guinard both recently finished their PhD. Their work at ETH Zürich, SAP Research and MIT helped to establish the Web of Things (WoT) as a proper field of research. We are honored that both reference Yaler in their theses.
Here is a quote from Dom's thesis (ellipses are mine):
Dealing with Firewalls and NATs
...This issue is not inherent to RFID readers but is a general issue when deploying WoT systems in the real-world and in particular in corporate environments.
A common practical solution to these problems is the use of the Reverse HTTP protocol where a service on the Internet acts as a public proxy for devices behind firewalls and/or NATs on a private network...
...As an example, the open-source Yaler project is providing a service implementing the Reverse HTTP protocol.
And an excerpt from Vlad's thesis:
Even though push solutions are known as more reactive, but less scalable, recent work has shown that Web push notifications on embedded devices are not only possible (for example Yaler uses ReverseHttp on Arduinos), but also present various advantages.
Thanks and congrats to both!
As big fans of the DIY movement's bottom-up approach to building the Internet of Things, we're glad to see that Yaler is mentioned in Mike Riley's forthcoming book published by the Pragmatic Programmers, Programming Your Home:
The projects in this book should work perfectly fine in a home local area network. However, obtaining sensor data outside of this local network is a challenge. How do you check on the status of something like a real-time temperature reading without going through the hassles of opening and forwarding ports on your router (not to mention the potential security risks that entails)?
Fortunately, several companies have begun to aggressively offer platforms accessible via simple web service API’s to help overcome these hassles. Three of these gaining momentum are Pachube, Exosite, and Yaler. Configuring and consuming their services is a fairly straight-forward process. I encourage you to visit these sites to learn more about how to incorporate their messaging capabilities into your own projects.
Take control of your home! Get this book.
To host a service on Amazon's EC2, you need an Amazon Machine Image (AMI). Either you create your own, or you simply pick one from the list of pre-configured images. In the past, our Yaler instances were hosted on the popular Alestic images, i.e. on the AMI of a third party provider. But lately Amazon announced the general availability of their own Amazon Linux AMI, which is
designed to provide a stable, secure, and high performance execution environment for applications running on Amazon EC2.
A core advantage in our case is the pre-installed Java runtime. The small footprint of the image is also a benefit: minimizing the number of non-critical packages reduces the attack surface and thus the exposure to potential security vulnerabilities. So we swiftly updated our automated deployment scripts to use the Amazon Linux AMI. The scripts allow us to start an entire new cluster in less than three minutes and let us provide you with a truly flexible service.
Yaler is now finally on Twitter, as @yaler. The name was unused but taken, so we had to enforce our trademark. Anyway – we'll use the account to keep you updated on the Yaler project and company and as an additional channel to communicate the status of our hosted service in the case of an unexpected outage.
Last week we were invited by swissnet4.biz, a local business group initiated by the charismatic Noldi Sieber, to give a short presentation on Yaler. Here are the slides.
Our friend Dom Guinard of the Web of Things Blog in an interview by Postscapes:
Personally, I'm always most inspired by meeting humble doers, actually building the IoT in the commercial world, rather than talking about it...
...platform-wise I was impressed by the folks at Sen.se, ioBridge (and their ThingSpeak platform), ThingWorx, Paraimpu or Yaler. They all contribute to make the IoT ecosystem grow significantly.
Read the interview.
Yaler™ is now an international trademark registered in the EU and US (WIPO No. 1085720 based on Swissreg No. 599392). This helps our customers to be sure they get the original and allows us to protect our intellectual property.
Yaler is a simple, open and scalable relay infrastructure enabling secure Web access to embedded systems behind a firewall or NAT. We started developing Yaler in late 2008 at Oberon microsystems and introduced it to the public at WoT 2010, the first international workshop on the Web of Things. Since then, Yaler has been released for non-commercial use with full source at http://yaler.org/.
From developing a Yaler-based product for an enterprise customer we learned that adding an Internet connection to a device can be disruptive for the company producing it. Web-enabling a device means that the device is now a representation of a service. And users judge the end-to-end experience rather than the individual device. If a device cannot be accessed, it simply does not work. This holds for the final product as much as for the first field trial. Therefore, providing a service with high availability becomes a core requirement from day one.
To help our customers face the challenge of providing a service that just works, we founded Yaler GmbH, spin-off number two of Oberon microsystems. The new company now owns and develops Yaler. And Yaler GmbH offers Yaler as an easy-to-integrate, hosted, pay-per-use service together with premium enterprise support. For inquiries, please contact me (tamberg@yaler.net) or visit http://yaler.net/.