Evidence for the Windows 10 urban legend…

Continuing from the previous post, "The Windows 10 urban legend…": setting aside what Microsoft's internal code actually looks like, and the real reason Windows 9 was skipped, open source projects really do contain quite a few places that detect Windows 95 and Windows 98 like this:

And there are all kinds of variants:

		} else if (osName.startsWith("Windows")) {
			if (osName.indexOf("9") != -1) {
				jvm = WINDOWS_9x;

What can one even say about this…

Posted in Computer, Joke, Murmuring, OS, Programming, Recreation, Software, Windows | 1 Comment

On the Shellshock (Bash) problem

Because Bash is used by so many people, the cost-benefit of finding a security hole in it is extremely high, so it looks like a lot of people will be diving into code review in the near future; a flood of CVEs should follow, much like what happened with OpenSSL.

For now my recommendation is to read the Wikipedia entry directly: "Shellshock (software bug)", which lists the CVEs found so far along with the attack vectors.

It will make administrators want to hold their heads and cry: endless patching…

Posted in Computer, Murmuring, Network, Security, Software | 1 Comment

WordPress security information

From "WPScan Vulnerability Database WordPress Security Resource" I found the "WPScan Vulnerability Database" site, which directly lists security vulnerabilities related to WordPress.

The listed vulnerabilities cover WordPress itself as well as plugins and themes. But shouldn't WordPress remind you itself when an update is available?

So it seems the main use is checking for vulnerabilities that have never received an update?

Posted in Blog, Computer, Murmuring, Network, Security, Software | Leave a comment

The Windows 10 urban legend…

We'll probably only find out whether this is true when it gets declassified n years from now XDDD

Update: a pile of code written this way has already been found in open source projects: "Evidence for the Windows 10 urban legend…".

Posted in Computer, Joke, Murmuring, OS, Programming, Recreation, Software, Windows | 1 Comment

CloudFlare's expansion plan

CloudFlare's post "One More Thing: Keyless SSL and CloudFlare's Growing Network" describes CloudFlare's expansion plan; on the map, blue marks the existing locations and orange marks the planned ones:

Although they say they intend to complete the plan above within 12 months:

The map above shows all the locations where CloudFlare is actively working to turn up data centers over the next 12 months.

who knows how long it will actually take to set all these locations up, especially since the plan includes entering mainland China?

It also looks like Taiwan will get a location; I wonder where it will be placed… (and how the routing will go)

Posted in CDN, Cloud, Computer, Murmuring, Network, Security, WWW | Leave a comment

Amazon's Xen security update

Anyone renting a truckload of machines on AWS should have received reboot notices recently. No advisory number has been stated explicitly yet, but it looks like XSA-108, due to be published on 10/01: "EC2 Maintenance Update".

Meanwhile, the first comment on the Slashdot story "Amazon Forced To Reboot EC2 To Patch Bug In Xen" is brilliant:

It's funny for me to read that Amazon is notifying its users of an impending reboot.

I've been suffering with Azure for over a year now, and the only thing that's constant is rebooting….

My personal favorite Azure feature, is that SQL Azure randomly drops database connections by design.

Let that sink in for a while. You are actually required to program your application to expect failed database calls.

I've never seen such a horrible platform, or a less reliable database server…

What to say about this… For those using cloud services, yes, that is how you should design things; but a cloud provider should still keep its VMs stable… XDDD

Posted in AWS, Cloud, Computer, Murmuring, Network, Security, Software | 2 Comments

Backblaze again publishes hard drive reliability by brand…

At the start of this year (January) they published "Hard drive reliability by brand…", which stirred up some controversy; the latest installment came out in September: "Hard Drive Reliability Update – Sep 2014".

The grey portion is January's data; the other colours are September's. The post considers whether to switch to enterprise drives, but both evaluations answered no.

The first evaluation is cost: even taking a 15% failure rate for consumer drives with a three-year warranty and computing against a 0% failure rate for enterprise drives (which works out to a 10-year breakeven), the cost does not pay off:

Today on Amazon, a Seagate 3 TB "enterprise" drive costs $235 versus a Seagate 3 TB "desktop" drive costs $102. Most of the drives we get have a 3-year warranty, making failures a non-issue from a cost perspective for that period. However, even if there were no warranty, a 15% annual failure rate on the consumer "desktop" drive and a 0% failure rate on the "enterprise" drive, the breakeven would be 10 years, which is longer than we expect to even run the drives for.

What's more, the enterprise drives turned out to make essentially no difference:

The assumption that "enterprise" drives would work better than "consumer" drives has not been true in our tests. I analyzed both of these types of drives in our system and found that their failure rates in our environment were very similar — with the "consumer" drives actually being slightly more reliable.

Posted in Computer, Hardware, Murmuring | 1 Comment

Solving CAPTCHAs with Tesseract OCR

From "python 乌云账号暴力猜解工具" I came across the Tesseract OCR command line tool; it is far simpler than I expected…

The latest Tesseract OCR release is from 2012, so there is no need to add a PPA; on Ubuntu you can install version 3.02 directly with apt-get:

# apt-get install tesseract-ocr

Then just grab a CAPTCHA image and run it, like this one:

The output:

$ tesseract a.gif a
Tesseract Open Source OCR Engine v3.02 with Leptonica
$ cat a.txt
8308

The annoying part is that the default output file name gets .txt appended; otherwise you could simply pass /dev/stdout as the output name and be done with it…

Posted in Computer, Murmuring, Programming, Security, Software | 3 Comments

jQuery's official site appears to have been compromised…

It started with "jQuery.com Malware Attack Puts Privileged Enterprise IT Accounts at Risk": RiskIQ detected something abnormal on the official jQuery website, which was carrying malware. On inspection, the non-official domain jquery-cdn.com showed up in the site's HTML:

The domain was clearly brand-new:

   Domain Name: JQUERY-CDN.COM
   Registrar: NAMESILO, LLC
   Whois Server: whois.namesilo.com
   Referral URL: http://www.namesilo.com
   Name Server: NS1.DNSOWL.COM
   Name Server: NS2.DNSOWL.COM
   Name Server: NS3.DNSOWL.COM
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 18-sep-2014
   Creation Date: 18-sep-2014
   Expiration Date: 18-sep-2015

Through that domain the attack reached out and pulled the malicious code in.

After being notified by RiskIQ, the jQuery team also began investigating what had happened: "Was jquery.com Compromised?" and "Update on jQuery.com Compromises".

Judging by the official investigation there were several different waves of attack, so the story isn't over yet?
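A check of the kind that would surface an unexpected script host in a page's markup, as an added example that is not part of the original post or of RiskIQ's or jQuery's own tooling; the sample HTML is constructed, and the script path on jquery-cdn.com is a placeholder.

```shell
# Added example. Flags <script src=...> hosts in a page that are not on an
# allowlist, the kind of check that would have surfaced jquery-cdn.com in
# the jquery.com markup. SAMPLE_HTML is constructed, not real jquery.com
# markup; the script path on the unexpected host is a placeholder.
SAMPLE_HTML='<html><head>
<script src="//code.jquery.com/jquery-1.11.1.min.js"></script>
<script src="/js/site.js"></script>
<script type="text/javascript" src="http://jquery-cdn.com/PLACEHOLDER.js"></script>
</head></html>'

# Print one line per distinct script host that is not in the space-separated
# allowlist $2. Handles http://, https:// and protocol-relative (//host/...)
# URLs; relative paths such as /js/site.js are ignored.
unexpected_script_hosts() {
    html=$1
    allow=$2
    printf '%s\n' "$html" \
      | grep -o '<script[^>]*src="[^"]*"' \
      | grep -E 'src="(https?:)?//' \
      | sed -E 's#.*src="(https?:)?//([^/"]+).*#\2#' \
      | sort -u \
      | while read -r host; do
            case " $allow " in
                *" $host "*) ;;                 # expected host, skip
                *) printf '%s\n' "$host" ;;     # anything else is suspicious
            esac
        done
}

# Stand-alone run: only code.jquery.com is expected, so jquery-cdn.com is printed.
unexpected_script_hosts "$SAMPLE_HTML" "code.jquery.com"
```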

Posted in Computer, Murmuring, Network, Security, Software | Leave a comment

Bash remote code execution vulnerability

This leaves me speechless: a remote code execution vulnerability in Bash, CVE-2014-6271:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

The announcement can be seen on oss-sec: "Re: CVE-2014-6271: remote code execution through bash":

Debian and other GNU/Linux vendors plan to disclose a critical, remotely exploitable security vulnerability in bash this week, related to the processing of environment variables. Stephane Chazelas discovered it, and CVE-2014-6271 has been assigned to it.

It gets in through environment variables… Red Hat's "Bash specially-crafted environment variables code injection attack" also gives quite a few examples.

On Linux the most commonly used shell is still Bash, isn't it? (Though I have also seen quite a few people using Zsh…)
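Two defender-side checks for the mechanism the CVE text describes, as an added example that is not from the original post or from Red Hat's article: whether the local bash still executes the trailing string after an exported function definition, and a grep over constructed log lines for the same prefix arriving in a request header. It assumes a bash binary on PATH; the log lines are constructed.

```shell
# Added example. Two defender-side checks for CVE-2014-6271:
# 1) does the local bash still execute the trailing string after an
#    exported function definition?  2) do web server logs carry the same
#    marker?  The sample log lines below are constructed.

# Returns 0 if bash is patched, 1 if it executes the trailing string,
# 2 if no bash binary is on PATH to test.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || return 2
    # A patched bash imports x as a plain string; a vulnerable one parses
    # it as a function definition and runs the trailing echo at startup.
    out=$(env x='() { :;}; echo TRAILING_EXECUTED' bash -c 'echo probe' 2>/dev/null) || out=""
    case "$out" in
        *TRAILING_EXECUTED*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed Apache-style access log: one request carrying the function
# definition prefix in its User-Agent, one ordinary request.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

# Print the number of log lines containing the Bash function-definition
# prefix "() {", which every CVE-2014-6271 probe has to carry.
count_shellshock_probes() {
    printf '%s\n' "$1" | grep -c '() *{' || true
}

# Stand-alone run.
shellshock_status && rc=0 || rc=$?
case $rc in
    0) echo "bash: patched (trailing string ignored)" ;;
    1) echo "bash: VULNERABLE (trailing string executed)" ;;
    2) echo "bash: not found on PATH" ;;
esac
echo "suspicious requests in sample log: $(count_shellshock_probes "$SAMPLE_LOG")"
```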

And then I saw a very evil Google hack on Twitter:

Everyone can add site: themselves and go scanning…

Posted in Computer, Murmuring, Security, Software | 4 Comments