Category Archives: Security
How to store passwords
This mainly follows the advice given in "Cryptographic Right Answers": Password handling: As soon as you receive a password, hash it using scrypt or PBKDF2 and erase the plaintext password from memory. Do NOT store users' passwords. Do NOT hash them with MD5. Use a real …
Please update your HP printer firmware…
HP has issued the security bulletin "HPSBPI02728 SSRT100692 rev.2 – Certain HP Printers and HP Digital Senders, Remote Firmware Update Enabled by Default". The printers listed in the bulletin have a security problem: they allow remote installation of unauthorized printer firmware, so an attacker can remotely install trojaned firmware: A potential security vulnerability has been identified with certain HP printers and HP digital senders. The vulnerability could be exploited remotely …
A few things to read if you want to write your own TOTP…
Collected here: HOTP: An HMAC-Based One-Time Password Algorithm; TOTP: Time-Based One-Time Password Algorithm; KeyUriFormat – google-authenticator – The format of URIs containing encoded keys – Two-step verification – Google Project Hosting. Anyone who has played with HMAC should find these documents easy to read… By default, TOTP is really just HMAC-SHA-1, then take the trailing 32 bits, convert them to a number and take 100000 …
Posted in Computer, Murmuring, Network, Programming, Security, Software Tagged authenticator, cpan, google, hotp, oath, otp, qrcode, totp
Firefox 11 will support the SPDY protocol
Firefox plans to support the SPDY protocol in version 11 (the current version is 8): "(SPDY) Implement SPDY protocol". Apart from Google's own Chrome browser, another major browser will finally support it… So besides Chrome and the Kindle Fire, Firefox now supports it too… But when will Apache and F5 support it… mod-spdy looks… uh…
Wikipedia now fully supports HTTPS (SSL)
Wikipedia announced on its official blog that all of its services support HTTPS (SSL): "Native HTTPS support enabled for all Wikimedia Foundation wikis". That means URLs like "https://zh.wikipedia.org/wiki/Wikipedia:首页" now work over HTTPS. Besides *.wikipedia.org, *.wikimedia.org is supported as well, so hosts such as upload.wikimedia.org can also use HTTPS: (image taken from File:Minori-Chihara-Animelo-Summer-Live-2011-08-27-21-41.jpg) Of course, some scripts still hardcode http; those should be fixed going forward…
How RSA Security was breached
In March this year, RSA Security was breached and the attackers obtained SecurID data, which could well lower the security of SecurID. This also led to the attack on Lockheed Martin. The official write-up "Anatomy of an Attack" mentions that "2011 Recruitment plan.xls", an Excel file, was used together with an Adobe Flash vulnerability (CVE-2011-0609) to break in, and that this was a 0-day attack (at the time). Antivirus experts kept trying to find that Excel file. After five months, the file sent to RSA Security in March was finally located; someone, possibly from EMC, had uploaded it to VirusTotal on 3/19 to scan it: "How we …
PHP long-term plan: deprecate ext/mysql in favor of pdo_mysql or mysqli
A long-term plan seen on Hacker News to deprecate ext/mysql: "deprecating ext/mysql". The main reason is security habits. Because ext/mysql does not support prepare and execute, the kind of functions that spare you from handling escaping yourself, anyone using ext/mysql has to handle escaping on their own, via mysql_escape_string or mysql_real_escape_string. And many books, to make things easy for beginners, give terrible examples such as: mysql_query("SELECT * FROM `user` WHERE `username` = '$username';"); with $username never checked first. According to the proposal, for now the documentation will only recommend switching to PDO or mysqli; nothing changes in current versions. Next is …
PuTTY 0.61
Yesterday I saw that PuTTY 0.61 is out: "PuTTY version 0.61 is released", the first new release in more than four years. Looking at the New features, one item struck me as quite interesting: On Windows: the Appearance panel now includes a checkbox to allow the selection of non-fixed-width fonts, which PuTTY will coerce into a fixed-width grid in its …
Here's an advertorial from John Doe…
I just received an email from John Doe (removed on request; material was gathered on location instead):
Posted in Computer, Murmuring, Network, Security, WWW Tagged conference, hitcon, security
WordPress plugin security problems
Seen on TechCrunch: WordPress.org is forcing all WordPress.org users (not WordPress.com) to reset their passwords: "WordPress.org Forces Password Resets Due To Compromised Plugins". The cause is that three plugins, AddThis, WPtouch and W3 Total Cache, had abnormal commits that inserted backdoor code. (Hit twice in one go.) Anyone who updated plugins in the last few days had better check right away… Ugh :/
