GitHub 推出軟體版的 U2F Authenticator (目前只有 macOS)

用軟體實做 U2F,目前是開發在 macOS 上:「Introducing Soft U2F, a software U2F authenticator for macOS」。

實在是不愛這種方式,由於是軟體式的,安全性低了不少... (機器被入侵後就都沒有防護了)

不過 U2F 是目前少數可以在 protocol 層抵抗 phishing 的方式,相較於一般 OTP 的方式還是得很注意網址,所以站在推廣的立場的確是希望能多一點人用...

Posted in Computer, Murmuring, Network, Security, Software, WWW | Tagged , , , , , , , , , | Leave a comment

Firefox Nightly 的 Stylo

Firefox 的 Nightly 納入 Stylo 了,一個用 Rust 開發的套件,可以將 Servo 的 CSS style system 整進 Gecko 內:「Stylo is ready for community testing on Nightly!」。

Stylo (a.k.a. Quantum CSS) will integrate Servo's CSS style system into Gecko, such that the style system code can be shared by Gecko and Servo.

Quantum CSS, aka Stylo, aims to integrate Servo’s parallelized CSS style system written in Rust into Gecko.

Mozilla 把愈來愈多的東西都改用 Rust 寫了...

Posted in Browser, Computer, CSS, Firefox, Murmuring, Network, Software, WWW | Tagged , , , , , , , , , , , | Leave a comment

在飯店裡攻擊企業的高階主管

算是為什麼企業要提供 Full Routing VPN 的一個攻擊管道的說明...

這篇介紹了在飯店裡透過 WiFi 攻擊企業的高階主管,想辦法塞木馬取得資訊,或是滲透進企業內部的網路:「Hackers are using hotel Wi-Fi to spy on guests, steal data」。

Those behind the campaign have continually evolved their tactics and malware payloads, blending phishing and social engineering with a complex Trojan, in order to conduct espionage on corporate research and development personnel, CEOs, and other high-ranking corporate officials.

有點介於 APT 與一般性的攻擊中間...

Posted in Computer, Murmuring, Network, Security, VPN | Tagged , , , , , , , , , , | Leave a comment

Adobe Flash 將在 2020 年 End of Life

Adobe 發出的公告,將在 2020 年中止所有對 Flash 的支援:「Flash & The Future of Interactive Content」。

Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats.

然後 GoogleMicrosoft 也來補刀講兩句話:「So long, and thanks for all the Flash」、「Saying goodbye to Flash in Chrome」、「The End of an Era – Next Steps for Adobe Flash」。

Posted in Browser, Computer, GoogleChrome, IE, Murmuring, Network, Security, Software, WWW | Tagged , , , , , , , , , , , , | Leave a comment

Telegram 使用 CDN 加速下載

Telegram 說明他們將會使用 CDN 加速:「More Speed and Security!」。

資料在 CDN 的節點上是加密的,金鑰需要透過 Telegram 的 key server 提供:

While these caching nodes are only used to temporarily store public media (imagine Telegram versions of superpopular YouTube hits), all data that goes through them is encrypted with a key unknown to the caching nodes. In other words, we treat these CDN caching nodes just like we treat your internet provider – they only ever get encrypted junk they can't decipher.

但這表示 Telegram 本身有能力解開這些資料?不知道這邊講的是什麼行為...

使用者如果選擇願意公開的話當然沒問題,但這種情況下也不需要 CDN 加密;而當使用者不願意公開時,應該是期望 Telegram 也無法解開這些資料?再來看看到底是怎麼樣的功能要上 CDN?

Posted in CDN, Computer, Murmuring, Network, Privacy, Security, Service, Software, WWW | Tagged , , , , , , , , , , , , , | 1 Comment

歡樂的 md5crypt 密碼...

作者寫了一篇關於以前在 WHOIS 記錄上看到一串 $1$ 開頭的 md5crypt 密碼 XDDD:「I mean, why not tell everyone our password hashes?」。

Now the fields are filtered but this is a reasonably recent change. Prior to July 2015 the hashed passwords were shown to anyone who whois’d the maintainer object and used md5 passwords. Which was nearly all of them in my experience.

Mntner:         DTAG-NIC
Descr:          Deutsche Telekom Internet Services NIC
Admin-c:        KK281-RIPE
Tech-c:         HI56-RIPE
Auth:           MD5-PW $1$KQ3NSRfS$/bcvLAz2BKyf5HF4VkPMh/
Mnt-by:         DTAG-NIC
Referral-by:    RIPE-DBM-MNT

不知道有沒有人去跑看看... XD

話說 md5crypt 已經被認為不安全 (當初的發明人 phk 也有出來建議大家換掉了:「Md5crypt Password scrambler is no longer considered safe by author」),從目前 Hashcat 的攻擊速度就可以看出來... 找個最近的例子來說,可以參考「8x Nvidia GTX 1080 Hashcat Benchmarks」這篇。

Hashtype: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5

Speed.Dev.#1.:  9918.1 kH/s (97.10ms)
Speed.Dev.#2.:  9830.1 kH/s (97.70ms)
Speed.Dev.#3.: 10017.4 kH/s (97.36ms)
Speed.Dev.#4.:  9986.5 kH/s (96.92ms)
Speed.Dev.#5.:  9976.8 kH/s (97.74ms)
Speed.Dev.#6.:  9889.2 kH/s (97.29ms)
Speed.Dev.#7.: 10010.5 kH/s (97.40ms)
Speed.Dev.#8.: 10083.0 kH/s (96.94ms)
Speed.Dev.#*.: 79711.6 kH/s

而隔壁的 bcrypt 對 Hashcat 的防禦性完全在不同等級:

Hashtype: bcrypt, Blowfish(OpenBSD)

Speed.Dev.#1.:    13094 H/s (47.51ms)
Speed.Dev.#2.:    13076 H/s (47.63ms)
Speed.Dev.#3.:    13292 H/s (46.88ms)
Speed.Dev.#4.:    13250 H/s (47.17ms)
Speed.Dev.#5.:    13296 H/s (46.86ms)
Speed.Dev.#6.:    13160 H/s (47.30ms)
Speed.Dev.#7.:    13260 H/s (46.98ms)
Speed.Dev.#8.:    13280 H/s (46.80ms)
Speed.Dev.#*.:   105.7 kH/s

直接相除是 754 倍左右。

以 85 個字元的組合計算 ([0-9A-Za-z] 62 個,特殊字元 22 個,加上空白 1 個),抗性多了 1.5 個字 (log85(754) 大約是 1.49)?如果以 62 個字元來看也有 1.6 個字,強了不少...

Posted in Computer, Murmuring, Network, Security | Tagged , , , , , , , , , , | Leave a comment

Ubuntu 下雙螢幕進入省電模式後再起不能的問題

Update:後來還是有狀況,這篇的方法沒有完全解決... 等找出解法後再回來更新。

前陣子把家裡的 Ubuntu 桌機多塞了一顆 Dell 的 P2317H,打直拿來看程式碼,大致上是沒什麼問題,不過螢幕進入省電模式後就再起不能... (NVIDIA 的顯卡,一顆接 DisplayPort,另外一顆接 HDMI)

後來找到這一串討論:「DP1.2 connected monitor cannot be turned on again with DPMS」。

這串討論裡官方的人有給不少方式,後來試到第二頁的發法,是在 /etc/modprobe.d/disable-nouveau.conf 裡設定一些參數,重開機後就解決了:

blacklist nouveau
options nouveau modeset=0

看起來是 nouveau 的關係,現在總算是可以比較正常的使用了... (還有不少眉眉角角的地方要再找方法解...)

Posted in Computer, Hardware, Linux, Murmuring, OS, Software | Tagged , , , , , , , | Leave a comment

對 Open Data 的攻擊手段

前陣子看到的「Membership Inference Attacks against Machine Learning Models」,裡面試著做到的攻擊手法:

[G]iven a data record and black-box access to a model, determine if the record was in the model's training dataset.

也就是拿到一組 Open Data 的存取權限,然後發展一套方法判斷某筆資料是否在裡面。而驗證攻擊的手法當然就是直接攻擊看效果:

We empirically evaluate our inference techniques on classification models trained by commercial "machine learning as a service" providers such as Google and Amazon. Using realistic datasets and classification tasks, including a hospital discharge dataset whose membership is sensitive from the privacy perspective, we show that these models can be vulnerable to membership inference attacks. We then investigate the factors that influence this leakage and evaluate mitigation strategies.

透過 NN 攻擊 NN,而目前的解法也不太好處理,但有做總是會讓精確度降低。論文裡提到了四種讓難度增加的方法:

  • Restrict the prediction vector to top k classes.
  • Coarsen precision of the prediction vector.
  • Increase entropy of the prediction vector.
  • Use regularization.

另外一個值得看的資料是 2006 年發生的「AOL search data leak」,當年資料被放出來後有真實的使用者被找出來,也是很轟動啊...

Posted in Computer, Murmuring, Privacy, Programming, Search Engine, Security | Tagged , , , , , , , , , , | 2 Comments

Apache Foundation 宣佈禁止使用 Facebook BSD+Patents 的軟體

在「RocksDB Integrations」這邊討論到 RocksDBFacebook 所使用的 Facebook BSD+Patents License。

不過因為 RocksDB 最近在換 license (從 Facebook BSD+Patents 換到 Apache License, Version 2.0),移除了 PATENTS 內的限制,需要看 PATENTS 的舊檔案可以在 PATENTS 這邊看到。

Chris Mattmann 正式發出決議禁用 Facebook BSD+Patents License。(參考最後)

另外也提到了 Facebook 是故意埋下這些限制:

Note also Roy's comment that he has discussed the matter with FB's counsel and the word is that the FB license is intentionally incompatible. It is hard to make the argument that it is compatible after hearing that. Pragmatically speaking, regardless of any semantic shaving being done, having a statement like that from the source of the license is very daunting. If they think it is incompatible, we need to not try to wheedle and convince ourselves it is not.

這個 license 之後應該會有更多挑戰...

Hi,

As some of you may know, recently the Facebook BSD+patents license has been
moved to Category X (https://www.apache.org/legal/resolved#category-x).
Please see LEGAL-303 [1] for a discussion of this. The license is also referred
to as the ROCKSDB license, even though Facebook BSD+patents is its more
industry standard name.

This has impacted some projects, to date based on LEGAL-303
and the detective work of Todd Lipcon:

Samza, Flink, Marmotta, Kafka and Bahir

(perhaps more)

Please take notice of the following policy:

o No new project, sub-project or codebase, which has not
  used Facebook BSD+patents licensed jars (or similar), are allowed to use
  them. In other words, if you haven't been using them, you
  aren't allowed to start. It is Cat-X.

o If you have been using it, and have done so in a *release*,
  you have a temporary exclusion from the Cat-X classification thru
  August 31, 2017. At that point in time, ANY and ALL usage
  of these Facebook BSD+patents licensed artifacts are DISALLOWED. You must
  either find a suitably licensed replacement, or do without.
  There will be NO exceptions.

o Any situation not covered by the above is an implicit
  DISALLOWAL of usage.

Also please note that in the 2nd situation (where a temporary
exclusion has been granted), you MUST ensure that NOTICE explicitly
notifies the end-user that a Facebook BSD+patents licensed artifact exists. They
may not be aware of it up to now, and that MUST be addressed.

If there are any questions, please ask on the legal-discuss@a.o
list.

Thanks.

Cheers,
Chris Mattmann
VP Legal Affairs

[1] https://issues.apache.org/jira/browse/LEGAL-303
Posted in Computer, Database, Library, Murmuring, Programming, Software | Tagged , , , , , , , , , | 1 Comment

Amazon Route 53 將會加緊支援 DNS CAA

看到 Amazon Route 53 要支援 DNS CAA 的消息:「Announcement: Announcement: CAA Record Support Coming Soon」。

裡面有提到 CA/Browser Forum 的決議,要求各瀏覽器支援 DNS CAA:

On March 8, 2017, the Certification Authority and Browser Forum (CA/Browser Forum) mandated that by September 8, 2017, CA’s are expected to check for the presence of a CAA DNS record and, if present, refuse issuance of certificates unless they find themselves on the whitelist <https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/>.

DNS CAA 可以設定哪些 SSL certificate 可以發出你的證書,除了自己以外,也可以讓第三者比較容易確認是否有誤發的行為:

We have seen a lot of interest in Amazon Route 53 support for Certification Authority Authorization (CAA) records, which let you control which certificate authorities (CA) can issue certificates for your domain name.

Posted in AWS, Cloud, Computer, DNS, Murmuring, Network, Security | Tagged , , , , , , , , , , , , , | Leave a comment