DynamoDB 也可以透過 VPC Endpoint 存取了

Posted on August 21, 2017 by Gea-Suan Lin

Amazon DynamoDB 也可以透過 VPC Endpoint 存取了:「New – VPC Endpoints for DynamoDB」。

這樣一來,除了 Amazon S3 可以在 private network 內存取外,DynamoDB 也可以直接存取了...

VPC Endpoint 主要是解決對於安全性與頻寬的需求,不過什麼時候會出一般性的 VPC Endpoint 啊,而非個別服務個別設計打洞...

Posted in AWS, Cloud, Computer, Murmuring, Network, Security, Service | Tagged , , , , , , , , , , , | Leave a comment

Debian 對 Reproducible Build 的討論

Posted on August 21, 2017 by Gea-Suan Lin

Debian 在討論 package 的可重製性:「debian-policy: Packages should be reproducible」。本來的討論其實還好,在 2017/08/12 的 DebConf17 後,看起來有一些人取得共識,於是討論熱了起來... 有興趣的人可以從 Message #107 開始看。

Debian 社群想做的事情是「給足夠的資訊以及 source code,就能產生出一模一樣的 binary package」,這樣就不需要盲目信任 Debian 官方。

Debian 官方的 Wiki 上有「ReproducibleBuilds Howto」可以參考,然後也看到「reproducible-builds.org」這個站。

Posted in Computer, Linux, Murmuring, OS, Security, Software | Tagged , , , , , | Leave a comment

透過 DMCA takedown notice 非法下掉 Easylist 內的過濾條件

Posted on August 17, 2017 by Gea-Suan Lin

參考「Ad blocking is under attack」這邊,有業主 functionalclam.com 透過 DMCA takedown notice 發信要求 Easylist 移除過濾條件 (參考「2017-08-02-LevenLabs.md」),對應的 commit 參考「M: Removed due to DMCA takedown request」) 這邊。

這件事情再次證實了 DMCA takedown notice 被濫用的情況,明明不是侵權的情況卻被拿來濫用 (因為對原提出者唯一的處罰必須過反過來提告,然後要得自己舉證因為這樣受損)。

目前看起來 EFF 願意介入,就來看看後續了。

Posted in Computer, Murmuring, Network, Social, Software, Spam, WWW | Tagged , , , , , , , , , , | Leave a comment

打數學式子的工具

Posted on August 17, 2017 by Gea-Suan Lin

看到 Mathcha 這個網站,除了可以輸入 TeX 的公式外,也有 WYSIWYG 的方式輸入,而最後可以輸出成各種格式 (包括 TeX),或是直接丟連結給其他人:

輸入的部份,對於不知道的符號葉可以用畫的 XD

然後網站上的標示寫沒有支援 IE 與 Edge,不知道是真得不支援還是沒列上去而已... XD

Posted in Computer, Murmuring, Network, Science, Service, Software, WWW | Tagged , , , , , , , , | Leave a comment

在 Git/Mercurial/Subversion 上 "-" 發生的問題

Posted on August 16, 2017 by Gea-Suan Lin

在「[ANNOUNCE] Git v2.14.1, v2.13.5, and others」這邊看到 - 開頭產生的問題:

These contain a security fix for CVE-2017-1000117, and are released in coordination with Subversion and Mercurial that share a similar issue. CVE-2017-9800 and CVE-2017-1000116 are assigned to these systems, respectively, for issues similar to it that are now addressed in their part of this coordinated release.

這算是老問題了,Git 對應的修正主要是朝 filter input 的方向修正,包括了禁用 - 開頭的 hostname,以及禁止 GIT_PROXY_COMMAND- 開頭,另外是禁止開頭是 - 的 repository name:

  • A "ssh://..." URL can result in a "ssh" command line with a hostname that begins with a dash "-", which would cause the "ssh" command to instead (mis)treat it as an option. This is now prevented by forbidding such a hostname (which should not impact any real-world usage).
  • Similarly, when GIT_PROXY_COMMAND is configured, the command is run with host and port that are parsed out from "ssh://..." URL; a poorly written GIT_PROXY_COMMAND could be tricked into treating a string that begins with a dash "-" as an option. This is now prevented by forbidding such a hostname and port number (again, which should not impact any real-world usage).
  • In the same spirit, a repository name that begins with a dash "-" is also forbidden now.

然後中華電信的 DNS server (168.95.1.1 & 168.95.192.1) 都查不到 marc.info,改用 Google 的 8.8.8.8 才查得到... =_=

Posted in Computer, Murmuring, Network, Security, Software | Tagged , , , , , , , , , , , , , | Leave a comment

Cloudflare 看這次 815 斷電的網路使用變化

Posted on August 16, 2017 by Gea-Suan Lin

Cloudflare 分析了這次 815 停電對網路造成的影響:「Power outage hits the island of Taiwan. Here’s what we learned.」。

以 Cloudflare 在是方機房的 QPS 來看,停電後反而沒有太大變化:

把裝置種類拆開來看,可以看到桌機的使用量下降,但手機的使用量上升:

這點從 HiNet 的使用頻寬也可以看出來,頻寬使用量降了 25% (從光世代與 ADSL/VDSL 換到行動網路上?):

Posted in CDN, Cloud, Computer, Murmuring, Network, Telephone | Tagged , , , , , , , , , , | Leave a comment

AWS CloudHSM 支援 FIPS 140-2 Level 3 了

Posted on August 15, 2017 by Gea-Suan Lin

AWS CloudHSM 推出了一些新功能:「AWS CloudHSM Update – Cost Effective Hardware Key Management at Cloud Scale for Sensitive & Regulated Workloads」。

其中比較特別的是從以前只支援 Level 2 變成支援 Level 3 了:

More Secure – CloudHSM Classic (the original model) supports the generation and use of keys that comply with FIPS 140-2 Level 2. We’re stepping that up a notch today with support for FIPS 140-2 Level 3, with security mechanisms that are designed to detect and respond to physical attempts to access or modify the HSM.

在維基百科裡面有提到 Level 2 與 Level 3 的要求:

Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.

In addition to the tamper-evident physical security mechanisms required at Security Level 2, Security Level 3 attempts to prevent the intruder from gaining access to CSPs held within the cryptographic module. Physical security mechanisms required at Security Level 3 are intended to have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module. The physical security mechanisms may include the use of strong enclosures and tamper-detection/response circuitry that zeroes all plaintext CSPs when the removable covers/doors of the cryptographic module are opened.

主動式偵測以及銷毀算是 Level 3 比 Level 2 安全的地方。

另外就是計價方式的修正,先前有一筆固定的費用,現在變成完全照小時計費了:

Pay As You Go – CloudHSM is now offered under a pay-as-you-go model that is simpler and more cost-effective, with no up-front fees.

Posted in AWS, Cloud, Computer, Hardware, Murmuring, Network, Security, Service | Tagged , , , , , , , , , , , , | Leave a comment

Amazon EFS 也能加密了

Posted on August 15, 2017 by Gea-Suan Lin

Amazon EFS 也支援使用 KMS 加密了,這對於一些要求「落地要加密」的 certification 方便不少:「New – Encryption of Data at Rest for Amazon Elastic File System (EFS)」。

不過東京還沒有 EFS 啊... (繼續敲碗)

Posted in AWS, Cloud, Computer, Murmuring, Network, Service | Tagged , , , , , , , , | Leave a comment

加州的手機防竊提案讓失竊率下降不少...

Posted on August 14, 2017 by Gea-Suan Lin

2013 的時候提過「加州的手機防竊提案...」,後來在 2015 年生效:

In a press release sent to reporters on Thursday, George Gascón said that since the law went into effect on July 1, 2015[,]

在兩大陣營都有類似的功能:

Such a kill switch has become standard in all iPhones ("Activation Lock") and Android phones ("Device Protection") since 2015.

而執行到現在已經兩年了,手機的失竊率下降不少:「San Francisco DA: Anti-theft law results in huge drop in stolen phones」。

[S]martphone-related robberies have fallen 22 percent from 2015 to 2016. When measured from the peak in 2013, "overall robberies involving smartphones have declined an astonishing 50 percent."

變成要找人殺肉才能處理,增加被竊後的處理難度與成本...

Posted in Computer, Hardware, Murmuring, Security, Social, Telephone | Tagged , , , , , , , , , , , , , , | 2 Comments

nginx 的 mirror 功能

Posted on August 14, 2017 by Gea-Suan Lin

nginx 1.13.4 出的新功能,ngx_http_mirror_module

The ngx_http_mirror_module module (1.13.4) implements mirroring of an original request by creating background mirror subrequests. Responses to mirror subrequests are ignored.

範例其實就講的還蠻清楚的:

location / {
    mirror /mirror;
    proxy_pass http://backend;
}

location /mirror {
    internal;
    proxy_pass http://test_backend$request_uri;
}

如果拿 nginx 當 load balancer 的人,可以用這個功能做些事情...

Posted in Computer, Murmuring, Network, Service, Software, WWW | Tagged , , , , , , , | Leave a comment