參考「Ad blocking is under attack」這邊,有業主 functionalclam.com 透過 DMCA takedown notice 發信要求 Easylist 移除過濾條件 (參考「2017-08-02-LevenLabs.md」),對應的 commit 參考「M: Removed due to DMCA takedown request」) 這邊。
這件事情再次證實了 DMCA takedown notice 被濫用的情況,明明不是侵權的情況卻被拿來濫用 (因為對原提出者唯一的處罰必須過反過來提告,然後要得自己舉證因為這樣受損)。
目前看起來 EFF 願意介入,就來看看後續了。
在「[ANNOUNCE] Git v2.14.1, v2.13.5, and others」這邊看到 - 開頭產生的問題:
These contain a security fix for CVE-2017-1000117, and are released in coordination with Subversion and Mercurial that share a similar issue. CVE-2017-9800 and CVE-2017-1000116 are assigned to these systems, respectively, for issues similar to it that are now addressed in their part of this coordinated release.
這算是老問題了,Git 對應的修正主要是朝 filter input 的方向修正,包括了禁用 - 開頭的 hostname,以及禁止 GIT_PROXY_COMMAND 是 - 開頭,另外是禁止開頭是 - 的 repository name:
- A "ssh://..." URL can result in a "ssh" command line with a hostname that begins with a dash "-", which would cause the "ssh" command to instead (mis)treat it as an option. This is now prevented by forbidding such a hostname (which should not impact any real-world usage).
- Similarly, when GIT_PROXY_COMMAND is configured, the command is run with host and port that are parsed out from "ssh://..." URL; a poorly written GIT_PROXY_COMMAND could be tricked into treating a string that begins with a dash "-" as an option. This is now prevented by forbidding such a hostname and port number (again, which should not impact any real-world usage).
- In the same spirit, a repository name that begins with a dash "-" is also forbidden now.
然後中華電信的 DNS server (168.95.1.1 & 168.95.192.1) 都查不到 marc.info,改用 Google 的 8.8.8.8 才查得到... =_=
Cloudflare 分析了這次 815 停電對網路造成的影響:「Power outage hits the island of Taiwan. Here’s what we learned.」。
以 Cloudflare 在是方機房的 QPS 來看,停電後反而沒有太大變化:
把裝置種類拆開來看,可以看到桌機的使用量下降,但手機的使用量上升:
這點從 HiNet 的使用頻寬也可以看出來,頻寬使用量降了 25% (從光世代與 ADSL/VDSL 換到行動網路上?):
AWS CloudHSM 推出了一些新功能:「AWS CloudHSM Update – Cost Effective Hardware Key Management at Cloud Scale for Sensitive & Regulated Workloads」。
其中比較特別的是從以前只支援 Level 2 變成支援 Level 3 了:
More Secure – CloudHSM Classic (the original model) supports the generation and use of keys that comply with FIPS 140-2 Level 2. We’re stepping that up a notch today with support for FIPS 140-2 Level 3, with security mechanisms that are designed to detect and respond to physical attempts to access or modify the HSM.
在維基百科裡面有提到 Level 2 與 Level 3 的要求:
Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.
In addition to the tamper-evident physical security mechanisms required at Security Level 2, Security Level 3 attempts to prevent the intruder from gaining access to CSPs held within the cryptographic module. Physical security mechanisms required at Security Level 3 are intended to have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module. The physical security mechanisms may include the use of strong enclosures and tamper-detection/response circuitry that zeroes all plaintext CSPs when the removable covers/doors of the cryptographic module are opened.
主動式偵測以及銷毀算是 Level 3 比 Level 2 安全的地方。
另外就是計價方式的修正,先前有一筆固定的費用,現在變成完全照小時計費了:
Pay As You Go – CloudHSM is now offered under a pay-as-you-go model that is simpler and more cost-effective, with no up-front fees.
Amazon EFS 也支援使用 KMS 加密了,這對於一些要求「落地要加密」的 certification 方便不少:「New – Encryption of Data at Rest for Amazon Elastic File System (EFS)」。
不過東京還沒有 EFS 啊... (繼續敲碗)
2013 的時候提過「加州的手機防竊提案...」,後來在 2015 年生效:
In a press release sent to reporters on Thursday, George Gascón said that since the law went into effect on July 1, 2015[,]
在兩大陣營都有類似的功能:
Such a kill switch has become standard in all iPhones ("Activation Lock") and Android phones ("Device Protection") since 2015.
而執行到現在已經兩年了,手機的失竊率下降不少:「San Francisco DA: Anti-theft law results in huge drop in stolen phones」。
[S]martphone-related robberies have fallen 22 percent from 2015 to 2016. When measured from the peak in 2013, "overall robberies involving smartphones have declined an astonishing 50 percent."
變成要找人殺肉才能處理,增加被竊後的處理難度與成本...
在 nginx 1.13.4 出的新功能,ngx_http_mirror_module:
The ngx_http_mirror_module module (1.13.4) implements mirroring of an original request by creating background mirror subrequests. Responses to mirror subrequests are ignored.
範例其實就講的還蠻清楚的:
location / {
mirror /mirror;
proxy_pass http://backend;
}
location /mirror {
internal;
proxy_pass http://test_backend$request_uri;
}
如果拿 nginx 當 load balancer 的人,可以用這個功能做些事情...
文章的作者試了很多家 VPN 服務,然後文章的標題有點長,有種輕小說的感覺...:「I tested the most recommended VPN providers using my credit card to find the best ones — and which ones you should avoid.」。
不過這種文章有很多東西很主觀,大家心裡有個底就是了...
作者比較滿意的是 TunnelBear 與 OVPN 這兩家,也許等手上 PIA 到期的時候再試看看要怎麼選好了,畢竟 PIA 還是目前最便宜的方案。
其實是我拿 Docker 跑 rTorrent 遇到的問題... (在 gslin/rtorrent-docker 這包裡面)
因為平常都是用 tmux 掛著,有時候是使用桌機接起來,有時候是使用 Mac 接起來,就會遇到 resize 的問題了 :o
在 GitHub 上其實有討論這個問題:「SIGWINCH attached processes · Issue #5736 · moby/moby」(Docker 改名叫 Moby 了,如果你看到網址不是很確定的話,提醒一下... XD)。
在 resize 的機制上是透過 SIGWINCH 這個 signal 傳進去,所以就一層一層檢查... 然後發現是 su 不會把 SIGWINCH 傳下去,改用 sudo 就解決了,這樣就不用每次切換時還要重跑 rTorrent...