Home » 2014 » September

CloudFlare 的擴張計畫

在 CloudFlare 的「One More Thing: Keyless SSL and CloudFlare's Growing Network」這篇文章裡提到了 CloudFlare 的擴張計畫,其中藍色是已經有的點,而橘色是計畫的點:

雖然是說打算在 12 個月內搞定上面的計畫:

The map above shows all the locations where CloudFlare is actively working to turn up data centers over the next 12 months.


另外看起來台灣也會有點,不知道會放到哪裡... (以及 routing 會怎麼繞)

Amazon 的 Xen 安全性更新

AWS 上租一卡車機器的人最近應該都有收到重開機的通知,目前雖然沒有明講編號,但看起來是 10/01 會公開的 XSA-108:「EC2 Maintenance Update」。

不過 Slashdot 上的「Amazon Forced To Reboot EC2 To Patch Bug In Xen」這篇的第一個 comment 很精彩:

It's funny for me to read that Amazon is notifying its users of an impending reboot.

I've been suffering with Azure for over a year now, and the only thing that's constant is rebooting....

My personal favorite Azure feature, is that SQL Azure randomly drops database connections by design.

Let that sink in for a while. You are actually required to program your application to expect failed database calls.

I've never seen such a horrible platform, or a less reliable database server...

這要怎麼說呢... 就使用雲端服務的人,設計上的確要這樣沒錯,但就提供雲端服務的供應商,應該還是要保持 VM 的穩定性吧... XDDD

Backblaze 再次發表各家硬碟耐用程度...

今年年初 (一月) 的時候發表過一次「各家硬碟的耐用程度...」引起爭議厚的最新力做,九月再發表一次:「Hard Drive Reliability Update – Sep 2014」。

灰色部份是一月的數據,其他顏色是九月的數據。文中有考慮是否要換成企業級的硬碟 (enterprise drives),但兩個評估的答案是否定的。

第一個評估是成本考量,就算一般硬碟以三年保固期有 15% 的 failure rate,相較於企業級 0% failure rate 計算 (於是直接算成 10 年),成本是不划算的:

Today on Amazon, a Seagate 3 TB “enterprise” drive costs $235 versus a Seagate 3 TB “desktop” drive costs $102. Most of the drives we get have a 3-year warranty, making failures a non-issue from a cost perspective for that period. However, even if there were no warranty, a 15% annual failure rate on the consumer “desktop” drive and a 0% failure rate on the “enterprise” drive, the breakeven would be 10 years, which is longer than we expect to even run the drives for.


The assumption that “enterprise” drives would work better than “consumer” drives has not been true in our tests. I analyzed both of these types of drives in our system and found that their failure rates in our environment were very similar — with the “consumer” drives actually being slightly more reliable.

用 Tesseract OCR 解 CAPTCHA

在「python 乌云账号暴力猜解工具」這邊看到 Tesseract OCR 這個 command line 工具,比想像中的簡單很多...

Tesseract OCR 最新版是 2012 年出的,所以也不需要另外用 ppa 安裝,在 Ubuntu 下可以直接用 apt-get 安裝到 3.02 版:

# apt-get install tesseract-ocr

隨便抓張 CAPTCHA 後直接跑就可以了,像是這張:


$ tesseract a.gif a
Tesseract Open Source OCR Engine v3.02 with Leptonica
$ cat a.txt

預設的輸出檔名會加上 .txt 是比較討厭的地方,不然就可以用 /dev/stdout 當作輸出檔名處理掉...

jQuery 官網疑似被攻陷...

起因在「jQuery.com Malware Attack Puts Privileged Enterprise IT Accounts at Risk」這篇,RiskIQ 的人偵測到 jQuery 官方網站異常,帶有惡意軟體。檢查後發現在官網的 html 裡面出現了 jquery-cdn.com 這個非官方的 domain:

這個 domain 可以看到是全新建立的:

   Domain Name: JQUERY-CDN.COM
   Registrar: NAMESILO, LLC
   Whois Server: whois.namesilo.com
   Referral URL: http://www.namesilo.com
   Name Server: NS1.DNSOWL.COM
   Name Server: NS2.DNSOWL.COM
   Name Server: NS3.DNSOWL.COM
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 18-sep-2014
   Creation Date: 18-sep-2014
   Expiration Date: 18-sep-2015

透過這個 domain 一路穿出去將惡意程式導進來。

jQuery 官方收到 RiskIQ 的人通之後也開始調查發生什麼事情:「Was jquery.com Compromised?」、「Update on jQuery.com Compromises」。


Bash 遠端執行安全漏洞

這讓人無言了,Bash 的遠端執行安全漏洞,CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

可以在 oss-sec 上面看到說明「Re: CVE-2014-6271: remote code execution through bash」:

Debian and other GNU/Linux vendors plan to disclose a critical, remotely exploitable security vulnerability in bash this week, related to the processing of environment variables. Stephane Chazelas discovered it, and CVE-2014-6271 has been assigned to it.

透過環境變數打進去... Redhat 的「Bash specially-crafted environment variables code injection attack」這篇也給了不少例子。

Linux 下通常最常用的 shell 應該還是 Bash 吧?(雖然也看到不少人用 Zsh...)

然後 Twitter 上看到非常邪惡的 Google Hack:

大家可以自己加上 site: 去掃...

GitHub 升級到 Rails 3 了...

GitHub 從 2.3.github 特製版升級到 Rails 3:「Upgrading GitHub to Rails 3 with Zero Downtime」,其中切換的原因之一是維護成本:

This choice has bitten us in the form of gem incompatibility, having to manually backport security patches, missing out on core framework performance and feature improvements, and being unable to easily contribute back to the open source rails project.


Over the last six months, we’ve had a team of 4 engineers working full time on upgrading to Rails 3.

接下來不知道是不是繼續切換到 Rails 4...

Google Noto 字型出新版了

Zite 上看到的:「Noto Fonts Update」。

如同預期的,逗點的問題解決掉了。然後剛剛另外測試 LibreOffice + Noto 時的中文字,本來會變成方塊字的問題也解了...

Update 2014/10/01:我搞錯了... 我的設定還是用到原來的字型檔,LibreOffice 開起來還是爛的...