Why Twitter's server clocks blew up a few days ago...

A few days ago Twitter's server time blew up and jumped to 2015:

I just saw the cause on Hacker News Daily: "If you're using YYYY in your JVM service or %G in anything, fix it now". The reason is this:

The single character G instead of Y took down Twitter's API today.
If you're using YYYY in your JVM service or %G in anything, fix it now. You're very likely using the wrong year format.

date
Mon Dec 29 00:44:45 EST 2014
date -u "+%G"
2015

ISO 8601 week numbering has 2015 start this week.

You can reproduce it on your own machine too:

gslin@home [~] [01:22/W4] date 
Wed Dec 31 01:27:00 CST 2014
gslin@home [~] [01:27/W4] date +%Y
2014
gslin@home [~] [01:27/W4] date +%G
2015

According to the man page, %G is:

year of ISO week number (see %V); normally useful only with %V

Using the wrong one is brutal...
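To make the %Y versus %G difference concrete, here is an added example (not from the original post or the tweet it quotes) that lists every day of a calendar year on which the ISO 8601 week-numbering year differs from the calendar year. It uses Python's `isocalendar()`, which implements the same week rule that `date +%G` and Java's `YYYY` pattern follow, and cross-checks with the C library's `strftime("%G")`; the 2014-12-29 date is the one from Twitter's outage.

```python
# Added example (not from the original post): where the calendar year (%Y, Java yyyy)
# and the ISO 8601 week-numbering year (%G, Java YYYY) disagree.
import datetime


def years_for(day):
    """Return the calendar year, the ISO week-numbering year (via isocalendar, which is
    portable) and strftime's %G for a 'YYYY-MM-DD' string, so the three can be compared."""
    d = datetime.date.fromisoformat(day)
    return {
        "Y": d.year,                    # what %Y prints
        "G": d.isocalendar()[0],        # what %G is defined to print
        "strftime_G": int(d.strftime("%G")),  # what the C library actually prints
    }


def year_mismatch_days(year):
    """Every day of the given calendar year on which %G prints a different year.
    ISO week 1 is the week containing January 4th, so a mismatch can only fall on
    December 29-31 (already in next year's week 1) or January 1-3 (still in the
    previous year's last week)."""
    out = []
    d = datetime.date(year, 1, 1)
    while d.year == year:
        if d.isocalendar()[0] != year:
            out.append(d.isoformat())
        d += datetime.timedelta(days=1)
    return out


if __name__ == "__main__":
    # The day Twitter's API broke: %Y says 2014, %G already says 2015.
    print(years_for("2014-12-29"))
    for y in (2014, 2015, 2016):
        print(y, year_mismatch_days(y))
```

Running it shows that 2014 has three bad days at the end (December 29-31), 2015 has none, and 2016 has three at the start (January 1-3), which is why a service can run for years with the wrong pattern before anyone notices.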

A JavaScript obfuscation tool

I saw the JSObfu tool mentioned in "12 Days of HaXmas: Improvements to jsobfu"...

The example from the article:

$ echo "console.log('Hello World')" | jsobfu

window[(function () { var E="ole",d="ons",f="c"; return f+d+E })()][(String.fromCharCode(108,111,0147))](String.fromCharCode(0x48,0x65,0154,0154,111,32,0127,0x6f,114,0154,0x64));

If you ask it to run three rounds, it becomes:

$ echo "console.log('Hello World')" | jsobfu 3

window[(function(){var T=String[(String.fromCharCode(102,114,0x6f,109,0x43,104,97,0x72,0x43,0157,0x64,0145))](('j'.length*0x39+54),('h'.length*(3*('X'.length*024+8)+9)+15),(1*('Q'.length*(1*0x40+14)+19)+4)),Z=(function(){var c=String.fromCharCode(0x6e,0163),I=String.fromCharCode(99,0x6f);return I+c;})();return Z+T;})()][(String[(String[((function () { var r="de",t="mCharCo",M="f",_="ro"; return M+_+t+r })())]((0x6*0xf+12),(01*('J'.length*('z'.length*(4*0x9+4)+27)+1)+46),(0x37*'Bw'.length+1),('K'.length*(0x3*0x1a+17)+14),(02*(1*(1*(05*'RIZ'.length+2)+6)+3)+15),('X'.length*('zzJA'.length*021+15)+21),(0x1*0111+24),('FK'.length*0x2b+28),('z'.length*0x43+0),(03*33+12),('AZa'.length*('NKY'.length*(02*4+3)+0)+1),(1*0x5c+9)))](('u'.length*(01*('KR'.length*('av'.length*0x7+3)+5)+19)+(01*('j'.length*056+0)+4)),('z'.length*(String.fromCharCode(0x67,85,0155,0156,75,84,0114,0x4c)[((function () { var f="ngth",F="e",x="l"; return x+F+f })())]*((function () { var n='m',a='Q'; return a+n })()[(String.fromCharCode(0154,101,110,0x67,0x74,104))]*(function () { var w='d',A='tMf'; return A+w })()[((function () { var yG="ngth",q5="e",J="l"; return J+q5+yG })())]+'SX'.length)+'crFiKaq'.length)+(1*026+2)),('p'.length*(06*15+10)+'nnU'.length)))]((function(){var En=String[(String.fromCharCode(0146,0x72,0x6f,0x6d,0103,104,97,0x72,67,0x6f,0144,101))]((3*041+9),('eHUOhZL'.length*(0x1*(01*9+1)+3)+9)),Y=(function(){var z=(function () { var Sf='r'; return Sf })(),Z=(function () { var N='o'; return N })(),C=String.fromCharCode(0x57);return C+Z+z;})(),k=String[((function () { var b="e",s="od",p="fromCha",H="rC"; return p+H+s+b })())](('C'.length*('H'.length*('Ia'.length*0xf+3)+12)+27),('G'.length*(01*('Wv'.length*25+10)+27)+14),('Q'.length*077+45),('MXq'.length*30+18),(1*('B'.length*(0x1*29+20)+24)+38),(0x2*020+0));return k+Y+En;})());
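The two tricks visible in the one-round output are string constants split into `var a="..",b=".."; return b+a` helper functions and `String.fromCharCode(...)` calls with the code points written as a mix of decimal, hex and legacy octal literals. The following is an added example, not part of the jsobfu project, of the decoder a reviewer would write to peel that first layer back: it evaluates JavaScript integer literals (so `0147` is octal, `0x48` is hex) and resolves the concatenation helpers. The sample input is the one-round output from above, re-joined onto one line; the arithmetic-wrapped arguments that later rounds produce are deliberately left undecoded.

```python
# Added example (not part of jsobfu): recover the string constants hidden behind
# String.fromCharCode(...) and the var-and-return concatenation helpers.
import re

# Constructed sample: the single-round jsobfu output shown in the post, on one line.
SAMPLE = ('window[(function () { var E="ole",d="ons",f="c"; return f+d+E })()]'
          '[(String.fromCharCode(108,111,0147))]'
          '(String.fromCharCode(0x48,0x65,0154,0154,111,32,0127,0x6f,114,0154,0x64));')


def js_int(tok):
    """Evaluate a JavaScript integer literal: hex (0x48), legacy octal (0147) or decimal.
    Raises ValueError for anything else, e.g. the arithmetic later rounds emit."""
    tok = tok.strip()
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0" and tok.isdigit():
        return int(tok, 8)          # leading zero = legacy octal in sloppy-mode JS
    return int(tok)


# String.fromCharCode(<no nested parentheses>) -- only literal argument lists.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(([^()]*)\)")
# (function () { var a="x",b='y'; return b+a })  -- the concatenation helper shape.
CONCAT_FN = re.compile(
    r"var\s+((?:\w+=(?:\"[^\"]*\"|'[^']*')\s*,?\s*)+);\s*return\s+([\w+]+)\s*\}")
ASSIGN = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*')")


def decode_fromcharcode(src):
    """Decode every String.fromCharCode call whose arguments are plain integer literals,
    in source order; calls wrapped in arithmetic are skipped rather than guessed at."""
    out = []
    for m in FROMCHARCODE.finditer(src):
        try:
            out.append("".join(chr(js_int(t)) for t in m.group(1).split(",")))
        except ValueError:
            continue
    return out


def decode_concats(src):
    """Resolve each `var a="..",b=".."; return b+a` helper to the string it builds."""
    out = []
    for m in CONCAT_FN.finditer(src):
        parts = {name: val[1:-1] for name, val in ASSIGN.findall(m.group(1))}
        out.append("".join(parts[name] for name in m.group(2).split("+")))
    return out


if __name__ == "__main__":
    print(decode_concats(SAMPLE))        # ['console']
    print(decode_fromcharcode(SAMPLE))   # ['log', 'Hello World']
```

Put together, the sample resolves to `window["console"]["log"]("Hello World")`, which is exactly the input that was fed to jsobfu. On the three-round output the same code only recovers the innermost helpers (`fromCharCode`, `length` and the like), which is the point of stacking rounds: each extra layer has to be evaluated, not pattern-matched.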

Tsk tsk... (installing it right away to play with)

Improvements in MozJPEG 3.0...

Image formats have been up for discussion again lately, whether it's BPG (which reuses HEVC) or Daala, and I just saw the improvements planned for MozJPEG 3.0 in "MozJPEG 3.0".

The first one is a workaround for high contrast against a white background. This is what ordinary libjpeg produces:

And this is what MozJPEG produces:

You can see the edges are improved a lot.

The other is an improvement for gradients, again the libjpeg version versus MozJPEG:

These two improvements look pretty good, don't they?

Ruby 2.2.0: a new release before the holidays

Ruby 2.2.0 was released before the holidays: "Ruby 2.2.0 Released".

The "Notable Changes since 2.1" section mentions the new GC algorithm (Incremental GC) and making Symbols garbage-collectable (Symbol GC), and notes that Rails 5.0 will benefit from this:

Recent developments mentioned on the Rails blog suggest that Rails 5.0 will take advantage of Incremental GC as well as Symbol GC.

The explanation on the Rails side:

Rails 5.0 will target Ruby 2.2+ exclusively. There are a bunch of optimizations coming in Ruby 2.2 that are going to be very nice, but most importantly for Rails, symbols are going to be garbage collected.

GitHub to drop RC4 from HTTPS connections in two weeks

GitHub's "Improving GitHub's SSL setup" opens by saying RC4 is getting pulled:

To keep GitHub as secure as possible for every user, we will remove RC4 support in our SSL configuration on github.com and in the GitHub API on January 5th 2015.

Looking at the calendar and doing the math, what this really means is "we'll pull RC4 on the first Monday after the holidays" XDDD

GitHub says Windows XP + IE8 will stop working, but flipping through "Qualys SSL Labs - Projects / User Agent Capabilities: IE 8 / XP", after manually enabling TLS 1.0 there should still be two 3DES ciphers, TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) and TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13), to limp along on, no?

But looking at GitHub's current HTTPS configuration, they don't seem to plan on supporting those two: "Qualys SSL Labs - Projects / SSL Server Test / github.com" and "Qualys SSL Labs - Projects / SSL Server Test / github.com".

Then again, kicking 3DES off the list while they're at it is the safer choice...
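The reasoning in this post is a cipher-suite intersection: whatever the server keeps after dropping RC4, an old client can only negotiate the suites it also offers. Here is an added example, not GitHub's configuration, that walks through that with constructed lists. The server list is illustrative; the client list stands in for IE 8 on XP and is an assumption (RC4 and 3DES suites only, no AES), chosen to match the situation the post describes. The two 3DES suites, 0x000A and 0x0013, are the ones the post names.

```python
# Added example (not GitHub's configuration): what dropping RC4, and then 3DES as well,
# leaves for a client that only speaks those two families.
import re

# Constructed server preference list in IANA naming; only the two 3DES suites come from
# the post (0x000A and 0x0013), the rest are illustrative.
SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",       # 0x000A
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",   # 0x0013
]

# Constructed stand-in for IE 8 on XP (assumption: RC4 and 3DES only, no AES).
IE8_XP_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]

# TLS_<key exchange>_WITH_<bulk cipher>_<mac>
SUITE = re.compile(r"^TLS_(?P<kx>[A-Z_]+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")


def bulk_cipher(suite):
    """Bulk-cipher part of an IANA suite name, e.g. 'RC4_128' or '3DES_EDE_CBC'."""
    m = SUITE.match(suite)
    if not m:
        raise ValueError("not an IANA cipher suite name: " + suite)
    return m.group("cipher")


def prune(suites, drop_rc4=True, drop_3des=False):
    """Server-side filter: remove RC4 suites and, optionally, 3DES suites, keeping order."""
    kept = []
    for s in suites:
        c = bulk_cipher(s)
        if drop_rc4 and c.startswith("RC4"):
            continue
        if drop_3des and c.startswith("3DES"):
            continue
        kept.append(s)
    return kept


def negotiable(server, client):
    """Suites both sides share, in server preference order (server-preferred selection)."""
    offered = set(client)
    return [s for s in server if s in offered]


if __name__ == "__main__":
    no_rc4 = prune(SERVER_SUITES)
    print("after dropping RC4, IE8/XP gets:", negotiable(no_rc4, IE8_XP_SUITES))
    no_rc4_no_3des = prune(SERVER_SUITES, drop_3des=True)
    print("after dropping 3DES too:", negotiable(no_rc4_no_3des, IE8_XP_SUITES))
```

With RC4 gone the old client is left with exactly the two 3DES suites from the post; with 3DES gone as well the intersection is empty, which is the trade-off GitHub chose.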

Apple's first automatic forced update: the NTP security issue

Apple's first-ever automatic forced update went out for this ntpd security issue, CVE-2014-9295: "Apple pushes first ever automated security update to Mac users".

A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.

This one is a bit more exciting than usual...

The attacks on Tor have begun...

Only a few days ago the Tor Project predicted it would be attacked (The Tor Project predicts it will be attacked), and today on Hacker News Daily there is a report of machines being seized: "[tor-talk] Warning: Do NOT use my mirrors/services until I have reviewed the situation".

Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.

The sensors detected the chassis being opened and a USB device being plugged in, and then control of the machines was lost.

The architectural problem with Flash's crossdomain.xml

在「"Lax" Crossdomain Policy Puts Yahoo Mail At Risk」這篇裡面看到不安全的 Flash 造成的問題:「Seizing Control of Yahoo! Mail Cross-Origin... Again」。

Find a vulnerable swf file (hosted somewhere the crossdomain.xml allows), then knock it over through injection, or because it simply never checks permissions at all... basically, use the swf as a stepping stone :p
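Since the whole attack hinges on crossdomain.xml trusting too wide a set of hosts, the check a defender wants is an audit of that file for over-broad grants. The following is an added example (not from the linked write-up, and the policy it parses is a constructed sample with placeholder hostnames, not any real site's file) that flags the three grants worth worrying about: `domain="*"`, wildcard suffixes that sweep in every host under a domain, and `secure="false"`, plus a `site-control` meta-policy that honours policy files anywhere on the host.

```python
# Added example (not from the linked write-up): audit a Flash crossdomain.xml for the
# over-broad grants that let a swf hosted elsewhere act as a stepping stone.
import xml.etree.ElementTree as ET

# Constructed sample policy; hostnames are placeholders, not any real site's policy.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="mail.example.test"/>
  <allow-access-from domain="*.example.test" secure="false"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

GRANT_TAGS = ("allow-access-from", "allow-http-request-headers-from")


def audit_policy(xml_text):
    """Return (element, domain, finding) tuples for each risky grant, in document order."""
    findings = []
    root = ET.fromstring(xml_text)

    # Meta-policy: "all" means a policy file served from any path on the host counts,
    # so a user-uploadable directory can carry its own, wider policy.
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") == "all":
        findings.append(("site-control", "",
                         "policy files anywhere on the host are honoured, not only /crossdomain.xml"))

    for tag in GRANT_TAGS:
        for el in root.findall(tag):
            dom = el.get("domain", "")
            if dom == "*":
                findings.append((tag, dom,
                                 "a swf from any origin may send requests with the user's cookies and read the responses"))
            elif dom.startswith("*."):
                findings.append((tag, dom,
                                 "every host under the suffix is trusted, including any that serve user-uploaded swf files"))
            # secure defaults to true on an https policy; "false" admits plain-http swf files.
            if el.get("secure", "true").lower() == "false":
                findings.append((tag, dom,
                                 'secure="false" lets a swf loaded over plain http use this https policy'))
    return findings


if __name__ == "__main__":
    for element, domain, why in audit_policy(SAMPLE_POLICY):
        print(f"{element} domain={domain!r}: {why}")
```

On the sample this reports five findings; a policy that names only the specific hosts that genuinely need cross-origin access to the mail application, with no wildcards, comes back clean.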

The Disclosure Timeline at the end of the article is pretty sad to look at :o

The Tor Project predicts it will be attacked

The Tor Project predicts it will be attacked: "Possible upcoming attempts to disable the Tor network".

Seizing machines to cut down Tor's capacity to bootstrap clients:

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities.

Going straight for the weak spot...

China's keyword censorship

Slashdot's "New Compilation of Banned Chinese Search-Terms Reveals Curiosities" cites the article "Some curious search terms denied to the Chinese"; there is a repository on GitHub that tries to collect these keywords: "jasonqng/chinese-keywords".

But the first thing I noticed about the report was the image it used:

Or is Taiwan actually already heavily censored? hmmm...