Monthly Archives: December 2014

The reason Twitter's server time blew up a few days ago...

A few days ago the clock on Twitter's servers blew up and jumped to 2015:

"I MITMed Twitter for Android's login to see why it was failing. The Twitter servers think it's 2015. Amazing. pic.twitter.com/iEu4rEUub9" — Ninji the [REDACTED] (@_Ninji) December 29, 2014

I just saw the reason on Hacker News Daily: "If you're using YYYY … Continue reading

Posted in Computer, Murmuring, Programming

A JavaScript obfuscation tool

I came across the tool JSObfu, mentioned in the article "12 Days of HaXmas: Improvements to jsobfu"... The example from the article:

$ echo "console.log('Hello World')" | jsobfu
window[(function () { var E="ole",d="ons",f="c"; return f+d+E })()][(String.fromCharCode(108,111,0147))](String.fromCharCode(0x48,0x65,0154,0154,111,32,0127,0x6f,114,0154,0x64));

Tell it to run three passes and it becomes:

$ echo "console.log('Hello World')" | jsobfu 3
window[(function(){var T=String[(String.fromCharCode(102,114,0x6f,109,0x43,104,97,0x72,0x43,0157,0x64,0145))](('j'.length*0x39+54),('h'.length*(3*('X'.length*024+8)+9)+15),(1*('Q'.length*(1*0x40+14)+19)+4)),Z=(function(){var c=String.fromCharCode(0x6e,0163),I=String.fromCharCode(99,0x6f);return … Continue reading

Posted in Computer, Murmuring, Programming, Security, Software | 2 Comments

Improvements in MozJPEG 3.0...

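Image formats have been up for discussion again lately, whether it is BPG, which builds on HEVC, or Daala, and I just saw the improvements planned for MozJPEG 3.0 in "MozJPEG 3.0". The first is a workaround for high contrast against a white background. This is the result from stock libjpeg: [image] And this is the result from MozJPEG: [image] You can see that the edges are much improved. The other is an improvement for gradients, again the libjpeg version and MozJPEG: [image] These two improvements look pretty good, don't they?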

Posted in Computer, Murmuring, Photo, Recreation, Software

Ruby 2.2.0: a new release before the holidays

Ruby 2.2.0 was released before the holidays: "Ruby 2.2.0 Released". The "Notable Changes since 2.1" section mentions a new GC algorithm (Incremental GC) and making Symbols garbage-collectable (Symbol GC), and notes that Rails 5.0 will benefit from this: Recent developments mentioned on the Rails blog suggest that Rails 5.0 will take advantage of Incremental GC as … Continue reading

Posted in Computer, Murmuring, Programming, Software

GitHub plans to drop RC4 for HTTPS connections in two weeks

GitHub opens "Improving GitHub's SSL setup" by announcing that it will remove RC4: To keep GitHub as secure as possible for every user, we will remove RC4 support in our SSL configuration on github.com and in the GitHub API on January 5th 2015. I looked at the calendar and worked it out: what that really means is "we'll pull RC4 on the Monday after the holidays" XDDD Although GitHub … Continue reading

Posted in Computer, Murmuring, Network, Security, WWW

Apple's first automatic forced update: the NTP security issue

Apple's first-ever automatic forced update went to this ntpd security issue, CVE-2014-9295: "Apple pushes first ever automated security update to Mac users". A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting … Continue reading

Posted in Computer, MacOS, Murmuring, Network, OS, Security, Software

The attack on Tor has begun...

Just a few days ago the Tor Project speculated that it would be attacked ("The Tor Project predicts it will be attacked"), and in today's Hacker News Daily I saw that machines have been seized: "[tor-talk] Warning: Do NOT use my mirrors/services until I have reviewed the situation". Tonight there has been some unusual activity taking place and I have now lost control of all servers under … Continue reading

Posted in Computer, Hardware, Murmuring, Network, P2P, Political, Security, Software, WWW

The architectural problem with Flash's crossdomain.xml

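In "'Lax' Crossdomain Policy Puts Yahoo Mail At Risk" I saw a problem caused by insecure Flash: "Seizing Control of Yahoo! Mail Cross-Origin... Again". Find a flawed swf file (hosted within the range that crossdomain.xml allows), then take it down through injection or because it does not check permissions at all... in short, the swf is used as a stepping stone :p The Disclosure Timeline at the end of the article is rather sad to read :o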

Posted in Computer, Network

The Tor Project predicts it will be attacked

The Tor Project predicts it will be attacked: "Possible upcoming attempts to disable the Tor network". Seizing machines would reduce Tor's capacity to bootstrap clients: The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized … Continue reading

Posted in Cloud, Computer, Murmuring, Network, P2P, Security, Software, VPN, WWW | 1 Comment

Keyword censorship in China

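Slashdot's "New Compilation of Banned Chinese Search-Terms Reveals Curiosities" cites the article "Some curious search terms denied to the Chinese", and there is a repository on GitHub that tries to collect these keywords: "jasonqng/chinese-keywords". But the first thing I noticed on seeing the report was the image it uses: [image] Or is it that Taiwan is in fact already heavily censored? hmmm...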

Posted in Computer, Murmuring, Network, Political, Search Engine, Social, WWW | 2 Comments