Monthly Archives: October 2015

Square 申請 IPO

Square 丟出 IPO 申請:「Square Files Registration Statement for Proposed Initial Public Offering」,其中參與的單位包括:

Goldman, Sachs & Co., Morgan Stanley, and J.P. Morgan are acting as lead joint book-running managers for the proposed offering. Barclays, Deutsche Bank Securities, Jefferies, RBC Capital Markets, and Stifel are acting as additional book-running managers for the proposed offering, and LOYAL3 Securities, Inc. is acting as a co-manager.

維基百科上的「Square, Inc.」有整理過的歷史資料。2009 年創立,2010 年五月上線的公司,從 Series A 跑到 Series E。

巴黎廢棄的地鐵站的游泳池計畫...

Imgur 上看到「Paris is reusing some abandoned subways as swimming pools.」:

但下面第一個 comment 的連結:

We did the same thing in New York http://imgur.com/qGd3QLw

點進去:

笑噴 XDDD

PS:可以參考「巴黎廢棄地鐵站 “Ghost Stations” 再利用計劃,月台變身餐廳、劇院、游泳池」這篇文章。

在攻擊時總是挑最弱的一環:NSA 對 DH 的攻擊

在「How is NSA breaking so much crypto?」這邊提到了 2012 年有文章說明 NSA 有能力解開部份的加密通訊,而後來 Snowden 所提供的資料也證實了這點:

In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.

但在這之前一直都不清楚是怎麼解出來的,直到最近才猜測應該是 Diffie-Hellman 的強度以及實作問題:「Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice」。

而成果其實非常驚人,由於強度不夠以及實作問題,有相當可觀的數量是可被攻擊的:

We go on to consider Diffie-Hellman with 768- and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.

作者群給的建議有三個方向,一個是把長度加長到 2048 bits,另外一個是改用 ECDH,而最差的情況 (如果還是需要使用 1024 bits DH) 則是避免使用固定的 prime number。

USD$75 解 RSA 512bits

Cryptology ePrint Archive 上面剛好是 2015 年編號 1000 號的論文:「Factoring as a Service」。透過 Amazon EC2 服務以及 CADO-NFS 的幫助,四小時內就可以解出 512bits RSA,而如同作者說的,雖然已經很不安全了,但在許多地方仍然被使用著:

The difficulty of integer factorization is fundamental to modern cryptographic security using RSA encryption and signatures. Although a 512-bit RSA modulus was first factored in 1999, 512-bit RSA remains surprisingly common in practice across many cryptographic protocols. Popular understanding of the difficulty of 512-bit factorization does not seem to have kept pace with developments in computing power. In this paper, we optimize the CADO-NFS and Msieve implementations of the number field sieve for use on the Amazon Elastic Compute Cloud platform, allowing a non-expert to factor 512-bit RSA public keys in under four hours for $75. We go on to survey the RSA key sizes used in popular protocols, finding hundreds or thousands of deployed 512-bit RSA keys in DNSSEC, HTTPS, IMAP, POP3, SMTP, DKIM, SSH, and PGP.

另外也有專案網站:「Factoring as a Service」,程式碼也有放上 GitHub:「Factoring as a Service」。

Apache 2.4.17:內建支援 HTTP/2

Zite 上突然看到 mod_h2 的文章,想說不是早就放出來很久了嗎... 仔細看才發現是 Apache HTTP Server 2.4.17 發行了:「how to h2 in apache」。

Support for HTTP/2 is finally being released with Apache httpd 2.4.17! This pages gives advice on how to build/deploy/configure it. The plan is to update this as people find out new things (read: bugs) or give recommendations on what works best for them.

另外在「Apache HTTP Server 2.4.17 Released」這邊可以看到公告,不過官方每次改版都直接改掉這個檔案 (沒有存檔),如果要看歷史紀錄的話到 Internet Archive: Wayback Machine 的頁面上看吧:「https://web.archive.org/web/*/https://www.apache.org/dist/httpd/Announcement2.4.html」。

這樣兩個主流 web server 都支援 HTTP/2 了,接下來最主要的問題是 Android 對 HTTP/2 的支援度:「HTTP/2 protocol」,要等舊版逐漸淘汰掉...

ScyllaDB:用 C++ 改寫相容於 Cassandra 的系統

Scylla 是出自希臘神話,維基百科對應的連結:「斯庫拉」、「Scylla」。而在 ScyllaDB 官網副標題寫著:

Fully compatible with Apache Cassandra at 10x the throughput and jaw dropping low latency

JVM 的 GC 老問題在 Cassandra 中帶來的 latency 不穩定本來就是個痛苦的問題,要花很多力氣去調整,而用 C++ 改寫等於是自己處理這一塊。

這帶來的效能提昇可以從各種測試結果看出來,像是單機的測試:「Scylla vs. Cassandra benchmark」,以及多機的測試:「Scylla vs. Cassandra benchmark (cluster)」(可以參考下圖)。

而 Latency 的改善也是極為明顯:「Latency benchmark」。

其中另外一個重要的技術是 IntelDPDK,可以大幅降低現有 Linux Kernel 在網路架構上的損耗:「Dedicated fast network stack for modern hardware」。

很有趣的專案,好久沒碰 Cassandra 了...

Redis 的 Secondary Indexing

Redis 官方說明 Secondary Indexing 的文件:「Secondary indexing with Redis」。

Secondary Indexing 算是 RDBMS 最底層基礎功能,如果有了這個功能已經可以做非常多事情... 查了文章裡提到的 Z* 系列指令是在 3.0.2 支援的 (目前是 3.0.4),看起來這個功能很新,不知道實際上跑起來跟 PostgreSQL 拼的效能如何... (因為 PostgreSQL 也可以自訂 Index 的內容)

在 iOS 上不使用 Facebook App 時要完全砍掉 process

在「The Background Data and Battery Usage of Facebook’s iOS App」這邊提到 Facebook AppiOS 上使用了非常吃電的技巧來強制背景更新。

作者猜測,如果你把 Facebook App 設定成不允許背景更新,那麼 Facebook App 會利用 iOS 在「播放音樂」可以在背景執行來進行更新:(所以只是打開播放的 channel,但是沒有聲音)

My guess is that Facebook is hijacking audio sessions on iOS by keeping silent audio in the background whenever a video plays in the app. And because, by default, videos on Facebook auto-play on both Wi-Fi and Cellular and few people ever bother to turn it off, that means there's a high chance the Facebook app will always find a way to play a video, keep audio in the background, and consume energy to perform background tasks.

而且有些人也發現了類似的現象:

I'm not alone in noticing the mysterious "Facebook audio" background consumption, and video auto-play seems to me the most likely explanation at this point. I don't know if turning off auto-play may fix the problem, but I'd recommend doing that anyway to save data.

印象中我們家的 zonble 也有提過類似的事情,當時他好像還有抱怨不知道 Facebook App 在搞什麼鬼... Anyway,這就可以理解作者提到為什麼這麼吃電:

On my girlfriend's iPhone, for instance, iOS 9 reports 5 hours of on-screen usage for the last 7 days, and another 11 hours of background audio usage with Background App Refresh turned off.

我的想法是,如果不用的時候就按兩下 home 鍵把 Facebook App 整個踢出去,或者就如同作者建議用 Safari 開行動版本:

I wonder if Apple should consider additional battery controls to take action against shady practices like invisible background audio. What Facebook is doing shows a deep lack of respect for iOS users. I continue to recommend using Safari instead.

HAProxy 1.6 的兩個大功能:Quote 以及 Lua

HAProxy 1.6.0 出版的公告文章:「[ANNOUNCE] HAProxy 1.6.0 released」。

兩個大功能,第一個是「It’s 2015, let’s use QUOTE in configuration file」,可以用引號了... 另外一個是「Lua Scripting」,需要 Lua 5.3+。

還有提到一些改進,像是支援 SNI,以及對 HTTP/2 的計畫。

在 LAN 裡把 TCP timestamps 關閉擠出頻寬

由於 TCP timestamps 會使得封包多 12 bytes,關掉後可以在 LAN 裡面擠出頻寬,是個小孩子不要亂學的方法:「Save Some Bandwidth By Turning Off TCP Timestamps」。

文章裡是在 10Gbps 網路上測試,看測出來的圖片也只是一點點 (不到 1%),但仍然是有提昇:

Results show that it's reasonable to turn off timestamps on 10GE interfaces, but keep in mind that it should be performed only in low latency networks.

沒必要就不要亂動 :o