
Using ultra-high-frequency sound to violate user privacy across devices

Saw in this article that cross-device tracking mechanisms are already in use: "Beware of ads that use inaudible sound to link your phone, TV, tablet, and PC".

TV commercials use ultra-high frequencies (inaudible to humans) to pair with apps on nearby phones or tablets, and the ad network then stitches the user's behaviour together across those devices:

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can't be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

A tracking mechanism that is hard to turn off; it looks exactly like the kind of technology the NSA, FBI, CIA and friends would love.

Gmail will flag mail that arrived over an unencrypted connection

A while ago, in "The incompleteness of STARTTLS and mass surveillance of e-mail", I mentioned that the current standards cannot guarantee that ESMTP will actually negotiate STARTTLS. Google is now working with M3AAWG on a standard to protect against this class of attack:

First, we found regions of the Internet actively preventing message encryption by tampering with requests to initiate SSL connections. To mitigate this attack, we are working closely with partners through the industry association M3AAWG to strengthen “opportunistic TLS” using technologies that we pioneered with Chrome to protect websites against interception.

Separately, Google will also start flagging mail that was not delivered over STARTTLS:

To notify our users of potential dangers, we are developing in-product warnings for Gmail users that will display when they receive a message through a non-encrypted connection. These warnings will begin to roll-out in the coming months.

Google's post is at "New Research: Encouraging trends and emerging threats in email security".

My guess is DNSSEC plus a TXT record to signal the policy; not sure whether it will go that way...
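The tampering Google describes is usually called STARTTLS stripping: an on-path device removes the STARTTLS capability from the server's EHLO reply, and a purely opportunistic client, seeing no offer of TLS, simply carries on in plaintext. The following is an added illustration, not code from Google's post or from this blog, of how the client's decision changes once it has a "TLS required" assertion for the destination that the on-path device cannot edit. The EHLO replies are constructed, and the `TLS_REQUIRED_DOMAINS` table is a hypothetical stand-in for whatever authenticated record (the DNSSEC-signed TXT idea above, for instance) such a standard might publish.

```python
# Added example (not from the original post): an SMTP client's STARTTLS decision
# under opportunistic TLS versus a published "TLS required" policy, when an on-path
# device has stripped the STARTTLS capability from the server's EHLO reply.

# Constructed EHLO reply as an MTA would return it after "EHLO client.example".
EHLO_INTACT = (
    "250-mail.example.net Hello client.example\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
# The same reply after STARTTLS stripping: the capability line is gone, so an
# opportunistic client has no reason to suspect anything and proceeds in plaintext.
EHLO_STRIPPED = (
    "250-mail.example.net Hello client.example\r\n"
    "250-SIZE 35882577\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

# Hypothetical policy table: destination domains that have asserted "TLS required"
# through an authenticated channel the on-path attacker cannot modify. This stands
# in for the DNSSEC-signed TXT record idea; it is not a real protocol.
TLS_REQUIRED_DOMAINS = {"example.net"}


def parse_ehlo(reply: str) -> set[str]:
    """Return the EHLO keywords (upper-cased) advertised in a multi-line 250 reply."""
    keywords = set()
    lines = reply.strip().split("\r\n")
    # The first line is the greeting ("250-host Hello ..."), not a capability.
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        # "250-KEYWORD params" for continuation lines, "250 KEYWORD params" for the last
        body = line[4:]
        keyword = body.split(" ", 1)[0].upper()
        if keyword:
            keywords.add(keyword)
    return keywords


def decide_transport(reply: str, destination_domain: str) -> str:
    """Decide the next step after EHLO: 'starttls', 'plaintext' or 'abort'.

    Opportunistic TLS: use STARTTLS if it is offered, otherwise continue in plaintext.
    With a published TLS-required policy, a missing STARTTLS offer is treated as
    evidence of tampering (or misconfiguration): the delivery attempt is aborted and
    the message stays queued for retry instead of being downgraded to plaintext.
    """
    offered = parse_ehlo(reply)
    if "STARTTLS" in offered:
        return "starttls"
    if destination_domain in TLS_REQUIRED_DOMAINS:
        return "abort"
    return "plaintext"


if __name__ == "__main__":
    for name, reply in (("intact", EHLO_INTACT), ("stripped", EHLO_STRIPPED)):
        for domain in ("example.net", "example.org"):
            print(f"{name:8s} -> {domain}: {decide_transport(reply, domain)}")
```

The interesting row is the stripped reply for `example.net`: with the policy, the client aborts and the mail is delayed; without it, the same reply silently produces a plaintext delivery, which is exactly the gap the in-product warning is meant to make visible to the recipient.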

PostgreSQL 9.5 will have Parallel Sequential Scan

Saw in "Parallel Sequential Scan is Committed!" that PostgreSQL 9.5 (not yet released) will have Parallel Sequential Scan.

The author demonstrates it with an abuse everyone commits all the time, the classic LIKE '%word%':

rhaas=# \timing
Timing is on.
rhaas=# select * from pgbench_accounts where filler like '%a%';
 aid | bid | abalance | filler
-----+-----+----------+--------
(0 rows)

Time: 743.061 ms
rhaas=# set max_parallel_degree = 4;
SET
Time: 0.270 ms
rhaas=# select * from pgbench_accounts where filler like '%a%';
 aid | bid | abalance | filler
-----+-----+----------+--------
(0 rows)

Time: 213.412 ms

This feature is really nice XD

0.1 + 0.2 = 0.30000000000000004

Saw that "http://0.30000000000000004.com/" collects each language's result for the classic 0.1 + 0.2 problem. The domain name itself is pretty cheeky XD

The introduction explains the problem with the IEEE 754 binary representation:

Your language isn't broken, it's doing floating point math. Computers can only natively store integers, so they need some way of representing decimal numbers. This representation comes with some degree of inaccuracy. That's why, more often than not, .1 + .2 != .3.

It's actually pretty simple. When you have a base 10 system (like ours), it can only express fractions that use a prime factor of the base. The prime factors of 10 are 2 and 5. So 1/2, 1/4, 1/5, 1/8, and 1/10 can all be expressed cleanly because the denominators all use prime factors of 10. In contrast, 1/3, 1/6, and 1/7 are all repeating decimals because their denominators use a prime factor of 3 or 7. In binary (or base 2), the only prime factor is 2. So you can only express fractions cleanly which only contain 2 as a prime factor. In binary, 1/2, 1/4, 1/8 would all be expressed cleanly as decimals. While, 1/5 or 1/10 would be repeating decimals. So 0.1 and 0.2 (1/10 and 1/5) while clean decimals in a base 10 system, are repeating decimals in the base 2 system the computer is operating in. When you do math on these repeating decimals, you end up with leftovers which carry over when you convert the computer's base 2 (binary) number into a more human readable base 10 number.

The discussion here is mainly about IEEE 754-1985; IEEE 754-2008 later added decimal floating-point formats to address exactly this problem (although they are not yet widely adopted).
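To make the quoted explanation concrete, here is an added example (not from the 0.30000000000000004.com page) that prints the exact value of the doubles involved, implements the page's prime-factor rule in general form for any base, and shows what decimal floating point gives you. Python's `decimal` module is used as a stand-in for an IEEE 754-2008 decimal type; the 34-digit precision matches decimal128.

```python
# Added example (not from the original page): the binary rounding behind
# 0.1 + 0.2, the prime-factor rule for terminating expansions in any base, and
# the decimal floating-point alternative that IEEE 754-2008 standardised.
from decimal import Decimal, localcontext
from fractions import Fraction
from math import gcd


def exact_value(x: float) -> str:
    """Exact decimal expansion of the binary double nearest to x."""
    return str(Decimal(x))


def as_fraction(x: float) -> Fraction:
    """The double as an exact ratio m / 2**k (the denominator is always a power of 2)."""
    return Fraction(x)


def terminates_in_base(numerator: int, denominator: int, base: int) -> bool:
    """True if numerator/denominator has a finite expansion in the given base.

    The page's rule, generalised: after reducing the fraction, the expansion
    terminates iff every prime factor of the denominator also divides the base.
    Repeatedly dividing the denominator by gcd(denominator, base) strips exactly
    those shared factors; anything left over is a factor the base lacks.
    """
    denominator //= gcd(numerator, denominator)
    while denominator > 1:
        g = gcd(denominator, base)
        if g == 1:
            return False
        denominator //= g
    return True


def binary_sum(a: float, b: float) -> str:
    """repr() of the float sum: the shortest string that round-trips to that double."""
    return repr(a + b)


def decimal_sum(a: str, b: str) -> str:
    """Sum in decimal floating point: '0.1' and '0.2' are stored exactly in base 10."""
    with localcontext() as ctx:
        ctx.prec = 34  # decimal128 precision from IEEE 754-2008
        return str(Decimal(a) + Decimal(b))


if __name__ == "__main__":
    print(binary_sum(0.1, 0.2))        # 0.30000000000000004
    print(exact_value(0.1))            # the double is slightly above 1/10
    print(exact_value(0.2))            # ... and slightly above 1/5
    print(exact_value(0.1 + 0.2))      # the rounded sum lands above 3/10
    print(exact_value(0.3))            # while the double nearest 0.3 is below it
    print(as_fraction(0.1))            # 3602879701896397/36028797018963968
    print(decimal_sum("0.1", "0.2"))   # 0.3
    for d in (10, 5, 8, 3):
        print(f"1/{d}: terminates in base 10: {terminates_in_base(1, d, 10)}, "
              f"in base 2: {terminates_in_base(1, d, 2)}")
```

The two `exact_value` lines for `0.1 + 0.2` and `0.3` are the whole story: the sum rounds to a double just above 3/10, the literal `0.3` rounds to the double just below it, and those are different doubles, so `==` is false even though both print as something close to 0.3.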

Comcast's 300GB/month cap

Comcast's own internal documents say the 300GB/month cap has nothing to do with solving network congestion; it is purely a business decision (or, put bluntly, "find a reason to charge more money"): "Leaked Comcast docs prove 300GB data cap has nothing to do with network congestion".

At the very bottom:

Don’t Say: “The program is about congestion management.” (It is not.)

This reminds me of 2000, when the computer centre imposed a daily traffic limit on the NCTU dorm network, which made total traffic keep climbing instead, because everyone felt that unused quota was wasted. The right half of the bandwidth distribution was chopped off, but the entire left half crept upward, so once you integrate, total traffic went up enormously XDDD

That was the first time I saw it confirmed in practice that, in some situations, a false sense of fairness actually raises overall cost... The related discussions can still be found via Google Groups on nctu.talk or tw.bbs.campus.nctu.

Come to think of it, it has been ages since I took my old professor out for a meal? Maybe I should arrange something in December...

A Google engineer's reviews of USB Type-C cables on Amazon

I mentioned earlier "A Google engineer leaves brilliant reviews of USB-C cables on Amazon..."; since then that engineer, Benson Leung, has written many more reviews, which you can see at "Amazon.com: Profile for Benson Leung".

You can see that a large number of cables got two stars, though a handful did pass his tests:

Only 6 of 35 passed; that does not look good XDDD

The impact of the TPP (Trans-Pacific Partnership) on the GPL

The TPP's (Trans-Pacific Partnership) closed-door negotiations only came under wide scrutiny after Wikileaks published the text (TPP Treaty: Intellectual Property Rights Chapter - 5 October 2015), and, as expected, if it had to be done in secret it is because the contents are indefensible and against the public interest.

The EFF has a series of explanatory analyses; if you are interested, start at "Trans-Pacific Partnership Agreement".

What I want to cover here is the TPP's effect on the GPL: "TPP has provision banning requirements to transfer of or access to source code of software".

This set of provisions restricting requirements on source code directly collides with GPL-style licences that mandate open source:

Article 14.17: Source Code

  1. No Party shall require the transfer of, or access to, source code of software owned by a person of another Party, as a condition for the import, distribution, sale or use of such software, or of products containing such software, in its territory.
  2. For the purposes of this Article, software subject to paragraph 1 is limited to mass-market software or products containing such software and does not include software used for critical infrastructure.
  3. Nothing in this Article shall preclude:
    (a) the inclusion or implementation of terms and conditions related to the provision of source code in commercially negotiated contracts; or
    (b) a Party from requiring the modification of source code of software necessary for that software to comply with laws or regulations which are not inconsistent with this Agreement.
  4. This Article shall not be construed to affect requirements that relate to patent applications or granted patents, including any orders made by a judicial authority in relation to patent disputes, subject to safeguards against unauthorised disclosure under the law or practice of a Party.
libpng vulnerability...

A libpng security issue, CVE-2015-8126:

Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.

A pile of software needs updating...
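The advisory ties the overflow to the relationship between the IHDR bit depth and the palette: an indexed-colour image with bit depth b can address at most 2^b palette entries, so a PLTE chunk carrying more entries than that is malformed, and a consumer that sizes its palette buffer from the bit depth must reject it rather than copy the chunk's full length. The following is an added example, not libpng's code, of a minimal PNG chunk walker that enforces that consistency check (along with CRC and bit-depth/colour-type validity from the PNG specification). `build_png` constructs the test files inline, including ones with a deliberately oversized palette, so the check can be seen firing.

```python
# Added example (not libpng's code): parse PNG chunks defensively and reject a
# PLTE whose entry count exceeds what the IHDR bit depth can address.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOR_TYPE_PALETTE = 3
# Permitted bit depths per colour type, from the PNG specification.
VALID_BIT_DEPTHS = {
    0: {1, 2, 4, 8, 16},  # greyscale
    2: {8, 16},           # truecolour
    3: {1, 2, 4, 8},      # indexed-colour
    4: {8, 16},           # greyscale with alpha
    6: {8, 16},           # truecolour with alpha
}


def make_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Encode one chunk: big-endian length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) per chunk, verifying signature, lengths and CRCs."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(png):
        if len(png) - pos < 12:
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        chunk_type = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError(f"truncated {chunk_type!r} chunk")
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(chunk_type + data) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {chunk_type!r} chunk")
        yield chunk_type, data
        pos += 12 + length


def parse_header(png: bytes) -> dict:
    """Parse IHDR, then validate any PLTE against the declared bit depth."""
    header = None
    palette_entries = None
    for chunk_type, data in iter_chunks(png):
        if chunk_type == b"IHDR":
            if len(data) != 13:
                raise ValueError("IHDR must be 13 bytes")
            width, height, bit_depth, color_type = struct.unpack(">IIBB", data[:10])
            if bit_depth not in VALID_BIT_DEPTHS.get(color_type, set()):
                raise ValueError(f"invalid bit depth {bit_depth} for colour type {color_type}")
            header = {"width": width, "height": height,
                      "bit_depth": bit_depth, "color_type": color_type}
        elif chunk_type == b"PLTE":
            if header is None:
                raise ValueError("PLTE before IHDR")
            if len(data) == 0 or len(data) % 3 != 0:
                raise ValueError("PLTE length must be a non-zero multiple of 3")
            entries = len(data) // 3
            # The check that matters here: bit depth b addresses at most 2**b entries.
            # A fixed-size palette buffer sized from b cannot hold more, so refuse
            # the chunk instead of copying len(data) bytes into it.
            max_entries = 1 << header["bit_depth"]
            if header["color_type"] == COLOR_TYPE_PALETTE and entries > max_entries:
                raise ValueError(f"PLTE has {entries} entries but bit depth "
                                 f"{header['bit_depth']} allows at most {max_entries}")
            palette_entries = entries
        elif chunk_type == b"IEND":
            break
    if header is None:
        raise ValueError("missing IHDR")
    header["palette_entries"] = palette_entries
    return header


def accepts(png: bytes) -> bool:
    """True if the file passes every check, False if it is rejected as malformed."""
    try:
        parse_header(png)
    except ValueError:
        return False
    return True


def build_png(bit_depth: int, palette_entries: int) -> bytes:
    """Constructed test input: 1x1 indexed-colour IHDR plus a PLTE of the given size."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, bit_depth, COLOR_TYPE_PALETTE, 0, 0, 0)
    plte = b"\x00" * (3 * palette_entries)
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"PLTE", plte) + make_chunk(b"IEND", b""))


if __name__ == "__main__":
    for depth, entries in ((1, 2), (8, 256), (1, 4), (2, 5)):
        print(f"bit depth {depth}, {entries} palette entries: "
              f"{'accepted' if accepts(build_png(depth, entries)) else 'rejected'}")
```

Rejecting the chunk is the right outcome: a file whose palette claims more entries than its pixels can reference is not a valid image under any interpretation, and refusing it early costs nothing legitimate.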
