Month: March 2016

NASA 的 JPL 回答「你們用的圓周率是 3.14 嗎?」的問題

NASAJPL 回答了他們所使用的圓周率:「How Many Decimals of Pi Do We Really Need?」。

答案是小數下十五位:

For JPL's highest accuracy calculations, which are for interplanetary navigation, we use 3.141592653589793.

先拿目前離地球最遠的人造物 Voyager 1 來舉例,約 201 億公里 (125 億英里) 的距離,使用這個小數下 15 位的圓周率,與實際的圓周率算出來的誤差只有 3.81 公分 (1.5 英寸):

The most distant spacecraft from Earth is Voyager 1. It is about 12.5 billion miles away.

It turns out that our calculated circumference of the 25 billion mile diameter circle would be wrong by 1.5 inches. Think about that. We have a circle more than 78 billion miles around, and our calculation of that distance would be off by perhaps less than the length of your little finger.

另外還舉了地球與整個宇宙的數字來計算,需要的精確度沒有想像中那麼大 XD

吉卜力將放出作畫所使用的軟體原始碼

在「造福同人,吉卜力使用的动画制作软件宣布开源化」這邊看到的,搜了一下相關的新聞,可以在「Open-Source Animation Production Software OpenToonz Available March 26」看到說明。

而「アニメーション制作ツールの オープンソースプロジェクト」這邊也有相關的消息,預定在 3/26 舉辦的 AnimeJapan 2016 有進一步的發表,到時候再來追進度...

Google 推出 BinDiff 分析惡意軟體

看到 Google 推出 BinDiff 時以為是某種對 binary 檔案產生類似 diff 結果的軟體 (像是 bsdiff 這樣的東西),仔細看才發現是跟資安有關的東西:「BinDiff now available for free」。

可以用在只有 binary 的情況下,快速找出有哪些 assembly code 有差異,進而讓人可以更快的分析。資安分析可以透過這個工具加速。相同的,也可以透過這個工具看出 vendor patch 實際上修了什麼東西:

BinDiff is a comparison tool for binary files that helps to quickly find differences and similarities in disassembled code. It is used by security researchers and engineers across the globe to identify and isolate fixes for vulnerabilities in vendor-supplied patches and to analyze multiple versions of the same binary.

而另外一個用途則是快速分類,把相同的 malware 集合起來,降低重複分析的時間:

Another common use case is to transfer analysis results from one binary to another, helping to prevent duplicate analyses of, for example, malware binaries.

目前支援的 assembly 指令集包括了這些:

Compare binary files for x86, MIPS, ARM/AArch64, PowerPC, and other architectures.

從原始文章可以看到還有 flowchart 分析:

不過這是配合其他 Hex-Rays IDA 的 Professional 版本產生的結果分析,官網報價一套是 USD$1129。

To use it, you also need the commercial Hex-Rays IDA Pro disassembler, 6.8 or later.

Apple 打算把 iCloud 加密用的 Key 放到用戶端

在經過最近 FBIApple 的戰鬥中 (FBI–Apple encryption dispute),Apple 正規劃把 iCloud 加密所使用的 key 放到用戶端裝置上,而非放在伺服器端:「Apple to Hand iCloud Encryption Key Management to Account Holders」:

In effect, Apple is following the lead of secure cloud services such as SpiderOak which has been offering what it calls “Zero Knowledge” cloud storage. By that, SpiderOak retains no information about whatever is stored in its cloud service, nor the means of gaining access to it.

也就是加解密都放在 client 端處理,server 端只是 storage。

這類型最大的問題是 server 端沒辦法運用資料,但 iCloud 的確可以放掉這些功能 (搜尋之類的),純粹當 storage 使用,藉以讓使用者自己裝置保護。

而蘋果在使用者的裝置上把類似於 HSM 的系統做的頗強大... 不知道 Android 有沒有機會也跟進。(雖然我自己是用 Apple 家的東西...)

Stack Overflow 做的 Developer Survey 2016

Stack Overflow 對開發者發問卷後把結果整理出來了:「Stack Overflow Developer Survey 2016 Results」,約 56k 個樣本數:

This year, 56,033 coders in 173 countries answered the call.

整個問卷分成五塊區域:Overview、Developer Profile、Technology、Work、Community,其中 Overview 的部份是給時間不多的人看的,整理了一些比較特別或是有趣的重點:

Most developers prefer dogs to cats. (But not developers in Germany.)

(唔?)

要注意的是,問卷只有英文版本,所以這份問卷明顯對於英文非母語的開發者會有比較低的填寫意願,會造成統計偏差問題,所以在讀之前要注意到:

Surveys aren’t perfect. While our large sample size helps offset some biases, it’s still biased against devs who don't speak English, or who don't like taking English-language surveys.

另外是有女性對這份問卷表示不滿:「Stack Overflow’s developer survey analysis hurts women」,尤其是 Stack Overflow 標示了只有 5.8% 的女性,這會導致女性樣本數在答案細分族群時的統計偏差的問題會很嚴重。

另外這篇文章的作者也對 Stack Overflow 裡的結論很不滿意。

回到原來文章,有些東西還蠻有趣的:

其中 Salary 這段應該是很多人都有動力去讀一讀了解的,裡面還包括了各地區與麥當勞的大麥克指數的相對數值分析,讓你有個參考值可以感覺。

PostgreSQL 對 Vacuum 效能的改善

在「No More Full-Table Vacuums」這邊提到了 PostgreSQL 在 vacuum 時效能的大幅改善,尤其是大型資料庫在 vacuum 時需要對整個表格從頭到尾掃一次以確保 transaction id 的正確性:

Current releases of PostgreSQL need to read every page in the database at least once every 2 billion write transactions (less, with default settings) to verify that there are no old transaction IDs on that page which require "freezing".

這動作在資料量大的機器上就會吃大量資源導致各種討厭的現象:

All of a sudden, when the number of transaction IDs that have been consumed crosses some threshold, autovacuum begins processing one or more tables, reading every page. This consumes much more I/O bandwidth, and exerts much more cache pressure on the system, than a standard vacuum, which reads only recently-modified page.

而作者送了 patch 改成只會讀還沒搞定的部份:

Instead of whole-table vacuums, we now have aggressive vacuums, which will read every page in the table that isn't already known to be entirely frozen.

要注意的是,agreesive vacuum 相較於 vacuum 會多吃很多資源,但可以打散掉 (有點像一次大 GC 導致 lag 與多次 minor GC 讓程式反應時間變得比較順暢的比較):

An aggressive vacuum still figures to read more data than a regular vacuum, possibly a lot more. But at least it won't read the data that hasn't been touched since the last aggressive vacuum, and that's a big improvement.

這個功能預定在 PostgreSQL 9.6 出現,不知道會不會變 default...

GitHub 支援 HTTP Code 451 了...

GitHub 宣佈支援 HTTP Code 451 了:「The 451 status code is now supported」。也就是 RFC 7725 的「An HTTP Status Code to Report Legal Obstacles」。

目前會把因為 DMCA takedown notice 下架的內容以 HTTP Code 451 標出:

The GitHub API will now respond with a 451 status code for resources it has been asked to take down due to a DMCA notice.

HTTP Code 451 的點子出自「華氏 451 度」這本書,表示紙的燃點。

AWS Database Migration Service

AWS 正式向所有使用者開放「AWS Database Migration Service」了:「AWS Database Migration Service」。

AWS 把前置作業 (setup & initial backup) 與 replication 的部份都包好,讓使用者可以很輕鬆的轉移。

支援的來源資料庫種類包括了這五種:

Supported database sources include: (1) Oracle, (2) SQL Server, (3) MySQL, (4) Amazon Aurora and (5) PostgreSQL. All sources are supported on-premises, in EC2, and RDS except Amazon Aurora which is available only in RDS.

支援的目的資料庫種類也包括了這五種:

Supported database targets include: (1) Amazon Aurora, (2) Oracle, (3) SQL Server, (4) MySQL, and (5) PostgreSQL. All Oracle, SQL Server, MySQL and Postgres targets are supported on-premises, in EC2 and RDS.

所以不只可以搬進 AWS,也透過在 EC2 instance 上架 Proxy 的方式搬出 AWS。比較特別的是可以不同 database 互轉?這好像可以玩玩看...

轉移的機器包括 t2.* 與 c4.* 兩種,一般來說 t2 系列的機器應該夠用,但如果要拼轉移速度的話可以拿 c4 出來撐場面。

OpenSSL 1.1.0 的 Release Notes 先放出來了 (現在是 Beta 1)

雖然才 Beta 1,但 OpenSSL 先放出 1.1.0 的 Release Notes 了:「OpenSSL 1.1.0 Series Release Notes」。

有幾個新的功能以及重大的改變,包括了對 ChaCha20Poly1305 的支援,並且把 SSLv2、RC4、所有 40bits 與 56bits 的 cipher 拔掉,然後支援 Certificate Transparency

讓人頗期待... 不知道來不來得及跟上 Ubuntu 16.04

Google 加倍對 Chromebook 訪客模式的攻擊獎金

Google 決定加倍對 Chromebook 訪客模式下攻陷系統的獎金:「After 0 successful submissions, Google doubles top reward for hacking a Chromebook to $100,000」。

原先是五萬美金:

Last year, Google introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. The company’s security team says it hasn’t received a single successful submission.

提升到十萬美金:

As such, Google has doubled the bounty, which was already the top Chrome reward, to $100,000. The company really wants someone to hack Chrome OS to pieces. “That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool,” Google declared.