Mutt has been updating really fast lately XDDD (compared with Togashi's pace): "mutt 1.7.0 released". A look at this round of release notes on the official site:
- Mutt 1.7.0 was released on August 18, 2016. This release has several new features. Please see the UPDATING file for details.
- Mutt 1.6.2 was released on July 6, 2016. This is a bug-fix release, fixing two issues found with 1.6.1.
- Mutt 1.6.1 was released on May 1, 2016. This is a bug-fix release, fixing three issues found with 1.6.0.
- Mutt 1.6.0 was released on April 4, 2016. This stable release has an enormous number of changes compared to the 1.4 series. Please review the changes file for an overview of changes since the 1.4 series, or the UPDATING file for a more detailed breakdown by each previous development release.
- Mutt 1.5.16 was released on June 9, 2007. This release fixes CVE-2007-2683 (gecos overflow) and CVE-2007-1558 (APOP MD5 collision attack).
- Mutt 1.5.12 was released on July 14, 2006. This release fixes CVE-2006-3242, a buffer overflow that could be triggered by a malicious IMAP server.
Updates have come a lot faster since 2016... XD
The NSA used these vulnerabilities to intercept enterprise traffic at scale: "Leaked Exploits are Legit and Belong to NSA: Cisco, Fortinet and Snowden Docs Confirm".
Cisco has confirmed the vulnerability, and the whole product line is affected: the discontinued Cisco PIX, the previous-generation Cisco ASA 5500 (some models are still on sale), the current mainline Cisco ASA 5500-X, and the security modules as well: "Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability".
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 4100 Series
- Cisco Firepower 9300 ASA Security Module
- Cisco Firepower Threat Defense Software
- Cisco Firewall Services Module (FWSM)*
- Cisco Industrial Security Appliance 3000
- Cisco PIX Firewalls*
Cisco Firewall Service Modules and Cisco PIX Firewalls have passed the last day of software support milestone as stated in the published End of Life (EoL) documents. Further investigations into these devices will not be performed, and fixed software will not be made available.
This Cisco issue is caused by a hole in SNMP:
Administrators are advised to allow only trusted users to have SNMP access and to monitor affected systems using the snmp-server host command.
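The advisory's mitigation boils down to one rule: only known management hosts should ever be able to poll SNMP on the firewall. As an added example (not from Cisco or the original post), here is a small Python check that applies that rule to flow records and flags every SNMP request from a source outside the allow-list. The allow-list, the `key=value` record format and the sample flows are all constructed for this example.

```python
"""Flag SNMP polls (UDP/161) whose source is not an allow-listed management host."""
from ipaddress import ip_address, ip_network

# Hypothetical management network and jump host that are allowed to poll SNMP.
SNMP_ALLOWLIST = [ip_network("10.0.0.0/28"), ip_network("192.0.2.10/32")]
SNMP_PORT = 161

# Constructed flow records in a simple key=value form (not real Cisco syslog/NetFlow).
SAMPLE_FLOWS = """\
ts=2016-08-18T08:00:01Z src=10.0.0.5 dst=10.0.0.1 proto=udp dport=161 iface=inside
ts=2016-08-18T08:00:07Z src=203.0.113.77 dst=198.51.100.2 proto=udp dport=161 iface=outside
ts=2016-08-18T08:00:09Z src=10.0.0.5 dst=10.0.0.1 proto=tcp dport=22 iface=inside
ts=2016-08-18T08:00:12Z src=192.0.2.10 dst=198.51.100.2 proto=udp dport=161 iface=outside
ts=2016-08-18T08:00:15Z src=10.0.0.200 dst=10.0.0.1 proto=udp dport=161 iface=inside
"""

def parse_flow(line):
    """Turn one 'k=v k=v ...' record into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields

def is_trusted(src, allowlist=SNMP_ALLOWLIST):
    """True when src falls inside one of the allow-listed networks."""
    addr = ip_address(src)
    return any(addr in net for net in allowlist)

def find_untrusted_snmp(text, allowlist=SNMP_ALLOWLIST):
    """Return (ts, src, dst, iface) for every SNMP request from a non-allow-listed source.
    An SNMP request from an unexpected poller is exactly the exposure the advisory
    tells administrators to remove, so each hit is worth an alert, whether it arrived
    on the outside interface or from an unknown host on the inside."""
    hits = []
    for raw in text.splitlines():
        f = parse_flow(raw)
        if f is None or f["proto"] != "udp" or f["dport"] != SNMP_PORT:
            continue
        if is_trusted(f["src"], allowlist):
            continue
        hits.append((f["ts"], f["src"], f["dst"], f["iface"]))
    return hits

if __name__ == "__main__":
    for hit in find_untrusted_snmp(SAMPLE_FLOWS):
        print("untrusted SNMP poll:", *hit)
```

On the sample data this reports the poll from 203.0.113.77 on the outside interface and the one from 10.0.0.200, which is on the inside but not in the management range; the allow-list is the same set of hosts you would configure with `snmp-server host`, so keeping the two in sync is the point of the exercise.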
The NSA used this hole to build exploits that get implanted into the device:
This flaw was included inside two NSA exploits, dubbed EPICBANANA as well as JETPLOW, which is an enhanced version of EPICBANANA, but with better persistence capabilities, Cisco's Omar Santos said in a blog post.
This can be seen in the documents leaked from the NSA
And it is not only Cisco; several other vendors were hit too. See "The NSA Leak Is Real, Snowden Documents Confirm" for more @_@
The Washington Post has compiled the 98 personal data points Facebook uses to target ads: "98 personal data points that Facebook uses to target ads to you".
Basic personal information (even your friends') and which browser you use are to be expected, and it is no surprise that Likes and the Groups you join are counted, but that even the type of credit card is included is rather special...
Time to review my own defenses... The browser blocks third-party cookies by default:
Ghostery blocks all external components by default, with a whitelist for the parts I want to see, and uBlock Origin blocks all ads.
On top of that, "Force Facebook Most Recent" forces Facebook onto the Most Recent timeline.
Finally, the 98 data points:
- Education level
- Field of study
- Ethnic affinity
- Income and net worth
- Home ownership and type
- Home value
- Property size
- Square footage of home
- Year home was built
- Household composition
- Users who have an anniversary within 30 days
- Users who are away from family or hometown
- Users who are friends with someone who has an anniversary, is newly married or engaged, recently moved, or has an upcoming birthday
- Users in long-distance relationships
- Users in new relationships
- Users who have new jobs
- Users who are newly engaged
- Users who are newly married
- Users who have recently moved
- Users who have birthdays soon
- Expectant parents
- Mothers, divided by “type” (soccer, trendy, etc.)
- Users who are likely to engage in politics
- Conservatives and liberals
- Relationship status
- Job title
- Office type
- Users who own motorcycles
- Users who plan to buy a car (and what kind/brand of car, and how soon)
- Users who bought auto parts or accessories recently
- Users who are likely to need auto parts or services
- Style and brand of car you drive
- Year car was bought
- Age of car
- How much money user is likely to spend on next car
- Where user is likely to buy next car
- How many employees your company has
- Users who own small businesses
- Users who work in management or are executives
- Users who have donated to charity (divided by type)
- Operating system
- Users who play canvas games
- Users who own a gaming console
- Users who have created a Facebook event
- Users who have used Facebook Payments
- Users who have spent more than average on Facebook Payments
- Users who administer a Facebook page
- Users who have recently uploaded photos to Facebook
- Internet browser
- Email service
- Early/late adopters of technology
- Expats (divided by what country they are from originally)
- Users who belong to a credit union, national bank or regional bank
- Users who invest (divided by investment type)
- Number of credit lines
- Users who are active credit card users
- Credit card type
- Users who have a debit card
- Users who carry a balance on their credit card
- Users who listen to the radio
- Preference in TV shows
- Users who use a mobile device (divided by what brand they use)
- Internet connection type
- Users who recently acquired a smartphone or tablet
- Users who access the Internet through a smartphone or tablet
- Users who use coupons
- Types of clothing user’s household buys
- Time of year user’s household shops most
- Users who are “heavy” buyers of beer, wine or spirits
- Users who buy groceries (and what kinds)
- Users who buy beauty products
- Users who buy allergy medications, cough/cold medications, pain relief products, and over-the-counter meds
- Users who spend money on household products
- Users who spend money on products for kids or pets, and what kinds of pets
- Users whose household makes more purchases than is average
- Users who tend to shop online (or off)
- Types of restaurants user eats at
- Kinds of stores user shops at
- Users who are “receptive” to offers from companies offering online auto insurance, higher education or mortgages, and prepaid debit cards/satellite TV
- Length of time user has lived in house
- Users who are likely to move soon
- Users who are interested in the Olympics, fall football, cricket or Ramadan
- Users who travel frequently, for work or pleasure
- Users who commute to work
- Types of vacations user tends to go on
- Users who recently returned from a trip
- Users who recently used a travel app
- Users who participate in a timeshare
GitHub Pages used to accept only the gh-pages branch; GitHub has now improved that: "Simpler GitHub Pages publishing".
In "Security fixes for Libgcrypt and GnuPG 1.4 [CVE-2016-6316]" I came across this long-standing bug:
Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions.
For a machine you use yourself, behavior like this is probably fine... but being able to predict the next 160 bits after obtaining 4640 bits is rather embarrassing for an RNG @_@
A first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information. This needs more research and I would suggest _not to_ overhasty revoke keys.
Still, if you have absolute security requirements, you can consider revoking the key and generating a new one...
So this is called a Delayed Queue; no wonder searching with other keywords turned up nothing... (I won't say which keywords XD)
Netflix has published the delayed queue they developed: "Distributed delay queues based on Dynomite".
The original architecture used Cassandra + Zookeeper:
Traditionally, we have been using a Cassandra based queue recipe along with Zookeeper for distributed locks, since Cassandra is the de facto storage engine at Netflix.
But a number of problems come to mind immediately, as Netflix itself points out:
Using Cassandra for queue like data structure is a known anti-pattern, also using a global lock on queue while polling, limits the amount of concurrency on the consumer side as the lock ensures only one consumer can poll from the queue at a time.
So they moved it onto Dynomite, another Netflix project:
Dynomite, inspired by Dynamo whitepaper, is a thin, distributed dynamo layer for different storage engines and protocols. Currently these include Redis and Memcached. Dynomite supports multi-datacenter replication and is designed for high availability.
With Redis and Memcached as the backends, the system can survive an entire datacenter disappearing from the internet.
The design guarantees that a message "will run at least once", which means it may run more than once; users of Dyno Queues have to account for that:
4. At-least-once delivery semantics
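To make the at-least-once point concrete, here is a small in-memory model, written for this post rather than taken from Netflix's code, of a delay queue built on sorted-set semantics: messages sit in a queue scored by the time they become visible, a poll moves them into an "unack" set with a deadline, and a sweeper puts anything not acknowledged by the deadline back into the queue. The timeout values and message payloads are made up for the example. The redelivery in `demo()` is the duplicate a consumer has to tolerate.

```python
"""Minimal in-memory model of a sorted-set style delay queue with at-least-once delivery."""
import itertools

class DelayQueue:
    def __init__(self, unack_timeout):
        self.unack_timeout = unack_timeout  # seconds a consumer gets to ack a polled message
        self._queue = {}    # message id -> score: the time the message becomes visible
        self._unack = {}    # message id -> deadline by which the consumer must ack
        self._payload = {}
        self._ids = itertools.count(1)

    def push(self, payload, now, delay=0):
        """Enqueue a message that becomes visible at now + delay."""
        mid = next(self._ids)
        self._payload[mid] = payload
        self._queue[mid] = now + delay
        return mid

    def poll(self, now, max_items=1):
        """Return up to max_items visible messages, moving them to the unack set."""
        ready = sorted((score, mid) for mid, score in self._queue.items() if score <= now)
        out = []
        for _, mid in ready[:max_items]:
            del self._queue[mid]
            self._unack[mid] = now + self.unack_timeout
            out.append((mid, self._payload[mid]))
        return out

    def ack(self, mid):
        """Finish a message; only acked messages leave the system for good."""
        if mid in self._unack:
            del self._unack[mid]
            del self._payload[mid]
            return True
        return False

    def process_unacks(self, now):
        """Sweeper: any message whose ack deadline passed goes back to the queue.
        This is where the duplicates of at-least-once delivery come from."""
        expired = [mid for mid, deadline in self._unack.items() if deadline <= now]
        for mid in expired:
            del self._unack[mid]
            self._queue[mid] = now
        return len(expired)

def demo():
    """Two messages, one consumer crash: the unacked message is delivered twice."""
    q = DelayQueue(unack_timeout=30)
    a = q.push("send-welcome-email", now=0, delay=10)
    b = q.push("expire-session", now=0)
    deliveries = []
    deliveries += q.poll(now=0)      # only b is visible; the consumer then dies without acking
    deliveries += q.poll(now=10)     # a's delay has elapsed
    q.ack(a)
    q.process_unacks(now=40)         # b's 30 s ack window has passed, so it is requeued
    deliveries += q.poll(now=40)     # b is delivered a second time
    return [payload for _, payload in deliveries]

if __name__ == "__main__":
    print(demo())
```

Because the same message id comes back on redelivery, the practical defense is to make the consumer idempotent keyed on that id (or on a business key inside the payload) rather than to hope the sweeper never fires.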
The post reads fairly casually, but in practice it still looks heavyweight... I won't be using it for now :o
The headline feature of Go 1.7 is smaller binaries: "Smaller Go 1.7 binaries":
Typical programs, ranging from tiny toys to large production programs, are about 30% smaller when built with Go 1.7.
Since the speed of a modern CPU is tightly coupled to its L1/L2/... caches, a smaller binary often comes with faster memory access (a smaller code footprint means a better cache hit rate), so binary size is an important part of the performance picture too.
Bitcoin.org has issued a rather puzzling warning: "0.13.0 Binary Safety Warning".
Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre.
We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.
Since Bitcoin.org runs HTTPS site-wide, is this hinting at a "mis-issued SSL certificate for Bitcoin.org" scenario? They also recommend verifying the binaries with their PGP public key:
We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.
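The part of that advice people most often skip is binding the signature to the quoted fingerprint: a "Good signature" from whatever key happens to be in your keyring proves nothing if an attacker also supplied the key. As an added example (not Bitcoin.org's or Bitcoin Core's own tooling), the Python below runs `gpg --status-fd 1 --verify` and accepts only when a `VALIDSIG` status line carries the pinned fingerprint from the warning. The `SAMPLE_STATUS` text is constructed to mirror gpg's status format for the offline check; the key's user ID in it is a placeholder, not the real one.

```python
"""Verify a release signature against a pinned key fingerprint via gpg's status output."""
import re
import subprocess

# Fingerprint quoted by Bitcoin.org for the release signing key.
PINNED_FPR = "01EA5486DE18A882D4C2684590C8019E36C2E964"

def normalize_fpr(fpr):
    """Strip spaces/colons and upper-case, so 'ab cd' and 'AB:CD' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fpr.upper())

def valid_sig_fingerprints(status_output):
    """Fingerprints from '[GNUPG:] VALIDSIG <fpr> ...' lines.
    VALIDSIG is only emitted for signatures that actually verify and names the
    full 40-hex-digit fingerprint; GOODSIG only gives the short/long key id,
    which is not what the release notes ask you to compare against."""
    return [normalize_fpr(m.group(1))
            for m in re.finditer(r"^\[GNUPG:\] VALIDSIG ([0-9A-Fa-f]{40})\b",
                                 status_output, re.MULTILINE)]

def signed_by_pinned_key(status_output, pinned=PINNED_FPR):
    return normalize_fpr(pinned) in valid_sig_fingerprints(status_output)

def verify_file(sig_path, data_path=None, pinned=PINNED_FPR):
    """Run gpg and decide based solely on the VALIDSIG fingerprint.
    TRUST_UNDEFINED in the output is expected when you have not certified the
    key locally; pinning the fingerprint replaces that web-of-trust step."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path]
    if data_path:
        cmd.append(data_path)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return signed_by_pinned_key(proc.stdout, pinned)

# Constructed status output (not captured from a real run) for the offline check.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 01EA5486DE18A882D4C2684590C8019E36C2E964 0
[GNUPG:] SIG_ID 5kP0vRgq3gTYl7bS5qXc1qk0Xzo 2016-08-23 1471910400
[GNUPG:] GOODSIG 90C8019E36C2E964 Release Signing Key (placeholder) <release@example.invalid>
[GNUPG:] VALIDSIG 01EA5486DE18A882D4C2684590C8019E36C2E964 2016-08-23 1471910400 0 4 0 1 10 00 01EA5486DE18A882D4C2684590C8019E36C2E964
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    print("pinned key signed the sample:", signed_by_pinned_key(SAMPLE_STATUS))
```

In use you would call `verify_file("SHA256SUMS.asc")` after importing the key, then check the downloaded binary against the hashes in that file with `sha256sum -c`; a failure at either step means do not run the binary.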
Grabbing a stool to watch from the sidelines; meanwhile, here is what the current certificate shows, currently issued by RapidSSL SHA256 CA - G3:
Saw someone writing an ebook in Markdown: "How I wrote and published my novel using only open source tools".
The ebook is produced mainly by converting with Pandoc, with metadata supplied via the Dublin Core Metadata Element Set.
The print edition is also converted with Pandoc, to ODT, after which LibreOffice is brought in to adjust the page format:
LibreOffice has many page formatting options that are non-obvious but incredibly important. For example, I wanted the first page of each chapter to be a right page, and to exclude the page header. I defined my chapter heading style to have a “page break before” and set a page style of “first page” (which is a right page without a header), which is followed by “right page”, which is followed by “left page”, which goes back to “right page”.
The key tool is still Pandoc; I'll find a chance to convert a few things and see how it looks...
Saw something interesting in "A Conflict-Free Replicated JSON Datatype". (arXiv says there will be an hour of downtime on 2016/08/18, which starts at 20:20 Taiwan time on 2016/08/18: "Maintenance scheduled for Aug 18 8:20 a.m. EDT")
The authors want an algorithm over JSON structures that can synchronize in a P2P setting (without relying on a server) and produce consistent results, while not dropping data when there is a conflict:
In this paper we present an algorithm and formal semantics for a JSON data structure that automatically resolves concurrent modifications such that no updates are lost, and such that all replicas converge towards the same state.
The authors' idea is not very complex, and the way the merge preserves data is rather... special, but it at least gives people a way of thinking about it. Besides, in many cases there is a server anyway, which makes things much simpler...
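The two properties quoted above, no lost updates and convergence to the same state without a server, can be shown on a much smaller structure than the paper's. The following is a simplified illustration written for this post, not the paper's algorithm: a flat JSON-like map where each key is a multi-value register built on unique tags, so that a write removes only the values the writer had observed and concurrent writes survive side by side until someone resolves them. Replica names, keys and values are made up for the example.

```python
"""Two replicas edit the same map concurrently and converge without coordination."""

class Replica:
    def __init__(self, rid):
        self.rid = rid
        self.clock = 0
        self.live = {}        # key -> {tag: value}; several tags per key means a conflict
        self.removed = set()  # tags already removed (tombstones), so a late add is ignored

    def _tag(self):
        self.clock += 1
        return (self.clock, self.rid)  # unique across replicas because rid is part of it

    def set(self, key, value):
        """Local write: replaces exactly the values this replica has observed for key."""
        op = ("set", key, value, self._tag(), frozenset(self.live.get(key, {})))
        self.apply(op)
        return op

    def delete(self, key):
        op = ("del", key, None, None, frozenset(self.live.get(key, {})))
        self.apply(op)
        return op

    def apply(self, op):
        """Apply a local or remote op; ops commute, so delivery order does not matter."""
        kind, key, value, tag, observed = op
        entries = self.live.setdefault(key, {})
        for t in observed:             # remove only what the writer had seen...
            entries.pop(t, None)
            self.removed.add(t)
        if kind == "set" and tag not in self.removed:
            entries[tag] = value       # ...so a concurrent write is kept, not lost
        if not entries:
            del self.live[key]

    def get(self, key):
        """Every current value for key, in a deterministic tag order."""
        return [v for _, v in sorted(self.live.get(key, {}).items(), reverse=True)]

    def snapshot(self):
        return {k: sorted(v.items()) for k, v in self.live.items()}

def demo():
    """Concurrent edits, delivered in different orders, then resolved by one side."""
    a, b = Replica("a"), Replica("b")
    b.apply(a.set("title", "draft"))          # shared starting state
    op_a = a.set("title", "Final title")      # both edit the title while disconnected
    op_b = b.set("title", "final TITLE")
    op_c = b.set("tags", ["crdt"])
    for op in (op_b, op_c):                   # a hears b's ops first...
        a.apply(op)
    b.apply(op_a)                             # ...b hears a's op later
    conflict = sorted(a.get("title"))         # both titles are present: nothing was lost
    b.apply(a.set("title", "Final title"))    # a resolves by writing over both
    return a.snapshot() == b.snapshot(), conflict, a.get("title")

if __name__ == "__main__":
    print(demo())
```

The tombstone set is what makes this safe when a replica receives the second of two writes before the first; without it, the late-arriving original value would reappear. The paper's contribution is doing the same kind of thing for nested maps and lists, where the structure itself can be edited concurrently.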