Amazon CloudFront 又增加東京機房了...

CloudFront 又增加東京的點了,這是第四個點:「Amazon CloudFront adds new Edge Locations in Tokyo, Japan and Dallas/Fort Worth, Texas」。

This is our fourth edge location in the Tokyo area and our third in Dallas, bringing the total number of CloudFront locations to 87 (including 76 points of presence and 11 regional edge cache locations).

不愧是亞洲的交換中心...

OpenSSL 1.1.1 將支援 TLS 1.3

OpenSSL 的文章「Using TLS1.3 With OpenSSL」提到了:

The forthcoming OpenSSL 1.1.1 release will include support for TLSv1.3.

另外也提到了 TLS 1.3 的標準是 blocker,在 TLS 1.3 沒出來前不會出 OpenSSL 1.1.1:

OpenSSL 1.1.1 will not be released until (at least) TLSv1.3 is finalised.

OpenSSL 實做的 TLS 1.3 支援了這些 cipher:

  • TLS13-AES-256-GCM-SHA384
  • TLS13-CHACHA20-POLY1305-SHA256
  • TLS13-AES-128-GCM-SHA256
  • TLS13-AES-128-CCM-8-SHA256
  • TLS13-AES-128-CCM-SHA256

GCM 的部份不算意外,比較特別的是包括了 ChaCha20Poly1305 (喊很久了),另外包括了 CCM mode 的實做...

PHP 的主力版本進入 7.0 與 7.1 了...

在「PHP Versions Stats - 2017.1 Edition」這邊分析了 Packagist 上的 access log 而得到的:

可以看到 PHP 7.0 與 7.1 總算是慢慢爬上來了... 另外一個頗有趣的數字是在 comment 提到的 HHVM

@ocramius: These numbers ignore Travis CI and other CI systems that set the "CI" env var in their workers. Without excluding those HHVM is around 0.95% so it's still low but those .36% is probably actual usage.

還是有人在用...

MP3 專利全數過期

看到有人提到,查了維基百科上面的 MP3 條目,看起來在 4/16 就全部都過期了:

The basic MP3 decoding and encoding technology is patent-free in the European Union, all patents having expired there by 2012 at the latest. In the United States, the technology became substantially patent-free on 16 April 2017 (see below).

If the longest-running patent mentioned in the aforementioned references is taken as a measure, then the MP3 technology became patent-free in the United States on 16 April 2017 when U.S. Patent 6,009,399, held by and administered by Technicolor, expired.

The three exceptions are: U.S. Patent 5,878,080, expired February 2017; U.S. Patent 5,850,456, expired February 2017; and U.S. Patent 5,960,037, expired 9 April 2017.

算是可喜可賀?

分析聲音模擬其他人講話...

這種黑科技愈來愈成熟啦:「Lyrebird - An API to copy the voice of anyone」。

Record 1 minute from someone's voice and Lyrebird can compress her/his voice's DNA into a unique key. Use this key to generate anything with its corresponding voice.

Demo 的地方直接拿這三個人惡搞:(這樣做沒問題嗎 XDDD)

Please note that those are artificial voices and they do not convey the opinions of Donald Trump, Barack Obama and Hillary Clinton.

而且是有能力做到即時轉換:

Our GPU clusters generate 1000 sentences in less than half a second.

肥大的 DISQUS

在「Replacing Disqus with Github Comments」這邊看到作者抱怨 DISQUS 的肥大,然後作者自己寫了一個用 GitHub 當後端的 comment system XDDD

先看沒有 DISQUS 的:

然後把 DISQUS 掛進來 XDDD:(不得不說 uBlock OriginDisconnect 是你的好朋友...)

利用手機的 sensor 取得 PIN 碼

把 side-channel information 配合上統計方法就可以達到 74% 的正確率:「Phone Hack Uses Sensors To Steal PINs」。

透過 browser 的 javascript 就可以拉出這些資料,然後利用這些資料去猜你的手機 PIN 碼:

Researchers from U.K.-based Newcastle University created a JavaScript app called PINlogger.js that has the ability to access data generated by the phone’s sensors, including GPS, camera, microphone, accelerometer, magnetometer, proximity, gyroscope, pedometer and NFC protocols.

而且當可以多抓到更多資訊時 (像是第二次輸入) 準確度就更高了:

Using a sample set of 50 PINs, researchers found that their script was able to correctly guess a user’s PIN 74 percent of the time on the first try, which increases to 86 and 94 percent success rates on the second and third attempts.

有些瀏覽器有做一些修正,讓 side-channel information 變少,於是難度變高:

As for Firefox, starting from version 46 (released in April 2016), the browser restricts JavaScript access to motion and orientation sensors. Apple’s Security Updates for iOS 9.3 (released in March 2016), suspended the availability of motion and orientation data when the web view is hidden, according to researchers.

Google 則是沒修:

As for Google, it’s unclear what measures have been taken. “Our concern is confirmed by members in the Google Chromium team, who also believe that the issue remains unresolved,” the report stated. Google did not reply to a request to comment for this report.

這攻擊方式頗不賴... @_@

加快 Ubuntu 上 Firefox 的速度...

新版的 Firefox 已經支援 Multi-processes 架構 (Electrolysis),但 Ubuntu 上會因為預設值的關係而被關閉,這篇文章就是講原因以及怎麼打開:「Enabling This Makes Firefox More Responsive On Ubuntu」。

由於大家都會裝一堆套件,看起來得用 Force Enable 這邊提到的方法打開,也就是手動在 about:config 內加入 browser.tabs.remote.force-enable,並設為 true

Firefox 的轉換還有很長一段時間要走...

BitTorrent 對 SHA-1 的改善計畫?

最新一版的 Tails 不再支援透過 BitTorrent 下載,會被導去「Biterrant attack」這邊的連結,裡面有一些關於在 SHA-1 打穿後要怎麼判斷。

BitTorrent 的討論 (包括 BitTorrent 發明人 Bram Cohen 的參與) 則是在 GitHub 上:「Transitioning to stronger hash function · Issue #58 · bittorrent/bittorrent.org」,不過看起來連要用什麼 hash algorithm 的定案都還沒有啊... 而且二月底比較熱鬧一點,三月後都沒什麼動作了。

看起來短時間也不會有動作了...