Amazon Route 53 支援 CAA record 了

Amazon Route 53 宣佈支援 CAA record 了:「Announcement: Announcement: Amazon Route 53 now supports CAA records」、「Amazon Route 53 now supports CAA records」。

這是一個被動性的 workaround,要求 CA 本身要支援 DNS CAA,所以他沒辦法防止 CA 本身作惡誤簽,但因為負作用與技術債的可能性不高,在 CA/Browser Forum 上被通過強制要求支援了。(參考「未來 CA 將會強制要求檢查 DNS CAA record」)

Gandi 的 DNS 服務也支援了 (要透過 export mode,參考「How can I add a CAA record?」),不過 Linode 還沒做...

DynamoDB 也可以透過 VPC Endpoint 存取了

Amazon DynamoDB 也可以透過 VPC Endpoint 存取了:「New – VPC Endpoints for DynamoDB」。

這樣一來,除了 Amazon S3 可以在 private network 內存取外,DynamoDB 也可以直接存取了...

VPC Endpoint 主要是解決對於安全性與頻寬的需求,不過什麼時候會出一般性的 VPC Endpoint 啊,而非個別服務個別設計打洞...

Debian 對 Reproducible Build 的討論

Debian 在討論 package 的可重製性:「debian-policy: Packages should be reproducible」。本來的討論其實還好,在 2017/08/12 的 DebConf17 後,看起來有一些人取得共識,於是討論熱了起來... 有興趣的人可以從 Message #107 開始看。

Debian 社群想做的事情是「給足夠的資訊以及 source code,就能產生出一模一樣的 binary package」,這樣就不需要盲目信任 Debian 官方。

Debian 官方的 Wiki 上有「ReproducibleBuilds Howto」可以參考,然後也看到「」這個站。

透過 DMCA takedown notice 非法下掉 Easylist 內的過濾條件

參考「Ad blocking is under attack」這邊,有業主 透過 DMCA takedown notice 發信要求 Easylist 移除過濾條件 (參考「」),對應的 commit 參考「M: Removed due to DMCA takedown request」) 這邊。

這件事情再次證實了 DMCA takedown notice 被濫用的情況,明明不是侵權的情況卻被拿來濫用 (因為對原提出者唯一的處罰必須過反過來提告,然後要得自己舉證因為這樣受損)。

目前看起來 EFF 願意介入,就來看看後續了。


看到 Mathcha 這個網站,除了可以輸入 TeX 的公式外,也有 WYSIWYG 的方式輸入,而最後可以輸出成各種格式 (包括 TeX),或是直接丟連結給其他人:

輸入的部份,對於不知道的符號葉可以用畫的 XD

然後網站上的標示寫沒有支援 IE 與 Edge,不知道是真得不支援還是沒列上去而已... XD

在 Git/Mercurial/Subversion 上 "-" 發生的問題

在「[ANNOUNCE] Git v2.14.1, v2.13.5, and others」這邊看到 - 開頭產生的問題:

These contain a security fix for CVE-2017-1000117, and are released in coordination with Subversion and Mercurial that share a similar issue. CVE-2017-9800 and CVE-2017-1000116 are assigned to these systems, respectively, for issues similar to it that are now addressed in their part of this coordinated release.

這算是老問題了,Git 對應的修正主要是朝 filter input 的方向修正,包括了禁用 - 開頭的 hostname,以及禁止 GIT_PROXY_COMMAND- 開頭,另外是禁止開頭是 - 的 repository name:

  • A "ssh://..." URL can result in a "ssh" command line with a hostname that begins with a dash "-", which would cause the "ssh" command to instead (mis)treat it as an option. This is now prevented by forbidding such a hostname (which should not impact any real-world usage).
  • Similarly, when GIT_PROXY_COMMAND is configured, the command is run with host and port that are parsed out from "ssh://..." URL; a poorly written GIT_PROXY_COMMAND could be tricked into treating a string that begins with a dash "-" as an option. This is now prevented by forbidding such a hostname and port number (again, which should not impact any real-world usage).
  • In the same spirit, a repository name that begins with a dash "-" is also forbidden now.

然後中華電信的 DNS server ( & 都查不到,改用 Google 的 才查得到... =_=

Cloudflare 看這次 815 斷電的網路使用變化

Cloudflare 分析了這次 815 停電對網路造成的影響:「Power outage hits the island of Taiwan. Here’s what we learned.」。

以 Cloudflare 在是方機房的 QPS 來看,停電後反而沒有太大變化:


這點從 HiNet 的使用頻寬也可以看出來,頻寬使用量降了 25% (從光世代與 ADSL/VDSL 換到行動網路上?):

AWS CloudHSM 支援 FIPS 140-2 Level 3 了

AWS CloudHSM 推出了一些新功能:「AWS CloudHSM Update – Cost Effective Hardware Key Management at Cloud Scale for Sensitive & Regulated Workloads」。

其中比較特別的是從以前只支援 Level 2 變成支援 Level 3 了:

More Secure – CloudHSM Classic (the original model) supports the generation and use of keys that comply with FIPS 140-2 Level 2. We’re stepping that up a notch today with support for FIPS 140-2 Level 3, with security mechanisms that are designed to detect and respond to physical attempts to access or modify the HSM.

在維基百科裡面有提到 Level 2 與 Level 3 的要求:

Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.

In addition to the tamper-evident physical security mechanisms required at Security Level 2, Security Level 3 attempts to prevent the intruder from gaining access to CSPs held within the cryptographic module. Physical security mechanisms required at Security Level 3 are intended to have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module. The physical security mechanisms may include the use of strong enclosures and tamper-detection/response circuitry that zeroes all plaintext CSPs when the removable covers/doors of the cryptographic module are opened.

主動式偵測以及銷毀算是 Level 3 比 Level 2 安全的地方。


Pay As You Go – CloudHSM is now offered under a pay-as-you-go model that is simpler and more cost-effective, with no up-front fees.

Amazon EFS 也能加密了

Amazon EFS 也支援使用 KMS 加密了,這對於一些要求「落地要加密」的 certification 方便不少:「New – Encryption of Data at Rest for Amazon Elastic File System (EFS)」。

不過東京還沒有 EFS 啊... (繼續敲碗)


2013 的時候提過「加州的手機防竊提案...」,後來在 2015 年生效:

In a press release sent to reporters on Thursday, George Gascón said that since the law went into effect on July 1, 2015[,]


Such a kill switch has become standard in all iPhones ("Activation Lock") and Android phones ("Device Protection") since 2015.

而執行到現在已經兩年了,手機的失竊率下降不少:「San Francisco DA: Anti-theft law results in huge drop in stolen phones」。

[S]martphone-related robberies have fallen 22 percent from 2015 to 2016. When measured from the peak in 2013, "overall robberies involving smartphones have declined an astonishing 50 percent."