Windows 10 將支援 AF_UNIX (Unix Socket)

在「Unix sockets come to Windows」這邊看到微軟的說明文「AF_UNIX comes to Windows」,Windows 10 將要引入 AF_UNIX 了:

Beginning in Insider Build 17063, you’ll be able to use the unix socket (AF_UNIX) address family on Windows to communicate between Win32 processes. Unix sockets allow inter-process communication (IPC) between processes on the same machine.

所以這讓跨 process 溝通的方式又多了一種,而 Unix 的程式如果要移植到 Windows 上,至少這塊有相容... (相容性與 bug 還不知道情況 XD)

ExpressVPN 在土耳其的 VPN server 被抄...

ExpressVPN 在土耳其的 VPN server 被抄,為了調查大使的刺殺案件:「VPN Server Seized to Investigate Russian Ambassador’s Assassination」。

A VPN server operated by ExpressVPN was seized by Turkish authorities to investigate the assassination of Andrei Karlov, the Russian Ambassador to Turkey. Authorities hoped to find more information on people who removed digital traces of the assassin, but the server in question held no logs.

ExpressVPN 官方的回覆在「ExpressVPN statement on Andrey Karlov investigation」,主要的部份是:

As we stated to Turkish authorities in January 2017, ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs. We believe that the investigators’ seizure and inspection of the VPN server in question confirmed these points.


Facebook 自己找人研究,Social Media 是否對人類有害 XDDD

之前看到「Hard Questions: Is Spending Time on Social Media Bad for Us?」這篇,一直不知道要怎麼吐槽... 然後看到 Twitter 上的這則 tweet XDDD


真的不知道怎麼吐槽 XDDD

用 Composer 的 require 限制,擋掉有安全漏洞的 library...

查資料的時候查到的,在 GitHub 上的 Roave/SecurityAdvisories 這個專案利用 Composerrequire 條件限制,擋掉有安全漏洞的 library:

This package ensures that your application doesn't have installed dependencies with known security vulnerabilities.

看一下 composer.json 就知道作法了,裡面的 description 也說明了這個專案的用法:

Prevents installation of composer packages with known security vulnerabilities: no API, simply require it

這方法頗不賴的 XDDD

兩個 gperf...


一個是 GNUgperf,給定字串集合,產生 C 或 C++ 的 perfect hash function (i.e. no collision):

GNU gperf is a perfect hash function generator. For a given list of strings, it produces a hash function and hash table, in form of C or C++ code, for looking up a value depending on the input string. The hash function is perfect, which means that the hash table has no collisions, and the hash table lookup needs a single string comparison only.

另外一個是 Google 弄出來的 gperftoolsmalloc() 的替代品以及效能分析工具:

gperftools is a collection of a high-performance multi-threaded malloc() implementation, plus some pretty nifty performance analysis tools.

Windows 10 自動安裝 Keeper 產生安全漏洞,然後 Keeper 決定告記者...

Ars Technica 報導了 Windows 10 自動安裝了 Keeper 這個密碼管理程式,然後這個管理程式被 Tavis Ormandy 發現有安全漏洞,可以讓惡意網站直接存取密碼 (參考「keeper: privileged ui injected into pages (again)」):「For 8 days Windows bundled a password manager with a critical plugin flaw」。

發現漏洞的作者在 16 個月前有抓到 Keeper 的漏洞 (參考「Keeper: Trusted UI is injected into untrusted webpage」),於是他就拿同樣的方法打一打,結果就爆了:

I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages ( issue 917 ). I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.

漏洞後來被修正了,但是 Keeper 也對 Ars Technica 的記者提告:「Security firm Keeper sues news reporter over vulnerability story」。

Keeper said in its lawsuit that Goodin and his employer, tech site Ars Technica, also named as defendant, "made false and misleading statements about the Keeper software application suggesting that it had a 16-month old bug that allowed sites to steal user passwords."

這樣就清楚知道 Keeper 這家公司的調性了,之後看到他們家的東西要小心。



在「elttam - Remote LD_PRELOAD Exploitation」這邊看到的技巧,記得以前有被提過 (還有 IFS 變數被拿來玩),但這幾年純 CGI 程式比較少了 (像是 nginx 不支援 CGI),所以有種新鮮感... (雖然不是新東西 XD)

這次中獎的是 GoAhead 這套 web server,被發 CVE-2017-17562,然後作者用 Shodan 翻了一下,Internet 上有不少肉雞可以玩:

當年 CGI 架構的餘孽 XDDD

CPU 成為現代網站的速度瓶頸

在「Tracking CPU with Long Tasks API」這邊提到的現象,雖然是在提新的 API,不過裡面提到了很重要的問題。

以前的網站因為 js 都沒有用的那麼多,所以主要的瓶頸在於網路速度。所以大家最佳化的方向都是往「如何讓傳輸量變小」的方式進行,像是各類 js 的 minify,甚至是對 Gzip 演算法的暴力改善 (維持相容的 Zopfli,以及新的 Brotli):

In the old days, delivering a fast user experience depended primarily on download speed. One reason why the network was the main bottleneck back then is that JavaScript and CSS weren’t used as much as they are now, so CPU wasn’t a critical factor.

而現代網站使用 js 的情況已經是來到了新的境界 (甚至很多網站是沒有 js 就不會動),於是對於 CPU 的能力就愈來愈要求:

According to the HTTP Archive, the top 1000 websites download five times more JavaScript today compared to seven years ago.

而手機也愈來愈普及,CPU 的能力相較起來就更嚴峻了...

Google 發表新的 TTS (Text-to-Speech) 技術 Tacotron 2

Tacotron 是 Google 發表的 TTS 技術 (i.e. 輸入文字,請電腦發音),而前一版的 Tacotron 的錄音可以參考「Audio samples from "Tacotron: Towards End-to-End Speech Synthesis"」,論文則是在「Tacotron: Towards End-to-End Speech Synthesis」這邊可以看到。

這一版的則是在 Twitter 上看到有人提到:

這一版叫做 Tacotron 2,錄音可以參考「Audio samples from "Natural TTS Synthesis by Conditioning WaveNet on Mel Spectrogram Predictions"」,論文在「Natural TTS Synthesis by Conditioning WaveNet on Mel Spectrogram Predictions」。

這次在錄音頁面的最下面提供了盲測 (人類與 Tacotron 2 的錄音),基本上已經分不出哪個是真人了...