Category Archives: Network

GitHub 的 Webhook IP 增加網段

GitHub 發出的 Webhook 的來源位置增加網段了:「Webhook IP addresses are changing」。

目前是 192.30.252.0/22,在 2019/04/09 後將會增加 140.82.112.0/20,如果有用防火牆的人需要修改設定,把多的這段加上去。

去年就把這個網段放進 API 裡,但一直都還沒啟用,所以如果你有透過 API 動態更新防火牆規則的話就沒問題,現在是最後登機廣播了:

This block of IPs has been in the /meta API endpoint since May 2018, but we wanted to announce this update in case you missed it.

AWS 推出更便宜的儲存方案 Glacier Deep Archive

AWS 推出的這個方案價錢又更低了:「New Amazon S3 Storage Class – Glacier Deep Archive」。

在這之前在 us-east-1S3 最低的方案是 Glacier Storage,單價是 USD$0.004/GB (也就是 $4/TB)。

而這次推出的 Glacier Deep Archive Storage 在同一區則是直接到 USD$0.00099/GB ($0.99/TB),大約是 1/4 的價錢。

Glacier Deep Archive 在取得時 first byte 的保證時間是 12 小時,另外最低消費是 180 天:

Retrieval time within 12 hours

先前就有的 Glacier Storage 則是可以在取用時設定取得的 pattern (會影響 first byte 的時間),而最低消費是 90 天:

Configurable retrieval times, from minutes to hours

Pricing for each of these metrics is determined by the speed at which data is requested based on three options. "Expedited" queries <250 MB are typically returned in 1-5 minutes. "Standard" queries are typically returned in 3-5 hours. "Bulk" queries are typically returned in 5-12 hours.

多一個更便宜的選擇可以用。

Amazon Aurora with MySQL 5.7 支援 GTID

雖然在 AWS 上服務的 HA 大多都不需要自己管理,但備份機制 (甚至異地備援) 還是要自己規劃,Amazon Aurora with MySQL 的 GTID 功能算是讓這塊多了一個選擇:「Amazon Aurora with MySQL 5.7 Compatibility Supports GTID-Based Replication」。

公告裡面有提到 Aurora 自己的 replication 還是用自己的機制,而非透過 GTID 做的:

This provides complete consistency when using binlog replication between an Aurora database and an external MySQL database. Your replication won’t miss transactions or generate conflicts, even after failover or downtime. (Note that replication within an Aurora cluster doesn't use binlog files, so the GTID feature doesn't apply.)

不過就 Aurora 的架構來說,整個 cluster 比較像是看作一個整體,用 binlog + position 應該是夠用的?也不會有 failover 時的 conflict 問題?不確定用 GTID 的好處會在哪邊,還得再想看看...

FTC 找了七家 ISP 業者要研究隱私問題...

FTC 要研究 ISP 手上有哪些客戶的資料,然後提供給誰:「FTC Seeks to Examine the Privacy Practices of Broadband Providers」。

The Federal Trade Commission issued orders to seven U.S. Internet broadband providers and related entities seeking information the agency will use to examine how broadband companies collect, retain, use, and disclose information about consumers and their devices.

包括了這七家,裡面的六家都算大業者,被 FTC 納入不算意外,第七家包括了 Google Fiber Inc.,到時候不知道會有什麼資訊出來:

The orders were sent to: AT&T Inc., AT&T Mobility LLC, Comcast Cable Communications doing business as Xfinity, Google Fiber Inc., T-Mobile US Inc., Verizon Communications Inc., and Cellco Partnership doing business as Verizon Wireless.

看了一下 PDF,應該是 45 天後要回覆,加上整理的時間,應該是下半年會看到一些整理?

Zoom 也要 IPO 了...

最近的資訊網路圈子 IPO 案子好多,其中一個比較值得注意的是 Zoom:「Zoom, a profitable unicorn, files to go public」。

這家公司不像 PagerDutyPinterest,這兩家是沒賺過錢就丟單子出來了,而 Zoom 是有賺錢還打算出來 IPO:

Zoom, which raised a total of $145 million to date, posted $330 million in revenue in the year ending January 31, 2019, a remarkable 2x increase year-over-year, with a gross profit of $269.5 million. The company similarly more than doubled revenues from 2017 to 2018, wrapping fiscal year 2017 with $60.8 million in revenue and 2018 with $151.5 million.

啊不過 Zoom 真的蠻好用的,一群人在不同地方要討論事情時,用電子白板或是分享畫面都還不錯... 這幾天跟不是資訊圈子的人在用也都有很正面的 feedback。

Cloudflare 自己用 Rust 寫了一套相容 WireGuard 協定的軟體

Cloudflare 發現目前符合他們條件的 WireGuard 軟體效能不夠好,所以就用 Rust 寫了一套出來:「BoringTun, a userspace WireGuard implementation in Rust」,軟體在「BoringTun」這邊可以看到。

Cloudflare 的條件是 userspace 以及多平台,市面上有 wireguard-go 符合這兩個條件,但效能不太好,所以就下去寫了。

GitHub 的頁面上可以看出還在剛開始的階段,很多頁面都還只有個雛型... 等這幾天陸陸續續更新後再回來看好了。

將本機開發網站展示給外部看的工具 inlets

要講 inlets 前要先講 ngrok 這個服務。這個服務可以在開發機上主動建立連線到外部伺服器,接著透過這個連線與本機的 web server 溝通,讓外部的客戶可以很方便的進行測試 (通常會開個 Zoom 之類的工具邊討論邊修改),算是 reverse proxy as a service 的服務。

類似機制的服務還有 CloudflareArgo Tunnel,不過產品定位不太一樣。

而 inlets 就是 open source 版本的 ngrok,你只要在外部租一台主機就可以用了。左邊是自己的開發機 (像是 Macbook),右邊則是外部的主機 (租用 VPS):

不過這個跟開發模式也有關...

AWS 推出了 Live 時全自動上字幕的功能

AWS 推出了在直播時就自動上字幕的功能:「Introducing Live Streaming with Automated Multi-Language Subtitling」,其實就是把現有的服務兜出來:「Live Streaming with Automated Multi-Language Subtitling」。

The solution deploys Live Streaming on AWS which includes AWS Elemental MediaLive, MediaPackage, Amazon CloudFront. The solution also deploys AWS Lambda, Amazon Simple Storage Service, Amazon Transcribe, and Amazon Translate.

對於比較沒那麼要求翻譯品質的情況也許可以玩看看...?

Facebook 員工爆料內部密碼存了明碼

Krebs on Security 這邊看到的:「Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years」,Facebook 官方的回應在「Keeping Passwords Secure」這邊。

幾個重點,第一個是範圍,目前已經有看到 2012 的資料都有在內:

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

另外的重點是這些資料已經被內部拿來大量搜尋 (喔喔):

My Facebook insider said access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

另外是 Legal 與 PR 都已經啟動處理了,對外新聞稿會美化數字,降低傷害:

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source said. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”

另外也會淡化後續的程序:

Renfro said the company planned to alert affected Facebook users, but that no password resets would be required.

去年的另外一則新聞可以交叉看:「Facebook’s security chief is leaving, and no one’s going to replace him」:

Instead of building out a dedicated security team, Facebook has dissolved it and is instead embedding security engineers within its other divisions. “We are not naming a new CSO, since earlier this year we embedded our security engineers, analysts, investigators, and other specialists in our product and engineering teams to better address the emerging security threats we face,” a Facebook spokesman said in an email. Facebook will “continue to evaluate what kind of structure works best” to protect users’ security, he said.

看起來又要再換一次密碼了... (還好已經習慣用 Password Manager,所以每個站都有不同密碼?)

喔對,另外補充一個概念,當他們說「我們沒有證據有人存取了...」的時候,比較正確的表達應該是「我們沒有稽核這塊... 所以沒有證據」。

用 jiracli 做一些基本常見的操作

公司用 Jira 在管理事情,但眾所皆知的是 Jira 的速度實在太慢 (而且沒改善過),只好找些工具來避免使用 web interface...

翻了 GitHub 後看到 toabctl/jiracli 這個用 Python 開發的軟體,可以在 command line 上對 Jira 做些簡單常見的操作 (對我最主要是 issue 與 comment 的操作),另外工具也支援使用 JQL 搜尋,所以可以透過工具拉下來後再用 grep 或是 awk 過濾...

比較需要注意的是,在第一次執行需要設定的三個參數中,password 的部分其實應該使用 API token (我這邊是 Google SSO,所以不確定一般帳號能不能用自己的密碼登入),這個部分可以在個人設定頁面裡面產生 API token。

設定檔會在 ~/.jiracli.ini 裡面,程式應該會設為 0600,不過可以檢查一下就是了...