Home » Archive by category "Computer" (Page 2)

Cloudflare 推出 Spectrum:65535 個 TCP Port 都可以轉的 Proxy...

Cloudflare 推出了 Spectrum,文章標題提到的 65533 應該是指 80 & 443 以外其他的 port:「Introducing Spectrum: Extending Cloudflare To 65,533 More Ports」。

然後因為 TCP proxy 不像 HTTP proxy 與 WebSocket proxy 可以靠 Host header 資訊判斷,在 TCP proxy 需要獨占 IP address 使用 (i.e. 一個 IP address 只能給一個客戶用),而因為 IPv4 address 不夠的關係,這個功能只開放給 Enterprise 客戶用:

Today we are introducing Spectrum, which brings Cloudflare’s security and acceleration to the whole spectrum of TCP ports and protocols for our Enterprise customers.

雖然現在限定在 Enterprise 客戶,但 Cloudflare 還是希望看看有沒有其他想法,目前提出來的選項包括了開放 IPv6 address 給所有人用,或是變成獨立付費項目:

Why just Enterprise? While HTTP can use the Host header to identify services, TCP relies on each service having a unique IP address in order to identify it. Since IPv4 addresses are endangered, it’s quite expensive for us to delegate an IP per application and we needed to limit use. We’re actively thinking about ways to bring Spectrum to everyone. One idea is to offer IPv6-only Spectrum to non-Enterprise customers. Another idea is let anyone use Spectrum but pay for the IPv4 address. We’re not sure yet, but if you prefer one to the other, feel free to comment and let us know.

類似的產品應該是 clean pipe 類的服務,但一般 clean pipe 是透過 routing 重導清洗流量,而非像 Cloudflare 這樣設計... 不知道後續會有什麼樣的變化。

FTC 警告 Nintendo 與 Sony「拆封喪失保固」違反聯邦法

在「FTC Warns Companies ‘Warranty Void if Removed’ Stickers Are Flatly Illegal」這邊看到的新聞。FTC 的新聞稿則可以在「FTC Staff Warns Companies that It Is Illegal to Condition Warranty Coverage on the Use of Specified Parts or Services」這邊看到。

主要是因為美國的聯邦法 Magnuson–Moss Warranty Act (在 STATUTE-88-Pg2183.pdf 這邊可以看到條文 PDF,雖然看起來是掃描的圖檔,但有透過 OCR 處理讓大多數的文字都可以搜尋)。

這套聯邦法保護消費者在接受保固時不受嚴苛的限制。法條裡面並沒有強制規定一定要有保固,但規定了如果有保固時,有哪些行為是受到規範的,以避免消費者受到不平等的對待:

The law does not require any product to have a warranty (it may be sold "as is"), but if it does have a warranty, the warranty must comply with this law. The law was created to fix problems as a result of manufacturers using disclaimers on warranties in an unfair or misleading manner.

其中這段條文讓 FTC 認為「拆封喪失保固」違法:

(c) No Warrantor of a consumer product may condition his written or implied warranty of such product on the consumer's using, in connection with such product, any article or service (other than article or service provided without charge under the terms of the warranty) which is identified by brand, trade, or corporate name; except that the prohibition of this subsection may be waived by the Commission if—
(1) the warrantor satisfies the Commission that the warranted product will function properly only if the article or service so identified is used in connection with the warranted product, and
(2) the Commission finds that such a waiver is in the public interest.

在 FTC 的新聞稿中提到他們發給六家警告,列出了其中三家的文字,在媒體的報導裡面也都找出來這些文字分別是從哪些公司出來的,包括了 Hyundai (現代)、Nintendo (任天堂) 以及 Sony (索尼):

“The use of [company name] parts is required to keep your… manufacturer’s warranties and any extended warranties intact.” = Hyundai.

“This warranty shall not apply if this product… is used with products not sold or licensed by” = Nintendo.

“This warranty does not apply if this product… has had the warranty seal on the [product] altered, defaced, or removed” = Sony.

不過在另外一邊,Reddit 上 Nintendo 區的討論也蠻有趣的:「FTC Staff Warns Companies that it is Illegal to Condition Warranty Coverage on the Use of Specified Parts or Services : nintendo」,裡面就稍微扯遠了一些,提到了改機之類的保固問題...

另外值得一提的是,同一家媒體在 2016 年的時候就有報導類似的事情了,不過看起來當時沒什麼改善:「Microsoft, Sony, and other companies still use illegal warranty-void-if-removed stickers」,這次由 FTC 出手應該會再更有力道一些。

Netflix 的 FrameScope,將效能資料轉成 2D 圖片

Netflix 丟出了 FlameScope,另外一種顯示效能的工具,將效能資料轉成 2D 圖片:「Netflix FlameScope」。

We’re excited to release FlameScope: a new performance visualization tool for analyzing variance, perturbations, single-threaded execution, application startup, and other time-based issues.

然後這個工具同樣是發明火焰圖的 Brendan Gregg 與他的同事 Martin Spier 的作品:

FlameScope was developed by Martin Spier and Brendan Gregg, Netflix cloud performance engineering team. Blog post by Brendan Gregg.

火焰圖 (flame graph) 就是這個:

這次推出的是這樣的圖:

其實是每秒切一次 offset 做出來的圖:

就可以很簡單的看出來哪些區塊以及 pattern 是熱點:

HTTPS Everywhere 改變更新 Ruleset 機制,變成定時更新...

HTTPS Everywhere 是我很喜歡的一個套件,裡面有 Ruleset,會將 Ruleset 表內認定有支援 HTTPS 網站的 HTTP request 都改成 HTTPS,這可以降低被攔截的風險。像是網站雖然有 HSTS 但第一次連線時走 HTTP 的情況,以及網站本身有支援 HTTPS 但沒有設定 HSTS 時,在網址列上誤打 HTTP 版本的情況。

先前版本的 Ruleset 是隨著軟體更新時,包在軟體內一起更新。這樣的缺點是更新速度比較慢,但好處是不需要伺服器端,而且隱私性也比較高。而現在 EFF 決定還是要推出線上更新的版本,以加速 Ruleset 更新的速度:「HTTPS Everywhere Introduces New Feature: Continual Ruleset Updates」。

We've modified the extension to periodically check in with EFF to see if a new list is available.

而頻寬的部份由 Fastly 贊助:

If you haven't already, please install and contribute to HTTPS Everywhere, and consider donating to EFF to support our work!

如果對這點有疑慮的,也還是可以關掉 auto updater 避免洩漏資訊給 EFF 或是 Fastly。

把 git log 用得很開心...?

看到「git log – the Good Parts」這篇文章,裡面研究了 Gitgit log 的各種好用的功能,然後整理出來... (所以是 good parts XD)

作者用的參數是一個一個加上去,所以可以一個階段一個階段了解用途。除了可以用作者推薦的 repository 測試外,我建議大家拿個自己比較熟悉的 open source 專案來測 (有用到比較複雜的架構):

git log
git log --oneline
git log --oneline --decorate
git log --oneline --decorate --all
git log --oneline --decorate --all --graph

看到喜歡的部份可以在 ~/.gitconfig 裡設 alias 使用,像是用 git l 之類的?保留 git log 本身可以避免一些 script 用到這個指令時因為輸出格式跟預期不一樣而爛掉 XD

TWCA 不在 Java Trust Store 裡...

SSL Labs 上翻資料的時候發現看到台灣有些網站的 SSL 憑證在 Java Trust Store 內是不會取得信任授權的,但其他的都支援,像是這樣:

翻了幾個後發現都是 TWCA 的,在其他家都是這樣授權出來的 (Mozilla/Apple/Android/Windows):(TWCA Root Certification Authority -> ) TWCA Global Root CA -> TWCA Secure SSL Certification Authority -> Final,也就是 TWCA 的兩個 Root CA 都在 trust store 內,走任何一條授權都可以拉出來。

印象中之前應該都是支援的... 先前是 cross sign 嗎?@_@

gron:把 JSON 結構轉成條列式的資料,方便後續的文字處理...

在「gron makes JSON more greppable」這邊看到 gron 這個工具,可以將 JSON 轉成條列式的資料 (或是反過來,將條列式的資料轉回 JSON)。

像是網站上給的範例之一:

▶ gron testdata/two.json 
json = {};
json.contact = {};
json.contact.email = "mail@tomnomnom.com";
json.contact.twitter = "@TomNomNom";
json.github = "https://github.com/tomnomnom/";
json.likes = [];
json.likes[0] = "code";
json.likes[1] = "cheese";
json.likes[2] = "meat";
json.name = "Tom";

這讓 grep 或是 sed 之類的工具會更好操作,不然得用 jq 盧半天...

Cloudflare 推出 Argo Tunnel

Cloudflare 推出了 Argo Tunnel,可以將內部網路與 Cloudflare 之間打通:「Argo Tunnel: A Private Link to the Public Internet」。

Cloudflare 在去年推出了 Wrap (可以參考「Cloudflare 推出的 Wrap 讓你不用在本地端開對外的 Port 80/443」這篇),這次其實只是改名:

During the beta period, Argo Tunnel went under a different name: Warp. While we liked Warp as a name, as soon as we realized that it made sense to bundle Warp with Argo, we wanted it to be under the Argo product name. Plus, a tunnel is what the product is so it's more descriptive.

看起來沒有什麼新的玩意... 純粹改名字 :o

AWS Certificate Manager 提供 Private CA

AWS Certificate Manager 推出了 Private CA,讓使用者可以在不接觸到 CA 的 Private Key 就可以操作 CA 行為:「AWS Certificate Manager Launches Private Certificate Authority」。

支援的演算法除了標準的 RSA 外,還包括了 ECC 的 (雖然是 NIST 的 P-256 與 P-384):

然後直接內建了 CRL 服務,透過 Amazon S3 做:

要注意的是價錢有點奇怪:

Private CAs cost $400 per month (prorated) for each private CA. You are not charged for certificates created and maintained in ACM but you are charged for certificates where you have access to the private key (exported or created outside of ACM). The pricing per certificate is tiered starting at $0.75 per certificate for the first 1000 certificates and going down to $0.001 per certificate after 10,000 certificates.

中間省掉 1k 到 10k 是 USD$0.35/cert (可以在 pricing 頁面看到)。

不管如何,這計價模式有點怪怪的... 收了固定的費用,每個 certificate 的費用要到 USD$0.75,這看不太懂。另外是 10k 後的單價明顯與前面比例不太合。

看起來像是跟某個 partner 合作談出來奇怪的 pricing model,但也不知道是哪家... :o

Archives