Category Archives: Security

歡樂的 md5crypt 密碼...

Posted on July 21, 2017 by Gea-Suan Lin

作者寫了一篇關於以前在 WHOIS 記錄上看到一串 $1$ 開頭的 md5crypt 密碼 XDDD：「I mean, why not tell everyone our password hashes?」。 Now the fields are filtered but this is a reasonably recent change. Prior to July 2015 the hashed passwords were shown to anyone who … Continue reading →

Posted in Computer, Murmuring, Network, Security | Tagged bcrypt, crypt, cryptography, hash, hashcat, md5, md5crypt, nic, password, security, whois | Leave a comment

對 Open Data 的攻擊手段

Posted on July 18, 2017 by Gea-Suan Lin

前陣子看到的「Membership Inference Attacks against Machine Learning Models」，裡面試著做到的攻擊手法： [G]iven a data record and black-box access to a model, determine if the record was in the model's training dataset. 也就是拿到一組 Open Data 的存取權限，然後發展一套方法判斷某筆資料是否在裡面。而驗證攻擊的手法當然就是直接攻擊看效果： We empirically evaluate our inference techniques on classification models … Continue reading →

Posted in Computer, Murmuring, Privacy, Programming, Search Engine, Security | Tagged attack, data, dataset, learning, machine, model, network, neural, open, privacy, security | 1 Comment

Amazon Route 53 將會加緊支援 DNS CAA

Posted on July 17, 2017 by Gea-Suan Lin

看到 Amazon Route 53 要支援 DNS CAA 的消息：「Announcement: Announcement: CAA Record Support Coming Soon」。裡面有提到 CA/Browser Forum 的決議，要求各瀏覽器支援 DNS CAA： On March 8, 2017, the Certification Authority and Browser Forum (CA/Browser Forum) mandated that by September 8, 2017, CA’s are … Continue reading →

Posted in AWS, Cloud, Computer, DNS, Murmuring, Network, Security | Tagged amazon, aws, ca, caa, certificate, cloud, dns, https, privacy, root, route53, security, ssl, tls | Leave a comment

直接接管整個 .io 的網域...

Posted on July 11, 2017 by Gea-Suan Lin

在「The .io Error – Taking Control of All .io Domains With a Targeted Registration」這邊看到的 XDDD 其實就是這樣： ;; AUTHORITY SECTION: io. 172800 IN NS ns-a1.io. io. 172800 IN NS ns-a2.io. io. 172800 IN NS ns-a3.io. io. 172800 IN NS ns-a4.io. io. … Continue reading →

Posted in Computer, DNS, Murmuring, Network, Security, Service | Tagged dns, domain, io, name, security, server, service, tld | 2 Comments

BoringSSL 的 FIPS 140-2 驗證

Posted on July 10, 2017 by Gea-Suan Lin

看到由 Google 主導的 BoringSSL 有計劃將其中一塊申請 FIPS 140-2 的驗證計畫 (BoringCrypto 的部份)：「FIPS 140-2」。其中 FIPS 140-2 最有名的後門應該是 Dual_EC_DRBG (定義於 NIST SP 800-90A，被 FIPS 140-2 引用)，所以特地講清楚他們選擇哪個演算法： FIPS 140-2 requires that one of its PRNGs be used (which they call DRBGs). In BoringCrypto, we … Continue reading →

Posted in Computer, Library, Murmuring, Privacy, Security, Software | Tagged aes, boringssl, cryptography, ctr, drbg, dual_ec_drbg, fips, google, nist, prng | Leave a comment

AWS 的 Patch Manager 支援 Linux

Posted on July 9, 2017 by Gea-Suan Lin

在「Amazon EC2 Systems Manager Patch Manager now supports Linux」這邊 AWS 宣佈了 Patch Manager 支援 Linux 的消息。目前支援的包括了： Amazon Linux 2014.03 and later (2015.03 and later for 64-bit) Ubuntu Server 16.04 LTS, 14.04 LTS, and 12.04 LTS RHEL 6.5 and later … Continue reading →

Posted in AWS, Cloud, Computer, Murmuring, Network, Security, Service, Software | Tagged amazon, aws, cloud, ec2, linux, manager, patch, rhel, security, ubuntu, update | Leave a comment

Google Chrome 對 WoSign 與 StartCom 的白名單要完全移除了

Posted on July 7, 2017 by Gea-Suan Lin

在 Twitter 上看到的： Chrome will fully distrust WoSign and StartCom in Chrome 61; beta in July, stable in September. https://t.co/5fnda6aUQw — Ivan Ristic (@ivanristic) July 7, 2017 對 WoSign 與 StartCom 的移除會發生在 61 版，而依照「Final removal of trust in WoSign and … Continue reading →

Posted in Browser, Computer, GoogleChrome, Murmuring, Network, Security, Service, Software, WWW | Tagged ca, certificate, chrome, google, https, privacy, root, security, ssl, startcom, tls, wosign | Leave a comment

用照片打鑰匙的服務

Posted on July 7, 2017 by Gea-Suan Lin

在 Bruce Schneier 的 blog 上看到 KeyMe 這個服務：「Now It's Easier than Ever to Steal Someone's Keys」。你把鑰匙的照片拍下來，透過 app 上傳付款後，他就把鑰匙寄給你 XDDD 查了一下資料，在五年前 (2012) 的時候就有人做遠距離攻擊的研究了：「60 公尺外，拍照攝影就可以重製鑰匙...」，所以有好的方面，也有邪惡的方面...

Posted in Computer, Murmuring, Privacy, Security | Tagged digital, image, key, photo, security | 1 Comment

Let's Encrypt 決定要規劃 Wildcard SSL Certificate 了

Posted on July 7, 2017 by Gea-Suan Lin

Let's Encrypt 把時間表喊出來了，預定在 2018 年年初開放使用：「Wildcard Certificates Coming January 2018」。 Wildcard SSL Certificate 會需要走新的 ACME v2 協定認證： Wildcard certificates will be offered free of charge via our upcoming ACME v2 API endpoint. We will initially only support base domain validation via … Continue reading →

Posted in Computer, Murmuring, Network, Privacy, Security, Service | Tagged acme, api, ca, certificate, domain, endpoint, https, letsencrypt, privacy, security, ssl, tls, wildcard | Leave a comment

AWS 支援跨帳號丟 CloudWatch Events 了

Posted on July 2, 2017 by Gea-Suan Lin

以前要記錄行為會透過 AWS Lambda 轉丟到其他帳號下記錄，有一堆眉眉角角的東西要注意，現在則是直接支援了：「New – Cross-Account Delivery of CloudWatch Events」。文章裡有提到兩種用途，其中一種就是做安全性的記錄： Separation of Concerns – Customers would like to handle and respond to events in a separate account in order to implement advanced security schemes. 另外一種則是為了將記錄丟到同一個地方： Rollup – Customers are … Continue reading →

Posted in AWS, Cloud, Computer, Murmuring, Network, Security | Tagged account, amazon, aws, cloud, cloudwatch, cross, delivery, event | Leave a comment

Category Archives: Security

歡樂的 md5crypt 密碼...

對 Open Data 的攻擊手段

直接接管整個 .io 的網域...

BoringSSL 的 FIPS 140-2 驗證

Google Chrome 對 WoSign 與 StartCom 的白名單要完全移除了

用照片打鑰匙的服務

Let's Encrypt 決定要規劃 Wildcard SSL Certificate 了

Recent Comments

Archives

Categories

Blogroll

Meta

Category Archives: Security

Recent Comments

Archives

Tags

Categories

Blogroll

Meta