
Removing NoScript

Yes, I removed NoScript, for a few reasons:

  • I don't use any of the sites that have the problem (that is, there is no login cookie or anything else there that could be abused)
  • With JavaScript disabled, Media Player breaks very easily, and then it breaks along with it...
  • Lots of Web 2.0 applications use JavaScript, so every so often I have to click the bottom-right corner and choose "temporarily enable", which is a hassle :/

So I removed it XD

Race Condition

Seeing the shell script in the post Messing with DISPLAY (for screen):

echo $DISPLAY > /tmp/display
chmod 600 /tmp/display

The first thing that came to mind was a race condition; the next was breaking it with a symbolic link XD
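A hardened way to do the same thing, added here as an example (not the linked post's own script): the file is kept in a directory only the user can enter rather than a fixed path in shared /tmp, and it is created exclusively by mktemp and renamed into place, so there is no window between the write and the chmod for anyone to slip a link in. The directory argument and the `display` file name are my choice.

```shell
# Added example, not the script from the linked post. Record $DISPLAY for
# later use without the race on a fixed, predictable /tmp/display path.
#
# Usage: save_display DIR [VALUE]   (VALUE defaults to $DISPLAY)
save_display() {
    dir=$1
    value=${2:-$DISPLAY}
    old_umask=$(umask)
    umask 077                               # everything we create is private
    mkdir -p "$dir" || { umask "$old_umask"; return 1; }
    # The directory must be a real directory, not a link planted by someone else
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        umask "$old_umask"; return 1
    fi
    # Close it if it already existed with looser permissions (fails if not ours)
    chmod 700 "$dir" || { umask "$old_umask"; return 1; }
    # mktemp creates the file exclusively with mode 0600 before we write to it
    tmp=$(mktemp "$dir/display.XXXXXX") || { umask "$old_umask"; return 1; }
    printf '%s\n' "$value" > "$tmp"
    # rename() replaces the directory entry atomically and never follows a
    # symlink at the destination: a planted link is replaced, not written through
    mv -f "$tmp" "$dir/display"
    rc=$?
    umask "$old_umask"
    return $rc
}

# Companion reader: only trust a regular, non-link file in that directory.
load_display() {
    f="$1/display"
    [ ! -L "$f" ] && [ -f "$f" ] && cat "$f"
}
```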

SSL Certificates for educational institutions

(Originally posted on tw.bbs.comp.386bsd)

This has nothing to do with BSD, but it should matter to many BSD/Linux admins.

If an SSL certificate is signed with a root certificate you made yourself, that root certificate has to be installed before the site is used, or a warning message will appear.

To avoid that warning you have to go to an outside CA and have it sign your certificate. Prices vary a lot: the expensive ones run to about USD$1000/year, while the cheap ones can be found on sale for USD$10/year. Naturally, how well connections work with each (see note) differs.

不過對於教育單位來說,只是為了要避免那個警告視窗。(以及加密... 廢話!)

(Note: old browsers only support Verisign and a handful of other root CAs, so if the people still running such antiques matter to you, you should consider Verisign or another long-established root CA...)

Back to the SSL cert policy for educational institutions (*.edu or *.edu.tw, where the domain name alone confirms it is a school or the like): the best option is one that is free and not too hard to apply for:

This organization issues SSL certificates to educational institutions, verified by e-mail and signed for two years at a time. We have actually applied and it works fine; you can give it a try:

Digg Effect and DDoS Attack

Not long after this www.WikiTree.org piece was published, the original site went down under the Digg effect...

What makes it worth writing about, though, is not the outage but the notice the site put up XD

WikiTree.org Has Been Badly Cut!

Wikitree.Org has suffered a DoS attack on 20060306-7 and had to be suspended to protect the webserver.

Shame on anybody responsible for the attack!

Be sure, however, that Wikitree.Org will be up and running again as soon as humanly possible...

It may take some hours, but also several days.

WordPress 2.0.2

[wp-testers] 2.0.2 on Tuesday announces that 2.0.2 will be released on Tuesday, apparently because of an undisclosed security issue:

We need to release 2.0.2 to address a security bug. No, not the security bug that caused all of the commotion recently, another one.

We'll get a package out shortly. In the meantime, pull the latest from the 2.0 branch.

http://svn.automattic.com/wordpress/branches/2.0/

This contains fixes for both security issues as well as a handful of non-security bugs. Here's the list of bugs, sans the security issues.

http://trac.wordpress.org/query?action=view&status=closed&resolution=fixed&milestone=2.0.2&order=priority

Look over the bug list and target your testing on the affected areas. I'll add the security issues to the list when we release.

Tuesday is just a target. If we can't make it we can delay a bit, but we need to get this out soon.

Ryan

Security issues: the obligation to notify in advance

Normally, once a security issue is discovered, the responsible party (the vendor) is notified by mail first, and the issue is made public only after a patch is available or the problem has been fixed.

Sometimes, though, you run into a vendor that simply won't respond... in which case, give them a good public kick XD

IV. HISTORY
30th Jan, 2006 - Bug originally discovered
2nd Feb, 2006 - Vendor Notified
...
...
No vendor response
...
...
22nd Feb, 2006 - Vendor Notified again
22nd Feb, 2006 - Public Disclosure

See: Gmail Security Flaw Fixed

Norton's false positive

Seen in Symantec Users, Start Your Keyloggers: when someone types "startkeylogger" or "stopkeylogger" in an IRC channel, everyone there using Norton Internet Security or Norton Personal Firewall gets knocked offline automatically XD

The original report is in Malware-Speak Spooks Symantec:

Turns out that if someone types "startkeylogger" or "stopkeylogger" in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning.
