The political leanings of US media outlets (flavor)

While looking something up I found that Wikipedia has an entry describing the leanings of US media outlets, "Media bias in the United States", but it is still fairly descriptive, so I dug up some other studies to look through.

First, material found in ""Fake News," Lies and Propaganda: How to Sort Fact from Fiction", which comes from "Ideological Placement of Each Source's Audience", an analysis from 2014:

Next, "News Literacy: News Views & Fact Checking Resources: Media Bias", which comes from "Media Bias Chart 4.0: Downloadable Image and Standard License", an analysis from 2018:

Then "Detecting Bias", which comes from "Media Bias Ratings", an analysis from 2019; the original site has since been updated to 2021:

These sources give a rough sense of where each outlet sits on the political spectrum, which makes things a bit clearer when reading the news.

Amazon Route 53's fine-tuning by region

Amazon Route 53 has launched a new feature that lets you fine-tune the weighting of resources by region: "Amazon Route 53 Traffic Flow Announces Support For Geoproximity Routing With Traffic Biasing".

The example roughly explains what the feature can do: suppose you have the service running at two locations; with this feature you can shift some fraction of users toward one of them:

For example, suppose you have EC2 instances in the AWS US East (Ohio) region and in the US West (Oregon) region. When a user in Los Angeles browses to your website, geoproximity routing will route the DNS query to the EC2 instances in the US West (Oregon) region because it's closer geographically. If you want a larger portion of users in the middle of the United States to be routed to one region, you can specify a positive bias for that region, a negative bias for the other region, or both.

There is a bit of the CDN idea in this...
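To make the quoted example concrete, here is an added simulation (not code from the post or from AWS) of geoproximity routing with a bias knob. The region and user coordinates are constructed approximations, and the bias model (a positive bias shrinks a region's effective distance, a negative bias stretches it) is an assumption for illustration, not AWS's exact formula; what it shows is the effect the announcement describes: Los Angeles keeps going to Oregon regardless, while a user in the middle of the country (Denver) flips from Oregon to Ohio once Ohio gets a positive bias.

```python
import math

# Constructed sample coordinates (lat, lon in degrees). The region locations are
# approximate city positions used for the demo, not AWS's own data.
REGIONS = {
    "us-east-2": (39.96, -82.99),   # Ohio (Columbus)
    "us-west-2": (45.84, -119.70),  # Oregon (Boardman)
}
USERS = {
    "Los Angeles": (34.05, -118.24),
    "Denver": (39.74, -104.99),
}

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def effective_distance(distance_km, bias):
    """Assumed bias model for the demo (not AWS's formula): a positive bias
    shrinks a region's effective distance so it wins more users, a negative
    bias stretches it. Bias is limited to -99..99 like the Route 53 setting."""
    if not -99 <= bias <= 99:
        raise ValueError("bias must be between -99 and 99")
    if bias >= 0:
        return distance_km * (1 - bias / 100)
    return distance_km * (1 + abs(bias) / 100)

def route(user_location, regions=REGIONS, biases=None):
    """Return the region whose biased effective distance to the user is smallest."""
    biases = biases or {}
    scored = {
        name: effective_distance(haversine_km(user_location, loc), biases.get(name, 0))
        for name, loc in regions.items()
    }
    return min(scored, key=scored.get)

if __name__ == "__main__":
    for who, loc in USERS.items():
        print(f"{who:12s} no bias -> {route(loc)}   Ohio +50 -> {route(loc, biases={'us-east-2': 50})}")
```

Without bias both users go to the geographically closer region; with a +50 bias on us-east-2 (or, equivalently, a -50 bias on us-west-2) Denver is pulled to Ohio while Los Angeles is unaffected, which is the "larger portion of users in the middle of the United States" case from the quote.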

Facebook manipulating the news in Trending

Reading the exchange between Gizmodo and Facebook gives me the feeling of what a certain elder used to say, "it's not a crime if you don't get caught~": "Former Facebook Workers: We Routinely Suppressed Conservative News".

After Gizmodo got a tip from a former employee, and then reached other former employees through contacts, it confirmed the story in the headline:

Facebook workers routinely suppressed news stories of interest to conservative readers from the social network’s influential “trending” news section, according to a former journalist who worked on the project. This individual says that workers prevented stories about the right-wing CPAC gathering, Mitt Romney, Rand Paul, and other conservative topics from appearing in the highly-influential section, even though they were organically trending among the site’s users.

Several former Facebook “news curators,” as they were known internally, also told Gizmodo that they were instructed to artificially “inject” selected stories into the trending news module, even if they weren’t popular enough to warrant inclusion—or in some cases weren’t trending at all. The former curators, all of whom worked as contractors, also said they were directed not to include news about Facebook itself in the trending module.

Of course Facebook flatly denies something that cannot be proven, but to repeat that elder's classic line once more: "it's not a crime if you don't get caught~"...

Uber-style services have overtaken regular car rental in North American business travel spending

News seen on Bloomberg: the share of North American business travel spending going to Uber-style services has overtaken regular car rental: "Uber Overtakes Rental Cars Among Business Travelers".

The data comes from Certify, the second-largest cloud expense-management service in North America, so the data does carry some bias, but the big trend is still visible:

So it is not only the regular taxi business that is affected; the business-travel segment has taken a hit too.

New RC4 attack: made practical

Seen on Twitter: a new attack on RC4 that directly attacks TLS and WPA-TKIP, with no workaround: "All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS".

TKIP can be broken within an hour:

In practice the attack can be executed within an hour.

Against TLS it is a 94% success rate in 75 hours, and in the actual test it took only 52 hours to break it:

We also attack TLS as used by HTTPS, where we show how to decrypt a secure cookie with a success rate of 94% using 9·2^27 ciphertexts. This is done by injecting known data around the cookie, abusing this using Mantin's ABSAB bias, and brute-forcing the cookie by traversing the plain-text candidates. Using our traffic generation technique, we are able to execute the attack in merely 75 hours.

When we tested the attack against real devices, it took merely 52 hours to successfully perform the attack.

It looks like the only fix is to disable it...
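The attack quoted above works because RC4's keystream is not uniform, and the "brute-forcing the cookie by traversing the plain-text candidates" step is just statistics over many encryptions of the same secret. As an added illustration (not code from the post or the paper), the block below uses the simplest bias of that family, the second keystream byte being 0 about twice as often as it should (1/128 instead of 1/256, the Mantin-Shamir bias), rather than the ABSAB digraph bias the paper exploits: encrypting one constructed cookie under many random keys and taking the most common second ciphertext byte recovers that plaintext byte without knowing any key. The plaintext, key count and RNG seed are assumptions for the demo.

```python
import random
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """RC4 encryption is just XOR with the keystream (decryption is identical)."""
    return bytes(p ^ k for p, k in zip(plaintext, rc4_keystream(key, len(plaintext))))

def broadcast_experiment(plaintext: bytes, num_keys: int, seed: int = 1234):
    """Encrypt the same plaintext under num_keys random 128-bit keys.

    Returns (rate, guess):
      rate  - fraction of encryptions where keystream byte Z_2 was 0, i.e.
              ciphertext[1] == plaintext[1]; ideal cipher: 1/256, RC4: ~1/128
      guess - the most frequent second ciphertext byte; because Z_2 = 0 is the
              single most likely value, this is plaintext[1], recovered from
              ciphertexts alone (the attacker never sees a key)
    """
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    zero_count = 0
    second_bytes = Counter()
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ct = rc4_encrypt(key, plaintext)
        if ct[1] == plaintext[1]:      # only happens when Z_2 == 0
            zero_count += 1
        second_bytes[ct[1]] += 1
    guess = second_bytes.most_common(1)[0][0]
    return zero_count / num_keys, guess

if __name__ == "__main__":
    # Constructed sample secret; in the paper's setting this would be an HTTP cookie.
    cookie = b"Cookie: sid=9b1c5e"
    rate, guess = broadcast_experiment(cookie, 20000)
    print(f"P(Z_2 = 0) ~ {rate * 256:.2f}/256, recovered byte 1 = {chr(guess)!r}")
```

With 20,000 keys the zero count lands around 156 instead of the 78 expected from a uniform keystream, and the recovered byte is the 'o' of "Cookie". Recovering other positions with the much weaker biases at those positions is what drives the paper's ciphertext count up to 9·2^27, and why the text's conclusion that there is nothing to tune, only to disable, holds.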

The NSA paying RSA to plant a backdoor...

Edward Snowden has released more internal NSA documents, showing that the NSA paid RSA to put a backdoor into an algorithm: "Exclusive: Secret contract tied NSA and security industry pioneer".

RSA's response avoids saying what the money was for at all: "RSA Response to Media Claims Regarding NSA Relationship".

The general guess right now is that the backdoor is Dual_EC_DRBG, the default pseudorandom number generator in RSA BSAFE.

On attacks against Dual_EC_DRBG, the 2006 paper "Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator" already wrote:

Our experimental results and also empirical argument show that the DEC PRG is insecure. The attack does not imply solving the ECDLP for the corresponding elliptic curve. The attack is very efficient.

In 2007 Bruce Schneier wrote "Did NSA Put a Secret Backdoor in New Encryption Standard?", noting that the weakness was not large enough to make the algorithm unusable, but that it was still unpleasant to look at:

Problems with Dual_EC_DRBG were first described in early 2006. The math is complicated, but the general point is that the random numbers it produces have a small bias. The problem isn't large enough to make the algorithm unusable -- and Appendix E of the NIST standard describes an optional work-around to avoid the issue -- but it's cause for concern. Cryptographers are a conservative bunch: We don't like to use algorithms that have even a whiff of a problem.

And he recommended not using Dual_EC_DRBG:

My recommendation, if you're in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances. If you have to use something in SP 800-90, use CTR_DRBG or Hash_DRBG.

Looking back at this now... hmmm...
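What "a backdoor in Dual_EC_DRBG" means concretely, as an added example that is not from the post or from any of the documents it cites: the generator steps its state with one point P and derives output from a second point Q, and these are supposed to be unrelated. If whoever chose the constants knows e with P = e·Q, a single output is enough to recover the next internal state and predict every later output, without solving any discrete logarithm. The toy curve, the seed and the value of E are assumed for the demo, and the real DRBG's truncation of the top 16 bits of each output is omitted (with it, the attacker simply tries the 2^16 possible completions of the output).

```python
# Toy curve y^2 = x^3 + 7 over F_p with p = 2^31 - 1, chosen so p % 4 == 3 and a
# square root is a single pow(). Constructed for this demo, not the NIST curve.
PRIME = 2**31 - 1
A, B = 0, 7

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % PRIME == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % PRIME, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow((x2 - x1) % PRIME, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Recover a curve point from its x-coordinate; either sign of y works below."""
    rhs = (x**3 + A * x + B) % PRIME
    y = pow(rhs, (PRIME + 1) // 4, PRIME)
    if y * y % PRIME != rhs:
        raise ValueError("x is not on the curve")
    return (x, y)

def first_point():
    """Smallest x that is on the curve, used as the public point Q."""
    for x in range(1, PRIME):
        try:
            return lift_x(x)
        except ValueError:
            continue

# Public constants as a standard would publish them, plus the trapdoor the author
# of the constants keeps to themselves: P = E * Q. (Equivalently, knowing d with
# Q = d * P, since e is then d^-1 modulo the group order.) E is an assumed value.
Q = first_point()
E = 0x1337
P = ec_mul(E, Q)

class DualEC:
    """Dual_EC_DRBG core loop (output truncation omitted)."""
    def __init__(self, seed):
        self.s = seed
    def next_output(self):
        self.s = ec_mul(self.s, P)[0]       # s_i = x(s_{i-1} * P)
        return ec_mul(self.s, Q)[0]         # r_i = x(s_i * Q), the published output

def predict_from_output(r, e, count):
    """Attacker with the trapdoor e: from one output r_i, predict the next outputs."""
    R = lift_x(r)                            # R = +/- s_i * Q
    s = ec_mul(e, R)[0]                      # e * R = +/- s_i * P, whose x is s_{i+1}
    outputs = []
    for _ in range(count):
        outputs.append(ec_mul(s, Q)[0])      # r_{i+1} = x(s_{i+1} * Q)
        s = ec_mul(s, P)[0]                  # advance the state exactly as the DRBG does
    return outputs

if __name__ == "__main__":
    gen = DualEC(0xC0FFEE)                   # assumed seed
    r1 = gen.next_output()
    print("predicted:", predict_from_output(r1, E, 3))
    print("actual:   ", [gen.next_output() for _ in range(3)])
```

Without e the attacker faces the elliptic-curve discrete logarithm between P and Q; with it, the "work-around" in Appendix E that Schneier mentions is irrelevant, because the problem is not the small bias in the output but that the relation between P and Q was never shown to be unknown to anyone.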