SWEET32: attacking Blowfish and 3DES

The latest attack is a practical one: the theoretical basis was already known, it's just that nobody had actually "finished" it. It's one of the few recent attacks that target the algorithm directly, and these algorithms happen to still be in use in TLS and OpenVPN, so the severity is higher: "SWEET32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN".

The attack depends on the block cipher's block size, not on its key length, so even Blowfish with a 256-bit key is equally affected.

This time they successfully broke Blowfish and 3DES. Both ciphers have a 64-bit block size, so for a birthday attack 2^32 blocks are enough:

This problem is well-known by cryptographers, who always require keys to be changed well before 2^(n/2) blocks. However it is often minimized by practitioners because the attacks require known plaintext, and reveal only little information. Indeed, standard bodies only recommend to change the key just before 2^(n/2) blocks, and many implementations don't enforce any limit on the use of a key.
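To make the 2^(n/2) figure concrete from a defender's side, here is an added example (not code from the original post or the SWEET32 authors) that works out the birthday-bound arithmetic for 64-bit and 128-bit block sizes and flags when traffic under one key exceeds the bound; the 705 GB input is the capture size quoted below for the OpenVPN demo.

```python
import math

# Birthday-bound arithmetic for block ciphers (added example). In a mode such as
# CBC, two colliding ciphertext blocks leak the XOR of their plaintexts, so the
# relevant limit is the block size n in bits, not the key length.

def collision_probability(block_bits: int, num_blocks: int) -> float:
    """P(at least one collision) among num_blocks blocks of block_bits bits,
    using the standard birthday approximation 1 - exp(-q(q-1) / 2^(n+1))."""
    space = 2.0 ** block_bits
    return 1.0 - math.exp(-num_blocks * (num_blocks - 1) / (2.0 * space))

def blocks_for_probability(block_bits: int, prob: float) -> int:
    """Smallest q for which the approximation above reaches prob (inverse formula)."""
    space = 2.0 ** block_bits
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - prob)))

def exceeds_birthday_bound(block_bits: int, bytes_under_one_key: int) -> bool:
    """True once more than 2^(n/2) blocks have been encrypted under a single key,
    i.e. the point at which the paper says the key should long since be changed."""
    blocks = bytes_under_one_key // (block_bits // 8)
    return blocks > 2 ** (block_bits // 2)

def summarize(block_bits: int, captured_bytes: int) -> dict:
    """The numbers a defender needs when choosing a rekey limit for a cipher."""
    block_bytes = block_bits // 8
    q_half = blocks_for_probability(block_bits, 0.5)
    return {
        "block_bits": block_bits,
        "bytes_for_50pct_collision": q_half * block_bytes,
        "captured_blocks": captured_bytes // block_bytes,
        "collision_prob_at_2^(n/2)": collision_probability(block_bits, 2 ** (block_bits // 2)),
        "over_bound": exceeds_birthday_bound(block_bits, captured_bytes),
    }

if __name__ == "__main__":
    # 705 GB is the OpenVPN/Blowfish capture size quoted in the post; the 128-bit
    # row shows why AES-sized blocks are not affected by the same data volume.
    for n in (64, 128):
        print(summarize(n, 705 * 10**9))
```

For a 64-bit block, roughly 40 GB under one key already gives a 50% chance of a collision, while a 128-bit block needs on the order of 2^64 blocks.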

The OpenVPN part, attacking Blowfish (Blowfish is OpenVPN's default cipher):

In our demo, it took 18.6 hours and 705 GB, and we successfully recovered the 16-byte authentication token.

And the HTTPS part, attacking 3DES (kept around for compatibility reasons):

Experimentally, we have recovered a two-block cookie from an HTTPS trace of only 610 GB, captured in 30.5 hours.

Both are at a feasible level. Time to drop IE8 support as well... orz

DigitalOcean also launches something like Amazon EBS: Block Storage

DigitalOcean now also offers a service similar to Amazon EBS: "Block Storage: More Space to Scale".

Only SSD-type Block Storage is offered, priced similarly to Amazon EBS at USD$0.1/GB/month. There are a few limitations. One is that it is currently only available in NYC1 and SFO2, with FRA1 next in line:

You can create Block Storage volumes right now in NYC1 and our new SFO2 region. FRA1 is next in line and will be available in the coming weeks. We’re working quickly to expand to other regions. More updates to come.

The other is a maximum of 16TB, also the same as Amazon EBS:

You can easily scale up and resize your Storage volumes from 1GB to 16TB and move them between Droplets via the control panel or API.

One more option to choose from...

Reddit is planning to ban "sites that block Adblock"

As the title says, Reddit is planning to ban sites that block Adblock: "Mod Announcement: We're considering banning all domains that require users to disable ad blockers and we'd like your input".

These sites require users to add them to the Adblock whitelist, and then "accidentally" serve malware to those users:

It has come to our attention that many websites such as Forbes and Wired are now requiring users to disable ad blockers to view content. Because Forbes requires users to do this and has then served malware to them we see this as a security risk to you our community. There are also sites such as Wall Street Journal that have implemented pay-walls which we are also considering banning.

The war keeps escalating...

EC2 Spot Blocks: fixed-duration Spot Instances

EC2 designed Spot Instances so that certain applications can rent machines at a lower price, but the drawback is that they can be interrupted at any time, so the program has to checkpoint its progress periodically.

Not every application can work that way, though, so workloads that cannot be interrupted are generally still run on On-Demand Instances. Now EC2 offers Spot Blocks to solve this problem: "New – EC2 Spot Blocks for Defined-Duration Workloads".

You can set a run time of 1 to 6 hours, and the instance terminates automatically when the time is up:

In order to make EC2 an even better fit for this type of defined-duration workload, you can now launch Spot instances that will run continuously for a finite duration (1 to 6 hours).

Spot Instances and Spot Blocks are bid on separately; Spot Blocks are roughly 30%~45% cheaper than On-Demand, with an additional 5% discount during off-peak hours:

Pricing is based on the requested duration and the available capacity, and is typically 30% to 45% less than On-Demand, with an additional 5% off during non-peak hours for the region. Spot blocks and Spot instances are priced separately; you can view the current Spot pricing to learn more.

Installing Crystal on iOS 9 to block full-page ads

Apple released iOS 9 today. After updating you can use Content Blocking to block ads, and I just tested that it blocks full-page ads.

This post introduces "Crystal", an app that is currently free for a limited time; you can download and install it from "Crystal - Block Ads, Browse Faster.".

iOS 9's Content Blocking has to be supported by the application, and currently only Safari supports it, so the tests below use Safari to open the mobile version of Facebook (https://m.facebook.com/), with this post as the test page: (this screenshot was taken later, so the time shows 06:20)

Opening it directly shows a full-page ad first (first screenshot), and after closing it there are still plenty of ads (second screenshot):

Next, open Crystal. You can see there is nothing to configure, because the app has already done everything: (this screenshot was taken right after installing, so the time shows 06:00)

Then go to "Settings" and enable the content blocker for Safari:

After the change, the page is clean and ad-free:

uBlock's rebranding: after the handover, forked into uBlock Origin (uBlock₀)

The original µBlock was renamed uBlock₀, and the uBlock name was handed over to the Colorado Springs-based uBlock.

The reason can be found in "Please clarify uBlock₀ vs. uBlock": since this is not a full time job (and he doesn't want it to become one), he decided to freeze the current feature set and maintain bugfixes only (because it is enough for him; he uses it himself every day).

Given that reasoning, my feeling is that uBlock will become the next bloated ABP, so just stay put on uBlock Origin (uBlock₀).

AWS launches SSD EBS

EBS is the block-level storage on AWS; besides the space itself, I/O is also billed. Until today, EBS only offered Magnetic volumes, i.e. EBS with characteristics close to a traditional hard disk.

Today AWS launched SSD-backed EBS: "New SSD-Backed Elastic Block Storage". It is of course more expensive than EBS built on traditional disks, but the price looks like an acceptable number?

In addition, the Provisioned IOPS volumes on traditional disks also got a price cut, about 35% off:

We are also announcing that we are reducing the price of IOPS for Provisioned IOPS volumes by 35%.

Applications that need performance have one more weapon...

Follow-up analysis of php.net being blocked...

All day yesterday, the sites under the php.net domain were blocked:

I also saw Rasmus Lerdorf complaining about it on Twitter:

Rasmus says it is a false positive, but I'm not inclined to take his word for it at face value...

I just saw that Netcraft has compiled some data in "PHP.net blocked by Google: False positive or not?", and there is quite a bit worth reading...

In particular, this last part:

However, a short moment ago, a Hacker News user posted some obfuscated JavaScript that was found appended to a possibly cached version of the userprefs.js script, suggesting that the PHP.net website may have been compromised recently.

The obfuscated JavaScript inserts an iframe into the webpage, which loads content from an external site known for distributing malware. Google Chrome blocks the inclusion of any content from known malware domains, although the injected content in this case no longer appears to be accessible.

An explanation of this problematic JavaScript code can be found here.

If it really is a compromise, this isn't over; next comes finding which hole they got in through... though given php.net's situation, (censored)...

French ISP "Free" pushes a set-top box firmware update that blocks ads by default...

From "French ISP blocks online ads by default – just a beta feature glitch?" and "France’s second-largest ISP deploys ad blocking via firmware update".

Freebox

France's second-largest ISP, "Free", added an "ad filtering (adblock)" feature in its most recent firmware update and marked it beta: "Mise à jour Freebox Server 1.1.9". However, many people found that this beta feature is enabled by default... and then every tech news site that lives off online advertising lined up to pan it... XDDD

Just a few days ago Free was in the news for throttling YouTube, "YouTube sucks on French ISP Free, and French regulators want to know why"; ARCEP (France's telecom regulator) said it would investigate the net neutrality issue, and right away Free answers with this show of force xDDD

Come to think of it, if Chunghwa Telecom tweaked the blocklist of its porn-filtering "gatekeeper" service a bit, it could probably launch something similar? XDDD