繼四月出 DynamoDB 推出的 PITR 後 (參考「Amazon DynamoDB 的 Point-In-Time Recovery」這篇),Amazon Aurora for MySQL 也宣佈支援 PITR 了:「Amazon Aurora Backtrack – Turn Back Time」。
從截圖可以看到支援到秒層級:
然後最多 72 小時,會有額外費用:
這樣又讓 DBA 少了一些事情 XD
Tag: in
Amazon DynamoDB 的 Point-In-Time Recovery
Amazon DynamoDB 在 3/26 發出來的功能,以秒為單位的備份與還原機制:「New – Amazon DynamoDB Continuous Backups and Point-In-Time Recovery (PITR)」。
先打開這個功能:
打開後就會開始記錄,最多可以還原 35 天內的任何一個時間點的資料:
DynamoDB can back up your data with per-second granularity and restore to any single second from the time PITR was enabled up to the prior 35 days.
這時候就算改變資料或是刪除資料,實際上在系統內都是 Copy-on-write 操作,所以需要另外的空間,這部份會另外計價:
Pricing for continuous backups is detailed on the DynamoDB Pricing Pages. Pricing varies by region and is based on the current size of the table and indexes. For example, in US East (N. Virginia) you pay $0.20 per GB based on the size of the data and all local secondary indexes.
有這樣的功能通常是一開始設計時就有考慮 (讓底層的資料結構可以很方便的達成這樣的效果),現在只是把功能實作出來... 像 MySQL 之類的軟體就沒辦法弄成這樣 XDDD
最後有提到支援的地區,是用條列的而不是說所有有 Amazon DynamoDB 的區域都支援:
PITR is available in the US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Mumbai), Asia Pacific (Singapore), Asia Pacific (Sydney), Canada (Central), EU (Frankfurt), EU (Ireland), EU (London), and South America (Sao Paulo) Regions starting today.
比對一下,應該是巴黎與美國政府用的區域沒進去... 一個是去年年底開幕的區域,另一個是本來上新功能就偏慢的區域。
Twitter 支援 HOTP-based 2FA 登入了
在 Twitter 上看到他們自家更新了 2FA 的機制,除了本來的 in-app verification 外,也提供常見的 HOTP 了:(掃 QR code,然後會產生六碼數字的那種)
We’re rolling out an update to login verification.
You’ll now be able to use a third party app for two-factor authentication instead of SMS text messages.https://t.co/UXl3xKLEaG
— Twitter Safety (@TwitterSafety) December 20, 2017
在上面的「How to use login verification」連結可以看到 HOTP 的設定方式:
- [...]
- You will see a pop-up window displaying a QR code. Follow the instructions listed.
- To set up the third-party authenticator app, you will need to scan the QR code. You will then see a 6-digit numeric security code.
- Enter this code in the Security code text field in the pop-up window.
- Click Done.
還是可以選擇本來的方式以及簡訊,現在則是多了個選擇...
重設密碼 + Social Engineering
在「The password reset MitM attack」這邊看到 PRMitM (Password Reset Man-in-the-Middle) 這樣的攻擊,原始論文在「The Password Reset MitM Attack」這邊可以取得。
用圖說明基本版的攻擊方式:
另外列出了各大站台的狀態:
以及各家簡訊的文字,可以發現不是每一家都有把產品的名稱寫上去:
這方法好有趣啊... XD
V8 對 for-in 的最佳化
V8 引擎的人對 for-in 的最佳化寫了一篇解釋「Fast For-In in V8」,比較直接的結果就是維基百科與 Facebook 都變快了:
For example, in early 2016 Facebook spent roughly 7% of its total JavaScript time during startup in the implementation of for-in itself. On Wikipedia this number was even higher at around 8%.
可以看得出來是挑比較大的來改,而下一版的 Google Chrome (57) 將會對 for-in 會到另外一個極致:
The most important for-in helpers are at position 5 and 17, accounting for an average of 0.7% percent of the total time spent in scripting on a website. In Chrome 57 ForInEnumerate has dropped to 0.2% of the total time and ForInFilter is below the measuring threshold due to a fast path written in assembler.
主要是因為 spec 對 for-in 的定義寫得很模糊,所以就有很多實作的空間可以調整:
When we look at the spec-text of for-in, it’s written in an unexpectedly fuzzy way,which is observable across different implementations.
Amazon SQS 支援 FIFO 了
Amazon SQS 支援 FIFO 了:「FIFO (First-In-First-Out) Queues」。新的 FIFO Queue 有保證順序,但也因此效能上有限制:
In addition to having all the capabilities of the standard queue, FIFO (First-In-First-Out) queues are designed to enhance messaging between applications when the order of operations and events is critical, or where duplicates can't be tolerated. FIFO queues also provide exactly-once processing but are limited to 300 transactions per second (TPS).
可以看到舊版的 FAQ 對於 FIFO 的回答是 Standard Queue 會盡力做到 FIFO,但不保證:(出自 2016/08/26 的版本)
Q: Does Amazon SQS provide first-in-first-out (FIFO) access to messages?
Amazon SQS provides a loose-FIFO capability that attempts to preserve the order of messages. However, we have designed Amazon SQS to be massively scalable using a distributed architecture. Thus, we can't guarantee that you will always receive messages in the exact order you sent them (FIFO).
If your system requires the order of messages to be preserved, place sequencing information in each message so that messages can be ordered when they are received.
而現在則是名正言順的說有提供 FIFO 了:
Q: Does Amazon SQS provide message ordering?
Yes. FIFO (first-in-first-out) queues preserve the exact order in which messages are sent and received. If you use a FIFO queue, you don't have to place sequencing information in your messages. For more information, see FIFO Queue Logic in the Amazon SQS Developer Guide.
Standard queues provide a loose-FIFO capability that attempts to preserve the order of messages. However, because standard queues are designed to be massively scalable using a highly distributed architecture, receiving messages in the exact order they are sent is not guaranteed.
用 Pushover 當簡訊...
法國政府 ANSSI 偽造 Google 的 SSL 憑證被抓到...
Google 在 Google Chrome 裡面有放一段 SSL 白名單 (transport_security_state_static.json),針對某些特定 domain 只允許特定的 CA 所發出來的 SSL 憑證,另外當發現異常時也會回報。
這個機制可以保證在白名單內的網域比較不容易被 CA 搞到。
前幾天 Google 偵測到法國政府 ANSSI 的一個中介憑證發行單位 (Intermediate certificate authorities) 發出 Google 所擁有網域的 SSL 憑證:「Further improving digital certificate security」。
這也是繼一年前 TURKTRUST 發出的 *.google.com 以來再次被這個機制抓到的案例:「這次 TURKTRUST 誤發 *.google.com SSL 憑證...」。
同時,這也是首次政府機關相關的 CA 搞 MITMA (Man-in-the-middle attack)。
ANSSI 官方的說法是「誤發」:「Revocation of an IGC/A branch」,不過可信度... XD
Google 後來在 12/12 再次更新公告文章,決定把 ANSSI 的 CA 信任範圍限縮到法國相關的網域,共 13 個。(*.fr、*.gp、*.gf、...)
另外可以參考 Mozilla 在收到 Google 通知後的公告:「Revoking Trust in one ANSSI Certificate」。