Ruby 上使用 DynamoDB 的函式庫:aws-record

AWS 正式發表了在 Ruby 上使用 DynamoDB 的 library:「Announcing General Availability of aws-record」。

GitHub 連結在「aws/aws-sdk-ruby-record」,而 Ruby Gems 的連結在「aws-record」。

這樣用起來更簡單了...

舊 bug 新名字:httpoxy

依照慣例,security issue 都會取個名字,這次叫做 httpoxy:「A CGI application vulnerability for PHP, Go, Python and others」。

事情發生在兩個命名變數上的衝突:

  • RFC 3875 (The Common Gateway Interface (CGI) Version 1.1) 定義了 CGI 環境會把 Header 裡的 Proxy 欄位放到環境變數裡的 HTTP_PROXY
  • 而很多程式會拿環境變數裡的 HTTP_PROXY 當作 proxy 設定。

這件事情 2001 年在 libwww-perl 就有發生過 (並且修正),curl 也發生過 (然後修正),2012 年在 Ruby 的 Net::HTTP 也發生過 (也修正了)。

然後在 2016 年還是被發現有很多應用程式會中獎... 這頭好痛啊 :o

在 C 裡 Concurrency 的 Library

看到「libdill: Structured Concurrency for C」這個東西,在 C 裡實作了兩個不同種類的 concurrency,一個是 proc (process-based) 一個是 go (corouting-based)。

支援的 function 算是蠻清晰的,範例也很清楚:

#include <libdill.h>
#include <stdio.h>
#include <stdlib.h>

coroutine int worker(const char *text) {
    while(1) {
        printf("%s\n", text);
        msleep(now() + random() % 500);
    }
    return 0;
}

int main() {
    go(worker("Hello!"));
    go(worker("World!"));
    msleep(now() + 5000);
    return 0;
}

也有 channel 的觀念可以用,之後需要寫玩具的話應該是個好東西...

用 JavaScript 寫的 NLP Library

nlp-compromise/nlp_compromise 是一個 JavaScript 寫的 NLP library,網頁上給的用法也很特別...

過去式:

nlp.text('She sells seashells').to_past()
// She sold seashells

複數形:

nlp.noun("dinosaur").pluralize();
// "dinosaurs"

還有這種用法:

nlp.statement('She sells seashells').negate().text()
// She doesn't sell seashells

也有這種用法:

nlp.sentence('I fed the dog').replace('the [Noun]', 'the cat').text()
// I fed the cat

抓人出來:

nlp.text("Tony Hawk did a kickflip").people();
// [ Person { text: 'Tony Hawk' ..} ]

不定冠詞:

nlp.noun("vacuum").article();
// "a"

還可以猜性別?

nlp.person("Tony Hawk").pronoun();
// "he"

str2num:

nlp.value("five hundred and sixty").number;
// 560

好像是好玩的東西... XD

OpenSSL 1.1.0 的 Release Notes 先放出來了 (現在是 Beta 1)

雖然才 Beta 1,但 OpenSSL 先放出 1.1.0 的 Release Notes 了:「OpenSSL 1.1.0 Series Release Notes」。

有幾個新的功能以及重大的改變,包括了對 ChaCha20Poly1305 的支援,並且把 SSLv2、RC4、所有 40bits 與 56bits 的 cipher 拔掉,然後支援 Certificate Transparency

讓人頗期待... 不知道來不來得及跟上 Ubuntu 16.04

Google Analytics 推出 Autotrack 工具幫助整合

Google Analytics 推出了 Autotrack 工具,讓開發者更容易整合:「Introducing Autotrack for analytics.js」。

可以看到有些地方是將 Unobtrusive JavaScript 的概念拿出來用,像是 Declarative event tracking 這邊用 data attribute:

<button data-event-category="Video" data-event-action="play">Play</button>

對於還沒有針對 Google Analytics 客製化整合的人都會有幫助:

While anyone could use and benefit from autotrack, the library is primarily geared toward sites that do not customize their current analytics implementation and would like to take advantage of the features described in this article.

GitHub 上的說明可以看到預設了非常多常用的功能,像是 socialTracker 預設就有提供 FacebookTwitter (咦,你們自己家的 Google Plus 呢?)

不過這個軟體有免責條款,不屬於 GA 的正式產品:

The autotrack library is not an official Google Analytics product and is not covered by Google Analytics Premium support. Developers that choose to use this library are responsible for ensuring that their implementation meets the requirements of the Google Analytics Terms of Service and the legal obligations of their respective country.

看起來先進很多,之後自己開發東西拿出來用用...

Decentraleyes:避免從 Public CDN 取得檔案

先前看到的,一個 Firefox 的 Extension,在本地端存了一份常用的 library,當瀏覽器想要去 CDN 取得的時候改從本地端的資料提供:「Decentraleyes」。

Protects you against tracking through "free", centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.

另外一個說明是:

A Firefox add-on that emulates Content Delivery Networks locally by intercepting requests, finding the required resource and injecting it into the environment. This all happens instantaneously, automatically, and no prior configuration is required.

原始程式碼在 GitHub 上:「Decentraleyes - Local emulation of Content Delivery Networks.」。

紐約公共圖書館放出十八萬張數位高畫質的數位資料

紐約公共圖書館這次放出了十八萬張數位資料,包括歷史照片、地圖以及信件:「The New York Public Library Lets You Download 180,000 Images in High Resolution: Historic Photographs, Maps, Letters & More」,圖書館官方的公告在「Free for All: NYPL Enhances Public Domain Collections For Sharing and Reuse」這邊:

The release of more than 180,000 digitized items represents both a simplification and an enhancement of digital access to a trove of unique and rare materials: a removal of administration fees and processes from public domain content, and also improvements to interfaces — popular and technical — to the digital assets themselves.

除了可以在「NYPL Digital Collections」這邊搜尋下載外,還有 API 可以用:「The New York Public Library Digital Collections API」,在 GitHub 上也有工具可以使用:「Digital Collections Public Domain Item Data and Tools」。

而且這 18 萬張資料是完全的開放,不需要事先取得館方授權:

No permission required, no hoops to jump through: just go forth and reuse!

將 public domain 的文物數位化,傳遞與保存變的更便利... (也讓做研究的人更容易取得資料)

Amazon 之前放出的 s2n 的安全性問題

Amazon 之前放 s2n 出來當作 TLS protocol 的方案,於是就有人摸出東西來:「Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS」。

即使是經過外部資安檢證,仍然還是有找到問題。這次找到的問題是 timing attack 類在 CBC-mode 下的 plaintext recovery:

At the time of its release, Amazon announced that s2n had undergone three external security evaluations and penetration tests. We show that, despite this, s2n - as initially released - was vulnerable to a timing attack in the case of CBC-mode ciphersuites, which could be extended to complete plaintext recovery in some settings.

攻擊分成兩個階段:

Our attack has two components. The first part is a novel variant of the Lucky 13 attack that works even though protections against Lucky 13 were implemented in s2n. The second part deals with the randomised delays that were put in place in s2n as an additional countermeasure to Lucky 13. Our work highlights the challenges of protecting implementations against sophisticated timing attacks.

最後還是酸了一下 Amazon:

It also illustrates that standard code audits are insufficient to uncover all cryptographic attack vectors.

Amazon 的官方說明則在「s2n and Lucky 13」這邊可以看到。