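A long-standing bug in Microsoft Authenticator

Saw this via “Flaw has Microsoft Authenticator overwriting MFA accounts, locking users out (csoonline.com)”; the original article is “Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out”. It covers a long-standing bug in Microsoft Authenticator (Android version, iOS version), an MFA app that supports TOTP... (in terms most people will recognize, this is the six-digit one-time password app)

The bug that locks people out happens because adding a new account via QR code scan overwrites the existing account data, so the generated QR code can no longer be used on the old account/site: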

That’s because, due to an issue involving which fields it uses, Microsoft Authenticator often overwrites accounts when a user adds a new account via QR scan — the most common method of doing so.

The cause is that an entry with the same username gets overwritten, and most people use the same username in different places (like my gslin):

The core of the problem? Microsoft Authenticator will overwrite an account with the same username. Given the prominent use of email addresses for usernames, most users’ apps share the same username. Google Authenticator and just about every other authenticator app add the name of the issuer — such as a bank or a car company — to avoid this issue. Microsoft only uses the username.

The workaround is to not use Microsoft Authenticator, or to not use QR code scan:

There are multiple workarounds. The easiest is for companies to use any other authentication app. Not using the QR code scan feature — and manually entering the code — will also sidestep the issue, which doesn’t appear to arise when the authenticated accounts belong to Microsoft.

Complaints about this problem can be found going back to 2020, but from the author's testing it looks like the 2016 version already behaved this way:

CSO Online found complaints of this problem dating back to 2020, but it appears to have been in place since Microsoft Authenticator was released in June 2016. (For historical context, Google was the first Authenticator app, having been launched in 2010.)

Microsoft confirmed the behavior, but considers it a feature rather than a bug (why did a meme just pop into my head...):

Microsoft confirmed the issue but said it was a feature not a bug, and that it was the fault of users or companies that use the app for authentication.

The columnist then had other experts test other apps, and it turns out only Microsoft Authenticator handles this by overriding the entry and blowing up:

“By the way, I’ve tested this behavior in 14 other authenticator apps so far. None of them exhibit the same collision behavior that Microsoft Authenticator does,” he added. “I gave up at 14 because at that point, it’s obvious Microsoft are the ones who are doing things poorly here.”

Probably everyone just got tired of arguing, since Google Authenticator or any other TOTP app can be used instead...

Windows on ARM claims improved x86 translation speed

Saw this in “Microsoft gives Windows new compiler, kernel, scheduler, and x86 translation layer on ARM”:

Microsoft also unveiled the name for its new x86 translation layer for Windows on ARM: Prism. Microsoft told Ars Technica that Prism is as fast as Apple’s Rosetta 2, which is interesting because Apple’s M series chips contain special silicon to speed up the translation process, making me wonder if Qualcomm has done the same, or is just brute-forcing it.

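It looks like the old pain point of x86 applications running slowly on Windows tablets has a chance of improving? I also wonder how similar the two technologies are, and whether a detailed analysis will show up...

Changes planned for Gitea 1.22

Gitea 1.22.0 has a release candidate out: “Gitea 1.22.0 Release Candidate”, which summarizes the major changes coming in 1.22.

One is the UI architecture change mentioned earlier: “Gitea plans to retire jQuery + Fomantic-UI + Semantic-UI and switch to Tailwind CSS”.

The other is the news that old database versions are being dropped: MySQL 5.7 and PostgreSQL 10 & 11, both of which are EoL versions.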

Support for MySQL 5.7, PostgreSQL 10 and 11, and MSSQL 2008 is dropped.

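As for MSSQL 2008, Wikipedia's Microsoft SQL Server article says it is still supported (for the record, this is revision oldid=1220997610), but looking up “Extended Security Updates for SQL Server and Windows Server” on Microsoft's official site shows that support already ended in 2022...

Overall, the focus of this release seems to be the UI, with fewer changes to other features...

MS-DOS v4.0 source code released under the MIT license

News from Hacker News, “Open Sourcing DOS 4 (hanselman.com)”; the original post is “Open Sourcing DOS 4”.

The Hacker News discussion pulls out some interesting source code comments, but I am more curious why v4.0 was picked rather than another version. From the explanation, it seems the right person happened to meet the right group?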

A young English researcher named Connor "Starfrost" Hyde recently corresponded with former Microsoft Chief Technical Officer Ray Ozzie about some of the software in his collection. Amongst the floppies, Ray found unreleased beta binaries of DOS 4.0 that he was sent while he was at Lotus. Starfrost reached out to the Microsoft Open Source Programs Office (OSPO) to explore releasing DOS 4 source, as he is working on documenting the relationship between DOS 4, MT-DOS, and what would eventually become OS/2. Some later versions of these Multitasking DOS binaries can be found around the internet, but these new Ozzie beta binaries appear to be much earlier, unreleased, and also include the ibmbio.com source.

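This code is mainly for archaeological analysis now; I wonder when the MS-DOS 6.22 code will turn up...

The three stages of Windows 98 setup

Saw “Why does part of the Windows 98 Setup program look older than the rest? (2020) (retrocomputing.stackexchange.com)”; the original is a discussion from 2020: “Why does part of the Windows 98 Setup program look older than the rest?”.

The question is that the middle part of the Windows 98 installation visibly has a Windows 3.1 look, while the later part looks like Windows 98 again; the asker sees this as an inconsistency in UI style...

The answer explains it very clearly. The first stage is the DOS stage, which lays down the Windows 3.1 environment: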

The first, which can run from the setup floppies and/or CD-ROM, uses a DOS program (DOSSETUP.BIN) to set up disk partitions, run various checks etc.:

This phase finishes by copying a minimal version of Windows 3.1 to the target installation drive, in a temporary directory (normally WININST0.400), containing DOSX.EXE, USER.EXE, GDI.EXE, KRNL386.EXE, LZEXPAND.DLL etc. (see MINI.CAB).

The second stage is the Windows 3.1 environment, which copies most of Windows 98 onto the hard disk:

The second uses this minimal Windows 3.1 to run a Windows 3 program, W98SETUP.BIN (specified as the “shell” in SYSTEM.INI):

This starts by copying more files to support all the information-gathering during setup, and various other niceties including the 3D look shown in your screenshot (the contents of the PRECOPY CABs); it ends by copying most of Windows 98, setting the system up so that it will boot Windows 98 from the target drive, and rebooting.

The third stage is the Windows 98 environment, which runs the remaining setup programs:

The third runs after the first boot into Windows 98, from Windows 98:

It also mentions how the operating system could be upgraded in place back then (although I personally prefer a clean reinstall):

It is also possible to initiate the setup process from any of the above environments, which is how Windows 98 handles upgrades (from MS-DOS, or Windows 3, or Windows 95).

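It reads like a guided tour of an archaeological site XDDD

Microsoft's Phi-2 model relicensed under the MIT License

Saw this news on Hacker News in “Microsoft Phi-2 model changes licence to MIT (huggingface.co)”; the link is the commit that switches to the MIT License: “Upload 3 files · microsoft/phi-2 at 7e10f3e”.

Looking at the model, it has 2.7B parameters and claims to be among the top performers for models under 13B: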

Phi-2 showcased a nearly state-of-the-art performance among models with less than 13 billion parameters.

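Going back to check when this claim was made, the original announcement is dated 2023/12/12: “Phi-2: The surprising power of small language models”.

The goal is probably to get results on mobile devices with less compute...

I also looked for the GGUF format, and it seems TheBloke/phi-2-GGUF already has converted files that can be run directly with llama.cpp.

A DNS mishap at microsoft.com

Saw this on Hacker News Daily in “Tell HN: Microsoft.com added 192.168.1.1 to their DNS record”. It looks like some kind of misconfiguration caused the microsoft.com A record to return, in addition to the normal IPv4 addresses, the IPv4 addresses 192.168.1.1 and 192.168.1.0.

The more interesting part is id=38704301, where the commenter could not resolve the name at all; the log showed that dnsmasq had classified the response as a DNS rebinding attack and blocked it, returning no IP address: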

I was getting an empty answer for microsoft.com. Turns out my dnsmasq is blocking it:

  $ dig microsoft.com. | grep EDE
  ; EDE: 15 (Blocked)

  resolver.log:Dec 20 00:43:57 router dnsmasq[8172]: possible DNS-rebind attack detected: microsoft.com

Looking through the dnsmasq manpage, this feature is documented:

--stop-dns-rebind

Reject (and log) addresses from upstream nameservers which are in the private ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network. For IPv6, the private range covers the IPv4-mapped addresses in private space plus all link-local (LL) and site-local (ULA) addresses.

id=38704159 reports something similar, though this one mentions OpenWrt:

microsoft.com is currently IPv6-only on my network, because OpenWrt's DNS rebinding protection filters out the A records:

  $ ping -4 microsoft.com
  ping: microsoft.com: Address family for hostname not supported

  $ ping -6 microsoft.com
  PING microsoft.com(2603:1030:c02:8::14 (2603:1030:c02:8::14)) 56 data bytes
  64 bytes from 2603:1030:c02:8::14 (2603:1030:c02:8::14): icmp_seq=1 ttl=112 time=68.4 ms
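
The check described in the manpage excerpt, written out as an added example (this is not dnsmasq or OpenWrt code): answers pointing into private or local address space are flagged, including IPv4-mapped IPv6 addresses, link-local and ULA. Assumptions: "private ranges" is taken as the RFC 1918 blocks, a single flagged address rejects the whole response, and 203.0.113.10 is a documentation address standing in for the legitimate A record.

```python
import ipaddress

# Assumption: "private ranges" is taken to mean the RFC 1918 IPv4 blocks;
# dnsmasq's own list is not reproduced here and may be broader.
PRIVATE_V4 = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA_V6 = ipaddress.ip_network("fc00::/7")


def is_local_target(addr_text):
    """True if an answer address points into private or local address space."""
    ip = ipaddress.ip_address(addr_text)
    if ip.version == 6:
        mapped = ip.ipv4_mapped          # ::ffff:a.b.c.d -> a.b.c.d, else None
        if mapped is None:
            return ip.is_link_local or ip in ULA_V6
        ip = mapped
    return any(ip in net for net in PRIVATE_V4)


def screen_response(addresses):
    """Return (answers passed to the client, addresses that triggered a block).

    Modelling choice: one local address rejects the whole response, which
    matches the empty answer described in the quoted comment.
    """
    blocked = [a for a in addresses if is_local_target(a)]
    return ([] if blocked else list(addresses)), blocked


# Constructed responses: 203.0.113.10 is a documentation address standing in
# for the legitimate A record; the other values appear on this page.
SAMPLE_A = ["203.0.113.10", "192.168.1.1", "192.168.1.0"]
SAMPLE_AAAA = ["2603:1030:c02:8::14"]

if __name__ == "__main__":
    for name, answers in (("A", SAMPLE_A), ("AAAA", SAMPLE_AAAA)):
        passed, blocked = screen_response(answers)
        print(name, "passed:", passed, "blocked:", blocked)
```

The A response is dropped while the AAAA response passes, which is the IPv6-only result the second comment reports.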

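Microsoft steps in and has Sam Altman and Greg Brockman form a new team

Not a very surprising move: Satya Nadella (Microsoft's CEO) announced outright that Sam Altman and Greg Brockman are joining Microsoft, together with other team members, and made a point of adding that the resources they need will be provided quickly:

The full text on X (Twitter):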

We remain committed to our partnership with OpenAI and have confidence in our product roadmap, our ability to continue to innovate with everything we announced at Microsoft Ignite, and in continuing to support our customers and partners. We look forward to getting to know Emmett Shear and OAI's new leadership team and working with them. And we’re extremely excited to share the news that Sam Altman and Greg Brockman, together with colleagues, will be joining Microsoft to lead a new advanced AI research team. We look forward to moving quickly to provide them with the resources needed for their success.

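After this blow-up, did Microsoft and Satya Nadella pull off something close to the perfect script for disaster handling?

Sending Sam Altman back to OpenAI is probably not a good option; there is clearly a rift now, especially with Ilya Sutskever, whom Greg Brockman called out by name.

Rather than letting Sam Altman and Greg Brockman go out to find VCs and start a new company, it is better for Microsoft to take them in directly.

Now everything still stays inside Microsoft's empire.

Satya Nadella can fully justify this approach to the board, and also to the teams inside Microsoft that work with them.

The post also mentions Emmett Shear taking over as Interim CEO, so it looks like Mira Murati will probably move over to Sam Altman's side as well.

What comes next is how quickly the team can recover after taking such a heavy hit, and how the missing Ilya Sutskever piece gets filled.

SQLite's own official Cloud Backed SQLite

SQLite has built its own technology that uses cloud storage as the storage layer: “Cloud Backed SQLite”. The corresponding Hacker News discussion is at “Cloud Backed SQLite (sqlite.org)”.

It says Azure Blob Storage and Google Cloud Storage are currently supported, which is the interesting part: Amazon S3 is not mentioned: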

The system currently supports Azure Blob Storage and Google Cloud Storage. It also features an API that may be used to implement support to other cloud storage systems.

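This differs from the earlier sql.js project: sql.js uses HTTP range requests to access an existing SQLite database file, while this project changes the underlying architecture to fit the characteristics of a cloud environment.

Because every access to cloud storage has high latency (compared with local storage), too much random access has to be avoided in favor of mostly sequential access; this resembles the techniques used back when dealing with traditional spinning hard disks.

Another characteristic is that cloud storage has the notion of multiple files, so the data structures can be designed around that as well.

Quite an interesting project, and an official one at that...

Windows Update for Windows 95/NT 4.0/98/ME/2000/XP

Saw “Project restores Windows Update for Windows 9x”, which introduces “Windows Update Restored: Fix Windows Update On Windows 95. 98, ME, 2000, and XP”, a project that brings Windows Update back to these antique operating systems.

It looks like it only collects the official security patches; it does not address security issues discovered after EoL.

For anyone setting up an old environment it is still a convenient tool, since at least every publicly released security patch gets applied.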