Amazon Aurora (MySQL) stored procedures can invoke AWS Lambda...

Looking it up, I found that Amazon Aurora (MySQL-Compatible Edition) has supported calling AWS Lambda from stored procedures since last October, but at that time only async mode was supported, which limited what you could do with it: "Amazon Aurora New Features: AWS Lambda Integration and Data Load from Amazon S3 to Aurora Tables".

Now you can invoke Lambda functions directly from within an Aurora database via stored procedures or user-defined functions. Lambda integration allows you to extend the capabilities of the database and invoke external applications to act upon data changes. For example, you can create a Lambda function that sends emails to customers whenever their address in the database is updated.

What was announced a few days ago is sync mode, where you can wait for the result: "Amazon Aurora with MySQL Compatibility Natively Supports Synchronous Invocation of AWS Lambda Functions".

Starting with version 1.16, we are extending this feature to be able to synchronously invoke Lambda functions.

Use the native function lambda_sync when you must know the result of the execution before moving on to another action.

This solves the long-standing problem of MySQL stored procedures being so limited...

Cisco has no plan to fix the ROBOT attack on PKCS #1 v1.5...

A security issue discovered in 1998, whose workaround is also complicated, so not every vendor fixed it the right way, and 19 years later it has been broken again. This time it's called ROBOT: "1998 attack that messes with sites' secret crypto keys is back in a big way".

You can see the table of affected vendors there:

This attack cannot be fixed on the client side; it can only be fixed on the server side:

Do I need to update my browser?
No. This is an implementation bug in servers, there is nothing clients can do to prevent it.

If the server side can't be fixed quickly, avoiding RSA encryption sidesteps the problem, and because modern browsers all have non-RSA alternatives, there should still be a fallback so connections keep working:

Disable RSA encryption!
ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.
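The tricky part of "disable RSA encryption" is that RSA shows up in many suite names that are not affected: "ECDHE-RSA-..." uses RSA only to sign the handshake, while an unprefixed name like "AES256-GCM-SHA384" means RSA key transport, which is what ROBOT reaches. The following is an added example (not from the original post or the ROBOT authors) that sorts an OpenSSL-style suite list accordingly; the naming rules it relies on are my reading of OpenSSL's conventions and apply to expanded suite names, not keyword expressions such as HIGH or !aNULL.

```python
# Added example: split an OpenSSL-style cipher list into suites ROBOT can
# reach (the client RSA-encrypts the premaster secret to the server's key)
# and suites it cannot ((EC)DHE or PSK key exchange, TLS 1.3 suites).
# Assumption: OpenSSL naming conventions for expanded suite names, as
# printed by `openssl ciphers`, not keyword expressions like HIGH.

# Prefixes naming a key exchange that never RSA-encrypts the premaster
# secret. "ECDHE-RSA-..." matches here: RSA only signs the handshake.
NON_RSA_KEX_PREFIXES = (
    "ECDHE-", "ECDH-", "DHE-", "EDH-", "DH-", "ADH-", "AECDH-",  # (EC)DH
    "PSK-", "DHE-PSK-", "ECDHE-PSK-",                           # pre-shared key
)
# TLS 1.3 names carry no key exchange; RSA key transport was removed from
# TLS 1.3 entirely, so none of these suites are affected.
TLS13_PREFIXES = ("TLS13-", "TLS_")


def uses_rsa_key_exchange(suite: str) -> bool:
    """True if the suite transports the premaster secret under RSA encryption."""
    name = suite.strip().upper()
    if name.startswith(TLS13_PREFIXES):
        return False
    if name.startswith(NON_RSA_KEX_PREFIXES):
        return False
    # Everything else ("AES256-GCM-SHA384", "DES-CBC3-SHA", "RSA-PSK-...")
    # RSA-encrypts the premaster secret in OpenSSL's naming scheme.
    return True


def split_cipher_list(cipher_list: str):
    """Split a colon-separated suite list into (safe, robot_affected)."""
    safe, affected = [], []
    for suite in filter(None, cipher_list.split(":")):
        (affected if uses_rsa_key_exchange(suite) else safe).append(suite)
    return safe, affected


def hardened_cipher_list(cipher_list: str) -> str:
    """Return the list with every RSA-key-exchange suite removed, order kept."""
    safe, _ = split_cipher_list(cipher_list)
    return ":".join(safe)


if __name__ == "__main__":
    # Constructed sample list mixing the three cases.
    SAMPLE = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
              "AES256-GCM-SHA384:AES128-SHA:TLS13-AES-128-GCM-SHA256")
    safe, affected = split_cipher_list(SAMPLE)
    print("drop (RSA key exchange):", affected)
    print("keep:", safe)
```

Feeding a server's configured cipher string through hardened_cipher_list gives a drop-in replacement that keeps the ECDHE and TLS 1.3 suites browsers actually negotiate.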

But if you use Cisco ACE you're out of luck, because Cisco ACE only supports RSA encryption, and Cisco officially has no plan to provide an update since the product line has been discontinued and is no longer maintained, so it's a dead end...

Although Cisco itself is still using Cisco ACE, so it seems they don't mind XD

I have a Cisco ACE device.
Cisco informed us that the ACE product line was discontinued several years ago and that they won't provide an update. Still, we found plenty of vulnerable hosts that use these devices.

These devices don't support any other cipher suites, therefore disabling RSA is not an option. To our knowledge it is not possible to use these devices for TLS connections in a secure way.

However, if you use these products you're in good company: As far as we can tell Cisco is using them to serve the cisco.com domain.

AWS launches Cloud Native Networking: every container gets its own network interface

Amazon ECS on AWS just got more useful: "Introducing Cloud Native Networking for Amazon ECS Containers".

Today, AWS announced task networking for Amazon ECS. This feature brings Amazon EC2 networking capabilities to tasks using elastic network interfaces.

In awsvpc mode, every container gets its own network interface (Elastic Network Interface, ENI):

This has two benefits. First, ports no longer need to be split up: if every container runs nginx, they can all use the same port (80 or 443), which makes things simpler for front-end applications. Second, it integrates with AWS security groups, which is an easy fit for most people who already use security groups on AWS.

Firefox's Headless Mode

After Google Chrome introduced headless mode, Firefox has followed: "Headless mode".

The current release is version 55, which only supports it on Linux; the next release, version 56, will cover Windows and Mac as well:

Headless Firefox works on Fx55+ on Linux, and 56+ on Windows/Mac.

And since everyone centers on Selenium anyway, using it shouldn't be a big problem...

Vim's Easy Mode

Saw on Twitter that in Vim's Easy Mode you can't exit directly with :q!, which leaves long-time Vim users at a loss XDDD:

Since I knew it was -y, I checked the manual and found it's easy mode. With the keyword in hand the solution was easy to find: "How to quit vim's easy mode (vim -y)": press Ctrl-L first to return to Normal Mode, then use :q! to exit...

Firefox will also support Headless mode in 56

Feels like Firefox decided to follow after Google Chrome shipped it? Quite a few beats behind...: "Support headless mode on Windows".

The current stable version is 54.0, so it's two more release cycles away... That will give us two browsers (with different underlying engines) supporting headless mode to test with. Those who want to test now can already see it in nightly.

OpenSSL 1.1.1 will support TLS 1.3

The OpenSSL article "Using TLS1.3 With OpenSSL" mentions:

The forthcoming OpenSSL 1.1.1 release will include support for TLSv1.3.

It also mentions that the TLS 1.3 standard is the blocker; OpenSSL 1.1.1 won't be released before TLS 1.3 is out:

OpenSSL 1.1.1 will not be released until (at least) TLSv1.3 is finalised.

OpenSSL's TLS 1.3 implementation supports these ciphers:

  • TLS13-AES-256-GCM-SHA384
  • TLS13-CHACHA20-POLY1305-SHA256
  • TLS13-AES-128-GCM-SHA256
  • TLS13-AES-128-CCM-8-SHA256
  • TLS13-AES-128-CCM-SHA256

The GCM ones are no surprise; what's notable is the inclusion of ChaCha20-Poly1305 (long requested), along with an implementation of CCM mode...

Google Chrome's Headless mode and PhantomJS becoming history

A browser's headless mode lets developers drive it from the command line or through an API, which is very useful for automated development and testing. Google Chrome will introduce headless mode in version 59 (currently at 57): "Headless mode".

Headless mode allows running Chromium in a headless/server environment. Expected use cases include loading web pages, extracting metadata (e.g., the DOM) and generating bitmaps from page contents -- using all the modern web platform features provided by Chromium and Blink.

To use headless, start Chrome with a command line flag:

$ chrome --headless --remote-debugging-port=9222 https://chromium.org

As for PhantomJS, because Google Chrome decided to support headless mode, its main contributor Vitaly Slobodin (see Contributors to ariya/phantomjs) decided to step down as maintainer: "[Announcement] Stepping down as maintainer".

Feels like a job well done, time to retire...

Cleartext on Mac

Saw the Mac app "Cleartext":

A text editor that only allows the 1,000 most common words in English

It restricts you to simpler English, which makes it easier for readers (especially non-native speakers) to understand.

It feels similar in spirit to Simple English Wikipedia:

The project uses around 2,000 common English words, and is based on Basic English, an 850-word auxiliary international language created by Charles Kay Ogden in the 1920s.

It also offers a Trump mode XDDD:

Trained with a few of Trump's best known speeches, the app is now ready to help you write like a billionaire.

Is that good or bad XDDD

Google doubles the bounty for attacking Chromebook guest mode

Google has decided to double the reward for compromising a Chromebook in guest mode: "After 0 successful submissions, Google doubles top reward for hacking a Chromebook to $100,000".

It was originally $50,000:

Last year, Google introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. The company's security team says it hasn't received a single successful submission.

Raised to $100,000:

As such, Google has doubled the bounty, which was already the top Chrome reward, to $100,000. The company really wants someone to hack Chrome OS to pieces. “That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool,” Google declared.