Cisco has no plans to fix the ROBOT attack on PKCS #1 v1.5...

A security issue discovered back in 1998 was not fixed correctly by every vendor, partly because the workaround is complicated, so 19 years later it has been broken again. This time it is called ROBOT: "1998 attack that messes with sites' secret crypto keys is back in a big way".

Here is the table of vendors that were hit:

This attack cannot be fixed on the client side; it can only be fixed on the server side:

Do I need to update my browser?
No. This is an implementation bug in servers, there is nothing clients can do to prevent it.

If the server side cannot be fixed quickly, finding a way to avoid RSA encryption sidesteps the problem, and because modern browsers all have non-RSA alternatives there should still be a fallback, so connections keep working:

Disable RSA encryption!
ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.
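A quick way to see whether a server's cipher list still contains the RSA key-transport suites the advice above tells you to disable, as distinct from (EC)DHE suites that use RSA only for signatures. This is an added example, not code from the original post or from the ROBOT authors; the suite names in it are constructed and the OpenSSL-name heuristic is an assumption about OpenSSL's naming convention.

```python
import re

# IANA names put the key-exchange algorithm between "TLS_" and "_WITH_".
# RSA / RSA_PSK / RSA_EXPORT encrypt the premaster secret with the server's
# RSA key (PKCS#1 v1.5, the ROBOT target); ECDHE_RSA and DHE_RSA only sign.
RSA_KX_IANA = {"RSA", "RSA_EXPORT", "RSA_PSK"}

# OpenSSL names drop the prefix entirely for plain RSA key exchange
# (e.g. AES128-GCM-SHA256); every other key exchange announces itself.
# Assumption: this prefix list covers the names a practitioner will meet.
NON_RSA_KX_OPENSSL = ("ECDHE-", "DHE-", "EDH-", "ECDH-", "DH-", "ADH-",
                      "AECDH-", "PSK-", "SRP-", "TLS_")


def iana_uses_rsa_kx(suite: str) -> bool:
    """True when an IANA-style suite name uses RSA key transport."""
    m = re.match(r"^TLS_(.+?)_WITH_", suite)
    return bool(m) and m.group(1) in RSA_KX_IANA


def openssl_uses_rsa_kx(suite: str) -> bool:
    """True when an OpenSSL-style suite name uses RSA key transport."""
    name = re.sub(r"^EXP(1024)?-", "", suite)  # export suites keep their kx
    if name.startswith("RSA-PSK-"):
        return True
    return not name.startswith(NON_RSA_KX_OPENSSL)


def audit(suites):
    """Split a configured suite list into (rsa_kx, safe_kx) lists."""
    rsa_kx, safe = [], []
    for s in suites:
        if s.startswith("TLS_") and "_WITH_" in s:
            flagged = iana_uses_rsa_kx(s)
        else:
            flagged = openssl_uses_rsa_kx(s)
        (rsa_kx if flagged else safe).append(s)
    return rsa_kx, safe


if __name__ == "__main__":
    # Constructed sample of a mixed server cipher list.
    sample = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256",
              "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_AES_256_GCM_SHA384",
              "RSA-PSK-AES128-CBC-SHA", "DHE-RSA-AES256-GCM-SHA384"]
    bad, good = audit(sample)
    print("disable (RSA key transport):", bad)
    print("keep (RSA used for signatures only, or no RSA):", good)
```

In OpenSSL cipher-string terms the flagged class is `kRSA`, so appending `!kRSA` to the server's cipher string removes exactly these suites.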

But if you are using Cisco ACE you are out of luck: Cisco ACE only supports RSA encryption, and Cisco has officially discontinued the product line, no longer maintains it and has no plan to provide an update, so it is a dead end...

Then again, Cisco itself is still using Cisco ACE, so it seems to be a case of "if you don't care, it doesn't hurt" XD

I have a Cisco ACE device.
Cisco informed us that the ACE product line was discontinued several years ago and that they won't provide an update. Still, we found plenty of vulnerable hosts that use these devices.

These devices don't support any other cipher suites, therefore disabling RSA is not an option. To our knowledge it is not possible to use these devices for TLS connections in a secure way.

However, if you use these products you're in good company: As far as we can tell Cisco is using them to serve the cisco.com domain.

Walmart is bringing robots into its stores to replace human work...

Saw in "Walmart will soon have robots roaming the aisles in 50 stores" that Walmart is bringing in robots to replace human work, such as checking for out-of-stock shelves, wrong prices, and wrong or missing labels:

The robots go up and down the aisles, scanning for out-of-stock items, incorrect prices, and wrong or missing labels.

A machine like this one:

Or a clearer photo of it scanning:

If machines keep taking over work that humans can do, is there a chance that eventually there is no work left to do? And if the whole world adopts an Unconditional Basic Income, will we get closer and closer to the future economy described in Star Trek, a world without money? Hard to say what things will look like two hundred years from now...

Using programs (robots) to write sports news automatically

Saw a brand-new experiment on TechCrunch, using programs (robots) to write sports news automatically: "Automated News Comes To Sports Coverage Via StatSheet"; the site is "StatSheet Network: Team-centric news, stats, analysis for college basketball".

Actually the readability isn't that bad? If the goal is to stay neutral, this kind of news is really just pulling up earlier data and merging it into an article?