幹壞事是進步最大的原動力
看到 Amazon CloudFront 宣佈在東京開到第八個點了:「Amazon CloudFront launches eighth Edge location in Tokyo, Japan」。
Amazon CloudFront announces the addition of an eighth Edge location in Tokyo, Japan. The addition of another Edge location continues to expand CloudFront's capacity in the region, allowing us to serve increased volumes of web traffic.
這個成長速度有點驚人,一月才加了兩個,現在又要再加一個... 不過大阪還是維持一個。
主要是記錄下來,完全不靠 Google 目前還是有點難度:「De-Googling my phone」。
主要是刷機成 LineageOS (還是 Android),然後上面不裝 OpenGApps,而是靠其他軟體來補足... 在英文版維基百科的「List of free and open-source Android applications」也有不少資訊可以看。
另外一個蠻重要的應該是 microG Project,不過在文章裡沒提到...
Twitter 上看到了 Amazon CloudFront 宣佈了台北的第二個 PoP:
Amazon CloudFront announces 2 new Edge Locations, adding a second location in Taipei & a third location in Singapore. https://t.co/pU5gDbJWBT pic.twitter.com/9U4ZLBSXmk
— Amazon Web Services (@awscloud) April 25, 2018
這個也是喊好久了,從去年就有消息一直到現在... 這樣台灣多了一個 backup,比較不會導去香港或是日本了。不過新 PoP 的代碼找不到,試著找 tsa 與 tpe 以及後面接數字,還是只有找到 tpe50,不知道是不是後來不露出代碼了...
在看 CPU credit 時發現 EC2 上有台 t2.micro CPU credit 一直掉,但是上面沒有跑什麼東西,所以先在內部的 Trac 上開張 ticket 追蹤... 然後這種事情都是一開 ticket 就馬上想到了 @_@
首先發現這些 CPU credit 是超出 max quota 144 的限制 (參考 AWS 的文件「CPU Credits and Baseline Performance」),就馬上想到是因為 t2 系列的機器在開機時會贈送 CPU credit 以避免開機時太慢 (參考文件「T2 Standard」),而贈送的這塊會優先使用,但不吃 max quota:
Launch credits are spent first, before earned credits. Unspent launch credits are accrued in the CPU credit balance, but do not count towards the CPU credit balance limit.
另外系統對每個帳號有限制,每個帳號每 24 小時在每區有 100 次的贈送限制:
There is a limit to the number of times T2 Standard instances can receive launch credits. The default limit is 100 launches or starts of all T2 Standard instances combined per account, per region, per rolling 24-hour period.
新帳號可能會更低,隨著使用情況調昇:
New accounts may have a lower limit, which increases over time based on your usage.
所以就知道為什麼會緩緩下降了,在到 144 之前都應該是下降的趨勢...
Cloudflare 推出了 Argo Tunnel,可以將內部網路與 Cloudflare 之間打通:「Argo Tunnel: A Private Link to the Public Internet」。
Cloudflare 在去年推出了 Wrap (可以參考「Cloudflare 推出的 Wrap 讓你不用在本地端開對外的 Port 80/443」這篇),這次其實只是改名:
During the beta period, Argo Tunnel went under a different name: Warp. While we liked Warp as a name, as soon as we realized that it made sense to bundle Warp with Argo, we wanted it to be under the Argo product name. Plus, a tunnel is what the product is so it's more descriptive.
看起來沒有什麼新的玩意... 純粹改名字 :o
看到「South Korea fines Facebook $369K for slowing user internet connections」這則新聞,裡面提到 Facebook 的 reroute 行為:
The Korea Communications Commission (KCC) began investigating Facebook last May and found that the company had illegally limited user access, as reported by ABC News. Local South Korean laws prohibit internet services from rerouting users’ connections to networks in Hong Kong and US instead of local ISPs without notifying those users. In a few cases, such rerouting slowed down users’ connections by as much as 4.5 times.
沒有告知使用者就導去香港或是美國的伺服器,聽起來像是 GeoDNS 的架構,以及 Facebook 的 CDN 架構幹的事情?不過在原報導裡面,另外一個指控是:
The KCC probed claims that Facebook intentionally slowed access while it negotiated network usage fees with internet service providers.
另外南韓官方也不承認使用者條款內的告知有效的:
Facebook said it did not violate the law in part because its terms of use say it cannot guarantee its services will operate without delays or interference. KCC officials rejected that argument, saying the terms were unfair. It recommended the company amend its terms of use.
現在看起來應該是要打官司?
AWS 宣佈了 Amazon ECS 也支援 Route 53 提供的 Service Discovery 了:「Introducing Service Discovery for Amazon ECS」。
也就是說現在都整合好了... 比較一下先前需要自己包裝起來套用的方式會少不少功夫:
Previously, to ensure that services were able to discover and connect with each other, you had to configure and run your own service discovery system or connect every service to a load balancer. Now, you can enable service discovery for your containerized services with a simple selection in the ECS console, AWS CLI, or using the ECS API.
AWS 在 2016 年的時候有寫一篇「Service Discovery for Amazon ECS Using DNS」在講怎麼透過事件的觸發配合 AWS Lambda 把服務掛上去或是移除掉:
Recently, we proposed a reference architecture for ELB-based service discovery that uses Amazon CloudWatch Events and AWS Lambda to register the service in Amazon Route 53 and uses Elastic Load Balancing functionality to perform health checks and manage request routing. An ELB-based service discovery solution works well for most services, but some services do not need a load balancer.
現在看起來都可以改用 Auto Naming API 了...
Mozilla 對 Alexa Top 1M Sites 偏安全面向的分析:「Analysis of the Alexa Top 1M Sites」。
對一般情況比較有用的應該是看絕對數字,也就是哪些功能是大家都優先採用了... 然後可以看出 HPKP 跟 SRI 果然是大家都懶得上的功能 (事倍功半 XDDD)。
另外也可以當作是安全性確認的 list,把 HTTP header 類的安全性設定都放上去了。
GitHub 在 2/28 遭受 DDoS 攻擊,蠻快就把事故報告丟出來了:「February 28th DDoS Incident Report」。
不過跟 GitHub 其他文章不太一樣,這篇算是 PR 稿吧,簡單來說就是花錢買 Akamai Prolexic 的過濾服務解決... Akamai 方的 PR 稿則是在「Memcached-fueled 1.3 Tbps attacks - The Akamai Blog」這邊可以看到。
17:21 UTC 發現問題,然後判斷超過 100Gbps,所以 17:26 決定讓 Akamai Prolexic 接管過濾:
At 17:21 UTC our network monitoring system detected an anomaly in the ratio of ingress to egress traffic and notified the on-call engineer and others in our chat system. This graph shows inbound versus outbound throughput over transit links:
Given the increase in inbound transit bandwidth to over 100Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity. At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai. Routes reconverged in the next few minutes and access control lists mitigated the attack at their border. Monitoring of transit bandwidth levels and load balancer response codes indicated a full recovery at 17:30 UTC. At 17:34 UTC routes to internet exchanges were withdrawn as a follow-up to shift an additional 40Gbps away from our edge.
就這樣而已,完全就是 PR 稿 XDDD
在「Italian Anti-Corruption Authority (ANAC) Adopts Onion Services」這邊看到,義大利政府因為法令要求必須保護告密者,而不只是在需要提供身份的階段才保護:
Many national laws (such as Italian Dlgs. 231/2001) require companies to adopt corporate governance structures and risk prevention systems, which can include allowing whistleblowing submissions. However, most whistleblowing laws only protect whistleblowers when their identity is disclosed, which can put the person reporting corruption at risk.
In 2016, the International Standards Organization (ISO) released a new model for organizations setting up and operating anti-bribery management systems, ISO 37001:2016. To meet ISO standards, organizations or companies implementing anti-corruption procedures must allow anonymous reporting, as explicitly indicated in point 8.9 of section C of ISO 37001:2016.
Furthermore, national laws (such as recent Italian 179/2017) require the adoption of IT systems for whistleblowing, leading to the practical integration and use of Tor for its technological anonymity features.
而義大利政府的系統選擇用 Tor 的 Onion (Hidden Service) 提供服務接受檢舉:
To comply with these standards, the Italian Anti-Corruption Authority (ANAC), an administrative watchdog, just launched their national online whistleblowing platform using onion services, giving whistleblowers who come forward a secure way to report illegal activity while protecting their identities.
這使用了 hidden service 的特性,讓伺服器端完全無法得知 client 的位置,對於使用有足夠保護的 browser 來說 (像是 Tor Browser),這可以完全讓 server 端無法得知身份,即使政府的伺服器都入侵也沒辦法知道告密者是誰。
這點頗先進的...
