幹壞事是進步最大的原動力
先前 Kagi 限制只有註冊的使用者可以搜尋,但這次更新可以分享結果了 (在 Changelog 上可以看到):
Enable sharing of search results pages with people who lack a Kagi account #23 @ivan
這邊連結的是「Enable sharing of search results pages with people who lack a Kagi account」這個功能,看起來也算是個推銷其他人用 Kagi 的功能,所以就被做出來了。
我用無痕模式模擬沒有登入的情況,測了「Kalafina」這個關鍵字,確認可以看到這頁的結果了。
看到「Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data」這篇,講 Zoom 在分享螢幕時的安全性問題,發現問題的德國資安團隊所寫的 security advisory 可以在「SYSS-2020-044.txt」這邊看到,對應的 CVE 號碼是 CVE-2021-28133。
安全問題出在,分享者要分享某個應用程式的畫面,但有可能會先分享到其他畫面,再切回來:
However, “under certain conditions” if a Zoom presenter chooses to share one application window, the share-screen feature briefly transmits content of other application windows to meeting participants, according to German-based SySS security consultant Michael Strametz, who discovered the flaw, and researcher Matthias Deeg, in a Thursday disclosure advisory (which has been translated via Google).
而目前的版本還是有一樣的問題:
The current Zoom client version, 5.5.4 (13142.0301), for Windows is still vulnerable to the issue, Deeg told Threatpost.
這個問題是去年十二月就通報了,過了三個月沒有回應,所以團隊公開出來:
Disclosure Timeline: 2020-12-02: Vulnerability reported to manufacturer 2020-12-02: Manufacturer acknowledges receipt of security advisory 2020-12-02: Manufacturer asks for more information 2020-12-03: SySS provides more information concerning the security issue 2020-12-03: Manufacturer confirms reproducing the security issue in both the Windows and the Linux client and asks further questions 2020-12-04: SySS answers open questions 2020-12-04: Manufacturer responds and will look into the reported security issue 2021-01-21: SySS asks for status update 2021-02-01: SySS asks for status update 2021-03-18: Public release of security advisory
不知道什麼時候會修正
在 OnionShare 官網上的說明是這樣寫:
OnionShare is an open source tool that lets you securely and anonymously share a file of any size.
Wiki 的說明比較清楚,實際上是在本機開一個 Hidden Service,而使用者必須透過 Tor Browser 這類的服務下載,這樣可以達成提供者與下載者都彼此匿名:
OnionShare lets you securely and anonymously share files of any size. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable URL to access and download the files. It doesn't require setting up a server on the internet somewhere or using a third party filesharing service. You host the file on your own computer and use a Tor onion service to make it temporarily accessible over the internet. The other user just needs to use Tor Browser to download the file from you.
用法的部份就更清楚了:
Open OnionShare, drag and drop files and folders you wish to share into it, and click Start Sharing. After a moment, it will show you a .onion URL such as http://asxmi4q6i7pajg2b.onion/egg-cain. This is the secret URL that can be used to download the file you're sharing.
如果下載者不是那麼在意匿名性的話,Tor2web 這類的服務應該也可以用...
感覺以現在提供的功能來看還是不夠便利,實驗性質居多 XD
tl;dr:Facebook 認為這個功能是 feature,不是 bug。
在「Why you shouldn’t share links on Facebook」這邊作者發現在 Facebook 上貼的「任何一個連結」都會產生 object id,而任何一個 object id 都可以直接取得 url,無論權限設定,像是這樣:
而 Facebook 認定這是 feature 而非 bug:
可以想像 NSA 之類的單位與地下組織開始狂掃...
在「More Concurrency: Improved Locking In PostgreSQL」這邊提到 PostgreSQL 的 Row Locking 的改善,也就是 SELECT ... FOR UPDATE 與 SELECT ... FOR SHARE。
查了一下 SELECT 的文件,在 7.2 開始提供 FOR UPDATE (PostgreSQL: Documentation: 7.2: SELECT),在 8.1 開始提供 FOR SHARE (PostgreSQL: Documentation: 8.1: SELECT),以維基百科上的紀錄來看,7.2 是 2002 年二月,8.1 是 2005 年十一月,都是已經提很久的功能了。
用 FOR UPDATE 與 FOR SHARE 可以降低對 transaction 的依賴程度,PostgreSQL 的預設值是 READ COMMITTED,配合 Row Locking 就已經可以做到不少效果了,不需要用到 SERIALIZABLE 等級。
而在最新的 PostgreSQL 9.5 (目前還是開發版),則又多提供了 FOR UPDATE SKIP LOCKED 功能,以官方提供的範例來說,就可以直接避開選位造成的 lock 問題了:
This makes sense because 100 users checking for a free seat concurrently will get 100 different rows. The consequence is that you are not stuck with 1 CPU but you can nicely scale out to all CPUs in the system. As conflicts cannot happen anymore, nobody has to wait on somebody else.
對 locking 控制的更細微。
Vagrant 1.5 出了:「Vagrant 1.5 and Vagrant Cloud」。
最大的亮點是前陣子就有寫「Feature Preview: Vagrant Share」的 Vagrant Share,可以讓其他人很方便的連到自己的 Vagrant 機器上。
Vagrant Cloud 則是產品面上的整合,算是社群功能?
最近拿 Vagrant 與 Docker 測試的次數愈來愈頻繁了,之前拿 Amazon EC2,但開機速度太慢,而 DigitalOcean 開機速度雖然快很多,但不是很容易透過 cli 操作...
而這兩套各有優缺點。Docker 速度快,但環境相容性沒有 Vagrant 好,另外 Vagrant 畢竟是包著 VirtualBox 這種全虛擬化環境,除了 Linux 以外也可以測其他的作業系統。
反正都是熱門的軟體,之後看社群發展出什麼功能再看要怎麼用 :p