
The Badlock security issue affects both Windows and Samba

A few days ago a security issue shared by Windows and Samba was announced, called Badlock: "Hype Around the Mysterious 'Badlock' Bug Raises Criticism (WIRED)". But the bug itself will not be disclosed before 4/12:

On April 12th, 2016, a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock.

Leaving a full three weeks for other people to find the problem is very unusual, mainly because enough information has already been given away to dig it out. The name is Badlock, so it looks like something caused by a lock plus a race condition, and since Windows and Samba are affected at the same time, it is probably in code that came out of collaboration between Microsoft and Samba, or is caused by some problem in the protocol workflow.

It's especially interesting in this case since we have a name "Badlock" so we know it probably involves locking. We know it affects Samba and Windows. And we know who it was found by so we can look at which bits of Samba they've been working on lately. That's a lot of information for a clever person.

I expect someone will publish it within these three weeks; there really is too much information out there. What is worse may not be a released 0-day exploit, but this vulnerability ending up on the black market and being exploited there.

Announcing that a vulnerability exists first and then giving vendors three weeks to patch looks like the research team hyping for fame while botching the actual security issue.

pid.codes: handing out USB Product IDs for Open Source Hardware

The explanation on pid.codes is already very clear: "Welcome to pid.codes".

Because USB-IF charges each vendor USD$5000, and the ID may not be shared with other organisations:

If you’re a maker, hobbyist, or startup company producing your own USB device, you’ve probably discovered that you need a USB Vendor ID and Product ID to uniquely identify your device to computers. The USB-IF’s position is that the only way to do this is for each organisation to pay $5000 for a unique Vendor ID, which they may not share with other individuals or organisations.

This leads many people to misuse Vendor IDs and Product IDs:

For many makers and small companies, this is a prohibitive amount of money, and forces them to resort to workarounds, such as using other organisations' VIDs without permission, or simply making up a VID and PID. These solutions make things worse for everyone, by damaging the assumption that a VID/PID combination is unique to a given device.

They looked for a solution and obtained a Vendor ID that had been issued before USB-IF prohibited sharing, which resolves the problem:

pid.codes seeks to solve this issue for anyone producing open-source hardware. We have been gifted a Vendor ID by a company that was issued one by USB-IF and has since ceased trading; they obtained the Vendor ID before the USB-IF changed their licensing terms to prohibit transfers or subassignments.

For today's browsers, does CSS still need vendor prefixes...

The article "Do we need box-shadow or border-radius prefixes anymore?" gives the TL;DR right at the start:

  • If missing rounded corners (border-radius) or shadows (box-shadow) would make things awkward for the user.
  • If these four platforms (and their browsers) still have enough traffic: Firefox 3.6 and earlier, Safari 4 and earlier, iOS 3.2 and earlier, Android 2.3 and earlier.

In these two cases, you still need to add vendor prefixes...

For the longer explanation, see the second half of the original article, which covers the two effects separately.

If you are a Sass (SCSS) user, just add them; the tooling does it all for you anyway... The validator will complain that the CSS is invalid, but I don't recall ever seeing a browser refuse to work because of a CSS vendor prefix... (is there really one? XD)
