在南極洲收銀行 OTP 簡訊的方式

看到「SMS Multifactor Authentication in Antarctica」這篇,講在南極洲收銀行 OTP 簡訊的方式 (one-time password,常見的形式是六碼或是七碼數字)。

很明顯的,南極洲沒有什麼電信商可以讓你漫遊 XD

一開始是試著用 Verizon Messages Plus,這個服務可以在電信商直接把簡訊改成 e-mail 寄出來,但作者發現所有的簡訊都會轉送,就是銀行的不會轉送 XDDD

接著是試著用 Google Voice 的號碼,但銀行會判定為 VoIP 電話而不送。

另外的方式是「Wifi Calling」,看起來應該是 VoWiFi 這個台灣更常見的詞,透過 internet 連到電信商的網路掛進去,而不需要透過電信商的基地台。

McMurdo 的網路目前還是有很多不一樣的限制與問題:

At McMurdo, phones have access to a wifi network only for wifi calling and texting, not for general Internet access. It’s just a prototype at this time. It doesn’t work in all cases or in all areas, and for one reason or another it doesn’t work for some people, even if they’ve followed all the steps for enabling wifi calling.

看起來作者遇到的問題是 latency 過高以及頻寬不穩定的問題:

Also, the protocol assumes terrestrial broadband with reasonable latency and bandwidth. At McMurdo, as of this writing, latency to terrestrial locations is in excess of 700 milliseconds. Usable bandwidth for any given end user can vary widely, down to a few dozen kilobits per second.

然後也很難 troubleshooting:

The protocol also doesn’t expose any useful diagnostic info to the end user in order to troubleshoot. You just have to cross your fingers that the magic “wifi calling” icon lights up.

接下來作者嘗試的是 Voice MFA,但不存在這樣的電話號碼可以轉接之類的:

Direct inward dialing to US Antarctic stations isn’t generally available, so you probably can’t configure your cell phone number to forward to a number you can directly answer on-station. (I’m aware of some exceptions to this.)

作者最後提了兩個方法,第一個是想辦法找一個銀行不會擋的虛擬號碼註冊,但這個方法基本上是個貓抓老鼠的遊戲。第二個是作者實做的方法,自己搞 relay,透過 IFTTT 或是其他類似的工具來轉:

轉出來像是這樣:

也許等基礎建設好一點之後,VoWiFi 應該就有機會通?

VirtualBox 7.0.0 出了

LWN 看到 VirtualBox 7.0.0 出了:「VirtualBox 7.0.0 released」,其中 Changelog 可以在「Changelog-7.0」這邊翻到。

Ubuntu 下的更新還算方便,先把 VM 都關掉,移除 virtualbox-6.1 後再裝 virtualbox-7.0,然後把 VM 開起來看看有沒有什麼問題。

在 Changelog 裡面看到這個,這些 3D support 不知道有支援到什麼程度:

Devices: Implemented new 3D support based on DirectX 11 (and DXVK on non Windows hosts)

我把 Enable 3D Acceleration 的選項打開後變成只能跑 1600x1200,本來 1920x1200 不能跑,所以只好又關掉...

另外是支援了 virtual TPM 可以掛進去:

Devices: Added virtual TPM 1.2 and 2.0 devices

然後以前 USB 裝置的支援是 proprietary software,現在放到 open source 版本裡面了:

Devices: The EHCI and XHCI USB controller devices are now part of the open source base package

目前用起來沒什麼大問題,繼續觀察看看。

軟體模擬 FIDO2 裝置

看到「Virtual FIDO」這個專案,用軟體模擬 FIDO2 裝置:

Virtual FIDO is a virtual USB device that implements the FIDO2/U2F protocol (like a YubiKey) to support 2FA and WebAuthN.

就安全性來說有點本末倒置,畢竟硬體確保了 secret 無法被軟體直接搬走,而這個軟體模擬的方式就沒辦法了,這個專案比較像是實驗示範性質...

翻了一下 Hacker News 上也有人提到這個問題:「Show HN: A virtual Yubikey device for 2FA/WebAuthN (github.com/bulwarkid)」,但也有提到「tpm-fido」這個專案,用 TPM 來保護:

tpm-fido is FIDO token implementation for Linux that protects the token keys by using your system's TPM. tpm-fido uses Linux's uhid facility to emulate a USB HID device so that it is properly detected by browsers.

這個至少有一點保護,但還是不像實體的 YubiKey 那樣會需要碰一下才認證。

Akamai 併購 Linode

目前在 Hacker News 首頁第一名,Akamai 併購 Linode:「Akamai To Acquire Linode to Provide Businesses with a Developer-friendly and Massively-distributed Platform to Build, Run and Secure Applications」,Linode 的新聞稿則是在「Linode and Akamai」,Hacker News 上的討論在「Akamai to Acquire Linode (akamai.com)」這邊。

併購金額與預期的時間表:

Under terms of the agreement, Akamai has agreed to acquire all of the outstanding equity of Linode Limited Liability Company for approximately $900 million, after customary purchase price adjustments. As a result of structuring the transaction as an asset purchase, Akamai expects to achieve cash income tax savings over the next 15 years that have an estimated net present value of approximately $120 million. The transaction is expected to close in the first quarter of 2022 and is subject to customary closing conditions.

好像會有記者會... 應該會有更多說明。

Amazon VPC 支援純 IPv6 的網段了

Amazon VPC 支援純 IPv6 的網段了:「Amazon Virtual Private Cloud (VPC) customers can now create IPv6-only subnets and EC2 instances」。

先前機器都還是要設一個 IPv4 位置,所以網段都必須有 IPv4 network space,這次推出使得機器可以跑在 IPv6-only network 上了,不過 Linux 裡面應該還是會有個 lo127.0.0.1...

短時間應該用不到,不過可以先玩看看感覺一下...

Amazon VPC 允許直接把整個網段配到某台 EC2 Instance 上了

看到「Amazon Virtual Private Cloud (VPC) customers can now assign IP prefixes to their EC2 instances」這邊的消息,VPC 可以把整個網段配到某台 EC2 Instance 上了。

之前也有其他方法可以做到類似的事情:

  • 用 VPC 提供的 Routing Table 把網段指到某台 EC2 的機器上。
  • 把這台 EC2 機器的「Enable Source/Destination Check」關閉。

目前就是用這個方法搞定 VPN server 的:我們希望機器連上 VPN 後拿到 10.x.x.x 的 IP address,而且可以被 VPC 內直接存取,而不要被 NAT 掉。

好像該開張票轉移過去...

繞過 Screensaver Lock 的有趣話題...

Hacker News Daily 上看到「Screensaver lock by-pass via the virtual keyboard」這篇,裡面這邊題到了 screensaver lock 的有趣話題。

先講嚴肅一點的,這個 bug 被編號為 CVE-2020-25712,問題出在 xorg-x11-server 上:

A flaw was found in xorg-x11-server before 1.20.10. A heap-buffer overflow in XkbSetDeviceInfo may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

比較有趣的事情是,這個 bug 是小朋友在亂玩時拉出 virtual keyboard 觸發的:

A few weeks ago, my kids wanted to hack my linux desktop, so they typed and clicked everywhere, while I was standing behind them looking at them play... when the screensaver core dumped and they actually hacked their way in! wow, those little hackers...

然後他說他自己搞不出來:

I tried to recreate the crash on my own with no success, maybe because it required more than 4 little hands typing and using the mouse on the virtual keyboard.

另外一個人也說他家小朋友也弄出 segfault 了:

My kids came upon a similar cinnamon-screensaver segfault! I've emailed details of how to reproduce the problem to root@linuxmint.com.

小朋友超強 XDDD

AWS 推出了 AWS Network Firewall

AWS 推出了 AWS Network Firewall,可以在 VPC 層做更多細緻的設定了:「AWS Network Firewall – New Managed Firewall Service in VPC」。

本來的 Network ACLs 的設計也是對 VPC 做過濾,但就是很標準的 stateless filtering:

Network ACLs are stateless, which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).

而這次推出的 AWS Network Firewall 引入了 stateful filtering 的能力:

另外介紹裡面也提到支援 Suricata 的語法,不過太久沒碰 IDS 這塊了,我只知道 Snort

A stateful rule group with Suricata compatible IPS rules has all settings defined within the Suricata compatible specification. For example, as following is to detect SSH protocol anomalies. For information about Suricata, see the Suricata website.

目前支援的區域很少,只有 us-east-1us-west-2eu-west-1 可以用:

AWS Network Firewall is now available in US East (N. Virginia), US West (Oregon), and Europe (Ireland) Regions. Take a look at the product page, price, and the documentation to learn more.

另外價錢上不算便宜:「AWS Network Firewall Pricing」,比較特別的是用 AWS Network Firewall 的話,包含了免費的 NAT Gateway 額度可以用...

印象中 Network ACLs 不用另外付費 (找了一下沒找到收費的標準?),如果可以用 Network ACLs 解決就用 Network ACLs,不能的再考慮用 AWS Network Firewall 吧...

自幹 VR 眼鏡

Hacker News Daily 上看到「Relativty‍ an open-source VR headset」這個自幹 VR 眼鏡的專案,專案可以在 GitHub 的「relativty/Relativty」這邊看到。

看起來是使用 3D 印表機生出配件,然後用 ArduinoCore-sam 開發軟硬體的部份,目前的系統可以在 2K 解析度下跑 120fps:

The Relativty firmware, which powers the actual physical device, is based on ArduinoCore-sam. So in addition to the Relativty Motherboard, it is compatible with Arduino Due or any other board equipped with a processor that supports the ArduinoCore.

Relativty headset runs a 2K dual-display at 120FPS. However, because of the open nature of Relativty you can use any display as long as your computer is able to handle it. From more affordable 90Hz 1080p screen to 4K panels.

不過不知道反應延遲有多高,偏高的話會有 3D 暈的問題,在網站裡面沒提到,我猜應該會是痛點... 另外看起來是想要商業化,頁面下面有 hiring 的資訊,先觀望看看好了?

Vim 的 virtualedit 與 GNU Make 內的 .PHONY

在「Writing a Book with Pandoc, Make, and Vim」這邊看到作者在講他怎麼用 Pandoc + GNU Make + Vim 寫書,不過我這邊看到兩個有趣的東西 (標題提到的那兩個),拉出來寫一下...

一個是 Vim 的 set virtualedit=all,可以不受限制的移動,等到實際編輯時再產生出對應需要的空白,這對於畫表格會方便不少:

另外一個是 GNU Make 的用法,平常我們都是在 .PHONY 裡指定實際上不會存在的 target:

.PHONY: clean
clean:
        rm -rf ./output

這邊作者提供的方式是產生一個叫做 phony 的 target,然後就不需要在 .PHONY 裡條列,而是各自在自己的 target 裡面引用 phony

.PHONY: phony
clean: phony
        rm -rf ./output

不過作者有提到效能問題:

Note that this trick can slow down huge Makefiles.

另外作者又提醒我 draw.io 這個好用的工具,之前用過幾次後就忘記了...