跨瀏覽器追蹤的方式

看到「Exploiting custom protocol handlers for cross-browser tracking in Tor, Safari, Chrome and Firefox」這個方式,跨瀏覽器收集 fingerprint 追蹤。

這次用的方式是透過 handler 追:

The scheme flooding vulnerability allows an attacker to determine which applications you have installed. In order to generate a 32-bit cross-browser device identifier, a website can test a list of 32 popular applications and check if each is installed or not. On average, the identification process takes a few seconds and works across desktop Windows, Mac and Linux operating systems.

最近大家比較常使用到的應該就是 Zoom 從網頁把應用程式帶起來的方式:

而要怎麼偵測的部份,用到了不同瀏覽器的 side channel。

Chromium 系列的部份對應的 ticket 在「Issue 1096610: External Protocol handler anti-flood protection is ineffective and flaky」這邊有被提出來。主要用到的方法是,在遇到有 handler 時,連打兩次時會被擋下:

被擋下後再打都會失敗,所以需要一個方式重設 flag,而內建的 Chrome PDF Viewer 剛好可以重設 flag:

The built-in Chrome PDF Viewer is an extension, so every time your browser opens a PDF file it resets the scheme flood protection flag. Opening a PDF file before opening a custom URL makes the exploit functional.

Firefox 的 side channel 則是可以透過 same-origin policy 測試當作 side channel,對應的 ticket 在「Scheme flooding technique for reliable cross-browser fingerprinting」這邊:

Every time you navigate to an unknown URL scheme, Firefox will show you an internal page with an error. This internal page has a different origin than any other website, so it is impossible to access it because of the Same-origin policy limitation. On the other hand, a known custom URL scheme will be opened as about:blank, whose origin will be accessible from the current website.

Safari 上的問題與 Firefox 一樣,不過沒登入看不到 ticket (也懶的註冊了):

You are not authorized to access bug #225769. To see this bug, you must first log in to an account with the appropriate permissions.

另外,雖然 Tor Browser 底層是 Firefox,但因為有改變預設值,所以攻擊者也得換方法:

Tor Browser is based on the Firefox source code, so the Same-origin policy trick was used here as well. But because Tor Browser does not show pop-ups, we used the same-origin policy trick with iframe elements instead.

這個方法還蠻暴力的...

EC2 的大記憶體機器又推新規格了...

這次 Amazon EC2 的機器又推出一些新規格了:「Amazon EC2 High Memory Instances now available for on-demand usage」。

然後每次推這些機器的時候都會提到 SAP HANA,都沒有其他的例子可以說... 話說業界就只剩下這套系統是完全都沒在考慮分散式架構嗎 XDDD (完全沒用過)

SAP customers continue to leverage AWS as their platform of choice and innovation. Some are in the early stages of their SAP cloud journeys and are focused on executing their migration. Others have hardened their SAP systems on AWS and are innovating around their core business processes with advanced AWS services.

另外他有提到 24TB 的機器,在 Amazon EC2 Instance Types 這邊可以翻到 u-24tb1.metal

In 2018, we released High Memory Instances in response, which now offer up to 24TB of memory in a single instance.

不過你會發現在 Amazon EC2 On-Demand Pricing 這邊翻不到 24TB 的價錢,先前在「EC2 推出 18TB 與 24TB 的機器...」這邊有過這些機器買三年 RI 才能用,所以這次推出來 12TB 的機器算是隨時租用的機器裡面記憶體最多的了...

u-12tb1.112xlargeus-east-1 的價錢是 USD$109.2/hour,想要玩的人可以測試看看,至少應該玩的動 XD

AWS 推出 Incident Manager 服務

AWS 推出了 Incident Manager 服務,掛在 AWS Systems Manager 下,這類似於 PagerDuty 這類的服務:「Resolve IT Incidents Faster with Incident Manager, a New Capability of AWS Systems Manager」。

比較特別的是費用的部份,可以參考「AWS Systems Manager pricing」這邊的資料,他是依照 incident 的次數算錢,每個 incident 算 USD$7,另外加上對應的 SMS 或是 voice message 費用。

回頭來看 PagerDuty 的部份,費用的部份是以人頭計算,Business Plan 是 USD$39/user/month,然後已經包括括無限數量的 SMS 通知了。

功能上看起來 PagerDuty 還是比較好,Incident Manager 如果要把外部服務拉進來的話看起來得透過 EventBridge 去接,麻煩不少...

GitHub 支援 SSH 使用 Security Key 了

GitHub 宣佈支援使用 security key 的 SSH key 操作了:「Security keys are now supported for SSH Git operations」。

也就是需要 SSH key + security key 才有辦法認證,只有拿到 SSH key 或是 security key 都是沒有辦法認證過。

目前官方支援 ecdsa-sked25519-sk

Now you can use two additional key types: ecdsa-sk and ed25519-sk, where the “sk” suffix is short for “security key.”

不過在 Ubuntu 20.04 下用預設的系統只能支援 ecdsa-sk,因為 ed25519-sk 會遇到類似「ed25519 problem with libressl」這邊的問題,就算你用的是 OpenSSL

然後生完 key 後在 ~/.ssh/config 裡面指定對 github.com 使用這把 key:

Host github.com
    IdentityFile ~/.ssh/id_ecdsa_sk

接下來操作的時候就會需要碰一下 security key 了。

AWS us-east-1 的 Local Zone 開了:波士頓、邁阿密與休士頓

AWS 開了 us-east-1 的 Local Zone 了,包括波士頓、邁阿密與休士頓:「AWS Local Zones Are Now Open in Boston, Miami, and Houston」。

Last December I told you about our plans to launch a total of fifteen AWS Local Zones in 2021, and also announced the preview of the Local Zones in Boston, Miami, and Houston. Today I am happy to announce that these three Local Zones are now ready to host your production workloads, joining the existing pair of Local Zones in Los Angeles.

The parent region for all three of these zones is US East (N. Virginia).

在「AWS Local Zones features」這邊可以看到 local zone 並不是所有服務都有,主要是提供 computing 能力,不過連 ELB 都沒有就有點...

不清楚是不是因為 us-east-1 真的很大,所以要透過 local zone 提供擴張... 這些區域對 us-east-1 北維吉尼亞的 latency 不算低,找機會玩一下確認 local zone 的情況好了...

CVE-2021-32471 發了一個 1967 年電腦的安全性漏洞?

Hacker News 首頁上看到好幾則都在講 CVE-2021-32471

Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states "this vulnerability has no real-world implications."

等下,今天不是四月第一天啊,現在已經五月多了啊...

Rocky Linux 放出 RC1 了

Red Hat 實質上廢掉 CentOS 後,原來 CentOS 的人決定要再 fork 一次,弄了 Rocky Linux,前幾天放出 RC1 了:「Rocky Linux 8.3 RC1 Available Now」。

還沒下載下來測試,但我猜應該跟當初的 CentOS 差不多...

文章裡面提到的贊助商不少大公司,包括 AWS 也在列表內,好像可以理解為什麼...

另外翻到「Public active mirrors」這頁,看到 Fastly 居然有贊助頻寬,看起來也不需要擔心頻寬問題了。

等晚點再進去看看情況... 話說回來,官網上對 Rocky Linux 的介紹真是隱晦,完全不提到 Red Hat 看起來是避免被告 (以及被搞):

Rocky Linux is a community enterprise operating system designed to be 100% bug-for-bug compatible with America's top enterprise Linux distribution now that its downstream partner has shifted direction. It is under intensive development by the community. Rocky Linux is led by Gregory Kurtzer, founder of the CentOS project. Release Candidate 1 is now available for testing. Contributors are asked to reach out using the communication options offered on this site.

Twitter 推出打賞功能

Twitter 推出了 Tip Jar,也就是打賞功能:「Introducing Tip Jar」。

支援多種支付方式,包括 BandcampPatreon 這種創作者平台,另外也支援 Cash AppPayPalVenmo 這些一般性的金流平台。也因為實際上的金流不通過 Twitter 本身,所以就只有金流平台會收取的手續費:

The services* you can add today include Bandcamp, Cash App, Patreon, PayPal and Venmo. Twitter takes no cut.

看起來像是帶去其他 app 而已,所以不會有 iOSAndroid 的 30% 或是 15% 的問題。

CloudFront 的印度與亞太區降價

AWS 宣佈 CloudFront 在印度與亞太區降價:「Amazon CloudFront announces price cuts in India and Asia Pacific regions」,回朔至這個月月初生效:

Amazon CloudFront announces price cuts of up to 36% in India and up to 20% in the Asia Pacific region (Hong Kong, Indonesia, Philippines, Singapore, South Korea, Taiwan, & Thailand) for Regional Data Transfer Out to Internet rates. The new CloudFront prices in these regions are effective May 1st, 2021.

比了一下現在的「Amazon CloudFront Pricing」與 Internet Archive 上的「Amazon CloudFront Pricing」,看起來 First 10TB、Next 40TB、Next 100TB 與 Next 350TB 的部份都有降,更多的部份則是維持原價。

對一般簡單用的人來說,主要是落在 First 10TB 這個區間,亞太區的每 GB 單價從 USD$0.14 降到 USD$0.12,不無小補,而有夠大的量的單位應該都去談 commit & discount 了...