2014-03-05
Meteor + Mylar, Fear Not Even If The Server Turns Traitor

Most of the data held by the websites we use is stored on the server in plaintext; server-side code authenticates users and enforces their access permissions. As business logic grows more complex, vulnerabilities inevitably creep in, and even sensitive applications like Alipay are no exception. On top of that, more and more websites are built on public cloud platforms, which raises a further concern: will the owner of the cloud platform steal my confidential data?

It is therefore best to encrypt the data stored on the server and keep the decryption key in the user’s hands, so that only the user ever sees plaintext while the website owner, the cloud provider and any intruder on the server see only ciphertext. Mylar, to be published at NSDI 2014 (a top conference in networked systems), is a framework for building web applications on top of encrypted data in exactly this way.

Read More

2014-03-03
Google's Internet Ambitions

A few days ago I gave an internal tech talk, and my colleagues’ opinions were all over the map, so I decided to open the discussion up here. This article covers Google’s network infrastructure projects, Google Fiber and Google Loon, and its work on network protocols, QUIC, driven by the ambition of turning the Internet into its own data center.

Wired Network Infrastructure—Google Fiber

The goal of Google Fiber is to bring gigabit Internet to thousands of households. At gigabit speed a 7 GB movie downloads in about a minute (if you are still on a mechanical hard drive, you will not even be able to write it to disk that fast). The project is currently piloted in only two US cities, Kansas City and Provo, and offers three packages in both; taking Kansas City as an example: [1]

  1. Gigabit Internet + Google TV: $120/month
  2. Gigabit Internet: $70/month
  3. Free Internet: 5 Mbps download, 1 Mbps upload, no monthly fee, but a one-time $300 installation fee.

The third plan is slower than what most US telecom operators offer, and most households already buy TV service from a cable operator, so for families that can afford it the comparison points to the second package ($70/month gigabit) as the best value for money.

Two points are worth debating here:

  1. Technically, can everyone have such a fast gigabit network?
  2. Can $70/month recover the cost of Google building a gigabit network?
Read More

2014-02-26
Behind the Beautiful Encounter Ticketing System

Today I grabbed a router; it took me an hour, and before that I was stuck in a “crowded” queue the whole time. It reminded me of the ticketing system I built for Beautiful Encounter last year. People ask: why can’t the script I wrote get me a ticket? This article reveals the answer.

The conditions that the ticketing system must meet are:

  1. One person, one ticket: nobody can get two tickets;
  2. The tickets allotted for each day must be issued exactly, neither more nor less (assuming enough people are trying to grab them);
  3. Grabbing tickets with a program must not succeed with a significantly higher probability than grabbing them by hand.
Read More

2014-02-24
Building an Anti-Pollution DNS

DNS is a fundamental Internet service, but its importance is often underestimated. In August 2013 the .cn top-level domain name servers were hit by a DDoS attack, making .cn domains unreachable; on January 21, 2014 the root name servers were polluted by a certain famous firewall, making all international domains unreachable. Many internationally known websites cannot be reached from mainland China partly because they suffer DNS pollution, that is, a wrong IP address is returned for the domain name.

Building an anti-pollution DNS is not as simple as resolving every domain name through a VPN. There are two main problems:

Read More

2014-02-23
Two Pitfalls of Port Mapping

I helped a friend set up port mapping and, not having touched iptables for a few months, ran into two pitfalls. I’d like to share them with you.

Read More

2014-02-15
Overview of Network Virtualization Technology

Network virtualization creates a virtual network whose topology differs from that of the physical network. For example, a company with offices around the world that wants its internal network to behave as a single whole needs network virtualization.

Starting from NAT


Read More

2014-02-10
Several Techniques for Writing High-Performance Software

As computers have grown faster and software more complex, performance is often no longer the most important yardstick for software. But sometimes we really do need to squeeze everything out of the machine. In research in particular, to beat the competition on a performance metric you have to optimize not only the algorithm (the asymptotic complexity) but also the implementation (the constant factor hidden in that complexity). This article tries to summarize a few rules and is open for discussion:

Do not use open source software

Open source software usually solves a general problem, so it carries many configuration parameters and conditional branches that are almost never exercised; it also usually ranks code readability and maintainability above performance, so it rarely uses so-called “tricks”.

Read More

2014-02-10
How Bitcoin Works

After two dramatic boom-and-bust cycles in April and November last year, Bitcoin is no longer just a toy for IT people but a topic of debate across society. Yet most articles on how Bitcoin works technically are superficial. Chatting with good friends over New Year, we came up with the following questions, which this article hopes to answer:

  1. How is a Bitcoin transaction verified so that it cannot be repudiated?
  2. How is spending the same Bitcoin twice prevented?
  3. If I alone control 10% of the network’s computing power, can I rewrite history?
  4. Why does a Bitcoin transaction have to wait tens of minutes?
  5. How does Bitcoin enforce a limited supply (21 million)?
  6. How is the mining rate kept at about one block every 10 minutes?
  7. What does it mean to mine 0.1 Bitcoin at a time?
  8. Does a transaction of 10,000 Bitcoins require generating 10,000 transaction records?
  9. With such a large volume of Bitcoin transactions, how are the transaction records transmitted and stored?
Read More

2014-02-09
Differential Disk: Starting from "Factory Reset"

Many embedded devices such as smartphones and routers have a “factory reset” function. By the “backup” habit everyone has on PCs, it would seem necessary to keep a copy of the entire system in read-only ROM at the factory. If that were the case, every factory reset would have to copy the ROM contents into flash storage, wasting a lot of space and taking a long time. In fact a factory reset is just a reboot, and the flash storage of the freshly restored system is basically empty.

(Thanks to BW’s comment: Android’s factory reset does not use differencing; it simply wipes the data partition, and modifications to the /system partition are not reverted. I got that wrong.)


Read More

2013-11-22
Let Chrome Use SSH Proxy

Sometimes we need remote access to a website that is reachable only from the server’s network, such as a router’s web control panel. Browsing it with links on the server is clearly impractical. Instead we can set up an ssh tunnel between the local machine and the server and let the local browser reach the restricted site through the tunnel.

First, use ssh -D to set up a SOCKS5 tunnel between the local machine and the server (60000 is an arbitrary port greater than 1024 and less than 65536; -N runs no remote command, -n and -T give up stdin and the tty since we only want the tunnel, -C enables compression, -q suppresses warnings, and -2 forces protocol version 2):

ssh -C2qTnN -D 60000 user@remote-host

Then make Chrome go through the SOCKS5 tunnel. The Chrome extension Proxy Switchy no longer works because Chrome no longer supports NPAPI, and Proxy SwitchySharp sometimes fails. Some articles online say chrome --proxy-server is enough, but that does not work when another Chrome instance is already open, because the new chrome.exe simply hands off to the running instance, whose proxy settings are unchanged.

A more reliable method is to open an Incognito window with a user data directory that does not yet exist, so that Chrome cannot find the running instance. Afterwards, delete the newly created user data directory (C:\Temp\Chrome in the example below). Note that socks5 below cannot be replaced with http: they are different protocols, and the port opened by ssh -D only speaks SOCKS.

PS C:\Program Files (x86)\Google\Chrome\Application> .\chrome.exe --proxy-server="socks5://127.0.0.1:60000" --incognito --user-data-dir=C:\Temp\Chrome
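A quick check before launching the browser: confirm that the local port really speaks SOCKS5 (that the ssh -D tunnel is up, and that you have not pointed Chrome at an HTTP proxy by mistake). The following is an added example, not code from the original post; it assumes the tunnel is on 127.0.0.1:60000 as above. It sends the SOCKS5 greeting (version 5, one auth method: none) and accepts only the two-byte reply 05 00 that a SOCKS5 server gives; an HTTP proxy would answer with text. It also builds a CONNECT request carrying the hostname (ATYP 3), which is what lets name resolution happen on the server side of the tunnel. The self-check starts throwaway loopback listeners that imitate the two cases so it runs offline.

```python
"""Probe a local port for SOCKS5 (e.g. the port opened by `ssh -D`).

Added example for the Chrome-over-SSH-tunnel post; not part of the original.
The port 60000 below is the arbitrary tunnel port used in the post.
"""
import socket
import threading

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03


def greeting() -> bytes:
    # Client greeting: version 5, one method offered, method 0x00 = no auth.
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host: str, port: int) -> bytes:
    # CONNECT with ATYP=3 (domain name): the hostname is sent as-is so the
    # SOCKS server (the ssh side) resolves it, not the local machine.
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + port.to_bytes(2, "big")


def parse_greeting_reply(data: bytes) -> bool:
    # A SOCKS5 server answers exactly [0x05, chosen method]. Anything else,
    # such as the "HT" of an HTTP proxy's "HTTP/1.1 400 ..." line, is not SOCKS5.
    return len(data) >= 2 and data[0] == SOCKS_VERSION and data[1] == NO_AUTH


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:  # peer closed early
            break
        buf += chunk
    return buf


def probe_socks5(host: str = "127.0.0.1", port: int = 60000, timeout: float = 3.0) -> bool:
    """True iff something on host:port completes the SOCKS5 greeting with no-auth."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(greeting())
            reply = _recv_exact(s, 2)
    except OSError:  # nothing listening, refused, or timed out
        return False
    return parse_greeting_reply(reply)


def _serve_once(reply: bytes) -> int:
    """Throwaway loopback listener answering one client with `reply`.
    Exists only so the self-check runs offline; returns the chosen port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)  # swallow the client's greeting
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def self_check() -> dict:
    """Constructed scenarios: a fake ssh -D SOCKS5 port and a fake HTTP proxy port."""
    socks_port = _serve_once(bytes([SOCKS_VERSION, NO_AUTH]))
    http_port = _serve_once(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    return {"socks5": probe_socks5(port=socks_port), "http": probe_socks5(port=http_port)}


if __name__ == "__main__":
    print("self-check:", self_check())
    print("127.0.0.1:60000 speaks SOCKS5:", probe_socks5())
```

Run it after starting the ssh command; if the last line prints False, the tunnel is not up and Chrome's --proxy-server flag will just fail to connect.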
Read More