Steven Yang
Steven Yang's posts

Who says you can't be both at the same time? Programmers are great at keeping their progress with others asynchronous, and their programs completely synchronous.

Post has shared content
Martin Odersky talks about future plans for Scala in 2016 (and beyond...?). Slides are here:

For me, the highlights are:

* Dotty's compiler speed
* Union / Intersection types

Other cool points mentioned in the slides:

* Re-design of the Collections
* Modularization of the SDK
* Improvements to Scala.js
* New LLVM backend (Scala goes native!)
* "Scala Center" announcement

Overall I think this is great news for the evolution of the Scala language and platform.

Post has shared content
DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.

DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack.

Operators of vulnerable servers need to take action. There is nothing practical that browsers or end-users can do on their own to protect against this attack.

Modern servers and clients use the TLS encryption protocol. However, due to misconfigurations, many servers also still support SSLv2, a 1990s-era predecessor to TLS. This support did not matter in practice, since no up-to-date clients actually use SSLv2. Therefore, even though SSLv2 is known to be badly insecure, until now, merely supporting SSLv2 was not considered a security problem, because clients never used it.

DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.

A server is vulnerable to DROWN if:

* It allows SSLv2 connections. This is surprisingly common, due to misconfiguration and inappropriate default settings. Our measurements show that 17% of HTTPS servers still allow SSLv2 connections.

* Its private key is used on any other server that allows SSLv2 connections, even for another protocol. Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server. When taking key reuse into account, an additional 16% of HTTPS servers are vulnerable, putting 33% of HTTPS servers at risk.

Also, a lot more in-depth discussion of this issue, by people who understand it much better than I do, can be found here -
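The two conditions in the shared post above (the host answers SSLv2 itself, or shares a certificate with another host that does) can be checked without any SSLv2-capable client library, since the SSLv2 handshake is simple enough to speak by hand. The following is an added example, not code from the post or from the DROWN authors: it builds an SSLv2 CLIENT-HELLO, parses a SERVER-HELLO (a TLS alert or empty reply means the port does not speak SSLv2), and cross-references certificate fingerprints across endpoints so that a mail server's SSLv2 support is counted against the web server that presents the same certificate. The record and message layouts follow the SSL 2.0 specification; `probe_sslv2` needs network access, and the hostnames and the DER blob used in any demo are constructed.

```python
import hashlib
import os
import socket
import struct

# SSLv2 message types and protocol version from the SSL 2.0 specification
SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# The seven SSLv2 cipher specs (3 bytes each); the 40-bit export ciphers are the ones DROWN leans on
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}


def _record(body):
    """Wrap a message in a 2-byte SSLv2 record header (high bit set: no padding byte)."""
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_sslv2_client_hello(challenge=None):
    """CLIENT-HELLO: type, version, cipher-specs len, session-id len, challenge len, then the data."""
    if challenge is None:
        challenge = os.urandom(16)
    specs = b"".join(SSL2_CIPHERS)
    body = struct.pack("!BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION, len(specs), 0, len(challenge))
    return _record(body + specs + challenge)


def build_sslv2_server_hello(cert_der, cipher_specs, connection_id):
    """SERVER-HELLO as a vulnerable server would send it; used here to construct test data."""
    body = struct.pack("!BBBHHHH", SSL2_MT_SERVER_HELLO, 0, 1, SSL2_VERSION,
                       len(cert_der), len(cipher_specs), len(connection_id))
    return _record(body + cert_der + cipher_specs + connection_id)


def _unwrap_record(data):
    """Strip the 2- or 3-byte SSLv2 record header; raise ValueError if the record is short."""
    if len(data) < 2:
        raise ValueError("short record")
    if data[0] & 0x80:                      # 2-byte header, 15-bit length
        length, start = ((data[0] & 0x7F) << 8) | data[1], 2
    else:                                   # 3-byte header, 14-bit length plus padding byte
        length, start = ((data[0] & 0x3F) << 8) | data[1], 3
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return body


def parse_sslv2_server_hello(data):
    """Return the SERVER-HELLO fields if `data` is one, else None (a TLS alert, an SSLv3+
    record, an empty reply or a closed socket all yield None, i.e. no SSLv2 support)."""
    try:
        body = _unwrap_record(data)
    except ValueError:
        return None
    if len(body) < 11 or body[0] != SSL2_MT_SERVER_HELLO:
        return None
    _hit, _cert_type, version, cert_len, cs_len, conn_len = struct.unpack("!BBHHHH", body[1:11])
    rest = body[11:]
    if len(rest) < cert_len + cs_len + conn_len:
        return None
    cert_der = rest[:cert_len]
    specs = rest[cert_len:cert_len + cs_len]
    return {
        "version": version,
        "cert_der": cert_der,
        "cert_sha256": hashlib.sha256(cert_der).hexdigest(),
        "ciphers": [SSL2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
                    for i in range(0, len(specs), 3)],
    }


def probe_sslv2(host, port, timeout=5.0):
    """Send a CLIENT-HELLO over TCP and classify the reply. Needs network access and works
    on implicit-TLS ports only (443, 465, 993, 995); STARTTLS ports need the STARTTLS dance first."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            while len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                hello = parse_sslv2_server_hello(data)
                if hello is not None:
                    return hello
        except socket.timeout:
            pass
    return parse_sslv2_server_hello(data)


def drown_exposed(endpoints):
    """endpoints: dicts with host, port, cert_sha256 (from a TLS or SSLv2 handshake) and sslv2 (bool).
    An endpoint is exposed if it, or any endpoint presenting the same certificate, answers SSLv2.
    Returns the set of exposed (host, port) pairs, which covers the cross-protocol case in the post."""
    sslv2_certs = {e["cert_sha256"] for e in endpoints if e["sslv2"]}
    return {(e["host"], e["port"]) for e in endpoints if e["cert_sha256"] in sslv2_certs}
```

Two caveats when using this for real. Matching on the certificate hash only catches reuse of the same certificate; DROWN needs only the same RSA key, so a deployment that issues different certificates for the same key pair is missed, and production tooling should hash the SubjectPublicKeyInfo instead. And a SERVER-HELLO whose `ciphers` list is empty or contains only non-export ciphers still counts as SSLv2 support: the general DROWN attack needs any SSLv2 handshake with the key, not the export ciphers specifically.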

Post has attachment
This is true, and this is where most people feel helpless.

Post has shared content
Need to watch
So for those of you who enjoyed the #JavaScript #security challenge I posted earlier, this is the talk for you which goes through that and a whole bunch more.

Post has shared content
Great, learnt more new things.
Great video on JavaScript WTFs by +Kyle Simpson 

Post has shared content
So many standards and frameworks. What is your way to evaluate the best for your customers?
