原文已经无法访问了,特意搬运过来,英文吃力的同学,可以用google翻译,当然你要会科  学  上  网


  • 明文传输
  • 采用简单的用户名和密码验证,方法过于简单



PPTP Client

Protocol Security


by James Cameron


by Peter Mueller

PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead.

(Posted on 2005-08-10 to the mailing list)

Why not use PPTP?

by James Cameron

The point to point tunneling protocol (PPTP) is not secure enough for some information security policies.

It's the nature of the MSCHAP V2 authentication, how it can be broken trivially by capture of the datastream, and how MPPE depends on the MSCHAP tokens for cryptographic keys. MPPE is also only 128-bit, reasonably straightforward to attack, and the keys used at each end are the same, which lowers the effort required to succeed. The obvious lack of two-factor authentication, instead relying on a single username and password, is also a risk. The increasing use of domestic wireless systems makes information capture more likely.

However, that doesn't mean people don't accept the risks. There are many corporations and individuals using PPTP with full knowledge of these risks. Some use mitigating controls, and some don't.

Many people seem to judge the security of a protocol by the availability of the implementation, the ease of installation, or the level of documentation on our web site. Improving the documentation is the purpose of this web site, and we aren't doing that in order to say anything about the risks of the software! Any judgement of security should be rigorously applied to the design and implementation alone.

PPTP on Linux, and Microsoft's PPTP, both implement fixes for vulnerabilities that were detected years ago in Microsoft's PPTP. But there remain the design vulnerabilities that cannot be fixed without changing the design. The changes needed would break interoperability. We can't change the Linux PPTP design, because it would stop working with Microsoft PPTP. They can't change their design, because it would stop working with all the other components out there, such as Nortel and Cisco, embedded routers, ADSL modems and their own Windows installed base.

The only option then is to deprecate the product and promote the replacement. Microsoft promote something else. Our choice for Open Source systems is OpenVPN or IPsec.

Level of acceptance isn't a good indicator of risk either. Some have said that the shipping of MSCHAP V2, MPPE and PPTP in Linux distributions is an indication of design security, but that's not the reason. It's for interoperability. As an example, see how Linux distributions still ship telnet, ftp, and rsh, even though these components are insecure because they reveal the password in cleartext in the network packets. The same can be said of many other components and packages.

Our recommendations are;

  1. do not implement PPTP between open source systems, because there's no justification, better security can be had from OpenVPN or IPsec,
  2. do not implement PPTP servers unless the justification is that the clients must not have to install anything to get going (Microsoft PPTP is included already), and be aware of the risks of information interception,
  3. do not implement PPTP clients unless the justification is that the server only provides PPTP, and there's nothing better that can be used, and again be aware of the risks of information interception.

(Posted on 2005-08-10 to the mailing list)


  1. CODE: 密码工具。进去后,每条密码是明文,特点是每条记录按用户名和密码分开存储显示     评价 :一般
  2. keeper:密码工具。记录是明文存储,支持  faastfill ,支持 keeper DNA    评价:中
  3. 隐私卫士:app隐私锁 评价:高
  4. 私密锁:app锁,评价:一般
  5. 应用程序锁:评价:一般
  6. 隐私应用锁:app锁。评价低
  7. 密码本:密码工具,每个字段分开存储。 评价 :中
  8. NS Wallet :分文件夹-item 对字段做了详细的分类。 :一般
  9. safeincloud :有详细的模板 ,支持云同步 评价:高
  10. SSE  功能强大,支持密码管理 ,文件本加密 ,文件加密  评价 :高
  11. password keepox: 简单的字段记录,支持同步到dropbox ,评价:低
  12. 秘密管理器:简单的字段记录:评价:极低
  13. sis密码管理:同上


nginx 做反向代理分发时,为了提高效率,最好使用长连接,以下是nginx 支持的几种后端长连接配置方案:

Nginx从 1.1.4 开始,实现了对后端机器的长连接支持,这是一个激动人心的改进,这意味着 Nginx 与后端机器的通信效率更高,后端机器的负担更低。

例如,对一个没有长连接支持的后端机器,会出现大量TIME_WAIT 状态的连接,使用以下命令验证之:

netstat -n | grep TIME_WAIT

经过查阅官方文档,其目前已经实现了http, fastcgi, memcache 协议的长连接支持。而之前的版本中仅支持memcache 协议。


启用到 memcache 服务器的长连接 在upstream 配置段中增加 keepalive N 指令即可:

upstream memcached_backend {
     keepalive 32;

server {
     location /memcached/ {
         set $memcached_key $uri;
         memcached_pass memcached_backend;


启用fastcgi 长连接支持 除了需要在upstream 中配置 keepalive N 外,还需要在 location 中增加

fastcgi_keep_conn on;

upstream fastcgi_backend {
    keepalive 8;

server {
     location /fastcgi/ {
         fastcgi_pass fastcgi_backend;
         fastcgi_keep_conn on;


启用对后端机器HTTP 长连接支持

upstream http_backend {
    keepalive 16;

server {
     location /http/ {
         proxy_pass http://http_backend;
         proxy_http_version 1.1;
         proxy_set_header Connection \;

注意:需要设置nginx 代理请求的 http 协议版本号为 1.1, 以及清除掉 Connection 请求header, 官方文档描述:

For HTTP, the proxy_http_version directive should be set to “ 1.1 ” and the “ Connection ” header field should be cleared .

The connections parameter should be set low enough to allow upstream servers to process additional new incoming connections as well.

即是说:keepalive N 指令中 , N 的值应该尽可能设置小一些,以便后端机器可以同时接受新的连接。

Too many connections

mysql_connect(): Too many connections

mysql> show variables;

mysql> set global wait_timeout=10;
Query OK, 0 rows affected (0.01 sec)

mysql> set GLOBAL max_connections=1024;
Query OK, 0 rows affected (0.00 sec)

注意 interactive_timeout  和 wait_timeout,根据不同场景,修改不同的参数。

还可以修改 my.cnf , 然后 重启 mysqld 服务。


1)DB是innodb 还是myisam

2)  高频查询的表的index创建是否合理

3)业务的mysql 语句写的是否合理

如果以上还搞不定,就需要考虑 分库分表 , 加proxy 做集群来分流了。


openshift是免费的云平台,适合搞个公司网站或者个人blog。最近想把博客从openshift上迁移出去,wordpress本身有插件可以导出文章内容。但是对应的附件和图片利用导入工具,会有导入不完整的问题,简单的办法就是用ssh访问,将整个 uploads文件下载下来。要支持ssh,openshift有一套安全机制。通过 rhc 上传key,实现无密码登录。



如果不使用git,可以跳过 git的步骤。

ruby是从 www.rubygems.org/gems/rhc  下载的,需要自己搞定 vpn的问题,否则提示ssl失败




no such file dl/import


中间会提示输入openshift的账号和密码,成功后,会在本地.ssh 目录生成公私钥。并提示上传服务器。

这里要关注 .ssh的路径,后面客户端登录时要用到


登录你的openshift账号,点击application ,进去就能看到详细的信息:


根据右侧的账号和地址 ,用ssh就可以登录了


ssh key







  • 安装mysql
yum install -y mysql-server mysql mysql-deve


chkconfig mysqld on


mysqladmin -uroot password 'newpassword'
  • 安装nginx

设置 yum源

vi /etc/yum.repos.d/nginx.repo
name=nginx repo


yum install nginx

如果需要添加www 用户和组

groupadd -f www
useradd -g www www
  • 安装apache

安装apache 主要是因为wordpress的静态url路由需要相应的组件。

yum install httpd
chkconfig httpd on






1. 进程退到后体后,只有3-10的时间,如果没有进一步处理,处于功耗考虑,socket就会被系统关闭。 2. ios8后,允许后台,ios8之前的版本,只能通过设置后台模式 Required background modes来实现,但如果本身没有voip功能,苹果审查会遭拒。 ①打开info.plist,添加下面的键值对: Required background modes = App provides Voice over IP services ②配置XMPPStream的enableBackgroundingOnSocket属性为YES: _xmppStream.enableBackgroundingOnSocket = YES; 3. 参考 http://my.oschina.net/bankofchina/blog/281233 voip的方法,理论上定位消息也可以实现 4. 网上大段都是voip的例子,但按照苹果的审查规范,用voip实现后台keepalive 而没有实现voip是会被拒的。 综上所述,ios8以后,直接支持后台。ios8以前的,理论上gps位置信息也是可以在后台触发,从而通过策略实现长连接的,目前没有看到验证的例子,可以在这个方向下尝试下,毕竟所有的app都是需要位置服务器的,不属于伪造服务


1. gcc

yum -y install gcc automake autoconf libtool make


yum install gcc gcc-c++

2. protobuf


./configure --prefix=/usr/local/protobuf
 make check
 make install
sudo vim /etc/profile
export PATH=$PATH:/usr/local/protobuf/bin/
export PKG_CONFIG_PATH=/usr/local/protobuf/lib/pkgconfig/
source /etc/profile

3. google 库文件,将google的库文件路径添加到gcc 编译路径



我们选择直接拷贝protobuf 生成的目录 includegoogle  到 /usr/local/include 下

4. zlib

编译时提示:"/usr/bin/ld: cannot find -lz"

解决:去lib64目录下看是有libz  相关库的,根据好使的环境比对,猜测是缺少特定的连接

# ln -s libz.so.1 libz.so




  1. 开放端口
    确认自己本地的iptable 或者firewalld,打开对应的端口。
    UDP 137-138
    TCP:139 445
  2. 确认SELinux的相关权限设置
  3. 安装 samba
yum install samba
systemctl enable smb
systemctl start smb
  1. 创建用户

- 创建用户组
groupadd dev
- 创建用户
useradd -g dev aaa
- 设置用户的密码
passwd aaa
- 将用户添加到samba账号中
smbpasswd -a aaa
5. 配置samba

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
        map to guest = Bad User
        log file = /var/log/samba/log.%m
        comment = Home Directories
        browseable = no
        writable = yes
        comment = Public Stuff
        path = /data/share
        public = yes
        comment = developer
        path = /dev
        valid users = @dev
  1. 参考

使用Sublime Text3+Ctags+Cscope替代Source Insight


说明:以Windows系统下查看C++代码为例。因为Source Insight(以下简称SI)是收费软件,且界面丑陋,所以考虑其替代方案,发现Sublime Text3(以下简称ST3) + Ctags + Cscope 可以取得很好的效果。使用ST3基本可以实现全键盘操作,同时它又没有学习Vim的陡峭曲线。


1. 安装Package Control for ST3


2. 安装Ctags插件

(1) 通过 Preference -> Package Control -> Install Package安装Ctags插件
(2) 下载 Ctags.exe, 通过 Preference -> Package Settings -> Ctags -> Settings Default 中的内容拷贝到 Setting User中,将 command": "" 中的 "" 填入Ctags.exe的路径位置
(3) 在工程根目录上点击右键,选择Ctags:Rebuild tags

3. 安装Cscope插件

(1) 通过 Preference -> Package Control -> Install Package安装Cscope插件
(2) 下载 Cscope.exe, 并在工程根目录下生成cscope.out文件
(3) 打开CscopeSublime.sublime-settings文件(可能需要添加到 Package -> User 目录下),将 "executable": "" 中的"" 填入Cscope.exe的路径位置,将 "database_location": "" 中的 ""填入cscope.out的路径位置


(1) 对于symbol函数的定义查询,ST3自带此功能Go to Definition,且搜索结果有多个时可以预览,不用跳转到另一个文件。Ctags也有此功能navigate_to_definition,搜索结果比ST3要准确一些,但多结果时不支持预览。Csope也有此功能 Cscope: look up function defintion,但搜索结果不支持双击点开。因此实际中多用ST3和Ctags来实现此功能
(2) 对于symbol变量的定义查询,ST3不支持,Ctags有此功能,方法同其查询symbol函数的定义一致。Cscope也可以用查询symbol函数定义的方法实现此功能,搜索结果不支持双击点开。因此实际中多用Ctags来实现此功能
(3) 对于函数caller的查询,只有Cscope有此功能Cscope: look up function calling this function
(4) 全局搜索, ST3可通过Ctrl+Shift+F实现,但搜索耗时较长。Cscope可通过Cscope: look up symbol实现,因为已经通过cscope.out建立了索引,所以结果很快,但结果不一定全面


比较:ST3 + Ctags + Cscope的方案基本可以实现Source Insight的常用有效功能(除了查看类继承关系的Relation Windows),且其速度更快,界面也更为清爽。ST3相比于SI的其他优点还包括:


(1) Alt+O可以实现头文件和源文件之间的快速切换
(2) 通过 View -> Side bar 可在左侧显示当前打开的文件列表
(3) ST3虽然不像notepad++可以在sidebar上显示函数列表,但是可通过Ctrl+R查看
(3) 通过 Preference -> Key binding user 可根据个人操作习惯自定义快捷键(包括ST3自带的和插件的)
(4) 双击可选中光标所在单词,三击可选中光标所在行
(5) Ctrl+Shift+T可以打开之前关闭的tab页,这点同chrome是一样的

RVCT 远程license 问题


Error: C9932E: Cannot obtain license for Compiler (feature compiler) with licens
e version >= 3.1:
Terminal Server remote client not allowed.
Feature: compiler
License path: D:ARMLicenseslicense.lic
FLEXnet Licensing error:-103,577
For further information, refer to the FLEXnet Licensing End User Guide,
available at "www.macrovision.com".


Hanging Sockets and Power Consumption – Basics, Part 3

很好的文章,就mobile 空socket 的耗电状态做了深入的分析.



Continuing our series on mobile apps and their effect on battery drain, I’ll pick up where the three guidelines in Wayne Lee’s last post left off, especially #3: “Know what your app is doing with the hardware and when it’s doing it.”

One common way that mobile apps use too much power is through hanging sockets –network connections that the app is no longer using, but which the server thinks are still alive because the app has not closed them. The subsequent query from the server results in needless battery drain.

Here’s more background on the problem and how you can deal with it.

“Wake up. It’s time to go to sleep.”

Applications often “forget” to close their socket after they are done with it. Then, after some amount of time without data activity, the server times the socket out and closes it.

Socket termination in TCP requires a four-way handshake, so the server has to send a FIN packet to the device, which usually takes the device from the low-power dormant state to the higher-power active state. The device goes idle for a bit, then back to dormant. It’s like waking somebody up to tell them that it’s time to go to sleep.

Look at the example in the diagram. The red (1) shows the device jumping from dormant to active mode to send and receive data normally for a few seconds. Once finished, the cellular radio drops to a power-saving idle mode (2) in case that it’s needed again. After about 15 seconds of inactivity, the radio goes dormant (3).

    The diagram shows inefficiencies in Socket Termination activity on a device, the multiple steps it goes through to send/receive data and why it’s important to close sockets.

But the app has left the socket open (hanging). The server doesn’t like loose ends, so it sends its FIN packet to the device. This rouses the radio from dormant to active again (4), the same as if it were sending/receiving data for the app. Worse yet, the radio follows the normal curve back down to idle for another 15 seconds, wasting more power (5).

Begin to get the idea?

The phone has to bring up the radio for a simple, easily avoidable handshake because the server has asked the device for something that the app should have provided in the first place. If no other traffic moves between the device and the network, the connection is a complete waste of several hundred milliamperes.

Assuming that the app uses the network four times in an hour, the simple fix of having the app close the socket when finished can reduce network power consumption by about 20 percent, which would be the difference between eight and ten hours of standby power.

The lesson is: Program your app to close sockets when it has finished with them. Otherwise, the phone consumes power to bring up the radio for a needless handshake with the server.

Next Steps

So, to paraphrase Wayne, you need to know what your app is doing with the cellular radio, when it’s doing it and how to turn it off when the app no longer needs it.

Questions? Visit the Trepn Profiler Support Forum or let me know in the comments below.