Signal 的簡訊花費在 $6m/year

Signal 的「Privacy is Priceless, but Signal is Expensive」這篇 PR 稿裡面提到了各項支出,Hacker News 上的討論在「Privacy is priceless, but Signal is expensive (signal.org)」這邊可以翻到。

裡面可以看到目前的數字 (以 2023 年十一月推算):

Storage: $1.3 million dollars per year.
Servers: $2.9 million dollars per year.
Registration Fees: $6 million dollars per year.
Total Bandwidth: $2.8 million dollars per year.
Additional Services: $700,000 dollars per year.

Current Infrastructure Costs (as of November 2023): Approximately $14 million dollars per year.

我比較感興趣的有幾塊,一個是標題提到的簡訊,在「Registration Fees」這個段落的說明裡可以看到列了兩個項目,一個是下載 Signal 的費用,另外一個是簡訊 SMS 認證的費用:

Signal incurs expenses when people download Signal and sign up for an account, or when they re-register on a new device. We use third-party services to send a registration code via SMS or voice call in order to verify that the person in possession of a given phone number actually intended to sign up for a Signal account.

這邊有些要確認的,下載軟體的頻寬應該是包括在 Total Bandwidth... 而且推敲起來,金額應該不算大:

  • 手機上的應用應該是由 AppleApp StoreGooglePlay 平台提供,不需要 Signal 提供頻寬下載。
  • 桌面應用端的部分,無論是 Windows、Mac 還是 Linux 的平台,看起來是透過 updates.signal.org 下載,這個名稱目前是指到 Cloudflare 上面,透過 traceroute 看起來不是 premium account (HiNet 用戶是導去美西的 SFO 機房),也許是 Cloudflare 的贊助帳號?

所以我會先假設這邊 $6m/year 的費用應該都是 SMS,在後面這段看起來也有提出來:

The cost of these registration services for verifying phone numbers when people first install Signal, or when they re-register on a new device, currently averages around $6 million dollars per year.

另外會這麼高也是因為現在 SMS pumping 很流行,也就是攻擊者與電信商合作 (或是同一組人),透過假造大量的認證需求,讓 app 後面的公司需要付大量的簡訊費用:

另外一個感興趣的是頻寬的部分,裡面有提到有一個比較吃頻寬的項目,是處理不在通訊錄上面的通話或是視訊。這邊 Signal 為了避免 IP address 的洩漏,會避免直接讓兩邊接通,而是透過 relay 接通:

To take one example, Signal always routes end-to-end encrypted calls from people who aren’t in your contacts through a relay server that obscures IP address information.

光這部份大約是 20PB/year 的量,費用約 $1.7m/year (上面有提到整個頻寬費用約 $2.8m/year):

At current traffic levels, the amount of outbound bandwidth that is required to support Signal voice and video calls is around 20 petabytes per year (that’s 20 million gigabytes) which costs around $1.7 million dollars per year in bandwidth fees just for calling[.]

而最大的費用還是各種人事支出的部分 (i.e. 經濟規模還沒有大到反過來),佔 $19m/year:

In total, around 50 full-time employees currently work on Signal[.]

To sustain our ongoing development efforts, about half of Signal’s overall operating budget goes towards recruiting, compensating, and retaining the people who build and care for Signal. When benefits, HR services, taxes, recruiting, and salaries are included, this translates to around $19 million dollars per year.

在 Hacker News 上有人貼了「Signal Technology Foundation - Nonprofit Explorer - ProPublica」這個,這邊有申報資料可以翻,比 PR 稿上面細。

「SMS 認證」被電信商 (以及第三方) 拿來套利的市場

Hacker News 上看到「Twitter Lost $60M a Year Because 390 Telcos Used Bot Accounts to Pump A2P SMS (commsrisk.com)」這篇,內文報導是這裡:「Elon Musk Says Twitter Lost $60mn a Year Because 390 Telcos Used Bot Accounts to Pump A2P SMS」。

簡訊的實際成本極低,但利潤超級高,發送方與接收方都有極大的獲利空間。

而這邊提到的 SMS pumping 的方式就是電信商自己做,或是電信商與第三方合作,利用各種發簡訊的方式 (內容不重要),讓 app 端要付出大量的簡訊成本,進而產生出大量的利潤。

Twilio 的「SMS Traffic Pumping Fraud」這頁就有這張圖:

簡訊的特點是很好 scale,你無法同時間接大量的電話,但可以同時間收大量的簡訊。在「SMS Fraud is costing you more than you realize」這邊也有提到這個問題。

這個問題在去年年底在我們自家的服務上就有看到跡象 (東南亞市場頗明顯),當時搜尋有一些討論,而現在看起來 Elon Musk 這次吵應該又會有更多熱度...

話說這樣演化下去,SMS 認證的退場又多了一個理由,除了 SS7 在資安上的安全問題外,看起來成本問題也會跑進來。

在南極洲收銀行 OTP 簡訊的方式

看到「SMS Multifactor Authentication in Antarctica」這篇,講在南極洲收銀行 OTP 簡訊的方式 (one-time password,常見的形式是六碼或是七碼數字)。

很明顯的,南極洲沒有什麼電信商可以讓你漫遊 XD

一開始是試著用 Verizon Messages Plus,這個服務可以在電信商直接把簡訊改成 e-mail 寄出來,但作者發現所有的簡訊都會轉送,就是銀行的不會轉送 XDDD

接著是試著用 Google Voice 的號碼,但銀行會判定為 VoIP 電話而不送。

另外的方式是「Wifi Calling」,看起來應該是 VoWiFi 這個台灣更常見的詞,透過 internet 連到電信商的網路掛進去,而不需要透過電信商的基地台。

McMurdo 的網路目前還是有很多不一樣的限制與問題:

At McMurdo, phones have access to a wifi network only for wifi calling and texting, not for general Internet access. It’s just a prototype at this time. It doesn’t work in all cases or in all areas, and for one reason or another it doesn’t work for some people, even if they’ve followed all the steps for enabling wifi calling.

看起來作者遇到的問題是 latency 過高以及頻寬不穩定的問題:

Also, the protocol assumes terrestrial broadband with reasonable latency and bandwidth. At McMurdo, as of this writing, latency to terrestrial locations is in excess of 700 milliseconds. Usable bandwidth for any given end user can vary widely, down to a few dozen kilobits per second.

然後也很難 troubleshooting:

The protocol also doesn’t expose any useful diagnostic info to the end user in order to troubleshoot. You just have to cross your fingers that the magic “wifi calling” icon lights up.

接下來作者嘗試的是 Voice MFA,但不存在這樣的電話號碼可以轉接之類的:

Direct inward dialing to US Antarctic stations isn’t generally available, so you probably can’t configure your cell phone number to forward to a number you can directly answer on-station. (I’m aware of some exceptions to this.)

作者最後提了兩個方法,第一個是想辦法找一個銀行不會擋的虛擬號碼註冊,但這個方法基本上是個貓抓老鼠的遊戲。第二個是作者實做的方法,自己搞 relay,透過 IFTTT 或是其他類似的工具來轉:

轉出來像是這樣:

也許等基礎建設好一點之後,VoWiFi 應該就有機會通?

用 Amazon SNS 送簡訊可以固定發送號碼了

Amazon SNS 的簡訊功能可以申請固定發送號碼了:「Amazon SNS now supports selecting the origination number when sending SMS messages」。

固定的號碼包括了短碼與長碼:「Requesting dedicated short codes for SMS messaging with Amazon SNS」、「Requesting dedicated long codes for SMS messaging with Amazon SNS」。

短碼是三到七碼,依照地區而有差異:

A short code typically contains between three and seven digits, depending on the country or region that it's based in.

要注意的是短碼的部份需要開 support case 申請,而不是直接在 web console 上操作:

Open a case with AWS Support by completing the following steps.

長碼則是有可能到 12 碼,依照不同地區的設計有所不同:

A long code (also referred to as a long virtual number, or LVN) is a standard phone number that contains up to 12 digits, depending on the country that it's based in.

不過現在長碼的部份只有美國可以用,而且有速率限制:

Support for long codes is restricted to the United States only. Sending rates for long codes are restricted to 1 message per second. This restriction is set by the telecom carriers, and isn't a limitation of Amazon SNS. If you send a large volume of messages from a long code, wireless carriers might begin to block your messages. Your applications that use Amazon SNS should limit the number of messages that they send each second.

說道 Amazon SNS 送簡訊的費用,實在不怎麼好看,量小加減用 (包在 AWS 費用裡,省人力另外跑請款的單子),量大還是要找其他家接比較划算...

Amazon SNS 可以發簡訊到全世界了...

Amazon SNS 的新進展,簡訊可以發到全世界了 (之前應該是只能發到美國?):「New – Worldwide Delivery of Amazon SNS Messages via SMS」。

拉台灣的數字出來可以看到即使是最便宜的台灣大哥大 (Taiwan Mobile) 每通也要 NTD$1.35 左右,其他家就貴翻了... (所以應該是跟台哥大合作對接?)

不過對於本來就有用 AWS 服務的人來說,帳單是在同一張,報起來比較省事...

用 Raspberry Pi 自幹一台 3G 手機...

在「DIY Smartphone」這邊看到用 Raspberry Pi 做出一台手機:

DIY Smartphone using Raspberry Pi A+ Pi, Camera, PiTFT, and Adafruit FONA with custom mobile OS.

然後 FAQ 的部份 XDDD

The thing is a inch thick! Why would you build something so useless when you can buy a cheap phone for less that can do much much more?

No reason.

可以看到超大隻超陽春:

蘋果的 Two-Factor Authentication...

在「Apple Adds Two-Factor Authentication to iTunes Accounts」看到蘋果支援 Two-Factor Authentication。蘋果官方的 KB 在「Apple ID: Frequently asked questions about two-step verification for Apple ID」這邊。

看說明是透過簡訊進行認證,類似於 Facebook 的方式。不過拿了自己的帳號測試發現還看不到這個選項,應該是全球逐步開放?

「詐騙電話」...

24h 上買完東西後會有個提示頁面,最下面會列出常見詐騙手法:(常常買但都沒看 XD 這次停下來看一下...)

其中正看到這條:

來電顯示開頭為「+」者,是國際電話,有可能就是詐騙電話!

然後就收到簡訊就送來:

...............................