Apple 在歐盟 DMA 的法規下被強制開放 App Store 與各種限制

昨天科技圈最熱門的消息應該是 Apple 公開了在歐盟區開放 App Store 限制的計畫:「Apple announces changes to iOS, Safari, and the App Store in the European Union」,Hacker News 上的討論也很熱鬧,也提出了很多蘋果想盡辦法讓你不要換過去所設定的障礙:「Apple announces changes to iOS, Safari, and the App Store in the European Union (apple.com)」。

從文章可以看出 Apple 不斷的用 FUD 在擋,而且從文章裡面就可以看出來 Apple 極度不情願開放這塊肥肉。

除了文章的不情願態度外,Apple 也試著要建立各種機制讓 developer 無法轉移,其中目前最毒的是 Core Technology Fee 的設計,即使 app 後續會透過第三方的 app marketplace 下載,你仍然要付給 Apple 一筆很貴的費用:

Core Technology Fee — iOS apps distributed from the App Store and/or an alternative app marketplace will pay €0.50 for each first annual install per year over a 1 million threshold.

不確定現有的 DMA 是否有阻止的能力,但這個是目前已經看到的重點項目,歐盟應該會有動作...

另外看一些群組討論,Apple 很不願意放 App Store 出來,看起來這個功能是被鎖到 countryd 層級的,無法單純註冊歐盟 App Store 的帳號就能安裝。

反正先坐著等一兩個月看新聞消化...

用 Astrometa DVB-T2 收數位無線電視台 (DVB-T)

以前用的 USB 電視棒壞掉了,去網拍上找了一隻新的來用,翻了一下跟 LinuxTVWiki 上的 Astrometa DVB-T2 這頁的圖片一樣 (2014 版本的圖):

先講一下重點,如果你買到的 USB 電視棒跟我一樣,應該可以看到兩個 source 可以收 DVB-T,而這兩個 source 都可以測試看看,在我家裡測試 Sony CXD2837ER 的收訊明顯好很多:

另外順便一提無關緊要的事情,本來在查資料的時候以為是 2013 的古董版本,但研究了一會兒發現 2013 版的「DVBT2」字比較大,所以不是 2013 版的:

插入到 Ubuntu 的時候可以看到幾個有趣的東西:

[Sat Dec 30 11:59:49 2023] usb 1-6.3: DVB: registering adapter 0 frontend 0 (Realtek RTL2832 (DVB-T))...
[Sat Dec 30 11:59:49 2023] dvbdev: dvb_create_media_entity: media entity 'Realtek RTL2832 (DVB-T)' registered.
[Sat Dec 30 11:59:49 2023] usb 1-6.3: DVB: registering adapter 0 frontend 1 (Sony CXD2837ER DVB-T/T2/C demodulator)...
[Sat Dec 30 11:59:49 2023] dvbdev: dvb_create_media_entity: media entity 'Sony CXD2837ER DVB-T/T2/C demodulator' registered.

意外的發現有兩個支援 DVB-T 的晶片,首先是 Realtek RTL2832 有被抓到,然後被註冊到 /dev/dvb/adapter0/frontend0 這邊。

Realtek 官網上只翻到了 RTL2832U 的資料,裡面比較有趣的是支援了 ISDB-T,不過如果在日本的話還需要 B-CAS 才能解:

Includes ISDB-T(SBTVD-T) 1-Seg

另外 RTL2832U 也支援 FM:

Includes Radio Support (FM/DAB/DAB+)

而第二個的 Sony CXD2837ER 被註冊到 /dev/dvb/adapter0/frontend1 這邊,另外在 LinuxTVWiki 可以看到 CXD2837ER 只被用在了 2018 版本,而且在外觀的部分提到了「or same as 2014 or 2017 revision」,所以看起來手上的版本應該是 2018 版的,但是殼長得跟舊的一樣。

翻了 Sony CXD2837ER 的 datasheet,可以看到支援 DVB-{T2,T,C}:

The Sony CXD2837ER is a combined DVB-T2 (incl.T2-Lite), DVB-T and DVB-C demodulator

看起來是為了 DVB-T2 而放進來的?不過台灣目前還是用 DVB-T 就是了。

Anyway,目前用起來唯一的缺點是看電視的時候同時跑 dvb-fe-tool --femon -f 1 會造成畫面破格,這點要再看看怎麼解決,不過不是大問題...

跑 ArchiveTeam Warrior

Archive Team 是一個致力於保存數位資料的組織,而 ArchiveTeam Warrior 則是他們提供的軟體,可以讓你很方便直接跑 worker 加入他們的 cluster,幫忙抓資料並且保存到 Internet Archive 上。

他們提供三種方法跑 ArchiveTeam Warrior,第一種是 VM 的方式,文件裡面有介紹怎麼用 VirtualBox 或是 VMware Player 跑起來。

第二種與第三種都是 container 類的方式,DockerPodman 都能跑起來。

跑起來後可以連進 http://127.0.0.1:8001/,然後選擇想要加入的項目,或是接受指令選擇目前團隊主打的項目。

在「Projects」這頁可以看到目前主力是備份 Enjin 上的資料。

丟了兩台 VPS 的機器上去用 Docker 跑,CPU 使用率看起來很低,但網路流量看起來會因為所在的地點而差蠻多的,一台大約是 300KB/sec 到 400KB/sec,換算後大約是 1TB/mo,另外一台則只有 1/10 的量。

歐盟通過 Digital Markets Act 與 Digital Services Act

Hacker News Daily 上翻的時候看到的大消息,歐盟通過了 Digital Markets Act (DMA) 與 Digital Services Act (DSA):「EU Approves Landmark Legislation to Regulate Apple and Other Big Tech Firms」,這兩個法案會直接衝擊大企業壟斷的情況。

找了一下中文的資料,iThome 有報導:「歐洲議會通過《數位服務法》與《數位市場法》!傳訊服務必須互通,不得禁止使用者採用第三方App Store」。

其中 MacRumors 上的文章整理的蠻清楚的,DMA 包括了:

  • Allow users to install apps from third-party app stores and sideload directly from the internet.
  • Allow developers to offer third-party payment systems in apps and promote offers outside the gatekeeper's platforms.
  • Allow developers to integrate their apps and digital services directly with those belonging to a gatekeeper. This includes making messaging, voice-calling, and video-calling services interoperable with third-party services upon request.
  • Give developers access to any hardware feature, such as "near-field communication technology, secure elements and processors, authentication mechanisms, and the software used to control those technologies."
  • Ensure that all apps are uninstallable and give users the ability to unsubscribe from core platform services under similar conditions to subscription.
  • Give users the option to change the default voice assistant to a third-party option.
  • Share data and metrics with developers and competitors, including marketing and advertising performance data.
  • Set up an independent "compliance function" group to monitor its compliance with EU legislation with an independent senior manager and sufficient authority, resources, and access to management.
  • Inform the European Commission of their mergers and acquisitions.

可以看出來除了最後兩項是針對 EU 的監管機制外,其他的包括了安裝來自第三方的軟體、可以使用第三方的付款系統、可以整合系統服務、可以整合硬體功能、可以使用第三方的語音工具、可以反安裝所有的 app 以及提供平台蒐集到的資料給開發者,都是針對現在 AppleApp StoreGoogle Play 所限制的條件。

另外 DMA 也禁止了這些行為:

  • Pre-install certain software applications and require users to use any important default software services such as web browsers.
  • Require app developers to use certain services or frameworks, including browser engines, payment systems, and identity providers, to be listed in app stores.
  • Give their own products, apps, or services preferential treatment or rank them higher than those of others.
  • Reuse private data collected during a service for the purposes of another service.
  • Establish unfair conditions for business users.

而 DSA 的部份則是針對網路上的非法內容處理:

The Digital Services Act (DSA), which requires platforms to do more to police the internet for illegal content, has also been approved by the European Parliament.

其中 DMA 的生效日看起來會在 2023 年年中生效?應該是 六個月加上六個月...

Once formally adopted, the Act, which takes the legal form of a Regulation, will enter into force 20 days after publication in the EU Official Journal and will apply six months later. The designated gatekeepers will have a maximum of six months after the designation decision by the Commission to ensure compliance with the obligations laid down in the Digital Markets Act.

而 DSA 至少要到 2024 年才有機會會實施:

Once adopted, the DSA will be directly applicable across the EU and will apply fifteen months or from 1 January 2024, whichever later, after entry into force.

歐盟的市場夠大,這個應該會帶來足夠大的衝擊...

PayPal 也要提供加密貨幣服務

先是看到「PayPal to allow cryptocurrency buying, selling and shopping on its network」這篇,另外翻到了 PayPal 的新聞稿:「PayPal Launches New Service Enabling Users to Buy, Hold and Sell Cryptocurrency」。

幾個比較重要的地方是,這次會提供的是 BitcoinEthereumBitcoin Cash 以及 Litecoin 這四種:

To increase consumer understanding and adoption of cryptocurrency, the company is introducing the ability to buy, hold and sell select cryptocurrencies, initially featuring Bitcoin, Ethereum, Bitcoin Cash and Litecoin, directly within the PayPal digital wallet.

會先提供美國 PayPal 的使用者使用,然後再展到其他服務以及地區:

The service will be available to PayPal accountholders in the U.S. in the coming weeks. The company plans to expand the features to Venmo and select international markets in the first half of 2021.

另外這次的服務也不是自己跳進去搞,而是透過 Paxos Trust Company 建立起防火牆,所以當加密貨幣那邊出包的時候大概就會切割出來:

The service is enabled in the U.S. through a partnership with Paxos Trust Company, a regulated provider of cryptocurrency products and services.

比較像是個嘗試,只是這個主題很適合發新聞稿...

法國法院判決 Steam 上的遊戲可以轉賣

Valve 不允許轉賣 Steam 上的遊戲,結果就被告上法院,並且判決違反歐盟法律:「French court rules Steam games must be able to be resold」。

French website Next Inpact reports the Paris Court of First Instance ruled on Tuesday that European Union law allows Steam users to resell their digital games, just like they can any physical product.

看起來 Steam 會上訴,再等幾個月看看...

美國政府發行的字型 Public Sans

Public Sans 是一套美國政府出資而產生的無襯線字型,專案放在 GitHub 上 (uswds/public-sans)。這套自行不是全部都自己刻,而是改自於 Libre Franklin Font (以 SIL Open Font License v1.1 授權,而 Public Sans 沿用同樣授權)。

第一個目標是授權:

Be available as a free, open source webfont on any platform.

另外是使用的廣度:

Have a broad range of weights and a good italic.
Perform well in headlines, text, and UI.

Have good multilingual support.
Allow for good data design with tabular figures.

在 GitHub 頁面上有整理與 Libre Franklin 的差異,可以看到配合現在的呈現媒體而做了不少調整。

用照片打鑰匙的服務

Bruce Schneier 的 blog 上看到 KeyMe 這個服務:「Now It's Easier than Ever to Steal Someone's Keys」。

你把鑰匙的照片拍下來,透過 app 上傳付款後,他就把鑰匙寄給你 XDDD

查了一下資料,在五年前 (2012) 的時候就有人做遠距離攻擊的研究了:「60 公尺外,拍照攝影就可以重製鑰匙...」,所以有好的方面,也有邪惡的方面...

用手勢在會議中表達意思

英國內閣辦公室中的英國政府數位服務 (Government Digital Service) 發展了一套手勢 (六個),可以在不用打斷發言過程下表達出一些簡單的意見或是表示想要有進一步的討論:「Platform as a Service team takes even-handed approach to meetings」(網站好像有點熱門,讀取速度變慢不少 XD)。

提高會議溝通的效率...

NIST 新的密碼規範

NIST 所提出來的規範 (Special Publication 800-63-3: Digital Authentication Guidelines),雖然還在 Draft 階段,但可以看出目前密碼規範的趨勢跟以前的不同:「NIST’s new password rules – what you need to know」。

整份規範可以在 GitHub 上讀到,不過 markdown 好像沒處理好,直接在 GitHub 上看到的有點亂,不過還算看得懂就是了...

在 NIST 網站上有 html 版本「Digital Authentication Guideline: Public Preview」可以讀,應該會好一些。

整份 guideline 很長,密碼的部份主要是在「DRAFT NIST Special Publication 800-63B Digital Authentication Guideline」這份裡面關於「Memorized Secrets」的部份。

先講對一般業者最不能理解的事情:

  • 有「安全問題」反而會讓系統安全變弱。
  • 要求使用者有大小寫、特殊符號這種讓使用者更難記密碼的限制,反而會讓使用者選出更差的密碼。讓使用者自由選擇密碼,同時用黑名單機制把常見的密碼擋下來會是比較好的選擇。
  • 定期換密碼反而會讓使用者選擇更差的密碼 (因為要花力氣記,所以會選擇簡單的密碼),不如讓使用者選一個強一點的密碼一直用。同時要合理設計限制登入錯誤的機制。
  • 絕對不可以存明碼。

下面開始 copy & paste 然後給簡單的註釋...

首先是對最低長度的定義,至少要八碼。而對最大長度的限制是「至少你要讓使用者可以輸入 64 碼」:

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHALL permit user-chosen memorized secrets to be at least 64 characters in length.

密碼不應該限制特殊字元,只要可以印出來的 ASCII 與空白都應該被允許,而 Unicode 也應該要被允許:

All printing ASCII [RFC 20] characters as well as the space character SHALL be acceptable in memorized secrets; Unicode [ISO/ISC 10646:2014] characters SHOULD be accepted as well.

空白可以被濾掉來判斷,但其他的字元都應該被當作強密碼的一部分來判斷:

Verifiers MAY remove space characters prior to verification; all other characters SHALL be considered significant.

要注意的是,為了強度,每一個 Unicode 應該只算一個有效字元:

For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character.

當密碼是隨機被系統設定時,可以是六個字元的強隨機數字:

Memorized secrets that are randomly chosen by the CSP (e.g., at enrollment) or by the verifier (e.g., when a user requests a new PIN) SHALL be at least 6 characters in length and SHALL be generated using an approved random number generator.

另外很重要的是,不應該有提示存取的功能,也就是「安全問題」不安全,所以要被禁止:

Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant. Verifiers also SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets.

然後針對已知的弱密碼 (像是字典單字,以及之前被洩漏出來的密碼) 都應該擋下來:

When processing requests to establish and change memorized secrets, verifiers SHOULD compare the prospective secrets against a dictionary of known commonly-used and/or compromised values. This list SHOULD include passwords from previous breach corpuses, as well as dictionary words and specific words (such as the name of the service itself) that users are likely to choose. If the chosen secret is found in the dictionary, the subscriber SHOULD be required to choose a different value. The subscriber SHOULD be advised that they need to select a different secret because their previous choice was commonly used.

另外不應該要求使用者要特殊字元或是大小寫這種限制,而且也不應該要求使用者定期換密碼 (除非確認被破了):

Verifiers SHOULD NOT impose other composition rules (mixtures of different character types, for example) on memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically) unless there is evidence of compromise of the authenticator or a subscriber requests a change.

另外禁止用明碼存密碼,必須用 PBKDF2 這類可以防禦快速離線計算的演算法:

Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Secrets SHALL be hashed with a salt value using an approved hash function such as PBKDF2 as described in [SP800-132]. The salt value SHALL be a 32 bit (or longer) random value generated by an approved random number generator and is stored along with the hash result. At least 10,000 iterations of the hash function SHOULD be performed. A keyed hash function (e.g., HMAC), with the key stored separately from the hashed authenticators (e.g., in a hardware security module) SHOULD be used to further resist dictionary attacks against the stored hashed authenticators.