Tag: information

瑞士最大的線上購物平台 Digitec Galaxus 公開維修相關資訊

前幾天的 Hacker News 上看到的消息:「Refreshingly honest – Digitec Galaxus now displays warranty score and return rate」,瑞士最大的線上購物平台 Digitec Galaxus 決定公開維修相關的資訊,討論在「Digitec Galaxus now displays warranty score and return rate (galaxus.ch)」這邊可以看到。

從文章裡面可以看到說明的圖片,主要是公開了一些數字,第一個是 return rate (退貨率):

再來是故障的資訊:

然後是維修時間:

這邊隨便抓了「ASUS ROG Strix GeForce RTX 4070 Ti OC Edition」這個看,可以看到這三個資訊:

另外在 Hacker News 討論裡面看到一些有趣的資訊,像是歐盟強制降價需要提供至少三十天價錢的歷史記錄 (但要注意瑞士不是歐盟成員國):

This is now a law enforced in European Union to display such history (at least the lowest price in last 30 or more days so customer knows if the price was not fake rised just before lowering it and calling it a sale). WooCommerce has a plugin for that now.

搜尋後可以找到應該是出自「EUR-Lex - 52021XC1229(06) - EN - EUR-Lex」這邊的 Article 6a:

1. Any announcement of a price reduction shall indicate the prior price applied by the trader for a determined period of time prior to the application of the price reduction.

2. The prior price means the lowest price applied by the trader during a period of time not shorter than 30 days prior to the application of the price reduction.

3. Member States may provide for different rules for goods which are liable to deteriorate or expire rapidly.

4. Where the product has been on the market for less than 30 days, Member States may also provide for a shorter period of time than the period specified in paragraph 2.

5. Member States may provide that, when the price reduction is progressively increased, the prior price is the price without the price reduction before the first application of the price reduction;

台灣的話因為沒有法令強制,目前需要透過第三方服務去追,像是 twbuyer.info 之類的服務,但就只有大平台才有提供了。

Banner blindness

前幾天的 Hacker News Daily 上看到「Why do people not notice our enormous, prominent, clear and contrasting purple banner?」這篇 2018 年的討論,裡面在講為什麼使用者會常態性忽略 banner 的內容。

在答覆區裡面有人提到了維基百科上面的 Banner blindness 這個條目,題到了網站的使用者會刻意或是非刻意的忽略掉像 banner 的資訊:

Banner blindness is a phenomenon in web usability where visitors to a website consciously or unconsciously ignore banner-like information. A broader term covering all forms of advertising is ad blindness, and the mass of banners that people ignore is called banner noise.

開頭也提到了 banner 廣告 CTR 的變化:

The first banner ad appeared in 1994. The average click-through rate (CTR) dropped from 2% in 1995 to 0.5% in 1998. After a relatively stable period with a 0.6% click-through rate in 2003, CTR rebounded to 1% by 2013.

所以這個現象有個專有名詞來形容...

DeepMind 的 Player of Games

前幾天在 Hacker News Daily 上看到的消息,DeepMind 發了一篇新的論文,講 Player of Games 這個新的演算法:「Player of Games」,Hacker News 上的討論在這:「Player of Games (arxiv.org)」。

照留言上的討論,Player of Games 的名字由來應該是取自科幻小說《The Player of Games》。

這是一個更一般性的演算法,可以同時駕馭 perfect information 與 imperfect information:

We introduce Player of Games, a general-purpose algorithm that unifies previous approaches, combining guided search, self-play learning, and game-theoretic reasoning. Player of Games is the first algorithm to achieve strong empirical performance in large perfect and imperfect information games -- an important step towards truly general algorithms for arbitrary environments.

論文裡面也提到以前的各種演算法 (包含 DeepMind 自家的一些演算法)。在 perfect information 的例子來說,可以看到沒有 AlphaZero 強 (西洋棋與圍棋),但也已經有一定水準了,算是個起頭的感覺:

主要的成就在於一般性,但論文後面也有提到,目前這個演算法需要的資源還是過大,還有改善的空間...

PostgreSQL 上去識別化的套件

在「PostgreSQL Anonymizer 0.5: Generalization and k-anonymity」這邊看到的套件,看起來可以做到一些常見而且簡單的去識別化功能:

The extension supports 3 different anonymization strategies: Dynamic Masking, In-Place Anonymization and Anonymous Dumps. It also offers a large choice of Masking Functions: Substitution, Randomization, Faking, Partial Scrambling, Shuffling, Noise Addition and Generalization.

看起來可以把欄位轉成 range 這件事情半自動化處理掉 (還是需要 SQL 本身呼叫這些函數),之後遇到 PII 的時候也許會用到...

Trac 關票時的資訊...

Trac 關票時一般都是由開票的人關 (i.e. Reporter),今天遇到的情況是這樣,在關票時的畫面上你會不知道是誰開的:

只要往上一點拉就會看到 Reporter 資訊 XD 這通常會發生在螢幕沒打直的人,直接拉到最下方的情況 XD

試著用 CSS 的 position: sticky 但抓不太到要的效果,決定還是開 jQuery 下去解決 XD

        // Copy reporter information to action section
        if ($('#action_resolve_resolve_resolution').length > 0) {
            var reporter = $('#h_reporter').parent().find('.trac-author, .trac-author-user')[0].outerHTML;

            $('#action_resolve_resolve_resolution').each(function(){
                $(this).parent().append('<span class="hint">(This ticket is created by ' + reporter + ')');
            });
        }

當下寫得很隨性,之後也許會再改... (會更新到「Trac - Gea-Suan Lin's Wiki」這邊)

Seam Carving (接縫裁剪)

看到有人實做 Seam Carving (接縫裁剪) 了,用 Golang 寫的,放在 GitHubesimov/caire 這邊,副標題「Content aware image resize library」。實做了「Seam Carving for Content-Aware Image Resizing」這篇論文。

Seam Carving 指的是知道內容的 resize,像是把上面這張變成下面這張:

或是變大:

馬上可以想到的應用是需要保留資訊內容,但又想要大量提供資訊的地方,像是 Nuzzle 的縮圖 (或是以前的 Zite),或是網路新聞媒體的首頁所用的縮圖。不知道還有沒有其他地方可以用...

Tinder 的漏洞

在「Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes」這篇看到 Tinder 的實作問題,主要是兩個問題組合起來。第一個是圖片沒有用 HTTPS 傳輸:

On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos.

第二個是透過 side channel information leaking:即使是 HTTPS 傳輸,還是可以透過 size 知道是哪種類型的操作:

Tinder represents a swipe left to reject a potential date, for instance, in 278 bytes. A swipe right is represented as 374 bytes, and a match rings up at 581.

這兩個資訊就可以把行為組出來了。

接下來應該會先把圖片上 HTTPS 吧?然後再來是把各種類型的 packet 都塞大包一點?

各家 Session Replay 服務對個資的處理

Session Replay 指的是重播將使用者的行為錄下來重播,市面上有很多這樣的服務,像是 User Replay 或是 SessionCam

這篇文章就是在討論這些服務在處理個資時的方式,像是信用卡卡號的內容,或是密碼的內容,這些不應該被記錄下來的資料是怎麼被處理的:「No boundaries: Exfiltration of personal data by session-replay scripts」,主要的重點在這張圖:

後面有提到目前防禦的情況,看起來目前用 adblock 類的軟體可以擋掉一些服務,但不是全部的都在列表裡。而 DNT 則是裝飾品沒人鳥過:

Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.

At least one of the five companies we studied (UserReplay) allows publishers to disable data collection from users who have Do Not Track (DNT) set in their browsers. We scanned the configuration settings of the Alexa top 1 million publishers using UserReplay on their homepages, and found that none of them chose to honor the DNT signal.

Improving user experience is a critical task for publishers. However it shouldn’t come at the expense of user privacy.

美國政府暗中介入好萊塢的劇本,影響大眾對戰爭的看法

透過 Freedom of Information Act (FOIA) 取得的資料顯示美國政府 (包括了五角大廈、CIA、NSA) 如何介入好萊塢,影響大眾對於戰爭的看法:「EXCLUSIVE: Documents expose how Hollywood promotes war on behalf of the Pentagon, CIA and NSA」。

灰標「US military intelligence agencies have influenced over 1,800 movies and TV shows」可以看出影響的層面。

The documents reveal for the first time the vast scale of US government control in Hollywood, including the ability to manipulate scripts or even prevent films too critical of the Pentagon from being made — not to mention influencing some of the most popular film franchises in recent years.

從很意想不到的地方介入... 引用其中一個說明:

Jon Voight in Transformers — in this scene, just after American troops have been attacked by a Decepticon robot, Pentagon Hollywood liaison Phil Strub inserted the line ‘Bring em home’, granting the military a protective, paternalistic quality, when in reality the DOD does quite the opposite.

又是 ImageMagick 出包...

ImageMagick 的 information leaking,然後 Yahoo! 很無奈的中獎,所以被稱為 Yahoobleed:「Yahoo! retires! bleeding! ImageMagick! to! kill! 0-day! vulnerability!」。發現問題的作者把問題寫在「*bleed continues: 18 byte file, $14k bounty, for leaking private Yahoo! Mail images」這邊。

作者利用 ImageMagick 的不當處理,取得 uninitialized memory 的資訊,藉以取得可能是上次轉檔的記憶體內容。而這個 jpeg 只有 18bytes (所以作者戲稱每個 byte 價值 USD$778):

A robust bounty of $14,000 was issued (for this combined with a similar issue, to be documented separately). $778 per byte -- lol!

目前的 workaround 也很簡單 (官方採用了),呼叫 ResetMagickMemory 避免 leaking (咦,這方法好像哪邊怪怪的):「Reset memory for RLE decoder (patch provided by scarybeasts)」。