從 Android (AOSP) fork 出來的 /e/

上個禮拜在 Hacker News 看到的「Review of /e/ – An Android Alternative For Mobile Phones」,在講 /e/ 這個從 AOSP 改出來的作業系統,主力在於「unGoogled」這件事情,避免任何資料傳回給 Google。Hacker News 上對應的討論在「Review of /e/ – Android-based alternative for mobile phones (thenewleafjournal.com)」這邊。

先看了一下運作方式,/e/ 的後面是 e Foundation,以非營利組織的方式經營。

LineageOS 的經驗來看,看起來有蠻多東西預先包好了,像是預掛了 microG 來模擬 Google Play Services 的服務與 API,這樣可以讓一些需要 Google Play Services 的服務可以跑 (但可以預期不會是完全相容)。

另外也有一些商業合作,所以市場上可以買到出廠就已經安裝 /e/ 的手機,讓一般使用者更容易上手。另外一條可以預期的路是自己刷 /e/,從「Smartphone Selector」這邊可以看到 /e/ 支援很多型號。

文章裡另外題到了其他的 AOSP fork,走不同的路線:

In addition to LineageOS, there are two forks focused primarily on security – GrapheneOS and CalyxOS. There is also Replicant, which appears to mostly support older devices at this time.

看起來弄個 Pixel 5a 或是舊一點的 Pixel 4a 應該是個還可以的方向,Google 自家牌的手機通常都是這些 distribution 優先支援的機種...

Apple 在 iOS 16、iPadOS 16 與 macOS Ventura 上推出 Lockdown Mode

AppleiOS 16、iPadOS 16 與 macOS Ventura 上推出了 Lockdown Mode:「Apple expands industry-leading commitment to protect users from highly targeted mercenary spyware」。

Lockdown Mode 主要是透過降低被攻擊的面積以提昇安全性,依照 Apple 的預想,主要是針對被政府單位盯上的族群:

Apple is previewing a groundbreaking security capability that offers specialized additional protection to users who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware.

在 Lockdown Mode 下目前列出來的限制:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

列出來的這些的確都是之前 0-day 常被拿來打的東西,把攻擊面積縮小的確會有不少幫助。

這應該是業界第一個大咖跳進來做這個 (也就兩個大咖?),第一次搞未必會完美,但算是個開始,後面應該會有更多的面積被考慮進去...

Google 在南韓開放 app 裡面使用其他付款機制了

先前在「南韓對 Apple 與 Google 的 In-App 付款機制的提案」這邊提到南韓的法案將會強迫 AppleGoogle 開放 IAP 的通路,前幾天 Google 正式發出公告會支援其他通路了:「Enabling alternative billing systems for users in South Korea」。

不免俗的,還是會放話說一些 FUD

Alternative billing systems may not offer the same protections or payment options and features of Google Play's billing system—such as parental controls, family payment methods, subscription management, Google Play gift cards, and Play Points.

然後拖一下時間,說正在開發這些功能中:

In the coming weeks and months, we will share implementation details for developers, including instructions for submitting security and customer service verifications and a set of user experience guidelines so users can make an informed choice.

但這應該是第一個強制開放的市場?來等後續 payment gateway 給的數字...

繞過 Web 上「防機器人」機制的資料

這兩天的 Hacker News 冒出一些討論在講 Web 上「防機器人」機制要怎麼繞過:

第一篇主要是從各種面向都一起討論,從大方向的分類討論 (「Where to begin building undetectable bot?」),另外介紹目前有哪些產品 (在「List of anti-bot software providers」這邊)。

在文章裡有提到一個有意思的工具「puppeteer-extra-plugin-stealth」,主要是在 Node.js 類的環境,查了一下在 Python 上也有 pyppeteer-stealth,不過 Python 版本直接講了不完美 XDDD

Transplanted from puppeteer-extra-plugin-stealth, Not perfect.

第二篇文章在開頭就提到他不是很愛 Proxy,因為 Proxy 很容易偵測。在文章最後面則是提到了兩個方案,第一個是用大量便宜的 Android 手機加上 Data SIM 來跑,另外一個是直接用 Android 模擬器加上 4G 網卡跑。

依照這些想法,好像可以來改善一下手上的 RSS 工具...

不使用 Google 服務的 Android 手機

一樣是在 Lobsters Daily 上翻到的,去 Google 服務的 Android 系統搞法:「Lineage with microG on a Sony XA2」。

主要是看關鍵字的部份,TWRP 換掉 recovery image,然後 LineageOS 是系統底,microG 是 open source 版本的 Google 專屬 API 的相容層,Magisk 則是負責 root 相關的事情,F-Droid 是 open source 軟體的 app store,可以用他來裝 Aurora Store,就可以裝 Play Store 裡的 app。

會這樣搞的人主要還是考慮到 privacy,可以預期有不少應用程式是不會動的...

jQuery UI 與 jQuery Mobile 進入維護模式

OpenJS Foundation (先前的 jQuery Foundation) 宣佈 jQuery UIjQuery Mobile 進入維護模式:「jQuery maintainers update and transition jQuery UI as part of overall modernization efforts」、「jQuery maintainers continue modernization initiative with deprecation of jQuery Mobile」。

jQuery UI is in maintenance-only mode. Users should not expect any new releases, though patches may be issued to resolve critical security, interoperability, or regression bugs.

The team announced that the cross-platform jQuery Mobile project under its umbrella is fully deprecated as of October 7, 2021.

應該就是沒有足夠的動能繼續開發了,維持個窗口在有 security issue 時處理...

很久沒出新版的 mosh...

在今天的 Hacker News Daily 上看到 mosh 的連結,看了一下 Hacker News 上的討論,發現原作者有上去跟大家討論一些目前的情況:「Mosh: The Mobile Shell (mosh.org)」。

原作者是 Keith Winstein,在 Hacker News 上的帳號名稱是 keithwinstein,可以用 Ctrl-F 翻一下他回應的東西。

關於四年沒有新版的原因,一方面是他覺得已經將後續的開發與維護交棒出去,不應該因為接手的人太忙就冒出來;另外一方面是目前的版本也沒有安全問題,沒有迫切需要丟出一個新版本:

I think the truth is that we don't feel like we need a release. We've never had a security hole, our track record speaks for itself, and I wouldn't really want us to rush anything and blow that. There are some features that it would be really nice to have in a release (like 24-bit color support, and working around a recent MacOS clock bug), but I handed over the maintainership to somebody else about six years ago and that person is currently, I think, dealing with a bunch of stuff (look around the world the last year...). I'm not eager to step back in and bigfoot them -- especially when I'm no longer particularly familiar with the codebase (and recent commits) as I used to be.

Mosh works as advertised and has never had a security hole -- we're pretty proud of that! We'll probably cut a release at some point to add those features (24-bit colors, the MacOS clock workaround) but I'm not feeling like it's urgent enough to upset what I had hoped was a transition plan.

It would feel arrogant to compare Mosh to TeX, but it doesn't seem that crazy to imagine that some software might reach a point where it has accomplished 95% of its goals, and the benefit from adding further features has to be weighed against the risk of introducing a security hole or other regression through further churn. If the TCP specification, or OpenSSH, or TeX, or GNU bash had canonical GitHub repositories, they would probably be full of a bunch of user support issues and inactive PRs too. :-)

看了一下 GitHubContributors 這頁,可能是 cgull

的確是一個很穩定的軟體,在桌機與筆電上面都用了八九年了,解決了網路切換 (或是不穩定) 的問題:「把 SSH 換成 Mosh」。

這大慨是我在 2021 年最想不到的事情:Google Chrome 加入 RSS 功能

看到「Google revives RSS」這篇,這大概是我在 2021 年最想不到的事情了:Google Chrome 加入 RSS reader 功能 (雖然很陽春)。

Google 的說明文在「An experiment in helping users and web publishers create deeper connections on Chrome」這邊。

目前只有美國的 Google Chrome Canary 用戶才有機會看到這個功能,依照官方的截圖應該是行動版?

把當年的 Google Reader 吐出來啊...

T-Mobile US 打算要賣使用者的瀏覽記錄了

全美第二大的 T-Mobile US 打算要賣使用者的瀏覽記錄了,除非你登入進去選擇退出:「T-Mobile to Step Up Ad Targeting of Cellphone Customers」,Hacker News 上的討論則可以看「T-Mobile to share customers' data with advertisers unless they opt out (thehill.com)」這邊。

The No. 2 U.S. carrier by subscribers said in a recent privacy-policy update that unless they opt out it will share customers’ web and mobile-app data with advertisers starting April 26.

這次的改變包括了 2020 年併購 Sprint 的使用者:

T-Mobile’s new policy will also cover Sprint customers acquired through the carriers’ 2020 merger. Sprint had previously shared similar data only from customers who opted into its third-party ad program.

所以連在美國都有 DNS over HTTPS (或是 DNS over TLS) 與 ESNI 需求了...

LastPass 開始進入「殺」的階段,免費使用者只能在一個平台上使用

LastPass 進入了「套養殺」最後一個階段「殺」,宣佈縮減 LastPass Free 的可用範圍。在 2021/03/16 開始 (一個月後),LastPass Free 的使用者只能選擇一個平台使用,像是「桌機平台」,或是「行動平台」:「LastPass’ free tier will become a lot less useful next month」,官方的新聞稿則是在「Changes to LastPass Free」這邊。

官方有提供第一年的限時優惠 (換算起來應該是一年 USD$27),但不給既有用戶,現有的用戶如果要的話得自己換帳號 export & import,不然就是用原價殺 (一年 USD$36):

If you’d like unlimited device type access and email support, you can upgrade from Free to LastPass Premium for a limited time, for $2.25 per month (billed annually). *

*Additional Terms and Conditions: Advertised price valid for new users on their first year of LastPass Premium. Price not valid for renewals or existing customers and cannot be used for other LastPass plans, products or services.

不過這個優惠連結發現點下去是爛的:

話說回來,這種東西我自己還是偏好用 open source 方案,然後自己搭同步機制,不過目前看到的方案在跨桌機平台與行動平台的確是痛點... 有需求的人應該還是會選 LastPass 或是 1Password 這樣的方案。