幹壞事是進步最大的原動力
Twitter 上看到的:「第4の携帯電話会社 楽天が来年申請へ」。
IT大手の「楽天」は、NTTドコモ、KDDI、ソフトバンクのようにみずから基地局を備える携帯電話会社を近く設立し、来年、総務省に電波の割り当てを申請することが明らかになりました。認可を受ければ、国内に“第4の携帯電話会社”が誕生することになります。
丟出申請建立基地台的執照,現在是審核的狀態... 在台灣有點像是「第一類電信事業經營者」中行動相關的部份 (參考維基百科「臺灣電信業者列表」這邊的說明)。
這樣可以看看會端出什麼方案跟現有三家競爭... 對觀光客應該也有影響。
LINE 將內部的座位表由 Excel 管理,改用 Web 界面了:「Excel管理の座席表をLeafletでWeb化した話」,這邊不確定是全球的 LINE,還是只有日本的 LINE...
如果跟日本人有過業務合作的話,就會知道他們對 Excel 的用法只能用
出神入化
來形容啊... 所以看到 LINE 特地寫了一篇來說明他們開發內部系統的事情,覺得還蠻有趣的...
起因是今年四月換辦公室,所以就順便換系統,把本來用 Excel 管理的座位表改用 Web 管理 (然後用了 Leaflet 這個 JavaScript Library):
人員の増加に対応するために、今年の4月、LINEはJR新宿ミライナタワーに移転しました。移転に伴い、IT支援室ではいくつかの新しい社内システムを導入しましたが、今日はその1つである「座席表」についてお話させていただきます。
這是 Excel 版本的樣子:
這是新版本的樣子,UI 上有更多互動的界面可以操作:
然後文末提到了總務業務量減少,而且因此變更座位變自由了而大受好評 (大概是不會讓總務煩死,所以就可以更自由換來換去 XDDD):
今回開発した座席表は総務の業務軽減に始まったプロジェクトでした。そして実際に導入後には、座席表の管理にかけていた総務の業務を大幅に削減することに成功しました。また、利用者からもかなり好評で、「これを待っていたんですよ!」といった声もあり、社内コミュニケーションの円滑化に一役買うことができているようです。誰の席でも自由に変更できるという点についても、これまでのところトラブルの報告を受けることなく運用できています。
翻了一下英文版的 blog,好像沒有提到這件事情?XDDD
就如標題所寫的,Quartz 獨家刊出來的新聞,即使你關掉 Google 的定位服務,Google 還是會蒐集你的位置 (而且跟 Google 發言人確認後也證實):「Google collects Android users’ locations even when location services are disabled」。
而且是全背景作業,在你沒有開定位服務,沒有插 SIM 卡,也沒有跑任何 app,他就會將定位資訊傳出去:
Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?
從今年年初開始這樣搞的,Google 發言人只宣稱這個資料並沒有被用來整合到「network sync system」,並且會立即丟掉 (所以你還是不知道被用到什麼地方):
“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery,” the Google spokesperson said in an email. “However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.”
這句話的意思其實代表著是丟掉 raw data,改以統計的方式轉移存到其他系統。
另外 John Gruber 在「Google Collects Android Users' Locations Even When Location Services Are Disabled」其實寫的更直接:
If they were “never used or stored”, why did they start collecting them in the first place? This is like a kid caught with their hand in the cookie jar saying they weren’t going to eat any cookies. Sure.
白話一點就是「你當我傻逼啊」。
應該會促進 microG 的發展... (參考「microG 的進展...」)
前陣子的報料,美國的電信商提供 API 給第三方,讓第三方可以用 IP address 查出你的真實身份:「Want to see something crazy? Open this link on your phone with WiFi turned off.」,像是這樣:
These services are using your mobile phone’s IP address to look up your phone number, your billing information and possibly your phone’s current location as provided by cell phone towers (no GPS or phone location services required).
目前所有的網站都已經被下架了,但可以從當時的截圖看到有多少資訊。AT&T 的新聞稿在「AT&T Helps Businesses Improve Mobile Transaction Security with New Mobile Identity API Toolkit」,新聞稿沒被下掉我猜可能是因為上市公司受法令限制的關係?
這其實是一個警示,說明了美國的電信商開始把大家一直認為極為隱私的資料賣給第三方:
But what these services show us is even more alarming: US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services — not just federal law enforcement officials — who are then selling access to that data.
而且作者在 GitHub 上看到有程式碼針對韓國電信商提供的 API 呼叫,所以韓國也有類似服務:
I found what looks like a third-party API implementation for a Korean Danal API on GitHub. The author wrote the code for South Korean telcos, so there may be differences with US carriers. The query parameters in the HTTP requests are similar to what I remember seeing in the Danal demo. It’s unclear from my reading of the code whether or not this API requires operation inside of e.g. a Danal Inc. hosted-iframe for identity confirmation. The diagram on page 4 of this documentation describing the Korean “Danal Pay” service appears to show the client interacting with the customer’s servers only.
台灣呢,嘿嘿...
Amazon Device Farm 推出這樣的功能又朝著設備租賃服務更進一步了:「Amazon Device Farm Launches Direct Device Access for Private Devices」。
Now, with direct device access, mobile applications developers can use individual devices in their private test set as if they were directly connected to their local machine via USB. Developers can now test against a wide array of devices just like they would as if the devices were sitting on their desk.
這樣就可以使用更底層的東西了...
tl;dr:真的很慢 +_+
b-mobile おかわり 是先前因為 eplus 需要手機簡訊認證而辦的日本門號,想說剛好進日本也可以拿來用...
可以參考「Re: [問題] 日本旅遊有低門檻手機認證的方式嗎」與「b-mobile おかわりSIMの速度実測・レビュー・評価まとめ【9月】」。
實際跑了 n 次測速,除了深夜與清晨的速度比較快以外,其他時間下載大多都在 1.x Mbps 左右,拿來跑 Line (包括 Line 語音) 還可以,刷有圖片的服務就頗慢了... (像是 Twitter 或是 Facebook),如果是影音服務的話就很慘了 XDDD
是剛好可以拿來練習 Git 離線作業啦 XDDD 但之後如果要來玩的話,應該還是會辦張吃到飽不限速的 SIM 卡吧...
在「Apps with hardware: enabling run-time architectural customization in smart phones」這邊看到去年就有論文在討論在手機上使用 FPGA 的想法...
的確現在 FPGA 的價錢其實是蠻平價的了... 除了透過 GPU 加速外,FPGA 聽起來也是個不錯的方向 @_@
最直接的例子就是 AES 運算來看,可以看到比現在最快的實做快了半個數量級,大約三倍?(跟支援硬體加速的 OpenSSL 比,看格子大約是半格,也就是 100.5,約 3.16 倍)。
而如果是純軟體的應用,有些會差到四個數量級... (萬?)
把 side-channel information 配合上統計方法就可以達到 74% 的正確率:「Phone Hack Uses Sensors To Steal PINs」。
透過 browser 的 javascript 就可以拉出這些資料,然後利用這些資料去猜你的手機 PIN 碼:
Researchers from U.K.-based Newcastle University created a JavaScript app called PINlogger.js that has the ability to access data generated by the phone’s sensors, including GPS, camera, microphone, accelerometer, magnetometer, proximity, gyroscope, pedometer and NFC protocols.
而且當可以多抓到更多資訊時 (像是第二次輸入) 準確度就更高了:
Using a sample set of 50 PINs, researchers found that their script was able to correctly guess a user’s PIN 74 percent of the time on the first try, which increases to 86 and 94 percent success rates on the second and third attempts.
有些瀏覽器有做一些修正,讓 side-channel information 變少,於是難度變高:
As for Firefox, starting from version 46 (released in April 2016), the browser restricts JavaScript access to motion and orientation sensors. Apple’s Security Updates for iOS 9.3 (released in March 2016), suspended the availability of motion and orientation data when the web view is hidden, according to researchers.
Google 則是沒修:
As for Google, it’s unclear what measures have been taken. “Our concern is confirmed by members in the Google Chromium team, who also believe that the issue remains unresolved,” the report stated. Google did not reply to a request to comment for this report.
這攻擊方式頗不賴... @_@
然後錢就...:「After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts」。
O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.
利用手機螢幕上的餘熱分析可能的 PIN 碼:「Heat traces left by fingers can reveal your smartphone PIN」,在輸入完 PIN 碼的 30 秒內的準確度都還是很高 (80%):
The report further revealed that if the thermal image is collected within 15 seconds of a PIN being entered, the technique is accurate almost 90% of the time. At 30 seconds, this accuracy decreased slightly to 80%. At 45 seconds or more, the accuracy dropped to 35% and below.
