美國大麥克的價錢

Hacker News 上看到「A site that tracks the price of a Big Mac in every US McDonald's (pantryandlarder.com)」這個,追蹤美國麥當勞裡的大麥克價錢:「McCheapest」。

這個明顯跟「大麥克指數」有關,而且因為美國不同州會有不同的稅務結構,所以可以預期不同地區的麥當勞價位不同,不過沒有預期到同一個州裡面也是各家店自行定價的...

目前網站上列出來最便宜的是奧克拉荷馬州的 US$3.49,最貴的在麻薩諸塞州的 US$8.09,價差到一倍以上... 順便提一下,目前在台灣大麥克的價錢是相同的 NT$75,約 US$2.4。

另外一個感到驚訝的是麥當勞東半部的密度比西半部高好多?還是這張資料沒顯示出來而已?

美國成立公司的成本

前幾天在 Hacker News 上看到這則:「Is Delaware the cheapest place to incorporate?」,當初只是瞄過去,但突然注意到提到 Taiwan:

I am living in Taiwan and want to create a startup. The business will be mostly open source and likely to have low to no revenue.

I see that US states like Colorado have no franchise tax. But I also saw posts here that Delaware is usually ultimately cheaper.

What is the recommendation for a company to manage an open source project? Sure it might be worth money, but likely not, so I would like to keep money tight.

thanks!

翻了使用者資料,似乎是在台灣的美國人問的問題,希望在美國成立一個公司...

然後目前最上面的留言給的答案給了很多 if-else 條件告訴你怎麼選:

I'm an attorney.

Delaware is definitely not the cheapest or even in contention for the cheapest.

Still, if you want to raise capital, the correct answer is DE C Corp. If you're not looking for external funding, any state will do. If you care about anonymity, do Nevada or Wyoming. If you don't care about anonymity, Colorado is actually a very good choice. Very simple, intuitive online filing system that accepts filings instantaneously. Filing fees as cheap as anywhere in the country. No need for an attorney (or LegalZoom or some other random service) unless you just don't feel like dealing with it.

Costs will likely be $50 to file, Registered Agent (as cheap as $30 per annum), and $10 periodic report fee annually every year you're in business. Colorado is even nice enough to send plenty of reminders on when to file that report if you give them an email address.

Since you're a US citizen, my instinct would be LLC taxed as an S corp. But confirm with your accountant!

Good luck!

下面其他的留言也差不多,另外剛好也有人問這位律師為什麼打算要募資的話,會選擇 Delaware:

It's just industry standard for capital raises. All corporate attorneys learn DE law when they go to law school and are expected to know it if they practice corporate law. A Colorado attorney doesn't know California law and a California attorney doesn't know New York law, but if they do corporate legal work, they're all expected to know how to deal with DE law.

因為學校裡教過,大家都知道要怎麼搞 XDDD

另外維基百科也有提到因為對企業友善,有很多公司是掛在 DE,甚至連 NYSE 都掛在 DE:

66% of the Fortune 500, including Walmart and Apple (two of the world's largest companies by revenue) are incorporated (and therefore have their domiciles for service of process purposes) in the state. Over half of all publicly traded corporations listed in the New York Stock Exchange (including its owner, Intercontinental Exchange) are incorporated in Delaware.

算是個有趣的知識...

紐約州在推動電子產品的維修權

在清 Hacker News Daily 的時候看到「New York could become first state with a ‘Right to Repair’ law for electronic devices」這篇,在講紐約州有團體在推動電子產品的維修權。

先前有提過歐盟對電子產品的維修權有在推動法案 (參考「歐盟在推動的設備維修權...」這篇),確保十年內有料可以維修,後來這個法案已經生效了:「New EU ‘right to repair’ laws require technology to last for a decade」。

可以觀察一下會不會過...

白宮宣佈由政府資助的研究,都必須馬上公開

一樣是 Hacker News 上看到的:「Guidance to make federally funded research freely available without delay (whitehouse.gov)」,白宮的公告在「OSTP Issues Guidance to Make Federally Funded Research Freely Available Without Delay」這邊。

開頭有重點,不得限制以及收費。所以 paywall 是一定不行,另外要註冊才能看也算是一種限制,應該也會被這次的政策要求改善:

In a memorandum to federal departments and agencies, Dr. Alondra Nelson, the head of OSTP, delivered guidance for agencies to update their public access policies as soon as possible to make publications and research funded by taxpayers publicly accessible, without an embargo or cost.

時間表的部份,短期是 2023 年中更新 policy,並且在 2025 年年底前全部施行:

In the short-term, agencies will work with OSTP to update their public access and data sharing plans by mid-2023. OSTP expects all agencies to have updated public access policies fully implemented by the end of 2025.

這次的算政府方面的政策,至少這些論文會有地方可以公開下載。

找了一下之前寫下來跟 open access 有關的消息,從學校方面給壓力的也不少,不過我記錄下來的主要都是跟 Elsevier 的中止合約:

看起來不同角度都有一些推進...

美國人使用社群媒體的情況

在「Social Media Usage by Age」這邊看到的文章,把美國人使用社群媒體的情況做成圖,資料來源是 Pew Research Center 的「Social Media Fact Sheet」這裡。

很明顯的可以看到 Google (Alphabet) 基本上就是 YouTube 一個產品吃天下,而 Facebook (Meta) 有三個產品在滲透,包括 Facebook、InstagramWhatsapp

LinkedIn 在出社會後會開始用,另外 Pinterest 這麼多老人家在用到是很驚奇 XDDD

美國聯邦政府推動的 Zero Trust 架構

看到美國總統行政辦公室發佈的「Moving the U.S. Government Toward Zero Trust Cybersecurity Principles」這個備忘錄,在講 Zero trust security model,算是讓其他聯邦單位可以依循的指引,從比較高的角度來說明聯邦政府對系統安全設計的方向。

裡面有提到「Phishing-resistant MFA」,一般的 MFA 無法防止 phishing (像是軟體 TOTP 類的 Google Authenticator 或是硬體式 TOTP 的 RSA SecurID,或是透過簡訊輸入收到的字串那種),要能夠對抗 phishing 的應該只有 U2F 或是後續的 WebAuthn 這種有把網站位置也放進 protocol 的協定。

另外提到了 RBACABAC 兩種設計,而且更偏好用 ABAC 得到更多彈性:

Currently, many authorization models in the Federal Government focus on role-based access control (RBAC), which relies on static pre-defined roles that are assigned to users and determine their permissions within an organization. A zero trust architecture should incorporate more granularly and dynamically defined permissions, as attribute-based access control (ABAC) is designed to do.

另外因為 zero trust 的設計,內部網路其實只能當作是一個傳輸媒介,不能當作是一個安全的傳輸層,任何的傳輸都需要有另外的驗證機制確保 CIA,所以從 DNS 的流量必須是透過 DNS over HTTPS 或是 DNS over TLS 的保護:

Agencies must resolve DNS queries using encrypted DNS wherever it is technically supported. This means that agency DNS resolvers must support standard encrypted DNS protocols (DNS-over-HTTPS or DNS-over-TLS), and must use them to communicate with upstream DNS resolvers.

任何 HTTP 傳輸都需要使用 HTTPS 保護,甚至是把 .gov 直接放進 HTTPS-only 清單 (應該是指 HSTS preload?):

More generally, the .gov top-level domain has announced an intent to eventually preload the entirety of the .gov domain space as an HTTPS-only zone.

不過裡面也有提到 email 的 encryption 到目前為止沒有好的方法可以確保 encryption 的使用,尤其是跟外部的人溝通:

Unlike HTTP and DNS, there is not today a clear path forward for guaranteeing that Federal emails are encrypted in transit, particularly for emails with external parties.

然後提到安全漏洞的測試與回報機制也蠻有趣的,像是鼓勵外部測試:

In addition to their own testing programs, agencies must increase their reliance on external perspectives to identify vulnerabilities that internal staff may not identify

以及鼓勵安全回報的制度:

Public vulnerability disclosure programs, which allow security researchers and other members of the general public to report security issues safely, are used widely across the Federal Government and many private-sector industries. These programs are an invaluable accompaniment to existing internal security programs and operate as a reality check on an organization’s online security posture.

拿來翻一翻讀一讀...

印度威脅要逮捕 Facebook、WhatsApp 與 Twitter 的員工

The Wall Street Journal 上看到的,印度政府威脅 FacebookWhatsAppTwitter,如果不配合政府的要求提供資料並將內容下架,將會逮捕他們在印度的員工:「India Threatens Jail for Facebook, WhatsApp and Twitter Employees」。

這應該是透過上個月才剛過的法令:「Facebook, WhatsApp and Twitter Face New Rules in India」。

印度的市場太大,各家社群網站都想要進去,造就了政府的有足夠的能力跟這些大公司談判,而且是具有壓制性的力量。

在去年殺完 Tiktok 後,上個月擴權然後這個月反過來殺這些美國的企業。

美國政府不知道會幫到什麼程度...

Elon Musk 退訂美國總統的 Twitter 帳號

先前因為 cjin 的這則推,跑去追蹤了 @BigTechAlert 這個帳號:

@BigTechAlert 這個帳號會把名人以及大企業的 Twitter 帳號所追蹤與推追蹤的行為找出來,然後發表在 Twitter 上面。

平常 @BigTechAlert 所抓出來的追蹤與退追大家也都習以為常,你去看 @BigTechAlert 的帳號也可以發現沒什麼 retweet & like。

但前幾天這則退訂通知讓不少人 retweet & like,因為是 Elom Musk 退追了 @POTUS 帳號 (也就是 President of the United States):

退追的真實原因不知道,但看到純粹覺得很有趣...

Firefox 在美國將預設開啟 DNS over HTTPS

看到 Mozilla 在「Firefox continues push to bring DNS over HTTPS by default for US users」這邊的公告,另外也可以參考 Hacker News 上的討論:「Mozilla’s DNS over HTTPs (blog.mozilla.org)」。

這次的改變是將美國的 Firefox 使用者自動啟用 DNS over HTTPS (DoH),而預設是丟給 Cloudflare

By default, this change will send your encrypted DNS requests to Cloudflare.

這個作法非常粗暴而且侵犯使用者的隱私。

  • 對於進階而且有在跟重大消息的使用者,他們如果不信任 Cloudflare 的話,會主動關掉 DoH 的選項。
  • 但對於一般使用者,他們不知道這件事情,而他們本來也不會預期他們上網的 hostname 部份會被 Cloudflare 知道。

相較於 Google Chrome 是確認你現在用的 DNS 是不是在有支援 DoH 的清單內,如果是的話就會切過去使用 DoH,但不會因此改變 DNS provider,也就是不會有突然冒出來的第三者知道你瀏覽的網站。

來繼續看...