FTC sues Adobe over its cancellation mechanism

Saw this on "FTC sues Adobe for hiding fees and inhibiting cancellations (ftc.gov)"; the FTC's press release is here: "FTC Takes Action Against Adobe and Executives for Hiding Fees, Preventing Consumers from Easily Cancelling Software Subscriptions".

The FTC's title already says most of it, and the first paragraph adds a bit more detail:

The Federal Trade Commission is taking action against software maker Adobe and two of its executives, Maninder Sawhney and David Wadhwani, for deceiving consumers by hiding the early termination fee for its most popular subscription plan and making it difficult for consumers to cancel their subscriptions.

Later on it cites the legal basis, the Restore Online Shoppers' Confidence Act:

The complaint charges that Adobe’s practices violate the Restore Online Shoppers’ Confidence Act.

The vote inside the FTC was 3-0, and the case is being litigated in the federal district court for the Northern District of California:

The Commission vote to refer the civil penalty complaint to the DOJ for filing was 3-0. The Department of Justice filed the complaint in the U.S. District Court for the Northern District of California.

This is a case worth watching; it will be a legal battle over dark patterns...

The US is legislating a ban on DJI products

Saw this on "DJI ban passes the House and moves on to the Senate (dronedj.com)"; the original article is at "DJI ban passes the House and moves on to the Senate".

It has already passed the House; the article mentions H.R.2864 (Countering CCP Drones Act):

One of these sections, H.R. 2864, or the Countering CCP Drones Act, was added to the bill and can be found under Section 1722. For those who are just hearing about this for the first time, it would remove DJI’s ability to get approval from the FCC, banning any future drones from being imported and possibly grounding current drones.

The official summary names DJI directly:

Countering CCP Drones Act

This bill requires the inclusion of telecommunications and video surveillance equipment or services produced or provided by Shenzhen Da-Jiang Innovations Sciences and Technologies Company Limited (a Chinese drone maker commonly known as DJI Technologies) on a list of communications equipment or services determined by the Federal Communications Commission (FCC) to pose an unacceptable risk to U.S. national security. Current law prohibits the use of federal funding available through specified FCC programs for purchasing or maintaining listed equipment or services.

Right now the ban is at the federal level; it looks like the plan is to raise the alert level to national security and ban it nationwide?

The pain points of using the Internet in Antarctica

Saw this on "Engineering for Slow Internet (brr.fyi)", an article that has been quite popular these past few days, about how to cope when the network is constrained: "Engineering for Slow Internet". The author worked in IT for the United States Antarctic Program (USAP) (and is now back in the continental US).

There are several main technical constraints. The first is that the time window for external connectivity is limited, because only a limited number of satellites pass overhead; here is some data from October 2023:

You can see it is mainly DSCS (five in service, but not every one of them passes over Antarctica) and TDRS-6.

This is a physical limitation with no workaround, so everyone has to schedule transfers around the corresponding time slots. There should be other satellites that can be reached at any time (an emergency channel), since it is half a military program after all?

Some people on Hacker News also discussed that Starlink seems to still have some satellites flying over Antarctica, though it is unclear whether they have relay capability; if they do, it seems worth considering? (Though custom antennas might be needed, since due to the latitude the equipment's required operating temperature range is different.)

Another big problem is latency: the average latency is 750ms, and jitter can reach several seconds:

Round-trip latency averaging around 750 milliseconds, with jitter between packets sometimes exceeding several seconds.

The third is speed: the average speed for an ordinary user ranges from single-digit kbps up to about 2 mbps when conditions are good, roughly the speed of a 1990s modem:

Available speeds, to the end-user device, that range from a couple kbps (yes, you read that right), up to 2 mbps on a really good day.

The article basically revolves around these problems.

Because latency is so high, and many applications (web or app) hardcode timeouts, you end up with the situation where the network is clearly transferring data slowly, and if you left it alone it would eventually finish, but it fails because the timeout fires first.

Also, because of the limited bandwidth, anything without a resume mechanism (not implemented in the app, or no direct file download that technically capable people could fetch with a tool like wget -c) easily wastes bandwidth on failures.

Another issue is software update mechanisms (such as security updates) that cannot install directly from a downloaded file; they always need to go online halfway through installation.

Another area is that too many tools today are bloated: a simple feature first requires downloading a 20MB bundle of JavaScript or so (and doing the math with the bandwidth mentioned above, it takes 80 seconds to download that JavaScript even under the best network conditions).

If your user base includes regions with poor network conditions like these, many of the points in this article are well worth considering.
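As an added example for the timeout and resume points above (my own code, not from the brr.fyi article), here is a small resumable downloader in Python. It bounds the idle time between reads instead of the whole transfer, so a slow but progressing link is not killed, and it resumes from the bytes already on disk with an HTTP Range header, the way wget -c does. The in-process server, the 64 KiB payload and the `max_bytes` knob that simulates a dropped connection are all constructed for the demo and are not part of any real service.

```python
"""Resumable download with an idle (per-read) timeout instead of a fixed total timeout."""
import hashlib
import http.client
import os
import socket
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed 64 KiB payload standing in for the file being fetched (not real data).
PAYLOAD = hashlib.sha256(b"constructed slow-link test file").digest() * 2048


class RangeHandler(BaseHTTPRequestHandler):
    """Stand-in origin server: serves PAYLOAD and honours 'Range: bytes=N-' (constructed)."""

    def do_GET(self):
        start = 0
        rng = self.headers.get("Range", "")
        if rng.startswith("bytes="):
            start = int(rng[len("bytes="):].split("-")[0] or 0)
        if start >= len(PAYLOAD):
            self.send_response(416)  # Range Not Satisfiable: client already has everything
            self.send_header("Content-Range", f"bytes */{len(PAYLOAD)}")
            self.end_headers()
            return
        body = PAYLOAD[start:]
        self.send_response(206 if start else 200)
        if start:
            self.send_header("Content-Range", f"bytes {start}-{len(PAYLOAD) - 1}/{len(PAYLOAD)}")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), RangeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def download_resumable(host, port, path, dest, idle_timeout=30.0, chunk=4096, max_bytes=None):
    """Fetch `path` into `dest`, resuming from the bytes already on disk (like `wget -c`).

    idle_timeout bounds the wait for *each* read, not the whole transfer: on a 2 kbps link
    a 64 KiB file takes minutes, which a fixed 30 s total timeout would abort even though
    data is still arriving. `max_bytes` is a demo-only knob that stops early to simulate a
    dropped connection. Returns the number of bytes on disk afterwards.
    """
    have = os.path.getsize(dest) if os.path.exists(dest) else 0
    conn = http.client.HTTPConnection(host, port, timeout=idle_timeout)
    conn.request("GET", path, headers={"Range": f"bytes={have}-"} if have else {})
    resp = conn.getresponse()
    try:
        if resp.status == 416:           # nothing left to fetch
            return have
        if have and resp.status != 206:  # server ignored Range and resends from byte 0;
            raise RuntimeError("server does not support resume")  # never append that
        got = 0
        with open(dest, "ab") as f:
            while True:
                try:
                    data = resp.read(chunk)  # the socket timeout applies to this read only
                except socket.timeout:
                    break                    # link stalled: keep what we have, retry later
                if not data:
                    break                    # EOF: transfer complete
                f.write(data)
                got += len(data)
                if max_bytes is not None and got >= max_bytes:
                    break                    # simulated connection drop
    finally:
        conn.close()
    return os.path.getsize(dest)


def demo():
    """Interrupt a download part way, resume it, then confirm the file is intact."""
    srv = start_server()
    host, port = srv.server_address
    try:
        with tempfile.TemporaryDirectory() as d:
            dest = os.path.join(d, "update.bin")
            first = download_resumable(host, port, "/update.bin", dest, max_bytes=10000)
            second = download_resumable(host, port, "/update.bin", dest)  # resumes via Range
            third = download_resumable(host, port, "/update.bin", dest)   # already complete
            with open(dest, "rb") as f:
                intact = hashlib.sha256(f.read()).digest() == hashlib.sha256(PAYLOAD).digest()
    finally:
        srv.shutdown()
        srv.server_close()
    return first, second, third, intact


if __name__ == "__main__":
    print(demo())
```

The refusal to append when the server answers 200 instead of 206 matters: a server that ignores Range restarts from byte 0, and blindly appending would corrupt the file while also burning the bandwidth the resume was meant to save.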

The price of a Big Mac in the US

Saw "A site that tracks the price of a Big Mac in every US McDonald's (pantryandlarder.com)" on Hacker News, a site tracking the price of a Big Mac at McDonald's restaurants across the US: "McCheapest".

This is obviously related to the "Big Mac index", and since different US states have different tax structures, you would expect McDonald's prices to vary between regions; what I did not expect is that even within the same state each store sets its own price...

The cheapest currently listed on the site is US$3.49 in Oklahoma, and the most expensive is US$8.09 in Massachusetts, a gap of more than double... As a side note, a Big Mac in Taiwan currently costs the same NT$75 everywhere, about US$2.4.

Another surprise is that McDonald's density in the eastern half seems so much higher than in the western half? Or is that just not shown in this data?

The cost of incorporating in the US

A few days ago I saw this on Hacker News: "Is Delaware the cheapest place to incorporate?". At first I only glanced at it, but then noticed it mentions Taiwan:

I am living in Taiwan and want to create a startup. The business will be mostly open source and likely to have low to no revenue.

I see that US states like Colorado have no franchise tax. But I also saw posts here that Delaware is usually ultimately cheaper.

What is the recommendation for a company to manage an open source project? Sure it might be worth money, but likely not, so I would like to keep money tight.

thanks!

Looking at the user's profile, it seems to be an American living in Taiwan asking, hoping to set up a company in the US...

The top comment currently gives an answer with a lot of if-else conditions telling you how to choose:

I'm an attorney.

Delaware is definitely not the cheapest or even in contention for the cheapest.

Still, if you want to raise capital, the correct answer is DE C Corp. If you're not looking for external funding, any state will do. If you care about anonymity, do Nevada or Wyoming. If you don't care about anonymity, Colorado is actually a very good choice. Very simple, intuitive online filing system that accepts filings instantaneously. Filing fees as cheap as anywhere in the country. No need for an attorney (or LegalZoom or some other random service) unless you just don't feel like dealing with it.

Costs will likely be $50 to file, Registered Agent (as cheap as $30 per annum), and $10 periodic report fee annually every year you're in business. Colorado is even nice enough to send plenty of reminders on when to file that report if you give them an email address.

Since you're a US citizen, my instinct would be LLC taxed as an S corp. But confirm with your accountant!

Good luck!

The other comments below say much the same; someone also happened to ask this attorney why they would choose Delaware when planning to raise funds:

It's just industry standard for capital raises. All corporate attorneys learn DE law when they go to law school and are expected to know it if they practice corporate law. A Colorado attorney doesn't know California law and a California attorney doesn't know New York law, but if they do corporate legal work, they're all expected to know how to deal with DE law.

Because it is taught in school, everyone knows how to deal with it XDDD

Wikipedia also mentions that because it is business-friendly, many companies are registered in DE, even the NYSE itself is registered in DE:

66% of the Fortune 500, including Walmart and Apple (two of the world's largest companies by revenue) are incorporated (and therefore have their domiciles for service of process purposes) in the state. Over half of all publicly traded corporations listed in the New York Stock Exchange (including its owner, Intercontinental Exchange) are incorporated in Delaware.

An interesting bit of trivia...

New York is pushing for a right to repair for electronic devices

While going through Hacker News Daily I saw "New York could become first state with a 'Right to Repair' law for electronic devices", about groups in New York pushing for a right to repair for electronic devices.

I previously mentioned that the EU was pushing legislation on the right to repair electronic devices (see the post "歐盟在推動的設備維修權..." ("The EU's push for a right to repair devices")), ensuring parts are available for repairs within ten years; that law has since taken effect: "New EU 'right to repair' laws require technology to last for a decade".

Let's watch whether it passes...

The White House announces that government-funded research must be made public immediately

Also seen on Hacker News: "Guidance to make federally funded research freely available without delay (whitehouse.gov)"; the White House announcement is at "OSTP Issues Guidance to Make Federally Funded Research Freely Available Without Delay".

The key point is right at the start: no restrictions and no fees. So a paywall is definitely out, and requiring registration to read also counts as a restriction, which this policy should require to be fixed as well:

In a memorandum to federal departments and agencies, Dr. Alondra Nelson, the head of OSTP, delivered guidance for agencies to update their public access policies as soon as possible to make publications and research funded by taxpayers publicly accessible, without an embargo or cost.

As for the timeline, in the short term policies are to be updated by mid-2023, with full implementation by the end of 2025:

In the short-term, agencies will work with OSTP to update their public access and data sharing plans by mid-2023. OSTP expects all agencies to have updated public access policies fully implemented by the end of 2025.

This one is a policy from the government side; at least these papers will have somewhere to be downloaded publicly.

I looked up the open access news I had written down before; there is also quite a bit of pressure from the universities' side, though what I recorded was mainly contract terminations with Elsevier:

It looks like there is progress from several angles...

Social media usage by Americans

Saw the article "Social Media Usage by Age", which charts social media usage by Americans; the data comes from the Pew Research Center's "Social Media Fact Sheet".

It is clear that Google (Alphabet) basically rules with a single product, YouTube, while Facebook (Meta) has three products with strong penetration: Facebook, Instagram and WhatsApp.

LinkedIn usage starts after people enter the workforce, and it is surprising how many old folks use Pinterest XDDD

The Zero Trust architecture promoted by the US federal government

Saw the memorandum "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles" issued by the Executive Office of the President, on the Zero trust security model; it serves as guidance other federal agencies can follow, explaining the federal government's direction for secure system design from a fairly high level.

It mentions "Phishing-resistant MFA". Ordinary MFA cannot prevent phishing (such as software TOTP like Google Authenticator, hardware TOTP like RSA SecurID, or entering a code received via SMS); the only ones that can resist phishing should be U2F or its successor WebAuthn, protocols that also put the site's location into the protocol.

It also mentions the two designs RBAC and ABAC, with a preference for ABAC to gain more flexibility:

Currently, many authorization models in the Federal Government focus on role-based access control (RBAC), which relies on static pre-defined roles that are assigned to users and determine their permissions within an organization. A zero trust architecture should incorporate more granularly and dynamically defined permissions, as attribute-based access control (ABAC) is designed to do.
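As an added example for the RBAC/ABAC passage above and the phishing-resistant MFA point (my own code, not from the memo or any agency system), here is the same request decided both ways in Python: a static role table on one side, and on the other a small attribute-based policy that also looks at the MFA method used for the session and the device's posture. The roles, attribute names, rule set and both sample requests are constructed for illustration.

```python
"""RBAC and ABAC side by side: the same request decided both ways."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# --- RBAC: a static role -> permission table; request context never enters the decision --
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"read:reports"},
    "admin": {"read:reports", "write:reports", "delete:reports"},
}


def rbac_allows(roles: List[str], action: str) -> bool:
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# --- ABAC: rules over subject, resource, action and environment attributes ---------------
@dataclass
class Request:
    subject: dict   # who is asking: id, roles, clearance, MFA method used for this session
    resource: dict  # what is asked for: owner, classification
    action: str     # e.g. "read:reports"
    env: dict       # context: device posture, network, time of day, ...


Rule = Callable[[Request], bool]

# Methods that bind the authentication to the site origin (U2F/WebAuthn, PIV smart cards).
# TOTP and SMS codes can be relayed through a phishing page, so they do not qualify.
PHISHING_RESISTANT = {"webauthn", "u2f", "piv"}
CLASSIFICATION_LEVEL = {"public": 0, "internal": 1, "confidential": 2}


def require_phishing_resistant_mfa(req: Request) -> bool:
    return req.subject.get("mfa") in PHISHING_RESISTANT


def require_managed_compliant_device(req: Request) -> bool:
    return bool(req.env.get("device_managed")) and bool(req.env.get("device_compliant"))


def clearance_covers_classification(req: Request) -> bool:
    have = CLASSIFICATION_LEVEL.get(req.subject.get("clearance"), -1)
    need = CLASSIFICATION_LEVEL.get(req.resource.get("classification"), 99)  # unknown: deny
    return have >= need


def writes_need_admin_or_ownership(req: Request) -> bool:
    if req.action.startswith("read:"):
        return True
    return "admin" in req.subject.get("roles", []) or req.resource.get("owner") == req.subject.get("id")


# Every rule must hold; one failing rule denies (deny by default).
POLICY: List[Rule] = [
    require_phishing_resistant_mfa,
    require_managed_compliant_device,
    clearance_covers_classification,
    writes_need_admin_or_ownership,
]


def abac_decide(req: Request, policy: List[Rule] = POLICY) -> Tuple[bool, List[str]]:
    """Return (allowed, names of the rules that failed) so every denial is explainable in logs."""
    failed = [rule.__name__ for rule in policy if not rule(req)]
    return (not failed, failed)


# Constructed sample requests -------------------------------------------------------------
ADMIN_FROM_PERSONAL_LAPTOP = Request(
    subject={"id": "u1", "roles": ["admin"], "clearance": "confidential", "mfa": "totp"},
    resource={"owner": "u7", "classification": "internal"},
    action="delete:reports",
    env={"device_managed": False, "device_compliant": False},
)
ANALYST_FROM_MANAGED_DEVICE = Request(
    subject={"id": "u2", "roles": ["analyst"], "clearance": "internal", "mfa": "webauthn"},
    resource={"owner": "u7", "classification": "internal"},
    action="read:reports",
    env={"device_managed": True, "device_compliant": True},
)


def compare(req: Request) -> Dict[str, object]:
    """Show where the two models diverge for one request."""
    allowed, failed = abac_decide(req)
    return {"rbac": rbac_allows(req.subject.get("roles", []), req.action),
            "abac": allowed, "abac_failed_rules": failed}


if __name__ == "__main__":
    # The admin's static role says yes; ABAC says no until the session uses
    # phishing-resistant MFA from a managed, compliant device.
    print(compare(ADMIN_FROM_PERSONAL_LAPTOP))
    print(compare(ANALYST_FROM_MANAGED_DEVICE))
```

The point of returning the failed rule names alongside the decision is operational: a denial that names the attribute that failed (weak MFA, unmanaged device) is something a help desk and a SIEM can act on, whereas a bare "forbidden" from a role table is not.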

Also, because of the zero trust design, the internal network can only be treated as a transport medium, not as a secure transport layer; every transmission needs a separate mechanism to ensure CIA, so even DNS traffic must be protected by DNS over HTTPS or DNS over TLS:

Agencies must resolve DNS queries using encrypted DNS wherever it is technically supported. This means that agency DNS resolvers must support standard encrypted DNS protocols (DNS-over-HTTPS or DNS-over-TLS), and must use them to communicate with upstream DNS resolvers.

Any HTTP traffic needs to be protected with HTTPS, even putting .gov directly onto the HTTPS-only list (presumably this refers to HSTS preload?):

More generally, the .gov top-level domain has announced an intent to eventually preload the entirety of the .gov domain space as an HTTPS-only zone.

However, it also notes that for email there is so far no good way to guarantee that encryption is used, especially when communicating with external parties:

Unlike HTTP and DNS, there is not today a clear path forward for guaranteeing that Federal emails are encrypted in transit, particularly for emails with external parties.

The vulnerability testing and reporting mechanisms it mentions are also interesting, such as encouraging external testing:

In addition to their own testing programs, agencies must increase their reliance on external perspectives to identify vulnerabilities that internal staff may not identify

And encouraging a security reporting program:

Public vulnerability disclosure programs, which allow security researchers and other members of the general public to report security issues safely, are used widely across the Federal Government and many private-sector industries. These programs are an invaluable accompaniment to existing internal security programs and operate as a reality check on an organization’s online security posture.

Something to flip through and read...

India threatens to arrest Facebook, WhatsApp and Twitter employees

Seen in The Wall Street Journal: the Indian government is threatening Facebook, WhatsApp and Twitter that if they do not comply with government requests to hand over data and take down content, it will arrest their employees in India: "India Threatens Jail for Facebook, WhatsApp and Twitter Employees".

This should be through the rules that passed just last month: "Facebook, WhatsApp and Twitter Face New Rules in India".

India's market is so big that every social network wants in, which gives the government enough leverage to negotiate with these big companies, and with overwhelming power at that.

After killing TikTok last year, it expanded its powers last month and this month turns around to go after these American companies.

No idea how far the US government will step in to help...