美國成立公司的成本

前幾天在 Hacker News 上看到這則:「Is Delaware the cheapest place to incorporate?」,當初只是瞄過去,但突然注意到提到 Taiwan:

I am living in Taiwan and want to create a startup. The business will be mostly open source and likely to have low to no revenue.

I see that US states like Colorado have no franchise tax. But I also saw posts here that Delaware is usually ultimately cheaper.

What is the recommendation for a company to manage an open source project? Sure it might be worth money, but likely not, so I would like to keep money tight.

thanks!

翻了使用者資料,似乎是在台灣的美國人問的問題,希望在美國成立一個公司...

然後目前最上面的留言給的答案給了很多 if-else 條件告訴你怎麼選:

I'm an attorney.

Delaware is definitely not the cheapest or even in contention for the cheapest.

Still, if you want to raise capital, the correct answer is DE C Corp. If you're not looking for external funding, any state will do. If you care about anonymity, do Nevada or Wyoming. If you don't care about anonymity, Colorado is actually a very good choice. Very simple, intuitive online filing system that accepts filings instantaneously. Filing fees as cheap as anywhere in the country. No need for an attorney (or LegalZoom or some other random service) unless you just don't feel like dealing with it.

Costs will likely be $50 to file, Registered Agent (as cheap as $30 per annum), and $10 periodic report fee annually every year you're in business. Colorado is even nice enough to send plenty of reminders on when to file that report if you give them an email address.

Since you're a US citizen, my instinct would be LLC taxed as an S corp. But confirm with your accountant!

Good luck!

下面其他的留言也差不多,另外剛好也有人問這位律師為什麼打算要募資的話,會選擇 Delaware:

It's just industry standard for capital raises. All corporate attorneys learn DE law when they go to law school and are expected to know it if they practice corporate law. A Colorado attorney doesn't know California law and a California attorney doesn't know New York law, but if they do corporate legal work, they're all expected to know how to deal with DE law.

因為學校裡教過,大家都知道要怎麼搞 XDDD

另外維基百科也有提到因為對企業友善,有很多公司是掛在 DE,甚至連 NYSE 都掛在 DE:

66% of the Fortune 500, including Walmart and Apple (two of the world's largest companies by revenue) are incorporated (and therefore have their domiciles for service of process purposes) in the state. Over half of all publicly traded corporations listed in the New York Stock Exchange (including its owner, Intercontinental Exchange) are incorporated in Delaware.

算是個有趣的知識...

Backblaze 開 US East 區域

Backblaze 宣佈有 US East 區域了:「Backblaze Adds US East Region, Expanding Location Choices and Cloud Replication Options」。

從圖可以看到本來是 US West + EU Central,當初開歐洲區比較像是歐洲客戶會需要遵守歐盟規範之類的需求,但這次宣佈美國開第二個區域,應該是代表規模夠足夠大到可以開第二區了?

機房在維吉尼亞州:

Data stored in U.S. East will reside in Backblaze’s newest data center, IAD 1, located in Reston, Virginia.

這樣算是不錯的訊號?

T-Mobile US 打算要賣使用者的瀏覽記錄了

全美第二大的 T-Mobile US 打算要賣使用者的瀏覽記錄了,除非你登入進去選擇退出:「T-Mobile to Step Up Ad Targeting of Cellphone Customers」,Hacker News 上的討論則可以看「T-Mobile to share customers' data with advertisers unless they opt out (thehill.com)」這邊。

The No. 2 U.S. carrier by subscribers said in a recent privacy-policy update that unless they opt out it will share customers’ web and mobile-app data with advertisers starting April 26.

這次的改變包括了 2020 年併購 Sprint 的使用者:

T-Mobile’s new policy will also cover Sprint customers acquired through the carriers’ 2020 merger. Sprint had previously shared similar data only from customers who opted into its third-party ad program.

所以連在美國都有 DNS over HTTPS (或是 DNS over TLS) 與 ESNI 需求了...

EU-US Privacy Shield 被歐盟法院拒絕

在「EU rejects US data sharing agreement over privacy concerns」這邊看到的新聞,引用自「EU rejects US data sharing agreement over privacy concerns」這邊的新聞報導。

歐盟最高法院的新聞稿則是在「The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield」這邊可以看到,雖然 EU-US Privacy Shield 被推翻,但本來在 2010 年的框架仍然有效:

However, it considers that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.

維基百科上的條目寫的比較簡單,主要是協議裡美國的保護機制不到歐盟的標準:

A final CJEU decision was published on 16 July 2020. The EU-US Privacy Shield for data sharing was struck down by the European Court of Justice on the grounds it did not provide adequate protections to EU citizens on government snooping.

記得這個戰了好久,最後在最高法院定案了...

Firefox 在美國將預設開啟 DNS over HTTPS

看到 Mozilla 在「Firefox continues push to bring DNS over HTTPS by default for US users」這邊的公告,另外也可以參考 Hacker News 上的討論:「Mozilla’s DNS over HTTPs (blog.mozilla.org)」。

這次的改變是將美國的 Firefox 使用者自動啟用 DNS over HTTPS (DoH),而預設是丟給 Cloudflare

By default, this change will send your encrypted DNS requests to Cloudflare.

這個作法非常粗暴而且侵犯使用者的隱私。

  • 對於進階而且有在跟重大消息的使用者,他們如果不信任 Cloudflare 的話,會主動關掉 DoH 的選項。
  • 但對於一般使用者,他們不知道這件事情,而他們本來也不會預期他們上網的 hostname 部份會被 Cloudflare 知道。

相較於 Google Chrome 是確認你現在用的 DNS 是不是在有支援 DoH 的清單內,如果是的話就會切過去使用 DoH,但不會因此改變 DNS provider,也就是不會有突然冒出來的第三者知道你瀏覽的網站。

來繼續看...

美國政府發行的字型 Public Sans

Public Sans 是一套美國政府出資而產生的無襯線字型,專案放在 GitHub 上 (uswds/public-sans)。這套自行不是全部都自己刻,而是改自於 Libre Franklin Font (以 SIL Open Font License v1.1 授權,而 Public Sans 沿用同樣授權)。

第一個目標是授權:

Be available as a free, open source webfont on any platform.

另外是使用的廣度:

Have a broad range of weights and a good italic.
Perform well in headlines, text, and UI.

Have good multilingual support.
Allow for good data design with tabular figures.

在 GitHub 頁面上有整理與 Libre Franklin 的差異,可以看到配合現在的呈現媒體而做了不少調整。

台美之間的租稅協定 (還在橋)

看到「因應美稅改 賴揆:加速洽簽台美租稅協定」這則消息,如果沒記錯的話,有不少服務都是美國公司出帳... (像是 AWSSlackGitHub 這類在公司裡很常用的服務)

參考「我國股利、利息及權利金扣繳率(%)一覽表」這邊的資料,應該有機會從 20% 降到 10%?也就是說實付 100 萬的金額本來要多繳 25 萬 (帳要做成 100 萬 / (1 - 0.2) = 125 萬,其中的 20% 是 25 萬萬稅,100 萬實際支付),現在只要繳 11.1 萬 (100 萬 / (1 - 0.1) = 111.1 萬)?

不過有些特殊情況本來就有更優惠的稅務方式 (像是使用國外平台提供服務 (e.g. AWS),而服務的對象也是境外使用者的情況),這些組合可以研究看看要怎麼搞...

IEEE P1735 漏洞,又是 Padding Oracle Attack...

在「IEEE P1735 Encryption Is Broken—Flaws Allow Intellectual Property Theft」這邊看到 US-CERT 發表的「IEEE P1735 implementations may have weak cryptographic protections」,裡面提到的主要漏洞:

The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP.

主要應該是第一包:

CVE-2017-13091: improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle.

又是 CBCpadding oracle attack 啊... 看起來是標準沒有強制定義好造成的?

The main vulnerability (CVE-2017-13091) resides in the IEEE P1735 standard's use of AES-CBC mode.

Since the standard makes no recommendation for any specific padding scheme, the developers often choose the wrong scheme, making it possible for attackers to use a well-known classic padding-oracle attack (POA) technique to decrypt the system-on-chip blueprints without knowledge of the key.

去年 Cloudflare 寫的「Padding oracles and the decline of CBC-mode cipher suites」這邊有提到 padding oracle attack 的方式,比較一般性的解法是避開要自己決定 Encrypt-then-MAC (IPsec;也是數學上證明安全性) 或 Encrypt-and-MAC (SSH) 或是 MAC-then-Encrypt (SSL),而是用 AEAD 類的加密元件直接躲開 padding oracle attack 的某些必要條件 (像是 AES-GCM 或是 ChaCha20-Poly1305)。

不過這也是這幾年大家才了解這樣做的重要性,當年在訂規格的時候都比較沒在在意這些...

俄羅斯展現「錢要花在刀口上」的功力?

TechCrunch 這篇「Trump and Clinton spent $81M on US election Facebook ads, Russian agency $46K」講到 Facebook 目前階段所判斷出來,能夠識別是俄羅斯政府投入的資金,只有 USD$46K,相較於美國兩黨投入了 USD$81M 差了 1760 倍:

While there might have been other Russian disinformation groups, the IRA spent $46,000 on pre-election day Facebook ads compared to $81 million spent by Clinton and Trump together, discluding political action committees who could have spent even more than that on the campaigns’ behalf.

而俄羅斯投入的廣告散佈率超過 1.26 億的 Facebook 使用者,以及 2000 萬 Instagram 的使用者:

Facebook today said that the Russians still reached 126 million Facebook users, as well as 20 million Instagram users.

俄羅斯這團隊的水準真不賴... 只可惜大概沒辦法寫在 resume 上。

聽證會的資料可以從「Hearings」這邊看到。

AWS 的 us-east-1 開放第六個 AZ

AWSus-east-1 上次加第五個 AZ 不知道是什麼時候了,找資料找不太到... 這次宣佈加第六個 AZ 進去了:「Sixth AZ in US East (N. Virginia) Region」。

依照 AWS 之前有提出來的架構,所有 AZ 之間都是有互向連接的... 所以 us-east-1 加 AZ 都會比其他區域辛苦不少...