Snowy Day with Peter

A place for posts too short for the blog and too long for social media, by Peter Cai. Mostly just unedited brain dump that I somehow thought I should publish. WARNING: May contain hot takes. Likely ill-formed / ill-supported ideas.


As you probably can see, I have been firmly in the self-hosting crowd since a few years ago. To say the least, I have my own self-hosted "cloud" storage, music streaming server, Git frontend, email server, social network (Mastodon, Misskey), and messaging apps (XMPP, Matrix). One main reason of doing so was, of course, for privacy, just like many others who are on the same boat. I just can no longer trust my personal data to big companies, especially if the product handling said information is free.

Of course, as a long-time full-suite Google services user myself (before starting to self-host), I completely understand why self-hosting is not for everyone. To begin with, it is understandable that big companies are just not in the threat model of many people. As much as I would like to argue against it, one has to admit that incidents related to privacy, at least those that have been publicized, are no more than a minority. For 90% of users in 90% of the times, it may simply not be a concern whatsoever. There is always the risk of practices that have not been publicized, of course, but for 90% of users, it might simply not be a good investment of their time to delve into the complicated world of self-hosting.

What I have started to realize in the recent one or two years is that the benefits or reasons to self-host goes far beyond just privacy. Even under the assumption that one does not consider the service provider companies as a threat, there have been countless cases where people get locked out of everything they depend on due to (true or false) accusations of violations of the terms of just one of the company's services. For example, you may be locked out of Gmail, your only main email address, due to a payment in Google Play being flagged at fraudulent. Or your phone service may be terminated due to a photo in your Drive account being falsely flagged as child abuse by the AI algorithms.

When we start to depend on one company for everything we have, whether it is for our digital life or not, something like these cases is bound to happen at some point. As the number of services we use go up, it is increasingly, or even overwhelmingly likely that we would run into terms violations even if we do not mean to do it. If all the essential services are connected via a single company, then each single one of them may become their own single point of failure that can knock out one's entire online presence. And self-hosting is just one among many ways to reduce such dependence and thus to minimize such a risk.

This also reminds me that self-hosting on its own is never the solution to everything. When you host everything on one server or at one location without backups or standbys, you are again effectively creating a single point of failure. It might not be as bad as, say, with Apple or Google accounts, but it is still a huge risk of losing everything due to one single incident. On the flip side, you can definitely eliminate many of the points of failures without self-hosting -- by simply using more than one service providers, so that you always have something to fall back upon. The old saying that goes, "don't put all your eggs in one basket", is still a rock-solid piece of truth even in the information age.

Imposter Syndrome

Having started several popular projects since I was in the 9th grade or so, I, to some that I know, have always been one of the "successful" people in the circle, at least in terms of visibility and the number of projects that have received public / media attention. For all the privileges and opportunities I have gained through all of these experiences, I have never felt being truly "worthy" for what I have "achieved". I understand that saying this tends to leave a sour taste in some people, and others would tell me that the culprit here is simply imposter syndrome. But I have never felt that it is really the case, or even if it is, it does not sound like something that I should think myself of.

Recognizing oneself as being affected by imposter syndrome, to me, sounds a bit self-contradictory. For one thing, literally everyone could do the same, whether they are actually having it or not. How would I know if I am the one who truly has imposter syndrome, or I am the true "imposter"? It sounds like one of the things that are impossible to observe as oneself. On the other hand, by blaming all thoughts of self-deprecation on imposter syndrome, it might in turn make me exactly the imposter that I feared I would be. I may or may not really be good at what I do at this moment in time, but in any case, statistically, there are almost always a lot of people who are way better than me in all aspects, many of whom may not have had the same great chances as I did. Whether I am worthy of what I have or not, it seems very pretentious to assume that those are what I "deserve" -- and without a feeling of insecurity, I doubt if I would have any motivation to try to become better.

I personally attribute most of the "achievements" I have had up to this point to one thing -- luck. It was pure luck that I am even alive at this age in the first place -- I was born in a family with generational medical background, where my tumor, which developed when I was only about 3, was recognized and diagnosed early and caused only some disability as a minor inconvenience (compared to, you know, unaliving). It was pure luck that my parents were supportive of me pursuing knowledge and education in computer science, as opposed to not considering it a proper career path. It was pure luck that I was able to ride the wave quite a few times in the past for "personal fame" -- SwipeBack, BlackLight, Shelter, or really, most of my projects, only became popular through, really, chance. BlackLight became popular due to the demise of a few other clients that happened to be the same time as when I released BlackLight. Shelter became a thing only because Island happened to have raised some privacy concerns at that specific time only. In terms of my Android contributions, I also piggy-backed on quite a few others' work to make myself into the news, such as the time when I did a OnePlus 3T build. Heck, had I not somehow believed the stupid claim that Xiaomi is "better than Apple" when I was still a kid in junior high, I would not have even got myself into the whole world of Android system (or app) development. Everything I have done are really not a result of me being better than others -- it's just that I somehow had better chances than a lot of people who might be similar or better than me.

I am not even sure what I am trying to say at this point. In any case, I am not saying that one should delve into the endless abyss of self-deprecation as a result of imposter syndrome that may or may not be real. But I do think it is somewhat helpful in reminding me of where my "achievements" actually came from, and that I need to keep learning, to make myself actually not an imposter, instead of being satisfied with what I have done.

Why Write

When I restarted my blog (again) this year, I, like all the times I did before, had a resolution to start writing regularly -- probably not every single day, but maybe every other day, or at least once a week. And, also like all the previous attempts, my frequency of writing peaked around the moment when I first restarted the blog(s). Just look at the post frequency on this blog: I created this "shorts" blog around April 24, 2022, specifically so that I can "dump" some of my random ideas without worrying about structuring a full blog post. In the first 3 days after creation, I posted 3 times, while the next entire month, May, saw 5 posts in total. In June, I made only 3 posts, and this month, July, there was only one post at all before this one.

It is ironic that every time I stop writing for an extended period of time, it always seems like I have way more ideas for writing than what I could ever write. Every idea I ponder, every question I ask, or even every situation I get myself into, starts to look like missed writing opportunities. This is the reason I am so prone to fall into the cycle of starting a blog, abandoning the blog, and then restarting it again some time later. In the past, I thought that the reason of abandoning my blogs is a mental standard of writing that is set way too high, such that it imposes too much pressure on me when trying to write, so as to discouraging myself from writing anything whatsoever. But as the situation of this blog has clearly shown, it is not the case, or at least not the sole reason why I fall in such a cycle.

Yet another case of over-confidence before learning how hard something really is. We as humans just tend to forget the real difficulty of doing something, even if it has been done before by ourselves. My "abundance" of writing ideas is definitely one example -- it is true that I tend to have a lot of random thoughts, but how many of them are actually worth, or even suitable for writing? Without trying to come up with an article for it, even just a "short" one like I have here on this secondary blog, it is simply not possible to tell. Thoughts that pop out in my mind are just that -- thoughts. There is no reasoning behind them, and there is no guarantee that they even make any sense at all. Other times, they do turn out to be reasonable ideas, but the reasoning stretches too far into my very personal background, which I may not be comfortable revealing. But without attempting to write them down, they always seem to be the best idea ever.

Maybe, after all, that is where the benefit of writing, or rather, the process of organizing thoughts into a feasible product as a post, ultimately lies. Through the process of writing, I gain insight into my very own mind, insight into which thoughts are purely impulse-driven "anger thoughts", which of them are distinctively "me", inseparable from who I am, and which of them are both well-supported and suitable for publishing. Of course, given these facts, not all of what I write will end up being published, but all that I did not publish do not just go to waste. Without the process of attempting to write them down, I would have never known how bad some of my takes were, or how naïve I could be as a person. That, and not just the product, should be the reason to keep me writing.

I am, of course, losing motivation on blogging after so many failed attempts of posting articles from my random thoughts, just like the many times I did before. But at least this time, I have something different. I have this secondary blog, where I can dump my less-completed posts and even just ideas. For all the drafts that never made into either of my blogs, I now have a diary sub-folder in my Standard Notes workspace to archive them all. They serve as reminders of pitfalls I tend to slip into when my mind is wandering around, snapshots of who I am at the moment I created them, and, more importantly, reasons for carrying on with writing, even if no visible "products" are produced.


(Or: How to be totally unprepared for the worst)

On July 8, the past Friday, I woke up in the morning as usual, with the sun shining directly into my eyes. I let out a long yawn, blamed the sun, proceeded to check my phone, and realized that it has somehow lost the cell signal. Weird, I thought, at least I still have Wi-Fi -- but none of my chat apps showed any updates past around 4 am that morning. I opened my browser to check, only to be confronted with a connection failure message. As a first instinct, I thought that there must be something wrong with my router, or my Ethernet cable might have been pulled out for whatever reason. Too lazy to get up from my bed, I rebooted the router from the web interface on my phone and waited. When the router came back up, nothing changed. I then suspected that it was either the cable or the building's internet routing, thus I checked the DHCP status on my router, which showed up as online with an assigned local IP address.

At this point, I was still very confused, and had no idea the absolute chaos I was in. I had to get up to do more checking, when I realized that one of my phones, which was using a roaming data plan from an eSIM provider, had signal. That one provider was able to roam on Bell, while all the other SIMs I had are on Rogers either natively or by roaming. This is when I started to realize maybe something was wrong with the carrier Rogers, but I still believed that the issue was probably local. However, I then tried to reach out to a few friends in Canada, and whether they live near or far from me, they all reported the same issue with their Rogers uplink.

It can't be a nation-wide Rogers outage, right? Such a large carrier cannot just go out at once across the entire country, right? Or so I thought. But typing in "Rogers outage" in Google resulted in dozens of news articles about an ongoing outage that started around 3 - 4 am that morning. That was when I started to realize how bad things are on that Friday. Though, I was still under the impression that such a critical failure cannot last for more than a few hours, but as time passed, there was no sign of a recovery, and it was soon time for a lunch. But wait -- aren't the PoS machines at the restaurants and shops also usually connected with the Rogers network? If everything are down on Rogers, then those machines would likely not be working either.

If PoS stop working, then I could at least get some cash, but wait, the ATMs also operate on mobile networks, don't they? In fact, after a bit of digging around using my only backup data connection, it seems to be even worse: the entire Interac system, the inter-bank network that handles transaction between Canadian banks, runs exclusively on the Rogers network. Consequently, everything that goes through Interac, including debit card transactions and online money transfer (e-Transfer), is impossible when Rogers was completely down. This, of course, also includes all ATM transactions. In fact, even if Interac was still working, it would still be kind of problematic to access funds in banks, because many banks require 2FA based on SMS, which in turn is sent through the Rogers network. This happened to all of my bank / credit card accounts, except one which supports 2FA through email.

After a bit of searching, I managed to find a few CA$10 bills lying around somewhere below a bunch of miscellaneous items, and was able to grab a lunch outside. It turned out that some of the shops also still had a backup connection running, which could support transactions via non-Interac providers, such as Visa and Mastercard. But some of them were not so lucky, and some even had to close down for the entire day because of the inability to process payments or the over-dependence on internet-based services for ordering.

I was lucky that payment was basically the only somewhat major inconvenience the outage has caused me. I was lucky that I had a bit of cash lying around, which allowed me to grab a lunch and purchase a bit of grocery items on the way back. I was lucky that I had a backup data plan, which enabled me not to be completely radio silent during that day. I was lucky that I had no emergencies that required a call to 911, whose service was also spotty due to the nonfunctional cell towers. We were lucky that it was only Rogers who had issues on that day, and the other carriers did not end up crumbling under the drastically increased load as one other big carrier broke down. But others are not so lucky, and if this happens for a second time, I cannot guarantee that I would still be this lucky.

Rogers was mostly brought back online by the end of that day in my area. However, with a series of bad luck, things much worse than this could have happened. Imagine if one more carrier succumbed to the increased load, or the outage lasted much longer with the cell towers completely nonfunctional, or that this was caused by a natural disaster rather than human error. Even though I did not have a lot of inconvenience to speak of, this still made me realize how unprepared I was to this kind of events. How could I have only so little cash available at hand? How could I have only one working backup data plan (note: these are actually kind of cheap due to them being roaming eSIMs)? How could I not have enough grocery at home to last a few days? And how could I not have any backup communication plans other than the internet?

I'll have to be way better prepared even if this will never happen again.

Recent Updates 06/30

The past two weeks or so have been a little bit hectic for me, and that's part of the reason why I have not updated this blog in a while. In the mean time, I thought it would be appropriate for this semi-diary formatted blog to have some sort of a miscellaneous update on what has been happening to me recently. This would not be a short post, but due to its miscellaneous nature, I felt that it belongs to this blog more than the main one.

Of course, school has been the majority of what I am doing. Research, teaching assistant work, and so on. Two weeks ago, I actually had a bit of a panic attack with regard to the research topic I was doing in the hope that it could become my thesis -- it was not going well at that point, and I was really scared that I might have to throw everything out and start over. Later I had a talk with my supervisor, and by changing the goal a little bit, it seemed again that this project could end up with something good -- and I really, really hope that I could graduate on time next year with this project as my thesis. On the other hand, because it is near the middle of the current Spring term, the course I am TA-ing this term had a mid-term exam, which I (with a bunch of other TAs) had to mark and release the grades. It was somewhat of a pain due to me forgetting a lot of what I really should know and have learned during my own undergrad years. Nevertheless, I managed to refresh my own memory on the spot and finish the marking (hopefully I have not messed up).

In other news, I have had the absolute pleasure of dealing with wheelchair providers for the first time in Canada due to an unexpected puncture in one of the tires on my wheelchair. I was, and I am not joking, in a panic when I realized the presence of the puncture, because now my entire chair was slanted towards the flat one and it was extremely uncomfortable, and, frankly, kind of dangerous to go anywhere on. It was on a weekend, so I had to wait until Monday, but that was not the issue. On Monday, I called up a wheelchair repair shop in my area, and got notified that they do not even fix punctured tires or replace inner tubes at all, and they wanted me to provide the exact manufacturer, model, and style of that wheel on the wheelchair so that they could source a wheel and replace the original one for me. They did not tell me how long it would take, but from the looks of it, I would assume minimum a week or so for the sourced wheel to even arrive at all, for which I don't have the leisure of waiting since I have to rely on the single wheelchair I currently have.

What I ended up doing is just showing up to a bike shop and ask them if they could attempt to patch it up, since the tire is basically a smaller bike tire (similar in size to a kid's bike tire). They agreed, and promptly fixed it for free -- yes, they did not even ask for me to pay for the patch they used. Turns out, the puncture was so small that we had a hard time even finding where it was, and we had to drop it in some water to rely on bubbles to locate the hole. This only made dealing with the wheelchair store seem more ridiculous -- I really cannot imagine waiting for weeks to replace (and pay for) an entire wheel, when it can simply be fixed with one patch on the inner tube.

That was a bit of a bad luck for me, but it also prompted me to really look into the possibility of driving an adapted vehicle, because if my wheelchair broke in a more catastrophic way, say, the motors broke, and the only place I could fix it in is somewhat far away (because wheelchair stores are far from being everywhere), then I will be kind of stranded without something like a car. Well, I had already started looking into adaptive driving before the incident, but that only made me want to get it figured out soon. I was looking around online for rules and procedures, but they are somewhat confusing and often conflicting with each other. After the incident, I decided that I should just call the Ministry of Transportation and ask them to clarify the procedure to me, which they did promptly. Apparently, I should just go and get the written test done first, and they will provide information on the next steps to me after that.

Those are the major updates I would like to talk about, but a bunch of other minor events also did happen. Right after the last blog post here, I made up my mind to finally debug and figure out why AOSP kept locking up on my new Xperia device -- it was a deadlock in android framework, which somehow did not happen on any other device I had but this one. Maybe it was the scheduler doing something funny. But anyway, I had it fixed and submitted the patch to AOSP, which is now waiting to be merged. Later, I almost got involved into a drama between some open-source projects and developers, but as I didn't have a Twitter account, and I really did not see the point of it, I refrained from saying anything public about it -- which I still see as the right decision. I have been on the Internet long enough to realize that this kind of drama never really result in anything helpful. The eSIM manager project I was working on is now a bit stalled due to everything that has been happening, but hopefully I should be able to get back to it somewhat soon-ish.

On the topic of blogging, I have been losing interest, again, in writing blogs, possibly due to the hectic past two weeks, but more likely due to the general trend of me giving up on things quickly after a while of obsession. I, however, knowing what has happened to my previous blogs, do still want to keep writing and keep my current two blogs alive. I have been forcing myself to keep writing diary entries regularly, so that when I finally decide to produce a blog post, I would have something to refer to. I am somewhat forgetful, so having an archive of my own memory would also be very helpful. Let's hope that I could keep this going for a long while.

Right to Repair and Software Freedom

Recently, the right to repair movement has been gaining a lot of momentum around the world, which I absolutely support and am extremely happy to see. But as people are cheering over the passage of some of the pro-right to repair regulations, I cannot help but fear that all of this would end up stopping short of its actual full promise of "owning what you own" and reducing planned obsolescence. In my mind, to achieve its goal in its fullest form, the right to repair is not at all separable from having fully functional free software, or at least open-source and user modifiable software, running on most of our devices.

The problem with right to repair without FOSS software is very simple, at least to me -- it does not address modern products in their fullest forms. Sure, the phones, computers, or cars you buy today are still made from mostly the same physical materials they used to be made of 20 years ago. But the software side of these devices has evolved a lot, by that I mean, a real LOT, in recent years. Nowadays, basically everything is running a full-fledged computer operating system kernel, like Linux or Darwin, with some maybe even containing multiple OS kernel-capable chips, like the Apple T2 security chips. The nature of modern software and the internet means constant maintenance is needed for basically everything for security except fringe cases where the device is intended to operate fully offline and isolated from wireless communication.

Requiring manufacturers to provide spare parts and repair manuals only fixes one side of the problem. As a simple example, even if you can physically fix your phone, if it has an insecure piece of unmaintained software as its only available operating system infested with bloatware that have been discontinued years ago or even outright malware, it would still not be very useful past its originally intended obsolescence date. Sure, one could introduce legislation to force manufacturers to provide software support, and by software support I mean real updates, for at least a certain duration, but that, aside from potentially increasing the cost of consumer devices, ignores the fact that the manufacturer can obsolete your phone without even officially discontinuing software support -- a nonfree operating system can do arbitrary things to old devices, such as intentionally slowing them down, without having to public admit to anything. Lawmakers could absolutely make this illegal as they like, but in practice it would be very hard to prove such practices, let alone suing the multi-billion-dollar corporations.

Without owning the software, you still do not actually own your device. This unfortunately is still very much the case nowadays, even on Android, where you are supposed to have more options for customization. There are the TEE blackbox, the secure elements, and even a full-fledged hypervisor on Qualcomm platforms. These non-free software quickly become antiquated and even dangerous in the ever-changing security landscape. Without access to the source code and the ability to run your own version of such code, even the best you can do will be very limited. As an example, even though LineageOS provides after-market support for new Android versions on very old phones, such a port still runs very much upon the same old binary blobs that were extracted from the device years ago. However much effort they put in fixing the OSS-side bugs, whatever is in those binaries stay the same forever, since they are out of official support.

And that, my friend, is why I think the next step of right to repair movements should be software freedom. To be clear, even the most basic forms of right to repair are not yet a reality, so I do not expect anyone to actually pursue it as the next step any time soon. Nevertheless, it is always good to keep in mind what we as users and consumers actually want, and what we ultimately want to take back from the billion-dollar corporations.

Attention Span

I've always wondered whether my attention span is normal. Like, probably since my high school years. Right before I entered high school, I first became interested, and more importantly, engaged, in the Android community, both as an open-source app developer and a third-party ROM developer, which was basically my introduction into the world of systems and mobile development. That interest of course carried over into high school, where the course workload was significantly higher than before. This was the reason why I started noticing maybe my attention span is not as long as others -- I simply could not, say, do my homework, in one go without being distracted onto other tasks. And that distraction is often programming and developing for my Android phone, but again, as interesting as it was to me at that time, I could not keep doing it for longer than half an hour or so at a time. The pattern that I end up falling into is basically interlacing everything I had to do -- 10 - 20 minutes of homework, then 10 - 20 minutes of coding, and then doing nothing or goofing around in a few chat groups, etc.

This was not a problem for me, because although I might be a bit slower than others, I still got all of my tasks done, for both my study and development. However, context-switching between tasks so frequently does cause some issues for me, such as being confused about what I was doing just 20 minutes ago, or forgetting very important things that need to be done after switching to another task and back. As time went on, I continued doing the exact same sort of "multiplexing" throughout my undergraduate study. Because CS undergraduate curriculum was not exactly hard for me with such a background, this was even less of an issue, and I basically stopped even worrying about any of it as I went through 4 years of being an undergraduate student.

Things got worse nearing and after graduation, when most of the course workload came to an end. I opted for a gap year before going to graduate study -- not exactly a great choice, as COVID came right after that, but that was the best choice I could have done nevertheless. As there was nothing better to do, I decided I should spend the time on my own personal projects, but then quickly realized that I was simply not able to keep working on the same project without being distracted. This manifests in two ways, actually: firstly, on a short time scale, I could not keep developing code without being distracted by a YouTube video, and then start to wander around on Reddit or in a Wikipedia / Google rabbit hole, completely forgetting what I was supposed to do; on a slightly longer time scale, I quickly lose interest in projects I started myself, even though I was full of passion when I started said project. Throughout that year, I had five or more "things" to work on, none of which actually came to any sort of completion.

Going into graduate school did not help in this regard. In fact, the same thing is happening right now, both with my open source projects and with my actual study. For the first part, I am still doing the same interlacing while doing basically anything -- in fact, I am stopping to write this article as I am trying to finish a Minecraft YouTube video. It has gotten even worse, I think, because now I could not even watch an episode of anime without pausing a lot in the middle, not being able to hold back the urge to check or do something else. On the other hand, my projects have not been going exactly well. I was to play with PinePhone Pro earlier this year, with the intention to contribute something, but then it has just been sitting there collecting dust after an initial week of obsession. I started the OpenEUICC project quite recently, but now I am already losing the motivation to work on it. Same with my research, which I proposed to my supervisor with a lot of passion, and now the progress has become very slow.

Is this necessarily a bad thing overall? Maybe not, because actually, a lot of my projects were started while I was distracted or unmotivated from another one, and many of these have been at least somewhat influential in my circle. It is a problem, though, when I need to get something done quickly. But throughout the years, I have learned to cope with it, as otherwise I would not be able to manage to do a lot of things. For example, I'd always start working on something long before the deadline, knowing that I will be distracted in the process and calculating that into the time I need for said task. I also learned to remember what my main task for the time is, even if I get distracted to something else. As curious as I could be sometimes about whether this is normal, I do not really feel the need to completely change how I behave, since it does actually help sometimes. It is just among the things I wonder from time to time that all boil down to the same topic -- am I the weird one?

2022-05-24 Web Applications

The web should be allowed to be way more capable than it is right now. Seriously. I know a lot of people who grumble about how the web today is way too capable than it should be and that creates a lot of privacy or security issues from overly capable web applications, but I just fail to see a convincing argument on why it is the case. On the contrary, I am pretty sure that the popularity of web applications actually reduces the attack surface of average home PCs and the fact that web applications today can replace many or even most of native applications is a net plus to security.

My core observation leading to the conclusion above is that on the web, applications (sites) are untrusted by default. Aside from cases where browsers may grant special privileges to sites owned by their makers, web applications have only access to their own little sandbox created by the browser, isolated by at least virtual machines and process sandboxes. Anything not available through JavaScript or WebAssembly APIs are simply impossible to access by an application except through direct or side-channel security vulnerabilities. Even in the case where something outside the sandbox is specifically made available, such access almost always require explicit user interaction to proceed. For example, in the case of file system access, the user must be prompted with a dialog to grant access to specific files / directories before they are read and passed through to the web application. Compare this to a hypothetical native application running on a traditional operating system, such as Windows or desktop Linux, who can basically access anything owned under the same user account, it is not hard to see that your typical native applications are just a security (and privacy) nightmare.

Can native applications be sandboxed? Sure, and there are countless solutions to do exactly that. However, because the base assumption of most desktop platforms is that all applications are trusted by default, it is very hard to properly sandbox desktop applications without breaking at least some functionalities. A proper sandbox requires the application itself to be aware of the fact that its access is limited, and ask for permissions to be granted by user interaction when needed. This would necessitate a complete redesign of the platform -- for example, Android, although based on Linux, enforces a sandbox on all of its applications. But, surprise-surprise, we already have such a new redesigned platform -- it is called the web. Web applications were originally very, very limited and can basically only serve information instead of providing any useful functionality. Nowadays, through the addition of APIs that grant more permissions based on user interaction, many native applications no longer even need to exist. We have more code running in limited sandboxes today than we used to do.

Will adding new capabilities to web applications open up possibilities for more attacks? Definitely. However, even in the worst cases, the attack surface of a web-based application is still dozens of times smaller than an equivalent native desktop application. When we think about extending the capabilities of the web, we need to keep in mind that they have to be compared with their equivalent desktop counterparts, instead of with their past selves, because of course a simple plaintext web page is way, way more secure than a modern web application, but that comparison is not useful, to put it nicely. It is like comparing a modern internet-connected PC to the first mechanical computers that cracked Enigma -- of course ours have more security vulnerabilities. What we do by enabling the web to replace native applications is not making the web insecure, but rather, replacing insecure native components with more secure web counterparts. Of course, this is all under the assumption that newly developed web APIs adhere to the same sandboxing and security standards as before.

In a perfect world, all applications should be free software, with source openly available and properly audited periodically for potential vulnerabilities. In this case, having an intermediate layer called the web may only be a waste of resources. But we do not live in such a perfect world. There are proprietary applications we have to use on a daily basis, for example, your banking account, and it is not like everyone can really live like Richard Stallman who does not even carry a mobile phone. Proper sandboxing is the way to go when a strict free software-only policy is not possible, and for that, I will stand for the web.

2022-05-17 初恋

多少人一生都怀念自己的初恋,认为初恋是最纯洁、最好的恋情,以至于无数漫画、电影都以初恋为主题。然而我一直不曾理解初恋究竟好在哪里 —— 也许是因为我没有经历过真正的、双向的初恋吧。


一个例子是高中毕业上大学之后,我曾经尝试过认真地和当时(高中毕业之前)「喜欢」的女孩子打交道。结果并不乐观 —— 开始经常聊天以后才意识到,我们双方的三观的差距有多么的大,甚至连找一个共同的话题都是一件难事。我不想贬低别人的三观 —— 恰恰相反,我认为我自己当时的三观是幼稚、不成熟的 —— 但事实是我们的聊天次次都是「尬聊」。现在去翻当时的聊天的历史,我完全无法抑制住自己 cringe 的冲动。没有共同的话题,没有共同的价值观,连任何稍微深入一点点的闲聊都做不到,「喜欢」从何谈起?我当时经常在半夜思考这个问题。我以为我喜欢这位女孩子,实际上只是喜欢她的外观,喜欢她的长相,对她曾经有过这样那样的想法罢了。这在我的辞典里不是「喜欢」的定义。我不了解中学时期谈过恋爱的情侣的经历,但是就(我认识的)这类情侣大多数在毕业的那一刻分手来看,我也非常怀疑这类人之间真正的「喜欢」的成分有多少;虽然能成为确定关系的情侣至少意味着这类关系不单纯是青春期生理冲动的体现。当然,一切都可能可能只是我没有过真正的、双向的初恋,所以在这里吃不到葡萄说葡萄酸罢了。


一段时间之后,我像漫画中标准的败犬一样,在半夜通过某 IM 向她表白。不出意料地,结果是我被拒绝。也许仅仅是出于好意,不想过于伤害我,也许是她也觉得我虽然不能作为恋人,但至少可以作为一个朋友,我们在那之后还保持着比较频繁的联系,直到毕业之后。到现在,我们还会每隔(较长的)一段时间互相 update 一次最近的生活。


2022-05-15 生きる理由








2022-05-08 eSIM, and the Sad State of AOSP

The current state of AOSP (Android Open-Source Project) is sad. Or rather, sad from a user / third-party developer perspective. I'm sure this same opinion has been reiterated a million times across the Internet, but my recent endeavor with eSIM only proved this point even more.

For the longest time, I thought eSIM was a huge threat to user freedom on Android devices, because I believed all of them had proprietary interfaces that can only be operated through a proprietary vendor app, which often depends on Google services. On Pixel devices (and a few from other vendors), this is the EuiccGoogle app, which is part of the GMS stack. As a result, I became increasingly worried about the future of mobile devices, as carriers move to eSIM or even eSIM-only models, and I can't say I haven't put the blame on GSMA, the GSM Association, at least mentally.

Turns out, this worry is completely unnecessary, or at least not for the reason I started with. The GSMA publishes the complete standard for consumer profile eUICC (eSIM) chips, GSMA SGP.22, which includes full specification of the protocol to communicate with said chips and the protocol to download new eSIM profiles over the internet from carriers. At first, I did not believe that this standard is actually followed and I thought there must be some proprietary stuff on every single one of these chips preventing an open-source implementation of a eSIM management app. However, from my attempt to dig into the internals of the eSIM.me app, I discovered an open-source library from Truphone, which claims to implement the ES9+ and ES10x protocol to communicate with both eUICC chips and carriers' servers (RSP servers).

I, of course, did not believe this would actually work for eUICC chips embedded in consumer devices. However, because I knew phhusson has an interest in SIMs, I pinged him anyway for this discovery, saying that if this is what eSIM.me used, it might work for other eUICC chips, but I wasn't too motivated to put a lot more time into it. He, though, was excited. The very same night, he seemed to have stayed up very late to play with this library, and told me that it worked on his Samsung devices to successfully provision new eSIM profiles. I saw his message the next day, and immediately became intrigued. I pulled out my dust-collecting Pixel 4a, and tested phhusson's proof-of-concept, and confirmed that the library was able to communicate with the eUICC chip on my Pixel as well.

What prevents me from just making an open-source version of EuiccGoogle, then? I thought. At that point, I already realized that it is totally possible to make an open-source eSIM Local Profile Assistant (LPA) app that replaces EuiccGoogle. As I had some free time that day, I figured there was no better time to start the OpenEUICC project. I was able to finish a basic UI that day, and was able to manage and provision eSIM profiles on my Pixel 4a from my open-source app. I later decided to make it a full LPA implementation by integrating with the system EuiccService API, which is still an ongoing effort.

Why does AOSP not include an eUICC management app, then, as it seems that there is nothing proprietary about the management API / protocol itself? I don't know. One of the reason could be the need for proprietary firmware updates, but that is not really different from any other hardware that needs firmware, and I don't think it is a valid reason to keep the entire app closed-source only. Not to mention that EuiccGoogle does not even handle firmware updates itself -- it is delegated to another device support app. The only reason I could think of is laziness and the lack of "importance" of the open-source Android community -- just look at the current state of AOSP in general. The AOSP Dialer, SMS, Calender, and Clock apps are all stuck in their Android 6-era style. It is no wonder that nobody wants to introduce an entire new open-source component given that they do not even want to update the existing ones.

I would also like to make it clear that I do not want to put the blame on Google, or anyone else in the Android community. I could go on for days to talk about this, but at the end of the day, no single person or even company is responsible for this situation. All I want to say is that the current state is sad for an operating system that boasted openness and geek-friendliness, and I hope that my project, OpenEUICC, can contribute its tiny bit of help in alleviating this sadness.

2022-05-01 Two-step Login Pages

Nothing annoys me more than websites that force a two-step login flow. Seriously. Typical examples include Google, Microsoft, or most Big Tech companies -- when logging into their service, you have to first enter your account ID, and then wait for a (fake) progress bar to load, only after which can you start to enter your password.

I don't know what is the principle behind such a design. Maybe it is for security, by which I mean maybe they can go through some heuristics in the backend after you only entered your account ID to decide whether to even let you try a password, reducing possible attack surface. But I seriously doubt how much information can you extract from just entering the account ID in the browser. Besides, a well-designed password authentication system should be resistant to brute-force attempts in the first place.

The reason I hate such a flow so much is that it breaks the flow of password manager usage. Normally, when a website allows you to enter both the account and password in the login page, there is just one click and maybe a master password prompt, and then you are done logging into that service. Not in this case. I have to bring up my password manager, find my account ID for said website, click next, wait, and then bring up the password manager again for the password. Under stricter security policies in the password manager, this would mean entering my master password or whatever credential twice for one login session. That is purely annoying.

I am fully aware that not everyone uses a password manager -- but more and more are adopting this arguably more secure option online, and it seems weird to me so many services are still hostile to such solutions. Some websites and apps even disallow pasting into / invoking password manager plugins on the password field. But again, maybe I am just ignorant about all the benefits of doing two-step login pages, or maybe using password managers is just a false sense of security. If any reader knows a deeper reason why, I'd be happy to have a more detailed discussion, which may result in an actual blog post :)

2022-04-27 Contemporary Google-fu

Google-fu has been important since the dawn of the modern internet. Except nowadays, simply knowing how to search for answers is in no way enough. It could even be dangerous sometimes -- this article shows an example of how Google search results are filled with questionable health advice produced by marketing teams -- and without the ability to filter them out in your brain, it is very hard to extract anything useful from such searches.

It is not limited to just health-related queries. Even when I try to enter programming-related search terms, a large part of the result would be websites that do nothing other than copying content from legitimate websites like GitHub and StackOverflow, and somehow they rank higher among the results than the real deals. What's worse is that one wrong answer would echo through all of these copycats (or "content farms") to generate pages upon pages of nonsense. Granted, a wrong programming answer will probably not kill anyone, at least not immediately, but others can, such as the aforementioned health-related case. Imagine how many people have been robbed of their life savings or even their lives due to questionable search results.

What's the most infuriating for me is that Google made an attempt to make retrieving useful information from the atrocious search results easier by showing a "People also ask" for answers to related questions commonly asked, which sounds great as it saves a lot of manual filtering... But of course SEO people found their way again. From my anecdotal experience, most of the time, answers in this section do not even actually answer the given question at all, but rather they are filled with nothing but vague marketing speech -- just like the rest of the results.

I, of course, understand that all of this is due to SEO -- the only way for companies to gain visibility on search engines among millions of search results. But if useless and harmful information end up benefiting the most from the algorithms, I would argue that the algorithms used in modern search engines are fundamentally flawed. When a metric becomes the target of optimization, it ceases being a good metric, and the search engines are no exception to this rule. I could talk shit on people who fall for these SEO-oriented content farms for days, but at the end of the day, I think it's just sad that we need to learn how SEO works to discern SEO content from "real" content. But again, I have no idea on how to design an algorithm that cannot be exploited this way. As long as the algorithm has any slight trace of stability, someone somewhere will eventually start to exploit it for their own benefit. Maybe this is the price we have to pay to live in the information age, or maybe there is a way -- it's just that we are too busy with our own benefits to find out.

2022-04-26 Introduction

I have had multiple blogs at different points in time, but every time they seem to end up being neglected, torn down and rebuilt eventually, just to repeat the same cycle again. One of the reason is that a "proper" blog post takes so much effort to write -- from coming up with the idea, to deciding what type of article to write, to laying out the post, to writing and proof-reading. Even though I slowly relaxed my standards of writing in order to make better use of my blogs, it still feels kind of "wrong" to write haphazardly on my main blog. I still want my actual blog posts to be laid out properly and free of stupid errors, at the very least.

Although, in a lot of cases, I am simply not motivated enough to turn an idea into an actual blog post due to time constraints or a lack of "too much" interest in one topic. These ideas may never see the light of day on my blog, which is sad because a lot of topics deserve being talked about more. I could post them on my social media accounts, but sometimes the character limit is just too low to say anything of substance. On Mastodon, I can technically post however many words I want, but the reading experience of social media platforms is simply not designed for anything beyond around 100 words in length. Even if I don't want to spend too much time on one topic, 100 words is still too little for anything.

And, my friends, that is where this "short blog" format comes in. From now on, whenever I feel that I do not want to devote too much effort into a blog idea, but I would still like to say something about it, the post will likely end up here. Because this blog has a much lower "standard" than my main blog, there might be hot takes and stupid mistakes. Some of them may eventually turn into an actual blog post if healthy discussion happened and resulted in a change worth talking about in my original blog idea. But in any case, I expect this blog to be posted to way more often than the main blog.

The name, snowy.day, is sort of a complaint of the snowy Canadian winter. In such a winter, everything I could do as a wheelchair-bound person is to stay inside as much as possible. With the warmth of indoor heating and a blizzard outside, it sometimes makes just the right mood to write something down, like a friendly chit-chat across a dancing campfire while taking shelter from an ongoing storm. I do not necessarily love snow storms, but I do like writing and talking, and I will try to make this blog the best place for that when I do not cough have a real-life friend to talk to.

2022-04-25 Twitter

Woke up from a nap, and suddenly everyone is talking about Elon's acquisition of Twitter. And suddenly everyone is scrambling to migrate to the Fediverse (Mastodon, Misskey, Pleroma, etc.). I'm certainly not against the idea that more people should be using free and federated social platforms, but the reason they suddenly migrate seems not well-supported at best.

What I mean here is that Twitter was not, in any way, a better platform before this deal. I'm not even talking about what Elon Musk wants to do with Twitter here. I simply do not care -- what is the difference between one group of extremely wealthy individuals controlling a platform for public speech and another group / individual doing the same thing? Sure, the current moderation policy or whatever may agree with your specific political ideals more, but keep in mind that what they care about is not anything about you. They care about their returns on their investment. This equally applies to Elon Musk, as well. However much you believe he is going to "destroy" the platform, or, on the opposite side, "free" you from "woke" politics, remember that he does not care about you, or "open-sourcing" the algorithm, or even his proclaimed "freedom of speech".

The saddest thing to me is that for some reason, the online speech of the entire world is dependent upon one single company. To different groups of people, a change in the leadership of this company means the difference between night and day. This is not what the internet should be. However Elon Musk or any of the previous owners says about this deal, remember that all of them are trying to absorb everyone's content under the control of a single entity. This is what we should fight against, not the specific design, moderation policy, or political ideals of one single company that controls everything.