Snowy Day with Peter

A place for posts too short for the blog and too long for social media, by Peter Cai. Mostly just unedited brain dump that I somehow thought I should publish. WARNING: May contain hot takes. Likely ill-formed / ill-supported ideas.

Why Write

When I restarted my blog (again) this year, I, like all the times I did before, had a resolution to start writing regularly -- probably not every single day, but maybe every other day, or at least once a week. And, also like all the previous attempts, my frequency of writing peaked around the moment when I first restarted the blog(s). Just look at the post frequency on this blog: I created this "shorts" blog around April 24, 2022, specifically so that I can "dump" some of my random ideas without worrying about structuring a full blog post. In the first 3 days after creation, I posted 3 times, while the next entire month, May, saw 5 posts in total. In June, I made only 3 posts, and this month, July, there was only one post at all before this one.

It is ironic that every time I stop writing for an extended period of time, it always seems like I have way more ideas for writing than what I could ever write. Every idea I ponder, every question I ask, or even every situation I get myself into, starts to look like missed writing opportunities. This is the reason I am so prone to fall into the cycle of starting a blog, abandoning the blog, and then restarting it again some time later. In the past, I thought that the reason for abandoning my blogs is a mental standard of writing that is set way too high, such that it imposes too much pressure on me when trying to write, so as to discourage myself from writing anything whatsoever. But as the situation of this blog has clearly shown, it is not the case, or at least not the sole reason why I fall into such a cycle.

Yet another case of over-confidence before learning how hard something really is. We as humans just tend to forget the real difficulty of doing something, even if it has been done before by ourselves. My "abundance" of writing ideas is definitely one example -- it is true that I tend to have a lot of random thoughts, but how many of them are actually worth, or even suitable for writing? Without trying to come up with an article for it, even just a "short" one like I have here on this secondary blog, it is simply not possible to tell. Thoughts that pop out in my mind are just that -- thoughts. There is no reasoning behind them, and there is no guarantee that they even make any sense at all. Other times, they do turn out to be reasonable ideas, but the reasoning stretches too far into my very personal background, which I may not be comfortable revealing. But without attempting to write them down, they always seem to be the best idea ever.

Maybe, after all, that is where the benefit of writing, or rather, the process of organizing thoughts into a feasible product as a post, ultimately lies. Through the process of writing, I gain insight into my very own mind, insight into which thoughts are purely impulse-driven "anger thoughts", which of them are distinctively "me", inseparable from who I am, and which of them are both well-supported and suitable for publishing. Of course, given these facts, not all of what I write will end up being published, but all that I did not publish does not just go to waste. Without the process of attempting to write them down, I would have never known how bad some of my takes were, or how naïve I could be as a person. That, and not just the product, should be the reason to keep me writing.

I am, of course, losing motivation on blogging after so many failed attempts of posting articles from my random thoughts, just like the many times I did before. But at least this time, I have something different. I have this secondary blog, where I can dump my less-completed posts and even just ideas. For all the drafts that never made it into either of my blogs, I now have a diary sub-folder in my Standard Notes workspace to archive them all. They serve as reminders of pitfalls I tend to slip into when my mind is wandering around, snapshots of who I am at the moment I created them, and, more importantly, reasons for carrying on with writing, even if no visible "products" are produced.

Disconnected

(Or: How to be totally unprepared for the worst)

On July 8, the past Friday, I woke up in the morning as usual, with the sun shining directly into my eyes. I let out a long yawn, blamed the sun, proceeded to check my phone, and realized that it had somehow lost the cell signal. Weird, I thought, at least I still have Wi-Fi -- but none of my chat apps showed any updates past around 4 am that morning. I opened my browser to check, only to be confronted with a connection failure message. As a first instinct, I thought that there must be something wrong with my router, or my Ethernet cable might have been pulled out for whatever reason. Too lazy to get up from my bed, I rebooted the router from the web interface on my phone and waited. When the router came back up, nothing changed. I then suspected that it was either the cable or the building's internet routing, thus I checked the DHCP status on my router, which showed up as online with an assigned local IP address.

At this point, I was still very confused, and had no idea of the absolute chaos I was in. I had to get up to do more checking, when I realized that one of my phones, which was using a roaming data plan from an eSIM provider, had signal. That one provider was able to roam on Bell, while all the other SIMs I had were on Rogers either natively or by roaming. This is when I started to realize maybe something was wrong with the carrier Rogers, but I still believed that the issue was probably local. However, I then tried to reach out to a few friends in Canada, and whether they live near or far from me, they all reported the same issue with their Rogers uplink.

It can't be a nation-wide Rogers outage, right? Such a large carrier cannot just go out at once across the entire country, right? Or so I thought. But typing in "Rogers outage" in Google resulted in dozens of news articles about an ongoing outage that started around 3 - 4 am that morning. That was when I started to realize how bad things were on that Friday. Though, I was still under the impression that such a critical failure cannot last for more than a few hours, but as time passed, there was no sign of a recovery, and it was soon time for lunch. But wait -- aren't the PoS machines at the restaurants and shops also usually connected with the Rogers network? If everything is down on Rogers, then those machines would likely not be working either.

If PoS stop working, then I could at least get some cash, but wait, the ATMs also operate on mobile networks, don't they? In fact, after a bit of digging around using my only backup data connection, it seems to be even worse: the entire Interac system, the inter-bank network that handles transactions between Canadian banks, runs exclusively on the Rogers network. Consequently, everything that goes through Interac, including debit card transactions and online money transfer (e-Transfer), was impossible when Rogers was completely down. This, of course, also includes all ATM transactions. In fact, even if Interac was still working, it would still be kind of problematic to access funds in banks, because many banks require 2FA based on SMS, which in turn is sent through the Rogers network. This happened to all of my bank / credit card accounts, except one which supports 2FA through email.

After a bit of searching, I managed to find a few CA$10 bills lying around somewhere below a bunch of miscellaneous items, and was able to grab a lunch outside. It turned out that some of the shops also still had a backup connection running, which could support transactions via non-Interac providers, such as Visa and Mastercard. But some of them were not so lucky, and some even had to close down for the entire day because of the inability to process payments or the over-dependence on internet-based services for ordering.

I was lucky that payment was basically the only somewhat major inconvenience the outage has caused me. I was lucky that I had a bit of cash lying around, which allowed me to grab a lunch and purchase a bit of grocery items on the way back. I was lucky that I had a backup data plan, which enabled me not to be completely radio silent during that day. I was lucky that I had no emergencies that required a call to 911, whose service was also spotty due to the nonfunctional cell towers. We were lucky that it was only Rogers who had issues on that day, and the other carriers did not end up crumbling under the drastically increased load as one other big carrier broke down. But others are not so lucky, and if this happens for a second time, I cannot guarantee that I would still be this lucky.

Rogers was mostly brought back online by the end of that day in my area. However, with a series of bad luck, things much worse than this could have happened. Imagine if one more carrier succumbed to the increased load, or the outage lasted much longer with the cell towers completely nonfunctional, or that this was caused by a natural disaster rather than human error. Even though I did not have a lot of inconvenience to speak of, this still made me realize how unprepared I was for this kind of event. How could I have only so little cash available at hand? How could I have only one working backup data plan (note: these are actually kind of cheap due to them being roaming eSIMs)? How could I not have enough groceries at home to last a few days? And how could I not have any backup communication plans other than the internet?

I'll have to be way better prepared even if this will never happen again.

Recent Updates 06/30

The past two weeks or so have been a little bit hectic for me, and that's part of the reason why I have not updated this blog in a while. In the meantime, I thought it would be appropriate for this semi-diary formatted blog to have some sort of a miscellaneous update on what has been happening to me recently. This would not be a short post, but due to its miscellaneous nature, I felt that it belongs to this blog more than the main one.

Of course, school has been the majority of what I am doing. Research, teaching assistant work, and so on. Two weeks ago, I actually had a bit of a panic attack with regard to the research topic I was doing in the hope that it could become my thesis -- it was not going well at that point, and I was really scared that I might have to throw everything out and start over. Later I had a talk with my supervisor, and by changing the goal a little bit, it seemed again that this project could end up with something good -- and I really, really hope that I could graduate on time next year with this project as my thesis. On the other hand, because it is near the middle of the current Spring term, the course I am TA-ing this term had a mid-term exam, which I (with a bunch of other TAs) had to mark and release the grades. It was somewhat of a pain due to me forgetting a lot of what I really should know and have learned during my own undergrad years. Nevertheless, I managed to refresh my own memory on the spot and finish the marking (hopefully I have not messed up).

In other news, I have had the absolute pleasure of dealing with wheelchair providers for the first time in Canada due to an unexpected puncture in one of the tires on my wheelchair. I was, and I am not joking, in a panic when I realized the presence of the puncture, because now my entire chair was slanted towards the flat one and it was extremely uncomfortable, and, frankly, kind of dangerous to go anywhere on. It was on a weekend, so I had to wait until Monday, but that was not the issue. On Monday, I called up a wheelchair repair shop in my area, and got notified that they do not even fix punctured tires or replace inner tubes at all, and they wanted me to provide the exact manufacturer, model, and style of that wheel on the wheelchair so that they could source a wheel and replace the original one for me. They did not tell me how long it would take, but from the looks of it, I would assume minimum a week or so for the sourced wheel to even arrive at all, for which I don't have the leisure of waiting since I have to rely on the single wheelchair I currently have.

What I ended up doing is just showing up to a bike shop and asking them if they could attempt to patch it up, since the tire is basically a smaller bike tire (similar in size to a kid's bike tire). They agreed, and promptly fixed it for free -- yes, they did not even ask for me to pay for the patch they used. Turns out, the puncture was so small that we had a hard time even finding where it was, and we had to drop it in some water to rely on bubbles to locate the hole. This only made dealing with the wheelchair store seem more ridiculous -- I really cannot imagine waiting for weeks to replace (and pay for) an entire wheel, when it can simply be fixed with one patch on the inner tube.

That was a bit of a bad luck for me, but it also prompted me to really look into the possibility of driving an adapted vehicle, because if my wheelchair broke in a more catastrophic way, say, the motors broke, and the only place I could fix it in is somewhat far away (because wheelchair stores are far from being everywhere), then I will be kind of stranded without something like a car. Well, I had already started looking into adaptive driving before the incident, but that only made me want to get it figured out soon. I was looking around online for rules and procedures, but they are somewhat confusing and often conflicting with each other. After the incident, I decided that I should just call the Ministry of Transportation and ask them to clarify the procedure to me, which they did promptly. Apparently, I should just go and get the written test done first, and they will provide information on the next steps to me after that.

Those are the major updates I would like to talk about, but a bunch of other minor events also did happen. Right after the last blog post here, I made up my mind to finally debug and figure out why AOSP kept locking up on my new Xperia device -- it was a deadlock in the Android framework, which somehow did not happen on any other device I had but this one. Maybe it was the scheduler doing something funny. But anyway, I had it fixed and submitted the patch to AOSP, which is now waiting to be merged. Later, I almost got involved in a drama between some open-source projects and developers, but as I didn't have a Twitter account, and I really did not see the point of it, I refrained from saying anything public about it -- which I still see as the right decision. I have been on the Internet long enough to realize that this kind of drama never really results in anything helpful. The eSIM manager project I was working on is now a bit stalled due to everything that has been happening, but hopefully I should be able to get back to it somewhat soon-ish.

On the topic of blogging, I have been losing interest, again, in writing blogs, possibly due to the hectic past two weeks, but more likely due to the general trend of me giving up on things quickly after a while of obsession. I, however, knowing what has happened to my previous blogs, do still want to keep writing and keep my current two blogs alive. I have been forcing myself to keep writing diary entries regularly, so that when I finally decide to produce a blog post, I would have something to refer to. I am somewhat forgetful, so having an archive of my own memory would also be very helpful. Let's hope that I could keep this going for a long while.

Right to Repair and Software Freedom

Recently, the right to repair movement has been gaining a lot of momentum around the world, which I absolutely support and am extremely happy to see. But as people are cheering over the passage of some of the pro-right to repair regulations, I cannot help but fear that all of this would end up stopping short of its actual full promise of "owning what you own" and reducing planned obsolescence. In my mind, to achieve its goal in its fullest form, the right to repair is not at all separable from having fully functional free software, or at least open-source and user modifiable software, running on most of our devices.

The problem with right to repair without FOSS software is very simple, at least to me -- it does not address modern products in their fullest forms. Sure, the phones, computers, or cars you buy today are still made from mostly the same physical materials they used to be made of 20 years ago. But the software side of these devices has evolved a lot, by that I mean, a real LOT, in recent years. Nowadays, basically everything is running a full-fledged computer operating system kernel, like Linux or Darwin, with some maybe even containing multiple OS kernel-capable chips, like the Apple T2 security chips. The nature of modern software and the internet means constant maintenance is needed for basically everything for security except fringe cases where the device is intended to operate fully offline and isolated from wireless communication.

Requiring manufacturers to provide spare parts and repair manuals only fixes one side of the problem. As a simple example, even if you can physically fix your phone, if it has an insecure piece of unmaintained software as its only available operating system infested with bloatware that has been discontinued years ago or even outright malware, it would still not be very useful past its originally intended obsolescence date. Sure, one could introduce legislation to force manufacturers to provide software support, and by software support I mean real updates, for at least a certain duration, but that, aside from potentially increasing the cost of consumer devices, ignores the fact that the manufacturer can obsolete your phone without even officially discontinuing software support -- a nonfree operating system can do arbitrary things to old devices, such as intentionally slowing them down, without having to publicly admit to anything. Lawmakers could absolutely make this illegal as they like, but in practice it would be very hard to prove such practices, let alone sue the multi-billion-dollar corporations.

Without owning the software, you still do not actually own your device. This unfortunately is still very much the case nowadays, even on Android, where you are supposed to have more options for customization. There are the TEE blackbox, the secure elements, and even a full-fledged hypervisor on Qualcomm platforms. Such non-free software quickly becomes antiquated and even dangerous in the ever-changing security landscape. Without access to the source code and the ability to run your own version of such code, even the best you can do will be very limited. As an example, even though LineageOS provides after-market support for new Android versions on very old phones, such a port still runs very much upon the same old binary blobs that were extracted from the device years ago. However much effort they put in fixing the OSS-side bugs, whatever is in those binaries stays the same forever, since they are out of official support.

And that, my friend, is why I think the next step of right to repair movements should be software freedom. To be clear, even the most basic forms of right to repair are not yet a reality, so I do not expect anyone to actually pursue it as the next step any time soon. Nevertheless, it is always good to keep in mind what we as users and consumers actually want, and what we ultimately want to take back from the billion-dollar corporations.

Attention Span

I've always wondered whether my attention span is normal. Like, probably since my high school years. Right before I entered high school, I first became interested, and more importantly, engaged, in the Android community, both as an open-source app developer and a third-party ROM developer, which was basically my introduction into the world of systems and mobile development. That interest of course carried over into high school, where the course workload was significantly higher than before. This was the reason why I started noticing maybe my attention span is not as long as others -- I simply could not, say, do my homework, in one go without being distracted onto other tasks. And that distraction is often programming and developing for my Android phone, but again, as interesting as it was to me at that time, I could not keep doing it for longer than half an hour or so at a time. The pattern that I end up falling into is basically interlacing everything I had to do -- 10 - 20 minutes of homework, then 10 - 20 minutes of coding, and then doing nothing or goofing around in a few chat groups, etc.

This was not a problem for me, because although I might be a bit slower than others, I still got all of my tasks done, for both my study and development. However, context-switching between tasks so frequently does cause some issues for me, such as being confused about what I was doing just 20 minutes ago, or forgetting very important things that need to be done after switching to another task and back. As time went on, I continued doing the exact same sort of "multiplexing" throughout my undergraduate study. Because the CS undergraduate curriculum was not exactly hard for me with such a background, this was even less of an issue, and I basically stopped even worrying about any of it as I went through 4 years of being an undergraduate student.

Things got worse nearing and after graduation, when most of the course workload came to an end. I opted for a gap year before going to graduate study -- not exactly a great choice, as COVID came right after that, but that was the best choice I could have made nevertheless. As there was nothing better to do, I decided I should spend the time on my own personal projects, but then quickly realized that I was simply not able to keep working on the same project without being distracted. This manifests in two ways, actually: firstly, on a short time scale, I could not keep developing code without being distracted by a YouTube video, and then start to wander around on Reddit or in a Wikipedia / Google rabbit hole, completely forgetting what I was supposed to do; on a slightly longer time scale, I quickly lose interest in projects I started myself, even though I was full of passion when I started said project. Throughout that year, I had five or more "things" to work on, none of which actually came to any sort of completion.

Going into graduate school did not help in this regard. In fact, the same thing is happening right now, both with my open source projects and with my actual study. For the first part, I am still doing the same interlacing while doing basically anything -- in fact, I am stopping to write this article as I am trying to finish a Minecraft YouTube video. It has gotten even worse, I think, because now I could not even watch an episode of anime without pausing a lot in the middle, not being able to hold back the urge to check or do something else. On the other hand, my projects have not been going exactly well. I was to play with PinePhone Pro earlier this year, with the intention to contribute something, but then it has just been sitting there collecting dust after an initial week of obsession. I started the OpenEUICC project quite recently, but now I am already losing the motivation to work on it. Same with my research, which I proposed to my supervisor with a lot of passion, and now the progress has become very slow.

Is this necessarily a bad thing overall? Maybe not, because actually, a lot of my projects were started while I was distracted or unmotivated from another one, and many of these have been at least somewhat influential in my circle. It is a problem, though, when I need to get something done quickly. But throughout the years, I have learned to cope with it, as otherwise I would not be able to manage to do a lot of things. For example, I'd always start working on something long before the deadline, knowing that I will be distracted in the process and calculating that into the time I need for said task. I also learned to remember what my main task for the time is, even if I get distracted to something else. As curious as I could be sometimes about whether this is normal, I do not really feel the need to completely change how I behave, since it does actually help sometimes. It is just among the things I wonder from time to time that all boil down to the same topic -- am I the weird one?

2022-05-24 Web Applications

The web should be allowed to be way more capable than it is right now. Seriously. I know a lot of people who grumble about how the web today is way more capable than it should be and that creates a lot of privacy or security issues from overly capable web applications, but I just fail to see a convincing argument on why it is the case. On the contrary, I am pretty sure that the popularity of web applications actually reduces the attack surface of average home PCs and the fact that web applications today can replace many or even most of native applications is a net plus to security.

My core observation leading to the conclusion above is that on the web, applications (sites) are untrusted by default. Aside from cases where browsers may grant special privileges to sites owned by their makers, web applications have only access to their own little sandbox created by the browser, isolated by at least virtual machines and process sandboxes. Anything not available through JavaScript or WebAssembly APIs is simply impossible to access by an application except through direct or side-channel security vulnerabilities. Even in the case where something outside the sandbox is specifically made available, such access almost always requires explicit user interaction to proceed. For example, in the case of file system access, the user must be prompted with a dialog to grant access to specific files / directories before they are read and passed through to the web application. Compare this to a hypothetical native application running on a traditional operating system, such as Windows or desktop Linux, which can basically access anything owned under the same user account, it is not hard to see that your typical native applications are just a security (and privacy) nightmare.

Can native applications be sandboxed? Sure, and there are countless solutions to do exactly that. However, because the base assumption of most desktop platforms is that all applications are trusted by default, it is very hard to properly sandbox desktop applications without breaking at least some functionalities. A proper sandbox requires the application itself to be aware of the fact that its access is limited, and ask for permissions to be granted by user interaction when needed. This would necessitate a complete redesign of the platform -- for example, Android, although based on Linux, enforces a sandbox on all of its applications. But, surprise-surprise, we already have such a new redesigned platform -- it is called the web. Web applications were originally very, very limited and can basically only serve information instead of providing any useful functionality. Nowadays, through the addition of APIs that grant more permissions based on user interaction, many native applications no longer even need to exist. We have more code running in limited sandboxes today than we used to do.

Will adding new capabilities to web applications open up possibilities for more attacks? Definitely. However, even in the worst cases, the attack surface of a web-based application is still dozens of times smaller than an equivalent native desktop application. When we think about extending the capabilities of the web, we need to keep in mind that they have to be compared with their equivalent desktop counterparts, instead of with their past selves, because of course a simple plaintext web page is way, way more secure than a modern web application, but that comparison is not useful, to put it nicely. It is like comparing a modern internet-connected PC to the first mechanical computers that cracked Enigma -- of course ours have more security vulnerabilities. What we do by enabling the web to replace native applications is not making the web insecure, but rather, replacing insecure native components with more secure web counterparts. Of course, this is all under the assumption that newly developed web APIs adhere to the same sandboxing and security standards as before.

In a perfect world, all applications should be free software, with source openly available and properly audited periodically for potential vulnerabilities. In this case, having an intermediate layer called the web may only be a waste of resources. But we do not live in such a perfect world. There are proprietary applications we have to use on a daily basis, for example, your banking account, and it is not like everyone can really live like Richard Stallman who does not even carry a mobile phone. Proper sandboxing is the way to go when a strict free software-only policy is not possible, and for that, I will stand for the web.

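2022-05-17 First Love

So many people cherish the memory of their first love for their entire lives, believing that first love is the purest and best kind of romance, so much so that countless comics and films take first love as their theme. Yet I have never understood what is supposed to be so good about first love -- perhaps because I have never experienced a real, mutual first love.

As I remember it, as a boy, the "liking" that sprouted during my secondary school years was nothing more than the sexual desire of puberty. To put it bluntly, this is called being "in heat", not having a "secret crush". Of course, the reason may be that I was not very popular back then, which meant I did not interact much with the opposite sex. The girls I "liked" were often simply good-looking, or rather, had the looks of the stereotypical cute girl; and often I had not even spoken a single sentence to the person I claimed to "like", not even so much as a chance bit of small talk. I can come up with ten thousand reasons to excuse my "social anxiety", but the fact is that I never really thought of the other person as someone to date; at most, I treated them as an object of fantasy. Can this kind of so-called "first love" be called "pure" or "beautiful"? All I can think of are adjectives pointing in the opposite direction.

One example: after graduating from high school and entering university, I once seriously tried to get to know the girl I had "liked" at the time (before graduating from high school). The result was not encouraging -- only after we started chatting often did I realize how large the gap between our worldviews and values was, to the point where even finding a common topic was difficult. I do not want to belittle anyone else's values -- quite the opposite, I think my own values at the time were childish and immature -- but the fact is that every one of our chats was an awkward one. Looking back through the chat history from that time now, I simply cannot suppress the urge to cringe. With no common topics, no common values, and no ability to carry on even a slightly deeper casual conversation, where would "liking" even come from? I often thought about this question in the middle of the night back then. I thought I liked this girl, but in reality I only liked her appearance, liked her looks, and had had this or that thought about her. That is not the definition of "liking" in my dictionary. I do not know the experiences of couples who dated in secondary school, but judging by the fact that most such couples (that I know) broke up the moment they graduated, I also very much doubt how much real "liking" there was between them; although being able to become an established couple at least means that such a relationship is not purely an expression of adolescent physical impulses. Of course, it may all just be that I have never had a real, mutual first love, and so this is merely sour grapes on my part.

It was not until my second year of university that I first met someone of the opposite sex who truly made me think of her as someone to date. I cannot deny that her looks were one of the important reasons she attracted me; but what really made me start to "like" her came after we had been talking regularly for a while. We did not have exactly the same hobbies -- after all, I am a very stereotypical science student, while she went down the path of design and art -- but each of us had a certain interest in the things the other liked. More importantly, we were both willing to share the trivia of our lives with each other, and to listen to each other's happy moments and setbacks. I knew that she would not like me back; I do have some self-awareness, and I knew that someone like me was not worthy of someone as outstanding as her. But meeting her made me realize what it means to "click" with someone, and what it means to "like" someone.

Some time later, like a textbook loser straight out of a manga, I confessed to her in the middle of the night over a certain IM. Unsurprisingly, I was rejected. Perhaps purely out of kindness, not wanting to hurt me too much, or perhaps because she too felt that although I could not be a partner, I could at least be a friend, we kept in fairly frequent contact after that, until after graduation. Even now, we still update each other on our recent lives once every (fairly long) while.

She was definitely not my first love, but the first unrequited love of mine that I will always clearly remember can only be this one, not the so-called "first love" of my secondary school years.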

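2022-05-15 A Reason to Live

Around this time a year ago, an acquaintance of mine left this world due to illness. She was someone I only knew online, but for a shut-in like me, she was one of my important friends. She was thought of as someone who was usually in frail health, but nobody expected that something like this would happen so suddenly. For someone my own age whom I talked to on ordinary days to suddenly never wake up again -- that was a first for me.

It was sudden, but at the time I was busy with all sorts of preparations for studying abroad in Canada, so I did not feel much sadness. Probably, I simply did not have the mental capacity to process the sadness, so I just avoided thinking about it. Still, I could not escape the fact that I had one friend fewer, and somewhere in my heart there was an emptiness. Now, a year later, having settled down in Canada, I remember her and am overwhelmed by an incredibly strong sadness. It is as if the sadness I did not feel back then has also come all at once.

Has it already been a year? Thinking that, I sank deep into thought for the first time in a long while. If tomorrow I, too, failed to wake up like her, what would happen among my friends and relatives? Would I be remembered as a wonderful person, or would only unpleasant memories remain? And a year later, would there be someone who writes a piece like this one in memory of me, or would I be forgotten within a year?

I also thought about clichéd questions like "what am I living for?" Ideals, dreams -- if you die before they come true, they all come to nothing. If those were the reason to live, then the life of the girl who departed a year ago would have been in vain too. But I believe that her life was by no means in vain. Even though she herself is gone, the days when she was here still live vividly in our memories. She made everyone laugh, comforted them, and built up their confidence; there were countless such memories. I do not know the details, but I think there must also be people who were saved by someone as kind as her. All of this is surely the proof that she lived.

"Proof of having lived", huh. I have gone and written a phrase straight out of a manga. But what is the proof that I lived? I am not kind, I am bad at comforting people, and there may be more memories of me hurting people than happy ones. More than that, whatever "proof of having lived" one leaves behind, the day will surely come when it fades away. The proof that she lived remains in our memories now, but we are not immortal either and will one day depart from this world. When that happens, the "proof of having lived" left in this world will gradually disappear too. So does whether her life was not in vain also last only as long as we live? Of course, if one becomes famous, the "proof of having lived" can remain many times longer than this. But even books and cultures can perish. Such proof is not eternal either.

After thinking about all sorts of things, I could not reach any conclusion at all. Whatever ideal, dream, or "proof of having lived" one chases, it will surely come to nothing someday. Living was never one's own choice to begin with, so it probably has no particular meaning in itself. Attaching meaning to life is nothing but a delusion of humankind.

Since I am afraid of dying anyway, I guess I will just keep on living for now. Sooner or later, the day will come when I meet her again.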

2022-05-08 eSIM, and the Sad State of AOSP

The current state of AOSP (Android Open-Source Project) is sad. Or rather, sad from a user / third-party developer perspective. I'm sure this same opinion has been reiterated a million times across the Internet, but my recent endeavor with eSIM only proved this point even more.

For the longest time, I thought eSIM was a huge threat to user freedom on Android devices, because I believed all of them had proprietary interfaces that can only be operated through a proprietary vendor app, which often depends on Google services. On Pixel devices (and a few from other vendors), this is the EuiccGoogle app, which is part of the GMS stack. As a result, I became increasingly worried about the future of mobile devices, as carriers move to eSIM or even eSIM-only models, and I can't say I haven't put the blame on GSMA, the GSM Association, at least mentally.

Turns out, this worry is completely unnecessary, or at least not warranted for the reason I started with. The GSMA publishes the complete standard for consumer profile eUICC (eSIM) chips, GSMA SGP.22, which includes a full specification of the protocol to communicate with said chips and the protocol to download new eSIM profiles over the internet from carriers. At first, I did not believe that this standard was actually followed, and I thought there must be some proprietary stuff on every single one of these chips preventing an open-source implementation of an eSIM management app. However, from my attempt to dig into the internals of the eSIM.me app, I discovered an open-source library from Truphone, which claims to implement the ES9+ and ES10x protocols to communicate with both eUICC chips and carriers' servers (RSP servers).

I, of course, did not believe this would actually work for eUICC chips embedded in consumer devices. However, because I knew phhusson has an interest in SIMs, I pinged him anyway for this discovery, saying that if this is what eSIM.me used, it might work for other eUICC chips, but I wasn't too motivated to put a lot more time into it. He, though, was excited. The very same night, he seemed to have stayed up very late to play with this library, and told me that it worked on his Samsung devices to successfully provision new eSIM profiles. I saw his message the next day, and immediately became intrigued. I pulled out my dust-collecting Pixel 4a, and tested phhusson's proof-of-concept, and confirmed that the library was able to communicate with the eUICC chip on my Pixel as well.

What prevents me from just making an open-source version of EuiccGoogle, then? I thought. At that point, I already realized that it is totally possible to make an open-source eSIM Local Profile Assistant (LPA) app that replaces EuiccGoogle. As I had some free time that day, I figured there was no better time to start the OpenEUICC project. I was able to finish a basic UI that day, and was able to manage and provision eSIM profiles on my Pixel 4a from my open-source app. I later decided to make it a full LPA implementation by integrating with the system EuiccService API, which is still an ongoing effort.

Why does AOSP not include an eUICC management app, then, as it seems that there is nothing proprietary about the management API / protocol itself? I don't know. One of the reasons could be the need for proprietary firmware updates, but that is not really different from any other hardware that needs firmware, and I don't think it is a valid reason to keep the entire app closed-source only. Not to mention that EuiccGoogle does not even handle firmware updates itself -- it is delegated to another device support app. The only reason I could think of is laziness and the lack of "importance" of the open-source Android community -- just look at the current state of AOSP in general. The AOSP Dialer, SMS, Calendar, and Clock apps are all stuck in their Android 6-era style. It is no wonder that nobody wants to introduce an entire new open-source component given that they do not even want to update the existing ones.

I would also like to make it clear that I do not want to put the blame on Google, or anyone else in the Android community. I could go on for days to talk about this, but at the end of the day, no single person or even company is responsible for this situation. All I want to say is that the current state is sad for an operating system that boasted openness and geek-friendliness, and I hope that my project, OpenEUICC, can contribute its tiny bit of help in alleviating this sadness.

2022-05-01 Two-step Login Pages

Nothing annoys me more than websites that force a two-step login flow. Seriously. Typical examples include Google, Microsoft, or most Big Tech companies -- when logging into their service, you have to first enter your account ID, and then wait for a (fake) progress bar to load, only after which can you start to enter your password.

I don't know what the principle behind such a design is. Maybe it is for security, by which I mean maybe they can go through some heuristics in the backend after you have only entered your account ID to decide whether to even let you try a password, reducing possible attack surface. But I seriously doubt how much information you can extract from just entering the account ID in the browser. Besides, a well-designed password authentication system should be resistant to brute-force attempts in the first place.

The reason I hate such a flow so much is that it breaks the flow of password manager usage. Normally, when a website allows you to enter both the account and password in the login page, there is just one click and maybe a master password prompt, and then you are done logging into that service. Not in this case. I have to bring up my password manager, find my account ID for said website, click next, wait, and then bring up the password manager again for the password. Under stricter security policies in the password manager, this would mean entering my master password or whatever credential twice for one login session. That is purely annoying.

I am fully aware that not everyone uses a password manager -- but more and more are adopting this arguably more secure option online, and it seems weird to me that so many services are still hostile to such solutions. Some websites and apps even disallow pasting into / invoking password manager plugins on the password field. But again, maybe I am just ignorant about all the benefits of doing two-step login pages, or maybe using password managers is just a false sense of security. If any reader knows a deeper reason why, I'd be happy to have a more detailed discussion, which may result in an actual blog post :)

2022-04-27 Contemporary Google-fu

Google-fu has been important since the dawn of the modern internet. Except nowadays, simply knowing how to search for answers is in no way enough. It could even be dangerous sometimes -- this article shows an example of how Google search results are filled with questionable health advice produced by marketing teams -- and without the ability to filter them out in your brain, it is very hard to extract anything useful from such searches.

It is not limited to just health-related queries. Even when I try to enter programming-related search terms, a large part of the result would be websites that do nothing other than copying content from legitimate websites like GitHub and StackOverflow, and somehow they rank higher among the results than the real deals. What's worse is that one wrong answer would echo through all of these copycats (or "content farms") to generate pages upon pages of nonsense. Granted, a wrong programming answer will probably not kill anyone, at least not immediately, but others can, such as the aforementioned health-related case. Imagine how many people have been robbed of their life savings or even their lives due to questionable search results.

What's the most infuriating for me is that Google made an attempt to make retrieving useful information from the atrocious search results easier by showing a "People also ask" for answers to related questions commonly asked, which sounds great as it saves a lot of manual filtering... But of course SEO people found their way again. From my anecdotal experience, most of the time, answers in this section do not even actually answer the given question at all, but rather they are filled with nothing but vague marketing speech -- just like the rest of the results.

I, of course, understand that all of this is due to SEO -- the only way for companies to gain visibility on search engines among millions of search results. But if useless and harmful information ends up benefiting the most from the algorithms, I would argue that the algorithms used in modern search engines are fundamentally flawed. When a metric becomes the target of optimization, it ceases being a good metric, and the search engines are no exception to this rule. I could talk shit on people who fall for these SEO-oriented content farms for days, but at the end of the day, I think it's just sad that we need to learn how SEO works to discern SEO content from "real" content. But again, I have no idea how to design an algorithm that cannot be exploited this way. As long as the algorithm has any slight trace of stability, someone somewhere will eventually start to exploit it for their own benefit. Maybe this is the price we have to pay to live in the information age, or maybe there is a way -- it's just that we are too busy with our own benefits to find out.

2022-04-26 Introduction

I have had multiple blogs at different points in time, but every time they seem to end up being neglected, torn down and rebuilt eventually, just to repeat the same cycle again. One of the reasons is that a "proper" blog post takes so much effort to write -- from coming up with the idea, to deciding what type of article to write, to laying out the post, to writing and proof-reading. Even though I slowly relaxed my standards of writing in order to make better use of my blogs, it still feels kind of "wrong" to write haphazardly on my main blog. I still want my actual blog posts to be laid out properly and free of stupid errors, at the very least.

Although, in a lot of cases, I am simply not motivated enough to turn an idea into an actual blog post due to time constraints or a lack of "too much" interest in one topic. These ideas may never see the light of day on my blog, which is sad because a lot of topics deserve being talked about more. I could post them on my social media accounts, but sometimes the character limit is just too low to say anything of substance. On Mastodon, I can technically post however many words I want, but the reading experience of social media platforms is simply not designed for anything beyond around 100 words in length. Even if I don't want to spend too much time on one topic, 100 words is still too little for anything.

And, my friends, that is where this "short blog" format comes in. From now on, whenever I feel that I do not want to devote too much effort into a blog idea, but I would still like to say something about it, the post will likely end up here. Because this blog has a much lower "standard" than my main blog, there might be hot takes and stupid mistakes. Some of them may eventually turn into an actual blog post if healthy discussion happened and resulted in a change worth talking about in my original blog idea. But in any case, I expect this blog to be posted to way more often than the main blog.

The name, snowy.day, is sort of a complaint of the snowy Canadian winter. In such a winter, everything I could do as a wheelchair-bound person is to stay inside as much as possible. With the warmth of indoor heating and a blizzard outside, it sometimes makes just the right mood to write something down, like a friendly chit-chat across a dancing campfire while taking shelter from an ongoing storm. I do not necessarily love snow storms, but I do like writing and talking, and I will try to make this blog the best place for that when I do not cough have a real-life friend to talk to.

2022-04-25 Twitter

Woke up from a nap, and suddenly everyone is talking about Elon's acquisition of Twitter. And suddenly everyone is scrambling to migrate to the Fediverse (Mastodon, Misskey, Pleroma, etc.). I'm certainly not against the idea that more people should be using free and federated social platforms, but the reason they suddenly migrate seems not well-supported at best.

What I mean here is that Twitter was not, in any way, a better platform before this deal. I'm not even talking about what Elon Musk wants to do with Twitter here. I simply do not care -- what is the difference between one group of extremely wealthy individuals controlling a platform for public speech and another group / individual doing the same thing? Sure, the current moderation policy or whatever may agree with your specific political ideals more, but keep in mind that what they care about is not anything about you. They care about their returns on their investment. This equally applies to Elon Musk, as well. However much you believe he is going to "destroy" the platform, or, on the opposite side, "free" you from "woke" politics, remember that he does not care about you, or "open-sourcing" the algorithm, or even his proclaimed "freedom of speech".

The saddest thing to me is that for some reason, the online speech of the entire world is dependent upon one single company. To different groups of people, a change in the leadership of this company means the difference between night and day. This is not what the internet should be. Whatever Elon Musk or any of the previous owners say about this deal, remember that all of them are trying to absorb everyone's content under the control of a single entity. This is what we should fight against, not the specific design, moderation policy, or political ideals of one single company that controls everything.