Start up: explaining XcodeGhost, Monument Valley goes VR, will Venice sink BlackBerry?, and more


What’s the common factor in iOS devices bricked by trying to update to iOS 9? Photo by marc falardeau on Flickr.


A selection of 10 links for you. Use them wisely. I’m charlesarthur on Twitter. Observations and links welcome.

Monument Valley’s creators just made a stunning VR game » WIRED

Liz Stinson:

Like most early VR games, Land’s End is in many ways an experiment designed to discover what does and doesn’t work in the medium. Ustwo’s Ken Wong, Peter Pashley and Dan Gray spent more than a year developing the game, with many stops and starts and do-overs along the way. “It took a long long time to reinvent all these fundamental things about how you move around a world and how you interact,” says Wong.

Things like navigation took some toying with. “We spent a lot of time trying to figure out the best way to let people move around these worlds in a way that felt kind of almost subconscious,” says Pashley. You make your way through the levels by glancing at “lookpoints,” shimmering spheres of light that burst open and propel you forward when you look at them. The motion is slow and controlled; it feels almost like a moving sidewalk at the airport.

This looks terrific. Presently for Samsung Gear VR + Oculus only. I’d happily buy the soundtrack.


BlackBerry Venice » YouTube

A pretty much full-size touchscreen Android phone sort of running some sort of BlackBerry software. With a big keyboard that slides out from below. See for yourself.

Notice that he never actually tries to type anything. This may be significant: the top end of the phone would have to be very light to stop it overbalancing.

I wonder (with @charlesknight) whether this is John Chen’s last attempt at hardware; if this flops – which seems pretty likely – there’s little point carrying on. In a few quarters, BlackBerry should have swallowed Good Technology completely and can live on software and services revenues, which are much more profitable.


What you need to know about iOS malware XcodeGhost » Mac Rumors

The story so far (which I did notice over the weekend; I apologise for not including it in Monday’s Start Up): impatient iOS developers in China downloaded hacked copies of Xcode from Baidu servers because the ones from Apple came over slow-as-snails links from the US. The hacked copies contained malware libraries that were included by default in any apps developed with them. The apps got through Apple’s approval process – and were then noticed by Palo Alto Networks, which itself noticed it on Weibo after analysis by Alibaba researchers.

Q How does XcodeGhost put my iOS devices at risk?
iOS apps infected with XcodeGhost malware can and do collect information about devices and then encrypt and upload that data to command and control (C2) servers run by attackers through the HTTP protocol. The system and app information that can be collected includes:

• Current time
• Current infected app’s name
• The app’s bundle identifier
• Current device’s name and type
• Current system’s language and country
• Current device’s UUID
• Network type

Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:

• Prompt a fake alert dialog to phish user credentials
• Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps
• Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool

Q Can XcodeGhost affect users outside of China?
Yes. Some of the iOS apps infected with XcodeGhost malware are available on the App Store in countries outside of China. CamCard, for example, is a popular business card reader and scanner app available in the United States and several other countries, while WeChat is a popular messaging app in the Asia-Pacific region.

Q Why would some Chinese developers download Xcode from Baidu?
Xcode is a large file that can take a long time to download from Apple’s servers in China, leading some developers to download Xcode from unofficial sources.

Q How are Apple and Chinese developers dealing with XcodeGhost?
Palo Alto Networks claims that it is cooperating with Apple on the issue, while multiple developers have updated their apps to remove the malware.

There’s a list of affected apps.

This is a significant attack, but it’s also a remarkably hard one to do more than once. I suspect the next attack will involve some sort of man-in-the-middle on security certificates that Apple will surely enforce on Xcode downloads.

Rich Mogull has a great writeup in which he says it’s about the economics of security:

Apple doesn’t believe all attacks can be stopped, and certainly not those from governments or well-funded criminal organizations, but if you make the cost of attack higher than the benefits, you knock out entire categories of bad guys and reduce the impact on users.



French regulator rejects Google appeal on scope of ‘right to be forgotten’ » WSJ

Sam Schechner:

France’s Commission Nationale de l’Informatique et des Libertés, or CNIL, said that Google must now adhere to a formal order in May directing it to apply Europe’s right to be forgotten to “all domain names” of the search engine, including google.com—or face possible sanctions proceedings.

Established just over a year ago by the European Union’s Court of Justice, the right to be forgotten gives European residents the ability to request that search engines remove links that appear in searches for their own name. Google has applied the ruling, but insisted on only removing results from European domain names, such as google.fr, not from google.com.

Google on Monday reiterated that it doesn’t believe the French regulator has the authority to expand the scope of the rule. “As a matter of principle we respectfully disagree with the idea that one national data protection authority can assert global authority to control the content that people can access around the world,” a spokesman said.

Ever so tricky. The US has claimed jurisdiction over sites that are hosted and authored elsewhere in the world that use the “.com” suffix; is that the same?

One suspects that Google will – if it loses in any appeal – work around this by offering filtered content to any IP address identified as being in France, just as it does to identify who to serve .fr content to.


Apple iPhones, iPads BRICKED by iOS 9’s ‘slide-to-upgrade’ bug » The Register

Shaun Nichols:

Reg reader Carlton told us today: “I have just updated my iPad to iOS 9 and found to my horror that once it has ‘successfully’ installed and then gone through the initial setup phase, I cannot progress past the second request to ‘slide to upgrade’ page.

“The setup order is ‘passcode’ – ‘slide to upgrade’ – ‘select Wi-Fi’ – ‘slide to upgrade’ at which point no further actions are possible.”

He was eventually able to upgrade his device to the new iOS using Apple’s suggested clean install procedure, though he said it took multiple attempts to accomplish.

Other fans reported similar problems when they tried to get the latest and greatest version of iOS on their iPads, iPhones and iPod Touch players.

While the issue appeared to be largely relegated to devices running iOS 7 skipping over to iOS 9, Apple would not confirm if that was in fact the case. No word yet on when a fix for the bug will be released.

Apple already has its hands full patching flaws with its firmware updates.

Commenters seem to concur: works fine if you’re just going from iOS 8, kills the device if you’re trying to skip upwards from iOS 7. An Apple support note says “This will be resolved soon in an upcoming iOS update”. Let’s see. (Meanwhile, Apple said in an aside in its press release about the release on Friday of the new iPhone that 50% of devices contacting the App Store as of September 19 were using iOS 9. In less than a week?!)


How to record a phone call on your iPhone – no additional kit or apps required » BBC College of Journalism

Marc Settle discovered (via Mashable) a terrific way to record a call:

A statement is never as good as an interview, which is where the ‘advanced’ function comes in, even if it needs a little willingness from your guest.

Call them from your iPhone and explain what you plan to do. Press ‘add call’ and then call the phone number you’re ringing them from. Yes, you did read that correctly: you need to call your own number from your own phone. As you’re on the phone, your answerphone will kick in. At this point tap ‘merge calls’: you and your interviewee will now be recording your conversation on your answerphone. End the call and then proceed as above to access the recording.

This reminds me of the “huh??” method that used to exist for running (old, old) pre-OSX Macs entirely from RAM, no disk access required, which meant gigantic battery life: you loaded a minimal OS, and then dragged your hard drive into the Trash. Honest. You just had to remember not to empty it.


Why we need a competition inquiry into the UK broadband market » TalkTalk Blog

Dido Harding, TalkTalk chief executive:

Over 500 telecoms companies exist in the UK, but most depend on a shared set of wires that connect individual homes to our networks. When BT was privatised, it was allowed to keep control of this network on behalf of the whole industry, and it is managed today by Openreach, a BT company. It’s like one gas supplier owning the national grid, or one airline owning Heathrow.

Unfortunately, that system isn’t working because BT has used its sole control over the network to its advantage, rather than to benefit the network or customers. Openreach makes a lot of money, but it hasn’t invested enough in maintaining the network, leaving customers suffering from poor quality of service and facing long waits to repair faults or install new lines. It allows BT to abuse its control to restrict choice for customers. It also makes it harder for the regulator to enforce the rules and be a powerful consumer champion. Put simply, it’s a tired model not fit for a superfast future.

Openreach is TalkTalk’s biggest supplier; we couldn’t operate as a business without it. So naturally, I’ve got a vested interest in this debate. But what matters about today’s letter is the breadth of the coalition calling for change. It includes some of the biggest companies in the industry who have tried – and failed – for years to improve the system, as well as smaller players battling to bring innovation and choice to the market, but let down by Openreach.

Agree. Where do I sign up too?


600 ad companies blacklist The Pirate Bay » Music Week

Coral Williamson:

The Pirate Bay has been blacklisted by more than 600 advertisers.

The blacklist, comprising 10 sites so far, is the result of a partnership between anti-piracy group Rights Alliance and Swedish Advertisers, an association of advertisers with more than 600 member companies.

Swedish Advertisers has published a list of recommendations designed to keep advertisers away from unlicensed sites, including observing good ethics, avoiding advertising contracts that include bulk sales, and considering where ads are ultimately placed.

OK, I have to ask. Is it unethical to use adblockers on torrent sites?


The number of people using search engines is in decline » Business Insider

Lara O’Reilly:

Search is facing a huge challenge. The paid search business was built on a desktop browser model. And consumers are increasingly shifting to mobile. On mobile, consumers say they just don’t search as much as they used to because they have apps that cater to their specific needs. They might still perform searches within those apps, but they’re not doing as many searches on traditional search engines (although Google, Bing, and so on do power some in-app search engines.)

It sounds obvious, but there’s new data to show it’s a trend that’s really happening. And it could have a severe impact on Google’s (and Bing, and Yahoo’s) core search business. Indeed, data from eMarketer shows search ad spend growth is set to decline from 2014 through to 2019.

Speaking at digital trade show Dmexco in Cologne earlier this week, global communications agency ZenithOptimedia’s chief digital officer Stefan Bardega and research company GlobalWebIndex’s head of trends Jason Mander gave a mobile trends presentation. It was the slides on search that made the audience really sit up and start taking notes and photos.

And it’s this:

App usage and voice search both contribute too. How do you sell an ad beside a voice search?


Advertising is unwanted, day 2 » Scripting News

Dave Winer, in a followup to a post of a day earlier, suggesting news orgs need to find new ways to bring their readers together:

Here’s an idea for a geography-based news org (i.e. a newspaper) – give readers a place to talk about movies, and then sponsor movie nights based on their interests. Encourage people to provide lists of their favorite movies and do some collaborative filtering. Then collate the reviews and present them alongside your professional reviewer’s post. Work with the movie industry. It can have incredible promotional value, for the movie, the theater, you, the whole idea of going to the movies (as opposed to watching on your home TV, phone or tablet). What’s great for your community is they get to meet people who like the same kinds of movies they do. And you get to know who they are! It’s such a huge, easy win, all-around. That more local news orgs haven’t done it tells you how stuck in old print models we still are. This is an example of a kind of idea that really can only blossom online.

Creating community is a great idea. But what if the community lives all over the world? How does this physically-based idea work?

