Start Up: catching the GIF-tweeter, hacking tractors, the 2038 problem, that laptop ban, and more

Looks good – OK, let’s go and DDOS somewhere. Photo by sunrisesoup on Flickr.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 12 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.

New Clips app hints at Apple’s augmented reality ambitions • FT

Tim Bradshaw:


Apple has launched a new app for adding filters and special effects to photos and videos that could act as a launch pad for its ambitions to become a significant player in the emerging field of augmented reality.

Clips, a free app, is only available on Apple’s iPhones and iPads. It is the latest example of how the smartphone camera has become a new battleground for tech companies, with Snap describing itself as a “camera company” and Google using artificial intelligence to enhance photos taken on its Pixel handset.

With its comic-book styles and playful animations such as speech bubbles, Clips’ simple editing tools recall Snapchat’s selfie “lenses”, Instagram’s filters and the artistic effects of Prisma, which manipulates photos so that they look as if they had been painted by Van Gogh or Picasso. Videos can be up to 60 minutes long, incorporating music from iTunes, emoji and captions automatically generated from a user’s voice.


Just me, or are people seeing AR in absolutely anything Apple does?
link to this extract

What’s attacking the web? A security camera in a Colorado laundromat • WSJ

Drew Fitzgerald:


While Bea Lowick’s customers were busy folding clothes last year, the security system at her Carbondale, Colo., laundromat was also hard at work.

Though she didn’t know it, Ms. Lowick’s Digital ID View video recorder was scanning the internet for places to spread a strain of malicious software called Mirai, a computer virus that took root in more than 600,000 devices last year.

Ms. Lowick, 59 years old, said she wasn’t aware the device was doing anything other than acting up. Her remote-viewing app kept disconnecting. She was able to reconnect it by restarting the digital video recorder.

“I would have to go in and unplug and plug in the DVR” to fix it, Ms. Lowick said, adding that she didn’t know that unwanted software was to blame…

…Bill Knapp, who installed the laundromat’s surveillance system, said he learned of the virus after being notified by a reporter.

“One of the hardest parts of this business is that everyone loses their passwords,” said Mr. Knapp, owner of Security Solutions LLC. When Ms. Lowick forgot her password, he said, Digital ID View would reset the DVR to its default password, “123456”—a weak but common option that opens the door to attackers. Compulan Center Inc., which does business as Digital ID View, said it was investigating the situation but didn’t believe its product was responsible for the problem.


link to this extract

FBI Complaint and Affidavit for Search Warrant, re: John Rivello in Kurt Eichenwald GIF-tweeting case • DocumentCloud

This is a scan of the document; you’ll have to read it. The perpetrator used a burner phone to create the account – but used his old SIM in it. And his SIM was associated with a smartphone…
link to this extract

Why American farmers are hacking their tractors with Ukrainian firmware • Motherboard

Jason Koebler:


A license agreement John Deere required farmers to sign in October forbids nearly all repair and modification to farming equipment, and prevents farmers from suing for “crop loss, lost profits, loss of goodwill, loss of use of equipment … arising from the performance or non-performance of any aspect of the software.” The agreement applies to anyone who turns the key or otherwise uses a John Deere tractor with embedded software. It means that only John Deere dealerships and “authorized” repair shops can work on newer tractors.

“If a farmer bought the tractor, he should be able to do whatever he wants with it,” Kevin Kenney, a farmer and right-to-repair advocate in Nebraska, told me. “You want to replace a transmission and you take it to an independent mechanic—he can put in the new transmission but the tractor can’t drive out of the shop. Deere charges $230, plus $130 an hour for a technician to drive out and plug a connector into their USB port to authorize the part.”

“What you’ve got is technicians running around here with cracked Ukrainian John Deere software that they bought off the black market,” he added.

Kenney and Kluthe have been pushing for right-to-repair legislation in Nebraska that would invalidate John Deere’s license agreement (seven other states are considering similar bills). In the meantime, farmers have started hacking their machines because even simple repairs are made impossible by the embedded software within the tractor. John Deere is one of the staunchest opponents of this legislation.


link to this extract

2038: only 21 years away

Jonathan Corbet:


Sometimes it seems that things have gone relatively quiet on the year-2038 front. But time keeps moving forward, and the point in early 2038 when 32-bit time_t values can no longer represent times correctly is now less than 21 years away. That may seem like a long time, but the relatively long life cycle of many embedded systems means that some systems deployed today will still be in service when that deadline hits. One of the developers leading the effort to address this problem is Arnd Bergmann; at Linaro Connect 2017 he gave an update on where that work stands.


And it’s cars that we’ll probably have to worry about, along with all the embedded systems put together a while back.
link to this extract
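To make the 32-bit time_t limit Corbet describes concrete, here is an added Python example (not from Corbet’s article or this post) that stores timestamps in a simulated signed 32-bit and 64-bit time_t and reads them back. The dates used are constructed around the boundary; the wrap logic reproduces the two’s-complement truncation a C assignment performs silently, and `fits_32bit_field` shows the separate failure a fixed-width on-disk or wire field hits.

```python
"""Added example, not part of the original post: how a signed 32-bit time_t
behaves at the 2038 boundary compared with a 64-bit one."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def wrap_signed(value, bits):
    """Store `value` in a signed two's-complement integer of `bits` width and
    read it back, reproducing the silent truncation a C assignment performs."""
    mask = (1 << bits) - 1
    stored = value & mask
    if stored >= 1 << (bits - 1):  # sign bit set: negative in two's complement
        stored -= 1 << bits
    return stored


def iso_to_seconds(iso):
    """ISO-8601 timestamp (e.g. '2038-01-19T03:14:07+00:00') -> seconds since epoch.
    Naive timestamps are treated as UTC."""
    dt = datetime.fromisoformat(iso)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int((dt - EPOCH).total_seconds())


def seconds_to_iso(seconds):
    return (EPOCH + timedelta(seconds=seconds)).isoformat()


def last_representable(bits=32):
    """Largest instant a signed time_t of this width can hold."""
    return seconds_to_iso((1 << (bits - 1)) - 1)


def round_trip(iso, bits=32):
    """Store a timestamp in a time_t of `bits` width, then read it back as a date.
    Past the limit a 32-bit field wraps to December 1901 instead of failing loudly,
    which is why a device that is still in service then misbehaves rather than stops."""
    return seconds_to_iso(wrap_signed(iso_to_seconds(iso), bits))


def fits_32bit_field(seconds):
    """Whether the value can be serialised into a fixed 32-bit signed field, the
    way many file formats and wire protocols define their timestamp fields."""
    try:
        struct.pack("<i", seconds)
        return True
    except struct.error:
        return False


if __name__ == "__main__":
    # Constructed boundary dates: the last representable second and the one after it.
    print("last 32-bit instant:", last_representable(32))
    one_later = "2038-01-19T03:14:08+00:00"
    print("one second later, 32-bit:", round_trip(one_later, 32))
    print("one second later, 64-bit:", round_trip(one_later, 64))
    print("fits a 32-bit field:", fits_32bit_field(2**31 - 1), fits_32bit_field(2**31))
```

The 64-bit round trip returns the input unchanged; the 32-bit one lands in 1901, which is what a firmware image built with a 32-bit time_t will report once the kernel and libc work Corbet describes has not reached it.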

You think it’s a Muslim laptop ban? This picture suggests it’s really a terrorist ban • The Overspill

By me:


When the governments of not one but two countries impose sudden bans on the transport of potentially explosive things, you might think that people would take it seriously. There was one occasion when a would-be mass murderer ignited a bomb on the passenger deck of a plane out of Somalia – after apparently being handed the explosives by a ground worker. In a fabulous demonstration of karma, he was sucked out of the hole he’d made in the fuselage, and the plane landed safely. Subsequently, 20 ground staff in Somalia were arrested.

There are suggestions that this latest ban has been under discussion for a couple of weeks, in fact. That’s how intelligence works: gather data, consider risks, act.

The number of people complaining that “it’s just another version of the [Trump] Muslim ban” can’t be thinking clearly. The original “Muslim ban”, as a reminder, included Syria, Yemen, Iran, Iraq, Sudan, Somalia and Yemen.

It didn’t include the ones in the US ban: UAE (which includes Dubai), Turkey, Egypt, Jordan, Saudi Arabia, Qatar, Kuwait, or Morocco. The UK ban includes Tunisia too.

It should be pretty obvious, even if you think Trump is a fool, that this isn’t his idea. It has come from intelligence agencies who are worried about the possibility of a mid-air explosion.


link to this extract

Onboard battery fires underscore need for meaningful action • Runway Girl

John Walton:


This week, a battery caught fire in the overhead bins on a KLM 777, Qantas became the third airline to refuse freight carriage of lithium battery shipments, and Air France’s new safety video has started warning passengers not to move their seat if they lose their phone between the cushions. It’s time to talk about lithium batteries in PEDs [personal electronic devices].

With images and video circulating from yet another battery fire in an airline cabin — this time on board KLM 876 from Amsterdam to Bangkok — air safety regulators don’t seem to be on top of the problem. A compounding factor: the cabin crew actions in the video are not entirely in accordance with IATA safety guidelines.

Answers to an in-depth series of questions from Runway Girl Network to the US Federal Aviation Administration (FAA), UK Civil Aviation Authority (CAA) and European Aviation Safety Administration (EASA), as well as to the International Air Transport Association (IATA) and the International Civil Aviation Organization (ICAO), provoked more concerns than they resolved.


link to this extract

To censor or not to censor? YouTube’s double bind • The Guardian

Alex Hern:


[Regarding ads on hate speech] YouTube’s parent company Google has apologised, and promised a raft of changes to appease the big spenders, from better categorisation of hate speech to simpler, more powerful controls for advertisers. It’s also promised to hire “significant numbers of people”, on top of the thousands who already do the work, to review questionable content.

At the same time, in a very different community, YouTube creators are lambasting the site after the discovery that its “restricted mode”, a feature intended to let schools, parents and libraries filter out content not appropriate for children, also removed a vast amount of LGBT content. Some videos from pop duo Tegan and Sara, who are gay, were hidden from view, as were videos from bisexual YouTuber NeonFiona – but only those which talked about her sexuality.

YouTube has apologised there too. Initially, it argued that “LGBTQ+ videos are available in Restricted Mode, but videos that discuss more sensitive issues may not be”. That defence was torpedoed, however, as the community continued to experiment with what was getting blocked: a video titled “GAY flag and me petting my cat to see if youtube blocks this” – showing just that – was blocked on restricted mode. The company now admits that the system sometimes “makes mistakes in understanding context and nuances when it assesses which videos to make available in Restricted Mode”, and as a result many videos were wrongly blocked.

In other words, YouTube is currently being attacked by advertisers for not censoring enough and by creators for censoring too much. It’s almost enough to make you feel sorry for them.

Not quite, though. Because really, the two problems are the same: YouTube sucks at categorising videos, and the larger the site gets, the more serious the ramifications.


That’s it, in a nutshell. Plus it benefits Google to ignore the difference between children aged 13 and those aged one day under 18, since then it can just advertise to them all. For most of its life it hasn’t had to care about how bad it is.
link to this extract

Google’s stock rating downgraded as YouTube ad boycott contagion goes global • The Register

Andrew Orlowski:


The boycott has rapidly gone global [paywalled]. The UK is Google’s second largest market after the USA, bringing in 9% of Alphabet’s revenue, and the only territory where Google breaks out revenue in its financial statements.

Pivotal’s Brian Wieser explained he’d taken the decision because Google wasn’t taking the problem seriously, and accused it of “attempting to minimize the problem rather than eliminating it, which is the standard we think that many large brand advertisers expect”.

It’s four years since Google’s Theo Bertram promised to “drain the swamp”. What’s in the latest evacuation?

In a post titled ‘Expanded safeguards for advertisers’, Philipp Schindler, Google’s chief business officer, reiterated a commitment to give spenders more control over where their ads appear. Schindler euphemistically refers to “higher risk content”.

Promises include a pledge to tighten up the threshold for “acceptable content” and make exclusions easier.


Promising to drain the swamp and then not doing so seems to be in fashion these days.
link to this extract

Battery Status not included: assessing privacy in W3C web standards • Security, Privacy and Tech

Lukasz Olejnik (again – we’ve had him recently):


In 2016, Englehardt and Narayanan published a report (Online Tracking: A 1-million-site Measurement and Analysis) that has validated my previous work – they have identified the misuse of this API in the wild. Together with the fact that battery information may bring second-order privacy risks due to price discrimination (based on Uber study – and by the way, Uber is collecting battery ) it became clear that the matter had to be addressed.

Browser vendors reacted in a number of ways. In October 2016, Mozilla decided to remove Battery Status API from Firefox; I previously wrote about this. WebKit did the same, which means that Safari browser will not enable the API (although it never did so). Yandex Browser has decided to offer the API in an opt-in manner – the user needs to explicitly enable the API. In March 2017, Firefox shipped with the API removed, an unprecedented move in the history of the web; for the first time, an entire API has been purged citing privacy concerns.


It’s good that this pressure is getting W3C to recognise that there is more to life than making everything available to every site that wants to snarf the data on your device. Olejnik points to two companies whose widely used scripts have been used to track people’s use and which sites they viewed.
link to this extract

Unicode domains are bad, and you should feel bad for supporting them • VGRsec

Valentine Reid:


I’m going to begin by caveating my opening statement by saying unicode domains improve accessibility to the internet, and that’s a good thing, just unicode is so broad, there are many opportunities for lookalike domain spoofing, and that’s bad.

I discovered during a discussion with @jaredhaight that unicode domains were a thing. We immediately joked about how bad this was, so I went about registering some test domains and ran some test cases to determine how well they were supported across various ecosystems. The following is an exploration of unicode domain names and how they’re interpreted across various platforms as of Feb 2017.


Guess what? He registered (with a weird “m”). Google rejected his emails, but other mail organisations didn’t. Dangerous.
link to this extract
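A defensive check for the lookalike problem Reid describes, as an added Python example that is not from his post or this one: it converts between the Unicode form a user sees and the “xn--” form DNS and mail servers see, then flags labels that mix scripts or are made entirely of Cyrillic letters that render like Latin ones. The sample domains and the small lookalike table are constructed; a real deployment would load the full confusables data that Unicode publishes (UTS #39) rather than this hand-picked subset.

```python
"""Added example (not from the original post): a defensive check for IDN
lookalike ('homograph') domains. The sample domains below are constructed."""
import unicodedata

# Constructed subset of Unicode's confusables data (UTS #39): Cyrillic letters
# that render like Latin ones in most fonts. A real deployment would load the
# full confusables.txt table instead of this hand-picked list.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def to_ascii(domain):
    """Unicode domain -> the ASCII ('xn--') form that DNS and mail servers see."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """ASCII ('xn--') form -> Unicode, the form a user sees in a client."""
    return domain.encode("ascii").decode("idna")


def scripts_in(label):
    """Set of Unicode scripts used by the letters of one label, taken from the
    first word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def label_is_suspicious(label):
    """Two rules: a label mixing scripts, or an all-Cyrillic label whose every
    letter has a Latin lookalike, is treated as a probable spoof."""
    scripts = scripts_in(label)
    if len(scripts) > 1:
        return True   # e.g. Latin 'ex' + Cyrillic 'а' + Latin 'mple'
    letters = [ch for ch in label if ch.isalpha()]
    if scripts == {"CYRILLIC"} and all(ch in CYRILLIC_LOOKALIKES for ch in letters):
        return True   # whole-script confusable: reads as Latin but is not
    return False


def latin_skeleton(label):
    """What the label looks like to a reader: lookalikes mapped to Latin."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def analyse(domain):
    """Accepts either form; returns the rendered form, the wire form, what the
    name visually resembles, and whether any label should be treated as a lookalike."""
    shown = to_unicode(domain) if "xn--" in domain else domain
    labels = shown.split(".")
    return {
        "unicode": shown,
        "ascii": to_ascii(shown),
        "looks_like": ".".join(latin_skeleton(label) for label in labels),
        "suspicious": any(label_is_suspicious(label) for label in labels),
    }


if __name__ == "__main__":
    # Constructed samples: a plain name, a legitimate single-script IDN, and a
    # spoof whose 'a' is Cyrillic U+0430.
    for sample in ("example.com", "m\u00fcnchen.de", "ex\u0430mple.com"):
        print(analyse(sample))
```

Mail and web gateways see only the ASCII form, so the decode step is what lets a filter apply the script rules at all; a client that displays the Unicode form without such a rule shows the spoof and the real name identically, which is the behaviour Reid found varied across platforms.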

Huawei Watch 2 review: Why? • Android Police

David Ruddock:


In the world of technology, it’s rare that a successor product is actually worse than the one that preceded it.

Today is a rare day.

The Huawei Watch 2 is a step backward – multiple steps, even – from the original, even if it does claw back some of that lost ground with new features. The Huawei Watch 2 adds NFC, GPS, LTE, and Android Wear 2.0 to its repertoire, which all sounds well and good. Alas, it all feels for naught when it comes down to the final product experience. What it takes away is almost everything that made the original the de facto champion of the Android Wear world.

The screen is [much] smaller, having shrunk nearly two tenths of an inch, which is very considerable when we’re talking about something the size of a watchface. There’s a giant, raised bezel that makes actually using this touchscreen a major frustration, too, harkening back to some of the earlier round Wear devices. Wear 2.0’s intense reliance on gestures makes this a considerably greater frustration, though, and there’s no rotating crown to fall back on, unlike the new LG Watch Sport and Watch Style.

The Huawei Watch 2 is such a bizarre series of product and design decisions that I’m unsure how the company that built the original could have come up with… this. It’s kind of sad.


Ruddock really doesn’t like the design, doesn’t like the Android Pay implementation, and doesn’t like Android Wear 2.0. Apart from that, Mrs Lincoln, how was the play?

In fact, Ruddock seems disappointed with stuff coming out of the Android ecosystem. He tears into the HTC Ultra, essentially saying that HTC has wasted its own and any buyer’s money.
link to this extract

Errata, corrigenda and ai no corrida: none notified
