Start Up: decrypting #wannacry on XP, Apple’s glucose test, undesigning Huawei, and more

Ring, the video system for door monitoring, is being sued by ADT, the alarm company. Guess why? Photo by Steve Garfield on Flickr.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 11 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.

The unlikely Google killer • Medium

Jason Bell:


The key is that it’s something you and I probably aren’t thinking about right now. Even if it is something you and I are thinking about, we probably haven’t, or won’t, make the connection that it could kill Google until it becomes inevitable.

I think it’s more likely to come from outside Google’s domain of expertise than inside. Since Google is great with automation, Big Data, and machine learning, maybe it will come from a low-tech industry.

Here is a completely nutty narrative, meant for illustration only. Say someone in India realizes that there are large untapped pools of people in her country, and she starts to hire some of them to respond to queries about difficult search problems. Let’s call her startup Insearchant (yes, pun completely intended.) For example, ‘web hosting’ is a really competitive and expensive keyword to advertise on with Google. Suppose that, instead of searching for web hosting providers on Google, a small group starts using Insearchant to find good web hosting. At this point, Google wouldn’t buy Insearchant because it’s totally low-tech. That’s not the future! It’s a step backward. Besides, Google may not even know about this small firm in India. It’s insignificant. But, eventually, Insearchant becomes the default way to search for information whenever the stakes are high. Maybe Insearchant does a better job synthesizing information from all kinds of sources. Over time, more searchers ask Insearchant to find the answer. Google may start to become less profitable, and Insearchant starts to collect more and more data. The trend continues, until, suddenly, Insearchant builds an internal search engine. This engine provides Google-like results, but modifies them according to internal data, data that only Insearchant has. The output of Insearchant’s engine is much better for answering high-value search queries. People start switching away from Google in large numbers. Now, Google makes a mad dash to buy Insearchant, but it’s too late.


That’s sort of it, but misses the point. First: such companies aren’t “killers”. If Google was the Microsoft killer, why is Microsoft so healthy? Because Google was in the place where the focus was. Facebook is arguably the Google killer – it even competes for ads, and it’s about people, not impersonal web pages. (See how Google failed there.) But it won’t kill Google. It might disable or shrink its importance. (Ben Thompson has made this argument.)

It’s so hard to see this, but the stage still survives even after radio, cinema, TV and the internet.
link to this extract

Security notice update • Zomato Blog

Gunjan Patidar:


Earlier today, our security team discovered that user emails and hashed passwords were stolen from our database. Since then, we have taken multiple steps to mitigate the situation. One of these steps was to open a line of communication with the hacker who had put the user data up for sale.

The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers.

We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.


Oh no, that’s– oh, yes!
link to this extract

Apple CEO Tim Cook test-drove glucose monitor • CNBC

Christina Farr:


A source said that Cook was wearing a prototype glucose-tracker on the Apple Watch, which points to future applications that would make the device a “must have” for millions of people with diabetes — or at risk for the disease.

As CNBC reported last month, Apple has a team in Palo Alto working on the “holy grail” for diabetes: Non-invasive and continuous glucose monitoring. The current glucose trackers on the market rely on tiny sensors penetrating the skin. Sources said the company is already conducting feasibility trials in the Bay Area.

Tim Cook also talked about the device to a roomful of students in February at the University of Glasgow, where he received an honorary degree. He didn’t say if it was a medical device from a company like Medtronic or Dexcom, or an Apple prototype.

“I’ve been wearing a continuous glucose monitor for a few weeks,” he said. “I just took it off before coming on this trip.”


link to this extract

aguinet/wannakey: Wannacry in-memory key recovery for WinXP • GitHub

Adrien Guinet:


This software allows to recover the prime numbers of the RSA private key that are used by Wanacry.

It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.

This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I’ve tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won’t work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this, for this function : “After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.”. So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.

If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory.

That’s what this software tries to achieve.


The machine must have not been rebooted for this to (hopefully) work. Even so, nice that a Windows flaw gets around an exploit based on a Windows flaw.
link to this extract

The surest sign you’re winning is when Goliath takes a swing at you • Both Sides

Mark Suster:


This Goliath-imposed fight by ADT is particularly annoying for me because Ring is literally my family’s single favorite tech innovation of the past several years. It is a security doorbell (and now floodlight!) where for just $3 / month you can watch all video footage of people who come to the outside of your house including delivery people, solicitors or people in the neighborhood who perhaps shouldn’t be there.

For my family Ring has become a way that we joke and communicate with each other when I’m on the road. The boys or my wife will step in front of the camera on the way to school and if I’m in NY or SF or London my phone rings and I see them waving on their way.

Just how threatened is ADT? Ring is now arguably the fastest growing consumer product in the country and is now in a staggering 1 million homes in America and growing at an unbelievable clip. It is a product that you can purchase an entry-level camera for under $200 and pay just $3/month in video fees in a security industry that was previously only accessible to wealthy families who could afford expensive protection.

Ring is to ADT what the classic Innovator’s Dilemma says disrupts the industry behemoth by offering a product that is significantly cheaper and initially lower in feature set but eventually becomes so pervasive and where functionality grows to a point where the entire market dumps the giant company charging high prices in favor of a younger, more nimble provider whose innovation cannot be matched.
And the giant gets disrupted precisely because its cost structure to serve its customers and its cash cow, high-priced offering makes it nearly impossible for it to try compete.


ADT, if you didn’t know, is a company that has grown rich on comparatively simple alarm systems, often with subscriptions. Ring threatens to undermine that.
link to this extract

As we may read • Craig Mod


It was the summer of 2014 and I was preparing for my keynote lecture at the Yale Publishing Course. A lecture that was supposed to inspire those in attendance (mainly industry professionals, publishing ceos, editors, and even a few authors), to frame the current state of books — digital and physical — in uplifting but truthful terms. It was during this preparation that I realized something strange: I hadn’t read a digital book in almost a year.

Could that have been right? Had I really not read any digital books in 2014? I may have purchased one or two off the cuff, but I couldn’t remember reading any, certainly not all the way through. And yet I had a stack of physical books sitting next to me on my desk that I had read. Voraciously. Recently.

It seemed, then, that I had stopped reading digital books. It didn’t happen suddenly. Nor with great intention. There was no moment I could remember where I yelled into the sky: I’m done! No, it seemed to have been a much more nuanced, slow erosion of trust (that was the best word I could come up with at the time) that, without much fanfare, had gently guided me back to physical.


It’s so fascinating how digital hasn’t taken over in books, yet has elsewhere.
link to this extract

A tip for Apple in China: your hunger for revenue may cost you • WSJ

Li Yuan:


Last month, Apple told several Chinese social-networking apps, including the wildly popular messaging platform WeChat , to disable their “tip” functions to comply with App Store rules, according to executives at WeChat and other companies. That function allows users to send authors and other content creators tips, from a few yuan to hundreds, via transfers from mobile-wallet accounts.…

…Some social-networking apps likened Apple’s tactics over the tipping function to arm-twisting. Chief executives at two companies say that Apple told them if they refused to make the change, updated versions of their apps wouldn’t be made available and they could be kicked out of the App Store.

“We don’t charge anything as the platform, but Apple gets 30% for doing nothing,” one of the executives fumed.

The Chinese app developers believe that tipping is different from buying a song or making other virtual purchases: tipping is voluntary and happens after users consume the content, so it’s not a sale but a way to show appreciation.

“The biggest value of tipping is ‘fun’ not ‘money,’” writes freelance search programmer Huo Ju on his widely read tech blog.


Tencent (owner of WeChat) really isn’t going to like that. If WeChat withdrew from the App Store, Apple would be sunk in China.
link to this extract

Netflix was just the start: Google Play Console lets developers exclude app availability for devices that don’t pass SafetyNet • Android Police

Rita El Khoury:


Last weekend, a huge turmoil swept the root-enthusiast Android community as it was discovered then confirmed that the Netflix app was being blocked from showing up in search results on the Play Store for rooted devices. At the time, Netflix said it was using Widevine to block unsupported devices, but that made no sense to us: the app was still functional if it was sideloaded, it was only not showing up as compatible in the Play Store. So what sorcery was Netflix really using?! Turns out it’s a new function of the Google Play Console.

As part of the updates announced for the Play Console at I/O 2017, Google mentions a new Device Catalog section under Release management that lets developers choose with intricate granularity which devices their app supports on the Play Store. Devices can be viewed and excluded by many attributes including RAM and SoC, but the important factor we’re interested in is SafetyNet Attestation…

That means any dev could potentially block their apps from showing and being directly installable in the Play Store on devices that are rooted and/or running a custom ROM, as well as on emulators and uncertified devices (think Meizu and its not-so-legal way of getting Play Services and the Play Store on its phones). This is exactly what many of you were afraid would happen after the Play Store app started surfacing a Device certification status…

…this spells trouble for rooted users and the Android enthusiast community as a whole. Google keeps erecting more and more obstacles each day in the face of root and custom ROMs and even if this won’t stop root users who should be knowledgable enough to know how/where to grab an APK and install it, it will make things more and more difficult and maybe less and less worth the trouble.


Rooting is a minority sport (perhaps 10-20 million people in the west, out of around a couple of billion smartphone users), and Netflix is obviously looking to protect its content from devices that could be set up to pirate said content. (The comments, as ever, are hilarious in their obstinate defence of nose-face spiting.)
link to this extract

Huawei loses ex-Apple designer hired to revamp smartphone software • The Information


In an interview with The Information in June last year, Ms. [Abigail] Brody [who was hired in October 2015] said she was making some basic fixes to Huawei’s smartphone interface to address “glaring cosmetic issues” and “pain points.” She also said that she had pointed out other “ugly” aspects of the company’s public-facing look, such as its executives’ business cards.

“I’m not here to be a little designer. I’m here to change the world,” Ms. Brody said in that interview.

But Ms. Brody didn’t win enough support within Huawei and her impact at the company was limited, employees said. The new version of Huawei’s smartphone software skin, released last year, came with an iPhone-like app icon screen similar to its predecessors, but allowed users to switch to an alternative screen with an app drawer, a common feature among Android phones. It is unclear how much Ms. Brody had contributed to the design of that version, given that Wang Chenglu, a Shenzhen-based Huawei executive in charge of software for consumer products, has been overseeing the company’s user interface software design and development.

It is difficult to pinpoint one factor behind Ms. Brody’s departure. Some employees said Huawei didn’t give her enough power to make a difference, while others said she may have had the wrong expectations…

…When British designer Jamie Bates joined Huawei in 2014 to head its London design studio, he proposed some big changes to the company’s mobile interface software, Mr. Bates told The Information. But Chinese executives in Shenzhen were often reluctant to move too far away from the tried-and-tested design of Huawei’s existing product, which shared some similarities with Apple’s iOS such as the way the app icons looked. Mr. Bates left Huawei in 2015 and is now a design leader at Unilever.


Just me, or is there some sort of pattern emerging here?
link to this extract

Superfast broadband delay will cost users £140m, say BT rivals

Nic Fildes:


The delayed introduction of lower superfast broadband prices in the UK will cost consumers £140m according to rivals of BT, which runs the UK’s broadband network.

The telecoms regulator proposed in March that the wholesale cost of a superfast broadband line offering speeds of up to 40Mbps be cut by 40% by 2021. Companies including Sky, Vodafone and TalkTalk are expected to pass on those savings to consumers once the cuts come into effect. 

However, the lowering of wholesale prices was delayed by a year while Ofcom weighed up a wider review of the telecoms market, which concluded in March.

The price cuts had been due at the end of March this year but BT, via its Openreach division, will now lower its prices in April 2018.

BT’s rivals, which offer broadband services using the Openreach network, have calculated that the year’s delay will cost users tens of millions of pounds.

“We estimate that as a result of the 12-month delay in implementing this initial charge control and the subsequent delay in further reductions, UK consumers are being over-charged by around £140m,” said Vodafone.…

…Separately, Ofcom has opened an investigation into whether Openreach has missed targets for the delivery of high-speed fibre lines used by businesses.

In March, it was hit with a record £42m fine and told to pay back £300m to its rivals over the use of a loophole that artificially reduced the amount it compensated them when it failed to connect a line in time.


It’s better than the US (though the UK is – Cap’n Obvious – a lot smaller) but it’s still crap. Ofcom isn’t a victim of regulatory capture; it’s just that competition works a lot faster than regulation in such situations. But with BT controlling the infrastructure company, things can’t progress as fast as they otherwise could.

link to this extract

Facebook slapped with EU fine over WhatsApp deal • WSJ

Natalia Drozdiak:


Facebook Inc. was fined €110m ($122.7m) by the European Union’s antitrust regulator on Thursday for providing incorrect information or misleading authorities over the acquisition of its messaging unit WhatsApp, a warning shot to other companies registering their deals for review.

The EU said Facebook inaccurately claimed during the merger review in 2014 that it couldn’t routinely match Facebook and WhatsApp user accounts—something the company started doing two years later when it began combining user data across the services.

“Today’s decision sends a clear signal to companies that they must comply with all aspects of EU merger rules, including the obligation to provide correct information,” said EU antitrust chief Margrethe Vestager.

“We’ve acted in good faith since our very first interactions with the commission and we’ve sought to provide accurate information at every turn,” a Facebook spokesman said, adding that the errors made in the 2014 filings weren’t intentional.

The fine is manageable for Facebook, which brought in $27.6bn in revenue last year. But it is the latest of many legal and regulatory setbacks for the social-media company in Europe. On Tuesday, France’s privacy watchdog fined Facebook €150,000, alleging the company isn’t transparent enough with users about how it collects their data.

European privacy regulators have also been scrutinizing Facebook and Whatsapp on concerns the messaging service’s terms breaches privacy rules by allowing WhatsApp to share user information including phone numbers with its parent. Regulators in Germany and elsewhere have ordered the company to halt the data sharing.


A long extract, but two points: 1) look at how many places Facebook is in trouble over data collection, and they’re all in Europe 2) look at how quickly Vestager has moved on this, and compare it to the Google antitrust case, where she has in effect dithered for years; all the hard work of determining the case had been done before she started in September 2014.
link to this extract

Errata, corrigenda and ai no corrida: none notified

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.