Start Up: OneLogin breached, tracker tracking, the SMS bitcoin hack, goodbye Frank Deford, and more

Google plans to make adblocking a default in Chrome next year. Photo by Mr Exploding on Flickr.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. Hey, is it getting warmer in here? I’m @charlesarthur on Twitter. Observations and links welcome.

Notes from an emergency • Idlewords

Maciej Ceglowski, in a transcript of a speech given in Berlin on May 10:


Facebook is the dominant social network in Europe, with 349 million monthly active users. Google has something like 94% of market share for search in Germany. The servers of Europe are littered with the bodies of dead and dying social media sites. The few holdouts that still exist, like Xing, are being crushed by their American rivals.

In their online life, Europeans have become completely dependent on companies headquartered in the United States.

And so Trump is in charge in America, and America has all your data. This leaves you in a very exposed position. US residents enjoy some measure of legal protection against the American government. Even if you think our intelligence agencies are evil, they’re a lawful evil. They have to follow laws and procedures, and the people in those agencies take them seriously.

But there are no such protections for non-Americans outside the United States. The NSA would have to go to court to spy on me; they can spy on you anytime they feel like it.

This is an astonishing state of affairs. I can’t imagine a world where Europe would let itself become reliant on American cheese, or where Germans could only drink Coors Light.

In the past, Europe has shown that it’s capable of identifying a vital interest and moving to protect it. When American aerospace companies were on the point of driving foreign rivals out of business, European governments formed the Airbus consortium, which now successfully competes with Boeing.

A giant part of the EU budget goes to subsidize farming, not because farming is the best use of resources in a first-world economy, but because farms are important to national security, to the landscape, to national identity, social stability, and a shared sense of who we are.

But when it comes to the Internet, Europe doesn’t put up a fight. It has ceded the ground entirely to American corporations. And now those corporations have to deal with Trump. How hard do you think they’ll work to defend European interests?


As ever with his talks, you should read it all. He says things you hadn’t realised, crystallises them until you can almost hold them in your hand. (And he has also bought Delicious – the bookmarking site which was bought for millions by Yahoo, dumped, given millions in VC funds, and left to go dark – for just $35,000. Hilarious triumph over the foolishness of big money.)
link to this extract

Here’s how to track the smartphone apps that are tracking you • Fast Company

Glenn Fleishman:


The ReCon project publishes some data derived from a few hundred early users, listing apps, the kind of data they passed, a severity score, whether a developer was notified, and when misbehavior was fixed (if indeed it was).

For those who have installed the app, ReCon has a web-based console that allows users to block or modify information that’s sent. For instance, a user can block all examples of a given kind of PII, or block all location data sent from a given app. However, because some apps fail without location coordinates, the team is looking into coarsening GPS information instead of blocking it entirely. An app’s backend still gets relevant information, “but other parties aren’t able to pin down where you are to a few meters,” Choffnes notes.

Of course, examining a flow of data from users itself raises massive privacy red flags, which is part of the evolution of ReCon. Its creators don’t ask for passwords, try to avoid storing the values sent, and check only to see whether, say, a password is obviously being passed without encryption. The group ultimately wants to perform distributed machine learning without users disclosing private or secret information, such as domains they’re visiting.


link to this extract

Identity manager OneLogin has suffered a nasty looking data breach • Motherboard

Joseph Cox: On Wednesday,


OneLogin—a company that allows users to manage logins to multiple sites and apps all at once—announced it had suffered some form of breach. Although it’s not clear exactly what data has been taken, OneLogin says that all customers served by the company’s US data centre are impacted, and has quietly issued a set of serious steps for affected customers to take.

“Today we detected unauthorized access to OneLogin data in our US region,” the company wrote in a blog post.

Notably, the public blog post omitted certain details that OneLogin mentioned to customers in an email; namely that hackers have stolen customer information.

“Customer data was compromised, including the ability to decrypt encrypted data,” according to a message OneLogin sent to customers. Multiple OneLogin customers provided Motherboard with a copy of the message.

The message also directed customers to a list of required steps to minimize any damage from the breach, which in turn gave an indication of just how serious this episode might be.

According to copies of those steps, users are being told to generate new API keys and OAuth tokens (OAuth being a system for logging into accounts); create new security certificates as well as credentials; recycle any secrets stored in OneLogin’s Secure Notes feature; have end-users update their passwords, and more.

“Dealing with aftermath,” one customer told Motherboard. “This is a massive leak.”


Go to OneLogin’s main page and see how long it takes you to find the announcement. Note also Cieglowski’s talk about castles of data, and the temptation they breed.
link to this extract

Google will help publishers prepare for a Chrome ad blocker coming next year • WSJ

Jack Marshall:


Google has told publishers it will give them at least six months to prepare for a new ad-blocking tool the company is planning to introduce in its Chrome web browser next year, according to people familiar with the company’s plans.

The new setting, which is expected to be switched on by default within the desktop and mobile versions of Chrome, will prevent all ads from appearing on websites that are deemed to provide a bad advertising experience for users.

To help publishers prepare, Google will provide a self-service tool called “Ad Experience Reports,” which will alert them to offending ads on their sites and explain how to fix the issues. The tool will be provided before the Chrome ad blocker goes live, the people familiar with the plans say…

…Unacceptable ad types include those identified by the Coalition for Better Ads, an industry group made up of various trade bodies and online advertising-related companies that says it aims to improve consumers’ experience with online advertising.

The group’s initial list of unacceptable ad types, released in March, included pop-ups, auto-playing video ads with sound and “prestitial” ads that count down before displaying content. Google is a member of the group, alongside fellow ad giant Facebook , and Wall Street Journal parent News Corp .


This is antitrust territory. Dominant search engine; dominant browser; a dominant advertising supplier. What’s the harm to the consumer? The lack of choice in what they see, and the inability to decide what ads they do and don’t see. I hope Margrethe Vestager is on this preemptively; I’m sure publishers in Europe will be at her door.
link to this extract

Postscript: Frank Deford • The New Yorker

Nicholas Dawidoff on the sports writer who died last weekend aged 78:


Deford’s most celebrated pieces were all “bonuses,” the bonus being the coveted slot at the back of the Sports Illustrated reserved for the week’s long feature. Soon after I met him, Deford explained his theory of how to structure the bonus—a variation of Chekhov’s rifle. The Russian famously ordained that if in the first chapter (or act) a rifle is on the wall, before the end it must be brought down and fired. The man from Baltimore said that in a bonus, you began by telling the reader something that made him interested. Then, once the reader was completely engaged, you moved on to other matters, to the point where the reader forgot the first thing. Then, toward the end, you brought it up again. The act of forming, breaking, and reforming the chemical bond, he said, deepened the reading experience. I was in my early twenties at the time, and the notion that the magazine’s revered figure was sharing his sweetest science with me made me almost overwhelmed with gratitude. You could be good and also, well, good.

Several years later, we drove together in his car from New York City to his family’s home in Connecticut. Deford was as excited as I ever saw him, owing to something new. We would not need to stop, wait in a long line, and pay a toll at a booth along the highway, he said, because of a recent traffic innovation. There was now an electronic pass keyed to a collection sensor that enabled a driver to pay the toll by simply driving through the booth. It was hardly necessary even to slow down. I didn’t believe it? Just wait! Soon, he had me beyond excited in anticipation of such impossible, magical, laser-age technology.


Dawidoff, en route to a neat payoff. Deford inspired me: I used to type out his pieces and analyse them to try to understand why they worked so well. It turned out to be a combination of great reporting and clever construction. If you remember tennis’s 1985 US Open, this is a pretty good description of it. And it’s pretty good even if you don’t.
link to this extract

How to fight the bloatware of AI • Medium

Peter Sweeney is an entrepreneur and inventor of AI technologies, and he takes issue with the idea that we need a human-like AI. What we need, he argues, is one which narrowly does the rational part we’ve only recently learned to do:


it’s only within the past few centuries, beginning with the scientific revolution, that humans began making consistent, predictable progress through the creation of good knowledge. Earlier humans produced a wealth of bad knowledge, most of it long forgotten.

This isn’t to say humans were incapable of producing good knowledge. The point is that good knowledge creation was exceedingly rare. We wouldn’t model flight using a bird that failed to fly at such a spectacular rate. As a model for machine intelligence, shouldn’t humans be subject to the same standard of criticism?

We can further hone our expectations for good knowledge to scientific disciplines. According to Gary Marcus, “What society most needs is automated scientific discovery.” Demis Hassabis [founder and CEO of Google’s DeepMind] holds similar ambitions. “I’ve always hoped that A.I. could help us discover completely new ideas in complex scientific domains.”

We expect machines to embody superhuman intelligence. Only scientific progress embodies the sort of revolutionary knowledge creation that we imagine for our machines. It’s knowledge that arrives in conjectural leaps, defies our past experiences, and redefines what’s possible.
This process of knowledge creation is a human invention, not a natural phenomenon. Yet on closer inspection, our knowledge of how scientific knowledge is created is younger still! It was only in the 20th century, with Karl Popper’s philosophy of science, that there emerged a strong consensus of how scientific knowledge is created.

Naturally irrational humans are deeply flawed knowledge creation machines. We’ve only recently acquired the skills we need from machines and our knowledge of how we do it has not been broadly disseminated. Nature doesn’t provide a model of what we want from intelligent machines, namely revolutionary scientific knowledge, nor is the process that humans use to create this knowledge a naturally occurring phenomenon.


Or as Lewis Wolpert used to put it, “science isn’t common sense. It’s usually the direct opposite.” (Think of Earth revolving around the sun, or the reason for gravity. Common sense doesn’t predict them.)
link to this extract

How to lose $8k worth of bitcoin in 15 minutes with Verizon and • Medium

Cody Brown had his phone account, and then his email, and then his bitcoin wallets hacked:


Before we begin, its worth mentioning that yes, yesssssssssssssssssssss, I did not have enough protection around my Gmail account. I’ve used Google Authenticator before, for my personal account and for various work emails, but I stopped using it at a certain point out of convenience. I deeply regret doing so and you can certainly say, “HA, YOU HAD THIS COMING TO YOU DUDE, MY BITCOIN IS ON AN ENCRYPTED THUMBDRIVE IN A SECRET UNDERGROUND LOCKBOX COLD STORAGE FACILITY.” But there are many coin spectators out there with a similar vulnerability and, as more novices join, this vulnerability will only become more of a problem.

Of all the things that went down in the factors that lead to this hack, Verizon Wireless is what I was massively unprepared for. After talking at length with customer service reps, I learned that the hacker did not need to give them my pin number or my social security number and was able to get approval to takeover my cell phone number with simple billing information. This blew my mind and seemed negligent beyond all possible reason but it’s what they do. The main thing that struck me by the hack was the extraction speed possible in the current cryptocurrency ecosystem. $8,000 in 15 minutes is faster and more lucrative than robbing a suburban bank.


The key failing (besides his lack of two-factor non-SMS authentication on his Gmail account) was Verizon letting someone in effect take over his SIM. He had SMS authentication on his account. Guess what happened when the hackers tried to log in to his account? They could reset the password and get an SMS sent to “his” number. Cue disaster.

Coinbase (which has become a target for such hacks) is not above a lot of criticism either.
link to this extract

The US has forgotten how to do infrastructure • Bloomberg

Noah Smith:


There is reason to suspect that high US costs are part of a deeper problem. For example, construction seems to take a lot longer in the US than in other countries. In China, a 30-story building can be completed in only 15 days. In Japan, giant sinkholes get fully repaired in one week. Even in the US of a century ago, construction was pretty fast – the Empire State Building went up in 410 days.

Yet today, it takes the US many years to spend the money that Congress allocates for infrastructure. New buildings seem to linger half-built for months or years, with construction workers often nowhere to be found. Subways can take decades. Even in the private sector, there are problems – productivity in the homebuilding sector has fallen in recent decades.

That suggests that US costs are high due to general inefficiency – inefficient project management, an inefficient government contracting process, and inefficient regulation. It suggests that construction, like health care or asset management or education, is an area where Americans have simply ponied up more and more cash over the years while ignoring the fact that they were getting less and less for their money. To fix the problems choking US construction, reformers are going to have to go through the system and rip out the inefficiencies root and branch.

Unfortunately, this is going to be hard, given all the vested interests and institutional inertia blocking deep reform of the construction sector. As [Matt] Yglesias ruefully notes, a study by the Government Accountability Office looking into the problem of high train-construction costs was recently killed by Congress, with no explanation given.


Before you kneejerk, the article goes through possible culprits (salaries; unions; land acquisition costs; geography) and finds none explains it. A side-by-side comparison of two projects, one in the US and one elsewhere, would be educative. But it seems the GAO has been told not to look into this either.
link to this extract

Keeping your company data safe with new security updates to Gmail • Google Blog

Andy Wen is senior product manager for Counter abuse technology:


Machine learning helps Gmail block sneaky spam and phishing messages from showing up in your inbox with over 99.9% accuracy. This is huge, given that 50-70% of messages that Gmail receives are spam. We’re continuing to improve spam detection accuracy with early phishing detection, a dedicated machine learning model that selectively delays messages (less than 0.05% of messages on average) to perform rigorous phishing analysis and further protect user data from compromise.

Our detection models integrate with Google Safe Browsing machine learning technologies for finding and flagging phishy and suspicious URLs. These new models combine a variety of techniques such as reputation and similarity analysis on URLs, allowing us to generate new URL click-time warnings for phishing and malware links. As we find new patterns, our models adapt more quickly than manual systems ever could, and get better with time.


I see very, very few phishing emails on my Gmail account. I see a fairly constant amount of spam on it, though, despite marking the stuff (always claiming to be from department stores, and not being addressed to my ur-address) as junk consistently.

That spam hasn’t become a bigger, or even overwhelming slice of email is a success for all the organisations such as Spamhaus fighting it.
link to this extract

About Newcastle libraries’ data • Newcastle City Council


In Newcastle Libraries we are endeavouring to open up as much of our data as possible. As library workers sharing and facilitating access to knowledge and information is part of our role; here we apply this principle to the information we collect about your library service. We believe that we are only the custodians of this information, and by publishing it in the public domain (under Creative Commons Licence 0) we are simply giving it back to you.


Newcastle Libraries has better open data policies than the US White House. Let that sink in.
link to this extract

Errata, corrigenda and ai no corrida: none notified

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.