Start Up: iPhone bug bounties, peak oil fades, HTC’s keyboard ads, DJI’s hacking war, and more

“Cracking end-to-end encryption” might actually be as simple as doing this. (Ignore the date.) Photo by Johan Larsson on Flickr.

Posting note: for personal reasons, it’s possible that the next Overspill posting will be delayed by a day or so. (I can’t presently predict if it will or won’t.) If it is, you won’t get tomorrow’s update. (And it won’t be on the website.) If it isn’t, you’ll.. get a post as normal. I realise this is indistinguishable from incompetence. Apologies in advance.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 12 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.

New law would force Facebook and Google to give police access to encrypted messages • The Guardian


Under the law, internet companies would have the same obligations as telephone companies to help law enforcement agencies. Police would need warrants to access the communications. [Australian Prime Minister Malcolm] Turnbull said the legislation was necessary to keep pace with advances in technology that could facilitate crime.

“We need to ensure that the internet is not used as a dark place for bad people to hide their criminal activities from the law,” he said.

Asked by reporters how legislation would prevent users simply moving to encryption software not controlled by tech companies, Turnbull said Australian law overrode the laws of mathematics.

“The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

Turnbull denied the government’s plans involved the use of a “back door” into programs to allow access to encrypted messages on platforms such as WhatsApp and Telegram.

“A back door is typically a flaw in a software program that perhaps the developer of the software program is not aware of, and that somebody who knows about it can exploit,” Turnbull said. “If there are flaws in software programs, obviously, that’s why you get updates on your phone and your computer all the time. So we’re not talking about that. We’re talking about lawful access.”

Pressed on whether the government’s plans meant it would ask companies such as Facebook and Apple to keep a copy of encryption keys used by customers, Turnbull said:

“I’m not a cryptographer, but what we are seeking to do is to secure their assistance. They have to face up to their responsibility. They can’t just wash their hands of it and say it’s got nothing to do with them.”

The attorney general, George Brandis, said the legislation would “impose an obligation upon device manufacturers and service providers to provide appropriate assistance to intelligence and law enforcement on a warranted basis”. It could be used to tackle terrorism, or serious organised crime such as paedophile networks.


This isn’t totally absurd. The clue is in Turnbull’s quote about “updates on your phone” and Brandis’s “obligation.. to provide appropriate assistance”. What’s likely to happen is that targeted individuals will receive SIM updates which let the authorities spy on them. Simple as that. If you read the above (and the story) in that light, it becomes feasible – sensible, even. If you think they want to have access to everyone’s encrypted messages all the time, you’re overthinking it. However, that might mean having a supply of the following…
link to this extract

iPhone bugs are too valuable to report to Apple • Motherboard

Lorenzo Franceschi-Bicchierai:


Last year, Apple pushed back against the FBI for months as it resisted an order to help the feds break into the iPhone of the San Bernardino shooter, who killed 14 people and injured 22 in December of 2015. The FBI eventually got into the phone, but not with Apple’s help. Instead, the FBI paid for a costly exploit found by unknown, independent researchers. As The New York Times argued at the time, perhaps one reason hackers had exploits to sell to the FBI was that they had little incentive to report them to Apple instead.

Though the announcement of the program was public, nearly everything else about it has been rolled out with Apple’s typical secrecy. For now, the program is invite-only.

The researchers who received an invite to join have had a chance to earn rewards ranging from $25,000 to $200,000 for bugs in iOS and MacOS, according to Krstic’s talk.

That might sound like a lot of money. But one of the reasons why the researchers we talked to aren’t itching to report bugs is that Apple’s rewards aren’t as high as they could or maybe should be. In the private, gray market, where companies such as Zerodium buy exploits from researchers and sell them to their customers, a method comprised of multiple bugs that can jailbreak the iPhone is valued at $1.5m. Another firm, Exodus Intelligence, offers up to $500,000 for similar iOS exploits. These companies claim to sell only to corporations to help them protect their networks, or to law enforcement and intelligence agencies to help them hack into high-value targets…

…”Apple has to compete with the true value for the bugs they want to buy,” Dan Guido, the CEO of the cybersecurity research firm Trail Of Bits, told me. “They’re trying to buy game-over stuff at $200,000, but it’s just worth more than that.”

In other words, the economics of the bug bounty are just not worth the trouble.


Clever story. But what’s the solution for Apple? Let hackers name their price? Outbid whatever the market is offering? (The latter could vary hugely.) Easy to identify the problem, but not the solution.
link to this extract

iOS 11 will expand your iPhone’s NFC capabilities beyond Apple Pay in several ways • Mac Rumors

Joe Rossignol:


Apple at WWDC 2017 last month introduced Core NFC, a new iOS 11 framework that enables apps to detect Near Field Communication tags.

Similar to Apple Pay, iPhone users are prompted with a “Ready to Scan” dialog box. After holding the iPhone near an item with an NFC tag, a checkmark displays on screen if a product is detected. An app with Core NFC could then provide users with information about that product contained within the tag.

A customer shopping at a grocery store could hold an iPhone near a box of crackers, for example, and receive detailed information about their nutritional values, price history, recipe ideas, and so forth. Or, at a museum, a visitor could hold an iPhone near an exhibit to receive detailed information about it.

Core NFC will expand the iPhone’s NFC chip capabilities beyond simply Apple Pay in several other ways.

Cybersecurity company WISeKey, for example, today announced that its CapSeal smart tag will now support iPhone thanks to Core NFC. CapSeal smart tags are primarily used for authentication, tracking, and anti-counterfeiting on products like wine bottles. Many other companies offer similar solutions.


iPhone 7 upwards only at present.
link to this extract

Remember Peak Oil? Demand may top out before supply does • Bloomberg

Javier Blas:


When Bob Dudley, chief executive officer of British oil giant BP Plc, was asked at a recent conference when oil demand will peak, he had a precise answer: June 2, 2042.

The audience at the annual St. Petersburg International Economic Forum burst into laughter, knowing it’s impossible to predict such an event down to the day. But the American executive wasn’t speaking entirely in jest: The most recent edition of BP’s widely scrutinized Energy Outlook has global demand for crude maxing out in 2½ decades, give or take a year. That projection casts a shadow over one of the world’s largest industries, which until recently was far more concerned with boosting supply. The advent of electric cars, the fight against climate change, and slowing economic growth in China are dampening the world’s once boundless appetite for crude. Carmaker Volvo AB announced on July 5 that it will manufacture only electric or hybrid models from 2019 onward. Three days later, France said it would ban sales of cars with diesel and gasoline engines starting in 2040.


As a date for “Peak Oil Demand”, 2040 seems reasonable. And it’s not that far away.
link to this extract

Scholars cry foul at their inclusion on list of academics paid by Google • The Chronicle of Higher Education

Chris Quintana:


Last week an advocacy group published what it called a list of scholars who have received money from Google and who have written papers that supported its interests, sometimes without disclosing that apparent conflict of interest. Sarah T. Roberts said she doesn’t understand why she was on the list.

Sure, she told The Chronicle, she was a Google fellow in 2009, but that meant a $7,000 award to cover her expenses during a 10-week stint working in Washington, D.C., for the American Library Association.

Why that 2009 fellowship would be relevant to a 2015 paper on information privacy — in which Ms. Roberts, an assistant professor of information studies at the University of California at Los Angeles, was listed as the fourth author — is not clear to her. More important, she said, she didn’t receive any money from the technology giant in connection to that paper. And if the advocacy group’s concern was that she had benefited from Google in the past, that information is on her curriculum vitae.

“What else would they like me to do?” she asked. “I think it’s pretty irresponsible.”

Ms. Roberts is one of a handful of scholars who told The Chronicle on Wednesday that they felt the Campaign for Accountability, the group that issued the report, had included them unfairly in its list of academics who had received money from Google in connection to research that could be used to defend the company’s business practices.


Seems like the Campaign for Accountability needs to get in touch with the Campaign for Context. This story is unravelling rather quickly.
link to this extract

Facebook will start showing ads inside Marketplace, its Craigslist-style section for browsing used goods • Recode

Kurt Wagner:


Facebook has found another place to show advertisements to its users.

The company announced on Friday that it will start running ads inside Marketplace, its Craigslist-style hub where users can buy and sell used goods.

The ads are just a test for now, which means only a small percentage of US Facebook users will see them. Facebook is not even selling ads specifically for Marketplace just yet — instead, it will take existing News Feed ads and put them inside the Marketplace tab free of charge to advertisers, as a way to experiment.


I can’t imagine anything that.. makes more sense. People look for stuff and you show them ads about stuff? Worked out OK for Google.
link to this extract

Implementing Webmentions • All In The Head

Drew McLellan:


In a world before social media, a lot of online communities existed around blog comments. The particular community I was part of – web standards – was all built up around the personal websites of those involved.

As social media sites gained traction, those communities moved away from blog commenting systems. Instead of reacting to a post underneath the post, most people will now react with a URL someplace else. That might be a tweet, a Reddit post, a Facebook emission, basically anywhere that combines an audience with the ability to comment on a URL.

Whether you think that’s a good thing or not isn’t really worth debating – it’s just the way it is now, things change, no big deal. However, something valuable that has been lost is the ability to see others’ reactions when viewing a post. Comments from others can add so much to a post, and that overview is lost when the comments exist elsewhere.

Webmention is a W3C Recommendation that solves a big part of this. It describes a system for one site to notify another when it links to it. It’s similar in concept to Pingback for those who remember that, just with all the lessons learned from Pingback informing the design.


I remember how pingback got turned into a spam problem so bad that most people – and stop me if this bit sounds familiar in this whole debate – turned it off. Yup, any system that scales and allows anyone to contribute will have a spam problem. It will also, now, have a “mad troll” problem, if one thinks the two are different.

The problem with comments is not in systems for allowing comments. It’s in what people want to put into their comments: most has zero value, even to the commenter.
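Added example (not code from Drew McLellan’s article or from the W3C Recommendation): the receiver-side check that is the main lesson Webmention took from Pingback’s spam problem. A Webmention is a POST carrying `source` and `target`; the receiver fetches the claimed `source` and accepts the mention only if that page really links to `target`. The `fetch` callback, the accepted-host list and the sample pages are constructed for the example.

```python
"""Minimal Webmention receiver-side verification (added example, not the
article's or the spec's code). The fetch-and-check step below is what stops
anyone from claiming a link that does not exist."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Hosts this receiver accepts mentions for (constructed for the example).
ACCEPTED_TARGET_HOSTS = {"example.org"}


def normalise(url: str) -> str:
    """Lower-case scheme and host, drop the fragment, so trivial variants match."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class _LinkCollector(HTMLParser):
    """Collects every href on the fetched source page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def verify_webmention(source: str, target: str, fetch):
    """Return (accepted, reason). `fetch(url)` returns the page body as a str or
    raises; it is injected so this runs offline and so a real deployment can
    wrap it with timeouts, redirect limits and a response-size cap."""
    for name, url in (("source", source), ("target", target)):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return False, f"{name} is not an http(s) URL"
    if normalise(source) == normalise(target):
        return False, "source and target are the same URL"
    if urlsplit(target).hostname not in ACCEPTED_TARGET_HOSTS:
        return False, "target is not a URL this receiver is responsible for"
    try:
        body = fetch(source)
    except Exception as exc:  # network error, 4xx/5xx and so on
        return False, f"source could not be fetched: {exc}"
    collector = _LinkCollector()
    collector.feed(body)
    found = {normalise(h) for h in collector.hrefs if h.startswith("http")}
    if normalise(target) in found:
        return True, "source links to target"
    return False, "source does not link to target; mention rejected"


# Constructed sample pages standing in for the network.
_PAGES = {
    "https://blog.example.com/reply": '<p>Great post: <a href="https://example.org/post/1#top">this</a></p>',
    "https://spam.example.net/x": "<p>Buy stuff</p>",
}


def _fake_fetch(url: str) -> str:
    return _PAGES[url]
```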
link to this extract

The standard keyboard on the HTC 10 has begun showing ads : mildlyinfuriating • Reddit


User WagnerianDoorbell: “Ads are probably based off all the words you’ve entered with that keyboard.

“From an advertiser’s perspective, having access to the full log of everything entered on a system’s keyboard is like the holy grail of profiling data.”


Utterly dismaying. Though given how poorly HTC is doing, it might think this is a good idea. In reality, you’d expect if word gets out sufficiently then it will hasten its end.
link to this extract

DJI is locking down its drones against a growing army of DIY hackers • Motherboard

Ben Sullivan:


On YouTube, Facebook, drone forums, and Slack groups around the internet, hackers have published instructions for altering the firmware on DJI’s drones, leading to a rising number of drone pilots who have circumvented flight restrictions imposed by DJI on its products. In recent days the company has updated its software to render these hacks moot, and has started removing vulnerable versions of its firmware from its servers in an attempt to regain control of its drones.

DJI told me on Friday it will continue to investigate cases of unauthorized modification and that it will “issue software updates to address them without further announcement.”

“Unauthorized modification of a DJI drone is not recommended, as it can cause unstable flight behavior that could make operating the drone unsafe,” Victor Wang, DJI’s technology security director, told me in a statement. “DJI is not responsible for the performance of a modified drone and we strongly condemn any user who attempts to modify their drone for illegal or unsafe use.”

“This is the beginning of the fight for DJI to retain control of these aircraft,” consumer drone expert Kevin Finisterre, who this week developed and released his own DJI exploit, told me in an email. “End users are more invigorated than ever with the desire to emancipate their drone.”


A very strange arms race. But given the fact that they’ve been used by ISIS in battle, this is one of those fights that DJI looks likely to lose.
link to this extract

Essential marketing vice president leaves after seven months • Business Insider

Steve Kovach:


Brian Wallace, Essential’s VP of marketing, has left the company, he confirmed to Business Insider on Friday. Wallace is now CMO at, a “connected lifestyle” company founded by musician 

Wallace’s move is the latest sign of turmoil at Essential. Wallace joined Essential in December after running marketing for the augmented reality startup Magic Leap. Before that, he worked at Samsung and helped put together the iconic “Next Big Thing” campaign that propelled Samsung’s mobile business in the US.

Wallace isn’t the only major departure at Essential. Andy Fouché, who is listed as the company’s head of communications on its website, left recently as well, he told Business Insider in an email last month. However, Fouché also described himself as an advisor to the company. He also worked with Wallace as the head of communications at Magic Leap. Kenzo Hing, Essential’s head of product marketing, will be running communications in the meantime.

Hing did not respond to multiple requests for comment.

The departures are not a good look for Essential.


I can believe that a startup might have quite a bit of churn as you discover whether people are really right for this stuff, but losing your marketing bod to That’s really got to burn.
link to this extract

It took nine years, but Bitly turned short web links into a real company • Recode


Peter Kafka: here’s a story that won’t get much attention: A modest success for a company that once had much grander aspirations.

That would be Bitly, a company that lets marketers and other businesses keep tabs on customers as they move around the web by generating short, trackable URL links.

Spectrum Equity just bought a majority stake in the nine-year-old company for $63m. A press release doesn’t spell out the specifics but I’m told Spectrum now owns a significant majority of Bitly, and that the new deal values the company below the $100m valuation of its last raise, back in 2012.

In other words, maybe the investors who put a reported $29m into Bitly prior to the Spectrum deal got their money back. But they certainly didn’t make much on this.


Amazing that a company which does web shortening can be valued at all, but perhaps there’s some value in aggregating links. But $63m worth?
link to this extract

Trump’s MAGAnomics is here. And his team repeated Obamanomics’ big mistake • The Washington Post

Heather Long:


The architects of MAGAnomics are making the same error that the masterminds of Obamanomics made: They’re promising far more than they are likely to deliver. Even worse, they are putting a very concrete target out there: 3% GDP growth or bust.

Trump’s already off track. Growth this year is shaping up to be the same — or even worse — than under Obama. Expectations for the coming years are not much better.

On the same day Mulvaney published his MAGAnomics commentary, the Wall Street Journal ran a story with the headline “Forecasters lower economic outlook amid congressional gridlock.” Economists surveyed by the Journal predict 2.4% growth in 2018 and just 1.9% in 2019.

Of course, this is not the first time the Trump team has vowed “huge” and “spectacular” economic growth. Trump himself has said he can achieve 5% growth (annual growth has not exceeded 5% since 1984). The White House website promises 4% a year expansion and 25 million new jobs, the most of any U.S. president.

Trump’s team should have learned from Obama: Be careful with concrete economic promises.

Obama spent a lot of his early days in the White House in 2009 trying to generate support for a big stimulus proposal by promising it would create millions of jobs. His team told the nation that unemployment was unlikely to go above 8% if the stimulus passed, part of detailed projections of the results they expected their plan to deliver. In reality, unemployment hit 10% a few months later.


link to this extract

Errata, corrigenda and ai no corrida: none notified

1 thought on “Start Up: iPhone bug bounties, peak oil fades, HTC’s keyboard ads, DJI’s hacking war, and more”

  1. My impression is that whoever writes the “Campaign for Accountability” material comes from a background of data-visualization and presentation, but has little experience with deep analysis of data’s meaning. It’s a pretty rookie mistake to give a misleading impression about multiple authors based on a paper where only one of the authors is relevant. That’s just guaranteed to anger all the other co-authors. Maybe the writer doesn’t care, but that’s attributing to malice what can be explained by inexperience.

    Pity. This is a hard topic to discuss well, especially considering there are some professionally clever people who have every incentive to obscure financial connections. There is more than one story in Google’s influence, but this organization covered it badly.
