Start Up: Facebook’s fake election rallies, Trump blocks Lattice buy, Equifax’s woeful security, and more

Fonts can tell tales – and reveal liars – if you know enough about them. Photo by stewf on Flickr.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. Is that really your face, though? I’m @charlesarthur on Twitter. Observations and links welcome.

Purged Facebook page tied to the Kremlin spread anti-immigrant bile • The New York Times

Scott Shane:


The notice went out on Facebook last year, calling citizens of Twin Falls, Idaho, to an urgent meeting about the “huge upsurge of violence toward American citizens” by Muslim refugees who had settled there.

The inflammatory post, however, originated not in Idaho but in Russia. The meeting’s sponsor, an anti-immigrant page called “Secured Borders,” was one of hundreds of fake Facebook accounts created by a Russian company with Kremlin ties to spread vitriolic messages on divisive issues.

Facebook acknowledged last week that it had closed the accounts after linking them to advertisements costing $100,000 that were purchased in Russia’s influence campaign during and after the 2016 election. But the company declined to release or describe in detail the pages and profiles it had linked to Russia.

A report by the Russian media outlet RBC last March, however, identified the Secured Borders page as the work of the Internet Research Agency, a St. Petersburg firm that employs hundreds of so-called trolls to post material in support of Russian government policies. A Facebook official confirmed that Secured Borders was removed in the purge of Russian fakes…

…It also promoted the Aug. 27, 2016, meeting in Twin Falls, called “Citizens before refugees,” which was first reported by The Daily Beast. The call came amid incendiary claims, linking Muslim refugees in Twin Falls to crime, that circulated on far-right websites last year. In May, Alex Jones, of the conspiracy site, retracted a claim that the Twin Falls yogurt company Chobani, which had made a point of hiring refugees, had been “caught importing migrant rapists.”

Shawn Barigar, the mayor of Twin Falls, said that the City Council Chambers, where the supposed meeting was called on a Saturday, were closed that day and that officials did not recall any gathering. But he said that after two years of “robust debate” over the city’s refugee resettlement program, which dates to the 1980s, it was “kind of surreal” to discover that Russia had joined in.


This reminds me of a Philip K Dick short story called “If There Were No Benny Cemoli” which – because he was a genius ahead of his time – is all about fake news and fake events. Something about this really gives me the shivers.
link to this extract

Trump blocks China-backed Lattice bid • Bloomberg


President Donald Trump blocked a Chinese-backed investor from buying Lattice Semiconductor Corp., casting a cloud over Chinese deals seeking U.S. security clearance and spurring a call for fairness from Beijing.

It was just the fourth time in a quarter century that a U.S. president has ordered a foreign takeover of an American firm stopped on national-security concerns. Trump acted on the recommendation of a multi-agency panel, the White House and the Treasury Department said Wednesday. The spurned buyer, Canyon Bridge Capital Partners LLC, is a private-equity firm backed by a Chinese state-owned asset manager.

The Trump administration has maintained a tough stance against Chinese takeovers of American businesses even as it seeks China’s help to resolve the North Korean nuclear crisis. Other deals under review include MoneyGram International Inc.’s proposed sale to Ant Financial, the financial-services company controlled by Chinese billionaire Jack Ma. The government is also examining an agreement by Chinese conglomerate HNA Group Co. to buy a stake in SkyBridge Capital LLC, the fund-management firm founded by Anthony Scaramucci, who was briefly Trump’s White House communications director…

…Lattice makes programmable logic chips, which have a wide variety of uses because their attributes can be changed using software. The chips are used in communications, computing, and in industrial and military applications. The company generates more than 70% of its revenue in Asia, according to data compiled by Bloomberg.

Trump’s move builds on years of U.S. opposition to China’s efforts to bolster its chip industry by buying American technology. China, the world’s largest chip market, has been on the hunt for acquisitions in the field as it looks to build a domestic supply and rely less on imports, as the $300bn global semiconductor industry undergoes its biggest wave of consolidation.


link to this extract

“Font detectives” use their expertise to solve high stakes cases • WIRED

Glenn Fleishman:


Most forgeries that experts expose aren’t very sophisticated to the discerning type eye. [Thomas] Phinney recounts his involvement in a case he calls The Respected Rabbi: A Long Island rabbi faced controversy among his congregation after his name failed to appear on a list of alumni from the school at which he said he’d obtained ordination. Phinney says he was told, too, that the rabbi “didn’t know his theology as well you might expect from a rabbi.”

After much tsorres, the rabbi presented a board member with a faxed copy of his proof of smicha, or ordination, issued in 1968. It was from an institution that had closed, and its records had been destroyed in a fire. Called in to examine the smicha, Phinney quickly noted that the entire document was in fancy, handwritten calligraphy, except the recipient’s name, which was set in a typeface that had a calligraphed feel.

Though diplomas and similar documents were once written by an expert hand, most have been printed en masse for centuries (Harvard started printing its in 1813) with a blank space left for the recipient’s name. That name is typically then added either via a calligrapher or a letterpress in the same font as the rest of the diploma. But a diploma written by hand with the blank filled in with a calligraphic printed typeface? That was extremely unlikely. Phinney also identified the face as Monotype Corsiva, a font released in the early 1990s, making the chronology impossible.


This article has three headlines: the one above, the one on this article (“Meet the font detectives who ferret out fakery”), and the print one – “I shot the serif.” BOOM. Lots of good stories in this.
link to this extract

What happens if a cop forces you to unlock your iPhone X with your face? • The Washington Post

Brian Fung:


While you can’t legally be compelled to give up your passcode, some analysts say, courts have ruled that law enforcement can compel you to give up your fingerprint under certain conditions. Under a standard known as “reasonable suspicion,” you can be required to provide your fingerprint. Could the same standard be applied to your facial data? That’s what is unclear.

That said, Americans enjoy one additional layer of legal protection. Even if a police officer uses your biometric information to unlock a phone, he or she must still obtain a search warrant to search the phone. The warrantless searching of cellphones was ruled unconstitutional by the Supreme Court in Riley v. California in 2014.

“That’s now established Supreme Court doctrine,” Calabrese said. Either way, he said, the best protection is probably to use a strong passcode.

Given how confusing the law can be on these issues, can’t there be some kind of technological solution?

A partial one may be in the works. The new version of Apple’s mobile operating system, iOS 11, is said to contain a fail-safe that will not only disable Touch ID, but also potentially Face ID. By pressing the power button five times in quick succession, an iPhone will stop accepting biometric data as an unlocking mechanism and require a passcode, according to the researcher who discovered the feature in a beta version of iOS 11.

It is not clear how long the fail-safe lasts before things revert to the regular mode. Apple did not respond to a request for comment.


It was all going so well until that last paragraph, which is clueless. “Regular mode” is “requiring a passcode”. Only when you’ve entered a passcode is the biometric unlock (finger or face) enabled. Pressing the side button five times does indeed disable the biometric unlock. If you feel you need to, that’s your solution.

(Added to the “close but no cigar” category on iPhone X and FaceID.)
link to this extract

Ayuda! (Help!) Equifax has my data! • Krebs on Security

Brian Krebs:


Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

We’ll speak about this Equifax Argentina employee portal — known as Veraz or “truthful” in Spanish — in the past tense because the credit bureau took the whole thing offline shortly after being contacted by KrebsOnSecurity this afternoon. The specific Veraz application being described in this post was dubbed Ayuda or “help” in Spanish on internal documentation.

Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. The “list of users” page also featured a clickable button that anyone authenticated with the “admin/admin” username and password could use to add, modify or delete user accounts on the system…

Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.

However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

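The two failures Krebs describes are separable: a default credential pair on the front door, and a profile page that masks each employee’s password with dots in the browser while the server still ships the plaintext in the HTML (so “view source” reveals it). The block below is an added example, not code from Krebs or from Equifax: it audits a constructed sample page for password fields the server pre-filled, and checks a submitted username/password pair against a (constructed, deliberately short) list of default credentials. The form actions, usernames and passwords in the sample are made up.

```python
"""Audit a web page for secrets that should never reach the browser.

Added example (not Krebs's or Equifax's code). The sample HTML below is
constructed to show the pattern the post describes: a password <input>
rendered as dots on screen, but with the real password in its value=
attribute, readable by anyone who views the page source.
"""
from html.parser import HTMLParser

# Constructed, deliberately short list of well-known default pairs.
# A real audit would load a larger list; "admin"/"admin" is the one the post names.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
}


class PasswordFieldAuditor(HTMLParser):
    """Collect password inputs whose value attribute was pre-filled by the server.

    A password field should be sent to the client empty; the server keeps a
    hash, never the plaintext, so there is nothing to echo back.
    """

    def __init__(self):
        super().__init__()
        self.leaks = []
        self._current_form = None  # action of the enclosing <form>, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current_form = a.get("action")
            return
        if tag != "input":
            return
        if (a.get("type") or "").lower() == "password" and a.get("value"):
            self.leaks.append({
                "form": self._current_form,
                "name": a.get("name", "?"),
                "value": a["value"],
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None


def find_leaked_passwords(html):
    """Return a list of {form, name, value} for every pre-filled password field."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.leaks


def is_default_credential(username, password):
    """True if the pair is on the default-credential list (case-insensitive username)."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


# Constructed sample page: three "user profile" forms. Only the first leaks.
SAMPLE_PAGE = """
<html><body>
<h1>List of users</h1>
<form action="/users/1001">
  <input type="text" name="username" value="jperez">
  <input type="password" name="password" value="Ver4z!2017">
</form>
<form action="/users/1002">
  <input type="text" name="username" value="mlopez">
  <input type="password" name="password" value="">
</form>
<form action="/users/1003">
  <input type="text" name="username" value="admin">
  <input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for leak in find_leaked_passwords(SAMPLE_PAGE):
        print(f"LEAK in form {leak['form']}: field {leak['name']!r} carries a plaintext password")
    if is_default_credential("admin", "admin"):
        print("login uses a default credential pair; change it before exposing the portal")
```

The second and third forms show the correct shape: the password input is either empty or has no value attribute at all. Fixing the first form on the client side (hiding the attribute with JavaScript) changes nothing; the remedy is on the server, which should store only a password hash and therefore have no plaintext to render.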

link to this extract

Failure to patch two-month-old bug led to massive Equifax breach • Ars Technica

Dan Goodin:


The Equifax breach that exposed sensitive data for as many as 143 million US consumers was accomplished by exploiting a Web application vulnerability that had been patched more than two months earlier, officials with the credit reporting service said Thursday.

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” company officials wrote in an update posted online. “We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.


At what point does not updating become dereliction of duty?
link to this extract

Photos: What it was like to attend Apple’s iPhone X event • Recode

Dan Frommer:


it was the first keynote Apple held in its new Steve Jobs Theater — named after the late Apple founder, who made these “Stevenotes” into the sort of mainstream cultural and media events that millions of people would stream live.

I was in attendance yesterday and took hundreds of photos. Here’s my experience, as told through a few dozen.


They’re great pictures (well, spoiled by some clown in one of them). The one that really captures it is the young kid, who we thought might be the tech correspondent for the Ellen DeGeneres show – seriously. One day, all tech correspondents will be this young, or old.

What that picture really shows, though, is the amazing size of Apple’s new building, in the distance. It’s perhaps 500m away. It’s circular. And it just seems to go on and on; you can see one edge, but not the other. You know the spaceship in Independence Day, which just looms over everything? Like that, but landed.
link to this extract

Google’s influence over its network of influencers • Search Neutrality

Shivaun and Adam Raff run Foundem, the “vertical search” (shopping) site which first complained to the EC about Google’s demotion of their site in organic results:


We accept that many of the academics and other professionals within Google’s extensive network of influencers sincerely believe that their pro-Google opinions are their own and are not influenced by their (or their institution’s) financial ties to Google. However, it is noteworthy how often these opinions are underpinned by an eerily consistent misrepresentation of the basic facts of the Google case that belies, at the very least, a failure to treat Google’s representations of the case with the healthy scepticism one would normally reserve for a defendant.

The criticisms of the EC’s Google Search verdict by Google-funded academics and think tanks have tended to rely on and mirror many of the same fundamental misrepresentations and omissions that Google’s own criticisms of the verdict rely on. For example:

• They tend to focus exclusively on Google’s anti-competitive promotion of its own services (through Universal Search), while ignoring Google’s anti-competitive demotions and exclusions of competing services (through anti-competitive penalties). This is an important omission because any defence of one practice inevitably undermines the defence of the other.

• They neglect to point out that pay-for-placement advertisements are not a substitute for the relevance-based search results they are anti-competitively replacing. This is not a minor omission: paid advertisements are not what users visit Google for, and, when they are used to promote the merchants willing to pay Google the most money for a click rather than those offering users the lowest prices, the resultant user harm is obvious.

• They ignore the inconvenient yet immutable fact that Google only introduced these pay-for-placement advertisements (which underpin all of Google’s misleading ad-based arguments) in February 2013—at least 7 years after the introduction of Google’s anti-competitive practices, 3 years after the start of the EC’s investigation, and 11 months after the commencement of “settlement” negotiations with Commissioner Almunia. (See our December 2016 Paper for some of the history, context, and consumer harm resulting from Google’s progressive blurring of the lines between search results and pay-for-placement ads).

The perception-shaping power of Google’s sophisticated and disciplined PR machine is far-reaching.


link to this extract

Apple Watch Edition 3 vs Samsung Gear S3 Frontier LTE • SmartWatch Specifications

The contrast is remarkable: the Apple Watch screen is notably bigger (1.65in v 1.3in), and yet smaller in every other dimension; even compared to the 42mm Watch, not the 38mm, the Samsung has 64% more volume and weighs 33% more.

Some of the finer details on the comparison are wrong though – it doesn’t seem to accept you can take and make calls on the Apple Watch, and it suggests it works with Android devices. It doesn’t.

And of course the Apple Watch will have the same phone number as its parent iPhone; the Samsung device won’t. But don’t get me started on the utter ripoff of the prices carriers are charging for data plans for the Watch, which is substitutional use rather than additive. They should be ashamed. (Via Ben Thompson.)
link to this extract

Do autonomous cars dream of driverless roads? • Dark Reading

Laurence Pitt is strategic director for security at Juniper Networks in Europe/Mid-East/Africa:


The UK government is seeking to take a leadership role in the development of these rules by contributing an Autonomous and Electric Vehicle bill which will create a new insurance framework for self-driving cars. In tandem, the UK Department for Transport and Centre for the Protection of National Infrastructure have released a series of documents outlining principles of cyber security for connected and automated vehicles. These documents form a modern version of Asimov’s Robotic Laws, but with the focus being on the automotive manufacturers to ensure that these vehicles are developed with a defense-in-depth approach so that they remain resilient to threat at all times – even in situations where sensors are unable to respond due to attack or failure.

This legislation will put the United Kingdom at the centre of these new and exciting technological developments, while ensuring that safety and consumer protection remain at the heart of an emerging industry.


Top marks to the sub-editor who ignored Pitt’s chosen narrative (Asimov’s Laws, which as he points out aren’t applicable because the cars aren’t sentient) and went with the Philip K Dick one for the headline.

In fact, I’d say it’s headline of the month.
link to this extract

Errata, corrigenda and ai no corrida: the review of the Essential phone in yesterday’s roundup was by Ryan Whitwam, not David Ruddock.
