Web readers! For next week, you can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.
A selection of 10 links for you. Unharassed. I’m @charlesarthur on Twitter. Observations and links welcome.
In May credit reporting service Equifax’s website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors’ computers with adware that was detected by only three of 65 antivirus providers.
Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to check what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp://centerbluray.info that looked like this:
He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the influence of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he’d see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.
The reason why people are prepared to believe they need a Flash update is that since 2010 the number of “critical” flaws has been over 50 annually – implying an update once a week on average. In 2015 the number of “critical” (not just trivial) flaws hit 294 – that’s roughly one update every working day.
So nobody is going to be surprised by a page that tells them to update Flash Player – except if they don’t have Flash Player installed. Which is the correct approach.
As for Equifax getting its site hacked – perhaps that shouldn’t be installed either.
link to this extract
The new financing round comes as Magic Leap readies a long-awaited debut product, a headset that shows images overlaid against the real world, known as augmented reality. The company has been working on prototypes for years but has not yet had a product for consumers to buy. Despite this, it has raised $1.4bn from investors such as venture capital firm Andreessen Horowitz and e-commerce company Alibaba, giving it a valuation last year of $4.5bn.
Magic Leap has come under scrutiny for misleading investors with dazzling demonstrations of technology that will not actually be in the final product, and releasing marketing videos that purported to be Magic Leap technology but were actually created by special effects companies, according to a report in December by news site The Information.
While the company has been working in secret for years, releasing little information about its launch date, competitors such as Facebook Inc’s Oculus have gained ground.
Flipping biscuits. Even more money? If they don’t come up with a product some time soon they’re going to need the most astounding pivot in the history of the wheel.
link to this extract
When a company emits a ton of carbon dioxide, what damage has it caused, exactly? The answer is called the “social cost of carbon,” which may be the most important number that you’ve never heard of.
If the number is large, regulation of greenhouse gas emissions will be amply justified. If it is small, not so much. In proposing to scrap the Obama administration’s Clean Power Plan, the Environmental Protection Agency recently announced that the social cost of carbon is close to zero. Well, a bit higher than that, but not a lot.
More remarkably still, the EPA offered hardly any reasons for its decision. As Ring Lardner once put it: “Shut up, he explained.”…
…In 2010, the group [convened in part by Sunstein to price that social cost] produced a central value of $21 for the social cost of carbon. By 2016, new research resulted in an update, yielding a figure of $36.
For policy, that number matters, because it can play a big role in deciding on whether to go forward with numerous regulations — and in producing the chosen level of stringency. The group’s estimate was also upheld in court.
But science and economics continue to evolve. A more recent estimate, by Yale economist William Nordhaus (often mentioned as a candidate for the Nobel Prize), finds that the $36 figure is just a bit too high; he favors $31. Other experts think that $36 is far too low, with estimates ranging to $200 or higher.
The EPA’s figure under President Donald Trump? Maybe $1. Maybe as high as $6.
How did it get there? The EPA knew enough not to deny that climate change is occurring. The major driver behind its low number was its decision to consider only damage to the US – and to ignore damage to people in every other nation on the face of the planet.
“America First. Screw everyone else.”
link to this extract
Cameras concealed within the screen will track the make, model and colour of passing cars to deliver more targeted adverts. Brands can even pre-program triggers so that specific adverts are played when a certain model of car passes the screen, according to Landsec, the company that owns the screens.
The giant screen replaces six separate screens that previously wrapped around the buildings at Piccadilly Circus, each one dedicated to a different brand. “This screen can be electronically carved up as opposed to having individual screens,” says Landsec portfolio director Vasiliki Arvaniti.
This also means that the entire screen can be taken up by a single advert – something that had been tried on earlier versions of the display, but didn’t really work with six screens of different sizes, made by different manufacturers…
…Landsec won’t say when exactly it’s planning on switching on the screen for the first time as it doesn’t want to cause overcrowding in the West End. When the screen does finally flicker into life, however, it’ll also provide free public Wi-Fi to people in the area.
That giveaway isn’t entirely altruistic, however. The big screen advertisers will also sponsor the Wi-Fi landing page, so getting away from those adverts just got a little bit trickier.
No such thing as a free lunch, or free Wi-Fi.
link to this extract
Sonos’ policy change, outlined by chief legal officer Craig Shelburne, allows the gizmo manufacturer to slurp personal information about each owner, such as email addresses and locations, and system telemetry – collectively referred to as functional data – in order to implement third-party services, specifically voice control through Amazon’s Alexa software, and for its own internal use.
“If you choose not to provide the functional data, you won’t be able to receive software updates,” a Sonos spokesperson explained at the time. “It’s not like if you don’t accept it, we’d be shutting down your device or intentionally bricking it.”
A handful of customers, however, have managed to brick their Sonos speakers by refusing to accept the data harvesting terms accompanying version 7.4+ of the firmware and then subsequently updating their Sonos mobile app to a version out of sync with their legacy firmware.
In an email to The Register, a reader by the name of Dave wrote: “You should know that in the latest update it is now impossible to use the player without updating, effectively bricking my three devices. Numerous attempts to contact Sonos have met with silence on the issue, and the phone number in the app for support is no longer valid.”
Easy to get this wrong. Also problematic.
link to this extract
Isis is facing near total defeat in Iraq and Syria – but it has been beaten and come back before • The Independent
Isis is suffering heavy defeats but it would be premature to believe that it is totally out of business. Its commanders will have foreseen that, however hard they fought, they would lose Mosul and Raqqa in the end. To fight on they have prepared bunkers, weapons caches and food stocks in the deserts and semi-deserts between Iraq and Syria where they can hope to ride out the storm and perhaps make a comeback in a few years’ time. Isis succeeded in doing this before, after being defeated by the US and anti-Isis Sunni Arabs in 2006-08 but returning stronger than ever after 2011 when the political situation in the region favoured it once again.
This might happen a second time as the unwieldy combination of different states and movements, which includes everybody from the US and Iran to the Syrian army, Hezbollah in Lebanon and the Iraqi Shia paramilitaries, begins to fall apart. Nevertheless a rebirth of Isis looks unlikely because its explosion onto the world stage over the last three years so shocked international and regional powers that they will be wary of allowing Isis to recreate itself.
Isis does still have strengths: the latest recording of its leader Abu Bakr al-Baghdadi indicates that he is still alive and, so long as this is true, it will be difficult to declare his Caliphate quite dead.
Shouldn’t those old mainframe applications just be rewritten? It ain’t that easy. Yeah, I know, you’ve heard about rewrites for years. But the reason why most of those Visual Basic, dBase III, and PHP apps (that’s right, I’m saying they weren’t mainframe apps) were rewritten every 5 years is because they weren’t written that well to begin with. Meanwhile, the mainframe apps have been running well for decades. The Return On Investment (ROI) for rewrites of mainframe applications just hasn’t been there. Case in point: In the mid ‘80s I wrote a traffic system for Hanover Brands Inc. that is still in use today.
But then there’s this retiring and expiring thing. Why not just bite the bullet and do the rewrite?
Rewrites are never easy and, for huge applications, they are often failures. Just a few weeks ago, I did a rewrite of a little, itty, bitty, PHP application to Ruby and Rails. Now, I’m pretty good with Ruby and OK with PHP but, even though it was just over a thousand lines, I still missed stuff. Mainframe Cobol and RPG applications are a wee bit more complex. It is common for an RPG program to be ten, and Cobol to be twenty, thousand lines long.
Multiply that by hundreds and hundreds of programs and you have an application that has a mega-million lines. Worse than that, many of those programs were written before modular programming techniques became available.
Typically, all variables in one of these behemoths are global. I remember, a dozen years or so ago, I had a jest-quest in articles and seminars of a Diogenes-like search for a local variable in mainframe code. Diogenes never found an honest man and I had problems finding local variables in circa-70s code.
Kaspersky’s researchers noted that [Israeli] attackers had managed to burrow deep into the company’s computers and evade detection for months. Investigators later discovered that the Israeli hackers had implanted multiple back doors into Kaspersky’s systems, employing sophisticated tools to steal passwords, take screenshots, and vacuum up emails and documents.
In its June 2015 report, Kaspersky noted that its attackers seemed primarily interested in the company’s work on nation-state attacks, particularly Kaspersky’s work on the “Equation Group” — its private industry term for the N.S.A. — and the “Regin” campaign, another industry term for a hacking unit inside the United Kingdom’s intelligence agency, the Government Communications Headquarters, or GCHQ.
Israeli intelligence officers informed the N.S.A. that in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs, and pulling any findings back to Russian intelligence systems. They provided their N.S.A. counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.
Israel worked with the US on Stuxnet; it would make sense that it would tell the US what it found.
link to this extract
In the first half of 2015, Kaspersky was making aggressive sales pitches to numerous U.S. intelligence and law enforcement agencies, including the FBI and NSA, multiple U.S. officials told CyberScoop. The sales pitch caught officials’ attention inside the FBI’s Counterterrorism Division when Kaspersky representatives boasted they could leverage their product in order to facilitate the capture of targets tied to terrorism in the Middle East. While some were intrigued by the offer, other more technical members of the intelligence community took the pitch to mean that Kaspersky’s anti-virus software could effectively be used as a spying tool, according to current U.S. intelligence officials who received briefings on the matter.
The flirtation between the FBI and Kaspersky went far enough that the bureau began looking closely at the company and interviewing employees in what’s been described by a U.S. intelligence official as “due diligence” after Counterterrorism Division officials viewed Kaspersky’s offerings with interest.
The examination of Kaspersky was immediately noticed in Moscow. In the middle of July 2015, a group of CIA officials were called into a Moscow meeting with officials from the FSB, the successor to the KGB. The message, delivered as a diplomatic démarche, was clear: Do not interfere with Kaspersky.
The démarche is not public and has not been previously reported on. A démarche typically comes from a foreign ministry and is addressed to another country’s diplomats in an effort to send a message and often to lodge a protest. Officials told CyberScoop that the 2015 document was worded as an objection to what the Russians deemed malicious interference against the Moscow company.
The whole Kaspersky incident is deeply puzzling.
link to this extract
Facebook and Twitter could be asked to pay for action against the “undeniable suffering” social media can cause, the culture secretary has said.
Cyber-bullying, trolling, abuse and under-age access to porn will be targeted in plans drawn up by Karen Bradley to make the online world safer. Ms Bradley wants social media groups to sign up to a voluntary code of practice and help fund campaigns against abuse. She also wants social media platforms to reveal the scale of online hate.
Almost a fifth of 12 to 15-year-olds have seen something they found worrying or nasty, and almost half of adults have seen something that has upset or offended them, on social media – according to the government.
Despite promising to introduce new laws regulating the internet in the Conservative Party’s manifesto, Ms Bradley told the BBC that legislating would take “far too long”. She said that the plan was for a “collaborative approach” with internet groups, adding that she sees a “willingness from them”.
She added: “Many of them say: ‘When we founded these businesses we were in our 20s, we didn’t have children… now we’re older and we have teenagers ourselves we want to solve this’”.
What fresh nonsense is this? What sort of government thinks something is so important that it isn’t going to legislate it because that’s too slow? It’s like the negation of what government is for.
“Voluntary” codes are the classic “observe in letter but not spirit” thing. And on American companies? It’s a PR front which will change little.
link to this extract
Errata, corrigenda and ai no corrida: none notified