Start Up: what Facebook knows, no no Lenovo!, why clocks go clockwise, Amazon hacking!, and more

DJI (makers of this drone) seems to have reneged on a bug bounty deal after flaws in its server setup were exposed. Photo by GTimofey on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 12 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.

How to find out what Facebook knows about you • CNBC

Todd Haselton:


I recently quit Facebook, but decided to return for one final task: To find out exactly what Facebook knows about me.

After some quick digging, I found out that Facebook knows:

Where I’m logged in and on what computer
I like smartphones and am an early tech adopter
I’ve clicked ads for laptop briefcases
I am most likely to interact with ads from Lyft and Nike over others
I’m liberal but prefer to read about Republican news stories
I’m married
My birthday is in March
I work for CNBC
I tend to access the social network from a tablet or smartphone.

I provided some of this information to Facebook, while other info Facebook gathered based on my interactions.

I’m going to deactivate my account again, but before I do I wanted to walk you through how to find out what Facebook knows about you, too.

Before we get started, know that you can click any image below to see a larger version. Let’s go.

First, open your Facebook page and tap “Settings” then “Ads”…


link to this extract

A war of words puts Facebook at the centre of Myanmar’s Rohingya crisis • The New York Times

Megan Specia and Paul Mozur:


Myanmar’s government has barred Ashin Wirathu, an ultranationalist Buddhist monk, from public preaching for the past year, saying his speeches helped fuel the violence against the country’s Rohingya ethnic group that the United Nations calls ethnic cleansing.

So he has turned to an even more powerful and ubiquitous platform to get his message out — Facebook.

Every day he posts updates, often containing false information, that spread a narrative of the Rohingya as aggressive outsiders. And posts like these have put Facebook at the center of a fierce information war that is contributing to the crisis involving the minority group. International human rights groups say Facebook should be doing more to prevent the hateful speech, focusing as much on global human rights as on its business.

“Facebook is quick on taking down swastikas, but then they don’t get to Wirathu’s hate speech where he’s saying Muslims are dogs,” said Phil Robertson, deputy director of Human Rights Watch’s Asia division.


This is from the end of October, but the trajectory it describes is disturbing. Myanmar is the country which adopted smartphones more quickly than any other; it also adopted Facebook pretty fast, going from about 4.7m users (10% of the population) in July 2015 to 9.7m (20%) in May 2016, and an estimated 11m by June 2017. (I’d expect the latter figure is too low.)
link to this extract

Le-no-no-vo • Bloomberg Gadfly

Tim Culpan:


the Chinese company is considering purchasing the PC business of Toshiba, pitting itself [ie bidding] against Taiwan’s Asustek Computer, according to Nikkei. The Japanese company stopped short of denying any spinoff plans, saying that reports of a sale “are not grounded in fact, nor is it in discussion with any individual company.”

Just two weeks ago, I argued that Lenovo needs to shift focus away from personal computers. It’s in this business mostly out of habit and shouldn’t be throwing more money into such an anemic sector without solid signs that the market, or Lenovo’s strategy, are about to undergo drastic improvement. 

Even the mere hint that Lenovo may be entertaining another deal should have shareholders worried.

To date, the company has failed to make good on its hefty purchases of Motorola Mobility’s smartphone unit and IBM’s server business. An investment of 20 billion yen to 31 billion yen ($178m to $276m) to take 51% of Fujitsu Ltd.’s client computing division, announced earlier this month, will add to the indigestion. Buying Toshiba’s computer business would risk turning that into nausea.

Lenovo is very proud of its rising PC market share and crows about it constantly. Those gains over the past six years have been largely organic instead of being juiced by acquiring other brands. At the same time, they didn’t result in huge revenue increases, since we’re in a declining market.


Lenovo and Acer fighting for Toshiba’s business is a bit like the proverbial bald men fighting over a comb, except in this case they’ve both got hair and the comb has no teeth. Toshiba’s PC business is a mess.
link to this extract

In-depth: why clocks run clockwise (and some watches and clocks that don’t) • Hodinkee

Jack Forster:


The explanation for the overwhelming preference for clockwise movement of clock hands is somewhat obscure, but a likely explanation (and one often cited) is that if you happen to be in the northern hemisphere, and you stand facing the Sun’s path across the sky, you’ll see it describe a clockwise arc as it travels from the east, to the southern sky overhead, and finally to the west, where it sets. If you make a sundial, the shadow the sundial throws will likewise follow a clockwise course, going from west to north to east (in opposition to the path of the Sun).  Early clocks, so the thinking goes, simply reflected the apparent motion of the Sun, and of the gnomon (pointer) of a sundial. 


There’s more, but you’ve got your pub quiz answer now.
link to this extract

Man gets threats—not bug bounty—after finding DJI customer data in public view • Ars Technica UK

Sean Gallagher:


DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the “wildcard” certificate for all the company’s Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI’s systems under DJI’s bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback — including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company’s “final offer” for the data. So Finisterre dropped out of the program and published his findings publicly on 16 November, along with a narrative entitled, “Why I walked away from $30,000 of DJI bounty money.”

DJI launched its bug bounty this fall shortly after the US Army issued a ban on using DJI drones for any military purpose due to “operational security” concerns. There were also spreading reports of people hacking the firmware of DJI drones—some have even posted hacks to GitHub by Finisterre. But according to Finisterre, the program was clearly rushed out. The company did not, and has yet to, define the scope of the bounty program publicly. So when Finisterre discovered that DJI’s SSL certificates and firmware AES encryption keys had been exposed through searches on GitHub—in some cases for as long as four years — he contacted the company to see if its servers were within the scope of the bug bounty program. He was told they were — a statement that would later be walked back from by DJI officials.


Finisterre didn’t do anything that DJI wasn’t in effect inviting through its bug bounty program. It was also amazingly slow to respond to his early requests.

And you were wondering why the US military banned the use of DJI kit back in August over “cyber vulnerabilities”? DJI’s bug bounty program seems to have been set up in response – but as Finisterre (who has been acknowledged by other companies, including Apple, for finding bugs) discovered, it couldn’t distinguish between people trying to help, and people trying to hack.
link to this extract
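An added defender-side example, not from the Ars article and not DJI’s or Finisterre’s code: a small Python scanner for the three kinds of secret the story describes (PEM private keys, AWS access key IDs and hex-encoded AES keys), meant to run over a repository tree before code is pushed. The sample input is constructed; the AKIA value is AWS’s documented example key ID, not a live credential, and the entropy threshold is an assumption chosen to skip zero-filled placeholders.

```python
import math
import os
import re
import sys
from collections import Counter

# Patterns for the classes of secret the DJI story describes: TLS private keys,
# AWS credentials and firmware AES keys committed to a public repository.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 128- or 256-bit hex string assigned to something named like a key.
HEX_KEY_ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:key|secret|iv)\w*)\s*[=:]\s*['\"]?"
    r"([0-9a-f]{64}|[0-9a-f]{32})(?![0-9a-f])")
# Assumed threshold in bits per character: hex tops out at 4.0, a zero-filled
# placeholder scores 0, so this separates real key material from dummies.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<text>"):
    """Return (path, line number, kind) for every suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_PRIVATE_KEY.search(line):
            findings.append((path, lineno, "pem-private-key"))
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((path, lineno, "aws-access-key-id"))
        for m in HEX_KEY_ASSIGNMENT.finditer(line):
            if shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "hex-key-assignment"))
    return findings


def scan_tree(root):
    """Scan every readable file under root, skipping the .git metadata directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as f:
                    findings.extend(scan_text(f.read(), path))
            except OSError:
                continue
    return findings


# Constructed sample: a public certificate (harmless), a private key block,
# AWS's documented example access key ID, a real-looking AES key and a zeroed IV.
SAMPLE = """\
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
FIRMWARE_AES_KEY = "3f2a9c1d8e7b6a5f4e3d2c1b0a9f8e7d"
STATIC_IV = "00000000000000000000000000000000"
"""

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for path, lineno, kind in results:
        print(f"{path}:{lineno}: {kind}")
    sys.exit(1 if results else 0)
```

Run with a directory argument to scan a checkout; the non-zero exit status makes it usable as a pre-commit or CI gate.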

There’s a digital media crash, but no one will say it • Talking Points Memo

Josh Marshall:


Let’s try a very simple visualization of what I’m describing. Remember, there are too many publications relative to advertising revenue. So let’s imagine there are 30 publications and 25 revenue seats. The publications fight like hell to secure one of the seats. Then the platform monopolies came along and sat down in maybe 5 or 10 of the 25 seats. You can see the problem. The competition of 30 publications competing for 15 seats gets insane. A bunch of the publications are going to die or be forced to find another way to fund themselves.

Now, here’s the too little discussed part of the equation. A huge, huge, huge amount of digital media is funded by venture capital. That’s not just to say they had investors at the start but in effect a key revenue stream of many digital publications has been on-going infusions of new investment.

Much of that investment has been premised on the assumption that scale – being huge – would allow publications to create stable and defensible business models. There are a lot of moving parts to the strategies. But it essentially comes down to this idea: get big enough and you can solve the chronic problem of over-supply of publications in your favor through sales at volume and being able to command stable, premium advertising rates. But that hasn’t happened…

… The point is that investors are realizing that scale cannot replicate the kind of business model lock-in, price premiums and revenue stability people thought it would. Another way of putting that is that the future that VCs and other investors were investing hundreds of millions of dollars in probably doesn’t exist. That means that they’re much less likely to invest more money at anything like the valuations these companies have been claiming.

The big picture is that Problem #1 (too many publications) and Problem #2 (platform monopolies) have catalyzed together to create Problem #3 (investors realize they were investing in a mirage and don’t want to invest any more). Each is compounding each other and leading to something like the crash effect you see in other bubbles.


One thing that might alleviate this: getting rid of rampant online ad fraud, where huge amounts of money sloshes through third-party ad networks which don’t check that it is spent showing stuff to humans rather than bots.
link to this extract

Amazon Key delivery driver could knock out in-home service’s security camera, researchers show • The Seattle Times

Matt Day:


Amazon Key, which became available to customers last week, gives Amazon delivery drivers one-time access to a residence to drop off a package. The program, designed to eliminate the theft of packages left outside a home and to open up the potential for remote authorization of other home services, is a test of whether consumers trust Amazon enough to give the online retailer access to the front door.

It relies on two pieces of hardware: a smart lock, and Cloud Cam, which communicates with Amazon’s servers to authorize the driver to unlock the door, and then records the delivery, beaming live or recorded video to a smartphone app to give the homeowner peace of mind.

Rhino Security Labs, a security research outfit based in Capitol Hill, showed that it could exploit a weakness in the Wi-Fi protocol that Cloud Cam and many other devices use to communicate with their router. A savvy hacker within Wi-Fi range can send a series of “deauthorization” commands to a specific device, temporarily severing its link to the internet.

In the case of Amazon’s Cloud Cam, that means the camera would stop recording and sending images to Amazon’s servers. A delivery driver who had already received approval to unlock the front door could, before exiting and locking the door, roam inside without being recorded. Or, as demonstrated in a video posted by Rhino, leave the home and re-enter undetected.


Please tell me you’re not surprised.
link to this extract

Google has picked an answer for you—too bad it’s often wrong • WSJ

Jack Nicas:


“Who are the worst CEOs of all time?” Google answered with the names and photos of 11 chief executives, including Gordon Bethune of Continental Airlines and Robert Nardelli of Home Depot Inc.

Sometimes, Google’s response depends on how the question is asked. For “Should abortion be legal?” Google cited a South African news site saying, “It is not the place of government to legislate against woman’s choices.”

When asked, “Should abortion be illegal?” it promoted an answer from obscure clickbait site stating, “Abortion is murder.”

The promoted answers, called featured snippets, are outlined in boxes above other results and presented in larger type, often with images. Google’s voice assistant sometimes reads them aloud. They give Google’s secret algorithms even greater power to shape public opinion, given that surveys show people consider search engines their most-trusted source of information, over traditional media or social media.

Google typically lists the source below the answer—or credits the source first when reading an answer aloud—but not always. The worst-CEOs list was unsourced. “That’s the dumbest bunch of shit I’ve ever seen,” Mr. Bethune said in an interview. Mr. Nardelli declined to comment.


It’s a nice idea, but it’s fatally flawed. Google cleaves to the idea that the most popular result is the canonically correct one. That has long since ceased to be the case.
link to this extract

HomePod delay suggests Siri integration is harder than expected • Loup Ventures

Gene Munster:


Déjà vu. This isn’t the first time Apple has delayed a product release. Today’s announcement brings us back to April of 2007. Apple is working on the iPhone, set to launch in June, and planning on releasing Mac OS X 10.5 Leopard around the same time. On April 12 Apple released a statement saying, “iPhone contains the most sophisticated software ever shipped on a mobile device, and finishing it on time has not come without a price. We had to borrow some key software engineering and QA resources from our Mac OS X team. As a result, we will not be able to release Leopard at our Worldwide Developers Conference in early June as planned. We think it will be well worth the wait. Life often presents tradeoffs, and in this case, we’re sure we’ve made the right ones.”

Did Apple make the right tradeoffs with HomePod? We think so – the damage to the brand as a result of shipping a half-baked product is greater than the potential benefit of pushing it out in time to capture holiday sales. The level of connectivity in Apple’s device ecosystem leads us to believe that HomePod will deliver a superior experience, and loyal Apple consumers will be rewarded for waiting. And the loyal Apple user base would have made up the vast majority of 2017 HomePod sales anyway. In the same Bloomberg interview post-WWDC, Cook added, “For us, it’s not about being first, it’s about being the best.”


OK, it’s Gene Munster, but on this he’s probably right: people who were going to buy a HomePod will likely hold on.
link to this extract

FaceID is brilliant because it’s subtraction instead of addition • Daniel Miessler


The goal for mobile device security shouldn’t be just making security better, but also making it less visible and explicit.

FaceID is an upgrade not just because it’s more accurate than TouchID, or because it’s a faster way to authenticate—it’s an upgrade because you are basically removing the authentication step entirely.

A great way to visualize this point is to imagine a similar handheld device from a superior alien race. Assuming they needed such an interface or display at all, they would simply handle their device normally and it would still allow them to perform sensitive actions.

To an unfamiliar observer it might seem like no authentication took place, like one could just pick up any device and start taking sensitive actions on their behalf. But in reality all of that functionality had just been removed from the workflow and done automatically. It’s security made invisible and effortless.

That’s what FaceID is, and why it represents such an improvement: it adds security while removing friction.


This is absolutely right. But as he points out, if you add the convenience but lower security, you’re taking the easy path which doesn’t actually help the customer. (FaceID’s claimed security is equivalent to a random six-digit passcode; some of the facial recognition systems out there are as secure as a two-digit code.)
link to this extract

You’ll probably never read the iPhone X review that would be most useful to you •

Khoi Vinh:


You could argue that three years is an unrealistically long time to expect a smartphone to be able to keep up with the rapidly changing—and almost exponentially increasing—demands that we as users put on these devices. Personally, I would argue the opposite, that these things should be built to last at least three years, if for no other reason than as a society we shouldn’t be throwing these devices away so quickly.

But even if you disagree with me, even if you’re the kind of person who upgrades to a new phone every year, I think you’d still agree that it would be useful to know how well these devices hold up after one or even two years.

Now, I know it sounds kind of counter-intuitive to read a review of a product a year or more after everyone who would consider buying it has already bought it. But imagine if the sites and publications that review these products did make it a habit to revisit them down the road. Imagine if twelve months from now you could read about how well today’s iPhone X holds up with iOS 12, and also with whatever slate of third-party apps that can reasonably be understood as essential—the 2018 versions of Instagram, Spotify, Twitter or whatever. Imagine that at regular intervals we could see benchmarks on a freshly restored iPhone X running the latest software and getting a quantified and qualified idea of how well that piece of hardware has aged over time.

If reviewers revisited these products in this way, it would give us a whole new dimension of understanding. It would tell us how well-designed these phones really are, whether the manufacturers really understand how technology—and the world—changes within a two or three year time frame. And it would help us judge for ourselves how much effort the companies are investing into ensuring the quality of their products over the lifetime in which they’re used. Basically, it would give us, as customers, a richer track record for these companies, so that we can hold them accountable in a way that tends to go unnoticed today.


link to this extract

Mac keyboard shortcuts • Apple Support


By pressing a combination of keys, you can do things that normally need a mouse, trackpad, or other input device.

To use a keyboard shortcut, hold down one or more modifier keys while pressing the last key of the shortcut. For example, to use the shortcut Command-C (copy), hold down Command, press C, then release both keys.


This is a long and comprehensive (obviously) list. You might find some you didn’t know about here, if you use a Mac. Windows version welcomed.
link to this extract

Errata, corrigenda and ai no corrida: none notified

1 thought on “Start Up: what Facebook knows, no no Lenovo!, why clocks go clockwise, Amazon hacking!, and more”

  1. re Lenovo: In a declining industry in a consolidation phase, don’t the leftovers of the vanquished have disproportionate value? I think the name of the game right now is to buy out the losers, and push Acer out leaving HP+Dell+Lenovo+Asus, thus regaining pricing power? The PC market must be attractive in some ways, Huawei and Xiaomi have entered it recently.

    re easier ID: it also needs to de-ID then; ie work only when it sees my face or hasn’t been dropped. At work at more angles, esp. flat on table. Hopefully this will become standard quickly and rid us of passwords…
