Start Up: Murdoch’s Facebook demand, the ICO hacks, who’s got 2FA?, Google’s un-VPN, and more

CRISPR/Cas9 in neurons. Is what’s happening in China like this? Photo by the National Institutes of Health (NIH) on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 8 links for you. Tolerable. I’m @charlesarthur on Twitter. Observations and links welcome.

Rupert Murdoch: Facebook, Google should pay for trusted news • CNBC

John Shinal:


Rupert Murdoch said on Monday that Facebook and Google have made “scurrilous” news sources popular, and that the U.S. tech giants should pay publishers if they want “trusted” content.

“Facebook and Google have popularized scurrilous news sources through algorithms that are profitable for these platforms but inherently unreliable,” the News Corp. chairman said in a statement.

“If Facebook wants to recognize ‘trusted’ publishers then it should pay those publishers a carriage fee similar to the model adopted by cable companies,” Murdoch said.

The statement comes after Facebook said Friday it would survey its users about what news sources they trust, and tweak its ranking software to help promote the more credible ones.

In his own Facebook post last week, CEO Mark Zuckerberg said, “I’ve asked our product teams to make sure we prioritize news that is trustworthy, informative, and local. And we’re starting next week with trusted sources.”


He keeps trying to find ways to make this happen, and they keep failing.

China, unhampered by rules, races ahead in gene-editing trials • WSJ

Preetika Rana, Amy Dockser Marcus and Wenxin Fan:


In a hospital west of Shanghai, Wu Shixiu since March has been trying to treat cancer patients using a promising new gene-editing tool.

U.S. scientists helped devise the tool, known as Crispr-Cas9, which has captured global attention since a 2012 report said it can be used to edit DNA. Doctors haven’t been allowed to use it in human trials in America. That isn’t the case for Dr. Wu and others in China.

In a quirk of the globalized technology arena, Dr. Wu can forge ahead with the tool because he faces few regulatory hurdles to testing it on humans. His hospital’s review board took just an afternoon to sign off on his trial. He didn’t need national regulators’ approval and has few reporting requirements.

Dr. Wu’s team at Hangzhou Cancer Hospital has been drawing blood from esophageal-cancer patients, shipping it by high-speed rail to a lab that modifies disease-fighting cells using Crispr-Cas9 by deleting a gene that interferes with the immune system’s ability to fight cancer. His team then infuses the cells back into the patients, hoping the reprogrammed DNA will destroy the disease.

In contrast, what’s expected to be the first human Crispr trial outside China has yet to begin. The University of Pennsylvania has spent nearly two years addressing federal and other requirements, including numerous safety checks designed to minimize risks to patients. While Penn hasn’t received final federal clearance to proceed, “we hope to get clearance soon,” a Penn spokeswoman said…

…There is little doubt China was first out of the block testing Crispr on humans. Nine trials in China are listed in a U.S. National Library of Medicine database. The Wall Street Journal found at least two other hospital trials, including one beginning in 2015—a year earlier than previously reported. Journal reporting found at least 86 Chinese patients have had their genes edited.

The trials align with China’s industrial policy. As part of its drive to place China on the global stage in a multitude of industries, Beijing in a 2016 five-year plan highlighted gene editing. Many of the Crispr trials emerged after that call-to-arms.


Expected. Also: please don’t let this be the opening scene of a zombie apocalypse.

More than 10% of $3.7bn raised in ICOs has been stolen: Ernst & Young

Anna Irrera:


More than 10% of funds raised through “initial coin offerings” are lost or stolen in hacker attacks, according to new research by Ernst & Young that delves into the risks of investing in cryptocurrency projects online.

The professional services firm analyzed more than 372 ICOs, in which new digital currencies are distributed to buyers, and found that roughly $400m of the total $3.7bn funds raised to date had been stolen, according to research published on Monday.

Phishing was the most widely used hacking technique for ICOs, with hackers stealing up to $1.5m in ICO proceeds per month, according to the report.

The research also noted that the volume of ICOs has been slowing since late 2017. Less than 25% of ICOs reached their target in November, compared with 90% in June.

The study comes amid a cryptocurrency investing craze, with young companies raising hundreds of millions of dollars online to fund their projects, with often little more than a handful of employees and a business plan outlined in a so-called “white paper”.


Going to keep pointing this stuff out until the inevitable happens.

Who’s using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication • The Register

Iain Thomson:


It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it.

In a presentation at Usenix’s Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10% of active Google accounts use two-step authentication to lock down their services. He also said only about 12% of Americans have a password manager to protect their accounts, according to a 2016 Pew study.

We polled El Reg readers on Twitter just before we published this piece, asking: “What percentage, rounded to nearest integer, of Gmail users do you think use two-factor authentication?” Out of 838 followers who responded within the hour, 82% correctly selected less than 10%. The rest picked more than 10%.

The Register asked Milka why Google didn’t just make two-factor mandatory across all accounts, and the response was telling. “The answer is usability,” he replied. “It’s about how many people would we drive out if we force them to use additional security.”

Please, if you haven’t already done so, just enable two-step authentication. This means when you or someone else tries to log into your account, they need not only your password but authorization from another device, such as your phone. So, simply stealing your password isn’t enough – they need your unlocked phone, or similar, to get in.


I consider it a mark of achievement that I got all my family onto 2FA. And recall that it was the lack of 2FA on John Podesta’s personal email account that meant a phished password was all it took for it to be hacked to such disastrous effect.

Meanwhile inside Google…

BeyondCorp: how Google ditched VPNs for remote employee access • The New Stack


Today, none of Google’s employee-facing applications are on a virtual private network. They all have public IP addresses.

The company feels this approach, which it has dubbed BeyondCorp, is the “new cloud model,” for doing cloud security, asserted Neal Mueller, head of infrastructure product marketing at Google, who gave a presentation on this approach at the O’Reilly Security conference, held recently in New York.

This model can fall under a number of rubrics in the security community, including “zero-trust” or “perimeter-less” security. It is the opposite of the traditional approach of security, which Mueller described as “the castle” approach, in which a strong firewall is used to set off an internal network that can only be accessed by way of a virtual private network (VPN).

The problem with the “castle” approach is that once the perimeter is breached, the entire internal network, and all the associated applications, are at risk. “Do not trust your network. It is probably already owned,” added Max Saltonstall, a Google program manager for corporate engineering, who also participated in the presentation. Phishing, man-in-the-middle, SQL Injection attacks all find fertile ground on VPNs.

Plus, a VPN was cumbersome to use, and slowed performance, especially for overseas workers. And it is no walk in the park for admins either.


Fascinating how Google is inverting this whole idea, and letting anyone – who is correctly authorised – access it. And it must be enormously confident to give a presentation like this (more slides in the full article) where hackers will target its systems.

A powered-on ‘Xbox Watch’ emerges, shows off fitness focus • Windows Central

Jez Corden:


Images of the so-called “Xbox Watch” have surfaced before, but this is the first time we’ve been able to see the device powered on (no chargers seem to exist for this thing.)

The pictures come via Hikari Calyx on Twitter, showing off an extremely early version of the Xbox Watch in a powered-on state. At this stage, the device only sported four apps, “Workout,” “GPS,” “Settings,” and a USB debugger for developers.

This device preceded the Microsoft Band, and might have been a response to how well Nintendo was able to position console gaming as a fitness option, back during the Wii Fit craze. We believe that the technology developed for the “Xbox Watch” eventually got rolled into the Microsoft Band, which, of course, also got cancelled.


Wise to cancel it. This wasn’t going to be a winner, and the writing was already on the wall of Microsoft’s mobile ecosystem.

Why ads keep redirecting you to scammy sites and what we’re doing about it • Vox

Winston Hearn, who – like you probably did at some point recently – found himself diverted to a scammy site when he’d clicked on what seemed like a safe page:


another engineer and I became curious about what exactly was happening to cause the redirect and annoy all users served the malicious ad. We dug in and were extremely surprised that the frigging thing could not be more simple. When the ad landed on the page there were about three lines of code. That code creates a link, just like the one you click to go to any page on the web, then waits seven seconds before triggering a click on the link, which causes the browser to redirect you. That’s it. Why seven seconds? Most likely to avoid security tools that actively scan sites to try and detect ads like this, although that is just speculation on my part.

Let me be extremely clear: we hate these malicious ads with the fire of a thousand suns and are working actively to keep them off of our sites. We use automated services that regularly scan our sites trying to find malicious ads. We work with ad-selling partners to try to ensure the ads that are sold and served on our sites are high quality. And Vox Media’s AdOps team is constantly monitoring social media, email and Slack for reports of anything that seems questionable (not just malicious).

Despite all this, malicious ads like this pop up every few months. After this recent round, we started investigating what else we can do to prevent these ads from harming your experience on our sites. The ideal solution would be for ads to be delivered to our sites in a safe way that prevent things like this. Google allows advertisers to treat these safer options as opt-in, which means nothing currently prevents scammers from sneaking in ads that cause App Store or gift card redirects.



10 typography trends to look for in 2018 • Elegant Resources

B.J. Keeton:


The internet changes so quickly and so often that web designers can barely keep up. What works for clients and converts well one month might completely falter the next. So we have to keep up with trends, specifically with typography because it is so foundational to every single project we work on.

2018 is pretty exciting, honestly, because there are some trends that we’re seeing that may just shake up what we’ve taken for granted over the past few years.

Let’s take a look at what this year has in store for us!


Your guide to all the things you’re going to be squinting at this year saying “Why can’t it just be in clean type dammit.”

Errata, corrigenda and ai no corrida: none notified
