Start Up: cryptominer attack!, torturing paper, the iBoot leakers, what we say to machines, and more

Your musical taste seems to be set when you were 13. Radiohead fan? Does that fit? Photo by rula on Flickr.

»You can sign up to receive each day’s Start Up post by email (arriving at about 0800GMT each weekday). You’ll need to click a confirmation link, so no spam.«

A selection of 11 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.

Protect your site from cryptojacking – with CSP + SRI • Scott Helme

Helme noticed that thousands of sites, including government sites, were running a cryptominer via a hacked JavaScript file. As he points out, to hack 2,000 sites you don’t hack 2,000, you hack one:


This is not a particularly new attack and we’ve known for a long time that CDNs [content delivery networks] or other hosted assets are a prime target to compromise a single target and then infect potentially many thousands of websites. The thing is though, there’s a pretty easy way to defend yourself against this attack. Let’s take the ICO as an example, they load the affected file like this:

<script src="//" type="text/javascript"></script>

That’s a pretty standard way to load a JS file and the browser will go and fetch that file and include it in the page, along with the crypto miner… Want to know how you can easily stop this attack?

<script src="//" integrity="sha256-Abhisa/nS9WMne/YX+dqiFINl+JiE15MCWvASJvVtIk=" crossorigin="anonymous"></script>

That’s it. With that tiny change to how the script is loaded, this attack would have been completely neutralised. What I’ve done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page. To take this one step further and ensure absolute protection, you can use Content Security Policy and the require-sri-for directive to make sure that no script is allowed to load on the page without an SRI integrity attribute. In short, this could have been totally avoided by all of those involved even though the file was modified by hackers.


Sure, he’s selling a service. But it’s a useful service.
link to this extract
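As an added example (not code from Helme's post or from this page), here is a small Python model of the two halves of the defence the extract describes: how the integrity value for a reviewed script is generated, and how a browser checks fetched bytes against it, including the rule that only the strongest listed algorithm counts. The script contents, the CDN path and the "appended line" are constructed for the example.

```python
import base64
import hashlib

# Strength order from the SRI spec: when an integrity attribute lists several
# algorithms, the browser only considers the strongest one it supports.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha256") -> str:
    """Return the value the integrity attribute expects: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(integrity: str) -> dict:
    """Parse a whitespace-separated integrity value into {algo: {b64 digests}}.
    Unknown algorithms and malformed tokens are skipped, as a browser would."""
    out: dict = {}
    for token in integrity.split():
        algo, sep, value = token.partition("-")
        value = value.split("?", 1)[0]  # the spec allows '?options' after the digest
        if sep and algo in _STRENGTH and value:
            out.setdefault(algo, set()).add(value)
    return out


def sri_ok(content: bytes, integrity: str) -> bool:
    """Emulate the browser: accept the fetched bytes only if they match at least
    one digest listed under the strongest algorithm in the integrity attribute."""
    parsed = parse_integrity(integrity)
    if not parsed:
        return True  # no usable metadata means no constraint, per the spec
    strongest = max(parsed, key=_STRENGTH.get)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


def script_tag(src: str, content: bytes) -> str:
    """Build the protected tag for a script whose bytes have been reviewed.
    crossorigin="anonymous" is required for SRI checks on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


# Constructed sample: the script as reviewed, and the same file after an
# unauthorised line was appended to it (the page's CDN-compromise scenario).
TRUSTED_JS = b"(function(){window.addEventListener('load',function(){/* widget */});})();\n"
TAMPERED_JS = TRUSTED_JS + b"/* appended by a third party */ startUnwantedMiner();\n"

if __name__ == "__main__":
    pinned = sri_hash(TRUSTED_JS)
    print(script_tag("//cdn.example/widget.js", TRUSTED_JS))
    print("reviewed file accepted:", sri_ok(TRUSTED_JS, pinned))
    print("modified file accepted:", sri_ok(TAMPERED_JS, pinned))
```

Once the bytes on the CDN differ from the reviewed copy, `sri_ok` returns False and the browser refuses to execute the file, which is exactly why the modified script in the extract would never have run.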

How a low-level Apple employee leaked some of the iPhone’s most sensitive code • Motherboard

Lorenzo Franceschi-Bicchierai:


A user named “ZioShiba” posted the closed source code for iBoot—the part of iOS responsible for ensuring a trusted boot of the operating system—to GitHub, the internet’s largest repository of open source code.

Jonathan Levin, an iPhone researcher, called it the “biggest leak” in the history of the iPhone. The iBoot code is for iOS 9 and the code is two-years old. But even today, it could help iOS security researchers and the jailbreak community find new bugs and vulnerabilities in a key part of the iPhone’s locked-down ecosystem.

The leak of the iBoot source code is not a security risk for most—if any—users, as Apple said in a statement. But it’s an embarrassment for a company that prides itself in secrecy and aggressively goes after leaks and leakers.

How does something like this happen?

A low-level Apple employee with friends in the jailbreaking community took code from Apple while working at the company’s Cupertino headquarters in 2016, according to two people who originally received the code from the employee. Motherboard has corroborated these accounts with text messages and screenshots from the time of the original leak and has also spoken to a third source familiar with the story.

Motherboard has granted these sources anonymity given the likelihood of Apple going after them for obtaining and distributing proprietary, copyrighted software. The original Apple employee did not respond to our request for comment and said through his friend that he did not currently want to talk about it because he signed a non-disclosure agreement with Apple.

According to these sources, the person who stole the code didn’t have an axe to grind with Apple. Instead, while working at Apple, friends of the employee encouraged the worker to leak internal Apple code. Those friends were in the jailbreaking community and wanted the source code for their security research.


Man, that guy was some idiot. Apple is sure to track these people down, and they’re going to get sued to oblivion.
link to this extract

The songs that bind • NY Times

Seth Stephens-Davidowitz:


For this project, the music streaming service Spotify gave me data on how frequently every song is listened to by men and women of each particular age.

The patterns were clear. Even though there is a recognized canon of rock music, there are big differences by birth year in how popular a song is.

Consider, for example, the song “Creep,” by Radiohead. This is the 164th most popular song among men who are now 38 years old. But it is not in the top 300 for the cohort born 10 years earlier or 10 years later.

Note that the men who most like “Creep” now were roughly 14 when the song came out in 1993. In fact, this is a consistent pattern.

I did a similar analysis with every song that topped the Billboard charts from 1960 to 2000. In particular, I measured how old their biggest fans today were when these songs first came out.

It turns out that the “Creep” situation is pretty much universal. Songs that came out decades earlier are now, on average, most popular among men who were 14 when they were first released. The most important period for men in forming their adult tastes was the ages 13 to 16.

What about women? On average, their favorite songs came out when they were 13. The most important period for women was the ages 11 to 14.

Granted, some results of my research are not surprising. One of the facts I discovered is that Coolio’s “Gangsta’s Paradise” is extremely unpopular among women in their 70s. Thank you, Big Data, for uncovering that nugget of wisdom!

But I did find it interesting how clear the patterns were and how much early adolescence matters. The key years, in fact, match closely with the end of puberty, which tends to happen to girls before boys.


This metric indicates that I am *looks at iTunes most-played* 31 years old.
link to this extract

HomePod initial impressions • GR36

Greg Morris:


I was dead set on returning the HomePod after I had played around with it. My Sonos speakers have been one of the best devices I have spent money on, and I found it hard to believe they could be replaced.

However given a very small time with the HomePod both myself and the family have been converted. The device has already replaced two Sonos Play:1 speakers upstairs and I will more than likely buy another to replace a Play:3 downstairs in time. This is said with a little resistance, as the HomePod only exists to keep iOS users in the ecosystem and gain Apple Music subscribers. Yes, Spotify works, in a roundabout way, but the experience is much better with Apple Music.

Although the smart aspects of the HomePod leave a lot to be desired, so does using Alexa with my Sonos speakers. There are a lot of features that I feel are missing from the device to make every user happy, however for me the device is more than capable of doing what I require. Apple really needs to pull out all the stops this WWDC and introduce many platform changes to Siri for risk of being even further behind.


link to this extract

Why paper jams persist • New Yorker

Annie Proulx:


Bruce Thompson, the computer modeller who sat at the head of the table, had spent days creating a simulation of the jam. “We’re dealing with a highly nonlinear entity moving at a very high speed,” he said. On the screen, his wireframes showed a sheet of paper in mid-flight. He called up a shadowy slow-motion video made inside the press. “There’s a good inch before the vacuum takes effect,” he observed.

The team began to consider their options. The most obvious fix would have been to buffet the paper upward from below using a device called an air knife. This was off limits, however, because the bottom side was coated with loose toner. “An air knife will just blow the toner right off,” Ruiz said. Another possibility was to place “fingers”—small, projecting pieces of plastic—where they could support the corners as they began to droop. “That might create a higher jam rate on different paper shapes,” an engineer said—it could be a “stub point.” A mystified silence descended.

A mechanical engineer named Dave Breed pointed toward the upside-down conveyor belt. “The vacuum pump actually works by pulling air through holes in the belts,” he said. “So what is the pattern of those holes relative to the corners? Maybe there’s no suction there.”

On the whiteboard, Ruiz sketched a diagram of the conveyor belt—the V.P.T., or vacuum-paper transport—showing the holes through which the suction operated. “Optimize belt pattern,” he wrote.

“If my understanding of air systems is right,” Breed went on, “then the force that gets a sheet moving isn’t really pressure—it’s flow.”


You thought you didn’t care about printers, but this will make you care about printers, and realise that – as one person says – “a printer is a torture chamber for paper”. (So, is Annie Proulx between books?)
link to this extract

What 3,000 voice search queries tell us about the ‘voice search revolution’ • Search Engine Land

Bryson Meunier:


My family of five in the suburbs of Chicago, Illinois, has been using Google Home for a little over a year. We use it daily and now have five Google Homes in the house since the kids got Google Home Minis for Christmas.

Google returns personalized data in MyActivity, which you can filter by voice search queries. It’s not easy to extract, but when I did it manually, I extracted a total of 3,188 queries that mostly occurred between October 8, 2017, and January 10, 2018. These were mostly queries using Google Home, but some of them were voice queries from smartphone, desktop and tablet.

I have three kids under 8 years old, so not every query was crystal clear. When I categorized the queries, “unknown” was my sixth-largest category, and it comprised queries like my six-year-old daughter asking Google Home, “Does Google Home belong to me or my little brother” and queries I didn’t know we were making, like “All right, Blake if you’re going to be good you can come down,” after I told my 3-year-old he could come down from his time out.

But the findings largely show what my family uses the Google Home for. I am sharing my findings in hopes it will help other marketers find actual ways to promote their businesses with these devices and will provide value to themselves and to searchers.

Keep in mind while most of these are Google Home voice queries, we also search by voice from our smartphones and tablets, and those voice-based queries are included here as well.

By far, the number one thing we asked of our Google Home was to stop, which usually meant to stop playing “Cherry Bomb,” “Ghostbusters,” “Jingle Bells” or some other song my 3-year old decided was worthy of playing 10 times a day.


This seems to indicate that there’s a pretty narrow range of transactions one wants to (or can) carry out with these devices. Limitation of the voice UI, or what it can do?
link to this extract

About • Complexity Explorables

Dirk Brockmann:


This page is part of the Research on Complex Systems Group at the Institute for Theoretical Biology at Humboldt University of Berlin.

The site is designed for people interested in complex dynamical processes. The Explorables are carefully chosen in such a way that the key elements of their behavior can be explored and explained without too much math (There are a few exceptions) and with as few words as possible.

Almost all interactive visualizations are implemented in D3 (Data Driven Documents). All the Explorables should work on your laptop or desktop computer and on Chrome, Safari and Firefox. Not sure about IE. Some of the Explorables may not work on mobile devices but hopefully the majority does.

Complexity Explorables is also designed as an instructive element of a course in Complex Systems in Biology that I teach.


You could spend a lot of time playing around here. Double pendulums, plant growth, and all sorts of dynamic mathematical-biological processes are yours to play with.
link to this extract

Quantifying the value of bitcoin • Medium

Noah Ruderman puts the bull case for bitcoin’s trading value:


Quantifying the value of Bitcoin
tldr; $184k, maybe.

The value of Bitcoin is not a complete mystery. The problems that Bitcoin addresses have existed since the dawn of trade. Bitcoin’s value largely comes from presenting a compelling alternative to existing solutions. The value of solving a problem can be quantified with heuristics that put a number on the cost of the problem or the cost of implementing an existing solution. We can put a number on Bitcoin by summing these values and dividing by the total supply that will ever exist excluding lost coins. Like estimations in physics, the hope is that the final number will be accurate to an order of magnitude.

I start with a few assumptions:
• Bitcoin’s primary use case is as a censorship-resistant store of value
• Bitcoin will be the premier store of value among cryptocurrencies

Let’s get started.


This really is the optimist’s read on how it could be used (“censorship-resistant transactions for institutions and government”) which is worth reading so that at least you can have your counterarguments ready. (For a start, I think some of his use cases overlap, which means he’s double-counting his theoretical benefits.)

Unless you agree with him, in which case BUY AND HODL!
link to this extract

Russian nuclear scientists arrested for ‘bitcoin mining plot’ • BBC


Russian security officers have arrested several scientists working at a top-secret Russian nuclear warhead facility for allegedly mining crypto-currencies.
The suspects had tried to use one of Russia’s most powerful supercomputers to mine Bitcoins, media reports say.

The Federal Nuclear Centre in Sarov, western Russia, is a restricted area.

The centre’s press service said: “There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining.”

The supercomputer was not supposed to be connected to the internet – to prevent intrusion – and once the scientists attempted to do so, the nuclear centre’s security department was alerted. They were handed over to the Federal Security Service (FSB), the Russian news service Mash says.

“As far as we are aware, a criminal case has been launched against them,” the press service told Interfax news agency.


link to this extract

Has anyone seen the president? • Bloomberg View

Michael Lewis, author of Liar’s Poker, Moneyball and The Big Short, goes to Washington for the White House press room and lunch and some TV viewing with Steve Bannon:


“If you can get Trump elected president, you can get anyone elected president. And so I want you to tell me the steps I’d need to take to get elected. What do we need to do?”

He shakes his head quickly. The question doesn’t offend him. He just thinks I’m missing the point. “What was needed was a blunt force instrument, and Trump was a blunt force instrument,” he says. Trump may be a barbarian. He may be in many senses stupid. But in Bannon’s view, Trump has several truly peculiar strengths. The first is his stamina. “I give a talk to a room with 50 people and I’m drained afterward,” Bannon says. “This guy got up five and six times a day in front of 10,000 people, day in and day out. He’s 70! Hillary Clinton couldn’t do that. She could do one.” The public events were not trivial occasions, in Bannon’s view. They whipped up the emotion that got Trump elected: anger. “We got elected on Drain the Swamp, Lock Her Up, Build a Wall,” he says. “This was pure anger. Anger and fear is what gets people to the polls.”

The ability to tap anger in others was another of Trump’s gifts, and made him, uniquely in the field of Republican candidates, suited to what Bannon saw as the task at hand: Trump was himself angry. The deepest parts of him are angry and dark, Bannon told Wolff. Exactly what Trump has to be angry about was unclear. He’s had all of life’s advantages. Yet he acts like a man who has been cheated once too often, and is justifiably outraged. What Bannon loved was the way Trump sounded when he was angry. He’d gone to the best schools, but he had somehow emerged from them with the grammar and diction of an uneducated person. “The vernacular,” Bannon called Trump’s odd way of putting things. Other angry people, some of whom actually had been cheated by life, thrilled to its sound.


If Lewis has written this, he’s almost certainly writing a book about it. That’s something to look forward to.
link to this extract

Errata, corrigenda and ai no corrida: none notified.
