Start Up: Skype’s unfixed bug, retesting HomePod, Android cryptomining, Nokia’s back!, and more

“Professional drone racer” is an actual job title now. Photo by Ars Electronica on Flickr

»You can sign up to receive each day’s Start Up post by email (arriving at about 0800GMT each weekday). You’ll need to click a confirmation link, so no spam.«

A selection of 12 links for you. It’s amazing what you can fit in. I’m @charlesarthur on Twitter. Observations and links welcome.

Skype can’t fix a nasty security bug without a massive code rewrite • ZDNet

Zack Whittaker:


A security flaw in Skype’s updater process can allow an attacker to gain system-level privileges to a vulnerable computer.

The bug, if exploited, can escalate a local unprivileged user to the full “system” level rights — granting them access to every corner of the operating system.

But Microsoft, which owns the voice- and video-calling service, said it won’t immediately fix the flaw, because the bug would require too much work.

Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs.


Not going to fix a deep bug in Skype for Windows?! The root cause is mundane rather than deep: an updater that runs with elevated rights asks Windows for a library by bare name, and Windows looks for it in the directory the updater is running from (here, a temporary folder an unprivileged user can write to) before it looks in System32. Whoever gets a file called UXTheme.dll into that folder first wins, and the fix is to load system libraries by full path or from the system directory only, which is apparently what needs the rewrite.
link to this extract
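The search-order problem the extract describes, as an added example (not code from the ZDNet article, from Stefan Kanthak's advisory or from Microsoft): a small Python model of the order in which Windows looks for a DLL requested by bare name, with constructed directory names and a constructed file layout. It shows why an updater copied to a temporary folder and run from there will pick up a planted UXTheme.dll before the real one in System32, and why restricting the lookup to the system directory (the equivalent of loading by full path or with a system-only search flag) closes that door.

```python
"""
Added example (not code from the ZDNet article, Stefan Kanthak or Microsoft):
a small model of the Windows DLL search order, showing why an installer that
runs from a user-writable directory can be made to load a planted DLL instead
of the real one. Directory names and the fake filesystem are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    """Constructed picture of one Windows machine's relevant directories."""
    app_dir: str        # directory the executable was started from
    system_dir: str     # C:\Windows\System32
    windows_dir: str    # C:\Windows
    cwd: str            # process current directory
    path: list          # entries of %PATH%
    files: dict = field(default_factory=dict)         # dir -> {file names}
    user_writable: set = field(default_factory=set)   # dirs a normal user can write to

    def search_order(self):
        # Order LoadLibrary("name.dll") uses with SafeDllSearchMode on (the
        # default since XP SP2): application directory first, then the system
        # directories, then the current directory, then each %PATH% entry.
        return [self.app_dir, self.system_dir, self.windows_dir, self.cwd, *self.path]

    def resolve(self, dll, order=None):
        """Directory whose copy of `dll` is picked, or None if it is absent."""
        for d in (order if order is not None else self.search_order()):
            if dll in self.files.get(d, set()):
                return d
        return None

    def resolve_system_only(self, dll):
        # Analogue of LOAD_LIBRARY_SEARCH_SYSTEM32 or loading by full path:
        # never consult the application, current or %PATH% directories.
        return self.resolve(dll, order=[self.system_dir])

    def hijack_points(self, dll):
        """Writable directories searched *before* the legitimate copy of `dll`."""
        legit = self.resolve(dll)
        points = []
        for d in self.search_order():
            if d == legit:
                break
            if d in self.user_writable and d not in points:
                points.append(d)
        return points

    def plant(self, directory, dll):
        """All an unprivileged attacker can do: drop a file in a writable dir."""
        if directory not in self.user_writable:
            raise PermissionError(f"{directory} is not writable by an unprivileged user")
        self.files.setdefault(directory, set()).add(dll)


def build_demo_host():
    # Constructed layout: the updater has been copied to %TEMP% and run from there.
    temp = r"C:\Users\alice\AppData\Local\Temp"
    sys32 = r"C:\Windows\System32"
    win = r"C:\Windows"
    return Host(
        app_dir=temp,
        system_dir=sys32,
        windows_dir=win,
        cwd=temp,
        path=[sys32, win, r"C:\Users\alice\bin"],
        files={sys32: {"UXTheme.dll", "kernel32.dll"}, temp: {"SkypeSetup.exe"}},
        user_writable={temp, r"C:\Users\alice\bin"},
    )


if __name__ == "__main__":
    host = build_demo_host()
    dll = "UXTheme.dll"
    print("before:", host.resolve(dll))                # C:\Windows\System32
    print("hijack points:", host.hijack_points(dll))   # the %TEMP% directory
    host.plant(host.app_dir, dll)
    print("after planting:", host.resolve(dll))        # %TEMP%: the planted copy wins
    print("system-only lookup:", host.resolve_system_only(dll))  # still System32
```

`hijack_points` is the check to run against any elevated installer: every user-writable directory that precedes the legitimate library in the search order is a place an ordinary user can plant code that runs as SYSTEM. `resolve_system_only` is the shape of the fix the article says Skype's updater lacks.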

Head to head, does the Apple HomePod really sound the best? • Yahoo

David Pogue did an A/B/C/D test on the Sonos Play:1, HomePod, Amazon Echo, and Google Home Max. People didn’t pick the HomePod overall as the best sound:


I actually have no great explanation for this outcome. Most of the panelists had ranked the HomePod (“B”) as first on some of the songs — just not most of the songs.

Rob: “For me, A, the Sonos, consistently had the most robust sound of all of them.”
Tori: “The Sonos won two of them for me. ‘B’ [HomePod] won the ‘Star Wars.’”
Dana: “‘B’ [HomePod] won one of mine. I felt like ‘A’ [Sonos], a lot of times, sounded a lot more sharp.”
Julie: “I picked between B and D [HomePod and Google Home Max] as being the two best. B and D were pretty clear. And C [the Amazon Echo] came in consistently last for me.”
Darwin: “I actually found A [the Sonos] to be the one that I hated the most. B [HomePod] did win one for me. It won ‘Havana,’ because it had a better low end. But I generally picked D [Google Home Max], because it had a clearer, nicer range. As a classical person, I definitely would go with D. But if I were listening to more pop stuff, I could see where ‘A’ [Sonos] could win.”

So what are we to make of this? Why did none of my panelists rank HomePod a solid No. 1, when most critics all do (and so do I)?

Was something wrong with my setup? Well, no, because the night before, using the same setup, [wife] Nicki and [former tour sound engineer] Mike both ranked the HomePod No. 1.


link to this extract

60 million Android users hit by cryptocurrency miner • Tom’s Guide

Marshall Honorof:


A new malvertising campaign is targeting Android users, forcing their phones to mine cryptocurrency, for as long as it can keep them captive on a shady website. The good news is that the scam is easy to avoid; the bad news is that if you fall victim, it could damage your phone permanently.

Malwarebytes Labs, a Santa Clara, California-based security firm, discovered the scheme, then wrote about it on the company blog. According to security researcher Jérôme Segura, the attack is an example of “drive-by mining,” in which a malefactor exploits a device to mine cryptocurrency (in this case, Monero, or XMR) for just a short period of time.

While Malwarebytes didn’t specify which sites might be carrying the dangerous ads in question, at least one of them must be pretty popular. Dr. Augustine Fou, working alongside Malwarebytes, discovered that more than 60 million visitors have visited the malicious domains, and spent an average of four minutes on the page. That’s probably equivalent to a few thousand dollars in Monero — and a lot of overtaxed Android CPUs…

…Here’s how the attack works: First, a user encounters a malicious ad on an otherwise-legitimate site. The ad determines what browser a user is running, and by extension, what OS. If the ad detects Android, it redirects the user to a malicious page, which claims that the phone is “showing suspicious surfing behavior.” Users have to input a captcha to “verify [themselves] as human.”

You’ve seen similarly shady pages if you’ve spent any time in an Android browser, but this one has a catch: It states that until users complete the captcha, it will “mine the Cryptocurrency (sic) Monero for us in order to recover server costs incurred by bot traffic.”


“You’ve seen similarly shady pages if you’ve spent any time in an Android browser”?
link to this extract

Nokia sells 4.4m smartphones in Q4 2017, surpassing OnePlus, Google and others • Tech Radar

Sudhanshu Singh:


The 4.4 million figure puts Nokia at the 11th position in the list of companies with highest market share. This also means that Nokia sold more phones in the last quarter than a lot of other popular brands. Some of the companies that sold fewer smartphones than Nokia are: Google, HTC, Sony, Alcatel, Lenovo, OnePlus, Gionee, Meizu, Coolpad and Asus.


Amazing. And it sold 20.7m featurephones (over 2017, one assumes). In total sales – smartphone plus featurephone – it was in 6th spot, with 5% market share. The power of a brand.

IDC reckons the Google Pixel sold 3.9m, since you ask.
link to this extract

How Osso VR is revolutionizing the way surgeons train for operations • UploadVR

David Jagneaux:


Osso VR is a virtual reality technology company founded on the principle of training surgeons with real-world skills that can be directly applied when in the OR. It’s impressively designed and even the U.S. Department of Education agreed when they awarded the studio an EdSim prize.

Recently I had the chance to try out one of the training modules for myself to see what it was like. In the scenario I was installing a rod into someone’s shin after they had suffered a fracture. The virtual prompts walked me through each action, from drilling in screws to nailing in rods and everything else. It was a very kinetic training exercise and one that wouldn’t be feasible to try for the first time on a real patient without prior knowledge.

To prove the effectiveness of their training modules Osso VR conducted a study. They had one group of students study the procedure using text books and other traditional forms of education while the other group simply did the VR exercise and that’s it. When both groups tried to perform the procedure on a test body, the VR group dramatically outperformed the non-VR group, as was determined by an impartial blind judge.


To be really useful, you’d want haptic feedback on this. Professional uses for VR really look promising. (Consumer uses I’m less sure about.)
link to this extract

Facebook is pushing its data-tracking Onavo VPN within its main mobile app • Techcrunch

Sarah Perez:


Onavo Protect, the VPN client from the data-security app maker acquired by Facebook back in 2013, has now popped up in the Facebook app itself, under the banner “Protect” in the navigation menu. Clicking through on “Protect” will redirect Facebook users to the “Onavo Protect – VPN Security” app’s listing on the App Store.

We’re currently seeing this option on iOS only, which may indicate it’s more of a test than a full rollout here in the U.S. It’s unclear what percentage of Facebook’s user base is seeing the option, or which markets may have had this listing before, as there’s been little reporting on the feature.

We do know this is not the first time Onavo’s Protect has shown up in Facebook’s app – it was spotted before in 2016 in the UK.

Marketing Onavo within Facebook itself could lead to a boost in users for the VPN app, which promises to warn users of malicious websites and keep information secure – like bank account and credit card numbers – as you browse. But Facebook didn’t buy Onavo for its security protections.

Instead, Onavo’s VPN allows Facebook to monitor user activity across apps, giving Facebook a big advantage in terms of spotting new trends across the larger mobile ecosystem. For example, Facebook gets an early heads up about apps that are becoming breakout hits; it can tell which are seeing slowing user growth; it sees which apps’ new features appear to be resonating with their users, and much more.


To be fair: a VPN does protect you against whoever runs the network you happen to be on (the café Wi-Fi, the hotel), and Facebook does get a benefit from offering one. What a VPN cannot protect you from is its operator, who sees which apps and servers you connect to and when – and that vantage point across every app on the phone is precisely what Onavo gives Facebook. Which is no different from the way that any free VPN will seek to monetise you – quite possibly less beneficially for you.
link to this extract

Six top US intelligence chiefs caution against buying Huawei phones • CNBC

Sara Salinas:


Six top U.S. intelligence chiefs told the Senate Intelligence Committee on Tuesday they would not advise Americans to use products or services from Chinese smartphone maker Huawei.

The six — including the heads of the CIA, FBI, NSA and the director of national intelligence — first expressed their distrust of Apple-rival Huawei and fellow Chinese telecom company ZTE in reference to public servants and state agencies.

When prompted during the hearing, all six indicated they would not recommend private citizens use products from the Chinese companies.

“We’re deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks,” FBI Director Chris Wray testified.

“That provides the capacity to exert pressure or control over our telecommunications infrastructure,” Wray said. “It provides the capacity to maliciously modify or steal information. And it provides the capacity to conduct undetected espionage.”


Paranoia? Or justifiable caution? After all, nothing is proven here in public, and other western governments take a different line: the UK, rather than excluding Huawei, has its equipment examined at a GCHQ-overseen evaluation centre (HCSEC) – though I don’t know if anyone at GCHQ would use a Huawei phone. Wonder what they do use?
link to this extract

The trippy, high-speed world of drone racing • New Yorker

Vinson Cunningham looks at the new world of professional drone racing:


Flying their drones every day constitutes the core of their schedule, so, after lunch at a sandwich shop in Fort Collins (wooden tables, deluxe combos, artisanal sodas), Jordan and Travis drove us in Jordan’s new Subaru WRX hatchback into the Roosevelt National Forest and up the Cache la Poudre Canyon. The river, known as the Pooder, is one of the better trout-fishing streams in the state, and it provides angling access along the road every quarter mile or so. They stopped at a narrow pullout against the canyon wall, took out their equipment, goggled up, and sent the drones skyward. The rock formations in the canyon resembled books slumped this way and that on a shelf, with an occasional pillar standing out like a book’s denuded spine. The drones glided along the vertical rocks almost caressingly and wound among the scrubby junipers growing just downslope, as the motors made a high-pitched, sewing-machine sound.

Extra goggles had been brought so that I could watch along with the pilot. I found it impossible to do that without sitting on the tailgate and holding tightly to the car. At each swoop and plunge, the F.P.V. [first-person view] view causes the uninitiated brain to think it’s about to die. After a few minutes, I took the goggles off, with relief. Watching the drones again without them, I noticed the canyon rocks’ black, cubistic shadow patterns for the first time. While Jordan flew, Travis told me about the passing flock of geese he tried to join with his drone, and about seeing a bear suddenly pop up in his F.P.V. He brought the drone back for a second look; the bear did not seem bothered.

Jordan’s drone hit a juniper branch and crashed. Putting his goggles aside, he sprang up the steep slope and retrieved drone, battery, and GoPro camera. A crash that scatters parts is called a yard sale, a term that is also used to describe a gear-strewing fall in skiing. Jordan skis and used to do ski acrobatics, but gave that up in his late teens after an accident in which he smashed his knee into his head and had to recuperate in bed for a month. Like a number of other drone racers, he has replaced a high-adrenaline physical sport with one in which you crash only vicariously.


link to this extract

Why the Connected PC initiative misses the mark • Techpinions

Tim Bajarin:


While in theory, I like the idea of always being connected, anytime and anywhere, I knew from our research that connectivity via cellular was not a high priority when it comes to features wanted in a laptop. Indeed, we have had the availability of cellular modems as options for laptops for over ten years, and demand for this feature in laptops is very low.

Another good benchmark to measure demand for cellular connectivity beyond a smartphone is the cellular activation rates of iPads. It turns out that of all iPads sold, around 50% buy up to include a cellular modem. But our research shows that less than 20% of those iPads with a cellular modem in them activate them. [So only 10% of all iPads – CA.]

The key reason for lack of real demand for a cellular connection in a laptop or a tablet is the additional cellular costs this adds to a person’s cell phone bill. When I asked one major cellular carrier about how they would price the connection on a connected PC, they said it would be an additional $10 or $12 a month fee, and data used on a laptop would count against the person’s monthly data allotment they pay for already.

I could imagine that a younger demographic user who watches a lot of YouTube videos and accesses a lot of content on their laptops now, could go through their allotted all-you-can-eat 22-25 gig personal data plan in one or two weeks and then their data speeds on both their smartphone and connected laptop go down to 128 kbps.

Our research about the demand for cellular in a laptop was done sometime back so early this year we updated this survey by asking people “what are the three most important features you want in the next notebook or laptop you will buy.” As you can see from this chart below, long battery life, more memory, and larger hard drive storage topped their list.


Personally I use a PAYG (pay-as-you-go, aka prepaid) sim card. And being connected really is useful – though weirdly, one doesn’t care on a laptop.
link to this extract

Could self-driving trucks be good for truckers? • The Atlantic

Alexis C. Madrigal:


Uber does not believe that self-driving trucks will be doing “dock to dock” runs for a very long time. They see a future in which self-driving trucks drive highway miles between what they call transfer hubs, where human drivers will take over for the last miles through complex urban and industrial terrain.

For that reason, Woodrow says that he saw their version of self-driving trucks as complementing humans, not replacing them. To make their case, Uber created a model of the industry’s labor market based on Bureau of Labor Statistics data. Then, they created scenarios that looked at a range of self-driving-truck adoption rates and how often those autonomous trucks would be on the road in comparison to human-driven vehicles.

Their numbers for autonomous-truck adoption are intentionally very aggressive, Woodrow says, corresponding to 25, 50, and 70% of today’s trucks being self-driven. These do not reflect an Uber prediction that between 500,000 and 1.5 million self-driving trucks will be on the road by 2028, but rather they allow the model to show the dynamics in the labor market that might result from widespread adoption. “Imagine that self-driving trucks are incredibly successful and impactful,” he says. “What would that mean?”

The other set of numbers in the model—the utilization rate of the self-driving trucks—is the component that leads Uber to a different analysis of the effect that these vehicles will have on truckers. Basically, if the self-driving trucks are used far more efficiently, it would drive down the cost of freight, which would stimulate demand, leading to more business. And, if more freight is out on the roads, and humans are required to run it around local areas, then there will be a greater, not lesser, need for truck drivers.


Also read the full Uber writeup. Note how the narrative is shifting around these things: let robots do the boring stuff, let humans do the trickier things.
link to this extract

Fiat Chrysler pushed a UConnect update that causes constant reboots with no announced fix (updated) • Jalopnik

Jason Torchinsky:


It appears that the over-the-air update to the UConnect system went out on Friday, and many, many owners have not had working center-stack systems since then. Many of these vehicles are nearly brand-new, which makes the issue even more maddening.

(I reached out to FCA to find out what was known about the issue, if it was affecting all versions of the system, when a fix was expected, and so on, but I was surprised to find that the representative I spoke with wasn’t aware of the problem until I described it. I reached out to FCA two more times, but the first time I was told they had no statement or information yet, and the most recent time I had to leave a message. We’ll update with FCA’s response when we get it.)

The failure of the UConnect system isn’t just limited to not having a radio; like almost all modern automotive infotainment systems, the center screen, controlled by UConnect, handles things like rear-view camera systems, navigation, cell phone connection systems like Apple CarPlay or Android Auto, some climate control functions, many system and user settings, and more.

Losing access to the system on a new FCA vehicle is a major problem.


To say the least. Naturally, one’s imagination jumps forward to how it could be with self-driving cars.
link to this extract

Analyst predicts new Apple Pencil, ‘low-end’ $200 HomePod this fall/autumn • Apple Insider

Roger Fingas:


“Looking at the success of Amazon’s Echo products we believe demand could exceed 10 million units this calendar year,” wrote Rosenblatt Securities’ Jun Zhang. Apple is forecast to ship about 6 million units of the full-size [HomePod] product.

Zhang didn’t propose what features a second HomePod model might have, but much of Amazon’s success can be attributed to the Echo Dot, which sacrifices built-in sound quality in exchange for a $40-50 pricetag, about half the cost of a full-size Echo. The difference makes it practical to equip multiple rooms with Amazon’s Alexa voice assistant.

A cheaper HomePod would offer a similar benefit for Siri, but Apple might not be willing to sacrifice sound. The company has touted the product as a speaker first and AI platform second, focusing its marketing on technologies like beamforming, room correction, and the use of seven tweeters plus a dedicated woofer.

Separately, Zhang supported the idea that Apple’s 2018 lineup will include things like a faster iPhone SE and an iPad Pro with a TrueDepth camera.


The idea of Apple rushing downmarket quite so quickly with the HomePod feels a bit weird, but then again it was announced last summer – so the expectation had been that it would go on sale for last Christmas. Could a cheaper version really juice sales? Would enough people care that the sound was slightly less good? Answer to those could well be “yes” – it worked like a charm for Sonos with its Play:1 a few years ago.

As a counterargument: the AirPods have been out for more than 12 months without an update.
link to this extract

Errata, corrigenda and ai no corrida: the Sonos Play:5 does have a line-in connection; I incorrectly suggested yesterday that it doesn’t. I should have looked.

4 thoughts on “Start Up: Skype’s unfixed bug, retesting HomePod, Android cryptomining, Nokia’s back!, and more”

  1. Coming to the defense of Android again: Android is the only OS that supports the only mobile browser (Firefox) which supports full regular desktop add-ons, especially the ad-blocking and shenanigans-disabling ones. Android is thus the safest and best mobile platform for browsing.
    I don’t know what the AOSP browsers or Chrome/The OEM’s do by default. Probably not enough and not quickly enough. But a browser on mobile is the same as a browser on the desktop: you need to carefully choose it, and addons to make it work right. That’s Firefox on Android, and nothing else.

    • iOS has had “content blockers”, aka ad blockers, since ios9. Google blocks true ad blockers from the Play Store.

      Firefox also has far fewer downloads than the other browsers, and isn’t a default. Defaults are what matters here. Sure, content blockers aren’t default on iOS – but there’s no challenge getting hold of them.

      • That thread is from mid-2016. And putting the adjective “serious” in front of a word as a means of dismissing perfectly functional alternatives – “oh sure it blocks malicious content, and ads, and tracking, and cookies, but it’s not serious” – is a slack form of argument. iOS has content blocking on Safari, and you can get free adblockers on the App Store. Google blocks them from the Play Store, and you need to download an alternative browser *and* sideload the blocker (see if you can spot the security weakness) to get the same functionality. Multiple steps which go beyond the security cordon v one step that remains inside it. The fact that the original linked article goes on to suggest that the way forward is to install an antivirus suite for Android tells us what we need to know, I think.
