»You can sign up to receive each day’s Start Up post by email (arriving at about 0800GMT each weekday). You’ll need to click a confirmation link, so no spam.«
A selection of 11 links for you. Thank Workflow + Pythonista. I’m @charlesarthur on Twitter. Observations and links welcome.
So many laborers were getting hurt that [Dr] Rohringer’s colleagues began keeping an unofficial spreadsheet, separate from standard hospital records: a grim catalog of broken bones, lacerations, puncture wounds, dislocated limbs, and eyes penetrated by flying metal. The dead man Rohringer saw was not, of course, a tourist who’d stumbled over a railing—he was a builder named Hu Yuanyou, and he’d plummeted from a scaffold. His colleagues hadn’t called 911; instead, they’d pulled the work clothes off his broken body in a clumsy attempt to obscure his identity. The less that outsiders learned about the casino, the better.
Hu died building what’s become, on paper, the most successful gambling operation in history. In the first half of 2017, table for table, Imperial Pacific turned over nearly six times more cash than the fanciest gaming facilities in Macau, which themselves dwarf the activity in Las Vegas. And that was before Imperial Pacific opened its lavish megacasino in July.
Given Macau’s status as a hub for industrial-scale money laundering, the Saipan figures have left gaming veterans astonished that they could be generated on U.S. soil, under Washington’s ostensible oversight. Eight casino executives and analysts interviewed for this story, all with extensive experience of the Asian gaming trade, said they saw no way such volumes could be generated legitimately. Asked if there could be a benign explanation for such instantaneous success at a casino more than three hours’ flight from any major city, on a drowsy island where the best hotel is a 1970s-era Hyatt, one of the executives burst out laughing.
Per capita, there’s almost certainly more Chinese money moving through Saipan than anywhere else in the world.
Boardwalk Empire, Pacific version.
link to this extract
Hackers are targeting Jenkins, a continuous integration/deployment web application built in Java that allows dev teams to run automated tests and execute various operations based on test results, including deploying new code to production servers. Because of this, Jenkins servers are extremely popular not only with freelance web developers but also with large enterprises.
On Friday, Israeli security firm Check Point announced it uncovered the footprint of a large hacking operation targeting Jenkins servers left connected to the Internet.
Attackers were leveraging CVE-2017-1000353, a vulnerability in the Jenkins Java deserialization implementation that allows attackers to run malicious code remotely without needing to authenticate first.
Check Point says hackers used this vulnerability to make Jenkins servers download and install a Monero miner (minerxmr.exe).
The miner was being downloaded from an IP address located in China and assigned to the Huaian government network. It is unclear if this is the attacker’s server, or a compromised server used to host the miner on behalf of the hackers.
The attackers have been active for months. This has allowed them to mine and already cash out over 10,800 Monero, which is over $3.4m, at the time of writing.
Hardly going out on a limb to suggest it’s either Chinese or North Korean hackers.
link to this extract
Facebook is set to officially foray into the global smart speaker market in mid-2018 by launching two new models, codenamed Aloha and Fiona – both with 15-inch touchscreens – in July at the latest, with the devices positioned as a way to allow family and friends to stay in touch with video chat and various social features, according to industry sources.
The sources said that the Facebook move is expected to further heat up the global smart speaker market, which has been crowded with heavyweight players, including top supplier Amazon and other tech giants such as Google, Microsoft, Apple and many China players including Alibaba. According to estimates by market researcher Canalys, the global market sales of smart speakers are likely to double to over 50 million units in 2018 from 2017.
Supply chain sources said that Facebook was originally slated to release the devices in May, but has decided to reschedule the launch to allow more time for perfecting the acoustic quality of the gadgets and software modification.
The two models will be fitted with 15-inch in-cell touchscreen panels reportedly to be sourced from LG Display, while Taiwan’s Pegatron is also reported to be the sole contract assembler of the devices. But both firms declined to comment on matters concerning clients.
The sources said that the Aloha model is more sophisticated than Fiona, both designed by Facebook’s Building 8 hardware lab. The Aloha model, to be marketed under the official name Portal, will use voice commands but will also feature facial recognition to identify users for accessing Facebook via a wide-angle lens on the front of the device.
1) a 15-inch touchscreen? Isn’t that what’s known as a “tablet”?
2) Will it do more than Facebook – will it do the rest of the web?
3) recall that Facebook’s last foray into hardware (the HTC-made One phone) was an epic failure. This feels very me-too.
link to this extract
The Church of England struck a deal with the UK government departments to encourage the church to “use its buildings and other property to improve broadband, mobile and wifi connectivity for local communities,” the Department for Digital, Culture, Media and Sport said in a statement on Sunday.
The accord, also involving the Department for the Environment, Food and Rural Affairs, expands on an initiative that already exists in some dioceses in the UK including Chelmsford and Norwich.
“Our work has significantly improved rural access to high-speed broadband,” Bishop Stephen Cottrell of Chelmsford said in the statement.
About 65% of Anglican churches and 66% of parishes in England are in rural areas, according to the government.
The accord includes rules to ensure that any telecommunication infrastructure used doesn’t affect the character and architecture of the churches, according to the statement. The DCMS also said similar deals could be made with other religious communities.
The announcement follows last year’s pledge by the UK government that no part of the country or group in society should be without adequate connectivity, a pledge that includes the complete roll-out of 4G and superfast broadband by 2020.
Would love to know if any money is changing hands here. (Fundraising for church spire maintenance is a trope of British rural life, with giant thermometers of funds raised displayed at churches, and usually woefully far from their target.) This is a good way though for companies to bypass BT’s swingeing charges for use of its ducts and poles.
link to this extract
Trolls on twitter: how mainstream and local news outlets were used to drive a polarized news agenda • Medium
The chart below is the top-line breakdown of where these 11-plus thousand external links in my set of 36.5k troll tweets from 2016 pointed to. This includes the expanded short URLs and redirects. This shows the news outlets the troll accounts (through tweeting, retweeting, and tweet-quoting) tended to re-broadcast from the middle of 2016 through election day:
Top 25 most-linked news sources across 11.5k troll tweets (using thousands of expanded short links)
Looking at this breakdown, a result from this sample of tens of thousands of tweets is that the most-shared news outlets from 11.5k links across 388 troll accounts in the six months leading up to the election aren’t your typical hyper-partisan “fake news.”
Sure, Breitbart ranks first, but it’s followed by a long list of what many would argue are credible — if not mainstream — news organizations, as well as a surprising number of local and regional news outlets.
Another result from this analysis is the effect of “regional” troll accounts, aka the fake accounts with a city or region name in the handle (e.g., HoustonTopNews, DailySanFran, OnlineCleveland), which showed a pattern of systematically re-broadcasting local news outlets’ stories.
The linking pattern is also consistent: a large number of story links are Bitly-wrapped, and links to local outlets often originate through RSS or Google Feedproxy — to some degree co-opting local outlets’ content streams in an attempt to establish themselves and connect with local audiences.
The collapse in local news outlets in the US (largely mirrored in the UK) magnifies this effect.
link to this extract
The indictment names thirteen Russians, twelve of whom worked for a shadowy, Kremlin-connected outfit called the Internet Research Agency. The Agency has been linked to a campaign of online disinformation that included the creation of hundreds of fake political pages on Facebook and accounts on Twitter that were presented as belonging to everyday Americans; during the election, according to the indictment, this disinformation campaign was aimed at boosting Donald Trump, undermining Hillary Clinton, and sowing general “political discord” in the United States by supporting radical causes on both sides. It was sort of like a cutting-edge social-media marketing operation run, as the indictment alleges, by a St. Petersburg-based oligarch named Yevgeny Prigozhin.
Much of the information in the indictment isn’t new. The Agency was first noticed by Russian media outlets in 2014, when it was dedicated mainly to spreading online propaganda in support of pro-Russian separatists in the Ukraine conflict. In the spring of 2015, when the idea of a President Donald Trump was still a laughable fantasy, I travelled to St. Petersburg to investigate the Agency, which had recently started experimenting with targeting audiences outside Russia. As I conducted my reporting, I was myself the target of an elaborate smear campaign to label me a neo-Nazi sympathizer and U.S. intelligence agent—an early use of the kind of bizarre tactics that have been documented by numerous investigations in both the Russian and Western media, and by the internal investigations of social-media companies.
Yet the new indictment offers the most complete look yet at the Agency’s internal workings. Mueller’s investigators discovered that the Agency used a network of shell companies—entities with names like MediaSintez LLC, GlavSet LLC, and MixInfo LLC—to hide its activities and funding. The indictment alleges that the Agency employed hundreds of workers, and that by September, 2016, it had a monthly budget of more than $1.25m. The document details how the Agency’s “specialists” worked in day and night shifts, and the way they were constantly trying to measure the effect of their efforts. The employees ran fake conservative Twitter and Facebook accounts, and even planned (sparsely attended) real-life rallies.
What was the working environment like — was it really like a factory?
There were two shifts of 12 hours, day and night. You had to arrive exactly on time, that is, from 9 a.m. to 9 p.m. There were production norms, for example, 135 comments of 200 characters each. … You come in and spend all day in a room with the blinds closed and 20 computers. There were multiple such rooms spread over four floors. It was like a production line, everyone was busy, everyone was writing something. You had the feeling that you had arrived in a factory rather than a creative place.
How did the trolling work?
You got a list of topics to write about. Every piece of news was taken care of by three trolls each, and the three of us would make up an act. We had to make it look like we were not trolls but real people. One of the three trolls would write something negative about the news, the other two would respond, “You are wrong,” and post links and such. And the negative one would eventually act convinced. Those are the kinds of plays we had to act out.
Do you think it worked?
Who really reads the comments under news articles, anyway? Especially when they were so obviously fake. People working there had no literary interest or abilities. These were mechanical texts. It was a colossal labor of monkeys, it was pointless. For Russian audiences, at least. But for Americans, it appears it did work. They aren’t used to this kind of trickery. They live in a society in which it’s accepted to answer for your words. And here — I was amazed how everyone was absolutely sure of their impunity, even as they wrote incredibly offensive comments. They were sure that with the anonymity of the Internet, no one would find them.
How much would you get paid?
Around 40,000 rubles a month [about $700 at the current exchange rate]. We’d work 12-hour days, two days on, two days off.
I love the nose-wrinkling of “who really reads the comments under news articles, anyway?”
link to this extract
Surrounding the building, located in Cupertino, California, are 45-foot tall curved panels of safety glass. Inside are work spaces, dubbed “pods,” also made with a lot of glass. Apple staff are often glued to the iPhones they helped popularize. That’s resulted in repeated cases of distracted employees walking into the panes, according to people familiar with the incidents.
Some staff started to stick Post-It notes on the glass doors to mark their presence. However, the notes were removed because they detracted from the building’s design, the people said. They asked not to be identified discussing anything related to Apple. Another person familiar with the situation said there are other markings to identify the glass.
Apple’s latest campus has been lauded as an architectural marvel. The building, crafted by famed architect Norman Foster, immortalized a vision that Apple co-founder Steve Jobs had years earlier. In 2011, Jobs reportedly described the building as “a little like a spaceship landed.” Jobs has been credited for coming up with the glass pods, designed to mix solo office areas with more social spaces.
Seems more like an argument for not looking at your phone while walking, but glass demarcation is always a pain in offices.
link to this extract
The Coalition for Better Ads [which determined which ads could and could not be shown through the new adblocking Chrome] lacks a consumer voice. The Coalition involves giants such as Google, Facebook, and Microsoft, ad trade organizations, and adtech companies and large advertisers. Criteo, a retargeter with a history of contested user privacy practice, is also involved, as is content marketer Taboola. Consumer and digital rights groups are not represented in the Coalition.
This industry membership explains the limited horizon of the group, which ignores the non-format factors that annoy and drive users to install content blockers. While people are alienated by aggressive ad formats, the problem has other dimensions. Whether it’s the use of ads as a vector for malware, the consumption of mobile data plans by bloated ads, or the monitoring of user behavior through tracking technologies, users have a lot of reasons to take action and defend themselves.
But these elements are ignored. Privacy, in particular, figured neither in the tests commissioned by the Coalition, nor in their three published reports that form the basis for the new standards. This is no surprise given that participating companies include the four biggest tracking companies: Google, Facebook, Twitter, and AppNexus.
Taboola in particular is cited disapprovingly for “helping fund the underbelly of the net”.
link to this extract
I’ve been giving a bunch of thought to passwords lately. Here we have this absolute cornerstone of security – a paradigm that every single person with an online account understands – yet we see fundamentally different approaches to how services handle them. Some have strict complexity rules. Some have low max lengths. Some won’t let you paste a password. Some force you to regularly rotate it. It’s all over the place.
Last year, I wrote about authentication guidance for the modern era and I talked about many of the aforementioned requirements. I particularly focused on how today’s thinking is at odds with many of the traditional views of how passwords should be handled. That post has a lot of guidance from the NCSC in the UK and NIST in the US and it debunked many of those long-held beliefs; get rid of complexity rules, allow long passwords, let people paste them and move away from forced rotation. However, there was nothing on minimum required lengths, and that got me thinking – what’s the correct number?
When I run my Hack Yourself First workshop, that’s one of the first questions I ask – “what’s the correct minimum password length?” I was thinking about that again just this weekend when preparing V2 of Pwned Passwords because I thought I might be able to use a minimum length threshold to reduce the size of the data set. So, rather than projecting my own views on minimum password length, I thought I’d go and check what the world’s top sites are doing.
By the end, he had answered one question and found another, more difficult one.
link to this extract
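The guidance summarised in that extract (drop complexity rules, allow long passwords, reject known-breached values rather than forcing rotation) is easiest to see as two validators side by side. This is an added illustration, not code from the quoted post or from the Pwned Passwords service: the legacy rule set, the 8-character floor used as the modern minimum, and the four-entry breach corpus are all constructed for the example, and the corpus check is a local stand-in for a breach lookup.

```python
import hashlib
import re

# Constructed breach corpus: SHA-1 digests of a few weak passwords, computed
# locally here. A real deployment would consult a breach service instead.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "P@ssw0rd1", "letmein", "qwerty123")
}


def legacy_policy(password: str) -> list[str]:
    """Typical pre-modern rules: a low length cap plus forced character
    classes. Returns a list of rule violations (empty means accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 16:
        problems.append("longer than 16 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def modern_policy(password: str, min_length: int = 8, max_length: int = 128,
                  breached: set[str] = BREACHED_SHA1) -> list[str]:
    """NCSC/NIST-style rules: a length floor (8 is an assumed sample value),
    a generous ceiling so passphrases fit, no composition rules, and a
    rejection of values already present in a breach corpus."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    if digest in breached:
        problems.append("appears in breach corpus")
    return problems


if __name__ == "__main__":
    # A password that satisfies every legacy rule yet sits in the breach
    # corpus, and a long passphrase the legacy rules reject outright.
    for candidate in ("P@ssw0rd1", "correct horse battery staple"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"modern={modern_policy(candidate)}")
```

The contrast is the point: the composition rules wave through a breached value because it contains the right character classes, while they reject a 28-character passphrase for being "too long" and lacking a digit; the length-plus-breach check does the opposite.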
The National Labor Relations Board published its memo this week, which was issued in January after Damore filed a charge against his former employer on August 8. In spite of Damore withdrawing his NLRB filing in September, the board proceeded to examine and issue its own ruling:
Google “discharged [Damore] only for [his] unprotected conduct while it explicitly affirmed [his] right to engage in protected conduct.” The NLRB emphasized that any charge filed by Damore on the matter should be “dismissed.”
In explaining the board’s reasoning, NLRB member Jayme Sophir points to two specific parts of the controversial memo circulated by Damore in August: Damore’s claim that women are “more prone to ‘neuroticism,’ resulting in women experiencing higher anxiety and exhibiting lower tolerance for stress” and that “men demonstrate greater variance in IQ than women.”
Sophir describes how these gender-specific claims resemble other cases decided by the NLRB that revolved around racist, sexist, and homophobic language in the workplace. She says that specific Damore statements were “discriminatory and constituted sexual harassment, notwithstanding [his] effort to cloak [his] comments with ‘scientific’ references and analysis, and notwithstanding [his] ‘not all women’ disclaimers. Moreover, those statements were likely to cause serious dissension and disruption in the workplace.”
The NLRB memo also includes a quote from Google’s letter of termination given to Damore in August, which Sophir says focused specifically on offending, fireable content while also protecting other portions of his speech:
»I want to make clear that our decision is based solely on the part of your post that generalizes and advances stereotypes about women versus men. It is not based in any way on the portions of your post that discuss [the Employer’s] programs or trainings, or how [the Employer] can improve its inclusion of differing political views. Those are important points. I also want to be clear that this is not about you expressing yourself on political issues or having political views that are different than others at the company. Having a different political view is absolutely fine. Advancing gender stereotypes is not.«
I’m sure that will be the end of it 🙄 But of course not. Jordan Peterson has tweeted that it’s the end for science. Google’s HR made a subtle distinction in its dismissal, and Damore might not be able to get around that. But every cause needs its martyr.
link to this extract
Errata, corrigenda and ai no corrida: none notified.