Start Up: the in-app browser risk, gun culture and slippery slopes, bad notch!, a cheaper MacBook Air?, and more

This Twitter user – a Russian troll – was amplified millions of times by American Reddit users. Photo by Bit Burner on Flickr

»You can sign up to receive each day’s Start Up post by email (arriving at about 0800GMT each weekday). You’ll need to click a confirmation link, so no spam.«

A selection of 11 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.

Leaked: secret documents from Russia’s election trolls • Daily Beast

Ben Collins:


what The Daily Beast has seen provides a new level of texture and detail to the [Russian troll farm Internet Research Agency] US efforts, online and off. While the troll farm’s use of YouTube, Twitter, and Facebook is now well-known, the leak shows that the Internet Research Agency also operated on Reddit and had a substantial footprint on Tumblr. They documented and tracked their personalized interactions with specific, unsuspecting Americans, some of whom are named in the leaks.

Those outreach efforts display conceptual sophistication. The leaks show that IRA imposter accounts targeted activists for specific causes the Russians wanted promoted. On the target list: the daughter of one of Martin Luther King’s lieutenants.

But the leaks also provide a glimpse into the troll farm’s weaknesses. Some of the Americans the group contacted described receiving impersonal entreaties from unfamiliar accounts, asking for trivial aid and then declining to follow up. The Internet Research Agency might have known how to leverage social media, but they knew far less about how users authentically interact with each other on it—which itself attracted suspicion amongst the very people the Russians were contacting.

“I couldn’t put my finger on it. I didn’t know who they were and why they were remaining anonymous, and I didn’t really see the need for it,” said Craig Carson, a Rochester, New York, attorney and civil rights activist who was contacted by the farm-created account Blacktivist.

Shanall LaRay Logan—who lives in Sacramento, California, and said she is active in Black Lives Matter campaigns —told The Daily Beast that these kind of trolling overtures are “actually just counterproductive to our movement.”

The leaks also reveal the IRA’s previously unreported connection to two additional 2016 rallies, one outside Atlanta and another in western New York, The Daily Beast can now confirm. One of them turned violent.


This came out last week. On Monday, Reddit admitted it was investigating and so far had found “a few hundred” accounts that were directly Russian-controlled – but also that (foolish American) people had amplified Russian propaganda. This is far from over.
link to this extract

Why iOS in-app browsers that don’t use Safari’s WebKitView are dangerous • Krausefx

Felix Krause on the risks from custom in-app browsers:


This is basically the main reason why in-app browsers are still a thing: It allows the app maintainer to inject additional analytics code, without telling the user. This way, the app’s developer can track the following:

– How long does the user visit the linked website?
– How fast does the user scroll?
– Which links does the user open, and how long do they stay on each of them?

Combined with watch.user, the app can record you while you browse third party websites, or even use the iPhone X face sensor to parse your face. Every single tap, swipe or any other gesture; device movements, GPS location (if granted) and any other granted iOS sensor, while the app is still in the foreground.

Any app with an in-app browser can [also] easily steal the user’s email address, passwords and two-factor authentication codes. They can do that by injecting JavaScript code that bridges the data over to the app, or directly to a remote host. This is simple, it’s basically code like this:

// read the login form fields out of the page the in-app browser is showing
const email = document.getElementById("email").value
const password = document.getElementById("password").value

That’s all that’s needed: just inject the code above to every website, run it on every user’s key stroke, and you’ll get a nice list of email addresses and passwords.


In short: open links in Safari if you don’t trust the app; or insist it opens a Safari webview.
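Added example, not from Krause’s post or from Apple: a small JavaScript heuristic that a website’s login page can run to guess whether it is being rendered inside an iOS in-app browser instead of Safari, so it can nudge the user to open the page in Safari before typing a password. The user-agent markers (FBAN/FBAV, Instagram, Twitter, Line) and the “iOS user agent without a Safari/ token” rule are assumptions about how in-app webviews usually identify themselves, and the sample user-agent strings are constructed for illustration.

```javascript
// Added example (not from the original post): detect an iOS in-app browser from the
// user-agent string so a login page can warn the user to open it in Safari instead.
// Assumptions: (1) some apps stamp known markers into the UA (FBAN/FBAV for Facebook,
// "Instagram", "Twitter", "Line/"); (2) a WKWebView/UIWebView UA looks like Mobile Safari
// but omits the trailing "Safari/<version>" token, while Safari and SFSafariViewController keep it.
const IN_APP_MARKERS = ["FBAN", "FBAV", "Instagram", "Twitter", "Line/"];

function looksLikeIosInAppBrowser(userAgent) {
  const ua = String(userAgent || "");
  if (IN_APP_MARKERS.some((marker) => ua.includes(marker))) return true;
  const isIos = /\b(iPhone|iPad|iPod)\b/.test(ua);
  const hasMobileToken = /\bMobile\/\w+/.test(ua); // iOS WebKit builds carry Mobile/<build>
  const hasSafariToken = /\bSafari\/\d/.test(ua);   // missing on bare webviews
  return isIos && hasMobileToken && !hasSafariToken;
}

// Message a login page could show above the form; null means "nothing to warn about".
function inAppBrowserWarning(userAgent) {
  if (!looksLikeIosInAppBrowser(userAgent)) return null;
  return "This page seems to be open inside another app's browser. " +
         "For your own safety, open it in Safari before signing in.";
}

// Constructed sample user-agent strings (illustrative, not captured from real devices).
const SAMPLE_UAS = {
  safari: "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) AppleWebKit/604.4.7 " +
          "(KHTML, like Gecko) Version/11.0 Mobile/15C114 Safari/604.1",
  webview: "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) AppleWebKit/604.4.7 " +
           "(KHTML, like Gecko) Mobile/15C114",
  facebook: "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) AppleWebKit/604.4.7 " +
            "(KHTML, like Gecko) Mobile/15C114 [FBAN/FBIOS;FBAV/150.0.0.42.91;FBDV/iPhone10,3]",
  desktop: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 " +
           "(KHTML, like Gecko) Version/11.0.2 Safari/604.4.7",
};

// In a browser, run the check against the real user agent and log the outcome.
if (typeof navigator !== "undefined" && navigator.userAgent) {
  const warning = inAppBrowserWarning(navigator.userAgent);
  console.log(warning === null ? "not an iOS in-app browser" : warning);
}
```

This is a usability hint, not a security control: the hosting app controls the user-agent string and the whole page, so a hostile app can defeat the check. Its value is in the common case of an honest app whose in-app browser the user did not notice.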
link to this extract

A HomePod intervention • 512 Pixels

Stephen Hackett:


Hardware wise, the HomePod may sound amazing but its physical controls aren’t as good as the Echo’s. Our first-gen Echo has a big ring that spins around to control the volume that works perfectly; the HomePod’s touch buttons can be finicky and slow to respond.

Even more annoying is the HomePod’s resumption of music playback if you touch the top of the unit. Our smart speakers have always been under a counter in the kitchen, and we brush the top of them a lot more than we realized after the HomePod would start blaring music after any accidental touch. Apple should have an option to disable it.

All in all, I thought the move to the HomePod was going well right until my family staged an intervention. Their annoyance with Siri misunderstanding or misinterpreting has grown over the last few weeks, and the clumsiness with which Siri handles — or doesn’t handle — some requests has become bothersome.

I’ve overheard several interactions with the HomePod that entail a family member asking for a song or album that ends in getting upset with the device when it starts playing something else. The Echo — coupled with Amazon Music — had a much higher hit rate when it came to accurately playing what was desired.

In short, the increase in sound quality doesn’t make up for the frustration of using Siri. The HomePod is going to live in my studio; the Echo is back in its rightful place in the kitchen.


Hackett makes a lot of good points. Even though the HomePod has been in development for years at Apple, its testers clearly didn’t put it through the right paces.
link to this extract

What critics don’t understand about gun culture • The Atlantic

David French on how people go from non-gun owners to full-time gun carriers:


Next, you realize that you want that sense of safety to travel with you. So you sign up for a concealed-carry permit class. You gather one night with friends and neighbors and spend the next eight hours combining a self-defense class with a dash of world-view training. And when you carry your weapon, you don’t feel intimidated, you feel empowered. In a way that’s tough to explain, the fact that you’re so much less dependent on the state for your personal security and safety makes you feel more “free” than you’ve ever felt before.  

And as your worldview changes, you expand your knowledge. You learn that people defend themselves with guns all the time, usually without pulling the trigger. You share the stories and your own experience with your friends, and soon they walk into gun stores. They start their own journey into America’s “gun culture.”

At the end of this process, your life has changed for the better. Your community has expanded to include people you truly like, who’ve perhaps helped you through a tough time in your life, and you treasure these relationships. You feel a sense of burning conviction that you, your family, and your community are safer and freer because you own and carry a gun.

It’s a myth that gun owners despise regulation. Instead, they tend to believe that government regulation should have two purposes—deny guns to the dangerous while protecting rights of access for the law-abiding. The formula is simple: Criminals and the dangerously mentally ill make our nation more violent. Law-abiding gun owners save and protect lives.

Thus the overwhelming support for background checks, the insistence from gun-rights supporters that the government enforce existing laws and lock up violent offenders, and the openness to solutions—like so-called “gun violence restraining orders” that specifically target troubled individuals for intervention.


Stephen King (the writer) says, in one of his writing rules, that “nobody ever thinks of themselves as the bad guy”. Gun ownership, as described here, is one of those slippery slopes, where you’re always doing completely rational things. Just one more step. But seen from outside, it’s just a descent into madness, with each step slightly more crazy than the next.

You’re never the bad guy, though.
link to this extract

Bad iPhone notches are happening to good Android phones • The Verge

Vlad Savov:


I’ve been coming to Mobile World Congress for close to a decade now, and I’ve never seen the iPhone copied quite so blatantly and cynically as I witnessed during this year’s show. MWC 2018 will go down in history as the launch platform for a mass of iPhone X notch copycats, each of them more hastily and sloppily assembled than the next.

No effort is being made to emulate the complex Face ID system that resides inside Apple’s notch; companies like Noa and Ulefone are in such a hurry to get their iPhone lookalike on the market that they haven’t even customized their software to account for the new shape of the screen. More than one of these notched handsets at MWC had the clock occluded by the curved corner of the display.

Ulefone T2 Pro Photo by Sam Byford / The Verge

Asus is one of the biggest consumer electronics companies in the world, and yet its copycat notch is probably the most galling of them all. The Zenfone 5 looks and feels like a promising phone, featuring loud speakers, the latest Sony imaging sensor with larger-than-average pixels, and a price somewhere south of $499. I should be celebrating it right now, but instead I’m turning away in disgust as Asus leans into its copying by calling Apple a “Fruit Company” repeatedly. If you’re going to copy the iPhone, at least have the decency to avoid trying to mock it.

It would be stating the obvious to say that this trend is not a good one. I’m absolutely of the belief that everyone, Apple included, copies or borrows ideas from everyone else in the mobile industry. This is a great way to see technical improvements disseminated across the market. But the problem with these notched screens on Android phones is that they’re purely cosmetic. Apple’s notch at the top of the iPhone X allows the company to have a nearly borderless screen everywhere else, plus it accommodates the earpiece and TrueDepth camera for Face ID. Asus et al have a sizeable “chin” at the bottom of their phones, so the cutouts at the top are self-evidently motivated by the desire to just look — not function, look — like an iPhone X.


Sure, these are obvious copycats. It’s stretching it to call them “good” Android phones though. They’re run-of-the-mill, entirely fungible things.
link to this extract

Mobiles to Americans? That’s not the only thing Xiaomi’s selling • Bloomberg Gadfly

Tim Culpan:


Xiaomi’s plan [to sell phones in the US] is as much about selling shares in its forthcoming IPO as it is about selling handsets to Americans.

Talk of a $100bn valuation for the Chinese startup would make it vastly overvalued. That doesn’t mean bankers won’t try to help it reach such lofty heights, or that Chinese investors won’t pay through the roof to bag some shares. However to get there, Xiaomi’s leadership, financial boffins and marketing teams all need to keep kicking the can down the road.

The story for 2017 was about the company’s turnaround, from a slump in 2015 to a rebound in 2016 and continued momentum last year. India was the main engine, and we can expect more of that noise over the coming 12 months. But Xiaomi needs another booster rocket if it’s to go to the moon like everybody hopes. Hence the talk of a U.S. entry, where growth in the most recent quarter was much faster than for Asia when measured in revenue terms.

And note the timing: end of this year or early next. That would be after Xiaomi’s IPO, providing a great talking point for bankers while not requiring them to demonstrate any actual success.


link to this extract

KGI: Apple to release more affordable 13in MacBook Air in Q2, HomePod demand ‘mediocre’ so far • 9to5 Mac

Chance Miller:


[KGI Securities’ Ming-chi] Kuo says that he expects Apple to release a new MacBook Air “with a lower price tag” during the second quarter of 2018, meaning we should see it sooner rather than later. The analyst expects that the more affordable MacBook Air will help push MacBook shipments up by 10%-15% this year.

Details on the new MacBook Air are sparse, but this report from KGI corroborates a similarly vague report from Digitimes earlier this year. The MacBook Air line has been largely stagnant in recent years as Apple has shifted focus towards the 12in MacBook and MacBook Pro.

Currently, Apple sells the 13in MacBook Air starting at $999, and KGI seems to think it will get even cheaper this year. Despite its neglect by Apple, the MacBook Air remains a popular choice for college students.

The investor note also offers some additional details on supply chain reactions to the upcoming iPhone refreshes, the growing success of AirPods and more. Kuo says that KGI is “positive” on shipments of AirPods and predicts the refreshed model will come in the second half of the year, driving strong year over year growth.


Neil Cybart disagrees with this forecast (partly on the basis that Kuo doesn’t have insight into Apple’s pricing), and I go along with him. Apple hasn’t dropped the price of the Air in absolutely years; it’s an ageing – in some ways obsolescent (no retina screen!) – product which simply holds the base price down. No reason to drop it; Apple’s focus is all on the MacBook, which is smaller and lighter than the MBAir.
link to this extract

Brands beware – YouTube ads pulled from Infowars • BBC

Rory Cellan-Jones:


After CNN contacted the various brands, they mostly pronounced themselves surprised and opted to remove their adverts from the channel associated with Mr Jones and InfoWars.

One British company affected was Brighton-based financial services firm OneFamily. The business told me that its ads on YouTube – which is owned by Google – were targeted at groups including 18 to 34-year-old “business & economic news junkies”.

But it had not been aware that this would include InfoWars, which did not align with its values.

OneFamily explained that it had not specifically excluded the Alex Jones channel but had thought that its adverts would not appear alongside unsuitable content:
“Working with Google we exclude our advertising from any sites that fall within these categories: sensational and shocking, profanity & rough language, content not yet rated, sensitive social issues, tragedy & conflict, sexually suggestive content, adult content, and live streaming videos,” it said.

“As such, any site in these categories does not feature our advertising. We have asked Google to explain why InfoWars was not on its exclusion list.”

I asked Google for a response. The company said it could not comment on individual cases but stressed that it gave its advertising customers a range of options to filter out unsuitable videos for their messages and make sure they reached the right audience.


“Ah yeah, here’s your mistake, right here – you didn’t tick ‘don’t show my ads on nutjob conspiracy theory videos’. Oh wait, we don’t have that.”
link to this extract

More Mailchimp malware: invoice 1717 from City Sign Graphics Ltd • My Online Security


Back today with even more Mailchimp abuse and attempted malware spreading. By the time I got round to investigating the email, the links in it were down. At first I got a “Hostgator account suspended” message but now get an “error 500 server misconfigured” message. A Twitter post gave me the file # of the downloaded malware that I assume is still the Gootkit banking Trojan.

We still have no idea how the victim companies’ details or login credentials to the Mailchimp network are being stolen or compromised.

This next email has the subject of “Invoice 1717 from CITY SIGN AND GRAPHICS LTD”, coming from CITY SIGN AND GRAPHICS LTD; on behalf of CITY SIGN & GRAPHICS LTD.

About one month ago we saw a malware campaign using Mailchimp to distribute the Gootkit banking trojan. Since then there has been a regular, almost daily campaign. Today’s campaign has changed slightly and although the initial emails are coming via the Mailchimp system, the malware downloader and the payloads are coming from other sites which are probably/almost certainly compromised.

They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.


Obvious enough how they get Mailchimp logins: people are lazy and reuse them, and they get phished elsewhere. (Or you send out a phishing campaign around Mailchimp.)

It’s long past time that username/password was enough to log you in to services that can reach so many people. And I say that as a user of Mailchimp.
link to this extract

The blockchain pipe dream • Project Syndicate

Nouriel Roubini and Preston Byrne:


It turns out that many likely appropriate applications of blockchain in finance – such as in securitization or supply-chain monitoring – will require intermediaries after all, because there will inevitably be circumstances where unforeseen contingencies arise, demanding the exercise of discretion. The most important thing blockchain will do in such a situation is ensure that all parties to a transaction are in agreement with one another about its status and their obligations.

It is high time to end the hype. Bitcoin is a slow, energy-inefficient dinosaur that will never be able to process transactions as quickly or inexpensively as an Excel spreadsheet. Ethereum’s plans for an insecure proof-of-stake authentication system will render it vulnerable to manipulation by influential insiders. And Ripple’s technology for cross-border interbank financial transfers will soon be left in the dust by SWIFT, a non-blockchain consortium that all of the world’s major financial institutions already use. Similarly, centralized e-payment systems with almost no transaction costs – Faster Payments, AliPay, WeChat Pay, Venmo, Paypal, Square – are already being used by billions of people around the world.

Today’s “coin mania” is not unlike the railway mania at the dawn of the industrial revolution in the mid-nineteenth century. On its own, blockchain is hardly revolutionary. In conjunction with the secure, remote automation of financial and machine processes, however, it can have potentially far-reaching implications.

Ultimately, blockchain’s uses will be limited to specific, well-defined, and complex applications that require transparency and tamper-resistance more than they require speed – for example, communication with self-driving cars or drones. As for most of the coins, they are little different from railway stocks in the 1840s, which went bust when that bubble – like most bubbles – burst.


I think it’s the definition of a bubble that it bursts. The question still remains: what is blockchain better for than anything else? (I’m moderating a discussion on this at the E-crime and Cybersecurity congress on Wednesday in London. Do come and join in.)
link to this extract

Coal industry mired in decline despite Trump pledges • The Hill

Reid Wilson:


Production declines are likely to hit two of America’s three main coal regions particularly hard. In central Appalachia, where hot-burning and relatively clean coal is some of the best in the world, production costs are rising as miners are forced to dig deeper. And in the Powder River Basin, a lack of access to western ports that could ship coal to Asia means higher transportation costs.

That threatens states like West Virginia and Wyoming, where for generations blue-collar workers used the coal industry to build a middle class life for themselves and their families. 

“We’re talking about jobs where we have people with only a high school diploma making $70,000 or $75,000 a year,” said John Deskins, director of the Bureau of Business and Economic Research and an associate professor of economics at West Virginia University. “A bounce back to what we considered normal a decade ago is very unlikely.”

In Wyoming, where about 20% of the state’s revenue comes from taxes associated with mining, the legislature now faces a budget deficit.

“We’ve been living high and heady for a long time, and with the decline of the industry in the last couple of years and the crash, it’s significant,” Deti said. “When that revenue declines, obviously the state is crunched.”


Reality bites. Hard.
link to this extract

Errata, corrigenda and ai no corrida: none notified.

1 thought on “Start Up: the in-app browser risk, gun culture and slippery slopes, bad notch!, a cheaper MacBook Air?, and more”

  1. Re MailChimp and security – one thing I like about their service is the way they give a small financial discount if you use two-factor authentication. Sure, people should know to use it anyway… but given how few people do, providing a little incentive seems a good move (though I don’t know how successful it is.)
