Start Up: hackers who hack back, Fitbit teams with Google, the Bezos memos, squirt guns for all!, and more

Four years later, Jan Koum is leaving WhatsApp – and Facebook. Photo by Photostream on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. Still here. I’m @charlesarthur on Twitter. Observations and links welcome.

WhatsApp founder plans to leave after broad clashes with parent Facebook • The Washington Post

Elizabeth Dwoskin:


The billionaire chief executive of WhatsApp, Jan Koum, is planning to leave the company after clashing with its parent, Facebook, over the popular messaging service’s strategy and Facebook’s attempts to use its personal data and weaken its encryption, according to people familiar with internal discussions.

Koum, who sold WhatsApp to Facebook for more than $19bn in 2014, also plans to step down from Facebook’s board of directors, according to these people. The date of his departure isn’t known. He has been informing senior executives at Facebook and WhatsApp of his decision, and in recent months has been showing up less frequently to WhatsApp’s offices on Facebook’s campus in Silicon Valley, according to the people.

The independence and protection of its users’ data is a core tenet of WhatsApp that Koum and his co-founder, Brian Acton, promised to preserve when they sold their tiny startup to Facebook. It doubled down on its pledge by adding encryption in 2016. The data clash took on additional significance in the wake of revelations in March that Facebook had allowed third parties to mishandle its users’ personal information.


Wow. This must have come directly from Koum – the Washington Post isn’t going to go with a flyer on this. That Facebook is looking to weaken the WhatsApp encryption is a hell of a story in itself (this will be denied in the next news cycle).

One might say that Koum should have known this back in 2014 – that he’s cashing in and taking the billions. It certainly never meshed with the Facebook culture, according to the later parts of the story.


The digital vigilantes who hack back • The New Yorker

Nicholas Schmidle:


Last year, Nisos did such a test on behalf of a major financial institution. Two of Bourie’s colleagues went to a café across the street from the client’s headquarters, where employees often stopped in for coffee. One of the Nisos operators, carrying a messenger bag with a radio-frequency identification device concealed inside it, surreptitiously scanned the facility code from employees’ I.D. badges. With this information, Nisos could make fake badges. The next day, the Nisos operators swiped into the lobby, plugged a local-area-network device into an Ethernet port in a conference room, and left before anyone noticed. Using the LAN connection, they hacked into the financial institution’s network and, among other things, briefly commandeered its security cameras. The company realized that it needed to make serious upgrades to its network.

According to Bourie, when the C.E.O. of the multinational corporation asked him if Nisos could hack into the ex-employee’s home network, the general counsel interrupted to say that the C.E.O. was obviously kidding—hacking the network would be illegal. The C.E.O. said, “Illegal how? Running-a-stop-sign illegal? Or killing-someone illegal?”

Bourie recalled that everyone laughed, and the question was left hanging. But it stuck with him, because he wasn’t sure of the answer. He knew that no firm had ever been prosecuted for hacking back, but he didn’t know why.


Fascinating examples about a murky area. (Nobody in Cyber Wars “hacked back” – they tended to be the people who discovered how to hack, such as the Microsoft worker who accidentally discovered SQL injection.)

Fitbit will use Google Cloud to make its data available to doctors • TechCrunch

Brian Heater:


For Fitbit, the deal means moving a step closer toward healthcare legitimacy. At a recent event, CEO James Park told us that health was set to comprise a big part of the consumer electronics company’s plans moving forward. It’s clear he wasn’t quite as all-in with Jawbone, which shuttered the consumer side entirely, but there’s definitely money to be made for a company that can make legitimate health tracking ubiquitous.

The plan is to offer a centralized stop for doctors to monitor both electronic medical records and regular monitoring from Fitbit’s devices. Recently acquired Twine Health, meanwhile, will help the company give more insight into issues like diabetes and hypertension.

No word yet on a timeline for when all of this will become widely available.


Fitbit really needs this business-to-business side to thrive; its consumer business is dying on its feet.

Publishing trade groups criticize Google over GDPR policy • Ad Age

George Slefo:


Four trade groups representing publishers such as Axel Springer, Bloomberg, Conde Nast, Hearst and the Guardian released a letter Monday addressed to Google CEO Sundar Pichai that sharply criticizes the company’s approach to publishers as strict new privacy rules loom in Europe.

The trade associations—Digital Content Next, European Publishers Council, News Media Alliance and the News Media Association—say Google is putting their members in a corner as it implements the European Union’s General Data Protection Regulation, or GDPR, which takes effect May 25.

Google updated its policy roughly one month ago, telling publishers they will need to share any data they receive from consumers if they intend to use the company’s software to sell ads. Google won’t disclose exactly how it will use that data and, should any GDPR violations occur, the liability will rest with the publishers, not Google.

Those found in violation under GDPR face fines of roughly $25m, or 4% of global revenue, whichever is greater.

“Your proposal severely falls short on many levels and seems to lay out a framework more concerned with protecting your existing business model in a manner that would undermine the fundamental purposes of the GDPR and the efforts of publishers to comply with the letter and spirit of the law,” the groups say in the letter.


Not much time left to fix this, is there?

Seth Rogen, in conversation • Vulture

David Marchese talks to the film writer:


Q: What thoughts get kicked up when you see North Korea in the news these days?
It does kick stuff up for sure. Honestly, I really don’t think North Korea hacked Sony. [Directed by Rogen and Goldberg, 2014’s The Interview stars Rogen and James Franco as journalists traveling to North Korea to interview Kim Jong-un, who are co-opted by the CIA to assassinate him. In June of that year, North Korea threatened the United States, calling the film’s release an “act of war.” In November, the DPRK-affiliated group “Guardians of Peace” hacked into Sony, dropping executive salary numbers and a few unreleased films. (It also revealed a huge gender and racial gap at the company.) Sony eventually decided not to widely release the picture in theaters, and made it available as a digital rental in December 2014.]

Why’s that?
When the trailer for The Interview came out we were called into a meeting at Sony, where they told us that North Korea had probably already hacked into their system and seen the movie and that the statements they’d put out was their response. Then, months later, when the movie itself finally came out, all this hacking shit happened. This was months after North Korea had probably already seen the movie. Why would they wait? And they never did anything like that before and haven’t done anything like it since. So things just never quite added up. The guy I’d hired to do my cybersecurity even told me, “There’s no way this was a hack. It had to be a physical act.” The amount of stuff that was stolen would have had to have physical mass to it.

In the sense that whoever stole the information needed to have his or her hands on a server at some point?
Yeah, it wasn’t something you could’ve hacked remotely. It required plugging shit into other shit. And the hack also seemed weirdly targeted at Amy [Pascal], which seems fishy — of all the people to target? Why not me? Why not Michael Lynton? [Lynton was the CEO of Sony Pictures Entertainment at the time of the hack, and was largely spared. He’s currently the CEO at Snapchat.]


Ooh, another chance to plug Cyber Wars. (Also available on Amazon and in bookshops from Thursday.) The first chapter investigates the Sony hack. There’s no doubt among security professionals that it was North Korea. Kim Jong Un wasn’t going to be made fun of on the international stage just as he was working towards being an international player with his nuclear plan. Sony Pictures was hacked by North Korea.


Bezos: a CEO who can write • Monday Note

Jean-Louis Gassée on the letters to shareholders that Bezos writes each year:


After reading this year’s letter, I downloaded the entire collection of twenty-one epistles and devoured them. (I hope someone, somewhere has done a better job than Amazon’s site putting the compilation together in a consistent and directly accessible fashion…)

More than a few thoughts emerged from the exercise, but the one that stands out is that the customer, the ultimate arbiter of success, must be held in awe. Bezos was a bit overly dramatic about it in 1998:


I constantly remind our employees to be afraid, to wake up every morning terrified. Not of our competition, but of our customers. Our customers have made our business what it is, they are the ones with whom we have a relationship, and they are the ones to whom we owe a great obligation. And we consider them to be loyal to us — right up until the second that someone else offers them a better service


By 2017, he had lightened up, but without losing the sense of the customers’ importance:


One thing I love about customers is that they are divinely discontent. Their expectations are never static — they go up. It’s human nature. We didn’t ascend from our hunter-gatherer days by being satisfied. People have a voracious appetite for a better way, and yesterday’s ‘wow’ quickly becomes today’s ‘ordinary’.


Bezos’ letters make splendid material for a Business School course on Strategy and Communication. (I’d love to teach it — if I were twenty years younger.) A caveat applies, however. Most of the strategies and practices advocated by Amazon’s founder have broad applicability, but a central mystery remains: Bezos himself, his combination of early life experience, intellect, emotional abilities and communication skills. Being Bezos isn’t teachable.


Bezos, and Amazon, remain the biggest mystery – in terms of function – of the big five tech companies.

Tech’s structural change • Bloomberg

Tim Culpan:


In the second quarter of 2016, for example, it sold panels at an average $504 per square meter and managed to generate a 44bn won ($41m) operating profit. In the first quarter of this year, prices touched $522, but LG Display posted a 98bn won operating loss.

The difference comes from costs, and that shift looks structural. General expenses have ballooned, which is a line item that could be trimmed. Research and development, though, is also on the rise and is an area LG Display can’t afford to skimp on as it tries to keep up with rivals such as Samsung Electronics Co.

Taiwan Semiconductor Manufacturing Co. sparked a plunge in tech stocks last week when it reported earnings and gave a weak second quarter outlook.

I argued at the time that the real concern should be that TSMC needs to spend more money – on capital expenditure – for lower sales growth. The same thing is playing out at LG Display, where R&D is a far larger cost component than depreciation.

LG Display is preparing to move into new technologies, including organic light-emitting diodes. A higher research spend is a necessary part of that development.

The breakeven price of panels has already climbed from around $500 per square meter in the second quarter of 2016 to approximately $550 in the most recent period.

If larger R&D budgets are baked into its cost base, then LG Display becomes the latest tech company to face the prospect of spending more money for less return – first in chips, now in displays.


The implication is higher costs, for manufacturers and consumers? Or slower growth? Or both?

Privacy guide: Amazon Echo, Google Home, Apple HomePod • NYMag

Kaveh Waddell:


Connecting a home speaker to third-party extensions is also potentially a recipe for abuse. It was a third-party quiz app that vacuumed up Facebook users’ personal data — and that of their friends — and shared it with a researcher associated with Cambridge Analytica. There’s no reason an unscrupulous developer couldn’t come up with a similarly invasive add-on for a home speaker. Both Google and Amazon allow developers to create extensions for their home speakers, but the Echo, having been around longer, has more plug-ins.

Apple is the odd one out in this trio: Its HomePod offers the most privacy of any home speaker — but at the cost of convenience. Besides using the HomePod to control Apple’s software or as a hub for an automated home, you can ask about the news, weather, or traffic — but not much else. You can’t install extensions the way you can on an Echo or a Google Home, so Apple has complete control over what data goes where.

But the biggest privacy difference between the HomePod and its competitors isn’t what it can or can’t do — it’s how the HomePod interacts with Apple’s servers. Like the other speakers, when a HomePod hears a request, it sends it off to Apple to parse and fulfill it. But instead of associating the request with the user’s account, like Google and Amazon do, HomePod requests are anonymous, tied only to a random, rotating ID. Just like a request you might make of Siri on an iPhone, HomePod requests will live on Apple’s servers for six months, associated with that ID, and then another year and a half, unlinked to any ID at all. By contrast, Google and Amazon only delete requests from their servers when asked by the user.

In the few months it’s been out, people have complained about one particular privacy shortfall of the HomePod. The HomePod can fulfill “personal requests,” like reading out and sending texts, or reading and creating notes. For someone who lives alone — or has no secrets — this might be useful. But otherwise, as long as the primary user is at home, anyone can walk up to the device and ask it to send an embarrassing text to mom, and it will. Unlike the Echo or the Google Home, HomePod can’t differentiate between people’s voices, so anyone’s request will go through.

But that’s a relatively small privacy gripe. Generally, if you value privacy (and sound quality) over omniscient assistance, Apple’s HomePod should be your go-to. Siri is leagues behind its competitors, but at least it doesn’t tattle.



Researchers reveal how hotel key cards can be hacked – what you need to know • Tripwire

Graham Cluley:


Security researchers at F-Secure have discovered a flaw that could allow millions of hotel rooms around the world to be accessed by unauthorised parties, without leaving a trace.

A design flaw in the widely-used Vision by VingCard electronic lock software could have been exploited by intelligence agencies, thieves, and other criminals to gain access to rooms – and potentially any computers left inside.

It’s unusual today to check into a hotel room and to be given an old-fashioned physical key. It’s much more likely today that you will be given an electronic key card to gain access to a room via the RFID card reader used by its lock.

Cloning a key card requires physical access to the card for a period of time, and that’s a challenge that someone keen to enter a room might not be able to pull off easily. Similarly, generating a new key card at the front desk might arouse suspicions and may invalidate the key card carried by the legitimate occupant of the hotel room.

What researchers Tomi Tuominen and Timo Hirvonen managed to do was find a vulnerability that allowed them to generate a master key that can open any room in a hotel, without leaving a trace.

The researchers worked on-and-off on the challenge for a long time incorporating “several thousand hours of work,” after first becoming curious when a friend of Tuominen had his laptop stolen from his hotel room in 2003 while attending a security conference in Berlin.

Staff at the Alexanderplatz Radisson reportedly dismissed the issue at the time as there was no sign of forced entry or evidence of unauthorised access.

The fact that it took the researchers so long to find a way to unlock any room in a hotel, without leaving any evidence, proves that the flaw was not simple to uncover – but offers no guarantee that others, such as nefarious intelligence agencies, may have developed similar tools.


Great news for film scriptwriters, since this means the scene where the bad/good guys slip a card into the hotel room of the good/bad guy and go straight in is still valid.

Google and Facebook adopt water gun emoji, leaving Microsoft holding the pistol • The Verge

Thuy Ong:


Google is the latest company to ditch the pistol with a new emoji update for Android users. The switch to a bright orange and yellow water gun, rolling out now, mimics changes made by Apple, WhatsApp, Twitter, and Samsung over the last few years. That leaves Microsoft as the only major platform with the realistic handgun emoji. True, Facebook still uses it, but a spokesperson for the company confirmed to Emojipedia that it would also be replacing its gun emoji with a toy water gun. The Verge has reached out to Microsoft for comment.

The move makes Google’s gun emoji correspond with other platforms. So, if a friend sends the playful water pistol from an iPhone, it will now look similar on an Android device or in a tweet without any unintended miscommunication.


Ironically, Microsoft initially displayed the gun emoji as a toy, but changed it to a revolver in 2016 as part of its emoji redesign project. With Google’s (and Facebook’s) latest move, Microsoft’s gun emoji puts it at philosophical odds with the other giant tech companies based in the US where gun violence is a major concern. As we previously noted, in 2016 Apple successfully pushed to remove the rifle icon from the standardized collection of emoji.


The update is that Microsoft has now joined in the disarmament. Control language, control what you think. Emoji is, in case you hadn’t noticed, a language.

Errata, corrigenda and ai no corrida: none notified
