Start Up: FBI zaps Russian botnet, don’t listen Alexa!, the quiet location scandal, a fresh dating site hell, and more

An Uber self-driving car: its emergency response isn’t ideal. Photo by zombieite on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. Non-negotiable, but call me to check. I’m @charlesarthur on Twitter. Observations and links welcome.

A reminder: you can buy my book Cyber Wars, published in the UK and due out in the US later this week. It investigates hacking incidents such as the Sony Pictures hack, the TalkTalk hack, ransomware, the Mirai IoT botnet, the TJX hack, and more. It looks at how the people in those organisations responded to the hacks – and takes a look at what future hacks might look like.

“A terrifying analysis of the dark cyber underworld.” – Aleks Krotoski

Buy it via Amazon UK (Kindle or paperback)

Buy it via Amazon US (Kindle or paperback)

Exclusive: FBI seizes control of Russian botnet • Daily Beast

Kevin Poulsen:


FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers, The Daily Beast has learned. The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to reinfect its targets.

The FBI counter-operation goes after “VPN Filter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election. On Wednesday security researchers at Cisco and Symantec separately provided new details on the malware, which has turned up in 54 countries including the United States.

VPN Filter uses known vulnerabilities to infect home office routers made by Linksys, MikroTik, NETGEAR, and TP-Link. Once in place, the malware reports back to a command-and-control infrastructure that can install purpose-built plug-ins, according to the researchers. One plug-in lets the hackers eavesdrop on the victim’s Internet traffic to steal website credentials; another targets a protocol used in industrial control networks, such as those in the electric grid. A third lets the attacker cripple any or all of the infected devices at will.

The FBI has been investigating the botnet since at least August, according to court records, when agents in Pittsburgh interviewed a local resident whose home router had been infected with the Russian malware. “She voluntarily relinquished her router to the agents,” wrote FBI agent Michael McKeown, in an affidavit filed in federal court. “In addition, the victim allowed the FBI to utilize a network tap on her home network that allowed the FBI to observe the network traffic leaving the home router.”


That was quick.

The LocationSmart scandal is bigger than Cambridge Analytica. Here’s why no one is talking about it • Slate

Will Oremus:


Motherboard reported last week that Securus had been hacked, with the credentials of 2,800 authorized users stolen, most or all of them presumably working in law enforcement or at prisons. (Securus’ main business involves helping prisons crack down on inmates’ cellphone use.) It’s a safe bet that some of those users had access to the same location-tracking tools that the Missouri sheriff abused.

So how was Securus getting all that data on the locations of mobile-phone users across the country? We learned more last week, when ZDNet confirmed that one key intermediary was a firm called LocationSmart. The big U.S. wireless carriers—AT&T, Verizon, Sprint, and T-Mobile—were all working with LocationSmart, sending their users’ location data to the firm so that it could triangulate their whereabouts more precisely using multiple providers’ cell towers. It seems no one can opt out of this form of tracking, because the carriers rely on it to provide their service.

It gets worse. A Carnegie Mellon researcher poking around on LocationSmart’s website found that he could use a free trial service to instantly pinpoint the location of, well, just about anyone with a mobile phone and wireless service from one of those major carriers. He did this without any permission or credentials, let alone a warrant.


And why is it not a big story? Oremus thinks because it’s not about Trump getting elected, unlike the Cambridge Analytica story. I disagree: I think it’s because we’re so used to tracking each other that it has become ordinary. What isn’t ordinary – with the Cambridge Analytica story – is foreign interference and dark media aimed at changing people’s minds.

Pray for the souls of the people sucked into this dating site hell • Gizmodo

Kashmir Hill:


Earlier this year, the media got very excited about, a site for the pro-Donald set that promised to “make dating great again.” Much of the media coverage was critical: The site only allowed users to conduct heterosexual searches; the male-half of the couple originally featured on the homepage had a child sex conviction; and its creator didn’t seem to actually exist.

Despite all this, the site attracted over 250,000 members, according to its media liaison, Sean McGrossler. He told me over email that 15% of those members paid for accounts, starting at $24.99 per month, which would mean the site has made a not immodest $1m over the last few months.

Perhaps it’s no surprise, then, that launched weeks later. It got its own round of news articles, despite being founded by a “political startup” called the “American Liberal Council” that only seems to exist on Facebook, where it mostly posts liberal memes in the style of a Russian misinformation account. (The account hasn’t posted since March and did not respond to messages.)

Intrigued by the attention these sites were getting, Alexandra Mateescu, a researcher at Data & Society Research Institute, decided to sign up, not to date a political partisan but to see who was actually on the sites. When she began looking for single men in New York City, where she lives, the results immediately struck her as odd. According to the site, there were lots of Trump supporters in her liberal hometown, and they were racially and ethnically diverse, which surprised her. Few of them referred to Trump in their profiles, though, which seemed strange given the site they’d joined. She wanted to find out more about these people, but she couldn’t message them without purchasing a membership, which she didn’t want to do, so she and a few friends tried to find the members elsewhere on the web, by using a tried-and-true method of many an online dater: reverse image-searching profile photos to see where else they appeared.

This led Mateescu to people who were not the ones described in the profiles.


It turns out both sites used a “turnkey dating solution” which claims to do dating sites for “almost any niche”. (She tried but was blocked from doing one for journalists.) It all looks reaallly sketchy.

What happened to Velib, Paris’s glitchy bikeshare system? • CityLab

Feargus O’Sullivan:


The problems started last May, when management for the Velib system was taken over by a new contractor that, in a classic burst of nonsensical Franglais, goes by the name Smovengo. As part of an ambitious new upgrade, Smovengo promised that a third of the 14,000-plus fleet of bikes would be battery assisted e-bikes, forming part of a new more online-and-app-friendly fleet that would make managing and using the system more streamlined. This move required a complete overhaul of the network’s 1,200-plus docking stations. That’s where things went pear shaped. By the end of last summer, only half the replacement docks had been created, with those left unfinished creating ramshackle mini-eyesores across the French capital.

Those that have actually come into service, meanwhile, have been glitchy in the extreme. Some have electricity supply problems that have required contractors to temporarily wire up the stations to batteries. These not uncommonly run out of juice, meaning that many bikes are blocked for use by afternoon. To cap it all, Velib employees went on strike last month, frustrated by a decline in working conditions and benefits since Smovengo took over the Velib concession from previous operator JCDecaux.

With functioning docks scarce, the number of Velib subscribers plummeted from 290,000 to 190,000. The number of daily shares dropped by April to just 10,000 daily—from an all-time high of 100,000 daily. For the world’s first large-scale bikeshare service, this was quite a tumble. The free bike plan is thus less a bold move to fully liberate the system than an effort to mollify frustrated customers. If the problems continue into June, the free bike offer will continue into the summer.


A sign of the times that a bike sharing scheme going wrong becomes important.

Look (what you made me do): I illustrated 10 of my professional sins • Medium

Xaquín González Veira:


The #distractedBoyfriend meme was such a low hanging fruit. I wasn’t expecting the 3.5K likes. I can’t handle the fame.

So, I decided to really exhaust the meme by doing enough infographic-related variations that nobody in their right mind would want to be this silly again. I’m doing the industry a favor.


Such as this splendid one:

Preliminary report released for crash involving pedestrian, Uber Technologies test vehicle • NTSB


The report states data obtained from the self-driving system shows the system first registered radar and LIDAR observations of the pedestrian about six seconds before impact, when the vehicle was traveling 43 mph. As the vehicle and pedestrian paths converged, the self-driving system software classified the pedestrian as an unknown object, as a vehicle, and then as a bicycle with varying expectations of future travel path. At 1.3 seconds before impact, the self-driving system determined that emergency braking was needed to mitigate a collision. According to Uber emergency braking maneuvers are not enabled while the vehicle is under computer control to reduce the potential for erratic vehicle behavior. The vehicle operator is relied on to intervene and take action. The system is not designed to alert the operator.

In the report the NTSB said the self-driving system data showed the vehicle operator engaged the steering wheel less than a second before impact and began braking less than a second after impact. The vehicle operator said in an NTSB interview that she had been monitoring the self-driving interface and that while her personal and business phones were in the vehicle neither were in use until after the crash.

All aspects of the self-driving system were operating normally at the time of the crash, and there were no faults or diagnostic messages.


It doesn’t do emergency braking when it’s under computer control, but it doesn’t alert the “driver” either. That’s all sorts of wrong. It’s a pity that someone had to die for this huge error to become apparent.

Four serious questions about Elon Musk’s silly credibility score • Poynter

Alexios Mantzarlis:


Musk’s suggestion of a “credibility score” is worth discussing because building one is actually a pretty popular idea — especially among Silicon Valley types.

Some, like the Credibility Coalition, are trying to frame the problem thoughtfully, but most are imbued with the same techno-utopianism that has defined Musk’s public persona. In the past few months alone I received at least four different pitches for a system that uses artificial intelligence (of course) to rate the credibility of the entire internet.

The vision that one easy hack can fix media bias and massive online misinformation is pervasive among certain quarters. But it’s fatally flawed.

Other well-heeled journalism projects have promised to upend fact-checking by either injecting the crowd in it (WikiTribune) or developing a universal credibility score (NewsGuard). In WikiTribune’s case, the jury is still out, but the fact-checking work to date hardly seems paradigm-shifting. NewsGuard has raised $6m but has yet to launch.

Still, it’s clear that the status quo needs reform. Fact-checking might need to be blown up and reinvented. So rather than dunk on Musk, we should debate the underlying challenges of a genuine credibility score for the internet.


He goes through this effectively. There’s no way of doing this.

Woman says her Amazon device recorded private conversation, sent it out to random contact • KIRO-TV

Gary Horcher:


Every room in her family home was wired with the Amazon devices to control her home’s heat, lights and security system.

But Danielle [who declined to give her last name] said two weeks ago their love for Alexa changed with an alarming phone call. “The person on the other line said, ‘unplug your Alexa devices right now,'” she said. “‘You’re being hacked.'”

That person was one of her husband’s employees, calling from Seattle.

“We unplugged all of them and he proceeded to tell us that he had received audio files of recordings from inside our house,” she said. “At first, my husband was, like, ‘no you didn’t!’ And the (recipient of the message) said ‘You sat there talking about hardwood floors.’ And we said, ‘oh gosh, you really did hear us.'” Danielle listened to the conversation when it was sent back to her, and she couldn’t believe someone 176 miles away heard it too.

“I felt invaded,” she said. “A total privacy invasion. Immediately I said, ‘I’m never plugging that device in again, because I can’t trust it.'” Danielle says she unplugged all the devices, and she repeatedly called Amazon. She says an Alexa engineer investigated.

“They said ‘our engineers went through your logs, and they saw exactly what you told us, they saw exactly what you said happened, and we’re sorry.’ He apologized like 15 times in a matter of 30 minutes and he said we really appreciate you bringing this to our attention, this is something we need to fix!”


Amazon later confirmed that this happened. But how? Unclear.

Wearables market up 35% in Q1 2018 as Apple and Xiaomi maintain lead • Canalys


Apple Watch shipments stabilized after a record quarter for the company and it matched its Q1 2017 number. “Key to Apple’s success with its latest Apple Watch Series 3 is the number of LTE-enabled watches it has been able to push into the hands of consumers,” said Canalys Senior Analyst Jason Low. “Operators welcome the additional revenue from device sales and the added subscription revenue for data on the Apple Watch, and the list of operators that sell the LTE Apple Watch worldwide is increasing each month.” Apple represents 59% of the total cellular-enabled smartwatch market. “While the Apple ecosystem has a strong LTE watch offering, the lack of a similar product in the Android ecosystem is glaring. If Google decides to pursue the opportunity with a rumored Pixel Watch, it would jump-start much needed competition in this space.”

Garmin is now the second largest smartwatch vendor after Apple, with 1 million smartwatches shipped in the last quarter. “Garmin’s transition to smartwatches has been swift as it focuses its GPS expertise on catering to endurance athletes and outdoor enthusiasts,” said Vincent Thielke, Research Analyst at Canalys. “It brought much needed improvements by adding features such as Garmin Pay to the Forerunner and vívoactive series, and now offers onboard music storage on the latest Forerunner 645.”


Very weird to still be mixing fitness bands with smartwatches. They’re really not comparable. And the WearOS space looks more and more anaemic.

StumbleUpon is calling it quits after 16 years • The Next Web

Abhimanyu Ghoshal:


I fondly remember the StumbleUpon browser button: one click, and you were instantly transported to a randomly selected webpage from its vast database, with an almost certain guarantee of spotting something of interest. The company, which was once owned by eBay, gave birth to (and eventually sunsetted) an excellent video discovery tool called 5by, and had once surpassed Facebook as the #1 source of social media traffic in the US back in 2011.

But that was then, and this is now, when ‘random’ isn’t good enough, and even our ‘serendipitous’ content discoveries are closely connected to our interests, thanks to cookies that follow us around, platforms that task us with tagging all the things online, and clever algorithms that learn what we’re into.

Garrett Camp, the founder of StumbleUpon, wants fans to transition over to his other project, Mix, which he began building back in October 2015, as something like Pinterest for content.

It works well enough when you tell the site what you like – but after spending several minutes on there, I can tell you that it doesn’t quite recreate the magic of the SU button.


I never used StumbleUpon, though the death of a little bit of serendipity is always sad. Garrett Camp, who devised it, writes on Medium that “we’ve learned from SU that while simplicity and serendipity is important, so is enabling contextual curation (ie. ‘cool space photos’) instead of just clicking ‘I like it’.”

Errata, corrigenda and ai no corrida: none notified

2 thoughts on “Start Up: FBI zaps Russian botnet, don’t listen Alexa!, the quiet location scandal, a fresh dating site hell, and more”

  1. I wonder if Musk is in fact taking a leaf from Donald Trump’s playbook of media management: If you’re getting bad press on a story, throw out a flaming tweet about some juicy topic. The pundits absolutely can’t resist it, they go nuts like hyperactive kittens snorting a meth-catnip combo. And all the subsequent noise buries the original story.

    That “Pravda” suggestion is a nicely trollish touch, in a way that strikes me as an analog of Trump’s namecalling (just a different cultural register). And Musk really looks like he’s baiting the media in followups (c’mon, c’mon, *more noise*). If he can make all the chatter be about how people who don’t like him think his ideas about them are bad, that’s a big win for him with his base. Sound familiar?

    • I think that’s an astute analysis, though it’s also a little dismaying to think that he might be consciously following the “troll the outlets” approach. Then again: tech CEOs are just like other CEOs, but gain more of our attention.
