Start Up No.897: Oregon’s weed problem, the battle over Sidewalk, Magic Leap trashed, UN condemns Myanmar and Facebook, and more

Fortnite on Android avoids Google’s Play Store – but turned out to have a big security hole. Photo by portalgda on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. Asbestos-free. I’m @charlesarthur on Twitter. Observations and links welcome.

Oregon grew more cannabis than customers can smoke. Now shops and farmers are left with mountains of unwanted bud • Willamette Week

Matt Stangel and Katie Shepherd:


Three years into Oregon’s era of recreational cannabis, the state is inundated with legal weed.

It turns out Oregonians are good at growing cannabis—too good.

In February, state officials announced that 1.1 million pounds of cannabis flower were logged in the state’s database.

If a million pounds sounds like a lot of pot, that’s because it is: Last year, Oregonians smoked, vaped or otherwise consumed just under 340,000 pounds of legal bud.

That means Oregon farmers have grown three times what their clientele can smoke in a year.

Yet state documents show the number of Oregon weed farmers is poised to double this summer—without much regard to whether there’s demand to fill.

The result? Prices are dropping to unprecedented lows in auction houses and on dispensary counters across the state.

Wholesale sun-grown weed fell from $1,500 a pound last summer to as low as $700 by mid-October. On store shelves, that means the price of sun-grown flower has been sliced in half to those four-buck grams.

For Oregon customers, this is a bonanza. A gram of the beloved Girl Scout Cookies strain now sells for little more than two boxes of actual Girl Scout cookies.

But it has left growers and sellers with a high-cost product that’s a financial loser. And a new feeling has descended on the once-confident Oregon cannabis industry: panic.


How surprising that if you allow a weed to grow unchecked, it grows unchecked.
link to this extract

Myanmar’s military accused of genocide in damning UN report • The Guardian

Hannah Ellis-Petersen:


Individuals singled out for investigation and prosecution for genocide and crimes against humanity included Min Aung Hlaing, the commander-in-chief of the Tatmadaw, who has openly stated his intention to solve “the long-standing Bengali problem”.

“There is sufficient information to warrant the investigation and prosecution of senior officials in the Tatmadaw chain of command, so that a competent court can determine their liability for genocide in relation to the situation in Rakhine state,” the report said.

Minutes after the report was released, Facebook removed 18 accounts and 52 pages associated with the Myanmar military, including that of Min Aung Hlaing. It comes in the wake of months of criticism of the company for failing to combat the spread of hate speech on Facebook in Myanmar. The Tatmadaw have often used their Facebook pages to spread disinformation and anti-Rohingya sentiment, such as photos of dismembered children posted to Min Aung Hlaing’s page, claiming they were killed by “Muslim terrorists”.

“We want to prevent them from using our service to further inflame ethnic and religious tensions,” the company said. The pages and accounts that were removed had a total of almost 12 million followers.

The UN mission called for Myanmar, formerly known as Burma, to be investigated by the international criminal court (ICC).


Let’s hope that this, the first time Facebook has been implicated in a genocide, is also the last.
link to this extract

All three iPhones coming this fall will reportedly have edge-to-edge displays • Ars Technica

Valentina Palladino:


As September approaches, so too does the release of new iPhones from Apple. A report from Bloomberg provides a few more details about the new smartphones that we can expect from the tech giant this fall, along with insight into Apple’s overall strategy. The main rumors still stand: Apple is expected to debut three new iPhones in September with the goal of diversifying its product line with various device sizes and prices to attract new customers.

The report suggests Apple will reveal a new high-end iPhone with a display close to 6.5in, which would make it the largest iPhone ever. It would also be the second iPhone to have an OLED display, a premium feature to be carried over from last year’s iPhone X. This handset will have a glass back, stainless steel edges, and the ability to show two apps side by side in split-screen.

Apple will update the current iPhone X with a faster processor and an upgraded camera. Otherwise, last year’s flagship $1,000 smartphone should remain unchanged.

The third iPhone model will sit in between the 5.8in iPhone X and the new, 6.5in high-end smartphone in size, measuring 6.1in diagonally. This will be the affordable model that has been rumored for quite some time, featuring a cheaper LCD screen instead of an OLED panel. It will also come in multiple colors and have aluminum edges instead of the stainless steel ones found on the other two iPhone models. Constructing this handset with an LCD panel and aluminum will keep costs down, allowing Apple to keep the price of this model lower than the others.


Probably two and a bit weeks off the release now.
link to this extract

Toronto’s Sidewalk Labs is facing accusations of an Orwellian takeover • The Washington Post

Brian Barth:


In October 2017, Sidewalk Labs, a Google-affiliated company looking to make urban life more streamlined, economical and green by infusing cities with sensors and data analytics, announced plans to build the world’s first neighborhood “from the Internet up” on 12 acres of the Toronto waterfront, an area known as Quayside. Sidewalk aims to, for example, build an “advanced microgrid” to power electric cars, design “mixed-use” spaces to bring down housing costs, employ “sensor-enabled waste separation” to aid recycling and use data to improve public services.

The company’s long-term vision is to expand to the adjacent Port Lands, a valuable 800-acre tract of industrial waterfront. And from there, as Prime Minister Justin Trudeau said at a press conference to unveil the project, to “other parts of Canada and around the world.” Quayside will be “a testbed for new technologies,” Trudeau declared in rousing tones. “Technologies that will help us build smarter, greener, more inclusive cities.” The media was then treated to a series of utopic renderings of a futuristic neighborhood featuring driverless buses, green-roofed condos and carefree children
running barefoot amid butterflies.

Wylie, however, has zero tolerance for smart city PR-speak. “The smart city industry is a Trojan horse for technology companies,” she told The WorldPost. “They come in under the guise of environmentalism and improving quality of life, but they’re here for money.”

Wylie’s resume is filled with positions in IT, government consultancies and corporate development. More recently, she’s worked part-time as a professor while volunteering for various “open data” and “civic tech” initiatives. Last November, she launched Tech Reset Canada (TRC) with three other activist-entrepreneurs — all women.

The group describes itself as “pro-growth” and “pro-innovation” but questions whether a top-down smart city project by an American tech behemoth is really in the best interests of Toronto’s citizens. “This is a story about governance, not urban innovation,” Wylie said. “There is nothing innovative about partnering with a monopoly.”


Sidewalk is a mostly unnoticed attempt by Google to control the “smart city”. There’s also opposition to it in London, coordinated by a group including Adrian Short.
link to this extract

Epic’s first Fortnite Installer allowed hackers to download and install anything on your Android phone silently • Android Central

Andrew Martonik:


Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic’s first Fortnite installer for Android that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user’s knowledge. Google’s security team first disclosed the vulnerability privately to Epic Games on August 15, and has since released the information publicly following confirmation from Epic that the vulnerability was patched.

In short, this was exactly the kind of exploit that Android Central, and others, had feared would occur with this sort of installation system…

…The problem, as Google’s security team discovered, was that the Fortnite Installer was very easily exploitable to hijack the request to download Fortnite from Epic and instead download anything when you tap the button to download the game. It’s what’s known as a “man-in-the-disk” attack: an app on your phone looks for requests to download something from the internet and intercepts that request to download something else instead, unbeknownst to the original downloading app. This is possible purely because the Fortnite Installer was designed improperly — the Fortnite Installer has no idea that it just facilitated the malware download, and tapping “launch” even launches the malware.


Ben Thompson had a good rundown about this on his Stratechery newsletter (subscribers only) where he points out that this is both the downside of Android’s openness (vulnerability) and its upside (you can install anything from anywhere). Epic Games, Fortnite’s maker, wasn’t too pleased about this.
link to this extract

WhatsApp has a fake news problem—that can be fixed without breaking encryption • Columbia Journalism Review

Himanshu Gupta and Harsh Taneja:


WhatsApp changed its terms of service in August 2016 to say that it would be sharing phone number and metadata attributes such as last seen with Facebook (but not chat messages since they are end-to-end encrypted). To a TechCrunch enquiry, Facebook said the sharing of data would lead to “better friend suggestions” and “more relevant ads” for a WhatsApp user if s/he is using Facebook. Kashmir Hill of Gizmodo wrote that Facebook may be using the metadata information from WhatsApp for improving its “People You May Know” feature:

In 2014, it(Facebook) bought WhatsApp, which would theoretically give it direct insight into who messages who. Facebook says it doesn’t currently use information from WhatsApp for People You May Know, though a close read of its privacy policy shows that it’s given itself the right to do so.

Therefore, even if WhatsApp can’t actually read the contents of a message, it can access the unique cryptographic hash of that message (which it uses to enable instant forwarding), the time the message was sent, and other metadata. It can also potentially determine who sent a particular file to whom. In short, it can track a message’s journey on its platform (and thereby, fake news) and identify the originator of that message.


They reckon that Facebook could look at the metadata for attachments – which is often how fake news spreads – and identify and control its spread. The first part at least should be feasible. Notable that it now also says if a message has been forwarded multiple times; but I don’t think that would stem fake news’s virality. It tends to give it status. (Ditto on Twitter: retweets and likes aren’t veracity.)
link to this extract

Firefox Test Pilot • Advance


The Advance Test Pilot experiment is a collaboration between Laserlike and Mozilla.

In addition to the data collected by all Test Pilot experiments, here are the key things you should know about what is happening when you use Advance:

Sensitive Data: After installation, Laserlike will receive your web browsing history. No data is sent if you are in private browsing or pause mode, the experiment expires, or you disable it. Laserlike also receives your IP addresses, dates/timestamps, and time spent on webpages. This data is used to index URLs publicly visible on the web.

Controls: The settings allow you to request what data Laserlike receives about you from this experiment. You can also delete cookies, web browsing history, and related Laserlike account information.

Technical and Interaction Data: Both Mozilla and Laserlike will receive clickthrough rates and time spent on recommended content; data on how you interact with the sidebar and experiment; and technical data about your OS, browser, locale.


It’s going to send your web browsing history to a third party?!
link to this extract

Magic Leap is a tragic heap • The Blog of Palmer Luckey

The aforesaid Palmer Luckey:


Tracking is bad. There is no other way to put it. The controller is slow to respond, drifts all over the place, and becomes essentially unusable near large steel objects – fine if you want to use it in a house made of sticks, bad if you want to work in any kind of industrial environment. Magnetic tracking is hard to pull off in the best of cases, but this is probably the worst implementation I have seen released to the public…

…I will keep this part short. I hope Magic Leap does cool stuff in the future, but the current UI is basically an Android Wear watch menu that floats in front of you. The menus are made of flat panels that can only be interacted with through the previously discussed non-clickable trackpack. Eye tracking and rotation/position of the controller are ignored, as is headlook. You can toss Windows 8 style application windows all over the place, floating in space or even attached to walls! That is nifty, mostly useless, and also exactly what Microsoft started showing off about three years ago. It is some of the worst parts of phone UI slammed into some of the most gimmicky parts of VR UI, and I hope developers create better stuff in the near future…

…I gathered some order numbers from friends and compared their order times, and I am pretty confident about predicting first-week sales. Unfortunately, they changed the system shortly after I tweeted about it. Based on what I do know, it looks like they sold about 2,000 units in the first week, with a very heavy bias towards the first 48 hours. If I had to guess, I would put total sales at well under 3,000 units at this point. This is unfortunate for obvious reasons – I know over a hundred people with an ML1, and almost none of them are AR developers.


You’re thinking: Palmer Luckey.. rings a bell? Yup, the founder of Oculus, the VR company bought by Facebook.
link to this extract

1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool • The Washington Post


Somewhere in Western Australia, a government IT employee is probably laughing or crying or pulling their hair out (or maybe all of the above). A security audit of the Western Australian government released by the state’s auditor general this week found that 26% of its officials had weak, common passwords — including more than 5,000 including the word “password” out of 234,000 in 17 government agencies.


The legions of lazy passwords were exactly what you — or a thrilled hacker — would expect: 1,464 people went for “Password123” and 813 used “password1.” Nearly 200 individuals used “password” — maybe they never changed it to begin with?

Almost 13,000 used variations of the date and season, and almost 7,000 included versions of “123.”


The old favourites are the best.
link to this extract

The rise of dismal science fiction • Slate

Annalee Newitz:


When I was writing my novel Autonomous, I wanted to explore a future where automation has ushered in a world whose economy is built in part on indentured servitude. So I met with economist and Bloomberg columnist Noah Smith, who immediately started world building like a fiction writer. He suggested that I imagine that people in the 22nd century have lost the right to work or live wherever they like, unless they pay for the privilege. As a result, work itself becomes pay-to-play, and people without money have no choice but to sign indenture contracts.

I wasn’t aiming to create a metaphor. I was trying to be as literal as possible about how easy it would be to slide backward into the savagery of a slave economy. By incorporating the ideas of a working economist, I hoped to offer readers a believable thought experiment about the real-life dangers of unchecked capitalism.

Economists wouldn’t mind doing a little more consulting work for fiction writers. Just as physicists love to complain about terrible science in space operas, Smith had a lot of gripes about all the unrealistic economic ideas in current pop culture. (The Iron Bank’s investment policy in Game of Thrones was a particular target of scorn.) Nobel-winning economist Paul Krugman, a science-fiction fan, told me that it “would be nice” if he could be consulted on fantasy economics once in a while, too.

He just might get his wish. As long as the economy continues to be a source of tremendous anxiety, it’s going to fill our fantasies with alien currencies and demonic financial instruments. Maybe by confronting our problems in metaphors and thought experiments, we equip ourselves to solve them in the real world.


link to this extract

Errata, corrigenda and ai no corrida: none notified

10 thoughts on “Start Up No.897: Oregon’s weed problem, the battle over Sidewalk, Magic Leap trashed, UN condemns Myanmar and Facebook, and more

  1. Phone sizes seem to be increasing (6.5″ iPhone ! 6.4″ Note 9 ! ), but this is misleading:
    1- the cutout takes away some screen (not a lot; about 2% on the iPX)
    2- today’s screens are more elongated, so, for the same diagonal, smaller in area: a 6.5″ 19:9 screen has the same surface as a 6.2″ 16:9.
    3- worse, I find the width of a phone’s screen matters a whole lot, and the extra space up top matters very little. When reading, using maps, gaming, typing, trying to work with Office in landscape mode… very narrow screens aren’t that nice, I’d prefer a shorter, even smaller, but wider/squarer screen. That 6.5″19:9 is only as wide as a 5.6″ 16:9.

    In the end, it looks nicer because no bezels, but it doesn’t work any better.

    I still miss the 16:10 ratio of the Huawei Mediapad. I think I’ll skip upgrading my Mi Max 1 this year, because the 3’s screen isn’t any bigger, and is narrower (also, the CPU is barely faster, only the camera is noticeably better).

  2. Unless Facebook’s terms-of-service department has somehow managed to solve the problem of 100% perfectly telling the difference between “terrorist” and “freedom-fighter” (which would be an amazing feat, maybe it involves AI deep learning using a blockchain applied to its social network metadata), then it’s going to be “implicated” _every single time_ there’s a genocide and the factions involved make use of it. It’s either allowing the “terrorists” to spread their propaganda, or preventing the “freedom fighters” from drawing the world’s attention to the atrocities.

    Remember, for a while Facebook banned the iconic “Napalm Girl” Vietnam War photo. Imagine if (when?) something like that happens with a current war.

    • All that is true, but Myanmar is a particularly egregious case because it only very recently had *any* useful access to the internet for the populace. suggests that up to 2010, only 0.3% of the population of 51m had connectivity. That exploded with the advent of smartphones (I think internetlivestats overlooks them; it still thinks only 2.5% have internet, which I think is wrong, as ownership has gone to 50%) and the arrival of Facebook/WhatsApp. So this is very much a genocide where Facebook’s mechanisms – the lack of any real fact-checking of what is said, so that the loudest and most outrage-generating message is heard more loudly than the truth – have played a key part.

      • There might be a large gap between smartphone ownership and mobile Internet. Early on, when data contracts where $120+ and I still had my good Palm+Nokia habits, I used my smartphone w/o a data contract, it works surprisingly well w/ media/web pre-loading and opportunistic wifi.

        Still today, there’s a long list of offline/caching RSS/news readers, games, social media, messaging… apps. Even podcasts, YouTube vids etc don’t have to be streamed.

  3. Interestingly in the Fortnite story, it is Google’s apps that were weak to the attack and Google itself found out about own apps completely opened to the attack weeks if not days before it proudly blamed Epic Games. It’s not Epic Games problem that Google made this hole in Android especially considering that Google’s own widely used apps were vulnerable. (

    So the whole blaming of Epic Games is Google’s PR stunt orchestrated based on own falts to move responsibility and fight back off the Google Play installation. The whole China installs WeChat etc for years directly via APK downloads directly from Tencent web site. More important question is how that malicious program that catches the download stream gets on the phone from the first place. If Google play has this app to start with it’s Google Play’s initial problem to allow such an app to be on the market.

    • Very true, Michael – and Ben Thompson (at Stratechery) and Benedict Evans did point out (on their newsletters and on Twitter) that this is down to a fundamental flaw in Android. Or fundamental decision in Android, about allowing expandable storage with “Access all areas” rather than app/folder sandboxing.

  4. That’s the usual Android-bashing BS coming from the usual Android-bashing quarters:
    1- apps do have their private directory on the internal Flash, they just have to use that
    2- every Android developer knows the SD (and shared directories such as Downloads…) isn’t a safe place
    3- Google tried to make SDs safe a while back. It pissed off users, broke various apps even ledua storage, was messed-up/overridden by various OEMs…
    4- Android now has the ability to meld the SD with the internal Flash (safe, but not good for performance nor reliability) or use it in legacy mode as a free-for-all storage space. Almost all users chose that.

    • It was Google which discovered and hiighlighted the Fortnite vulnerability – is that the usual Android-bashing quarters then? And as Ben Thompson pointed out, the same flaw exists in some Google apps. It’s because the SD card is a compromise to get you more storage Real Cheap, and the downside is the security risk, which is small but real.
      Sure, Android 9 allows encryption of Adoptable Storage, but that’s an OS feature, not a GPlay feature, and so only those phones which are or get Android 9 will have it. And as we know, that’s a tiny proportion of the whole population of Google Android phones out there.
      Compromises entail chewing it up when the downside is brought to light. That’s just how it is.

      • When legit Apple devs got their apps and millions of users contaminated by malware because Apple was too cheap to have a fast local mirror for dev tools in Asia so devs were using contaminated bootlegs, nobody said it was Apple’s fault.

        When devs forget to check code integrity before installing it from an unsafe storage bucket, it is not Google’s fault. Google provides safe storage buckets, a safe way to distribute apps, and tried to make more buckets safer but users rejected it.

        I know SD storage has been a sore spot with Apple users for a while, but schadenfreude at it being misused is… petty.

        Also, I’m not sure how encryption would have any impact on this issue. Internal flash, SD, and individual files can already be encrypted. For SDs, it merely ensures they can’t be used on another device, or w/o unlocking their home device. How does that matter for the present issue ?

Leave a Reply to Michael Babich (@MichaelBabich) Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.