Start Up No.906: “iPhone XC” and “XS Plus”?, Facebook’s fake problem, are we post-PC?, ride-hailing grows… traffic, and more

Tesla’s touchscreen: distraction never looked so appealing, or potentially dangerous. Photo by harry_nl on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. Because it’s Monday, or soon will be. I’m @charlesarthur on Twitter. Observations and links welcome.

Opinion: why Facebook will never be free of fakes • The New York Times

Siva Vaidhyanathan:


“As of this morning, the Facebook community is now officially two billion people!” Facebook’s chief executive, Mark Zuckerberg, wrote on his Facebook page in July 2017. “We’re making progress connecting the world, and now let’s bring the world closer together.”

It was a monumental achievement. But on Wednesday, Sheryl Sandberg, Facebook’s chief operating officer, revealed a number that was almost as startling. She told the Senate Intelligence Committee that from October to last March, Facebook deleted 1.3 billion fake accounts. In other words, an alarming portion of those more than two billion users — more than the company had publicly acknowledged — were fake.

That number should prompt tough questions from Facebook users and advertisers. How many fake accounts were there before Facebook instituted this aggressive defense in 2017? What sort of sites are these — political propaganda or attempted advertising fraud? What countries do these accounts come from? How can anyone — advertisers, investors or Facebook users concerned about its role in our culture and democracy — trust the integrity of the Facebook experience?

Facebook’s latest “transparency report” states that fake pages account for only 3% to 4% of monthly active users at any given time. How can 1.3 billion accounts account for only 3% to 4% of 2.2 billion users? The answer is that such pages are going up faster than Facebook can swat them down.


Vaidhyanathan is a professor of media studies at the University of Virginia and the author of “Antisocial Media: How Facebook Disconnects Us and Undermines Democracy.” His general point: no matter how small the percentage seems, Facebook is always going to have a lot of fakes at any time.
link to this extract

Tesla touchscreens to offer minimalist ‘fade mode’ • Engadget

Nick Summers:


Screens can be distracting and, therefore, dangerous if you’re driving an expensive car down the freeway. If you own a Tesla, though, fear not: the company is adding a software feature that will make its giant touchscreens less intrusive. Tesla CEO Elon Musk, replying to a tweet by EV owner Andrew Gold, confirmed that a “fade mode” will soon be added that hides all but “essential info.” It sounds like a neat option, and heck — if the display isn’t working so hard, maybe it will save some battery life too?

Fade Mode will form part of version 9, a highly anticipated firmware update for Tesla’s electric fleet. The update will change the UI in the Model S and crossover Model X to be closer to the Model 3. It should also include some “significant advancements in autonomy,” Musk hinted on a conference call in August. The company’s autopilot software could be patched with a long-anticipated “on-ramp to off-ramp solution” that will move into faster lanes on the freeway, identify your exit, move into the correct lane for the exit and then hand back control at a suitable time.


Can’t think that having a stonking big tablet just by the steering wheel is anything but a massive distraction. Physical controls on the dashboard might be old-fashioned but they have terrific affordance: you know what the controls can do just by feeling them, in general.
link to this extract

The ‘post-PC era’ never really happened…and likely won’t • Tech.pinions

Mark Lowenstein:


the growing number of portable PCs that feature touch screens and other tablet-like capabilities are eating a bit into tablet sales, particularly among the student set. The other personification of some aspect of the ‘post-PC’ area, I suppose, is the successful Chromebook line, which is more a reflection of the Cloud and near-pervasiveness of broadband connectivity.

It even appears that Apple doesn’t believe in the ‘post-PC’ mantra in the same way, given the steadily narrowing delta between the largest iPhone and the smallest iPad. Mainly, this is an effort to convince more users to have both an iPhone and an iPad, since I doubt that most users who have both would have a big phone and a small tablet.

So, the question is, what will change in 3 to 5 years? There will be tons of innovation of course, but I’m not expecting the average consumer or business professional to be carrying with them a dramatically different mix of device types or # of devices in the medium term. Even with pens that recognize and convert handwriting better and continual improvements in voice input, there’s still nothing that really beats the good ‘ol keyboard for productivity. And we’re still very locked into the Big Three of word processing, spreadsheets, and presentation software. The main difference has been the move to the cloud, improved collaboration, and competitive products from Google.


This is slightly disingenuous. Since 2013, iPads have outsold Macs by an average of nearly 3x every quarter. Sure, the replacement rate for Macs is probably lower than for iPads. However, we are in the post-PC world. Ask yourself when the last world-roiling program was launched first on a PC. The answer: 2010. (Dropbox and Spotify.) Since then, every important innovation has been on mobile.

We’re in the post-music hall age, but not quite the post-radio age, or the post-TV age. But they’ve all being superseded in turn by more modern methods.
link to this extract

A new study says ride-hailing services like Uber and Lyft are causing urban traffic woes • Axios

Steve LeVine and Henrietta Reily:


Bruce Schaller, a former New York deputy commissioner of transportation and author of the report, tells Axios that when people use a ride-hailing company, they are opting to do so rather than take public transportation, walk or bike. They generally are not choosing between hailing and driving themselves.

U.S. ridership is surging, he said — up 37% last year, to 2.6bn passengers, from 2016. And hailing added 5.7bn miles of driving a year to the nine cities in the study compared with six years ago — Boston, Chicago, Los Angeles, Miami, New York, Philadelphia, San Francisco, Seattle and Washington.

Uber and other ride-hailing services may not have exacerbated traffic initially. “But now they are clearly a source of congestion, and to deal with congestion you have to deal with them,” he said. Schaller’s report aligns with an October study released by UC Davis. It found that, in U.S. cities, 49% to 61% of ride-hailing trips would have not been made at all — or by walking, biking, or public transit.

Regina Clewlow, a transportation research scientist and an author of the UC Davis study, told Axios that no one expected such consumer demand for the rides.

“Cities were blindsided by the dramatic growth of ride-sharing companies,” she said. Clewlow urged continued investment in public transportation. “There’s no way that ride hailing could move people around as efficiently as mass transit.”

This outcome also repeats history.


That history is: providing more traffic methods increases traffic.
link to this extract

Verizon’s internet boss Tim Armstrong in talks to leave • WSJ

Sarah Krouse:


Mr. Armstrong, who came to Verizon in 2015 when it acquired AOL and helped steer its purchase of Yahoo two years later, had tried to combine the two internet companies to challenge Google and Facebook Inc. in digital advertising. But those efforts so far have failed to generate much growth or make the unit, called Oath, more than a side note in the wireless giant’s earnings.

There were recent discussions about whether to spin off the Oath business, the people said, but Verizon has decided instead to integrate some of its operations more closely with the rest of the company. Mr. Armstrong, 47 years old, is in discussions to depart as soon as next month, they said, as are other members of his leadership team.

Verizon and Oath executives have disagreed over what some employees within the digital ad unit see as an overly conservative approach to using wireless subscriber data to boost Oath’s advertising revenue, people familiar with those discussions say.

Senior executives within Verizon are wary of potentially alienating lucrative wireless customers in the name of adding incremental advertising revenue, these people said. Oath contributed less than $4bn in revenue during the first half of the year, compared with the wireless business’s $44bn.


Just in case you’d forgotten, this is the rump of Yahoo. Sic transit gloria mundi.
link to this extract

Alleged China Mobile leak names ‘iPhone XC’ and ‘iPhone XS Plus’ in Apple’s 2018 iPhone lineup • Mac Rumors

Tim Hardwick:


First spotted by Japanese tech blog MacOtakara, the China Mobile slide refers to the larger 6.5-inch OLED iPhone as “iPhone XS Plus”, casting doubt on earlier claims that the larger OLED iPhone will take the moniker “iPhone XS Max”. Meanwhile, the lower-spec 6.1-inch LCD iPhone is referred to as “iPhone XC”.

The last time Apple used “C” nomenclature in its smartphones was for 2013’s iPhone 5c, which was priced below the flagship iPhone 5 series and featured a plastic rear case available in blue, green, yellow, white, and pink colors.

Respected Apple analyst Ming-Chi Kuo expects the 6.1-inch iPhone to be available in red, blue, orange, gray, and white, while the 5.8 and 6.5-inch iPhone models will be available in just three colors – presumably silver, space gray, and gold.

As for the slide’s pricing, which includes 17% Chinese sales tax, the “iPhone XS” is 7388 yuan ($1079), the “iPhone XS Plus” is 8388 yuan ($1225), and the lower-spec “iPhone XC” is 5888 yuan ($860). Minus tax, the “iPhone XS”, “iPhone XS Plus”, and “iPhone XC” prices approximately convert to $900, $1015, and $700, respectively.


I think that the celebrated discovery last week by 9to5Mac of marketing visuals for the new OLED iPhones and the new Watch design came from a carrier, not Apple. This close to the launch, they need to have the materials in place so that they can do a coordinated launch with Apple. They need to brief their staff – as demonstrated here.

The naming is starting to go all over the place. Like others, I’d expected iPhone 9 for the LCD phone. Assuming it’s right, where does the naming go next year? iPhone Y? iPhone 😀
link to this extract

For second time in three years, mobile spyware maker mSpy leaks millions of sensitive records • Krebs on Security

Brian Krebs:


mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware.

Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software. The database required no authentication.

A list of data points that can be slurped from a mobile device that is secretly running mSpy’s software.
Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months. The private key would allow anyone to track and view details of a mobile device running the software, Shah said.


It’s like rain on your wedding day, isn’t it.
link to this extract

Things you probably don’t want to do on your [airline] website’s payment pages • KristoferA’s blog


What’s the problem?
TL/DR: Some airline websites make excessive use of third party scripts/CSS/html hosted on third party sites/hosts not controlled by the website owner, which in turn make them exposed to potential vulnerabilities at those third party sites. In other words: they expose a larger than necessary attack surface. When this is done on payment pages, it increases the chance that they may leak their customers’ credit card details to unauthorized third parties.

I’m responsible for an airline website that does this – what is the worst that could happen?
Someone: either an authorized rogue user at a third party organization, or an unauthorized person who have found a weakness or backdoor that can be used to make modifications to one of the third party hosted scripts (or CSS files) can modify one of the scripts in order to make it capture credit card data and funnel it elsewhere. When discovered, the credit card companies will invite you to pay stiff penalties for the breach if you want to continue processing credit card payments, and depending on where in the world you are located/based you may also be legally required to issue a breach notification. This will inevitably lead to negative publicity for your organization.

Has this ever caused a problem in the real world?
Yes, it has. Not too long ago, Delta had customer credit card data exposed by a third party script loaded on their site as part of a chat help tool:


It feels increasingly likely to me that this is how the British Airways hack happened.
link to this extract

The servers are burning • Logic Mag

Dale Markowitz was working as a developer at OKCupid, and made a few changes that… knocked it offline. He thinks that’s OK:


For most businesses, however, a software crash is not a death knell. If you’re not building self-driving cars, storing sensitive information, or supporting the data backbone of the internet, it may not matter if an error interrupts your service. It’s okay, for example, if a free online dating site goes down for an hour or half a day. In fact, it might even be better for business to trade off bugginess for forward momentum—the ethos behind Facebook’s old mantra “move fast and break things.”

When you allow yourself to build imperfect systems, you start to work differently—faster, more ambitiously. You know that sometimes your system will go down and you’ll have to repair it, but that’s okay. “The fact that it’s easy to fix things means you end up with this methodology where you think, ‘Let’s get a broken thing out there as fast as possible that does sort of what we want, and then we’ll just fix it up,’” says David. That’s not necessarily a bad thing, since preventing errors is inherently difficult. “Even if you spend a whole bunch of time trying to make something that’s perfect, you won’t necessarily succeed,” he explains.

OkCupid was a complex site. Had we tried to make it perfect, it might not have come to exist in the first place.


His CEO at the time used to say “We can’t sacrifice forward momentum for technical debt” – that is, just build it, don’t mind about the problems building up.

I can see how this attitude comes to become dominant. But it also seems wrong, in the grand sense: debt has to be repaid. You can try to fix things. So did the people who sold collateralised debt obligations. (Via ex-Facebook dev Alec Muffett.)
link to this extract

A top-tier app in Apple’s Mac App Store stole your browser history • TechCrunch

Zack Whittaker:


Thanks in part to a video posted last month on YouTube and with help from security firm Malwarebytes, it’s now clear what the app [Adware Doctor] is up to.

Security researcher Patrick Wardle, a former NSA hacker and now chief research officer at cybersecurity startup Digita Security, dug in and shared his findings with TechCrunch.

Wardle found that the downloaded app jumped through hoops to bypass Apple’s Mac sandboxing features, which prevents apps from grabbing data on the hard drive, and upload a user’s browser history on Chrome, Firefox and Safari browsers.

Wardle found that the app, thanks to Apple’s own flawed vetting, could request access to the user’s home directory and its files. That isn’t out of the ordinary, Wardle says, because tools that market themselves as anti-malware or anti-adware expect access to the user’s files to scan for problems. When a user allows that access, the app can detect and clean adware — but if found to be malicious, it can “collect and exfiltrate any user file,” said Wardle.

Once the data is collected, it’s zipped into an archive file and sent to a domain based in China.

Wardle said that for some reason in the last few days the China-based domain went offline. At the time of writing, TechCrunch confirmed that the domain wouldn’t resolve — in other words, it was still down.

“Let’s face it, your browsing history provides a glimpse into almost every aspect of your life,” said Wardle’s post. “And people have even been convicted based largely on their internet searches!”

He said that the app’s access to such data “is clearly based on deceiving the user.”


I’d suggest that anything which claims to be helping you with adware is going to be a scam, unless it comes from a recognised cybersecurity company. The solution to adware is not running vulnerable products such as Flash and Java, and to be wary about what you download. At least Apple makes it hard to run apps from outside the Mac App Store.

This won’t, of course, help anyone’s trust in Huawei, ZTE and other Chinese companies with their own high-profile problems. And there are strong suggestions that the app maker got a lot of fake reviews on the Mac App Store.
link to this extract

Errata, corrigenda and ai no corrida: none notified

3 thoughts on “Start Up No.906: “iPhone XC” and “XS Plus”?, Facebook’s fake problem, are we post-PC?, ride-hailing grows… traffic, and more

  1. “I’d suggest that anything which claims to be helping you with adware is going to be a scam, unless it comes from a recognised cybersecurity company.”

    Well, you can’t expect each and every user to learn about each and every security company. I thought Apple was charging top dollar to do the curating for you. And that app isn’t the only culprit: ? And that dev had a history of dishonesty that warranted extra scrutiny.

    Not only did Apple not curate properly, it didn’t react for several weeks when the issue was raised directly to them. They reacted *only* when it got into the press:

    I think it’s unavoidable, though disappointing, to have holes in the curating process even for devs that should be on a watch list. What’s not excusable is to wait for bad press to start caring for the issues. This shows the same mindset as having only a token, very gated, security bounty program and not publishing a security report. Security theater through obscurity :-[

  2. Looking at the coverage of the issue.

    If you remember, last week I criticized Mr Evans and another one for trying to make Fortnie’s security issue into an Android issue. Basically, Android has public folders, devs should know to not store code there (apps have their own pvrivate folders), or at least to check the signature when running/installing. Trying to put blame on Google is like faulting the landlord when you leave your bike in an apartment building’s entryway, don’t use its lock, and it gets stolen.

    I’m curious how those 2 security activists and experts will comment about Apple failing to curate an iffy dev’s app, then failing to act for weeks after a 3rd party’s security alert. Let me guess : “”, then “Oh shiny new iPhones !”.

    Yes, I’m a bit bitter about that.

  3. PS And the analogy for that one is not “I left my bike unlocked in the hallway and someone took it”, it’s “I bought that car from you, “as new” you said, told you it was making a noise, you wouldn’t investigate, now I realize I’ve been leaking gas for years”.

Leave a Reply to stormyparis Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.