Start Up No.924: Google secures protesters, Microsoft ❤️ Android, Russia’s long troll game, Fitbit solves murder?, and more

“OK, get searching.” A Supermicro server, opened up. Photo by Patrick Finnegan on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 11 links for you. Today’s forecast: cyber on a number of fronts. I’m @charlesarthur on Twitter. Observations and links welcome.

The big hack: how China used a tiny chip to infiltrate US companies • Bloomberg

Jordan Robertson and Michael Riley:


To help with due diligence, AWS, which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental’s security, according to one person familiar with the process. The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression. These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small. In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to US authorities, sending a shudder through the intelligence community.


(The chips, they say, were put there by agents of the Chinese Peoples’ Liberation Army to spy on Amazon, Apple and others.)

This story has of course been cannoning around the internet, eliciting various gasps of amazement. Amazon and Apple have vehemently denied pretty much every element of the story, but the US government has been silent.

A few possibilities. 1) Apple and Amazon aren’t allowed to acknowledge it; it’s super-high security.
2) didn’t happen; it’s a ploy by US security to get manufacture brought back to the US because they’re worried about security of Chinese manufacture. (It’s not just a Trump-era ploy, because the reporters have been talking to their sources for years.)
3) everyone’s getting overheated – the chips weren’t what they’re being made out to be, which means it’s a version of No.2. Read the denials, though. Wow. Apple put out an even more aggressive denial, saying it’s not under any confidentiality demands.

One notable opinion is that this torpedoes China’s ambitions to supply chips: that nobody will trust them. I’d agree.
link to this extract

Google tested this security app with activists in Venezuela. Now you can use it too • CNET

Alfred Ng:


When connections aren’t secure, attackers can intercept DNS traffic, directing people to pages infected with malware instead, or completely block out online resources. Venezuela’s government has been known block access to social media applications and news websites through DNS manipulation, according to a study from the Open Observatory of Network Interference.

The practice is widespread, as researchers have found governments in more than 60 countries, including Iran, China and Turkey, using DNS manipulation to censor parts of the internet.

Intra was released on the Play Store on Wednesday morning for free, and Jigsaw had been testing its security features among a small group of activists in Venezuela since the beginning of the summer, Henck said.

They wanted to keep its public beta limited, but the app spread through word of mouth in Venezuela, to the point where activists from around the world started using it.

“People found it useful as a tool they could use to get the access that they needed,” Henck said.

Intra automatically points your device to Google’s public DNS server, but you’re able to point it to change it to other servers like Cloudflare’s through the settings. There’s not much you need to do with it for your encrypted connection — the app really has only one button that you tap to turn on.

This encrypted connection to DNS servers comes by default on the upcoming version of Android Pie, but Jigsaw’s developers realized that millions of people that don’t have the latest updates wouldn’t have that same protection. It’s important to consider when about 80% of Android’s users aren’t on the latest version of the mobile operating system.


As long as you’re confident the Google Play link is safe.. But this is definitely a good thing.
link to this extract

Microsoft is embracing Android as the mobile version of Windows • The Verge

Tom Warren:


Android app mirroring will be part of Microsoft’s new Your Phone app for Windows 10. This app debuts this week as part of the Windows 10 October 2018 Update, but the app mirroring part won’t likely appear until next year. Microsoft briefly demonstrated how it will work, though; You’ll be able to simply mirror your phone screen straight onto Windows 10 through the Your Phone app, which will have a list of your Android apps. You can tap to access them and have them appear in the remote session of your phone.

We’ve seen a variety of ways of bringing Android apps to Windows in recent years, including Bluestacks and even Dell’s Mobile Connect software. This app mirroring is certainly easier to do with Android, as it’s less restricted than iOS. Still, Microsoft’s welcoming embrace of Android in Windows 10 with this app mirroring is just the latest in a number of steps the company has taken recently to really help align Android as the mobile equivalent of Windows.

Microsoft Launcher is designed to replace the default Google experience on Android phones, and bring Microsoft’s own services and Office connectivity to the home screen. It’s a popular launcher that Microsoft keeps updating, and it’s even getting support for the Windows 10 Timeline feature that lets you resume apps and sites across devices.

All of this just reminds me of Windows Phone.


Yeah, Tom, let it go now. But Microsoft trying to ju-jitsu Android by getting Windows connectivity? Seems smart.
link to this extract

Oppo, Vivo and Xiaomi top customer satisfaction in India • Strategy Analytics


Based on analysis of more than 20,000 consumer ratings and reviews of 11 high, mid and low-tier smartphones in the Indian market, Strategy Analytics’ new Consumer Ratings Index Report, India Smartphones: August 2018, has identified that Oppo’s Realme 1 led consumer satisfaction in India from June to August 2018.

• Based on consumer satisfaction, the top three smartphones in India from June to August 2018 were from Chinese brands: Oppo Realme 1, Vivo V9 and Xiaomi Redmi 5. Samsung’s Galaxy J8 was rated fourth.
• Consumer reviews in India mentioned the camera most. In fact, the Samsung Galaxy J8 and Vivo V9 were rated highest for camera satisfaction among those reviews analyzed.
• The Indian brand Karbonn was rated least favorably by Indian consumers, between June and August 2018.

Adam Thorwart, Lead Analyst and report author commented, “Despite Samsung not finishing atop the consumer sentiment chart, consumers of other brands are still mentioning it most. In fact, it nearly triples Oppo which is the second most mentioned brand. This indicates that Samsung is still very popular across India.”


Chinese brands are six of the top 11 top-selling brands. It’s a conquest.
link to this extract

Reckless campaign of cyber attacks by Russian military intelligence service exposed • UK National Cyber Security Centre


Today, the UK and its allies can expose a campaign by the GRU, the Russian military intelligence service, of indiscriminate and reckless cyber attacks targeting political institutions, businesses, media and sport.

The National Cyber Security Centre (NCSC) has identified that a number of cyber actors widely known to have been conducting cyber attacks around the world are, in fact, the GRU.  These attacks have been conducted in flagrant violation of international law, have affected citizens in a large number of countries, including Russia, and have cost national economies millions of pounds.

Cyber attacks orchestrated by the GRU have attempted to undermine international sporting institution WADA, disrupt transport systems in Ukraine, destabilise democracies and target businesses.

This campaign by the GRU shows that it is working in secret to undermine international law and international institutions.


It then lists 10 attacks which it attributes to the GRU – “high confidence the GRU was almost certainly responsible”. Maybe just do a confidence score out of 10?
link to this extract

Russian trolls tweeted disinformation long before US election • WSJ

Rob Barry:


Alice Norton posted an emergency message on a cooking-website forum on Thanksgiving 2015: Her entire family had severe food poisoning after buying a turkey from Walmart.

“My son Robert got in the hospital and he’s still there,” wrote Ms. Norton, who had described herself as a 31-year-old New York City mother of two. “I don’t know what to do!”

Within hours, Twitter users repeated the claim thousands of times, and a news story was published saying 200 people were in critical condition after eating tainted turkey.

The catch? No outbreak of food poisoning matching this description occurred, according to New York City health officials. A Walmart Inc. spokesman said the company had spotted the posts but determined they were a hoax and didn’t investigate their origin further.

In fact, many of the claims came from accounts linked to a pro-Kremlin propaganda agency charged by Special Counsel Robert Mueller’s office last week for meddling in U.S. politics. Security experts now believe the early posts, and others like them, may have been practice for a bigger target: the 2016 U.S. election.

While it is impossible to be sure what was in the minds of Russians tweeting false stories in 2014 and 2015—which also included tales of contaminated water, terrorist attacks and a chemical-plant explosion—these experts say it is as if the Russians were testing to see how much they could get Americans to believe.


Turns out that the latter is “really quite a lot”. America’s a big country, and a lot can happen. And a lie can get halfway around the world before the truth has got its boots on, as people say.
link to this extract

Smaller outlets reduce, scrap Facebook promotion over new ad rules • Columbia Journalism Review

Mathew Ingram:


To promote political news stories, Facebook requires that publishers apply and be authorized as a political advertiser—presumably to prove that they aren’t a front for a Russian or Iranian troll factory. The process requires the uploading of official ID, such as a driver’s license, a passport, or the last four digits of a Social Security Number, along with receipt of a registered letter at an approved US address.

For larger media outlets, these requirements might be complicated and annoying. For smaller publishers, Facebook’s new rules can be so unwieldy and demanding—and the definition of what constitutes a “political news story” so capricious—that small newsrooms in four states told CJR they are either scaling back their Facebook usage or, in some cases, have given up on promoting their content there at all.

Nick Kratsas, the digital operations director for southwestern Pennsylvania’s Observer-Reporter, went through Facebook’s approval process in order to promote his site’s political stories; he says his company gets a significant amount of traffic and engagement from the social network. About 55% of its monthly visits are due to Facebook links. (Like many other publishers, the paper has seen a drop after the latest algorithm changes, a decline that Kratsas recently estimated at about 8 percent.)

Kratsas says the platform’s tendency to flag any news story that mentions a politician or political topic has become so irritating that he wonders whether it is really worth the time that his company spends on it. The rest of the Observer-Reporter team hasn’t gone through Facebook’s authorization process, says Kratsas, and they are still finding their stories denied for allegedly political topics.


Unintended consequences: local news gets stuffed.
link to this extract

Police use Fitbit data to charge 90-year-old man in stepdaughter’s killing • The New York Times

Christine Hauser:


On Sept. 13, a co-worker of Ms. Navarra’s went to the house to check on her because she had not showed up for her job at a pharmacy, the report said. The front door was unlocked, and she discovered Ms. Navarra dead, slouched in a chair at her dining room table.

She had lacerations on her head and neck, and a large kitchen knife was in her right hand, the report said. Blood was spattered and uneaten pizza was strewn in the kitchen. The coroner ruled the death a homicide.

Detectives then questioned Ms. Navarra’s only known next-of-kin, her 92-year-old mother, Adele Aiello, and [stepfather] Mr. Aiello. Mr. Aiello told the authorities he had dropped off the food for his stepdaughter and left her house within 15 minutes, but he said he saw Ms. Navarra drive by his home with a passenger in the car later that afternoon.

Investigators obtained a search warrant and retrieved the Fitbit data [from Ms Navarra’s AltaHR worn on her wrist, which measured her heartbeat] with the help of the company’s director of brand protection, Jeff Bonham, the police report said…

When Ms. Navarra’s Fitbit data was compared with video surveillance from her home, the police report said, the police discovered that the car Mr. Aiello had driven was still there when her heart rate stopped being recorded by her Fitbit.

Bloodstained clothes were later found in Mr. Aiello’s home, the document said. He was arrested on Sept. 25.


When I was younger, some sci-fi stories had the idea of monitors which rich people wore to monitor their heartbeat, so that if they were killed, the killer wouldn’t get away. Turns out they’re available in your local store.
link to this extract

Artificial sweeteners are toxic to digestive gut bacteria: study • CNBC

Alexa Lardieri:


According to a study published in the journal Molecules, researchers found that six common artificial sweeteners approved by the Food and Drug Administration and 10 sport supplements that contained them were found to be toxic to the digestive gut microbes of mice.

Researchers from Ben-Gurion University of the Negev in Israel and Nanyang Technological University in Singapore tested the toxicity of aspartame, sucralose, saccharine, neotame, advantame, and acesulfame potassium-k. They observed that when exposed to only 1 milligram per milliliter of the artificial sweeteners, the bacteria found in the digestive system became toxic…

…According to the study, the gut microbial system “plays a key role in human metabolism,” and artificial sweeteners can “affect host health, such as inducing glucose intolerance.” Additionally, some of the effects of the new FDA-approved sweeteners, such as neotame, are still unknown.


Glucose intolerance.. which could be a step towards diabetes.
link to this extract

BlackBerry races ahead of security curve with quantum-resistant solution • TechCrunch

Ron Miller:


Today, BlackBerry announced a new quantum-resistant code signing service to help battle that possibility.

The service is meant to anticipate a problem that doesn’t exist yet. Perhaps that’s why BlackBerry hedged its bets in the announcement saying, “The new solution will allow software to be digitally signed using a scheme that will be hard to break with a quantum computer.” Until we have fully functioning quantum computers capable of breaking current encryption, we probably won’t know for sure if this works.

But give BlackBerry credit for getting ahead of the curve and trying to solve a problem that has concerned technologists as quantum computers begin to evolve…

…”If your product, whether it’s a car or critical piece of infrastructure, needs to be functional 10-15 years from now, you need to be concerned about quantum computing attacks,” Charles Eagan, BlackBerry’s chief technology officer, said in a statement.


I would like to announce that I have got software which will be hard to break by nine-legged aliens intent on dominating our planet. I thought it was important to get ahead of the curve and try to solve a problem that has concerned me since, well, yesterday.
link to this extract

The interesting ideas in Datasette • Simon Willison

The aforesaid Willison, who has built a database tool called Datasette which uses SQLite databases (caution: can only store up to 140TB – yes, terabytes). This will interest you if you’re into data tools; Willison built the tools that the Guardian used to analyse MPs’ expenses:


Since the data in a Datasette instance never changes, why not cache calls to it forever?

Datasette sends a far future HTTP cache expiry header with every API response. This means that browsers will only ever fetch data the first time a specific URL is accessed, and if you host Datasette behind a CDN such as Fastly or Cloudflare each unique API call will hit Datasette just once and then be cached essentially forever by the CDN.

This means it’s safe to deploy a JavaScript app using an inexpensively hosted Datasette-backed API to the front page of even a high traffic site—the CDN will easily take the load.

Zeit added Cloudflare to every deployment (even their free tier) back in July, so if you are hosted there you get this CDN benefit for free.

What if you re-publish an updated copy of your data? Datasette has that covered too. You may have noticed that every Datasette database gets a hashed suffix automatically when it is deployed:

This suffix is based on the SHA256 hash of the entire database file contents—so any change to the data will result in new URLs. If you query a previous suffix Datasette will notice and redirect you to the new one.

If you know you’ll be changing your data, you can build your application against the non-suffixed URL. This will not be cached and will always 302 redirect to the correct version (and these redirects are extremely fast).

The redirect sends an HTTP/2 push header such that if you are running behind a CDN that understands push (such as Cloudflare) your browser won’t have to make two requests to follow the redirect.


link to this extract

Errata, corrigenda and ai no corrida: none notified

3 thoughts on “Start Up No.924: Google secures protesters, Microsoft ❤️ Android, Russia’s long troll game, Fitbit solves murder?, and more

  1. re. Chinese hack. My brother used to work for a very large French company, in non-core IT. He twice told me the core team was locked down in what seemed emergency mode; for a few days. I’d say it’s possible that some incidents are kept very confidential, to the point of extracting false statements from 3rd parties.

    With several thousand supposedly hacked servers in the wild, it should be possible to get our hands on one though. Who wants to go seize them ? Your choice: porn company or mormons !

  2. re. Android+Windows: I’m not seeing anything Windows My Phone does that Pushbullet hasn’t been doing -and more- for years, w/o forcing us to use a specific Launcher (MS’s is quite good though).

    What’s surprising is that Google hasn’t done something equivalent, to avoid relinquishing the Launcher to MS. To me, that goes back to Google not understanding most users. They don’t have an official x86-Andorid VM; they don’t have official remoting; even simple backups is messed up, it’s supposed to be supported by their desktop Sync utility, but
    – it blocks the USB port (no copying files while Sync is in progress)
    – it doesn’t integrate with Photos, (pics and vids get backed-up twice, or something)
    – it doesn’t list folders in a tree but as a flat list, which is fun with a 384GB phone filled with ever-changing TV series and Movies you don’t want to backup.

    On balance, I’d say Google is less user-aware than MS these days, which is a huge change that happened after MS gave up on Mobile. Unluckily, I don’t see any humble coming Google’s way anytime soon.

  3. re. Smartphone satisfaction, I think the Chinese OEMs in India (and Europe) are benefiting from the late-entrant bonus: they got there once cheap smartphones could be delightful, which happened 3-4 yrs ago. Brands that were selling before that are tainted since people remember their bad early devices.

    I’ve got a case of that myself, I bought cheap Lenovo that really sucked, since then I’ve been leery of Lenovo, even though tests say some models today are Xiaomi-like.

    Also, remember Oppo, Vivo and OnePlus are really the same company. I’m surprised we’re not seeing more articles about consolidation, I peg it at 90% for the top 5 in China, 75+% wwide, which is recent and fast and meaningful (see: Google freaking out a bit about China)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.