Start Up No.963: the headphones vulnerable to hacking, Amazon gets chippy, tracking a novel’s progress, AutoCAD malware?!, and more

Amazon’s new Textract might be able to OCR the text – and tables – if you can scan it. CC-licensed photo by Thom Watson on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 12 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.

How restaurants got so loud • The Atlantic

Kate Wagner:


Other sounds that reach 70 decibels include freeway noise, an alarm clock, and a sewing machine. But it’s still quiet for a restaurant. Others I visited in Baltimore and New York City while researching this story were even louder: 80 decibels in a dimly lit wine bar at dinnertime; 86 decibels at a high-end food court during brunch; 90 decibels at a brewpub in a rehabbed fire station during Friday happy hour.

Restaurants are so loud because architects don’t design them to be quiet. Much of this shift in design boils down to changing conceptions of what makes a space seem upscale or luxurious, as well as evolving trends in food service. Right now, high-end surfaces connote luxury, such as the slate and wood of restaurants including The Osprey in Brooklyn or Atomix in Manhattan.

This trend is not limited to New York. According to Architectural Digest, mid-century modern and minimalism are both here to stay. That means sparse, modern decor; high, exposed ceilings; and almost no soft goods, such as curtains, upholstery, or carpets. These design features are a feast for the eyes, but a nightmare for the ears. No soft goods and tall ceilings mean nothing is absorbing sound energy, and a room full of hard surfaces serves as a big sonic mirror, reflecting sound around the room.

The result is a loud space that renders speech unintelligible. Now that it’s so commonplace, the din of a loud restaurant is unavoidable. That’s bad for your health—and worse for the staff who works there. But it also degrades the thing that eating out is meant to culture: a shared social experience that rejuvenates, rather than harms, its participants.


link to this extract

Sennheiser headset software could allow man-in-the-middle SSL attacks • Bleeping Computer

Lawrence Abrams:


When users have been installing Sennheiser’s HeadSetup software, little did they know that the software was also installing a root certificate into the Trusted Root CA Certificate store. To make matters worse, the software was also installing an encrypted version of the certificate’s private key that was not as secure as the developers may have thought.

Similar to the Lenovo SuperFish fiasco, this certificate and its associated private key, was the same for everyone who installed the particular software. Due to this it could allow an attacker who was able to decrypt the private key to issue fraudulent certificates under other domain that they have no control over. This would allow them to perform man-in-the-middle attacks to sniff the traffic when a user visits these sites.

While these certificate files are deleted when a user uninstalls the HeadSetup software, the trusted root certificate was not removed. This would allow an attacker who had the right private key to continue to perform attacks even when the software was no longer installed on the computer.

According to a vulnerability disclosure issued today by security consulting firm Secorvo these certificates were discovered when doing a random check of a computer’s Trusted Root Certificate CA store.


Whaaaat. Some time later:


Now that they had access to the private key for the root certificate, they were able to generate a wild card certificate that signs traffic from,, and for fun, some of the headset maker’s competitors –,, and


link to this extract

Amazon Textract: extract text and data • AWS


Amazon Textract is a service that automatically extracts text and data from scanned documents. Amazon Textract goes beyond simple optical character recognition (OCR) to also identify the contents of fields in forms and information stored in tables.

Many companies today extract data from documents and forms through manual data entry that’s slow and expensive or through simple optical character recognition (OCR) software that is difficult to customize. Rules and workflows for each document and form often need to be hard-coded and updated with each change to the form or when dealing with multiple forms. If the form deviates from the rules, the output is often scrambled and unusable.

Amazon Textract overcomes these challenges by using machine learning to instantly “read” virtually any type of document to accurately extract text and data without the need for any manual effort or custom code.


Ooo. There’s a free tier. Or $1.50 per thousand pages. Now in preview. (Is that Amazonese for “beta”?)
link to this extract

Amazon Web Services introduces its own custom-designed Arm server processor, promises 45% lower costs for some workloads • GeekWire


After years of waiting for someone to design an Arm server processor that could work at scale on the cloud, Amazon Web Services just went ahead and designed its own.

Vice president of infrastructure Peter DeSantis introduced the AWS Graviton Processor Monday night, adding a third chip option for cloud customers alongside instances that use processors from Intel and AMD. The company did not provide a lot of details about the processor itself, but DeSantis said that it was designed for scale-out workloads that benefit from a lot of servers chipping away at a problem.

The new instances will be known as EC2 A1, and they can run applications written for Amazon Linux, Red Hat Enterprise Linux, and Ubuntu. They are generally available in four regions: US East (Northern Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland).

Intel dominates the market for server processors, both in the cloud and in the on-premises server market. AMD has tried to challenge that lead over the years with little success, although its new Epyc processors have been well-received by server buyers and cloud companies like AWS.

But lots of companies have tried and failed to build attractive server processors using the Arm architecture, which enjoys the same market share in mobile phones as Intel does in the data centre.


Amazon bought its own company to do this. It’s able to figure out the cost-benefit because it knows precisely what it needs the chips to do, rather than the generalised ones that other companies have tried to sell it. That’s what the ARM architecture tends to be about.
link to this extract

C M Taylor on ‘keystroke logging project’ with British Library • English and Drama blog


Re-entering the academic world after starting work as an Associate Lecturer on the Publishing degree at Oxford Brookes University, I began speculating about writers’ archives. Did previous scholars have access to more hand-written and typed drafts of works in progress – actual objects showing the shaping of works of art – but with the normalisation of computerized authorship, were these discrete drafts abolished in the rolling palimpsest of write and digital rewrite?

Plus, I was considering a new novel myself, but as I have written elsewhere, emotionally I was daunted by the long-haul loneliness of novel writing, a process I considered in my most despairing moments as like wallpapering a dungeon.

I spoke to my friend Mark about these two things – the lost drafts and the loneliness – and in a flash he had the answer: ‘Put a piece of malware on it.’

He meant that if I put some malware, or spyware, on my computer to note everything I did, it would record all changes made to an evolving manuscript, plus it might offer a weird kind of company for me in my wallpapered dungeon.

It was worth a shot.


Generated 222GB of data across 108,318 files.
link to this extract

Bloomberg is still reporting on challenged story regarding China hardware hack • The Washington Post

Eric Wemple is the WaPo’s media critic:


In emails to employees at Apple, Bloomberg’s Ben Elgin has requested “discreet” input on the alleged hack. “My colleagues’ story from last month (Super Micro) has sparked a lot of pushback,” Elgin wrote on Nov. 19 to one Apple employee. “I’ve been asked to join the research effort here to do more digging on this … and I would value hearing your thoughts (whatever they may be) and guidance, as I get my bearings.”

One person who spoke with Elgin told the Erik Wemple Blog that the Bloomberg reporter made clear that he wasn’t part of the reporting team that produced “The Big Hack.” The goal of this effort, Elgin told the potential source, was to get to “ground truth”; if Elgin heard from 10 or so sources that “The Big Hack” was itself a piece of hackery, he would send that message up his chain of command. The potential source told Elgin that the denials of “The Big Hack” were “100% right.”

According to the potential source, Elgin also asked about the possibility that Peter Ziatek, senior director of information security at Apple, had written a report regarding a hardware hack affecting Apple. In an interview with the Erik Wemple Blog, Ziatek says that he’d never written that report, nor is he aware of such a document. Following the publication of Bloomberg’s story, Apple conducted what it calls a “secondary” investigation surrounding its awareness of events along the lines of what was alleged in “The Big Hack.” That investigation included a full pat-down of Ziatek’s own electronic communications. It found nothing to corroborate the claims in the Bloomberg story, according to Ziatek.


Still wonder how Bloomberg is going to reverse the ferret on this one.
link to this extract

I’ve got a bridge to sell you: why AutoCAD malware keeps chugging on • Ars Technica

Dan Goodin:


The attacks aren’t new. Similar ones occurred as long ago as 2005, before AutoCAD provided the same set of robust defenses against targeted malware it does now. The attacks continued to go strong in 2009. A specific campaign recently spotted by security firm Forcepoint was active as recently as this year and has been active since at least 2014, an indication that malware targeting blueprints isn’t going away any time soon.

In an analysis expected to be published Wednesday, company researchers wrote:


CAD changed our modern life and, as an unfortunate side effect, industrial espionage also changed along with it. Design schemes, project plans, and similar vital documents are being stored and shared between parties in a digital manner. The value of these documents–especially in new and prospering industries such as renewable energy–have probably never been this high. All this makes it attractive for the more skilled cybercriminal groups to chip in: instead of spamming out millions of emails and waiting for people to fall for it, significantly more money can be realized by selling blueprints to the highest bidder.


Forcepoint said it has tracked more than 200 data sets and about 40 unique malicious modules, including one that purported to include a design for Hong Kong’s Zhuhai-Macau Bridge. The attacks include a precompiled and encrypted AutoLISP program titled acad.fas. It first copies itself to three locations in an infected computer to increase the chances it will be opened if it spreads to new computers. Infected computers also report to attacker-controlled servers, which use a series of obfuscated commands to download documents.


link to this extract

Are you sitting down? Standing desks are overrated • The New York Times

Aaron Carroll:


Let’s start with what we know about research on sitting, then explain why it can be misleading as it relates to work. A number of studies have found a significant association between prolonged sitting time over a 24-hour period and increased risk for cardiovascular disease. A 2015 study, for instance, followed more than 150,000 older adults — all of whom were healthy at the start of the study — for almost seven years on average. Researchers found that those who sat at least 12 hours a day had significantly higher mortality than those who sat for less than five hours per day.

A 2012 study in JAMA Internal Medicine followed more than 220,000 people for 2.8 years on average and found similar results. Prolonged sitting over the course of a day was associated with increased all-cause mortality across sexes, ages and body mass index. So did a smaller but longer (8.6 years on average) study published in 2015 in the Journal of Physical Activity & Health.

Another study from 2015, which followed more than 50,000 adults for more than three years, also found this relationship. But it found that context mattered. Prolonged sitting in certain situations — including when people were at work — did not have this same effect.


I’m not going to take this news… sitting down. No, wait.

Why might that be? Sitting itself may not be the problem; it may be a marker for other risk factors that would be associated with higher mortality. Unemployed or poorer people, who would also be more likely to have higher mortality, may be more likely to spend large amounts of time sitting at home. For some, sedentary time is a marker, not the cause, of bad outcomes.
link to this extract

Nintendo Switch loses shine with shipments seen missing target • Bloomberg

Yuji Nakamura:


With few attractive titles for the holiday shopping season and shipments on track to fall short of the company’s targets, doubts are growing whether Nintendo Co.’s Switch can ever become a mass-market product.

When the device debuted last year as a hybrid console that could be carried around, it was classic Nintendo — a new gadget that broke the norms of conventional video games. Equipped with a built-in screen and hypersensitive controllers, the Switch was billed as a worthy successor to the Wii, Nintendo’s rule-breaking blockbuster console.

The goal was to make the gaming experience as seamless as possible, while letting people use the product in new ways, such as turning it into a virtual piano or motorcycle. But so far, the Switch has struggled to find customers beyond a core fan base. The Switch is on track to reach 35 million unit shipments by March, according to the average of eight analysts’ estimates compiled by Bloomberg, short of Nintendo’s target of 38 million.

After cramming its best franchises — Super Mario, Zelda and Splatoon — into the first 12 months, the Kyoto-based company was left with fewer games to show off in the second year, hurting hardware sales. Cardboard accessories introduced in April, called Nintendo Labo, have mostly failed to expand interest beyond those who were already planning to pick up a Switch.

“All great consoles need a great second year, and Nintendo hasn’t delivered one for the Switch,” said Cornelio Ash, an analyst at William O’Neil & Co. in Los Angeles. “Investors thought over five years they could sell maybe 90 million units. But after this year, that’s looking pretty much impossible.”


link to this extract

KodakOne allegedly owes developers over $100K in unpaid invoices • The Next Web



In a series of email exchanges reviewed by Hard Fork, a group of contractors has accused KodakOne for failing to pay up their contracting fees in the agreed timeframe. The contractors are collectively seeking to receive over $125,000 in accumulated invoices, according to an email sent by a UK-based law firm on their behalf.

“Unfortunately apologies and unfulfilled promises of a payment proposal are not enabling my client to pay the people that did the work for [KodakOne],” the email shared with Hard Fork read. “Time is short and in the absence of any meaningful payment proposal, court proceedings will be commencing in [seven] days.”

The email was sent on behalf of European recruiting agency iFindTech, which purportedly helped KodakOne find talent to build its platform. The email was sent by law firm London Law Practice on October 26.

Indeed, the email exchanges show that at some point iFindTech reps advised contractors to cease work on KodakOne until all owed funds have been paid out.


Kodak has some problems.
link to this extract

Killing 3ve: how the FBI and tech industry took down a massive ad fraud scheme • Buzzfeed News

Craig Silverman:


In August 2017, the FBI organized a secret meeting of digital advertising and cybersecurity experts in a secure room in a Manhattan federal building. The roughly 30 people in attendance met to create a coordinated response to a massive ad fraud scheme that posed a risk to the global digital advertising industry and sparked a criminal investigation.

After an introduction by FBI agents, representatives from Google and bot-detection firm White Ops outlined the details of what the tech employees say is one of the largest and most sophisticated digital ad fraud operations they’d encountered.

Sandeep Swadia, the CEO of White Ops, called it a “very complex, ever-shifting maze,” while Scott Spencer, a Google product manager, labeled it a “multiheaded beast” in exclusive interviews with BuzzFeed News.

Eventually, they gave it a name: 3ve (pronounced “eve”).

Today the Department of Justice announced it has unsealed a 13-count indictment against eight men for charges including wire fraud, computer intrusion, aggravated identity theft, and money laundering for their alleged role in masterminding and operating 3ve. The government alleges they stole tens of millions of dollars by using “sophisticated computer programming and infrastructure around the world to exploit the digital advertising industry through fraud.”


link to this extract

US iOS users targeted by massive malvertising campaign • ZDNet

Catalin Cimpanu:


A cyber-criminal group known as ScamClub has hijacked over 300 million browser sessions over 48 hours to redirect users to adult and gift card scams, a cyber-security firm has revealed today.

The traffic hijacking has taken place via a tactic known as malvertising, which consists of placing malicious code inside online ads.

In this particular case, the code used by the ScamClub group hijacked a user’s browsing session from a legitimate site, where the ad was showing, and redirected victims through a long chain of temporary websites, a redirection chain that eventually ended up on a website pushing an adult-themed site or a gift card scam.

These types of malvertising campaigns have been going on for years, but this particular campaign stood out due to its massive scale, experts from cyber-security firm Confiant told ZDNet today.

“On November 12 we’ve seen a huge spike in our telemetry,” Jerome Dang, Confiant co-founder and CTO, told ZDNet in an email.

Dangu says his company worked to investigate the huge malvertising spike and discovered ScamClub activity going back to August this year.

“The difference is the volume,” Dango told us. “One of the reasons for the November 12 spike is that they were able to access a very large ad exchange. Previously they only had access to lower reputation ad networks which limited their visibility on premium websites.”

Dangu said that during the 48 hours during which the malvertising spike was active, 57% of Confiant’s customers were affected, showing the malvertising campaign’s huge reach.

He said that the malicious ads were created to look like ads for official Android apps (, but in reality, they were engineered to hijack iOS US-based users and redirect them to ScamClub’s adult and gift card scams, where crooks tried to collect users’ personal and financial data via deceitful offers.


link to this extract

Errata, corrigenda and ai no corrida: OK, so: it is the null allele of the CCR5 gene (mentioned in the story about a Chinese scientist altering babies’ DNA with CRISPR) which is of recent origin, according to Wikipedia, not the CCR5 gene itself. The point being though that the null allele seems to confer resistance against HIV, but has no obvious drawbacks. Well, apart from higher risk of a tick-borne encephalitis. Thanks to Chris Wolverton for pointing that out.

1 thought on “Start Up No.963: the headphones vulnerable to hacking, Amazon gets chippy, tracking a novel’s progress, AutoCAD malware?!, and more

  1. I’m a bit confused about the ins & outs of doing your own custom ARM chip. It seems IP is more of an obstacle than tech, with 1 part easy to license (the ARM cores and internal buses), 2 parts hard to license or work around (graphics and radio), a virgin part (AI), and probably some parts I don’t know bout (like external buses, it seems a bit weird they’re not doing a PCIe version to normalize peripherals, …).

    It’s kind of weird that Xiaomi’s efforts seem dead, and that Samsung doesn’t seem eager to sell theirs (maybe some gentleman’s agreement with fab clients such as Qualcomm ?), and that nobody seems to be even trying to go after Apple’s single-thread lead. I’m curious if Android’s baseline CPU-load is higher and more threaded than iOS’. There seems to be a lot more background stuff and less policing of app, and a bit of drama when OEMs try to stop that

    It’s also weird to see so many companies designing chips. One would assume the research and IP is a lot more complex than picking the right features, creating some barriers to entry ?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.