Were the Chinese behind the hack of the Starwood – and Marriott – hotels? That’s the growing suspicion. CC-licensed photo by Matt@TWN on Flickr.
It’s charity time: ahead of Christmas, I’m encouraging readers to make a donation to charity; a different one each day.
Crisis, the charity aiming to end homelessness.
Please give as generously as you feel you can.
A selection of 11 links for you. By a simple majority. I’m @charlesarthur on Twitter. Observations and links welcome.
Marriott data breach is traced to Chinese hackers as US readies crackdown on Beijing • The New York Times
While American intelligence agencies have not reached a final assessment of who performed the hacking, a range of firms brought in to assess the damage quickly saw computer code and patterns familiar to operations by Chinese actors.
The Marriott database contains not only credit card information but passport data. Lisa Monaco, a former homeland security adviser under Mr. Obama, noted last week at a conference that passport information would be particularly valuable in tracking who is crossing borders and what they look like, among other key data.
But officials on Tuesday said it was only part of an aggressive operation whose centerpiece was the 2014 hacking into the Office of Personnel Management. At the time, the government bureau loosely guarded the detailed forms that Americans fill out to get security clearances — forms that contain financial data; information about spouses, children and past romantic relationships; and any meetings with foreigners.
Such information is exactly what the Chinese use to root out spies, recruit intelligence agents and build a rich repository of Americans’ personal data for future targeting. With those details and more that were stolen from insurers like Anthem, the Marriott data adds another critical element to the intelligence profile: travel habits.
James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington, said the Chinese have collected “huge pots of data” to feed a Ministry of State Security database seeking to identify American spies — and the Chinese people talking to them.
“Big data is the new wave for counterintelligence,” Mr. Lewis said.
Marriott seems to suggest the breach was made in the reservation system. However, it is unlikely this system would have had 500 million records, given the practice to remove booking records a number of days after checkout.
Even assuming half a million rooms in Starwood’s inventory at 90% occupancy, with average lengths of stay of two days, and up to two years of advance booking, such a database would not exceed 200 million records.
As for the SPG database, it would contain one record from each SPG member, but not even under the most optimistic scenarios would Starwood have had 500 million registered SPG guests.
This leaves the Data Warehouse. The Data Warehouse would contain the booking records for several prior years, and it clearly could contain 500 million records. This is most likely the area from which the data was stolen.
However, given that some of that data had already been migrated to Marriott, it is hard to say for certain whether the breach occurred in the Starwood system, the Marriott system, or in transit as a result of exposure during the Extract-Transform-Load process used during the migration.
The second point appears to indicate Marriott first detected the issue back in September of this year (presumably by using a traffic detection tool).
We do not know when such a tool was first used, but what’s most confounding is Marriott’s assurance that the breach first occurred in 2014. If the detection tool was used prior to this September, why hadn’t the breach been detected earlier? And if the tool was not used earlier, how can they be so sure the breach occurred in 2014?
The more this story goes on, the stranger it gets.
link to this extract
[Visual effects – VFX – guru Paul] Franklin points to the work he’s done with [Interstellar/Inception/Dunkirk/Dark Knight series director Christopher] Nolan as an example of a filmmaker who gives his collaborators room to explore while staying committed to an overall vision. The director famously prefers practical effects and tries to avoid heavy CGI whenever he can. “He doesn’t like using green screens and blue screens, for all sorts of reasons, not the least of which is that it slows down the shoot,” Franklin says. “And from the point of view of the cast, there’s nothing for them to look at and react to.”
Even on Interstellar — a space-travel epic that might have been a prime candidate for loads of green screen — Franklin and his team [at his VFX company Double Negative] used front projection methods, taking massive screens and used digital projectors to throw images on them, “to create the views of what was outside the windows of the aircraft.” This is not a new method: “It’s a technique that goes back to old Roy Rogers movies, or to Cary Grant in his car driving across the Amalfi coast in To Catch a Thief, even though he’s actually on a soundstage in Burbank. But Chris realized that the advances in digital projection meant that he could do it at a much higher level of quality than had been possible in the past.”
Franklin and [the Oscar-winning VFX supervisor on Blade Runner 2049, Paul] Lambert furthered that process on Damien Chazelle’s Neil Armstrong biopic First Man, which also mostly avoided using green screens. This time, instead of using projectors to throw images on a screen, they built a massive wraparound high-definition LED screen outside of the set, so that performers could act against images that otherwise would have been added months later in post. The intensely beautiful X-15 experimental flight sequence that opens the film was shot this way, and the realism achieved also meant that the camera captured little offhand details that would have taken VFX artists weeks to do with computers. “Because you had the content on the screen, when you see Ryan [Gosling] bursting through the atmosphere, you can then see the beautiful chromatic shift on the horizon,” recalls Lambert. “That shot is in camera; Ryan is actually looking at the horizon. It’s reflected in his visor, and it’s reflected in his eye. I used to do that work myself. I used to be a compositor. I know how tricky it is to do that in post.”
Absorbing read; when the VFX take over from the story, everyone loses. When they’re subsidiary, good story wins.
link to this extract
The wireless carrier slashed the value of its AOL and Yahoo acquisitions by $4.6bn, an acknowledgment that tough competition for digital advertising is leading to shortfalls in revenue and profit.
The move will erase almost half the value of the division it had been calling Oath, which houses AOL, Yahoo and other businesses like the Huffington Post.
“The hype of Oath has been over for some time,” Wells Fargo analyst Jennifer Fritzsche said in a note Tuesday. She likened the writedown to “ripping off the Oath band-aid.”
The episode offered a silver lining for investors. Rather than attempt a megadeal like AT&T Inc.’s $85bn acquisition of Time Warner Inc., Verizon only spent about $9.5bn in the past three years buying fading web giants. Though the bet hasn’t paid off, it at least stumbled on a smaller scale.
The revision of the Oath division’s accounting leaves its goodwill balance – a measure of the intangible value of an acquisition – at about $200m, Verizon said in a filing Tuesday.
Astonishing to think of the inflated value there. And people were wondering if we were in a tech bubble?
link to this extract
Apple has dozens of medical doctors working across its various teams, say two people familiar with the company’s hiring, showing how serious it is about health tech.
The hires could help Apple win over doctors — potentially its harshest critics — as it seeks to develop and integrate health technologies into the Apple Watch, iPad and iPhone. It also suggests that Apple will build applications that can help people with serious medical problems, and not just cater to the “worried well,” as many have speculated.
These hires are not just for show, according to people familiar with the doctors and their roles. Many haven’t disclosed their role at Apple at all, which is commonplace at a company that prides itself on secrecy. One example is Stanford pediatrician Rajiv Kumar, who has worked there for several years. CNBC was able to locate 20 physicians at Apple via LinkedIn searches and sources familiar, and other people said as many as 50 doctors work there. Apple has more than 130,000 employees globally.
Clever way to increase the stickiness of its devices: if they’re better informed about your health, why are you going to give them up just for something cheaper?
link to this extract
Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked • The Register
A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, The Register can exclusively reveal.
Details of the massive screw-up reached us from Lenovo staffers, who are simply bewildered at the monumental mistake. Lenovo has sent letters of shame to its employees confessing the security snafu.
“We are writing to notify you that Lenovo has learned that one of our Singapore employees recently had the work laptop stolen on 10 September 2018,” the letter from Lenovo HR and IT Security, dated 21 November, stated.
“Unfortunately, this laptop contained payroll information, including employee name, monthly salary amounts and bank account numbers for Asia Pacific employees and was not encrypted.”
Lenovo employs more than 54,000 staff worldwide, the bulk of whom are in China.
The letter stated there is currently “no indication” that the sensitive employee data has been “used or compromised”, and Lenovo said it is working with local police to “recover the stolen device”.
When Shan Junhua bought his white Tesla Model X, he knew it was a fast, beautiful car. What he didn’t know is that Tesla constantly sends information about the precise location of his car to the Chinese government.
Tesla is not alone. China has called upon all electric vehicle manufacturers in China to make the same kind of reports — potentially adding to the rich kit of surveillance tools available to the Chinese government as President Xi Jinping steps up the use of technology to track Chinese citizens.
“I didn’t know this,” said Shan. “Tesla could have it, but why do they transmit it to the government? Because this is about privacy.”
More than 200 manufacturers, including Tesla, Volkswagen, BMW, Daimler, Ford, General Motors, Nissan, Mitsubishi and U.S.-listed electric vehicle start-up NIO, transmit position information and dozens of other data points to government-backed monitoring centers, The Associated Press has found. Generally, it happens without car owners’ knowledge.
The automakers say they are merely complying with local laws, which apply only to alternative energy vehicles. Chinese officials say the data is used for analytics to improve public safety, facilitate industrial development and infrastructure planning, and to prevent fraud in subsidy programs.
The methods Facebook uses to thwart ad-blocking technology have been criticised by web developers.
The social network injects dozens of lines of code in every page to make it harder for ad blockers to detect and hide sponsored posts. But that makes the website less efficient and stops software such as screen readers used by visually impaired users from working properly. The BBC has contacted Facebook for comment.
In order to block advertising, developers look for patterns in a website’s code that can be consistently identified and hidden. It would be easy for a plug-in to spot the word “sponsored” or to find a container labelled “ad” inside the webpage code, so companies, including Facebook, use coding tricks to obfuscate their ads.
The tricks Facebook uses to fool ad-blocking plug-ins include:
• breaking up the word “sponsored” into small chunks only one or two letters long
• inserting extra letters, as in “SpSonSsoSredS”, hidden to the viewer
• adding the word to all regular posts on the news feed, even ones that are not ads, and then using another piece of code to hide it on the non-ads.
The convenience of the disabled is always the collateral damage in such wars; this one is ongoing, though the ad-blocking developers are doing their work in the open by posting what they’re looking for and finding on GitHub.
link to this extract
Until Notes came along, PCs were personal productivity tools, with the majority of uses being spreadsheets, word processing and presentations. Notes created a social use for personal computers and enabled teams of people, spread across geographies, to communicate, collaborate and share information in a way which was not possible previously. It was the tool that moved PCs and networks onto every desk in every office of PW around the world.”
This is an important point, and one that I didn’t think much about until I started corresponding recently with Laube. If you credit Notes as being the first social software tool, it actually predates Facebook by more than a decade. Even MySpace, which was the largest social network for a few years (and had more traffic than Google too), was created in the early 2000s.
Notes was also ahead of its time in another area. “Notes was a precursor to both the web and social media,” says Laube. “It was all about easily publishing and sharing information in a managed way suited to business use. It is the ease of management and the ability to control information access within Notes securely which allowed its rapid adoption by business.” Laube reminded me that back then, information security was barely recognized as necessary by IT departments.
This isn’t completely an accurate picture, mainly because Notes was focused on the enterprise, not the consumer. Notes “mixed email with databases with insanely secure data replication and custom apps,” said David Gewirtz in his column this week for ZDnet. He was an early advocate of Notes and wrote numerous books and edited many newsletters about its enterprise use.
I used Notes in two newspapers, and knew of people in other newspapers who used it. We only ever got the email part, which was calamitously bad. A piece I wrote in 2006 bemoaning this fact drew a huge response: users agreed, while administrators said it was wonderful because it was so secure and easy to administer.
History shows the users won. Yay.
link to this extract
Google Chat is the worst desktop chat program that I have ever used.
How bad is it exactly? Let’s just say if I had to choose between using Google Chat and signing up for Comcast I’d choose Comcast every time.
Google Chat for Desktop login opens your default browser to login
Sounds reasonable right? Wrong.
A self-contained application should need no browser at all to login.
I am required to use Google Chat for work. I use Google Chrome for work and Firefox for my personal stuff. I do not ever mix the two. I do not want my personal Gmail cookies anywhere near my work Gmail cookies. Mixing the two is a recipe for my work having access to my personal logins or accidentally syncing contacts. Do I really want to accidentally pocket dial one of my coworkers? Not really.
Guess what Google Chat does?
Clicking that goes to my default browser of course. Because you’re not allowed to login to your work account on a secondary browser apparently. I literally have to copy/paste its OAuth login URL to Chrome myself.
Even more ludicrous: since this is all using OAuth, Google Chat literally hosts its own web server on your localhost so that it can redirect to itself upon success.
And this is just the login.
Things, as you guess, go downhill from there.
link to this extract
Prior to 1968, there was no standard emergency number. So how did 911 become one of the most recognizable numbers in the United States? Choosing 911 as the universal emergency number was not an arbitrary selection, but it wasn’t a difficult one either. In 1967, the Federal Communications Commission (FCC) met with AT&T to establish such an emergency number. They wanted a number that was short and easy to remember. More importantly, they needed a unique number, and since 911 had never been designated for an office code, area code or service code, that was the number they chose.
Soon after, the U.S. Congress agreed to support 911 as the emergency number standard for the nation and passed legislation making 911 the exclusive number for any emergency calling service.
Thanks to those who provided links explaining this.
link to this extract
You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.
Errata, corrigenda and ai no corrida: none notified