Start Up No.1,034: the genes that null pain, EU bans single-use plastics, Huawei’s longrunning security failures, filter bubble or decision bubble?, and more

Credit cards: the next thing to get disrupted by Apple after smartphones and tablets? CC-licensed photo by Thomas Kohler on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 13 links for you. Meaningful? Vote! I’m @charlesarthur on Twitter. Observations and links welcome.

How Apple Card works • TechCrunch

Matthew Panzarino, with some interesting detail:


Perhaps the biggest security feature of the offering is that Apple Card can generate virtual card numbers for online non-Apple Pay purchases. Though Apple said that the app would display your card info during the event, they weren’t specific on what that info would be so I got some more detail here.

• The physical Apple Card, of course, has no number. The app displays only the last 4 digits of the card number that is on the mag stripe of the card; you never see the full card number.
• Instead, Apple provides a virtual card number and virtual confirmation code (CVV) for the card in the app. You can use this for non-Apple Pay purchases online or over the phone. This number is semi-permanent, meaning that you can keep using it as long as you want.
• But you can hit a button to regenerate the PAN (primary account number), providing you with a new credit card number at any time. This is great for situations where you are forced to tell someone your credit card number but do not necessarily completely trust the recipient.
• Card numbers are manually regenerated only, and do not automatically rotate. There is, currently, no single-use number support or single-merchant number support.
• Each purchase requires a confirmation code, a fantastic additional security feature outlined by Zack Whittaker earlier in the week. This makes it even harder for someone to use your card, even if skimmed or copied, to make online purchases.


Credit cards are so prone to being copied and stolen. We’ve had widespread use of smartphones for nearly a decade. It’s about time this got changed.
unique link to this extract
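To make the mechanics in the extract concrete, here is an added toy model of a regenerable virtual PAN with a per-purchase confirmation code. It is not Apple's or Goldman Sachs' implementation; the issuer prefix is a constructed placeholder and the HMAC-counter derivation of the confirmation code is an assumption about how such a scheme could be built, chosen so the single-use and rotation properties can be exercised offline.

```python
"""Toy virtual-card vault: a Luhn-valid PAN the cardholder can regenerate on
demand, plus a per-purchase confirmation code.  Added illustration of the
design described in the extract, not Apple's code; the issuer prefix, the
in-memory vault and the HMAC-based code are assumptions for the demo."""
import hashlib
import hmac
import secrets

ISSUER_PREFIX = "400000"  # constructed placeholder BIN, not a real issuer range


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that completes the digit string `partial`."""
    total = 0
    # In the finished PAN the check digit sits rightmost and is not doubled, so
    # the rightmost digit of `partial` (reversed index 0) is the first doubled one.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


class VirtualCard:
    """One cardholder's current virtual PAN/CVV and confirmation-code state."""

    def __init__(self, rng=secrets.randbelow):
        self._rng = rng
        self._secret = secrets.token_bytes(32)  # shared by issuer and cardholder app (assumption)
        self._counter = 0                      # advances once per accepted purchase
        self.pan = ""
        self.cvv = ""
        self.regenerate()

    def regenerate(self) -> str:
        """Issue a fresh PAN and CVV; the previous pair stops authorising at once.
        Rotation is manual only, matching the extract (no automatic rotation)."""
        body = "".join(str(self._rng(10)) for _ in range(9))
        partial = ISSUER_PREFIX + body
        self.pan = partial + luhn_check_digit(partial)
        self.cvv = f"{self._rng(1000):03d}"
        return self.pan

    def confirmation_code(self, counter=None) -> str:
        """Six-digit code for a given purchase counter (HOTP-style, an assumption)."""
        c = self._counter if counter is None else counter
        mac = hmac.new(self._secret, c.to_bytes(8, "big"), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def authorize(self, pan: str, cvv: str, code: str) -> bool:
        """Issuer-side check.  A skimmed PAN/CVV alone fails without the code,
        and a captured code fails on replay because the counter has moved on."""
        ok = (
            hmac.compare_digest(pan, self.pan)
            and hmac.compare_digest(cvv, self.cvv)
            and hmac.compare_digest(code, self.confirmation_code())
        )
        if ok:
            self._counter += 1
        return ok


def demo() -> dict:
    """Walk through purchase, replay, and regeneration; return the outcomes."""
    card = VirtualCard()
    first_pan, first_cvv = card.pan, card.cvv
    code = card.confirmation_code()
    results = {
        "pan_is_luhn_valid": luhn_valid(first_pan),
        "purchase_with_code": card.authorize(first_pan, first_cvv, code),
        "replayed_code_rejected": not card.authorize(first_pan, first_cvv, code),
    }
    card.regenerate()  # cardholder hits "regenerate" after sharing the number
    results["old_pan_rejected"] = not card.authorize(first_pan, first_cvv, card.confirmation_code())
    results["new_pan_accepted"] = card.authorize(card.pan, card.cvv, card.confirmation_code())
    return results


if __name__ == "__main__":
    print(demo())
```

The point the bullets make is visible in `demo()`: a merchant (or skimmer) holding yesterday's number is cut off the moment the cardholder regenerates, and even the live number is useless without the per-purchase code.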

This woman doesn’t feel pain; two tiny mutations may be why • Live Science

Yasemin Saplakoglu:


Doctors first realized that there was something different about the woman when she had hand surgery and reported feeling no pain before or after the procedure. She later told doctors that a year earlier, she was diagnosed with osteoarthritis in her hip and scans showed she had severely degenerated joints — yet she felt no pain.

The revelations prompted a group of researchers at the University College London and the University of Oxford to carry out genetic tests to see what could be driving her pain insensitivity.

The team found two specific mutations in her genes.

One mutation was a tiny deletion in a not-well-documented “pseudogene” — a segment of DNA that is thought of as a nonfunctional copy of a parent gene — called FAAH-OUT. The second was a mutation in the original gene, called FAAH.

After being duplicated from the FAAH gene, the FAAH-OUT pseudogene accumulated a number of mutations that prevent it from coding for a protein like the FAAH gene does, said co-senior report author James Cox, a senior lecturer in pain genetics at University College London. As a result of these mutations, FAAH-OUT “has probably evolved a whole new function,” though it’s unclear what that function is.

(These FAAH-OUT mutations aren’t unique to the woman in Scotland, however. What is unique in her case is the tiny portion that’s deleted from the pseudogene.)


Geneticists love daft names for genes. But this protein discovery is amazing: is it a way towards an incredible painkiller? How much would it be worth?
unique link to this extract

Mueller report exceeds 300 pages, raising questions about four-page summary • The New York Times

Nicholas Fandos, Adam Goldman and Katie Benner:


The still-secret report on Russian interference in the 2016 election submitted last week by the special counsel, Robert S. Mueller III, was more than 300 pages long, the Justice Department acknowledged on Thursday.

Mr. Barr wrote to Congress on Sunday offering what he called the “principal conclusions” of the report — including that Mr. Mueller had not found that the Trump campaign had taken part in a conspiracy to undermine the election. But he had notably declined to publicly disclose its length.

The total of 300-plus pages suggests that Mr. Mueller went well beyond the kind of bare-bones summary required by the Justice Department regulation governing his appointment and detailed his conclusions at length. And it raises questions about what Mr. Barr might have left out of the four dense pages he sent to Congress.

Answering those questions is likely to prove difficult for lawmakers and the public. Mr. Barr has indicated to two congressional chairmen that it will most likely take weeks to redact the report for classified and grand jury information the department deems unfit for public consumption.


I really don’t understand why it hasn’t been published already. The Starr Report was delivered to Congress on September 9, 1998, and published online on September 13. I remember downloading it, just because we could.
unique link to this extract

EU bans single-use plastics in restaurants from 2021 • Bloomberg



The European Union decided to ban plastic consumer items including plates, cutlery and straws as of 2021 to help clean up oceans.

The prohibition on single-use plastics approved by the European Parliament on Wednesday in Strasbourg, France, also applies to beverage cups, food containers and cotton bud sticks. EU governments have already signaled support for the ban, making their final approval due on April 15 a formality.

With plastics accounting for around 80% of marine litter, the EU rushed through deliberations on the planned restrictions in less than a year. The European Commission, the bloc’s executive arm, proposed the curbs in May 2018 and representatives of EU governments and the 751-seat Parliament reached a negotiated deal in December.

“Plastics poison our seas,” said Frederique Ries, a Belgian member who steered the draft law through the 28-nation assembly. “If we do not take action, by 2050 there will be more plastic than fish in the oceans.”


Can’t wait for all the Bufton Tuftons to declare that this is the EU interfering too much and that the UK needs to be able to have single-use plastics killing off the fish that we now own the right to net.
unique link to this extract

The FCC has fined robocallers $208m. It has collected $6,790 • WSJ

Sarah Krouse:


Since 2015, the Federal Communications Commission has ordered violators of the Telephone Consumer Protection Act, a law governing telemarketing and robodialing, to pay $208.4m. That sum includes so-called forfeiture orders in cases involving robocalling, Do Not Call Registry and telephone solicitation violations.

So far, the government has collected $6,790 of that amount, according to records obtained by The Wall Street Journal through a Freedom of Information Act request.

The total amount of money secured by the Federal Trade Commission through court judgments in cases involving civil penalties for robocalls or National Do Not Call Registry-related violations, plus the sum requested for consumer redress in fraud-related cases, is $1.5bn since 2004. It has collected $121m of that total, said Ian Barlow, coordinator of the agency’s Do Not Call program, or about 8%. The agency operates the National Do Not Call Registry and regulates telemarketing.

“That number stands on its own. We’re proud of it; we think our enforcement program is pretty strong,” Mr. Barlow said.


Total of 26.3bn (unwanted) robocalls made to US mobile phones in 2018. That number stands on its own too.
unique link to this extract

The filter bubble is actually a decision bubble • Baekdal Plus

Thomas Baekdal:


we don’t have a filter bubble, at least not for the younger generation. It’s a myth that is very easily debunked. What we do have, however, is a decision bubble. Something we see all the time is that there are many people who end up believing something that simply isn’t true, and it is quite painful to watch.

Let me give you a simple example. Take the flat-Earthers. I mean… they are clearly bonkers in their belief that the world is flat, and when you look at this you might think that this is because they are living in a filter bubble.

But it isn’t. You see, the problem with the flat-Earthers isn’t that they have never heard that the Earth is round. They are fully aware that this is what the rest of us believe in. They have seen all our articles and they have been presented with all the proof.

In fact, when you look at how flat-Earthers interact online, you will notice that they are often commenting or attacking scientists any time they post a video or an article about space.

So flat-Earthers do not live in a filter bubble. They are very aware that the rest of us know the Earth is actually round, because they spend every single day attacking us for it.

It’s the same with all the other examples where we think people are living in a filter bubble. Take the anti-vaccination lunatics. They too are fully aware that society as a whole, not to mention medical professionals, all recommend that you get vaccinated. And, they also know that the rest of us think about them as idiots.

They are not living in a filter bubble, but something has happened that has caused them to choose not to believe what is general knowledge.


unique link to this extract

Damning Huawei security report: the top 10 key takeaways • Computer Business Review

Ed Targett:


These are Computer Business Review’s Top 10 takeaways from the Huawei security report [pdf].

1: Huawei’s build processes are dangerously poor
Huawei’s underlying build process provides “no end-to-end integrity, no good configuration management, no lifecycle management of software components across versions, use of deprecated and out of support tool chains (some of which are non-deterministic) and poor hygiene in the build environments” HCSEC said.

2: Security officials don’t blame Beijing
The National Cyber Security Centre (NCSC) which oversees HCSEC, said it “does not believe that the defects identified are a result of Chinese state interference.”

3: Pledges of a $2bn overhaul mean nothing, yet…
Huawei’s promises to transform its software engineering process through the investment of $2bn over five years are “currently no more than a proposed initial budget for as yet unspecified activities.” Until there is “evidence of its impact on products being used in UK networks” HCSEC has no confidence it will drive change.

4: The vulnerabilities are bad…
Vulnerabilities identified in Huawei equipment include unprotected stack overflows in publicly accessible protocols, protocol robustness errors leading to denial of service, logic errors, cryptographic weaknesses, default credentials and many other basic vulnerability types, HCSEC reported.


Also there: old issues aren’t fixed, managing the risk will grow, UK operators may have to replace hardware because of the “significant risk”, it’s using outdated OSs, and the lack of progress is becoming critical. You wonder if this is new? Read on.
unique link to this extract
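The first takeaway names non-deterministic toolchains and the absence of end-to-end integrity in the build. The basic check an assessor runs for that is a reproducibility test: build the same source twice in clean directories and diff the artifact digests. The following is an added example of that check, not HCSEC's tooling or anything from the report; the two build functions at the bottom are constructed stand-ins for a real build command.

```python
"""Reproducibility check: run a build twice in fresh directories and compare
SHA-256 digests of everything it produced.  Added example for the
'non-deterministic tool chains' finding; not HCSEC's or Huawei's tooling."""
import hashlib
import os
import subprocess
import tempfile
import time


def digest_tree(root: str) -> dict:
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def command_build(argv):
    """Wrap a real build command (e.g. ["make", "firmware"]) as a build callable.
    The command runs with the fresh output directory as its working directory;
    SOURCE_DATE_EPOCH is pinned so timestamp embedding does not mask real issues."""
    def build(outdir: str) -> None:
        env = dict(os.environ, OUTDIR=outdir, SOURCE_DATE_EPOCH="0")
        subprocess.run(argv, cwd=outdir, env=env, check=True)
    return build


def reproducibility_report(build) -> dict:
    """Run `build(outdir)` twice in separate temp dirs and report differing artifacts."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        build(a)
        build(b)
        da, db = digest_tree(a), digest_tree(b)
    paths = sorted(set(da) | set(db))
    differing = [p for p in paths if da.get(p) != db.get(p)]
    return {"artifacts": len(paths), "differing": differing, "reproducible": not differing}


# Constructed stand-ins for a build so the check can be exercised offline.
def deterministic_build(outdir: str) -> None:
    """A well-behaved build: output depends only on the inputs."""
    with open(os.path.join(outdir, "fw.bin"), "wb") as fh:
        fh.write(b"release 1.0\n" + b"\x00" * 64)
    with open(os.path.join(outdir, "manifest.txt"), "w") as fh:
        fh.write("fw.bin\n")


def nondeterministic_build(outdir: str) -> None:
    """A build that bakes in a timestamp and random bytes: two runs never match."""
    with open(os.path.join(outdir, "fw.bin"), "wb") as fh:
        fh.write(b"release 1.0\n" + os.urandom(8) + repr(time.time()).encode())
    with open(os.path.join(outdir, "manifest.txt"), "w") as fh:
        fh.write("fw.bin\n")


if __name__ == "__main__":
    print("good build :", reproducibility_report(deterministic_build))
    print("bad build  :", reproducibility_report(nondeterministic_build))
```

A non-empty `differing` list is the finding: if the same source cannot be rebuilt to the same bytes, no one can verify that the binary in the network corresponds to the code that was reviewed, which is what "no end-to-end integrity" means in practice.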

Huawei bungled router security, leaving kit open to botnets, despite alert from ISP years prior • The Register

Gareth Corfield:


Huawei bungled its response to warnings from an ISP’s code review team about a security vulnerability common across its home routers – patching only a subset of the devices rather than all of its products that used the flawed firmware.

Years later, those unpatched Huawei gateways, still vulnerable and still in use by broadband subscribers around the world, were caught up in a Mirai-variant botnet that exploited the very same hole flagged up earlier by the ISP’s review team.

The Register has seen the ISP’s vulnerability assessment given to Huawei in 2013 that explained how a programming blunder in the firmware of its HG523a and HG533 broadband gateways could be exploited by hackers to hijack the devices, and recommended the remote-command execution hole be closed.

Our sources have requested anonymity.

After receiving the security assessment, which was commissioned by a well-known ISP, Huawei told the broadband provider it had fixed the vulnerability, and had rolled out a patch to HG523a and HG533 devices in 2014, our sources said. However, other Huawei gateways in the HG series, used by other internet providers, suffered from the same flaw because they used the same internal software, and remained vulnerable and at risk of attack for years because Huawei did not patch them.

One source described the bug as a “trivially exploitable remote code execution issue in the router.”


And exploited it was. Repeatedly. But Huawei would only patch as it was told about exploits, model by model, despite them all using the same firmware.
unique link to this extract
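The failure the story describes is an inventory problem: the fix went to the two models named in the report while every other product built from the same firmware kept the bug. An added example of the check that closes that gap follows; it is not Huawei's process or data. Only HG523a and HG533 come from the article; the other model names, the component name and all version numbers are constructed placeholders.

```python
"""Patch-coverage check across products that share a firmware code base.
Added example for the Register story; not Huawei's data or process.  Models
other than HG523a/HG533, component names and versions are constructed."""
import copy

# Constructed inventory: model -> shared firmware base and component versions.
INVENTORY = {
    "HG523a":           {"base": "hg-series-fw", "components": {"web-ui": "2.1"}},
    "HG533":            {"base": "hg-series-fw", "components": {"web-ui": "2.1"}},
    "HG-placeholder-1": {"base": "hg-series-fw", "components": {"web-ui": "1.9"}},
    "HG-placeholder-2": {"base": "hg-series-fw", "components": {"web-ui": "2.0"}},
    "OTHER-placeholder": {"base": "other-fw",    "components": {"web-ui": "3.0"}},
}


def parse_version(v: str) -> tuple:
    """'2.10' -> (2, 10), so comparisons are numeric rather than lexical."""
    return tuple(int(x) for x in v.split("."))


def exposed_models(inventory: dict, component: str, fixed_in: str) -> list:
    """Models whose copy of `component` is older than the fixed version."""
    fixed = parse_version(fixed_in)
    return sorted(
        model for model, info in inventory.items()
        if component in info["components"]
        and parse_version(info["components"][component]) < fixed
    )


def siblings_sharing_base(inventory: dict, reported: list) -> list:
    """Models not in the report that are built from the same firmware base as
    any reported model.  This is the enumeration step a fix has to include."""
    bases = {inventory[m]["base"] for m in reported}
    return sorted(
        model for model, info in inventory.items()
        if info["base"] in bases and model not in reported
    )


def apply_patch(inventory: dict, models: list, component: str, version: str) -> dict:
    """Return a new inventory with `component` bumped on the given models only."""
    patched = copy.deepcopy(inventory)
    for m in models:
        patched[m]["components"][component] = version
    return patched


def coverage_after_partial_fix(inventory: dict, reported: list, component: str, fixed_in: str) -> dict:
    """Compare patching only the reported models against patching all siblings."""
    partial = apply_patch(inventory, reported, component, fixed_in)
    full_set = reported + siblings_sharing_base(inventory, reported)
    full = apply_patch(inventory, full_set, component, fixed_in)
    return {
        "exposed_before": exposed_models(inventory, component, fixed_in),
        "exposed_after_partial": exposed_models(partial, component, fixed_in),
        "exposed_after_full": exposed_models(full, component, fixed_in),
    }


if __name__ == "__main__":
    report = coverage_after_partial_fix(INVENTORY, ["HG523a", "HG533"], "web-ui", "2.2")
    for k, v in report.items():
        print(f"{k:22s} {v}")
```

The `exposed_after_partial` list is exactly the population that later ended up in the botnet: devices nobody re-examined because the ticket was closed against the two reported models instead of against the shared firmware.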

YouTube’s child viewers may struggle to recognise adverts in videos from ‘virtual play dates’ • The Conversation

Rebecca Mardon:


Ryan’s channel has become a lucrative business, complete with 25 employees, including video editors, writers and production assistants. It achieved initial commercial success by allowing more traditional “pre-roll” adverts to appear before its videos, which mostly saw Ryan playing with toys – which his parents say they buy. The channel later began to embed advertising content for major brands, such as Walmart, within Ryan’s own videos. More recently, the business launched a range of Ryan’s World toys that often feature in his video content.

Ryan’s videos do include what seem like clear, child-friendly disclosures surrounding sponsored content. But the question is whether children actually recognise these disclosures and understand what advertising is, and whether all YouTube videos aimed at children adequately disclose marketing messages.

Research shows that children have lower advertising literacy than adult viewers. They struggle to recognise adverts when they are embedded in organic content, and may not recognise YouTube videos featuring paid advertising content, vloggers’ own-brand merchandise, or free products “gifted” by brands as marketing.

Children are particularly likely to struggle to identify advertising messages by their favourite vloggers. Viewers often come to feel personal attachments to YouTube stars. Fans of beauty vlogger Zoella, for instance, see her as a sister or best friend, and my own research has found that fans often defend and excuse vlogger actions that might otherwise be seen as problematic or unethical as a result of this relationship.


By the way, Ryan is aged seven and reckoned to have earned $22m between June 2017 and June 2018.
unique link to this extract

What Facebook is getting wrong in the fight against fake news • VICE

David Uberti:


From her home in San Diego, [Brooke] Binkowski sees the stakes of the info war in nearby Tijuana, where the asylum seekers known as “The Caravan” remain in limbo after a journey across Central America that received a lot of publicity riddled with misinformation. The real-world implications don’t end there: Parents of Sandy Hook victims are pursuing a defamation suit against Infowars huckster Alex Jones—a case on which Binkowski is consulting as an expert witness—for claiming the school shooting was a hoax. “I love talking shit to people who lie on the internet,” she said. “I’m pretty much born for this.”

I caught up with Binkowski by phone to talk Facebook, fact-checking, and how fake news has changed since she joined Snopes in late 2015.

VICE: Did you have any sense of how big the problem was on Facebook or to what extent they were taking it seriously?
Brooke Binkowski: They didn’t share shit with us. I felt that we were crisis PR: They could point to us and say, Look, we’re doing something about it. We hired Snopes. They also [included] The Weekly Standard and [considered including] The Daily Caller in their fact-checking teams, because they didn’t want to be perceived as left-wing fact-checker friendly. I was like, You guys don’t know how this fucking works, do you? You should not be doing this. You need to hire people internally.

V: They’re reacting to conservative criticism the exact same way a legacy media company might react.
BB: Their reaction has been very telling. That’s another reason I’ve gone on this offensive. I’m broke as shit—always. I don’t have a lot of personal power. But what I really have right now is a megaphone. I have a voice. And they’re very sensitive to public opinion. So I’m just going to keep kicking them in the teeth publicly as long as I can, because they’re fucking up.

V: So you think the power lies with them?
BB: One hundred percent. For them, they’ve been in denial about being a media company, not just for legal reasons, but also because they can tell themselves media may be prone to being swayed one way or the other. Tech is morally neutral—it’s all in the way people use it. That’s obviously not true. It never was.


unique link to this extract

UK opens up access to oil and gas data • Out-law


Terabytes of data on the UK’s oil and gas fields and infrastructure has been made freely available for use by industry.

The Oil and Gas Authority (OGA) said the release of the data can help industry recover the 20 billion barrels of oil and gas that are estimated to remain untapped in the UK’s Continental Shelf (UKCS).
The data is accessible via a new national data repository (NDR) established by the OGA, and includes “130 terabytes of well, geophysical, field and infrastructure data … covering more than 12,500 wellbores, 5,000 seismic surveys, and 3,000 pipelines”.

Bob Ruddiman, specialist in oil and gas at Pinsent Masons, the law firm behind Out-Law, said: “This is a significant development in the evolution of the UKCS. The future prospectivity of the basin will be significantly enhanced by the free availability of data. Innovators will look differently at the many opportunities which undoubtedly exist and the future will undoubtedly include developments previously overlooked or discarded but which will be enhanced by application of new technology to existing data.”


Er, well, open data, so that’s good. But it would be better to leave these reserves buried.
unique link to this extract

How the UK lost the Brexit battle • POLITICO

Tom McTague:


Had [Downing Street] been prepared for Brexit on June 24, 2016, the negotiations might have played out differently.

“The British government should have offered something very, very quickly,” said one high-ranking official of a large EU country. “If the UK had said: ‘Here’s the plan,’ we might have accepted it.”

“The British strength was being one member state, being able to define its national interest quickly and making its move quickly,” the official said. “It did not do that.”

Instead, in the aftermath of the referendum, Cameron resigned as prime minister; Labour MPs attempted to oust their party’s leader Jeremy Corbyn; Nicola Sturgeon, the Scottish first minister, vowed to hold a second independence referendum; and Martin McGuinness, then deputy first minister of Northern Ireland, called for a vote on whether the British territory should leave the UK and become part of the Republic of Ireland.

The seeds of the crisis Britain faces today were planted by Cameron, said Foreign Office Minister Alan Duncan. “He called the referendum too early, ran a crappy campaign and then walked out, leaving a vacuum.”

“It is a crisis caused by bad decisions on top of bad decisions, turning a short-term gambit into a long-term catastrophe,” he added. “You can trace the whole thing back to the start. The crash was always coming.”

…One adviser on European affairs to a prominent EU27 leader said Dublin had begun lobbying other EU countries in the months before the referendum to ensure Ireland was protected in the event of a decision by the UK to leave…

Northern Irish peer Paul Bew, one of the chief architects of the Good Friday Agreement, said Dublin’s preparation was typical of the Irish in their long history of negotiations with Britain. “They are on top of the detail, and we [the British] are incurious. The people at the top of the UK government are also paralyzed by imperial guilt.”

The contrast with London was stark. While Cameron refused to allow officials to prepare for a Leave vote — barring officials from putting anything on paper — Ireland had produced a 130-page Contingency Plan with an hour-by-hour checklist.


Excellent in-depth piece which shows how many times the UK got this wrong – ie pretty much at every turn. So much for the EU being a sclerotic organisation that can’t tie its shoelaces.
unique link to this extract

Sony to close smartphone plant in China, shift production to Thailand • Reuters

Pei Li and Makiko Yamazaki:


Sony Corp will close its smartphone plant in Beijing in the next few days, a company spokesman said, as the Japanese electronics giant aims to cut costs in the loss-making business.

Sony will shift production to its plant in Thailand in a bid to halve costs and turn the smartphone business profitable in the year from April 2020, the spokesman said on Thursday. He said the decision was not related to Sino-U.S. trade frictions.

Sony’s smartphone business is one of its few weak spots and is bracing for a loss of 95 billion yen ($863m) for the financial year ending this month.

Some analysts say Sony should sell the business amid acute price competition with Asian rivals. The company has a global market share of less than 1%, shipping just 6.5 million units this financial year mainly for Japan and Europe.

But Sony has said it has no intention to sell as it expects smartphones to be central to technologies for fifth-generation wireless networks, where cars and various devices would be connected.


What is the magical thinking that leads Sony execs to think that 5G will make its smartphone business profitable? Competition then will come from more places than ever, and Sony isn’t in the 5G space to any appreciable extent. I suspect it comes from people whose jobs are at risk if they confess the division is never going to break even again. Which is, let’s be fair, understandable.
unique link to this extract

Errata, corrigenda and ai no corrida: none notified

2 thoughts on “Start Up No.1,034: the genes that null pain, EU bans single-use plastics, Huawei’s longrunning security failures, filter bubble or decision bubble?, and more”

  1. Re Huawei: it’s good that Huawei’s security practices are being closely looked at. But are anybody else’s, or is this just a clickbaity trawl for headlines? Off the top of my head, I can remember US Intelligence having a whole assembly line to rootkit Cisco routers, Supermicro motherboards having a very backdoorable admin side channel, Intel CPUs still being vulnerable to Spectre and Meltdown and AMD and ARM CPUs mostly so too.

    More specific to network infrastructure, has Nokia and Ericsson stuff been subjected to the same level of scrutiny?

    You’re gonna cry whataboutism, and you’re right. But still, has *anyone* tried to take a step back and put things in context? This pile-on feels gaslighty.

  2. Google’s Android security report for 2018 is out. It’s an interesting read especially absent Apple’s equivalent.

    Salient points:
    – The situation is OK with 0.08% of Google Play-only devices “affected” by a PHA (0.68% if not Google Play-only, so x8).
    – Google seems to be working hard to stay put, this is not better than last year. More than entirely explained by click-fraud malware now being counted and cancelling gains in other categories. They also warn that some “Potentially Harmful Apps” are not *actually* harmful and installed knowingly by users (rootkits etc…) but still counted.
    – Per-app as opposed to per-device rate actually went up to 0.04% from 0.02%, which I take to mean that unsafe devices are getting several bad apps while safe devices are getting fewer bad apps. Probably those root users, mostly.
    – Click fraud is over half of all malware, but the remaining 0.017% is really Bad Stuff (trojans etc…)
    – contaminated dev tools are a significant issue, same as for Apple a few years back.
    – varies almost x3 by country, with India, Indonesia and the US less safe, Brazil and Russia safer. That’s weird. Google says click fraud is very country-specific.
    – varies also x3 by OS version, with 8.0 and 9.0 much safer than 5.0 and 6.0 (4.x and older are still 10% of PlayStore-using devices, I shudder to think how bad they get… and I have one of those ^^)
    – Play Protect catches 3/4 bad apps including from non-Google sources.
    – You end up with interesting insights, ie Russia is only 3% of PlayStore click fraud, but 14% of non-PlayStore backdoors.

    I’d love to have separate data for correctly updated devices (ie Pixels, ONE, …) but they don’t publish that. From the OS version alone they should be at 0.03%, then there’s the impact of security patches.
