Start Up No.1,066: Uber stutters, bad playlist antics, Apple loses Supreme Court case, the social robot failures, Foxconned in Wisconsin?, and more


Loyalty programs are a huge target for hackers. CC-licensed photo by John Hritz on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. What about a social robot graph? I’m @charlesarthur on Twitter. Observations and links welcome.

Uber’s losses reach double digits in IPO debut debacle • Yahoo

Jeran Wittenstein and Sam Unsted:

»

The ride-hailing giant dropped as much as 11% to $37.08 in New York. The San Francisco-based company sold 180 million shares at $45 apiece on Thursday, and on Friday it never traded above that price, ending the day down 7.6% at $41.57 even as other stocks gained.

“Sentiment does not change overnight, and I expect some tough public market times over the coming months,” CEO Dara Khosrowshahi told staff in an email.

The share slump reflects investor skepticism about the size of the ride-hailing market, Uber’s ability to execute on food and package delivery and its push into autonomous vehicles, said Ygal Arounian of Wedbush Securities. The IPO also comes as investors shy away from riskier assets given U.S.-China trade tensions, said the analyst, who has an outperform rating on Uber and sees the stock reaching $65 in the next year.

«

I link to this only to note it; I don’t think the first few days or weeks are anything either way. What’s going to matter is its financial results, and that’s going to play out over years. (Has anyone analysed how a company’s shares perform on its first day compared to how it performs over its life?)


Anki, Jibo, and Kuri: what we can learn from social robots that didn’t make it • IEEE Spectrum

Guy Hoffman heads the Human-Robot Collaboration + Companionship Lab at Cornell University:

»

I believe that Cozmo, Kuri, and Jibo (disclosure: Jibo was founded by my Ph.D. advisor Cynthia Breazeal) will play a similar role on the path towards successful social home robotics. If that is true, what exactly can we learn from their experience? Here are four lessons I have personally drawn from closely following these first attempts to put the promise of social robotics research into commercial practice:

Lesson 1: Long-term engagement is the holy grail, and the Gordian knot
All of the social robotics companies were struggling to sustain a long-term use-case for their products. Critics of the products would often say that this kind of product may be fun to use for a while, but that its tricks get old quickly. This made it especially difficult to succeed, given the upscale price point of some of the devices.

One big part of the longevity problem is the inability of the robots to escape the single turn structure of an interaction. There is only so far you can go with a single round of conversation, even when you stack a thousand single rounds back-to-back. At some point you want to follow-up and back-refer (“Remember when I asked you about Florida yesterday? I think I’m ready to commit.”); you want your conversant to make connections across conversations (“That is so similar to the story you told me about how your boss talks to you!”); and you want to be able to speak over each other while still understanding what’s going on.

«

The other three are interesting too. Hoffman reckons that the three (failed) social robots leave us at about the point where the Newton left us in 1998 – a while before a really good implementation.


One month ago, Foxconn said its innovation centers weren’t empty — they still are • The Verge

Josh Dzieza:

»

At the event announcing the Madison project, Foxconn’s Alan Yeung said the innovation centers were “not empty,” which prompted laughter from the crowd. Yeung also said The Verge’s story contained “a lot of inaccuracies” and that the company would issue a correction soon. He did not say what those inaccuracies were, and Foxconn never issued a correction, nor has it responded to repeated requests to clarify Yeung’s statement.

One month after Yeung’s comments and promise of a correction, every innovation center in Wisconsin is still empty, according to public documents and sources involved with the innovation center process. Foxconn has yet to purchase the Madison building Yeung announced, according to Madison property records. No renovation or occupancy permits have been taken out for Foxconn’s Racine innovation center, though a permit has been taken out for work on the roof of another property Foxconn bought for “smart city” initiatives. There has been no activity in Foxconn’s Green Bay building, either.

«

The Verge is doing good work by continuing to hold Foxconn (and by extension Wisconsin’s useless governor) to account on this boondoggle. How soon is an election where it will all get thrown out?


Playlist malfeasance • Midia Research

»

Streaming economics are facing a potential crisis. The problem does not lie in the market itself; after all, in Q1 2019 streaming revenue became more than half of the recorded music business and Spotify hit 100 million subscribers. Nor does it even lie in the perennial challenge of elusive operating margins. No, this particular looming crisis is both subtler and more insidious. Rather than being an inherent failing of the market, this crisis, if it transpires, will be the unintended consequence of short-sighted attempts to game the system. The root of it all is playlists…

…With playlists being so important for both marketing and revenue, it was inevitable that people would seek out ways to attain any possible advantage. Consequently, playlists are becoming gamed, whether that be major labels getting more than their fair share of access to the biggest playlists or ‘fake artists’ filling them out.

Most recently, Humble Angel’s Kieron Donoghue identified a cynically constructed playlist called ‘Sleep & Mindfulness Thunderstorms’ (all terms optimised for user searches) that contained 330 one-minute songs of “ambient noise of rain and a few thunder storms thrown in for good measure”. The one-minute track length ensures they are long enough to qualify for a royalty share, but short enough to ensure that a typical listening session will generate a vast quantity of streams, thus generating more royalties.

The twist to this story is that this playlist was created by Sony Music and the artist behind all these tracks appears to be a Sony Music artist. Crucially Sony isn’t the only one doing this, with UMG getting in on the act and Warner Music signing an algorithm.

«

All’s fair in love, war and making money in the music business.


Why rewards for loyal spenders are ‘a honeypot for hackers’ • The New York Times

Tiffany Hsu:

»

Some brands have hooked their rewards to other companies. Walgreens offers points to shoppers who connect their accounts to Fitbit fitness trackers. In March, Chipotle briefly promoted a new loyalty program with cash prizes for consumers who also used the social payments app Venmo. Participants submitted the phone number associated with their Venmo accounts on a website created by Chipotle.

Companies are collecting so much data that it is often “more than they can actually use,” said Emily Collins, an analyst with Forrester Research.

“They’ve got oceans of data and puddles of insight,” she said.

As consumers hand over more data, many of them fail to monitor their accounts closely. More than half of the rewards memberships in the United States are inactive, and more than $100 billion a year in rewards points go unredeemed, according to the marketing firm Bond Brand Loyalty.

Tate Holcombe, a photographer in Arlington, Va., said he was usually “pretty religious about changing passwords and multiple verifications,” especially for accounts linked to payment data. With rewards programs, he was much more lax.

“Of course, that’s the one place I got hacked,” he said.

On March 23, Mr. Holcombe woke up at home to a 3 a.m. notification from his Domino’s loyalty account: His pizza was ready for pickup in Santa Clarita, Calif.

Someone had hacked his profile and used a coupon for a free pizza, he said. Personal details, like his phone number and address, had been overwritten with gibberish. When he complained, the company replaced his coupon.

«

A honeypot, because there are 3.8bn rewards memberships in the US – an average of 10 per person. Of course they’ll get hacked; that it’s only $1bn in value lost suggests hackers are only just warming up, or that rewards programs are pretty worthless.


Friend portability is the must-have Facebook regulation • TechCrunch

Josh Constine:

»

As the FTC considers how many billions to fine Facebook or which executives to stick with personal liability or whether to go full-tilt and break up the company, I implore it to consider the root of how Facebook gets away with abusing user privacy: there’s no simple way to switch to an alternative.

If Facebook users are fed up with the surveillance, security breaches, false news, or hatred, there’s no western general purpose social network with scale for them to join. Twitter is for short-form public content, Snapchat is for ephemeral communication. Tumblr is neglected. Google+ is dead. Instagram is owned by Facebook. And the rest are either Chinese, single-purpose, or tiny.

No, I don’t expect the FTC to launch its own “Fedbook” social network. But what it can do is pave an escape route from Facebook so worthy alternatives become viable options. That’s why the FTC must require Facebook offer truly interoperable data portability for the social graph.

In other words, the government should pass regulations forcing Facebook to let you export your friend list to other social networks in a privacy-safe way. This would allow you to connect with or follow those people elsewhere so you could leave Facebook without losing touch with your friends. The increased threat of people ditching Facebook for competitors would create a much stronger incentive to protect users and society.

«

Good idea. Facebook has been able to strangle companies by denying them access to the social graph that people need to be able to build a presence on a new social network, while boosting its own by crosslinking Facebook/Instagram/WhatsApp data, all purloined from your phonebook.


Supreme Court allows antitrust lawsuit against Apple to proceed • The New York Times

Adam Liptak and Jack Nicas:

»

The legal question in the case, Apple v. Pepper, was whether the lawsuit was barred by a 1977 decision in Illinois Brick Co. v. Illinois, a case that allowed only direct purchasers of products to bring federal antitrust lawsuits. Apple argued that it was an intermediary and so not subject to lawsuit.

The majority rejected that argument. “The plaintiffs’ allegations boil down to one straightforward claim: that Apple exercises monopoly power in the retail market for the sale of apps and has unlawfully used its monopoly power to force iPhone owners to pay Apple higher-than-competitive prices for apps,” Justice Kavanaugh wrote.

Apple argued that app developers set their own prices, meaning that consumers should not be able to sue the company. Justice Kavanaugh responded that the argument missed the economic reality of the relationship between Apple and app developers.

“A ‘who sets the price’ rule,” he wrote, “would draw an arbitrary and unprincipled line among retailers based on retailers’ financial arrangements with their manufacturers or suppliers.”

“Under Apple’s rule a consumer could sue a monopolistic retailer when the retailer set the retail price by marking up the price it had paid the manufacturer or supplier for the good or service,” he wrote. “But a consumer could not sue a monopolistic retailer when the manufacturer or supplier set the retail price and the retailer took a commission on each sale.”

«

Here’s the Supreme Court ruling. In effect, it says that Apple’s a monopolistic retailer, and thus able to set prices (why is it 30% on top? How does one shop around to get apps at a different price?). Apple’s going to have to let apps be sold in a different way, or at least allow different transaction paths to be signposted.

Apple’s response: “Developers set the price they want to charge for their app and Apple has no role in that. The vast majority of apps on the App Store are free and Apple gets nothing from them… We’re confident we will prevail when the facts are presented and that the App Store is not a monopoly by any metric.”


Switching to a Pixel 3a from any iPhone newer than the iPhone 6 is just silly • BGR

Chris Smith:

»

Google says its $399 Pixel 3a does better night photography than the $999 “Phone X” from the competition. We all know that’s the iPhone X, or, better said, its successor, the iPhone XS [the iPhone X, from last year, costs less than $999]. Even if Google’s Night Sight photo mode is remarkable and puts Apple’s low-light photography to shame, that’s an incredibly narrow-sided way to compare these phones. Make no mistake, the Pixel 3a phones aren’t the equivalent of the iPhone XR, or the Galaxy S10e for that matter. Google’s cheaper phones pack mid-tier hardware compared to Apple’s and Samsung’s cheapest new flagship.

Aside from taking photos at night, you probably want to use your phone for plenty of other things. While a $399 phone with incredible photo skills sounds excellent, the phone is still a mid-range handset whose performance pales when compared to the iPhone.

Switching from an iPhone 6s or newer to the Pixel 3a phones makes zero sense…

If you really want to switch your iPhone for a new Android phone, then go for the Pixel 3 flagship phones. Although, I would point out that the Pixel 3 phones still suffer from performance issues, the kind you wouldn’t expect from a flagship Android handset — that’s one other reason you shouldn’t swap an iPhone 6s or newer for the Pixel 3a series. Even better, if you want to trade in your iPhone, then get a Galaxy S10, Huawei P30, or OnePlus 7 instead. It’d be a much better deal.

«

Smith justifies this on the basis of benchmarks showing the Pixel 3a as slower on multi- and single-core tasks than anything Apple’s offered since 2015. I think people might find the visuals and UI slower – Apple optimises like crazy for scrolling (in particular) and other interactions.


Privacy rights and data collection in a digital economy • Idle Words

Maciej Cegłowski, who runs the Pinboard service but is also one of the clearest thinkers on the state of the internet, gave evidence last week to the US Congress. As you’d expect, it’s a must-read:

»

Until recently, even people living in a police state could count on the fact that the authorities didn’t have enough equipment or manpower to observe everyone, everywhere, and so enjoyed more freedom from monitoring than we do living in a free society today. [Note: The record for intensive surveillance in the pre-internet age likely belongs to East Germany, where by some estimates one in seven people was an informant.]

A characteristic of this new world of ambient surveillance is that we cannot opt out of it, any more than we might opt out of automobile culture by refusing to drive. However sincere our commitment to walking, the world around us would still be a world built for cars. We would still have to contend with roads, traffic jams, air pollution, and run the risk of being hit by a bus.

Similarly, while it is possible in principle to throw one’s laptop into the sea and renounce all technology, it is no longer possible to opt out of a surveillance society.

When we talk about privacy in this second, more basic sense, the giant tech companies are not the guardians of privacy, but its gravediggers.

The tension between these interpretations of what privacy entails, and who is trying to defend it, complicates attempts to discuss regulation.

Tech companies will correctly point out that their customers have willingly traded their private data for an almost miraculous collection of useful services, services that have unquestionably made their lives better, and that the business model that allows them to offer these services for free creates far more value than harm for their customers.

Consumers will just as rightly point out that they never consented to be the subjects in an uncontrolled social experiment, that the companies engaged in reshaping our world have consistently refused to honestly discuss their business models or data collection practices, and that in a democratic society, profound social change requires consensus and accountability.

«



Who to sue when a robot loses your fortune • Bloomberg

Thomas Beardsworth and Nishant Kumar:

»

It all started over lunch at a Dubai restaurant on March 19, 2017. It was the first time 45-year-old Li met Costa, the 49-year-old Italian who’s often known by peers in the industry as “Captain Magic.” During their meal, Costa described a robot hedge fund his company, London-based Tyndaris Investments, would soon offer to manage money entirely using AI, or artificial intelligence.

Developed by Austria-based AI company 42.cx, the supercomputer named K1 would comb through online sources like real-time news and social media to gauge investor sentiment and make predictions on US stock futures. It would then send instructions to a broker to execute trades, adjusting its strategy over time based on what it had learned.

The idea of a fully automated money manager inspired Li instantly. He met Costa for dinner three days later, saying in an email beforehand that the AI fund “is exactly my kind of thing.”

Over the following months, Costa shared simulations with Li showing K1 making double-digit returns, although the two now dispute the thoroughness of the back-testing. Li eventually let K1 manage $2.5bn — $250m of his own cash and the rest leverage from Citigroup. The plan was to double that over time.

But Li’s affection for K1 waned almost as soon as the computer started trading in late 2017. By February 2018, it was regularly losing money, including over $20m in a single day — Feb. 14 — due to a stop-loss order Li’s lawyers argue wouldn’t have been triggered if K1 was as sophisticated as Costa led him to believe.

«

Ooh, this will be such fun if it ever reaches court – though as the court date is set for April 2020, I suspect it will get settled before it does.


Errata, corrigenda and ai no corrida: none notified

31 thoughts on “Start Up No.1,066: Uber stutters, bad playlist antics, Apple loses Supreme Court case, the social robot failures, Foxconned in Wisconsin?, and more”

  1. “social robots leave us at about the point where the Newton left us in 1998 – a while before a really good implementation.”

    As in -1 (minus one) year, since the Palm Pilot, which was much more functional, useful, and successful, was released in 1997. Admittedly more limited, but better/easier at what it actually did. And with AppStores, local apps, wired (later wireless) sync, removable storage, an audio jack, folding keyboard (no mouse support ;-p). It displaced my NEC PC 1100 (IIRC) as a way to type emails on my commute, and could do a lot more than that. I remember putting a transcoded video on it just for kicks (not a good experience at 320×320 B&W), read lots of ebooks on it though, and had that whole website hoovering setup I ran each morning for news.

    My biggest regret is skipping the Sinclair laptop and the Psion between the NEC and the Palm, but the NEC was Good Enough until the Palm came along and raised the bar 5-fold.

    All tech references don’t have to be about Apple, that feels incredibly iBubblish.

  2. re Pixel 3a. iFans’ hypocritical ability to focus on whatever Apple has a lead in is impressive. Admittedly Apple has a lead in performance, but let’s look at a few other specs
    – Antutu: 3a =160k, iP7S = 180k. Probably not noticeable (notice: 7S, not 6)
    – Storage: 3a = 64GB, 7S = no sweet-spot 64GB, majority got a measly 32GB
    – Screen: similar rez/def, AMOLED vs LCD, same old-school bezels
    – Pictures: clear difference https://www.gsmarena.com/piccmp.php3?idType=4&idPhone1=9256&idPhone2=8065

    Furthermore, I don’t think the question is “is it better”, but “is it Good Enough”. If you have an older iPhone and are looking to upgrade, the first choice is how much you’re willing to spend. Apple wants 855€ for an XR, over twice a Px3a’s 400€. Do you need more perf than your current phone, or are you OK with same perf? With a Px3a, you’re getting better pics, a better screen, more battery, more storage than your current phone; and keeping the audio jack compared to that expensive new iPhone.

    My question is, rather, for whom does getting an iPhone Xx (or any flagship really) make objective sense?

    • PS: Also, the Redmi Note 5 will give you all of that except low-light pics but w/ extra SD slot and FM radio for 130€ ;-p

      • Do you think about Apple 24 hours a day. You go on about them far more than any ‘iFans’ I know.

      • They’re the company that gets most stories that set off my BS detector, and that gets me to react.
        I rarely go on proactive rants about them (though there’s one in the queue right now, or there should be, something about security through obscurantism and that whatsapp malware); and I rarely see undeserved fawning pieces about other companies.
        Look at the stories here: what’s the count of stories about Apple vs others (Apple: 15% of the market), and then the positive:negative ratio of those (Apple: no better than anyone else)? Apple is notoriously mean w/ critics so it’s understandable that devs and consultants hide watered-down criticism hours into podcasts (Marco Arment’s admission), but this attitude seems unduly contagious. I’m pro-vaxx.

      • It’s Charles’ blog. He writes about what he finds interesting – there’s no reason there should be any ‘balance’ here.
        If you don’t like it you can go and read another blog rather than whine about how unfair everything is, there are plenty of blogs just for Android. You could go there and moan about how there are no Apple articles.
        “iBubblish”, “iFans”, conspiracy theories about Apple stories – it’s like reading comments on a football page … for six year olds.

      • Indeed that’s a bit how it feels, that kid who was all about Power Rangers, dissed all other cartoons and drew parallels between Power Rangers and everything else (other shows, real life…) all the time.

        I don’t feel I’m whining that much. I try to complete the picture both about the Power Rangers’ flaws and about the goodness and flaws of other shows.

        I’m on record on other sites saying I don’t think Pixel phones are that hot and I don’t see their point (most expensive phones really, I don’t even think the term flagship is appropriate any more), that ChromeOS is a mind-boggling strategic mistake, that MS just doesn’t have the culture for Consumer stuff… I just haven’t had opportunities/reasons to make those points here. Take a wild guess why.

  3. I’ve got an actual question that I never could get an answer to: what are elongated screens with a more than 16:9 ratio good for?

    I’m getting irked by ever-narrower screens, my best phone ever in that regard was the 7″ 16:10 Huawei Mediapad X1, now the only thing I can get is a 19+:9 which is actually narrower (so worse for reading, maps, gaming, even for video).

    I understand growing the screen up a bit around the selfie cam so 17:9, but beyond that, what are narrow screens especially good at?

  4. PSA:
    1- for regular people, Apple’s supposed better security is irrelevant.
    2- for high-value targets, Apple’s security through obscurity doesn’t work (it never does): https://www.vice.com/en_us/article/pajkkz/its-almost-impossible-to-tell-if-iphone-has-been-hacked

    Users have no way to tell if their phone has been hacked via whatsapp’s passive 0-day. Apple doesn’t have a history of being helpful either: https://www.macstories.net/news/internal-applecare-document-directs-employees-not-to-help-with-malware-removal/ . That’s not even obscurity, that’s obscurantism.

    • The WhatsApp vulnerability was in WhatsApp’s VOIP stack and so applied across all platforms, including Android and even Windows Phone.

      It’s also almost impossible to know if your Android device has been hacked. But there’s a higher chance of it because Android is an easier target and there are more of them in the wild, running older software.

      The malware removal is frustrating but explicable: don’t get involved in things that might lead to unnecessary lawsuits from customers or companies. By the way, that link is just about to celebrate being eight years old. History indeed.

      • Sorry I remember history, it does help with noticing when it’s repeating. Has Apple culture changed since then?

        And not really my main point. Main point, again: Android is safe enough for regular Joes; even iOS isn’t safe enough for unregular Joes – and comes with its own set of security-through-obscurantism issues.

        Android is both a blessing and a curse: when not updated, it is more vulnerable; when updated, it’s probably a wash. But whether updated or not Android does let security researchers investigate, which iOS does not. What’s your source for saying it’s almost impossible to know on Android? All the usual antimalware and forensics tools apply (they might need updating if the malware is very new or very clever, but they’ll get there); iPhone won’t let security researchers run any such tools except for that handful of dev prototypes.

      • “But whether updated or not Android does let security researchers investigate, which iOS does not.”

        Oh come on. That’s to do with the inherent architecture of Android, not some wonderful generosity on the part of its designers towards the security researchers of the imagined future when they were building it.

      • Also, sure, not helping users with malware is the safe (not the nice, but the safe) thing to do for corps, and Apple is doing just like everyone else.
        Where Apple is unique is that it not only doesn’t help, but actually prevents users and 3rd-party whose job it is from working on those issues. Apple’s rationale and PR for locking everything up is that it keeps users safe (the unspoken reason is that it keeps revenues in-house). Shouldn’t Apple own up to their promise and premise even in more difficult situations, not just when it’s money-generating? ie, claim ownership of malware issues, not just of revenue streams?

      • What happens when you take your malware-ridden Windows PC to a Microsoft store? A Samsung store, if it’s a Samsung PC? An HP store, if they exist and it’s an HP PC? Do they leap to remove it for you, or do they suggest you get antivirus and point you towards it?
        You create impossible-to-meet standards for Apple which don’t even tally with normal corporate behaviour, and then criticise it for not meeting those standards which you have totally pulled out of thin air. That’s a pretty classic example of a strawman argument.
        Show us examples of other companies acting in ways that demonstrate how Apple has fallen short, and you have a better argument. Otherwise, you’re making the imaginary perfect the enemy of the actual good.

      • Again, easy, and already done. Compared to iOS:
        1- all other OSes (*) let users run antimalware apps
        2- all other OSes let 3rd parties and expert users provide advanced services: run advanced tools, diagnostics, procedures. Not typically a 1st-party service, but 3rd-parties can do it, which is the difference with iOS.

        It’s not me making that up: read that Vice article in the grandparent post.

        (*) certainly Android, Windows, and Linux. Not sure about ChromeOS: the Linux and Android “personalities” do, but I don’t know about ChromeOS itself, though I think it can be rooted once you dismiss the usual disclaimers.

      • “This truck can’t carry heavy loads!”
        “Sir, that’s a Volkswagen Beetle.”
        IOS is sandboxed like crazy by design. A primary focus of its designers was to prevent problems in one app affecting others, and also to prevent apps interfering with each other – a major cause of crashes. Android is more like Linux – everything can get at everything. That’s why Android could implement sharing between apps pretty much from the start, and it took iOS way longer.
        But to think that iOS was built to prevent malware researchers doing things and that Android is designed to help them is just to fundamentally misunderstand the respective architectures of the OSs.

      • Also, as an example, both MS and Google have sponsored the pwn2own event, with Google getting in a huff when rules wouldn’t require participants to publish exploits, and setting up its own contest on the side.

        Apple doesn’t want its name anywhere near “exploit” so won’t pay a cent to pre-empt black hats. You’ve got to rely on others’ generosity, and to read the fine print to work out they’ve been hacked like everyone else:

        thezdi.com/blog/2019/3/20/pwn2own-vancouver-2019-day-one-results

      • Apple has a bug bounty program. It’s not the greatest in the world, but it does exist. The problem it faces is that being able to hack iOS is worth so much to folks such as NSO Group that Apple would face an impossible bidding war.
        If anything, pwn2own competitions show a sort of reverse valuation: you hacked Safari! You hacked Firefox! You hacked the things that don’t have much commercial value to black hat hackers because if they did then folks would sell the exploits for much more!
        You keep mistaking things that happen in public, and especially public pronouncements, for what’s actually important.

      • I’m not saying security research was prevented as a major goal in iOS, and helped along as a major goal in Android.

        I’m saying:
        1- corp policies (white hat support, security reports…) do that nowadays
        2- user control is an OEM choice any way you want to slice and dice it. Built-in, user-controlled root and dev options have zero impact on users who don’t activate them
        3- security is impacted as a side effect of general architecture indeed, in all cases, at the periphery. Google is trying to be helpful, Apple is trying not to.

        As a side note, if all of that is to prevent “a major cause of crashes”, it’s a miss: betanews.com/2016/11/17/ios-android-app-crashes/

      • “impossible bidding war”? You’re saying NSO group has more money than Apple? And that no security researcher whatsoever has a conscience and would love a way to reasonably monetize their skill that wasn’t on the dark side?

      • Jeezus. Take a timeout. Crashes: yes, iOS 11 was bad for crashes, which is why iOS 12 focussed on stability over new features. That Betanews report is all over the place; it doesn’t capture what the stats are (and likely hasn’t read the report).
        You don’t seem to understand what architecture means in an operating system. To say “Google is trying to be helpful” completely misunderstands what is going on. Not just a little; completely.

        As to “security researchers who want to monetise [for good]” – sure, that’s the jailbreaking community, who also might sell their own stuff. But if you had an exploit that could give you RCE on iOS, and you are deep enough into the business to know how rare that is, you’re probably talking six figures for selling it to an interested group.
        Apple is badly organised for dealing with this (as the recent Facetime exploit showed) because the idea of being a gigantic target for malware is relatively new to its corporate culture.
        “Google has the courage to..” Again, give me a break. It’s all marketing. Apple’s choice not to do it is marketing too. There’s no legal obligation.
        “I’m not sure how this makes Apple’s closedness more excusable”. Well, nothing Apple does is ever excused in your eyes – we all know that, and it’s quite wearying – but it’s not something that needs “excusing”. It’s how it works. If you sandbox every app, then you can’t have apps that watch what other apps do. It’s an architecture decision whose intent is to prevent malicious apps and so on. Android being Swiss cheese is lovely for security researchers, and delights people who think “open” is the ne plus ultra, but in reality it entails serious tradeoffs that iOS doesn’t have to make, mostly around the problem that antivirus actually is a thing on Android. What’s the biggest bot network that’s been taken down on iOS? I haven’t seen any reports of any. What’s the biggest bot network exploiting flaws in Android? Oh, apps get removed from the Play Store all the time and botnets of thousands or more are not unheard of. But hey, security researchers can examine processes! That makes it ok, right? Not really, no.

      • Granted, pwn2own are the low-hanging fruit. Which means… it shouldn’t be picked ?

        Indeed, I base my discourse on available info. I should base it on what ?

    • Also,
      1- yes Google is generous to the security community. It has meaningful, open bounties whereas Apple’s bounties for iOS are closed (only 6 accepted contributors last I read) and cheap to the point of being meaningless.
      2- Google has the courage to publish an official, on-the-record, security report. Apple is silent on the subject (better no PR than a hint of bad PR, Google is 0.02% bad, Apple can’t stomach that)
      3- Some of the openness is indeed due to Android’s architecture and past. I’m not sure how this makes Apple’s closedness more excusable, it is also due to architectural and historical *choices*, not happenstance.
      4- most of the openness is voluntary. OEMs have the choice to lock bootloaders or not, to make phones rootable or not, to disable adb or not; and users and security providers have the choice to buy more open devices and activate those features which make security research and action much easier.

    • Again, not saying Android is perfect (it is very flawed, mostly for non-updated devices), but let me refresh your memory: Apple had a millions-scale botnet too, that’s xcodeghost. Sorry, history again: that was years ago ! certain to never-ever happen again ! But entertain me: so iOS is flawed too. Everything is, esp re. computer malware. What matters is whether you try to swipe flaws under the carpet and silence security discourse; or address issues openly and foster discovery and solutions.

      Also, you seem to deeply misunderstand that Android is sandboxed too. It has been from v1. The difference is that OEMs are free to provide users with the ability to overwrite the whole OS (via bootloader unlocking) or the included OS’ permissions system (= sandbox, via rooting). That enables funky security settings (up to those hardened Android devices/distributions) and security work. But, and that’s important, OEMs can choose not to offer those possibilities, and/or users can choose not to activate it, **in which case Android is for all intents and purposes as locked down as iOS**, and if you picked a well-updated device, probably as secure.

      Reciprocally, Apple could offer the same choice to users. If that red pill is not taken, the mere existence of that red pill has no impact on the blue-pillers.

      Of course communication about security is marketing. One company deals in platitudes, the other commits to hard numbers and analysis. Shouldn’t it be a no-brainer to prefer one approach to the other ?

  5. The comment nesting stuff is wacky. I think displaying the comments in random order wouldn’t be worse :-p I’m trying hard to get them to list logically, sorry for a couple of misses.

  6. I’m curious:
    1- don’t you think there’s something slightly wrong if your attitude to security lets one, the same piece of malware lurk for 5+ years ? vice.com/en_us/article/zmv79w/mysterious-mac-malware-has-infected-hundreds-of-victims-for-years . IMHO, helping researchers creates a benevolent ecosystem… Not saying having 10 malwares in the same time span is better, but doesn’t the one kind of invalidate whatever your strategy is, too ?

    2- do you think that info is too public to be meaningful ? I’m not allergic to cigar smoke, so I’m up for those back rooms where truthiness is shared. We can set up a dead drop too: I’ve got sunglasses, a hat, and a scarf, and used to play spy vs spy. Not sure where my Burberry’s at, it’s never really needed in sunny Provence.

    3- Do you think it is too old to be relevant ? The main argument for that is that most of the fun stuff already happened at least once, we want to leave it a chance to happen again. But in the case of malware… maybe we should remember ?

    • 1 – Fruitfly is interesting, though I’ll hazard a guess (based solely on that story) that it’s malware dropped by some drive-by scam, perhaps linked to Flash exploits or, shrug, porn sites. “Antiquated” code makes it sound almost like a relic. And your point about researchers makes no sense. This was discovered. Apple doesn’t prevent people doing things on Macs. That’s part of why malware is so much easier to install on them. (I haven’t heard you complain that ChromeOS and Windows are too locked down. Why is that?)
      I’ve no idea what you mean by “your attitude to security”. Apps installed (apparently) with the permission of the user which connect to remote servers and/or control the screen and mouse exist all over the place. I’ve got one – it’s called Keyboard Maestro, but other daemons are available. Are you seriously suggesting Apple should monitor every daemon on every Mac? That’s crazy. Or ban kernel extensions and daemons? Oh no, that would be closed and so bad, and only ChromeOS, which is from Google and therefore open and good even when it’s closed, is allowed to do that.

      2 – no idea what you’re referring to here.
      3 – no idea what this refers to either. Take a break from commenting, please.

      • 1- You seem to be trying to put the onus back on users for maybe using USB thingies or Flash or watching porn. That’s sketchy rhetoric: they do, even Apple users. Shouldn’t security measures take that into account ?
        Of course malware that’s been running for 5 yrs will be antiquated. Doesn’t it make it all the more of an issue that it was around for so long ? “This was discovered”. After 5 yrs ! You count that as a positive ?
        My point about researchers is that security like all apps is an ecosystem: you need several players, a community, shared skills and knowledge, pow-wows… Apple isn’t fostering that. That’s what I’m saying w/ “attitude to security” : to Apple, something to be PRd about in vague terms, not quantified, and not opened to peer review. That’s security through obscurity, many have discussed it much better than I ever could, and we’re seeing the results with “can’t even know if your phone is infected or not”.
        Not sure what your thing about remoting means. Are you saying that since malware is remote, the only solution vs it would be to ban all remoting ? It ain’t so.
        FYI, yes, modern OSes include supervisors that monitor and curate running apps incl daemons and services, sometimes even network activity (esp 3rd-party solutions for that).
        I’m not sure where I said ChromeOS is open and good, if I did I retract it, the only thing I can find is my overwrought explanation that I’m not sure it can be rooted, so it may be not open; not sure what you mean by good I don’t think I used that word.

        2- I’m referring to you discounting my arguments because they’re based in publicly available info.

        3- I’m referring to you discounting my arguments because they’re based on 1-10 year old info and attitudes.

        As for Windows being too locked down, I’ve never said it because I don’t think so. I haven’t said it about MacOS either. I’m not sure about ChromeOS, but since you can run Android and Linux within it, I’m not sure it matters either way.

      • Just to be very clear, I think as long as there’s the option to install apps from any source and to get full admin rights, an OS is open enough (it’s even better, but not required, if it’s open-source too incl. drivers).

        2 key points:
        1- the possibility has to *exist*, not to *be activated*. 90+% of users should, like myself, stay within the various walled gardens (corollary: not all devices have to offer the choice), and to me one of the major flaws of legacy OSes (Windows, MacOS) is that uncurated apps and admin rights are way too easy to reach. But, it is an even worse problem when users can’t at all choose to break out of the walled garden or sandbox, because some have very legitimate reasons to, mostly gov censorship, curator censorship, or security.
        2- With these criteria, MacOS, Windows, Linux and Android are open. iOS isn’t, and I’m not sure about ChromeOS (though since it can run Linux and Android, at least the walled garden can be exited, that leaves the sandbox).

      • And lastly on the topic, those 5-10% of rooters/sideloaders are crucial because their influence far outweighs their numbers:
        1- researchers can research. There’s not many of them, they help everyone.
        2- govs or curators can’t abuse censorship since apps can be installed anyway (and still be sandboxed since sideloading doesn’t require rooting, so still be safe)
        3- commercial capriciousness (a la “let’s ban kid supervision apps now that we have ours”) is reined in too.
        4- a non-insignificant amount of interesting Android features originated in the Hacker scene and got mainstreamed by Google later on. Not quite as much as OEM-originated stuff or Apple-copied stuff ;-p , but some.

        And, again, Google is being nice to them. AOSP-based, from-the-ground-up, Google-free Android rebuilds are allowed to add Google’s proprietary apps (as long as the rebuilds don’t break the cardinal rule: don’t make apps crash/not run). Of course that’s mostly in Google’s interest: more Google Services users ! But Google could also be petty and that would mostly kill off the whole AOSP scene, with a negative impact on the sliver of it that’s not so much about a better mainstream Android, but a hardened, specialized one.
