Start Up No.1223: Mozilla lays off 70, Apple buys another AI company, could the FBI hack those iPhones?, what bystanders really do, and more


Google’s new neural network can forecast weather from photos like this – really quickly. CC-licensed photo by NASA Goddard Space Flight Center on Flickr.


A selection of 12 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.

Mozilla lays off 70 as it waits for new products to generate revenue • TechCrunch

Frederic Lardinois:

»

Mozilla laid off about 70 employees today, TechCrunch has learned.

In an internal memo, Mozilla chairwoman and interim CEO Mitchell Baker specifically mentions the slow rollout of the organization’s new revenue-generating products as the reason for why it needed to take this decision. The overall number may still be higher, though, as Mozilla is still looking into how this decision will affect workers in the UK and France. In 2018, Mozilla Corporation (as opposed to the much smaller Mozilla Foundation) said it had about 1,000 employees worldwide.

“You may recall that we expected to be earning revenue in 2019 and 2020 from new subscription products as well as higher revenue from sources outside of search. This did not happen,” Baker writes in her memo. “Our 2019 plan underestimated how long it would take to build and ship new, revenue-generating products. Given that, and all we learned in 2019 about the pace of innovation, we decided to take a more conservative approach to projecting our revenue for 2020. We also agreed to a principle of living within our means, of not spending more than we earn for the foreseeable future.”

«

Wants to offer a VPN, which would be a break from its reliance on search: 91% of its revenue comes from search. (Google pays, a lot, to be Firefox’s default search engine.)


Climate threats now dominate long-term risks, survey of global leaders finds • Reuters

Laurie Goering:

»

Climate-change-related threats such as extreme weather, large-scale biodiversity losses and a failure of political leaders to slow planetary heating are now the top long-term risks facing the globe, business and other leaders said on Wednesday.

An annual risk survey published ahead of the World Economic Forum next week put climate threats ahead of risks ranging from cyberattacks and pandemics to geopolitical conflict and weapons of mass destruction for the first time.

“That’s new. Last year we didn’t have it,” said Mirek Dusek, deputy head of the Centre for Geopolitical and Regional Affairs and an executive committee member of the World Economic Forum, of the rise of environmental issues up the list.

The shift comes as climate-changing emissions continue to rise strongly globally, despite government and business commitments to reduce them, and as the potential impact of runaway climate change becomes clearer.

«



2020 update on my global warming “traffic light” bet with Bryan Caplan and Alex Tabarrok • Stand-Up Economist

Yoram Bauman:

»

Back in 2014 I made a global warming bet with fellow economists Bryan Caplan and Alex Tabarrok about global temperatures over the following 15 years (2015-2029) compared with the previous 15 years (2000-2014). The bet can be illustrated with this graphic, so I’m calling it our “traffic light” bet:

The short version is that the red line at 0.92°C represents average temperatures during the first 5 years of our 15-year betting period; the yellow line at 0.67°C shows the finish line for the bet: if the red line is above the yellow line after another 10 years then I win the bet, and otherwise they win the bet; and the green line at 0.55°C shows how high average temperatures can be over the next 10 years for Bryan and Alex to win the bet.

The good news for Bryan and Alex is that they can still win our global warming bet if average temperatures for the next 10 years are about 0.4°C lower than the average for the past 5 years! (The bad news is that the green line is moving down: last year it was at 0.58°C.)

«

I hope the bet is for two trillion dollars, via some sort of leveraged derivative, so we can sort this stuff out.


Equal Rights Amendment: Virginia General Assembly passes resolution • CNNPolitics

Veronica Stracqualursi:

»

Virginia’s General Assembly on Wednesday approved resolutions to ratify the Equal Rights Amendment, a century-long dream of progressives and feminists that would ban discrimination on the basis of sex and guarantee equality for women under the Constitution…

…Congress passed the ERA in 1972, sending the amendment to the states to ratify within a seven-year window. That deadline was later extended by three years to 1982. By the 1982 deadline, only 35 states had ratified the amendment – three-fourths of state legislatures, or 38 out of 50, are needed to amend the Constitution – though five that had earlier passed it had by then rescinded their support. In subsequent years, two more states – Nevada in 2017 and Illinois in 2018 – have ratified the ERA.

The Justice Department’s Office of Legal Counsel said in a legal opinion made public last week that the deadline to ratify the ERA has expired and is no longer pending before the states. The opinion effectively prevents the archivist of the United States from verifying the ERA as Virginia is on the cusp of becoming the 38th state to ratify the amendment.

But the archivist’s authority doesn’t prevent states from acting on their own to ratify the amendment – or preclude them from legally challenging the Justice Department’s opinion in court.

«

The point about the ratification and the challenges is miles down the story, but it matters a bit.


Apple buys Xnor.ai, an edge-centric AI2 spin-out, for price in $200M range • GeekWire

Alan Boyle, Taylor Soper and Todd Bishop:

»

The arrangement suggests that Xnor’s AI-enabled image recognition tools could well become standard features in future iPhones and webcams.

Xnor.ai’s acquisition marks a big win for the Allen Institute for Artificial Intelligence, or AI2, created by the late Microsoft co-founder Paul Allen to boost AI research. It was the second spin-out from AI2’s startup incubator, following Kitt.ai, which was acquired by the Chinese search engine powerhouse Baidu in 2017 for an undisclosed sum.

The deal is a big win as well for the startup’s early investors, including Seattle’s Madrona Venture Group; and for the University of Washington, which serves as a major source of Xnor.ai’s talent pool.

The three-year-old startup’s secret sauce has to do with AI on the edge — machine learning and image recognition tools that can be executed on low-power devices rather than relying on the cloud. “We’ve been able to scale AI out of the cloud to every device out there,” co-founder Ali Farhadi, who is the venture’s CXO (chief Xnor officer) as well as a UW professor, told GeekWire in 2018…

…The company notched several notable advances in 2019, including the development of a standalone AI chip capable of running for years on solar power or a coin-sized battery, the debut of an AI-enabled gizmo that can autonomously monitor grocery shelves; and a deal to have its edge-based person recognition technology built into Wyze Labs’ low-cost security cameras.

«



September 2019: developer of Checkm8 explains why iDevice jailbreak exploit is a game changer • Ars Technica

Dan Goodin in September 2019:

»

Checkm8 was developed by a hacker who uses the handle axi0mX. He’s the developer of another jailbreak-enabling exploit called alloc8 that was released in 2017. Because it was the first known iOS bootrom exploit in seven years, it was of intense interest to researchers, but it worked only on the iPhone 3GS, which was seven years old by the time alloc8 went public. The limitation gave the exploit little practical application.

Checkm8 is different. It works on 11 generations of iPhones, from the 4S to the X. While it doesn’t work on newer devices, Checkm8 can jailbreak hundreds of millions of devices in use today. And because the bootrom can’t be updated after the device is manufactured, Checkm8 will be able to jailbreak in perpetuity.

I wanted to learn how Checkm8 will shape the iPhone experience—particularly as it relates to security—so I spoke at length with axi0mX on Friday. Thomas Reed, director of Mac offerings at security firm Malwarebytes, joined me. The takeaways from the long-ranging interview are:

• Checkm8 requires physical access to the phone. It can’t be remotely executed, even if combined with other exploits
• The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
• Checkm8 doesn’t bypass the protections offered by the Secure Enclave and Touch ID.

«

Sounds like the FBI (or a third party) could use this at least to bypass security on the iPhone 5. If that isn’t the one that the guy shot with a bullet. The iPhone 7 Plus will be more of a problem: it has the Secure Enclave, and as the hacker says “for pretty much all current phones, from iPhone 6 to iPhone 8, there is a Secure Enclave that protects your data if you don’t have the PIN.”

So you need a method to find the PIN – which could be a password. Tricky.


Why Japan is so successful at returning lost property • BBC Future

William Park and Johanna Airth:

»

“Handing in a lost or forgotten item is something that is taught at a young age,” says Tamura. “Children are encouraged to deliver lost items to the kōban, even if it’s 10 yen (7p). A child can deliver this coin to the kōban, the police officer will treat it formally as any lost item. A report is made up, and the coin is taken into police custody. Yet, knowing that no one would report [it], the police then gives the coin back as a reward. Therefore, although it is the same monetary amount, the process of handing it into the police is different from outright taking the money – that is, one is theft, the other is a reward.”

In a study comparing dropped phones and wallets in New York and Tokyo, 88% of phones “lost” by the researchers were handed into the police by Tokyo residents, compared to 6% of the ones “lost” in New York. Likewise, 80% of Tokyo wallets were handed in compared to 10% in New York. The abundance of police stations must make it easier, but is there something else going on?

Lost umbrellas, on the other hand, are rarely retrieved by their owners. Of the 338,000 handed in to Lost Property in Tokyo in 2018, only 1% found their way back to their owner. The vast majority – about 81% – were claimed by the finder, which is a peculiarity in itself. In fact, the profligacy of umbrellas can work the other way. Knowing that many people would forget to claim their umbrella, Satoshi, a former resident of Suginami-ku, Tokyo, says he would trick Lost Property into handing one over if he was caught out in the rain.

«

Umbrellas v iPhones. Very weird.


The FBI can unlock Florida terrorist’s iPhones without Apple • Bloomberg

Mark Gurman:

»

The FBI is pressing Apple to help it break into a terrorist’s iPhones, but the government can hack into the devices without the technology giant, according to experts in cybersecurity and digital forensics.

Investigators can exploit a range of security vulnerabilities – available directly or through providers such as Cellebrite and Grayshift – to break into the phones, the security experts said.

Mohammed Saeed Alshamrani, the perpetrator of a Dec. 6 terrorist attack at a Navy base in Florida, had an iPhone 5 and iPhone 7, models that were first released in 2012 and 2016, respectively. Alshamrani died and the handsets were locked, leaving the FBI looking for ways to hack into the devices.

“A 5 and a 7? You can absolutely get into that,” said Will Strafach, a well-known iPhone hacker who now runs the security company Guardian Firewall. “I wouldn’t call it child’s play, but it’s not super difficult.”

That counters the U.S. government’s stance. Attorney General William Barr slammed Apple on Monday, saying the company hasn’t done enough to help the FBI break into the iPhones…

…Strafach and other security experts said Apple wouldn’t need to create a backdoor for the FBI to access the iPhones that belonged to Alshamrani.

Neil Broom, who works with law enforcement agencies to unlock devices, warned that the software version running on the iPhone 5 and iPhone 7 could make it more difficult to break into the handsets. But it would still be possible.

“If the particular phones were at a particular iOS version, it might be as easy as an hour and boom, they are in. But they could be at an iOS version that doesn’t have a vulnerability,” he said.

«



Using machine learning to “Nowcast” precipitation in high resolution • Google AI Blog

Jason Hickey is a senior software engineer:

»

the availability of computational resources limits the power of numerical weather prediction in several ways. For example, computational demands limit the spatial resolution to about 5 kilometers, which is not sufficient for resolving weather patterns within urban areas and agricultural land. Numerical methods also take multiple hours to run. If it takes 6 hours to compute a forecast, that allows only 3-4 runs per day and results in forecasts based on 6+ hour old data, which limits our knowledge of what is happening right now. By contrast, nowcasting is especially useful for immediate decisions from traffic routing and logistics to evacuation planning.

As a typical example of the type of predictions our system can generate, consider the radar-to-radar forecasting problem: given a sequence of radar images for the past hour, predict what the radar image will be N hours from now, where N typically ranges from 0-6 hours. Since radar data is organized into images, we can pose this prediction as a computer vision problem, inferring the meteorological evolution from the sequence of input images. At these short timescales, the evolution is dominated by two physical processes: advection for the cloud motion, and convection for cloud formation, both of which are significantly affected by local terrain and geography.

We use a data-driven physics-free approach, meaning that the neural network will learn to approximate the atmospheric physics from the training examples alone, not by incorporating a priori knowledge of how the atmosphere actually works. We treat weather prediction as an image-to-image translation problem, and leverage the current state-of-the-art in image analysis: convolutional neural networks (CNNs).

«

The “physics-free” emphasis is Google’s, and it’s a good point: it’s basically looking at past weather maps and estimating how the cloud maps will look, and hence the rain maps. It’s entirely image-based – it doesn’t know (or ask for) anything about barometric pressure, temperature or anything. Probably doesn’t even care about night and day.

I came across an Alex Stamos (ex-Facebook) commentary from 2019 recently where he said the best machine learning we have right now is like a humungous number of preschoolers: you can teach them how to do simple stuff, but not really complex stuff. Seems like they’re growing up a little, though.


5G security • Schneier on Security

Bruce Schneier:

»

keeping untrusted companies like Huawei out of Western infrastructure isn’t enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards, the protocols and software for 5G ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security.

To be sure, there are significant security improvements in 5G over 4G in encryption, authentication, integrity protection, privacy, and network availability. But the enhancements aren’t enough.

The 5G security problems are threefold. First, the standards are simply too complex to implement securely. This is true for all software, but the 5G protocols offer particular difficulties. Because of how it is designed, the system blurs the wireless portion of the network connecting phones with base stations and the core portion that routes data around the world. Additionally, much of the network is virtualized, meaning that it will rely on software running on dynamically configurable hardware. This design dramatically increases the points vulnerable to attack, as does the expected massive increase in both things connected to the network and the data flying about it.

Second, there’s so much backward compatibility built into the 5G network that older vulnerabilities remain…

…Third, the 5G standards committees missed many opportunities to improve security. Many of the new security features in 5G are optional, and network operators can choose not to implement them.

«



Researchers find 17 Google Play apps that bombard users with battery-draining ads • Ars Technica

Dan Goodin:

»

Developers employed a variety of tricks to populate Google Play with more than a dozen apps that bombard users with ads, even when the apps weren’t being used, researchers have found.

Among the tactics used to lower the chances of being caught by Google or peeved users: the apps wait 48 hours before hiding their presence on devices, hold off displaying ads for four hours, display the ads at random intervals, and split their code into multiple files, researchers with antivirus provider Bitdefender reported. The apps also contain working code that does the things promised in the Google Play descriptions, giving them the appearance of legitimacy. In all, Bitdefender found 17 such apps with a combined 550,000 installations.

One of the apps Bitdefender analyzed was a racing simulator that also charged in-app fees for extra features. While it worked as advertised, it also aggressively displayed ads that drained batteries and sometimes prevented people from playing the game. After a four-hour waiting period, ad displays are generated using a random number (less than three) that was checked against a value. If the random number was equal to the value, an ad would appear.

The result: when a user unlocks an infected phone, there’s a one-in-three chance it will display an ad. The ad-showing mechanisms are also scattered within multiple activities and use modified adware developer kits. The randomness of the ad occurrences and display-time intervals further make it hard to notice patterns that might help identify the source. The app uses other tricks to make the displays unpredictable.

“Users see multiple ads either in-game when pressing different buttons or even if not in the app,” the report said.

«

Subtle point made in the comments: relies on an Android capability (background apps can Draw Over foreground ones) to do the ad thing. Can’t be done on iOS. Google is removing the apps, but removing Draw Over would be a lot better.


You will be helped! Research using real-world situations fails to replicate the “bystander effect” • Boing Boing

Cory Doctorow:

»

an international team of psych researchers have created an empirical account of the bystander effect that punctures the received wisdom [that people don’t get involved], finding that in 9 out of 10 times, bystanders do step up to help; and the more bystanders there are, the greater the likelihood is that you will receive help.

The researchers used police CCTV video footage of “conflict between at least two individuals” and analyzed whether bystanders intervened to help. The footage came from central districts of Cape Town, Amsterdam, and Lancaster, providing data on cities with very different public perceptions of the likelihood and severity of violent crime.

The researchers concluded that not only did one or more people intervene in 90% of conflicts, but also that the likelihood of intervention went up with the number of bystanders present.

The researchers say that earlier work on the bystander effect focused on “responsibility diffusion” (the feeling that someone else was likely to step in so you didn’t have to), but not enough of “mechanical helping potential” (the pervasive tendency to want to help). They caution that they were only able to survey conflicts in cities’ central business districts, and that these conclusions don’t necessarily carry over to “conflicts at music and sporting events, or sexual aggression on campuses.”

«

Here’s the paper. CCTV is turning out to be useful for all sorts of things, including dispelling old wives’ (and psychologists’) tales.


Errata, corrigenda and ai no corrida: none notified

2 thoughts on “Start Up No.1223: Mozilla lays off 70, Apple buys another AI company, could the FBI hack those iPhones?, what bystanders really do, and more”

  1. Let’s hype Mozilla again !
    1- It’s a fine browser, especially the latest desktop version. Renders all, fast enough and reliable enough.
    2- On Android specifically, it is one of the rare browsers that accept plugins, so you can run your uBlock Origin and Privacy Badger (and Night Mode !), and still sync to your Desktop Browser
    3- There’s quite a bit of stuff under the hood that makes it more private than Chrome, especially no unique user-agent string.

    Everyone should really give it a try for a week (there’ll be some friction, UI mostly, it’s a bit different but it isn’t bad/worse). We need the extra bit of privacy, we need the extra bit of difference, and on Android it’s really a no-brainer because addons.

  2. Android’s draw-over is one of those semi-naughty possibilities that can be used to cause mischief but also to provide useful/fun functionality. Kids around me use it to keep up with social, sports… even when they’re out-of-app. I’m sure there are some accessibility angles too.

    I think there’d be an outcry if Google were to cut it. The good ole’ functionality vs security dilemma. Google has no direct reason to want things either way in this case, I think they’re trying to strike a balance. Maybe limit it more, in size and position especially? AFAIK, right now it’s on/off, i.e. you get access to the whole screen or none at all, I’m sure most functionality could be delivered in a small vignette. Solves the login-screen hijacking issue though not the ad push issue.
