Start Up No.1354: EU rejects data transfer to the US, the Twitter in depth, TSMC cuts out Huawei, should TikTok be blocked?, and more


What if the Trinity test, where the first atom bomb was exploded, had gone… wrong? CC-licensed photo by Kelly Michals on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 12 links for you. Not radioactive. I’m @charlesarthur on Twitter. Observations and links welcome.

EU court rejects data transfer tool in Max Schrems case • Irish Times

Naomi O’Leary:

»

Europe’s top court has declared an arrangement under which companies transfer personal data from the European Union to the US invalid due to concerns about US surveillance powers.

The ruling in the long-running battle between Facebook, Ireland’s Data Protection Commissioner and the Austrian privacy activist Max Schrems found that the so-called Privacy Shield agreement does not offer sufficient protection of EU citizens’ personal data.

“The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities . . . are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” the court said in a statement.

The ruling is a blow to the thousands of companies, including Facebook, that rely on the Privacy Shield to transfer data across the Atlantic, and to the European Commission, as it unpicks an arrangement it designed with US authorities to allow companies to comply with EU data protection law.

“Like many businesses, we are carefully considering the findings and implications of the decision of the Court of Justice in relation to the use of privacy shield and we look forward to regulatory guidance in this regard,” said Facebook’s associate general counsel, Eva Nagle.

«

And so the merry-go-round continues once again. All I expect is a ton of emails saying companies have updated their privacy policy, and buttons on web pages giving you a single option: to agree to the data transfer.
unique link to this extract


Hackers convinced Twitter employee to help them hijack accounts • Vice

Joseph Cox:

»

The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard. One of the screenshots shows the panel and the account of Binance; Binance is one of the accounts that hackers took over today. According to screenshots seen by Motherboard, at least some of the accounts appear to have been compromised by changing the email address associated with them using the tool.

In all, four sources close to or inside the underground hacking community provided Motherboard with screenshots of the user tool. Two sources said the Twitter panel was also used to change ownership of some so-called OG accounts—accounts that have a handle consisting of only one or two characters—as well as facilitating the tweeting of the cryptocurrency scams from the high profile accounts.

Twitter has been deleting some screenshots of the panel and has suspended users who have tweeted them, claiming that the tweets violate its rules.

The panel is a stark example of the issue of insider data access at tech companies. Whereas in other cases hackers have bribed workers to leverage tools over individual users, in this case the access has led to takeovers of some of the biggest accounts on the social media platform and tweeted bitcoin related scams in an effort to generate income.

The screenshots show details about the target user’s account, such as whether it has been suspended, is permanently suspended, or has protected status.

«

Remember that the Saudi regime used Twitter employees to spy on activists. This is a problem with internal security systems; Twitter needs some sort of two-factor system for its own employees, apparently. Which creates all sorts of headaches.
unique link to this extract


Twitter hack 2020 was probably done by a bitcoiner – but not a savvy one • CoinDesk

Leigh Cuen:

»

“As much as I can tell by the evidence I see right now, the attackers did not understand the value of the information that they had,” ClearSky CEO Boaz Dolev told CoinDesk. “We need to find a way to build a more resilient audience that won’t believe anything they see in a certain format is true. It’s a new era where we need new tools to understand what is true.”

That said, with an audience reach of over 375 million followers, the hacked accounts only ensnared 421 bitcoin transactions, with only 17 of those transactions valued above $1,000. Roughly half of the transactions hailed from North American exchange accounts.

Whoever is behind the Twitter Hack of 2020, which collected bitcoin by hijacking the accounts of everyone from Barack Obama to Elon Musk, Dolev said it doesn’t appear to be a state actor or a terror group. 

So far the evidence suggests the attackers were well-versed in crypto culture, using inside jokes like spending up to 6.15 bitcoin, a popular meme reference, and tweeting about paid Telegram groups. 

“Based on the history of the first destination address of the CryptoForHealth scam addresses, the scammers have a history of gambling on BitMEX and Coinbase usage,” said the privacy-centric team behind Samourai Wallet. 

«

375 million followers, 421 transactions. I guess we know how many truly stupid people there are in the world.
unique link to this extract


No, you couldn’t have made more money than the Twitter hacker • Fort & Forge

Rahul Sridhar:

»

The hackers got full access to all Twitter-verified accounts, meaning that they should have had access to their direct messages. Surely this is much more valuable than just posting a fake tweet? Think about the incalculable damage caused by the Sony leaks or watch this hypothetical-but-still-terrifying Tom Scott video about a world in which Gmail password-checking was turned off for a day.

It’s definitely true that there are gobs of interesting material lurking in verified users’ DMs that they wouldn’t want seeing the light of day, but it’s a little tricky to make money from this. The most obvious method is blackmail. Exfiltrate the messages from the most popular users and threaten that you’ll release them in full if they don’t send X BTC to Y address.

This would definitely make some amount of money, but I’m not convinced it’s worth the effort. Firstly, it’s hard to judge ahead of time which accounts have the juicy DMs. Large, high-profile accounts like Joe Biden’s are run by a whole social media team and probably don’t exchange sensitive information via Twitter. Smaller accounts probably do have more interesting gossip, but might be less willing or able to pay as a result.

Then there’s the problem of actually exfiltrating and storing all the data, sending individual messages to each of the users you hack, tracking who has and hasn’t paid, and actually releasing the leaked material publicly. It’s a lot of operational overhead that may, in the end, net you less money than the dumb Bitcoin scam.

«

unique link to this extract


What if the Trinity test had failed? • Restricted Data

Alex Wellerstein on the anniversary (on Thursday) of the first nuclear test, and a counterfactual consideration: what if it hadn’t worked as they anticipated?

»

The scientists had high confidence that the gun-type design would work, and it was easier to confirm the principles behind it without a full-scale test. Would their confidence have been shaken? If their diagnostics of the Trinity test told them that the detonator system had worked as planned, then they might have worried that their deeper understanding of a fission bomb was incorrect. But if they thought it was just an assembly problem — something unique to the implosion design — then they’d probably have still been confident about the gun-type arrangement. 

But the policymakers and military brass would probably have been a lot less confident. Outside of Groves, none of the other military leaders had a deep understanding of the bomb, and several expressed extreme pessimism about its prospects prior to Trinity. A Trinity failure would have reinforced these perspectives. It’s possible they might have judged the entire thing not ready for prime time, and scuttled any use plans until they were confident that it wouldn’t be an embarrassment.

And a failed Trinity would, as noted, probably mean that they would have extreme delays in their plutonium bomb capabilities. I think they’d still want to use the uranium bomb as soon as possible. But they’d know that they would not be able to follow it up with more attacks for some time. Maybe they’d try to bluff about that, or maybe they’d just downplay how much destruction they’d be delivering that way, I don’t know. But I think they’d consider it a pretty different situation.

«

unique link to this extract


TSMC plans to halt chip supplies to Huawei in 2 months • Nikkei Asian Review

Cheng Ting-Fang and Lauly Li:

»

Taiwan Semiconductor Manufacturing Co. on Thursday confirmed it has suspended processing new orders from key customer Huawei Technologies to comply with U.S. export regulations, but said it can still achieve more than 20% revenue growth this year thanks to strong demand for 5G smartphones, infrastructure and high-performance computing applications.

The world’s biggest contract chipmaker also said it is ramping up capital spending for 2020, despite the ongoing coronavirus pandemic.

“We are complying fully with the new [U.S.] regulations. We did not take any new orders [from Huawei] since May 15,” TSMC Chairman Mark Liu told an investors conference, confirming an earlier report by the Nikkei Asian Review. “Although the regulation just finished its public comment period, the BIS [Bureau of Industry and Security] did not make a final ruling change. Under this circumstance, we do not plan to ship wafers [to Huawei] after Sept. 14.”

Under the tightened export control rule, non-U.S. chip companies must apply for licenses to use American technology and tools to supply to Huawei, the biggest Chinese tech company. TSMC and other chipmakers were not allowed to process new orders from Huawei or its chip design arm HiSilicon after May 15 without a license and must ship any orders already in the pipeline before Sept. 14.

«

Noose tightening for Huawei. Either it will become completely independent, or it will die.
unique link to this extract


The US military is using online gaming to recruit teens • The Nation

Jordan Uhl:

»

“Have a nice time getting banned, my dude,” Army recruiter and gamer Joshua “Strotnium” David told me right before he booted me from the US Army’s Twitch channel. I had just reminded viewers of the United States’ history of atrocities around the globe, and helpfully provided a link to the Wikipedia page for US war crimes.

Was I undiplomatic? Sure. But if the military is going to use one of the world’s most popular platforms to recruit kids, then it shouldn’t be able to do so without some pushback. Right now, with the support of Twitch, gamers with the US military are spending hours with children as young as 13, trying to convince them to enlist.

The Army, Navy, and Air Force all stream on Twitch using dedicated e-sports teams. These teams are comprised of skilled gamers who compete in tournaments for cash prizes. While members of military e-sports teams offer the regular gaming skill set, they’re also on-screen talent and recruiters. Instead of approaching a recruiter behind a table in a school cafeteria, kids can hang out with one who is playing their favorite video games and replying to their chat messages for hours on end.

…The practices employed on Twitch by military e-sports teams are part of a system by which recruiters target children in unstable and/or disadvantaged situations. Recruiters take advantage of the poor seeking steady income, the vulnerable longing for stability, and the undocumented living in fear because of their citizenship status. Now, at a time when all those factors are magnified by a pandemic that has left half the country out of work and over 30% unable to afford their housing payments, conditions are ripe for recruiters to prey on anxious youth.

«

The US military has been using videogames as a recruitment method for ages. This story got them banned from Twitch.
unique link to this extract


Banning TikTok is a terrible idea • SupChina

Samm Sacks:

»

The mere fact that a Chinese company handles U.S. citizen data in and of itself may not necessarily warrant banning investment under CFIUS or blacklisting a specific company for use in the U.S. The U.S. national security risks should be evaluated based on an investigation, with regular audits, to determine (a) what kind of U.S. citizen data is being accessed (for example, metadata, images, geographic data, critical infrastructure data), (b) how that data is being used and what data protection measures are in place to protect the rights and interests of U.S. consumers, and (c) with whom that data is being shared and through what mechanisms. If, based on the outcomes of such an evaluation, the U.S. government cannot verify that the interests and rights of U.S. consumers will be protected, then that company should be prohibited from storing and sharing U.S. personal data.

Such an assessment also must consider what intelligence value the data collected on TikTok’s platform would provide to Beijing. Videos of lip syncing and dancing are of limited strategic use even for an “adversary government” (which the Trump administration is increasingly calling China) — whether to target individuals for coercion or even as used in aggregate form as part of a mass collection effort. In this way, the data security risk posed by TikTok is different from that of Grindr, the gay dating app acquired by a Chinese gaming company deemed a national security threat by CFIUS.

«

The better argument, which he also makes, is that there should be better data security for all sorts of data. But to think that TikTok isn’t any sort of risk comes across as a little naive.
unique link to this extract


Toshiba’s light sensor paves the way for cheap Lidar • IEEE Spectrum

John Boyd:

»

High-end Lidar systems can be expensive, costing $80,000 or more, though cheaper versions are also available. The current leader in the field is Velodyne, whose lasers mechanically rotate in a tower mounted atop of a vehicle’s roof.

Solid-state Lidar systems have been announced in the past several years but have yet to challenge the mechanical variety. Now, Toshiba hopes to advance their cause with its SiPM: a solid-state light sensor employing single-photon avalanche diode (SPAD) technology. The Toshiba SiPM contains multiple SPADs, each controlled by an active quenching circuit (AQC). When an SPAD detects a photon, the SPAD cathode voltage is reduced but the AQC resets and reboots the SPAD voltage to the initial value. 

“Typical SiPM recovery time is 10 to 20 nanoseconds,” says Tuan Thanh Ta, Toshiba’s project leader for the technology. “We’ve made it 2 to 4 times faster by using this forced or active quenching method.”

The increased efficiency means Toshiba has been able to use far fewer light sensing cells—down from 48 to just 2—to produce a device measuring 25 μm x 90 μm, much smaller, the company says, than standard devices measuring 100 μm x 100 μm. The small size of these sensors has allowed Toshiba to create a dense two-dimensional array for high sensitivity, a requisite for long-range scanning. 

«

Important waypoint, although this is probably going to be more useful offroad and for drones.
unique link to this extract


How to fix the Covid-19 dumpster fire in the US • STAT News

Helen Branswell:

»

The website Covidexitstrategy.org has updated its previously tri-colored U.S. map, which showed states as either green, signifying they are trending better; yellow, making progress; or red, trending poorly. A fourth designation, called “bruised red,” signals states with uncontrolled spread; criteria for this category includes hospitals nearing capacity both in terms of overall beds and ICU space. Already 17 states are wearing bruised red.

The virus suppression gains earned through the painful societal shutdowns of March, April, and May — the flattened epidemiological curves — have been squandered in many parts of the country, dejected public health experts agree. A vaccine for the masses is still months away. What can be done?

One thing is clear, according to public health experts: Widespread returns to lockdown must be a last resort — and may not be doable.

“It would be really a morale breaker,” Anthony Fauci, director of the National Institute for Allergy and Infectious Diseases, told STAT. “The stress and strain that people were under during prolonged lockdown is the genesis of why, when they were given the opportunity to try and open up, they rebounded so abruptly. Because what I think happened is, they overshot.”

«

That exit strategy site shows quite what a mess the US is. The article has opinions from health experts, in which the one that would probably make the most sense – but won’t happen – is “consistent consistency” in the messaging about what to do. (Thanks G for the link.)
unique link to this extract


Attorney General Barr accuses Hollywood, Big Tech of collaborating with China • Reuters

Sarah Lynch and David Shepardson:

»

U.S. Attorney General William Barr took aim at Hollywood companies, including Walt Disney on Thursday as well as large technology firms like Apple, Alphabet’s Google and Microsoft Corp over company actions with China.

“Corporations such as Google, Microsoft, Yahoo, and Apple have shown themselves all too willing to collaborate with the (Chinese Communist party),” Barr said. He added that Hollywood has routinely caved into pressure and censored their films “to appease the Chinese Communist Party.” The companies and the Chinese Embassy in Washington did not immediately comment. Apple declined comment.

“I suspect Walt Disney would be disheartened to see how the company he founded deals with the foreign dictatorships of our day,” Barr said in a speech at the Gerald R. Ford Presidential Museum in Michigan.

Barr chided U.S. companies for being too willing to take steps to ensure access to the large Chinese market. “The Chinese Communist Party thinks in terms of decades and centuries, while we tend to focus on the next quarterly earnings report,” Barr said. “America’s big tech companies have also allowed themselves to become pawns of Chinese influence.”

…Barr suggested that Apple iPhones “wouldn’t be sold (in China) if they were impervious to penetration by Chinese authorities.” He suggested American tech companies were imposing a “double standard.”

«

Barr is, as so often, talking nonsense. Sure, Hollywood takes financing from China for films, which are then shown there. Google doesn’t operate there. Microsoft and Yahoo have minimal operations. Apple’s products can’t be penetrated, same as the US government can’t penetrate them here (and keeps wailing for help to break into them).
unique link to this extract


Russia-linked hackers accused of targeting Covid-19 vaccine developers • Financial Times

Helen Warrell, Clive Cookson and Henry Foy:

»

Hackers backed by the Russian state are targeting pharmaceutical companies and academic institutions in the UK, US and Canada that are conducting Covid-19 vaccine research, British intelligence officials have warned.

The UK’s National Cyber Security Centre, together with Canada’s Communications Security Establishment, blamed the attacks on the cyber espionage group APT29, which it alleged was “almost certainly” working for the Kremlin’s intelligence services. The findings have been endorsed by the US National Security Agency.

Intelligence officials said the group had used a form of malware known as “WellMess” and “WellMail” to steal information on vaccine research and development, and warned that the attacks were likely to continue. Officials would not confirm whether the hacking group had successfully stolen any intellectual property but said UK research facilities were being “well-defended” against the threat.

Dominic Raab, UK foreign secretary, said it was “completely unacceptable that the Russian intelligence services are targeting those working to combat the coronavirus pandemic”, adding that Britain would work with international partners to hold the perpetrators to account.

…The new allegations about Russian hacking come ahead of the publication on Monday of the first clinical trial results from Oxford university’s much anticipated Covid-19 vaccine.

The results, which will appear in The Lancet journal, include what one senior Oxford scientist called “terrific preliminary data” on the way the inoculation stimulates immunity.

«

APT29, aka “Cozy Bear”, the Russian state-sponsored hacking group that hacked the Democratic National Committee in 2016.
unique link to this extract


Errata, corrigenda and ai no corrida: none notified
