How often do coders visiting Stack Overflow hit the copy keys? We can reveal. CC-licensed photo by wiredforlego on Flickr.
A selection of 9 links for you. Pay up, or… don’t. I’m @charlesarthur on Twitter. Observations and links welcome.
• Why did Facebook create business profiles for terrorists?
• Why are so many people on social media so angry?
• Are algorithm-free social networks like WhatsApp free of misinformation?
• What did Covid change about social networks’ approach to truth?
• How much do Facebook, Twitter and Google coordinate on taking accounts down?
Preorder Social Warming, my forthcoming book, and find answers – and more.
The ransomware group REvil, also known as Sodinokibi, published a blog on its darkweb site early on Tuesday in which it claimed to have infiltrated the computer network of Quanta Computer Inc. The Taiwan-based company is a key supplier to Apple, manufacturing mostly Macbooks. It similarly produces goods for the likes of HP Inc., Facebook Inc. and Alphabet Inc.’s Google.
REvil’s public face on the darkweb, a user on the cyber-crime forum XSS who goes by the name ‘Unknown’, announced Sunday that the ransomware group was on the cusp of declaring its “largest attack ever,” in a post reviewed by Bloomberg News. The post was made in Russian on a channel where the REvil group recruits new affiliates, according to a person familiar with Unknown’s history on the XSS forum who sought anonymity for fear of retaliation.
By early on April 20, REvil’s ‘Happy Blog’ — a site where the cartel publicly names and shames victims in hopes of coaxing ransom payment — declared Quanta its latest victim. In their post, also reviewed by Bloomberg, the hackers claim they’d waited to disclose the Quanta compromise until the date of Apple’s latest big reveal, contending the parts supplier had expressed no interest in paying to recover the stolen data. Quanta acknowledged an attack without explaining if or how much of its data was stolen.
…By the time Apple’s product launch was over, REvil had posted schematics for a new laptop, including 15 images detailing the guts of what appears to be a Macbook designed as recently as March 2021, according to the documents reviewed by Bloomberg.
REvil is now attempting to shake down Apple in its effort to profit off the stolen data. They’ve asked Apple to pay their ransom by May 1, as was first reported by Bleeping Computer. Until then, the hackers will continue to post new files every day, REvil said on its blog.
Not much use posting them on the dark web, is it? They’re assembly schematics (as you’d expect for an assembly company) which Apple Insider, among others, has published. (At least, the picture was up when I looked.) MacBook Pro: no Touch Bar, HDMI connector, SD card slot. Rejoice.
Recently, I reached out to the most profitable company in the world to ask a series of basic questions. I wanted to understand: how is a single man making the entire Apple App Store review team look silly? Particularly now that Apple’s in the fight of its life, both in the courts and in Congress later today, to prove its App Store is a well-run system that keeps users safe instead of a monopoly that needs to be broken up.
That man’s name is Kosta Eleftheriou, and over the past few months, he’s made a convincing case that Apple is either uninterested or incompetent at stopping multimillion-dollar scams in its own App Store. He’s repeatedly found scam apps that prey on ordinary iPhone and iPad owners by luring them into a “free trial” of an app with seemingly thousands of fake 5-star reviews, only to charge them outrageous sums of money for a recurring subscription that many don’t understand how to cancel. “It’s a situation that most communities are blind to because of how Apple is essentially brainwashing people into believing the App Store is a trusted place,” he tells The Verge.
There’s a lot to unpack there: fake free trials, fake reviews, subscription awareness. We could write an entire story about each. Today, I’d like to focus on how one guy could find what Apple’s $64-billion-a-year App Store apparently cannot, because the answer is remarkable.
You simply look at the apps that are making the most money. Then, you find ones where the user reviews are suspicious and look for ridiculously high subscription prices.
That’s it. There’s no step four. Eleftheriou tells us this is how he started finding these scams, but you don’t need to be a coder to figure it out.
This continues to be a ridiculous embarrassment for Apple. Fake reviews and scummy apps with tricksy headfakes that drag people into pricey subscriptions. It has begun picking up on some apps, but nothing like as many as there are. To some extent, this is “cutting the grass”: new scams will appear as each one is removed. But that’s the point about curating an app store: you have to keep at it, and there is a lot of grass cutting.
Working a menial job is hard, but “Fake Famous” demonstrates that being an influencer, too, can be a tedious kind of labor. In one amusing sequence, Bilton takes us behind the scenes of a photo shoot in which Dominique and Wylie are shown partaking in one-per-cent-like activities such as sipping champagne and eating chocolates poolside at the Four Seasons, relaxing blissfully on an international flight, and receiving a luxurious spa treatment. All of this, however, is smoke and mirrors: in the pictures, which are shot in quick succession at a single location, a toilet seat held aloft mimics a plane’s window, the champagne is apple juice, the chocolates are pats of butter dipped in cocoa powder, and the rose-petal-infused spa basin is a plastic kiddie pool.
There is a kind of D.I.Y. creativity about all of this, a spirit of making do, which allows the plucky influencer some agency. “Remember, you’re the Lulu girl!” Dominique’s mom reminds her daughter, early in the film, when Dominique expresses doubts about her ability to make nice at her retail job—and, in her attempts to become an influencer, Dominique’s fealty to Lululemon is exchanged for a commitment to the new version of herself that she has decided to sell online. Dominique wants to brand her own self rather than work for someone else’s, and on the face of it, one might wonder what could be wrong with this strategy, in which, instead of allowing a corporation to harvest the surplus value of an employee’s personality, the employee is able to harvest it for herself. (Slay, kween!) Depressingly, though, as Dominique’s popularity grows—she even starts getting more auditions and acting gigs, thanks to her burgeoning Instagram profile—her success seems to depend not on any surplus of personality but, rather, on a lack thereof. She develops an audience by posting videos of herself unboxing products that she has been sent for free by other brands: a blender, energy bars, slippers, a CBD vibrator. Dominique “is like a piece of Play-Doh,” Chris says to Bilton. Like the pink wall on Melrose, she is eye-catching, but still blank enough.
*crosses “influencer” off list of jobs to apply for*. This isn’t even “famous for being famous”. It’s “not particularly famous for being not particularly famous”.
Dr. Anthony Fauci, the nation’s top infectious disease doctor, doesn’t want to talk about herd immunity anymore.
“Rather than concentrating on an elusive number, let’s get as many people vaccinated as quickly as we possibly can,” he said at a White House briefing last week, a sentiment he’s since repeated.
What Fauci doesn’t explicitly state, but others do, is that with about a quarter of Americans saying they might not want to be immunized, herd immunity is simply not an attainable goal.
“It’s theoretically possible but we as a society have rejected that,” said Dr. Gregory Poland, director of the Mayo Clinic’s Vaccine Research Group. “There is no eradication at this point, it’s off the table. The only thing we can talk about is control.”
After initially aiming for the kind of protection provided by the measles vaccine, officials are now focused on containment similar to the flu: acknowledging there will be regular outbreaks but hoping to limit them as much as possible.
Americans can go through their entire lives without worrying about getting the measles because of a long-lasting effective vaccine given to more than 90% of children. Although small pockets of infection occur when vaccination rates drop, even people who can’t get the vaccine or are immunocompromised remain mostly protected.
With COVID-19, where vaccines are effective but won’t last a lifetime, vaccine hesitancy makes that kind of widespread protection unlikely, experts say.
That means people who can’t get vaccinated or whose immune systems are dampened by medication or disease will remain vulnerable. There will probably always be enough unvaccinated people to allow COVID-19 to spread once it arrives in a community. And even people who are vaccinated won’t be 100% protected in the face of such a contagious illness.
Perhaps it was inevitable that such a big country would fail in this way. But it is a monumental failure.
Ben Popper and David Gibson, after an April Fool’s joke that Stack Overflow (beloved by coders seeking a solution to a problem) was going to make a hardware keyboard that would simply copy and paste, got to wondering how often people actually do Cmd-C Cmd-V:
One out of every four users who visits a Stack Overflow question copies something within five minutes of hitting the page. That adds up to 40,623,987 copies across 7,305,042 posts and comments between March 26th and April 9th. People copy from answers about ten times as often as they do from questions and about 35 times as often as they do from comments. People copy from code blocks more than ten times as often as they do from the surrounding text, and surprisingly, we see more copies being made on questions without accepted answers than we do on questions which are accepted.
So, if you’ve ever felt bad about copying code from our site instead of writing it from scratch, forgive yourself! Why recreate the wheel when someone else has done the hard work? We call this knowledge reuse – you’re reusing what others have already learned, created, and proven. Knowledge reuse isn’t a bad thing – it helps you learn, get working code faster, and reduces your frustration. Our whole site runs on knowledge reuse – it’s the altruistic mentorship that makes Stack Overflow such a powerful community.
Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective • Signal
Moxie Marlinspike (who, if you don’t know, is a hacker extraordinaire) got hold of a Cellebrite analyser, as used by law enforcement and others to break into phones seized from people:
Anyone familiar with software security will immediately recognize that the primary task of Cellebrite’s software is to parse “untrusted” data from a wide variety of formats as used by many different apps. That is to say, the data Cellebrite’s software needs to extract and display is ultimately generated and controlled by the apps on the device, not a “trusted” source, so Cellebrite can’t make any assumptions about the “correctness” of the formatted data it is receiving. This is the space in which virtually all security vulnerabilities originate.
Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security.
…Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.
For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures.
Something something hoist petard. Now Cellebrite has to worry about whether any phone its equipment is used to hack into might have a (kinda, sorta) malicious version of Signal.
Lina Khan, a progressive trustbuster, displays get-tough approach to tech in confirmation hearing • The New York Times
At the Senate Commerce committee hearing, Ms. Khan, 32, said she was “seeing whole range of potential risks. One that comes up across board is that the ability to dominate one market gives companies, in some instances, the ability to expand into adjacent markets.”
She also focused on the online advertising market and how the consumer data mining that fuels it poses potential harms for consumers. The business model, she said, incentivizes more and more data collection.
“In some cases, companies may think it’s worth the cost of doing business to risk violating privacy laws,” she said.
Ms. Khan is part of a progressive wing of the Democratic Party that has pushed for antitrust legal reform and the breakup of companies like Facebook and Google. In a 2017 Yale Law Journal article titled “Amazon’s Antitrust Paradox,” she questioned the bias of antitrust experts toward consumer prices as the key metric for antitrust violation. Even though Amazon offers consumers lower prices in many cases, she argued the company could harm competition by squeezing out small-business rivals who rely on its marketplace.
President Biden’s nomination of Ms. Khan to one of three Democratic seats at the FTC has been taken as a sign of how the White House plans to be tough on tech. Tim Wu, a progressive critic of Facebook and other big tech companies, was also recently named to a role in the White House.
Can’t imagine who she’s thinking about with the “privacy laws” stuff.
Ryan Broderick’s newsletter (which is great) looks, briefly, at what Facebook’s new Clubhouse rival is likely to do:
Readers of Garbage Day already know that I am extremely bearish about Clubhouse. Mainly for its increasingly toxic user base, but also I think live audio for live audio’s sake is a fad. That’s not to say that some people haven’t figured out how to do some great stuff with the medium, but I don’t see conference calls with LinkedIn dark enlightenment wizards as The Next Big Thing In Tech. I assume we’ll look back on it as a weird COVID fad. And, more worryingly, I fear that Clubhouse’s ultimate legacy will be that any app can grow a massively over-inflated valuation simply because it convinced 1000 extremely rich people in Silicon Valley to use it first. The app is already seeing a 72% drop in downloads [from 9.6m installs in February to 2.4m in March, according to Sensor Tower]. So I’m not exactly optimistic about Facebook’s foray into the space.
As for short-form audio and long-form audio, I suspect it will go exactly like all other content types supported by Facebook. At first, the algorithm will over-promote it. Because of the scale of the site and economic value of Facebook virality, this will create an audio gold rush on the platform. More than a few media companies will almost certainly get involved. If audio doesn’t stick with Facebook users, which I think is likely, the dial on audio will be turned down, any media companies that staffed up for the push will have layoffs, and there will be like a couple dozen random people who are suddenly massive podcast names with millions of listeners that you’ll probably never hear about until they come out as anti-vaxxers or something.
If audio on Facebook does work, what will happen will most likely be a subtle shifting of the medium. Content that works on Facebook and Instagram tends to slowly morph over time into content that only works on those platforms.
Like Apple’s other digital stores, its new podcast marketplace allows users to pay creators directly. And, like those other stores, it has similar terms: there’s a $19.99 annual charge for the Apple Podcasters Program, which is available starting today. Subscriptions are monthly by default, with an annual option as well. And according to my brief look at the terms, Apple will take a 30% commission on the first year of a subscription, with a drop to 15% if auto-renew is enabled.
Ads and sponsorships can still be used in paid podcasts, and Apple doesn’t get a cut of those. And, from what I can tell, the deal with Apple isn’t exclusive, meaning that you can still run a membership program elsewhere as well.
Also an interesting thing that I caught: one of the rights granted to Apple by putting your podcast up is the ability for Apple to create and make available transcripts (though it looks like creators can opt out). From an accessibility point, that would be a great feature of the podcast offering, since many podcasts don’t have the resources or wherewithal to provide one currently.
I don’t know quite how complicated the systems for creating subscriptions used by Dithering and Accidental Tech Podcast are, but they seem feasible enough for anyone with some expertise. Plus the Podmasters team (Oh God What Now, The Bunker) manage it and use Patreon. I expect the real challenge is dealing with (in order) wrongly entered details, fraud attempts and expiring cards. Apple will do all that. Is that worth the 30% (then 15%) deduction on what might be not a huge amount of money?
Still, it indicates that Apple is getting serious – after a long, long time – about podcasts. All part of the Services narrative.
Errata, corrigenda and ai no corrida: none notified