Start Up No.1547: ‘dark pattern’ regulation?, IEA raises renewables forecast, DarkSide under scrutiny, Trump’s blog flops, and more

What happens if you post an Apple AirTag? Turns out you can track its progress. CC-licensed photo by Spixey on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. Toot toot! I’m @charlesarthur on Twitter. Observations and links welcome.

The internet’s ‘dark patterns’ need to be regulated • The New York Times

Greg Bensinger is a member of the NYT’s editorial board:


Some things are difficult by design.

Consider Amazon. The company perfected the one-click checkout. But canceling a $119 Prime subscription is a labyrinthine process that requires multiple screens and clicks.

Or Ticketmaster. Online customers are bombarded with options for ticket insurance, subscription services for razors and other items and, when users navigate through those, they can expect to receive a battery of text messages from the company with no clear option to stop them.

These are examples of “dark patterns,” the techniques that companies use online to get consumers to sign up for things, keep subscriptions they might otherwise cancel or turn over more personal data. They come in countless variations: giant blinking sign-up buttons, hidden unsubscribe links, red X’s that actually open new pages, countdown timers and pre-checked options for marketing spam. Think of them as the digital equivalent of trying to cancel a gym membership.

There are plans in both the House and Senate to tackle dark patterns. And there’s movement at the state level, too. California strengthened its data privacy laws to include certain dark patterns and, in Washington State, lawmakers included similar language in a failed privacy bill of its own.

The phrase was coined over a decade ago by a British user experience designer — who maintains an online “hall of shame” — and since then dark patterns have become only more effective and pernicious. Because of the scale of the internet, if even a small percentage of these ploys work, many thousands or even millions of people may be affected.


Have you subscribed to the NYT online? To unsubscribe, you need to phone them during (their) work hours and persuade them to unsubscribe you. Editorialiser, edit thyself. Legislation is a good idea: make it obligatory that you can unsubscribe by the same method. Simple. (Via Benedict Evans’s newsletter.)
unique link to this extract

‘Exceptional new normal’: IEA raises growth forecast for wind and solar by another 25% • Carbon Brief

Simon Evans:


The International Energy Agency (IEA) has raised its forecast for the global growth of wind and solar by another 25% compared to figures it published just six months ago.

Furthermore, the IEA’s “renewable energy market update” forecasts nearly 40% higher growth in 2021 than it expected a year ago, putting wind and solar on track to match global gas capacity by 2022.

The Paris-based agency says a “huge” 280 gigawatts (GW) of renewable capacity – primarily wind and solar – was installed globally last year, some 45% higher than the level in 2019, after the largest annual increase in more than 20 years.

This “exceptional” level of annual additions will become the “new normal” in 2021 and 2022, the IEA says, with the potential for further acceleration in the years that follow.

Overall, the IEA says that renewables accounted for 90% of new electricity generating capacity added globally last year and that they will meet the same share in each of the next two years.


What’s really notable about this is that for years, the IEA’s forecast for renewables has been miles below what actually happened. Finally, though, it seems to have noticed.
unique link to this extract

Coal is losing the price war to wind and solar faster than anticipated • Electrek

Michelle Lewis:


No wonder Senator Joe Manchin (D-WV) and Cecil Roberts, president of US coal’s largest union, the United Mine Workers of America, finally (begrudgingly, on Manchin’s part) acknowledged the need for a transition from coal to renewables in Appalachia on April 19. Coal can no longer be justified in the US, not only for environmental and societal reasons but now also for economic reasons.

As demonstrated in many social media comments on my stories about green energy, particularly when it comes to Texas, the general public is still buying the fossil fuel industry’s lies, as well as the lies of their political supporters. But once the higher costs for fossil fuels hit consumers’ pockets, the lying won’t be able to continue.

Coal may be worryingly rebounding in Asia, according to a recent report from the International Energy Agency. Energy and environmental groups expected that fossil-fuel use would get worse before it got better.

There are issues that need to be urgently addressed in renewable growth, such as the demand for, possible shortage of, and ethical procurement of minerals and the urgent need for a big boost in renewable manufacturing in the US. But bottom line, coal is now the worst possible choice for energy on all fronts.


The link is to the US think tank Energy Innovation, which says that local wind and solar could replace 80% of the US coal fleet and save people money. That’s a lot.
unique link to this extract

A closer look at the DarkSide ransomware gang • Krebs on Security

Brian Krebs:


In late March, DarkSide introduced a “call service” innovation that was integrated into the affiliate’s management panel, which enabled the affiliates to arrange calls pressuring victims into paying ransoms directly from the management panel.

In mid-April the ransomware program announced new capability for affiliates to launch distributed denial-of-service (DDoS) attacks against targets whenever added pressure is needed during ransom negotiations.

DarkSide also has advertised a willingness to sell information about upcoming victims before their stolen information is published on the DarkSide victim shaming blog, so that enterprising investment scammers can short the company’s stock in advance of the news.

“Now our team and partners encrypt many companies that are trading on NASDAQ and other stock exchanges,” DarkSide explains. “If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares. Write to us in ‘Contact Us’ and we will provide you with detailed information.”

DarkSide also started recruiting new affiliates again last month — mainly seeking network penetration testers who can help turn a single compromised computer into a full-on data breach and ransomware incident.

“We have grown significantly in terms of the client base and in comparison to other projects (judging by the analysis of publicly available information), so we are ready to grow our team and a number of our affiliates in two fields,” DarkSide explained.

…DarkSide has shown itself to be fairly ruthless with victim companies that have deep pockets, but they can be reasoned with. Cybersecurity intelligence firm Intel 471 observed a negotiation between the DarkSide crew and a $15bn US victim company that was hit with a $30m ransom demand in January 2021, and in this incident the victim’s efforts at negotiating a lower payment ultimately reduce the ransom demand by almost two-thirds.


unique link to this extract

Namecheap hosted 25%+ of fake UK govt phishing sites last year – NCSC report • The Register

Gareth Corfield:


Domains’n’hosting outfit Namecheap harboured more than a quarter of all known phishing sites that falsely posed as UK government web presences during 2020, according to the National Cyber Security Centre today.

This stat can be found in the centre’s fourth annual Active Cyber Defence report, which boasts how much digital filth it cleansed from the internet. These included 700,000 scam sites stretching across 1.4 million URLs, or so the NCSC tells us.

It also encountered the usual COVID-themed ones we’ve all become familiar with over the last year – fake copies of the NHS Test and Trace app laced with malware – plus sites impersonating Capita TV Licensing, the outsourced subscription sales arm of the BBC. Email scams were also popular, with 26,000 being shut down after netizens flooded the NCSC’s email reporting portal with complaints of four million suspicious messages.

…One area where the NCSC hopes to make an immediate and positive difference is by killing off scam texts that appear to be sent from alphanumeric names such as UK_Gov. These are possible by design; UK mobile networks support the use of alpha tags in place of phone numbers but until very recently, there wasn’t much in the way of security for those tags.

Alpha tag scamming is easy if you know how, as infosec bod Jake Davis showed The Register last year by sending SMSes appearing to be from the Irish government saying “it looks like you’ve got the old cheeky corona.” The NCSC is now beginning to crack down on and register British Government-themed tags (plus the telly tax agency, unusually) to prevent their reuse by scammers and ne’er-do-wells through a relatively new thing: the SMS SenderID Protection Registry.


“There wasn’t much in the way of security”. Just calamitous. Who sets up this sort of stuff without thinking of the potential for scams?
unique link to this extract

The oncoming ransomware storm • Stephen Diehl

Diehl is a software engineer based in London:


The scary part, is there is almost nothing that can be done from an information security standpoint. Software is not going to magically become more secure any faster, even the most capitalised companies in the United States aren’t able to stave off the new generation of software exploits that are dropping every other day. There are too many exploits in the wild and there’s no stopping a massive increase in discovery, especially when billions of dollars are stake for their immediate use in ransomware. Our entire field is bad at what we do and if you rely on us to fix this, we’re doomed.

This battle cannot and will not be won on the technology side alone. The tech industry can’t solve this. It requires legislation and intervention in the financial system at only the level nation states can act.

Cryptocurrency is the channel by which all the illicit funds in this epidemic flow. And it is the one channel that the US government has complete power to reign in and regulate. The free flow of money from US banks to cryptocurrency exchanges is the root cause and needs to halt. Cryptocurrencies are almost entirely used for illicit activity and investment frauds, and on the whole have no upside for society at large while also having unbounded downside and massive negative externalities.

I fear we are at a critical point where there is not much time left before this new cyberpandemic reaches critical mass. And that looks like a very scary future indeed. I imagine some very dark things become part of the public discourse.

Imagine a hundred new Stuxnet-level exploits every day, for every piece of a equipment in public works and health care. Where every day your check your phone for the level of ransomware in the wild just like you do the weather. Entire cities randomly have their metro systems, water, power grids and internet shut off and on like a sudden onset of bad cybersecurity “weather”.


Possibly a bit hyperbolic, but it’s always worth considering the worst-case scenario. I’m not that sure the US government can actually stop bitcoin transactions. Even if US banks don’t allow it, there are plenty of other countries that would. He’s right that cryptocurrency is the real critical point here.
unique link to this extract

Twitter was Trump’s megaphone. His new blog isn’t as powerful • CNBC

Brandy Zadrozny:


Trump’s new blog has attracted a little over 212,000 engagements, defined as backlinks and social interactions — including likes, shares and comments — received across Facebook, Twitter, Pinterest and Reddit. Before the ban, a single Trump tweet was typically liked and retweeted hundreds of thousands of times.

The blog posts come in the form of statements that are also sent to supporters via email. In the multiple daily notes, Trump has attacked his political enemies and endorsed faithful supporters, continued to push false claims and conspiracy theories, and opined on news of the day.

Trump’s bans cost him the ability to communicate with millions of people: 88 million followers on Twitter, 32 million on Facebook, and 24 million on Instagram. Trump had just around 3 million YouTube subscribers, but his videos regularly racked up millions of views.

A CNBC analysis of Trump’s tweets in January found his most-liked tweets spread disinformation. But the conspiracy theories and name-calling that the former president has spread via his blog don’t seem to move the way they did when Trump benefited from the dual platforms of the White House and traditional social media. Trump has called his statements a “more elegant” alternative to tweeting, telling Newsmax’s Greg Kelly in March, “I like this better than Twitter. Actually they did us a favor.”


Less of a megaphone, more of a kazoo. Stick a fork in it: he’s done.
unique link to this extract

I posted an AirTag and tracked its progress; here’s what happened • The Mac Security Blog

Kirk McElhearn:


I live near Stratford-upon-Avon, in the UK, and I sent the AirTag to a friend south of London. I mailed this AirTag on Friday afternoon, and, with first-class postage, I expected the envelope to be delivered the next day.

The AirTag weighs a mere 11g, so I put one taped to a card, then in a small bubble envelope for protection. I dropped it in the postbox in my village, just down the road from my home. I made sure to open the Find My app on my iPhone when I was next to the postbox; it showed the correct location.

Post is picked up around 5 pm, and a bit later than that, I checked the Find My app on my iPad. At 5:28, I found that my AirTag had reached the local sorting station.

This means that someone, either the postal worker who picked up the post and delivered it to the sorting station, or another employee at the sorting station, had an iPhone which spotted the AirTag. Apple touts their network of nearly a billion devices capable of spotting AirTags, and if there are that many, it should be easy to track this envelope across the country.

It didn’t take long for my AirTag to start its journey. At 5:49, it had started moving, going into Stratford-upon-Avon, presumably to be loaded on to a truck to go to the next location. At around 6:40, it had left the town, heading north.

…I don’t know if any of the truck drivers carrying the mail had iPhones. Even if they didn’t, it’s possible that if someone in a car driving next to the truck has an iPhone, then it would be spotted. Since AirTags use Bluetooth 5, the range is around 100m, but that depends on such things as interference, walls, and other obstacles, and testing would need to be done to find how efficient they are in motion.


Terrific idea, though the reality is a little disappointing: he tracked it. Concept proven. Next step is to try an international posting, I guess. (I’ve translated this from the American: McElhearn calls it “mail” and thinks it was collected by a “mailman”. Women can and do perform the job, Kirk.)
unique link to this extract

Apple brass discussed disclosing 128-million iPhone hack, then decided not to • Ars Technica

Dan Goodin:


In September 2015, Apple managers had a dilemma on their hands: should, or should they not notify 128 million iPhone users of what remains the worst mass iOS compromise on record? Ultimately, all evidence shows, they chose to keep quiet.

The mass hack first came to light when researchers uncovered 40 malicious App Store apps, a number that mushroomed to 4,000 as more researchers poked around. The apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information.

An email entered into court this week in Epic Games’ lawsuit against Apple shows that, on the afternoon of September 21, 2015, Apple managers had uncovered 2,500 malicious apps that had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the US.

“Joz, Tom and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” App Store VP Matthew Fischer wrote, referring to Apple Senior Vice President of Worldwide Marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan.


This was the XcodeGhost hack, where a man-in-the-middle app that posed as a “better Xcode” to developers, mostly in China injected malicious code into apps compiled with it. (Quite an ambitious project in its own right.) There was also a “Jekyll and Hyde” app in 2013 which, foreshadowing Epic’s method, sneaked past App Store review and then became malicious through remote command.
unique link to this extract

Anti-maskers ready to start masking—to protect themselves from the vaccinated • Vice

Mack Lamoureux:


The conspiracy—which comes in several shapes and sizes—more or less says the vaccinated will “shed” certain proteins onto the unvaccinated who will then suffer adverse effects. The main worry is the “shedding” will cause irregular menstruation, infertility, and miscarriages. The entirely baseless idea is a key cog in a larger conspiracy that COVID-19 was a ploy to depopulate the world, and the vaccine is what will cull the masses. 

Experts say the conspiracy is born from a fundamental misunderstanding of how vaccines work. It has been widely debunked and you can read about it here, here, and here, among other places.  

Anti-vax influencers are instructing their fellow anti-vaxxers as well as anti-maskers (at this point the two communities overlap to a huge degree) that one of the best ways to defend themselves from this blight is to co-opt…social distancing, the very strategy they have long decried. 

Sherri Tenpenny, an anti-vaxxer who was found to be key in spreading COVID-19 conspiracy theories, suggested on a recent anti-vax livestream that you may have to “stay away from somebody who’s had these shots…forever.” 


Oh, really? Suits me fine.
unique link to this extract

Hey you! Preorder Social Warming, my forthcoming book.

Errata, corrigenda and ai no corrida: none notified

3 thoughts on “Start Up No.1547: ‘dark pattern’ regulation?, IEA raises renewables forecast, DarkSide under scrutiny, Trump’s blog flops, and more

    • Thanks for the input Kirk – though I have to point out that because he was in the U.K., he was a postman. (There was a time when Apple localised the deletion bucket from “Trash” to, I think, “Bin” but it didn’t stick.)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.