Start Up No.1700: Apache’s RCE flaws, the YouTuber detective, Twitter Spaces problems, chronological Instagram?, and more

The Selina Meyer character in HBO’s Veep efficiently satirised American politicians – but now they’re not the people with power nowadays. CC-licensed photo by Jeffrey Zeldman on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. Seventeen hundred! There’ll be a test. I’m @charlesarthur on Twitter. Observations and links welcome.

Extremely critical Log4J vulnerability leaves much of the internet at risk • The Hacker News

Ravie Laksmanan:


Log4j is used as a logging package in a variety of different popular software by a number of manufacturers, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. In the case of the latter, attackers have been able to gain RCE on Minecraft Servers by simply pasting a specially crafted message into the chat box.

“The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we have seen this year,” said Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys. “Log4j is a ubiquitous library used by millions of Java applications for logging error messages. This vulnerability is trivial to exploit.”

Cybersecurity firms BitDefender, Cisco Talos, Huntress Labs, and Sonatype have all confirmed evidence of mass scanning of affected applications in the wild for vulnerable servers and attacks registered against their honeypot networks following the availability of a proof-of-concept (PoC) exploit. “This is a low skilled attack that is extremely simple to execute,” Sonatype’s Ilkka Turunen said.

GreyNoise, likening the flaw to Shellshock, said it observed malicious activity targeting the vulnerability commencing on December 9, 2021. Web infrastructure company Cloudflare noted that it blocked roughly 20,000 exploit requests per minute around 1800 UTC on Friday, with most of the exploitation attempts originating from Canada, the US, Netherlands, France, and the UK.


Pretty comprehensive list of big user companies. RCE – remote code execution – is the worst of the worst. This has been concerning security people up and down the internet, though of course it won’t percolate up to the rest of the world until something really dramatic happens. And it’s unlikely this will be used to do something dramatic; more likely, to extract information or to access a system and lurk in there.
unique link to this extract

Why satire gave up on politics • UnHerd

Dorian Lynskey:


Next to most politicians, the likes of Jeff Bezos and Elon Musk are fascinatingly weird characters with literally cosmic ambitions. Mark Zuckerberg, in his public appearances, comes off as less a human being than a beta-version AI — a flesh-and-blood demonstration of the uncanny valley. This is good material. Take Christopher Evan Welch in Silicon Valley, whose character Peter Gregory always looked as if he were on the verge of teleporting back to his home planet, Oscar Isaac’s malfunctioning hipster hermit in Ex Machina, or Nick Offerman’s glumly deranged schlub-genius in Devs. Succession’s Lukas Mattson combines a killer instinct with airport-bookstore self-help mantras and the distinct impression that he could tank [his Scandinavian content streaming service] GoJo’s share price with a single ill-judged tweet composed while tripping at Burning Man.

But tech gurus aren’t just a fun new toy for writers to play with. Satire follows power, and power is not where it was. In Western democracies there is a general sense that politicians are hamstrung and hopeless while tech companies are busy changing the way we communicate, think and act. After a mob stormed the Capitol on January 6, for example, social media companies did far more to dampen Trump’s efforts to overturn the election than Congress did.

Iannucci told me that his final episode of Veep, which ended with a deadlocked electoral college, “seemed to me to sum up where American politics is”, which is to say paralysed. While Joe Biden’s ambitious legislative agenda depends on the vanity of Joe Manchin and Kyrsten Sinema, Jeff Bezos is flying into space and earning $143,000 a minute. Which man is the more fertile source of both comedy and outrage? In Succession, Logan Roy has the power to bring down one president and handpick another, yet even he is at the mercy of Lukas Mattson’s whims.


This is a really good point. (Yes, Succession is satire.) Silicon Valley was fine satire, and the episode of Veep where Selina Meyer goes to Silicon Valley and is unblinkingly told by one company that “we think of ourselves as post-tax” is one of the best in the whole series.

We also use satire to tear down that which we think has been placed wrongly above us. So there’s that.
unique link to this extract

Businessweek 2021 Jealousy List • Bloomberg

The Bloomberg editors and staff:


At Bloomberg Businessweek, we read—a lot. We also listen to podcasts and watch a ton of stuff (often with borrowed passwords). Sometimes we read, watch, or listen to something that we wish we had published. To recognize a job well done, the magazine’s staff and many of our contributors in the Bloomberg newsroom have compiled our annual yearend Jealousy List. Congratulations to those on this year’s list, we hate/love you.


I mean, strictly it should be called the Envy List, shouldn’t it. No matter; plenty of fun content in there, too variable to classify.
unique link to this extract

Scuba-diving YouTuber finds car linked to teens missing since 2000 • The New York Times

Amanda Holpuch:


A YouTuber who uses underwater sonar equipment to investigate missing persons cases found a car belonging to two Tennessee teenagers who have been missing for 21 years, potentially bringing an end to the cold case.

It is at least the fourth time since late October that people who investigate cold cases on YouTube have dived and found a submerged vehicle belonging to a missing person.

The teenagers, Erin Foster and Jeremy Bechtel, both of Sparta, Tenn., were last seen on April 3, 2000, leaving Erin’s home in her 1988 Pontiac Grand Am.

Late last month, Jeremy Sides, 42, who runs the YouTube account Exploring With Nug, searched nearby lakes for a few days before turning his attention to Calfkiller River. Shortly before nightfall on Nov. 30, his sonar device showed that his boat was floating above a car-shaped object. He spent the night in his van, then dived to identify the car’s make and license plate number first thing the next morning. It was a match for Erin’s missing Pontiac.

Mr. Sides documented the discovery in a 20-minute YouTube video that includes his phone call to Steve Page, the sheriff of White County, to report the findings. In the video, the sheriff meets Mr. Sides at the site and expresses his thanks: “You just became White County’s hero.”

In a brief telephone interview, the sheriff said that divers recovered human remains on Thursday but that they had not been positively identified. “We do believe it’s them,” Sheriff Page said on Friday. “We found articles that came out of the car and was in the water that leads us to believe it’s them.”


Obviously, having a YouTube channel is the financial incentive for his activities. I wonder if it’s encouraging or the opposite that individuals are making more impact in cold cases than the police, who should have so many more resources (such as access to bank accounts and phone records) at their disposal.

Then you consider that in the UK a serial killer was only caught by the efforts of the relatives of his victims, which makes you wonder more deeply about the efficacy of the police.
unique link to this extract

How a bug in Android and Microsoft Teams could have caused this user’s 911 call to fail • Medium

Mishaal Rahman goes into some detail (with a fair amount of digging into Android) to figure out this bug, mentioned last week:


I do not use Microsoft Teams that often, but from what I’ve read online, there have been problems where it frequently logs the user out. I have also read reports that enterprises can set a policy to log the user out from time to time for security reasons.

After inspecting a decompiled version of the Microsoft Teams application, we were able to determine why a new PhoneAccount instance appears every time the app restarts. We found that when the user is not signed in, a new, randomly generated UUID is used to create the PhoneAccount instance that gets added to Android’s TelecomManager. This means that every time the Teams app restarts or crashes, a new UUID is generated for users that are not logged in, and thus a new PhoneAccount is added to Android’s TelecomManager. Because Teams has a boot broadcast receiver, this also happens every time the phone is rebooted.


For complicated reasons (which are explained, but it’s not short), having too many “PhoneAccount” IDs can cause emergency calls to fail. There is a little open source app for Android users which will detect if there are too many PhoneAccounts registered on a phone.
unique link to this extract

Social media makes us know too much about each other • The New York Times

Michelle Goldberg:


As [Duke University professor of sociology Christopher] Bail writes in his recent book, “Breaking the Social Media Prism,” [his team] recruited 1,220 Twitter users who identified as either Democrats or Republicans, offering to pay them $11 to follow a particular Twitter account for a month. Though the participants didn’t know it, the Democrats were assigned to follow a bot account that retweeted messages from prominent Republican politicians and thinkers. The Republicans, in turn, followed a bot account that retweeted Democrats.

At the time, a lot of concern about the internet’s role in political polarization centered around what the digital activist Eli Pariser once called filter bubbles, a term for the way an increasingly personalized internet traps people in self-reinforcing information silos. “The echo chamber idea was reaching its kind of apex in terms of its public influence,” Bail told me. “It nicely explained how Trump had won, how Brexit had happened.” Bail’s team wanted to see if getting people to engage with ideas they wouldn’t otherwise encounter might moderate their views.

The opposite happened. “Nobody became more moderate,” said Bail. “Republicans in particular became much more conservative when they followed the Democratic bot, and Democrats became a little bit more liberal.”

Social media platforms have long justified themselves with the idea that connecting people would make the world more open and humane. In offline life, after all, meeting lots of different kinds of people tends to broaden the mind, turning caricatures into complicated individuals. It’s understandable that many once believed the same would be true on the internet.

But it turns out there’s nothing intrinsically good about connection, especially online. On the internet, exposure to people unlike us often makes us hate them, and that hatred increasingly structures our politics. The social corrosion caused by Facebook and other platforms isn’t a side effect of bad management and design decisions. It’s baked into social media itself.


No. It’s baked into humans. We identify our tribe, and we reject (weakly or strongly) those not in our tribe. We can rub along with large numbers of people in daily life as long as we don’t know too much about their deepest political, social, or other views. Once we’re exposed to that a lot – hello, social media! – we get that tribal itch to either welcome them or reject them. That’s what gives you social warming. (I guess the interesting question next would be to identify at what age those tribal delineations are moulded. Feel free to email/comment/tweet, social scientists.)
unique link to this extract

Twitter Spaces is being used by the Taliban and white nationalists • The Washington Post

Elizabeth Dwoskin, Will Oremus, Craig Timberg and Nitasha Tiku:


Earlier this year, as Twitter raced to roll out Spaces, its new live audio chat feature, some employees asked how the company planned to make sure the service didn’t become a platform for hate speech, bullying and calls to violence.

In fact, there was no plan. In a presentation to colleagues shortly before its public launch in May, a top Twitter executive, Kayvon Beykpour, acknowledged that people were likely to break Twitter’s rules in the audio chats, according to an attendee who spoke on the condition of anonymity to describe internal matters. But he and other Twitter executives — convinced that Spaces would help revive the sluggish company — refused to slow down.

Fast forward six months and those problems have become reality. Taliban supporters, white nationalists, and anti-vaccine activists sowing coronavirus misinformation have hosted live audio broadcasts on Spaces that hundreds of people have tuned in to, according to researchers, users and screenshots viewed by The Washington Post. Other Spaces conversations have disparaged transgender people and Black Americans. These chats are neither policed nor moderated by Twitter, the company acknowledges, because it does not have human moderators or technology that can scan audio in real-time.


The fear of Clubhouse’s growth obviously drove this, but I wonder whether now that that threat is fast receding they’ll get on top of it. There’s a suggestion in the story of internal demands for big big BIG listener numbers, but quantity is never the answer online.
unique link to this extract

Still a few days to order Social Warming, my latest book, which explains how tribalism and outrage turns social networks sour – and how that affects people even in places where social network penetration is low.

How cryptocurrency revolutionized the white supremacist movement • Southern Poverty Law Center

Michael Edison Hayden and Megan Squire:


Less than a quarter of Americans presently own some form of cryptocurrency as of May 2021. But those numbers increase substantially within fringe right-wing spaces, according to Hatewatch’s findings, approaching something much closer to universal adoption. Hatewatch struggled to find any prominent player in the global far right who hasn’t yet embraced cryptocurrency to at least some degree. The average age of a cryptocurrency investor is 38, but even senior citizens in the white supremacist movement, such as Jared Taylor of American Renaissance, 69, and Peter Brimelow of VDARE, 73, have moved tens of thousands of dollars of the asset in recent years.

Cryptocurrency, or a group of digital moneys maintained through decentralized systems, has grown into a billion-dollar industry. A growing swath of Americans embrace the technology. Nothing is inherently criminal or extreme about it, and most of its users have no connections to the extreme far right. (One of the authors of this essay owns cryptocurrency, as disclosed in an author’s note at the end.) However, the far right’s early embrace of cryptocurrency merits deeper analysis, due to the way they used it to expand their movement and to obscure funding sources. It is not uncommon for far-right extremists to seek to hide their dealings from the public. The relative secrecy blockchain technology offers has become a profitable, but still extraordinarily risky, gamble against traditional banking.

“There are a lot of Bitcoin whales from pretty early [on in its history],” futurist and computer scientist Jaron Lanier told the Lex Fridman podcast in September. (People use “whales” to describe those who hold large sums of cryptocurrency.) “And they’re huge, and if you ask, ‘Who are these people?’ there’s evidence that a lot of them are not the people you would want to support.”

…“Bitcoin started in right-wing libertarianism,” [cryptocurrency critic David] Gerard said in an email. “This is not at all the same as being a neo-Nazi subculture. That said, there’s a greater proportion of Nazis there than you’d expect just by chance, and the Bitcoin subculture really doesn’t bother kicking its Nazis out. … Bitcoiners will simultaneously deny they have Nazis (which they observably do), and also claim it’s an anti-bitcoin lie, and also claim it’s good that anyone can use Bitcoin.”


The far right seems to have embraced it early on, perhaps because it couldn’t be blocked like traditional banking. But it is visible in a way they might not like, to everyone’s benefit.
unique link to this extract

Instagram head answers questions about the future of the chronological feed • The Verge

Mitchell Clark:


In a Q&A on Friday, [Instagram CEO Adam Mosseri] said that the company is testing out two versions of the feature and that it’s “targeting early next year” as a release window.

One version of the chronological feed would let you “pick your favorites and they show up at the top in chronological order,” he said. The other would let you see the posts from everyone you’re following in chronological order, though he didn’t mention how recommended posts would be interspersed.

When a follow-up question asked Mosseri when the feature would show up, he said it wouldn’t be too long, and that Instagram is “already testing the favorites idea.” He said that “full chronological” mode would come shortly after.


Benedict Evans wrote back in 2013 that algorithmic feeds become necessary once you’ve go above a certain number of people you’re following:


When people get married, they are often quite sure that they will have a small, quiet wedding. None of these massive, extravagant parties with hundreds of people for us! We’ll just invite close family and friends. Then, you make a list of ‘close family and friends’… and realise why people have 100 or 200 people at a wedding. You know a lot more people than you think.

I was reminded of this recently by the fact that, according to Facebook, its average user is eligible to see at least 1,500 items per day in their newsfeed. Rather like the wedding with 200 people, this seems absurd. But then, it turns out, that over the course of a few years you do ‘friend’ 200 or 300 people. And if you’ve friended 300 people, and each of them post a couple of pictures, tap like on a few news stories or comment a couple of times, then, by the inexorable law of multiplication, yes, you will have something over a thousand new items in your feed every single day.


Even so, I think a lot of people will want Instagram Chrono.
unique link to this extract

This terrible book shows why the Covid-19 lab leak theory won’t die • The New Republic

Lindsay Beyerstein reviews “Viral” by Alina Chan and Matt Ridley (yes, that Matt Ridley):


When you raise concrete objections to one theory, lab leakers throw out a slightly different version. If Covid-19 couldn’t be made from RaTG13, what if it was made from some other virus like RaTG13? No social or geographic link to the Wuhan Institute? Well, maybe it was some other lab we don’t know about. No obvious signs of genetic modification? Suppose they used an invisible technique? None of these scenarios is prima facie impossible, and therefore, once raised, none can be dismissed out of hand. But none of them is supported by any evidence whatsoever. And if you don’t like those, they have others. They’re just asking questions, here.

The through line in all of these possible scenarios is that there is no through line. There’s no overarching coherent narrative about when or how this “lab leak” happened. And in making that clear, Viral also shows why the very weakness of the lab leak case is also its greatest strength: The great part about suspicions—from a conspiracy theorist’s perspective—is that they don’t have to gel into any coherent theory. You can just have a bad feeling that becomes someone else’s job to resolve for you.

This is why the lab leak theory will never die, no matter how much evidence virologists are patiently accumulating on the side of natural origin. It’s all about suspicion and innuendo. And when one supposedly suspicious event is unpacked, it’s usually a long and boring explanation nobody wants to hear. Meanwhile, the theorists have already found 10 more things that seem spooky to them. Conspiracy theories, we’re learning, are even harder to eradicate than infectious diseases.


unique link to this extract

Errata, corrigenda and ai no corrida: none notified

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.