Start Up No.1702: Instagram passes 2bn users, log4j’s scale revealed, Huawei’s surveillance questions, Snap’s ARv4, and more

The UK Post Office says it can’t afford to recompense the former staff it wrongly accused of theft – so the government will have to pick up the tab. Can it really not afford it? CC-licensed photo by Andrew Bowden on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 10 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.

Huawei documents show Chinese tech giant’s involvement in surveillance programs • The Washington Post

Eva Dou:


A review by The Washington Post of more than 100 Huawei PowerPoint presentations, many marked “confidential,” suggests that the company has had a broader role in tracking China’s populace than it has acknowledged.

…”Privacy protection is our top priority”, the company said.

The Post reviewed more than 3,000 PowerPoint slides from the presentations outlining surveillance projects co-developed by Huawei with partner vendors. Five of the most relevant slides are translated into English below, with original formatting retained. Each outlines a surveillance solution created in a partnership between Huawei and another company, with both companies’ technology.

The Post could not confirm whom the Chinese-language presentations were shown to, or when. Some of the slides showcase surveillance functions specific to police or government agencies, suggesting that Chinese government authorities may have been the intended audience. Many of the PowerPoints have a creation timestamp of Sept. 23, 2014, with the latest modifications to the files made in 2019 or 2020, according to the presentations’ metadata.

Each of the five presentations has a final slide stating a “Huawei Technologies Co., Ltd.” copyright, with dates ranging from 2016 to 2018.

The Chinese Embassy in Washington said criticism of Huawei was groundless. “Huawei has long publicly expressed its readiness to sign a ‘no back door’ agreement and to set up a cyber security assessment center in any country to receive external scrutiny,” it said. “So far, no other company has ever made the same commitment.”

…The Huawei slides shed light on the company’s role in five surveillance activities in China: voice recording analysis, detention centre monitoring, location tracking of political individuals of interest, police surveillance in the Xinjiang region, and corporate tracking of employees and customers.


It’s not quite a smoking gun, but it’s certainly some smoke in the same room as a gun.
unique link to this extract

Snap AR Spectacles hands-on: an ambitious, impractical start • The Verge

Alex Heath:


tIt doesn’t take long to realize why Snap’s first true AR glasses aren’t for sale. The overall design is the highest quality of any standalone AR eyewear I’ve tried, and they make it easy to quickly jump into a variety of augmented-reality experiences, from a multiplayer game to a virtual art installation. But the first pair I was handed during a recent demo overheated after about 10 minutes, and the displays are so small that I wouldn’t want to look through them for a long period of time, even if the battery allowed for it.

Snap is aware of the limitations. Instead of releasing these glasses publicly, it’s treating this generation of Spectacles like a private beta. The company has given out pairs to hundreds of its AR creators since the glasses were announced in May and has recently made a few notable software updates based on user feedback. “It was really just about getting the technology out there in the hands of actual people and doing it in a way that would allow us to maximise our learning from their experiences of using it,” Bobby Murphy, Snap’s co-founder and chief technology officer, says of the rollout.


30-minute battery life (whaaat?); the AR experiences included “a zombie chase, a pong game, solar system project and an interactive art piece”. None of which is what people want. “Years away” for useful ones, Snap reckons. 15th time lucky?
unique link to this extract

What’s the deal with the Log4Shell security nightmare? • Lawfare

Nicholas Weaver:


So what is log4j? 

The first rule of being a good programmer is don’t reinvent things.  Instead we re-use code libraries, packages of previously written code that we can just use in our own programs to accomplish particular tasks.  And let’s face it, computer systems are finicky beasts, and errors happen all the time. One of the most common ways to find problems is to simply record everything that happens. When programmers do it we call it “logging”. And good programmers use a library to do so rather than just using a bunch of print()—meaning print-to-screen statements scattered through their code.  Log4j is one such library, an incredibly popular one for Java programmers.  

Unfortunately there is a very easy to exploit vulnerability, leaving an enormous volume of projects vulnerable. Recall the famous XKCD “dependency” comic: almost every project written in Java (and there are a lot of programs, ranging from major products like Minecraft to Internet of Things devices to bespoke custom software) is going to include log4j or a similar library. So if there is a vulnerability in log4j, it now potentially affects huge swaths of digital infrastructure.

So how does the vulnerability work? Java has a design flaw in it: It has a lot of complexity and the ability to load random pieces of code and execute them. The most common way this vulnerability expresses itself is through serialization, the ability to take a piece of data and turn it into a Java object, complete with code that is executed with the object. The log4j vulnerability is a combination of Java’s serialization tendencies with an intermingling of code and data in the logging infrastructure.


unique link to this extract

The numbers behind a cyber pandemic – detailed dive • Check Point Software


Since Friday, December 9th, when the vulnerability was reported, actors around the world are on the lookout for exploits. The number of combinations of how to exploit it give the attacker many alternatives to bypass newly introduced protections. It means that one layer of protection is not enough, and only multi-layered security posture would provide a resilient protection. Three days after the outbreak, we are summing up what we see until now, which is clearly a cyber pandemic that hasn’t seen its peak yet.

Diving into the numbers behind the attack, gathered and analyzed by Check Point Research, we see a pandemic-like spread since the outbreak on Friday, by the beginning of the week, on Monday.
Early reports on December 10th showed merely thousands of attack attempts, rising to over 40,000 during Saturday, December 11th. Twenty-four hours after the initial outbreak our sensors recorded almost 200,000 attempts of attack across the globe, leveraging this vulnerability. As of the time these lines are written, 72 hours post initial outbreak, the number hit over 800,000 attacks.

It is clearly one of the most serious vulnerabilities on the internet in recent years, and the potential for damage is incalculable… We have so far seen an attempted exploit on almost 44% of corporate networks globally.


The number of variants puts the coronavirus to shame – 45 different ones within 72 hours of the word getting out. Who says humans can’t beat viruses?
unique link to this extract

Bank of England warns on crypto-currency risks • BBC News


Although not much of UK households’ wealth is currently held in assets such as Bitcoin, they are becoming more mainstream, said deputy Bank governor Sir Jon Cunliffe.
If their value fell sharply, it could have a knock-on effect, he said. The Bank needed to be ready to contain those risks, he added.

Speaking to the BBC’s Today programme, Sir Jon said that at present, about 0.1% of UK households’ wealth was in crypto-currencies. About 2.3 million people were estimated to hold them, with an average amount per person of about £300.

However, he stressed that crypto-currencies had been “growing very fast”, with people such as fund managers wanting to know whether they should hold part of their portfolios in crypto-currencies.

“Their price can vary quite considerably and they could theoretically or practically drop to zero,” he said. “The point, I think, at which one worries is when it becomes integrated into the financial system, when a big price correction could really affect other markets and affect established financial market players. It’s not there yet, but it takes time to design standards and regulations.”

He added: “We really need to roll our sleeves up and get on with it, so that by the time this becomes a much bigger issue, we’ve actually got the regulatory framework to contain the risks.”


0.1%, 2.3 million, £300 (=£690m, or $910m). Numbers to remember.
unique link to this extract

Web3 is going just great

Molly White:


…and is definitely not an enormous grift that’s pouring lighter fluid on our already-smoldering planet.


A fabulous (in that context) timeline of things. Dead people’s accounts being used to push NFTs, huge hacks, oh my.
unique link to this extract

UK taxpayer to foot bill for Post Office staff wrongly convicted of theft • The Guardian

Zoe Wood:


The government has agreed that the taxpayer will foot the substantial compensation bill for former Post Office workers who were wrongly convicted of theft due to the defective Horizon IT system.

The Post Office has said it cannot afford the multimillion-pound cleanup bill for the scandal and on Tuesday the government, which is the service’s only shareholder, confirmed its intention to step in.

So far, 72 post office operators’ convictions have been quashed. Several other cases are in train, and there are potentially hundreds more operators whose convictions relied on Horizon evidence who may seek to clear their names.

In a written ministerial statement, the postal affairs minister, Paul Scully, said he wanted those with quashed convictions to be compensated “fairly and swiftly”.

The vast majority of these people had received interim payments of up to £100,000 while they waited for the next step, Scully said. The government was now making cash available so final compensation awards could be made, he said.

“We are working with the Post Office to finalise the arrangements that will enable the final settlement negotiations to begin as soon as possible,” he said. The money would enable the Post Office to deliver the “fair compensation postmasters deserve”.

Between 2000 and 2014, the Post Office prosecuted 736 post office operators based on information from a recently installed computer system called Horizon.


“Cannot afford”. In 2020 the Post Office had revenues of £951m and a trading profit of £86m. It incurred legal costs of £20m, plus £58m in payouts. It’s made provisions of £153m. It’s got £443m of cash and equivalents on hand.

Perhaps it’s reasonable to say that the Horizon scandal happened when the Post Office was government-owned, so the government should bear the cost. But it feels a little like privatising the profit, socialising the losses.
unique link to this extract

How to use the iPhone’s new App Privacy Report • The Verge

Barbara Krasnoff:


Information is power, and if you’re an iPhone user, you can now get more information about how often your apps access your data (for example, your location or your microphone). The App Privacy Report, which became available with iOS 15.2, also lets you know each app’s web activity and what domains they attach to.

The feature is off by default, but if your phone has updated to iOS 15.2, it’s very simple to turn on:

• Go to Settings > Privacy > App Privacy Report (which will be at the bottom of the screen)
•Select “Turn On App Privacy Report”
• Select App Privacy Report at the bottom of the Privacy screen.
• and wait.

After that, you can follow the same series of selections to see your report. (You can also use a Shortcut for quicker access right from your home screen or a Siri voice command.)

You won’t immediately see any data — it takes time for your phone to collect the data and assemble the report, but you can start to see results in just a few minutes.


Tells you which apps accessed your data over the past seven days; app network activity (which domains they contacted); most-contacted domains.
unique link to this extract

Instagram surpasses two billion monthly users • CNBC

Salvador Rodriguez:


Whether pressure from [Democrat senator Richard] Blumenthal and others in Washington forces any changes at Instagram is a looming issue, because Facebook relies on the app’s user growth.

The main Facebook app had 2.91 billion monthly active users as of October, and expansion is slowing compared to Instagram. In the time Instagram’s user base has doubled, Facebook’s has grown by just 30%. Revenue at the Facebook app is forecast to increase 18% next year to $135.1bn, according to eMarketer, while Instagram’s growth is expected to top 30% to $60.5bn.

For Meta to finance its bold and costly ambitions to move the company to the so-called metaverse — a world of virtual and augmented reality experiences — it needs Instagram to keep growing and throwing off hefty profits.

“I still see it as a very important part of the company,” Heger said. “If you look in the next five years, Instagram revenue is growing faster than the revenue from the core platform.”


Again, this is the problem with the “break them up” narrative. Instagram would be Instagram, an absolute behemoth, even if it weren’t owned by Facebook. You have to limit the size.
unique link to this extract

There’s plenty more in Social Warming, my latest book. (Here’s a nice comment about it that I came across.)

Ofgem chief: we need to go much further in regulating energy suppliers • Financial Times

Jonathan Brearley is the chief executive of Ofgem, the British energy regulator:


Increased competition in energy supply, as recommended by the Competition and Markets Authority in 2016, opened up the market, but the regulations were not ready to weather a global shock on this scale. It is clear that any regulatory regime needs to be allowed to effectively manage market shocks — and Ofgem’s price cap has not always been sufficiently flexible. Having seen this latest crisis play out, I want these lessons to be applied in real time, to build the market we need for the future in a systematic way that understands all these complex drivers.

Put simply, we need an urgent step change to bring in the rules and regulations needed to create a stronger, more innovative and resilient energy market, fit for the future so we can change the way we run energy businesses for good.

As the regulator, I want to support suppliers to manage risks, and to stamp out bad practice when we see it.

Every time I speak to energy consumers I hear that this is a worrying time, and that action is required. At Ofgem, our core purpose is to protect consumers by making sure the market works in their interests.

And Ofgem’s safety net has worked. I am proud that we have protected 4m customers, that no customer has been left without an energy supplier, and that credit balances have been preserved.

We’ve given consumers certainty and control over their bills and made millions available to vulnerable bill-payers. But just as the price cap has protected them from month-to-month price volatility, we need to lessen the cost to consumers of companies failing, by making the market more resilient.


Basically, realising that the regulatory structure isn’t up to the challenge of a world where gas prices can quintuple in a year but you have tiny suppliers who have made longer-term promises to consumers.
unique link to this extract

Errata, corrigenda and ai no corrida: none notified

1 thought on “Start Up No.1702: Instagram passes 2bn users, log4j’s scale revealed, Huawei’s surveillance questions, Snap’s ARv4, and more

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.