Start Up No.1877: YouTube ignores your Dislikes, spotting deepfake audio, Apple funds “small developer” lobby, and more

A hacking crew, thought to be based in the UK, has leaked code and video from Grand Theft Auto 6. Now the FBI is after them. We’ve seen this video, and its end, before. (Picture* by Diffusion Bee.)

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 8 links for you. Hacking for fun and profit. I’m @charlesarthur on Twitter. Observations and links welcome.

Now the FBI is looking into the GTA hack, too • PC Gamer

Joshua Wolens:


It looks like the hacker behind last weekend’s historic leak of GTA 6 info (opens in new tab) has racked up quite the wanted level. They’re now the target of an FBI investigation, according to a press statement put out by Uber.

Uber, which also fell victim to an enormous hack last week, wrote in a statement that there are “reports over the weekend that this same actor” who was responsible for the attack on Uber also “breached videogame maker Rockstar Games”. “Reports” is a bit of an understatement: the GTA leaker claimed responsibility for the Uber hack as well. 

Uber goes on to say that it is “in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts”. 

In other words: because of its proximity to the Uber hack, the GTA 6 leak and its perpetrator are now under active investigation by the United States’ primary federal law enforcement agency. 

Uber says it believes the hacker (or hackers) is “affiliated with a hacking group called Lapsus$” which has also breached Microsoft, Cisco, Samsung, Nvidia and Okta. Lapsus$, according to Uber, tends to use the same techniques over and over when it performs its hacks. That makes sense: in both the Uber and Rockstar hacks, the attacker gained access to company data via the company Slack channel.

Earlier this year, a 16-year-old from Oxford in the UK was accused of being one of the leaders of the Lapsus$ group, and of amassing a personal fortune of around $14m (about £10.6m) from his illicit activities. The youth, who went by the name ‘White’ and ‘Breachbase’ online, was eventually doxxed by rival hackers and arrested before being released under investigation.


Someone should write about how big hacks, invariably by teens, always happen towards the end of the summer holidays. (Paul Carr did, sort of, back in 2011.) Basically, they’ve upped their skills in the intervening months, perhaps?
unique link to this extract

Negative carbon dioxide emissions • Physics Today

David Kramer, writing in 2020:


The February 2019 National Academies of Sciences, Engineering, and Medicine committee report Negative Emissions Technologies and Reliable Sequestration: A Research Agenda concluded that achieving Paris goals without retarding economic growth will likely require that 10 Gt of CO2 be extracted from the atmosphere annually by 2050, and that figure will need to increase to 20 Gt annually by 2100. The committee said that a combination of currently available NETs could be ramped up to the 10 Gt level by 2050, but constraints—chiefly the availability of land—might limit their potential to just half that amount.

Those NETs, which could be implemented for $100 or less per ton of CO2, are reforestation, afforestation (establishing forests on land not previously forested), improved forest management, agricultural and coastal management practices that add carbon to soils and sediments, and bioenergy with carbon capture and storage (BECCS). “We have the technology today. It’s not crazy expensive and it adds up to gigatons,” says National Academies committee member Jennifer Wilcox of Worcester Polytechnic Institute.

Capturing and storing CO2 in such quantities will be a massive undertaking. Julio Friedmann, senior research scholar at Columbia University’s Center for Global Energy Policy, regards the 10 Gt target as comparable to the mass of annual global oil and gas production. “We have to create an industry the size of the oil and gas industry that runs in reverse. And we’re on the clock. If we could do that over 200 years, I’d be a lot more relaxed. But we’ve actually got 30 years to do that.”

…Global Thermostat officials say its process can extract CO2 for $100/ton, though it has yet to demonstrate it at scale. Wilcox says paper studies indicate costs of $100 to $150 a ton are feasible in the long run, but the Swiss company Climeworks is the only direct air capture (DAC) pioneer to have sold commercial systems. The largest produces 900 tons of CO2 per year for a greenhouse in Hinwal, Switzerland, at a cost of $600/ton. That was the exact cost estimated by the American Physical Society in a 2011 report on DAC.

Climeworks hopes to lower that cost to $200/ton in the next three years, says spokesperson Louise Charles, and ultimately to $100.


All those hopes. Still at $600 per tonne. (Thanks Paul G for the link.)
unique link to this extract

Apple quietly bankrolled a lobbying group for app developers • The Verge

Makena Kelly:


One of Washington’s loudest tech groups, The App Association (ACT), says it proudly represents thousands of app developers across the world. But according to a new report from Bloomberg on Monday, the group receives more than half of its funding from Apple.

The report paints Apple and the ACT as strange bedfellows, especially as the company’s App Store frequently finds itself at odds with the developers whose software it hosts. Over the last few years, major software developers like Epic Games and Spotify have accused Apple of running an anti-competitive online marketplace by requiring them to use the company’s in-app purchasing system while taking a stiff 15 to 30% cut from all sales. 

Unlike other rival trade groups, like the Coalition for App Fairness, the ACT regularly issues statements and press releases echoing some of Apple’s own lobbying stances. On its website, ACT sings the praises of the App Store model, writing that it has “given companies never before seen access to overseas markets.” 

The group has also opposed looming antitrust legislation, like Sen. Amy Klobuchar’s (D-MN) Open App Markets Act, which would ban potentially anti-competitive behavior from companies like Apple that control how software can be distributed on its devices. In a statement last year, the ACT said Klobuchar’s bill was “another ‘ready, fire, aim’ at the mobile software distribution model simply because it seems big.”


Linked to this version rather than the Bloomberg version because this version is better, in terms of the detail it gets. The ACT denies it as far as it possibly can. But the overlap between things the ACT says and that Apple says is revealing.
unique link to this extract

Deepfake audio has a tell: it doesn’t know the shape of the speaker’s vocal tract • The Conversation

Logan Blue and Patrick Traynor are a PhD and professor in computer and information science and engineering at the University of Florida:


The first step in differentiating speech produced by humans from speech generated by deepfakes is understanding how to acoustically model the vocal tract. Luckily scientists have techniques to estimate what someone – or some being such as a dinosaur – would sound like based on anatomical measurements of its vocal tract.

We did the reverse. By inverting many of these same techniques, we were able to extract an approximation of a speaker’s vocal tract during a segment of speech. This allowed us to effectively peer into the anatomy of the speaker who created the audio sample.

From here, we hypothesized that deepfake audio samples would fail to be constrained by the same anatomical limitations humans have. In other words, the analysis of deepfaked audio samples simulated vocal tract shapes that do not exist in people.

Our testing results not only confirmed our hypothesis but revealed something interesting. When extracting vocal tract estimations from deepfake audio, we found that the estimations were often comically incorrect. For instance, it was common for deepfake audio to result in vocal tracts with the same relative diameter and consistency as a drinking straw, in contrast to human vocal tracts, which are much wider and more variable in shape.

This realization demonstrates that deepfake audio, even when convincing to human listeners, is far from indistinguishable from human-generated speech. By estimating the anatomy responsible for creating the observed speech, it’s possible to identify the whether the audio was generated by a person or a computer.


Seems a bit roundabout, but it can probably be speeded up. The point being that deepfake audio has already been used to fool people into handing over large sums of money.
unique link to this extract

Peloton Row hands-on: pretty much what you’d expect • The Verge

Victoria Song:


The best part so far has been the Form Assist feature. When you first set up the rower, there’s a roughly five-minute calibration process so the sensors in the seat and handle can learn your individual stroke. Once that’s done, a little figure in the upper left corner of the screen matches your movements. If you muck up your form, the areas where you need to improve will light up in red. 

Learning to row can be tricky, and it isn’t as intuitive as running on a treadmill or pedaling on a stationary bike. Proper rowing form has four components: the catch, drive, finish, and recovery. There are a zillion YouTube videos with fitness experts expounding on these, but the gist is you move your legs, body, then arms, and then reverse it. If you’re unfamiliar with rowing, it takes getting used to, and if you’ve never received any sort of instruction, you’re probably doing it wrong.  

Form feedback is still nascent in connected fitness tech, but it’s nice to see that Peloton’s made the effort to include it on the Row (especially since it wasn’t really a thing with its Guide strength training system). After a workout, you get some handy breakdowns of your form and metrics to understand what you need to do better. I’ve always wondered if I’m doing it right, and now, if Peloton is to be believed, I know I need to stop jumping the gun with my body during the drive portion of a stroke. 

The main workout screen includes strokes per minute and personal pace targets. You’re prompted to select your skill level during setup, which then determines what pace ranges work best for you during intervals. These two metrics are standard for rowers, but it’s always good to see a recommended range (even if you completely ignore them at the end of a long class).


I use a rowing machine (it’s a great zero-impact exercise). You get other forms on different rowing machines, but this one sounds good. However, is it $3,000+ good?

And is it going to save Peloton? It’s pricey, it’s hardware. Might become a collector’s item.
unique link to this extract

Study: YouTube doesn’t really care when you dislike a video • Android Authority

Hadlee Simons:


YouTube gives users a number of ways to control what they see on the service, with one of the most visible methods being the dislike button. However, a new study has revealed that hitting “dislike” hardly worked in preventing bad recommendations.

A Mozilla study used an open-source web extension called RegretsReporter to gather insight into YouTube recommendations (h/t: Engadget) from thousands of users.

The data showed that the “dislike” button only stopped a mere 12% of unwanted video recommendations. The team defined a bad or unwanted recommendation as a video similar to a video they had previously rejected.

Mozilla’s study also showed that choosing “not interested” stopped just 11% of bad recommendations, while choosing “remove from watch history” stopped 29% of them. However, the most effective official way to halt bad suggestions was to select “don’t recommend channel,” preventing 43% of unwanted recommendations.

In other words, none of YouTube’s controls allowed you to prevent even half of all bad recommendations. In fact, some users noted that they took other measures like switching to incognito mode, using VPNs, downloading privacy browser extensions, and regularly wiping their cookies. Some users even created brand-new accounts for certain YouTube videos.

This is a rather disappointing turn of events for YouTube, and it suggests that the company is willing to ignore explicit feedback about its recommendations in a bid to increase viewing metrics. After all, you’d think that hitting something as obvious as the “dislike” button would adjust recommendations accordingly.


Respondents to the story say the same: bad recommendations just keep showing up. The algorithm is relentless. Other people liked it, so you will too.
unique link to this extract

Experts blame a ‘vanity address’ bug for Wintermute’s $160m hack • The Block

Vishal Chawla:


According to Mudit Gupta, Polygon’s chief information security officer, a vulnerability may well have enabled the hacker to calculate the private keys of the vault’s admin address — allowing them to drain the vault of its funds.

As a market maker, Wintermute maintained several crypto assets in a vault. This vault relied on an admin address with a prefix “0x0000000,” which analysts say is a “vanity address.” At the same time, the vanity address functioned as an admin account (in the form of a hot wallet) to authenticate transactions for Wintermute’s vault.

Vanity addresses contain identifiable names or numbers within them — or have a particular style — and can be generated using certain online tools like Profanity. Last week, decentralized exchange aggregator 1inch published a security disclosure report claiming that “vanity addresses” generated with Profanity were not secure. Per 1inch, the private keys linked to Profanity-generated addresses could be extracted with brute force calculations.

Gupta and other security analysts have hypothesized that since the admin address is a vanity address, the hacker calculated its private key, took over Wintermute’s vault and transferred funds out to another address in their control.

“The vault only allows admins to do these transfers and Wintermute’s hot wallet is an admin, as expected. Therefore, the contracts worked as expected but the admin address itself was likely compromised,” Gupta wrote in a separate blog post.

Gupta said that it seems like Wintermute moved all the ether (ETH) from the vanity address wallet itself prior to the hack, perhaps as a precaution in light of the Profanity disclosures — but the firm didn’t change its admin privileges.

…According to SlowMist, the hacker has now deposited $114m worth of stolen assets into decentralized exchange Curve.


Me: resets “Days since a gigantic hack against a web3 property” counter back to zero.
unique link to this extract

Mercury Weather° on the App Store

A lot of people are narked by the impending end (in January) of Dark Sky, which has been rolled into Apple’s Weather app as of iOS 16. As linked by John Gruber, this is a weather app for the iPhone (and Watch) which uses Apple’s WeatherKit API (so has the same info as Dark Sky does/would) but displays in a nice line system reminiscent of WeatherLine (RIP) – also on your lock screen or watch face.

Costs $2 per month, $10 per year, or $35 lifetime – so if you think you’d use it longer than 17 months, or alternatively three and a half years, the lifetime is the deal.
unique link to this extract

• Why do social networks drive us a little mad?
• Why does angry content seem to dominate what we see?
• How much of a role do algorithms play in affecting what we see and do online?
• What can we do about it?
• Did Facebook have any inkling of what was coming in Myanmar in 2016?

Read Social Warming, my latest book, and find answers – and more.

Errata, corrigenda and ai no corrida: *Prompt used for Diffusion Bee: “grand theft auto 6 is hacked”.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.