Start Up No.1962: the lifesaving NHS Covid Bluetooth app, the danger of iPhone passcodes, how hackers breached LastPass, and more


With a million miles under their wheels, Waymo’s cars have been involved in just two crashes. CC-licensed photo by zombieitezombieite on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.


There’s another post coming this week at the Social Warming Substack on Friday at about 0845 UK time. Free signup.


A selection of 9 links for you. Use them wisely. I’m @charlesarthur on Twitter. On Mastodon: https://newsie.social/@charlesarthur. Observations and links welcome.


COVID-19 app saved estimated 10,000 lives in its first year, research finds • University of Oxford

»

A team of experts at the Pandemic Sciences Institute at the University of Oxford and Department of Statistics at the University of Warwick estimate the NHS COVID-19 app prevented around 1 million cases, 44,000 hospitalizations and 9,600 deaths during its first year.

The new research, published in Nature Communications, is the most comprehensive evaluation of the NHS COVID-19 contact tracing app to date.

Researchers analyzed the NHS COVID-19 app in England and Wales in the first year of its use—September 2020 to September 2021. They found that the app played an important role in reducing transmission of COVID-19 in England and Wales. The app experienced high user engagement, identified infectious contacts well, and helped to prevent significant numbers of cases, hospitalizations and deaths.

Professor Christophe Fraser, principal investigator at the Pandemic Sciences Institute at the University of Oxford’s Nuffield Department of Medicine and the paper’s senior author said, “Many of us will remember being ‘pinged’ by the NHS COVID-19 app at the height of the pandemic, and the impact that self-isolating had on our daily lives.”

“Our research shows that the NHS COVID-19 app worked, and it worked well. Through our analysis we estimate the app saved almost 10,000 lives in its first year alone.”

«

Not as many as the vaccines, but for a purely electronic system, which was introduced before the vaccines, impressive.
unique link to this extract


Hackers claim they breached T-Mobile more than 100 times in 2022 • Krebs on Security

Brian Krebs:

»

Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

The conclusions above are based on an extensive analysis of Telegram chat logs from three distinct cybercrime groups or actors that have been identified by security researchers as particularly active in and effective at “SIM-swapping,” which involves temporarily seizing control over a target’s mobile phone number.

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.

All three SIM-swapping entities that were tracked for this story remain active in 2023, and they all conduct business in open channels on the instant messaging platform Telegram. KrebsOnSecurity is not naming those channels or groups here because they will simply migrate to more private servers if exposed publicly, and for now those servers remain a useful source of intelligence about their activities.

Each advertises their claimed access to T-Mobile systems in a similar way. At a minimum, every SIM-swapping opportunity is announced with a brief “Tmobile up!” or “Tmo up!” message to channel participants. Other information in the announcements includes the price for a single SIM-swap request, and the handle of the person who takes the payment and information about the targeted subscriber.

«

Which is why you don’t really want to do any authorisation through SMS. None at all.
unique link to this extract


A basic iPhone feature helps criminals steal your entire digital life • WSJ

Joanna Stern and Nicole Nguyen:

»

In the early hours of Thanksgiving weekend, Reyhan Ayas was leaving a bar in Midtown Manhattan when a man she had just met snatched her iPhone 13 Pro Max.

Within a few minutes, the 31-year-old, a senior economist at a workforce intelligence startup, could no longer get into her Apple account and all the stuff attached to it, including photos, contacts and notes. Over the next 24 hours, she said, about $10,000 vanished from her bank account.

Similar stories are piling up in police stations around the country. Using a remarkably low-tech trick, thieves watch iPhone owners tap their passcodes, then steal their targets’ phones—and their digital lives.

The thieves are exploiting a simple vulnerability in the software design of over one billion iPhones active globally. It centers on the passcode, the short string of numbers that grants access to a device; and passwords, generally longer alphanumeric combinations that serve as the logins for different accounts.

With only the iPhone and its passcode, an interloper can within seconds change the password associated with the iPhone owner’s Apple ID. This would lock the victim out of their account, which includes anything stored in iCloud. The thief can also often loot the phone’s financial apps since the passcode can unlock access to all the device’s stored passwords.

“Once you get into the phone, it’s like a treasure box,” said Alex Argiro, who investigated a high-profile theft ring as a New York Police Department detective before retiring last fall.

…An examination of the recent spate of thefts reveals a possible gap in Apple’s armor. The company’s defenses are designed around common attack scenarios—the hacker on the internet attempting to use a person’s login credentials, or the thief on the street looking to snatch an iPhone for a quick sale.

They don’t necessarily account for the fog of a late-night bar scene full of young people, where predators befriend their victims and maneuver them into revealing their passcodes. Once thieves possess both passcode and phone, they can exploit a feature Apple intentionally designed as a convenience: allowing forgetful customers to use their passcode to reset the Apple account password.

«

There’s also a discussion of this at Tidbits, with a simple suggestion for how to protect yourself against this. (Android phones have this vulnerability too.)
unique link to this extract


Elon Musk’s Twitter is a disaster for disaster planning • The Atlantic

Juliette Kayyem is faculty chair of the homeland security program at Harvard Kennedy School of Government:

»

Twitter was useful in saving lives during natural disasters and man-made crises. Emergency-management officials have used the platform to relate timely information to the public—when to evacuate during Hurricane Ian, in 2022; when to hide from a gunman during the Michigan State University shootings earlier this month—while simultaneously allowing members of the public to transmit real-time data. The platform didn’t just provide a valuable communications service; it changed the way emergency management functions.

That’s why Musk-era Twitter alarms so many people in my field. The platform has been downgraded in multiple ways: Service is glitchier; efforts to contain misleading information are patchier; the person at the top seems largely dismissive of outside input. But now that the platform has embedded itself so deeply in the disaster-response world, it’s difficult to replace. The rapidly deteriorating situation raises questions about platforms’ obligation to society—questions that prickly tech execs generally don’t want to consider.

…Four days after the company’s API announcement, a massive earthquake hit Turkey and Syria, killing at least 46,000 people. In an enormous geographic area, API data can help narrow down who is saying what, who is stuck where, and where limited supplies should be delivered first. Amid complaints about what abandoning free API access would mean in that crisis, Twitter postponed the restriction. Still, its long-term intentions are uncertain, and some public-spirited deployments of the API by outside researchers—such as a ProPublica bot tracking politicians’ deleted tweets—appear to be breaking down.

Meanwhile, Musk’s policy of offering “verified” status to all paying customers is making information on the platform less dependable. Twitter’s blue checks originally signified that the company had made some effort to verify an account owner’s identity. Soon after Musk made them available to Twitter Blue subscribers, an enterprising jokester bought a handle impersonating the National Weather Service.

«

unique link to this extract


Waymo’s driverless cars were involved in two crashes and 18 ‘minor contact events’ over 1 million miles • The Verge

Andrew Hawkins:

»

Waymo announced recently that its fully driverless vehicles in California and Arizona have traveled 1 million miles as of January 2023. To recognize this milestone, the Alphabet-owned company pulled back the curtain on some interesting statistics, including the number of crashes and vehicle collisions that involved its robot cars.

Waymo operates a fleet of driverless cars in Phoenix, San Francisco, and the Bay Area. Some of those trips include paying customers. The company also recently started testing its driverless vehicles in Los Angeles.

Over that 1 million miles, Waymo’s vehicles were involved in only two crashes that met the criteria for inclusion in the National Highway Traffic Safety Administration’s database for car crashes, called the Crash Investigation Sampling System (CISS). In general, these are crashes that were reported to the police and involved at least one vehicle being towed away. Of the two crashes that met the criteria, Waymo says its vehicle was rear-ended by another vehicle whose driver was looking at their phone while approaching a red light.

…Waymo says 10 of 18 of these minor contact events involved another driver colliding with a stationary Waymo vehicle, and two occurred at night. None of the events took place at intersections, where most vehicle crashes occur, nor did any involve pedestrians, cyclists, or other vulnerable road users.

«

That’s the sort of statistic that any human would be shouting from the rooftops. Although it depends on what sort of roads you’ve been driving on.
unique link to this extract


This model does not exist • Meet Ailice

»

Hey, I’m Ailice 👋

I do not exist, I was created by AI.

I post daily photos of my life on Instagram. Help me pick the photo of the day by upvoting your favorites. Every day, the best one gets posted on my Instagram.

«

Some of the pictures are weird, some are impressive. So many are in strange situations.
unique link to this extract


AI, ChatGPT, and Bing…Oh My. And Sydney too • Learning By Shipping

Steven Sinofsky:

»

Lots of 4-D chess predicting where things will go. Who will win or lose? How much a platform shift is “AI” or not? It’s too soon to know. If PC, phone, cloud, or internet are a guide — wary/pessimists will quickly fall behind because exponential growth is like that.

There are parallels to learn from and help guide us on how technology will evolve. Not the one path, but the sorts of paths that can follow. History rhymes. Why? Because both producers and consumers are humans and humans follow patterns, not precisely though.

First, in the next 6–12 months every product (site/app) that has a free form text field will have an “AI-enhanced” text field. All text entered (spoken) will be embellished, corrected, refined, or “run through” an LLM. Every text box becomes a prompt box.

This is a trivial add for most any product. Some will enhance with more bells & whistles. For example there might be an automatic suggestion (API costs aside) or several specific “query expansions” that take the text and guide the enhancement. Everyone will call the API.

This will be done to call attention to the new feature but also to add more surface area upon which to prove there is some depth to the work beyond just feeding what one types to the LLM.

This reminds me of the mundane example of spell-checking moved from a stand alone feature to integrated into word processing to suites and then 💥 it showed up in the browser. All of a sudden it wasn’t an app feature but every text box had squiggles.

«

Plenty more here, from the guy who saw Windows and Office go from idea to product.
unique link to this extract


The tech tycoon martyrdom charade • Anil Dash

Dash documents an intriguing example of, well, social warming:

»

I’ve been saying this for a few years now, but it’s worth recording here for the record: It’s impossible to overstate the degree to which many big tech CEOs and venture capitalists are being radicalized by living within their own cultural and social bubble. Their level of paranoia and contrived self-victimization is off the charts, and is getting worse now that they increasingly only consume media that they have funded, created by their own acolytes.

In a way, it’s sort of like a “VC Qanon”, and it colors almost everything that some of the most powerful people in the tech industry see and do — and not just in their companies or work, but in culture, politics and society overall. We’re already seeing more and more irrational, extremist decision-making that can only be understood through this lens, because on its own their choices seem increasingly unfathomable.

To be clear, there are still really thoughtful, smart people in positions of leadership in tech as executives, founders or investors, who aren’t participating in this mass delusion, but few of these good actors feel like they have the power to speak out against the rising extremism of the big tycoons. That power is especially coercive since even very established players rely on these newly-extremist figures for funding their companies or for business deals that they are dependent upon. And we know that, once reasonable voices stop speaking, only the most extreme ideas will dominate the conversation.

«

Absolutely classic pattern that will be familiar to anyone who’s read Social Warming: the research by Cass Sunstein about closed groups tending towards an extreme position applies all over. One of the most obvious examples was the targeting of the reporter Taylor Lorenz by VCs for doing her job – a job that they discovered wasn’t so simple.
unique link to this extract


LastPass says employee’s home computer was hacked and corporate vault taken • Ars Technica

Dan Goodin:

»

Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.

Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

«

That “vulnerable third-party media software package” was Plex. An amazing chain of hacks to get into the target. But that’s how hackers work. LastPass really doesn’t look very clever now: developers working at home have computers that aren’t locked down?
unique link to this extract


• Why do social networks drive us a little mad?
• Why does angry content seem to dominate what we see?
• How much of a role do algorithms play in affecting what we see and do online?
• What can we do about it?
• Did Facebook have any inkling of what was coming in Myanmar in 2016?

Read Social Warming, my latest book, and find answers – and more.


Errata, corrigenda and ai no corrida: none notified
