Start Up No.2407: what price semaglutide?, Apple’s vulnerable Passwords, Pebble is back!, the trouble with car parks, and more


The UK’s DVLA managed to update many of its processes for the web – but still needs to rely on daily batch jobs. CC-licensed photo by Amy Whitney on Flickr.

You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.


There’s another post coming this week at the Social Warming Substack on Friday at 0845 UK time. Free signup.


A selection of 9 links for you. Licensed. I’m @charlesarthur on Twitter. On Threads: charles_arthur. On Mastodon: https://newsie.social/@charlesarthur. On Bluesky: @charlesarthur.bsky.social. Observations and links welcome.


GLP-1s are crazy effective — just not cost-effective • Medscape

F Perry Wilson:

»

How much is your life worth?

To an economist, the answer is basically $100,000 per year of perfect health. The ways they arrive at this number are pretty fascinating, but a lot of it is done by looking at what we as a society are willing to pay for. A cost of $100,000 per “quality-adjusted life year” (QALY) is our standard candle here. More than that is not particularly cost-effective. Less than that is. The “quality” in the QALY is important too. Economists know that a year of perfect health is worth more, in dollar terms, than a year of moderate or poor health.

…The authors modeled the cost of the [semaglutide] drugs, the cost of medical care for people taking the drugs, even the cost of lifestyle modification alone (gym memberships aren’t free). Over the lifetime of a given individual, the total cost of a policy of using lifestyle interventions to treat overweight and obesity would be $244,000. A policy of lifestyle interventions plus tirzepatide? $313,000 dollars. Sure, the cost of medical care is lower with the tirzepatide strategy; those averted cases of heart disease and diabetes save money — about $30,000 per person over their lifetime. But the cost of the drug itself adds up. At current prices (about $1000 a month), we’re talking $111,000 dollars per person. 

Now that we have a measure of the effectiveness of the drugs and a measure of the cost, we can do some division and calculate the cost per QALY gained. And here’s what you see.

For tirzepatide, the most effective of the drugs, about $200,000 per quality-adjusted life year. For semaglutide? $470,000 per QALY (since it’s less effective and similarly priced). The older, less used drugs are remarkably more cost-effective: $85,000 for the phentermine drug, and Contrave actually saves money. Society saves $2500 per QALY for using this drug, even though it doesn’t work as well as the pricier stuff.

Does that mean we should abandon these amazingly effective agents? Definitely not. I love a drug that works, and these drugs work. They’re just, quite simply, too expensive. If we want to bring them down below the $100,000 per QALY threshold for cost-effective treatments, the price of tirzepatide needs to decrease by 30%, and the price of semaglutide by 82%. Honestly, I suspect Lilly and Novo would do fine at these price points, but what do I know? I’m not an economist.

«

I remain fascinated by the social effects of these drugs. If they get to the point where NICE in the UK thinks the price v QALYs equation is right, everyone gets on board.
unique link to this extract


Apple’s Passwords app was vulnerable to phishing attacks for nearly three months after launch • 9to5Mac

Arin Waichulis:

»

In iOS 18, Apple spun off its Keychain password management tool—previously only tucked away in Settings—into a standalone app called Passwords. It was the company’s first move at making credential management more convenient for users. It’s now been revealed that a serious HTTP bug left Passwords users vulnerable to phishing attacks for nearly three months, from the initial release of iOS 18 until the patch in iOS 18.2.

Security researchers at Mysk first discovered the flaw after noticing that their iPhone’s App Privacy Report showed Passwords had contacted a staggering 130 different websites over insecure HTTP traffic. This prompted the duo to investigate further, finding that not only was the app fetching account logos and icons over HTTP—it also defaulted to opening password reset pages using the unencrypted protocol. “This left the user vulnerable: an attacker with privileged network access could intercept the HTTP request and redirect the user to a phishing website,” Mysk told 9to5Mac.

“We were surprised that Apple didn’t enforce HTTPS by default for such a sensitive app,” Mysk states. “Additionally, Apple should provide an option for security-conscious users to disable downloading icons completely. I don’t feel comfortable with my password manager constantly pinging each website I maintain a password for, even though the calls Passwords sends don’t contain any ID.”

Most modern websites nowadays allow unencrypted HTTP connections but automatically redirect them to HTTPS using a 301 redirect. It’s important to note that while the Passwords app before iOS 18.2 would make a request over HTTP, it would be redirected to the secure HTTPS version. Under normal circumstances, this would be totally fine, as the password changes occur on an encrypted page, ensuring that credentials are not sent in plaintext.

However, it becomes a problem when the attacker is connected to the same network as the user (i.e. Starbucks, airport, or hotel Wi-Fi) and intercepts the initial HTTP request before it redirects.

«

Mysk were “surprised”? It’s a shockingly bad piece of app design that should never have come through testing. How could someone write a piece of code that says “http” and not think “wait, that should probably be https, shouldn’t it”?

Apple has made lots of software mistakes in the past, but I can’t think of such an obviously avoidable one offhand. The discussion about software quality at Apple will intensify; apart from anything, who was asking for passwords to be hived off into a new app with such a wonderful bug?
unique link to this extract
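As an added example (not code from the article, from Mysk or from Apple), here is the defender-side counterpart to the bug described above: a URL normaliser that upgrades every outbound URL to HTTPS before the first request is made, instead of trusting the server’s 301 redirect, plus an audit over a constructed request log of the kind the App Privacy Report surfaced. The hostnames and the log format are assumptions.

```python
"""Enforce HTTPS at the client before any bytes leave the device, and audit a
request log for plaintext contacts. Added illustration; hosts are made up."""
from urllib.parse import urlsplit, urlunsplit


class InsecureSchemeError(ValueError):
    """Raised for schemes that cannot be upgraded to TLS (ftp:, data:, ...)."""


def enforce_https(url: str) -> str:
    """Return `url` rewritten so the request goes over TLS from the first byte.

    Relying on a 301 from http:// to https:// leaves the initial plaintext
    request exposed to anyone on the local network, so the upgrade happens here:
    - http:// becomes https:// (an explicit :80 or :443 is dropped);
    - scheme-less input such as "example.com/reset" is treated as https;
    - any other scheme is rejected rather than silently sent.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    if parts.scheme not in ("http", "https"):
        raise InsecureSchemeError(f"refusing non-web scheme {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if ":" in host:  # bare IPv6 literal; urlsplit strips the brackets
        host = f"[{host}]"
    port = parts.port  # raises ValueError on a non-numeric port
    netloc = host if port in (None, 80, 443) else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, parts.fragment))


def audit_request_log(lines):
    """Count, per host, requests that went out as plaintext HTTP.

    Each line is "<scheme> <host> <path>" (a constructed format, not the real
    App Privacy Report). The result is what a reviewer would want before
    shipping: every host the app talks to without TLS, and how often.
    """
    plaintext = {}
    for line in lines:
        scheme, host, _path = line.split(maxsplit=2)
        if scheme.lower() == "http":
            plaintext[host] = plaintext.get(host, 0) + 1
    return plaintext


# Constructed sample log: an icon CDN fetched twice over HTTP and a
# change-password page opened over HTTP (the well-known path is the W3C one).
SAMPLE_LOG = [
    "http icons.example.net /favicon.ico",
    "https accounts.example.com /login",
    "http www.example.org /.well-known/change-password",
    "http icons.example.net /logo.png",
]

if __name__ == "__main__":
    for host, count in sorted(audit_request_log(SAMPLE_LOG).items()):
        print(f"PLAINTEXT {host}: {count} request(s)")
    print(enforce_https("http://www.example.org/.well-known/change-password"))
```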


Apple innovation and execution • Benedict Evans

Evans considers the delay to the new Siri in the context of what Apple has done in the past, then looks ahead:

»

a year is a long time given the speed of AI progress right now, especially given the ferocity of competition that Apple faces in China and the waves of new features that the OEMs there are pushing. And ‘Apple Intelligence’ certainly isn’t going to drive a ‘super-cycle’ of iPhone upgrades any time soon.

Indeed, a better iPhone feature by itself was never going to drive fundamentally different growth for Apple, but failures like Humane and Rabbit point to what else Apple (or others) might do with this technology once it works. The rumoured new home smart-screen device is probably a lot less appealing without this, and the AR glasses would need this too, except that those really are years away.

However, it clearly is a problem that the Apple execution machine broke badly enough for Apple to spend an hour at WWDC and a bunch of TV commercials talking about vapourware that it didn’t appear to understand was vapourware. The decision to launch the Vision Pro looks like a related failure. It’s a big problem that this is late, but it’s an equally big problem that Apple thought it was almost ready.

And the failure of Siri 2 is by far the most dramatic instance of a growing trend for Apple to launch stuff late. The software release cycle used to be a metronome: announcement at WWDC in the summer, OS release in September with everything you’d seen. There were plenty of delays and failed projects under the hood, and centres of notorious dysfunction (Apple Music, say), and Apple has always had a tendency to appear to forget about products for years (most Apple Watch faces don’t support the key new feature in the new Apple Watch) but public promises were always kept. Now that seems to be slipping. Is this a symptom of a Vista-like drift into systemically poor execution?

On the other hand, I’m old enough to remember when people said Apple was going to miss Machine Learning, and narratives are always easy to build when something’s gone wrong.

«

Certainly there are lots of people prepared to say “nobody knew what the LLM bit was going to do! Ordinary people weren’t looking forward to it, so it’s no loss if it’s delayed!” But people who watch Apple closely know that that isn’t the point. To announce and then backpedal is not the Apple way.
unique link to this extract


The first new Pebble smartwatches are coming later this year • The Verge

David Pierce:

»

The first watch that Migicovsky and [his company] Core plan to ship is called the Core 2 Duo (not to be confused with the old Intel processor), which Migicovsky says will cost $149 and will ship in July. The name explains the whole idea, he says: “It’s like a Pebble 2, but it’s made by Core devices. And then ‘Duo’ is for do-over.” It has the exact same black-and-white e-paper display as the old Pebble 2 (technically a transflective LCD, if you’re curious), and it even comes in the exact same frame. “We were able to find a supplier that still had the frames for Pebble Time 2 and Pebble 2,” he says. “They were never used. So we’ve been able to just draft on that.”

The Core 2 Duo does get a couple of upgrades, mostly by virtue of overall technological progress — Migicovsky says the new watch will last more than 30 days, instead of the Pebble 2’s seven, largely because Bluetooth chips have become so much more efficient. There’s also a speaker in the device now, which Migicovsky uses for chatting with AI assistants. Overall, though, this is an 8-year-old device simply made new again. (This is part of the idea behind the Pebble reboot: Migicovsky is convinced that Pebble mostly had it right a decade ago and simply wants to get back to that.) He estimates there will be around 10,000 Core 2 Duos available and figures a lot of developers and hardcore fans will be happy to have a new watch to play with as soon as possible.

«

I recall an analyst saying once that you can probably sell 100,000 of any new hardware – it’s the next 7,999,900,000 that are the problem. Can Migicovsky make a profit from that small group?
unique link to this extract


Sobering revenue stats of 70K mobile apps show why devs beg for subscriptions • Ars Technica

Scharon Harding:

»

If you’re frustrated by some of your favorite apps pestering you to sign up for a subscription, some new data may help you empathize with their developers more. According to revenue data from “over 75,000” mobile apps, the vast majority have a hard time making $1,000 per month.

The data is detailed in RevenueCat’s 2025 State of Subscription Apps report. RevenueCat makes a mobile app subscription tool kit and gathered the report’s data from apps using its platform. The report covers “more than $10bn in revenue across more than a billion transactions,” and RevenueCat’s customer base ranges from indie-sized teams to large publishers. Buffer, ChatGPT, FC Barcelona, Goodnotes, and Reuters are among the San Francisco-based firm’s customer base.

Additionally, the report examines apps that rely primarily on in-app subscriptions, as well as those that only generate some revenue from subscriptions. All apps examined, though, actively generate subscription revenue and “meet a minimum threshold of installs or revenue (to ensure statistically meaningful findings),” according to the report.

RevenueCat’s report doesn’t cover every single mobile app available, but it paints a picture of the challenges related to monetizing mobile apps across different types of categories, as well as how uneven the distribution of app revenue is.

RevenueCat’s report concluded that most apps fail to make $1,000 in monthly revenue within their first two years. It says: “Across all categories, nearly 20% reach $1,000 in revenue, while 5% reach the $10,000 mark. Revenue drop-off is steep, with many categories losing ~50% of apps at each milestone, emphasizing the challenge of sustained growth beyond early revenue benchmarks.”

«

$12,000 per year really isn’t a living wage. So it’s not surprising that scams proliferate from less honest developers. The internet is big, but it’s also parsimonious.
unique link to this extract


Britain’s car parking is a complete disaster • The Value of Nothing

Martin Robbins:

»

Car parks are a key part of something I like to call the ‘National User Experience’: a category of things that have been largely abandoned by government yet have a major impact on people’s daily lives and their perception of how the country is being run. Car parks, potholes, neglected public spaces, boarded-up shopping centres, persistent antisocial behaviour, the punctuality of trains – things people encounter day after day after day that make life a little bit harder, a little bit more miserable.

When Labour tries to get reelected in 2029, yes national issues will play a big part, but I think Westminster politicians massively underestimate the impact of unglamorous daily drudgery on much of the population: fix potholes and parking and you’re showing visible change to a lot of grateful people. Fail, and whatever you do at national level is overshadowed by the continuing enshittification of Britain.

In a sane world, all public transport including car parking would be wrapped up in a single, easy payment system. You should be able to tap in and out of car parks with an Oyster card or equivalent, with the parking charge rolled into your ticket. If you want to get people out of cars and onto public transport, providing a frictionless way to move between the two is a good start, particularly outside London where bus services will never be sufficient and personal transport is a necessity for many people.

«

I know what you’re thinking: don’t worry, Martin, the government’s funding a single-payer app! But as Robbins points out, the government cancelled it in February, citing fiscal straitjackets.

From the article about the cancellation:

»

There are thought to be at least 30 different parking apps in the UK, and it is not unusual for someone to have a number on their phone. Among the biggest are RingGo, PayByPhone and JustPark.

A survey published in 2024 by Autocar, however, found that “more than four in five motorists dislike using car parking apps”, with 83% saying they preferred to use cash or contactless card payments.

«

This is not good for the National User Experience.
unique link to this extract


Why some DVLA digital services don’t work at night • Dafydd Vaughan

Vaughan worked at the UK’s Driver and Vehicle Licensing Agency, and was there when it tried to make everything webby:

»

As part of the GDS [Government Digital Service] exemplar programme in 2013, DVLA committed to delivering a set of new digital services for managing vehicles and personal registrations. To deliver these services, we had to navigate the complexity of the existing tech in place.

Building a new front-end service would be relatively straightforward. However, updating the vehicle record would be more complex – we’d have to integrate with the legacy systems and deal with IBM/Fujitsu to do it. But the even bigger issue – how would we deal with the fragile overnight batch jobs?

We faced a choice. Step back and spend the next few years redesigning and rebuilding the underlying infrastructure to remove/remediate the overnight batch jobs, or accept the service couldn’t initially operate overnight.

Organisations often fall into this trap – spending years and huge amounts of money fixing the underlying foundations before starting to do new things. It’s difficult for an organisation to keep its focus and attention on a complex upgrade – particularly without getting noticeable benefits along the way. DVLA tried this in the early 2000s when migrating away from the mainframe. They ran out of money, and ended up in an even worse half-state.

I pushed for us to press on and deliver a service that could operate normally during the day, but would be turned off overnight. This would allow us to get some value early – giving people access to a new service quickly, while we looked to fix the issues behind the scenes. Luckily the political pressure of the exemplar programme supported us to do that.

«

So they did create a system that in effect still ran batch jobs – stopping taking new entries at some point in the 24 hours so all the records could be updated without creating conflicts.

Two neat codas in his writeup:

»

It’s now 2024 – 10 years on from the launch of the first service. The legacy infrastructure, which really should have been replaced by now, is probably still the reason why the services are still offline overnight.

Is this acceptable? Not really. Is it understandable? Absolutely.

«

And:

»

Transforming government services isn’t as easy as the tech bros and billionaires make it out to be.

«

unique link to this extract


Former Meta executive Sarah Wynn-Williams on her “Careless People” memoir • Business Insider

Pranav Dixit interviewed Sarah Wynn-Williams, who makes some interesting points about why she wrote her book:

»

PD: You left Facebook in 2017. Why did you decide to release it now, after all these years?

SWW: Because I think we’re on the cusp of this new era of technology. We’re stepping into this AI era, and at a high level, I don’t want the mistakes that were made during the social media era to be applied to the AI era.

One of the things that I’ve worked on since leaving [Meta] is the US-China AI dialogue on AI in weapons. So, I really understand the existential nature of AI. I also understand these people and how decisions are made. That’s why, as we go into this new era, we have to do it better. China is such a big part of the story of AI. It’s this growing strategic rivalry and how technology is so central to that rivalry.

And yet, this company has been doing things in the shadows for so long with the Chinese Communist Party, and their line is, “Oh, you know, we tried to get our services [into China] and we told you in 2019 that didn’t happen.” Have a look at how much of [Meta’s] revenue comes from China — it’s $18 billion.

(Editor’s note: According to Meta’s 2024 annual report, the company made $18.35 billion from China, primarily through resellers serving Chinese advertisers targeting global users.) So it seems that everyone is operating under the false notion that Meta is not operating in China when actually, it is fundamental to its current valuation, it’s fundamental to its future growth. And we don’t talk openly about it at the very time that we’re about to enter this new AI era.

…PD: A Meta spokesperson, Andy Stone, has said that your book wasn’t fact-checked and that nobody reached out to Meta for comment. Did you get the book fact-checked?

SWW: I think Meta’s problem is using this to not answer the questions themselves. What I would love is for us not to fall into the distraction. There’s a real risk that we talk about things that don’t matter. We’ve got these huge issues like China and I notice they’re not providing any detail on that. There are so many smart people who’ve worked at this company and who are covering this company. Like, we have to do better.

«

She gave the interview just before the arbitration ruling that she couldn’t publicise her book. So this is worth reading now.

Also, it only just occurred to me that the title comes from The Great Gatsby: “They were careless people, Tom and Daisy – they smashed up things and creatures and then retreated back into their money or their vast carelessness or whatever it was that kept them together, and let other people clean up the mess they had made.”
unique link to this extract


How bribes helped a crime ring steal thousands of iPhones from porches • WSJ via MSN

Esther Fung:

»

[Phone shop] Wyckoff Wireless looked like many other mom-and-pop shops around New York City—except federal agents were surveilling the scene, as they later recounted in a criminal complaint.

They suspected the wireless shop was a fence, or middleman, that authorities say was being used to move thousands of stolen iPhones. Last month, federal authorities arrested 13 people in connection with what they say was an international crime ring that targeted FedEx deliveries nationwide.

Porch thefts aren’t new, but they have become increasingly sophisticated. There was a spree last year—captured on doorbell cameras—where thieves stole iPhones just moments after they were dropped on front steps. They knew when the packages were coming and what was inside.

The Wyckoff Wireless case reveals how authorities say they did it: by harnessing technology and old-fashioned bribery.

The group created software to scrape FedEx tracking numbers and bribed AT&T store employees to get order details and delivery addresses, according to a criminal complaint filed in New Jersey. The group then sent thieves to pick off the packages and bring them back to destinations like the Brooklyn shop.

The software was created by Demetrio Reyes Martinez, who is known online as “CookieNerd,” according to the complaint. The 37-year-old wrote code to get around FedEx limits on delivery-data requests and sold it via Telegram with instructions on how to run the program, prosecutors said.

Reyes Martinez, a citizen and resident in the Dominican Republic, is still in the Caribbean nation, according to the U.S. Attorney’s Office in New Jersey, which declined to provide further information on his status.

…An AT&T store employee in Paterson, New Jersey, Alejandro Castillo, used his employment credentials to track hundreds of shipments that were subsequently reported stolen in transit, prosecutors said. He took photos of customers’ names, addresses and tracking numbers and shared them with the criminal group, according to the complaint.

He also worked with another store employee in Fort Lee, New Jersey, and recruited other employees at the cellular carrier, prosecutors said. Law-enforcement officials believe Castillo was receiving $2,000 to $2,500 if he recruited other employees.

«

Because Americans capitalise first letters in headlines (I take them down), I saw “From Porches” and thought the phones were stolen from Porsches and thought that was a bit niche to hit thousands. A theft from a porch, though? Sure.
unique link to this extract


• Why do social networks drive us a little mad?
• Why does angry content seem to dominate what we see?
• How much of a role do algorithms play in affecting what we see and do online?
• What can we do about it?
• Did Facebook have any inkling of what was coming in Myanmar in 2016?

Read Social Warming, my latest book, and find answers – and more.


Errata, corrigenda and ai no corrida: none notified

1 thought on “Start Up No.2407: what price semaglutide?, Apple’s vulnerable Passwords, Pebble is back!, the trouble with car parks, and more”

  1. “who was asking for passwords to be hived off into a new app”

    EU and other regulators.

    Password management is now a separate app instead of being baked into the OS and it can be removed altogether. You can also choose to use any third party app (or even multiple ones) as default and the third party ones integrate nicely with Safari and apps.

    Changes like this are always a risk. One can only wonder what new issues there are in iOS after all the drastic changes to how the platform works, thanks to EU and DMA. In the future UK, USA, JP etc. will all have their own similar, but not identical, requirements. It will be a nightmare for Apple.

    “Open” (as in “platform must allow apps to do pretty much anything”) and “secure” (for a normal user) are always at the opposite ends of the spectrum. Closed platforms like iOS, Android to some extent, and gaming consoles have proven to be the best for users.
