Start up: talking to Barbie, BlackBerry’s criminal approach, mobile theses, tracing bitcoin, and more


I know – it’s backspace, 28 times. Photo by totumweb on Flickr.

Oh, you could get each day’s Start Up post by email. But it’s email, isn’t it? Email.

A selection of 9 links for you. Apply topically. I’m charlesarthur on Twitter. Observations and links welcome.

Talking toys are getting smarter: should we be worried? » WSJ

Geoffrey Fowler:

Maybe the best way to understand whether these toys hinder imagination is to look at their underlying technology. From an interactive standpoint, Hello Barbie is basically a voice-activated Choose-Your-Own-Adventure book, in that she gives children a limited number of choices as they go down the conversational path and has a finite, albeit vast, number of dialogue lines (8,000 in total, recorded by an actress).

Once you start talking to Hello Barbie, what you soon realize is that, although she can remember details—a child’s favorite color or whether she has a sibling—the doll is not a very good listener. Many of her questions are just setups to tell a scripted story. “If you could go on vacation anywhere in the world, where would you want to go?” she asked [test child] Riley before describing her own recent vacation. Sure, every now and then she invites Riley to chime in. (“It’s a warm day and my friends invited me to go to the beach. I’m not really sure what to wear. Um, maybe some mittens and a scarf?”) But ultimately, whatever the child says, Hello Barbie sticks to her script.

Despite Hello Barbie’s inability to participate in a child’s flights of fancy, the doll is programmed to extol the virtues of imagination. “I think it’s great to exercise your imagination and creativity!” she said to Riley. Also: “We love using our imaginations. We are so avant-garde!”

So the answer to the question posed in the headline is “not yet”. But not “not ever”. It feels very much like a slice from a Philip K Dick novella.
link to this extract


Detect and disconnect WiFi cameras in that AirBnB you’re staying in » Julian Oliver

There have been a few too many stories lately of AirBnB hosts caught spying on their guests with WiFi cameras, using DropCam cameras in particular. Here’s a quick script that will detect two popular brands of WiFi cameras during your stay and disconnect them in turn. It’s based on glasshole.sh. It should do away with the need to rummage around in other people’s stuff, racked with paranoia, looking for the things.

Thanks to Adam Harvey for giving me the push, not to mention for naming it.

May be illegal to use this script in the US (not that that will stop people). Note how the sharing, trusting economy has its limits.
link to this extract


Bypass Linux passwords by pressing backspace 28 times » Apextribune

Daniel Austin:

if certain conditions are met (mostly the proper version of the OS), pressing the backspace key 28 time in a row will cause the computer to reboot, or it will put Grub in rescue mode, Linux’s version of Safe Mode.

This will provide the would-be hacker with unauthorized access to a shell, which he can then use to rewrite the code in the Grub2 in order to gain full unauthorized access to the machine.

From this point, anything is possible, since the hacker would be able to do anything he wanted to the computer.

Vulnerable versions: Linux GRUB 1.98 (from 2009) through to the current 2.02 version. (Not Linux as said in earlier version of this post.)
link to this extract


Tracing the Bitcoinica theft of 40,000 btc in July 2012 » YouTube

So 10,000 bitcoins were stolen from MtGox in July 2012. You thought bitcoin were untraceable? Not at all. Watch and learn. Though this doesn’t mean the people named here are guilty of theft (he said, covering himself against any potential libel).


link to this extract


Activation lock checker » Apple

Before transferring ownership of an iPhone, iPad, iPod touch, or Apple Watch, make sure Activation Lock has been disabled and the device is ready for the next user.

The implication there is that it’s for you, the seller, to do the checking that you’ve turned it off – but the protection is really for buyers to make sure they don’t get a hot phone.
link to this extract


Competition is shifting to the high end » Tech.pinions

Jan Dawson:

Sony has abandoned PCs and continues to struggle in smartphones, HTC increasingly looks like it’s on its last legs as an Android vendor, Toshiba is considering spinning off its PC business, and Samsung’s smartphone business – once the poster child for success making Android phones – continues to slip. It sometimes seems as if the only vendors making Android phones and Windows PCs who aren’t struggling in some way are the licensors of the operating systems. And though we don’t have detailed financials for either company’s hardware business, they’ve both done it by focusing on selling premium devices at premium prices, and by tightening the integration between hardware and software.
What’s interesting is we haven’t seen any of the OEMs pursue this strategy. That likely reflects, in equal parts, a lack of capability and a lack of will, as these OEMs have neither the experience nor the desire to pursue the high end of the market. And yet it’s been clear for years that, while scale may be in the mass market, the margins are in the high end.

link to this extract


16 mobile theses » Benedict Evans

We’re now coming up to 9 years since the launch of the iPhone kicked off the smartphone revolution, and some of the first phases are over – Apple and Google both won the platform war, mostly, Facebook made the transition, mostly, and it’s now perfectly clear that mobile is the future of technology and of the internet. But within that, there’s a huge range of different themes and issues, many of which are still pretty unsettled.

In this post, I outline what I think are the 16 topics to think about within the current generation, and then link to the things I’ve written about them. In January, I’ll dig into some of the themes for the future – VR, AR, drones and AI, but this is where we are today.

I wouldn’t be surprised if the title is a subtle reference to Martin Luther (though he rambled on for 95 theses), but it’s impossible to argue against any of these; they simply state the ground where the world now stands. The point about mobile being 10x larger as an ecosystem now than the PC is an important one, though not the only important one.
link to this extract


August 2010: RIM’s Deal: Saudi Arabia Can Access BlackBerry User Data » DailyFinance

From August 2010, by Douglas McIntyre:

Saudi Arabia’s government announced it reached a deal with Research In Motion (RIMM) that will allow the Canadian maker of BlackBerry smartphones to continue operating its service there. Under the agreement, RIM will put a server in the nation that will allow the government to monitor messages to and from Blackberries. All of RIM’s servers have been in Canada until now so the company could guarantee confidentiality for its customers though the encryption process on those servers.

According to several news sources, similar deals will probably be sought by other countries that have voiced concerns about the Blackberry encryption procedures. First among these is the United Arab Emirates, which threatened to shut down RIM’s services there on Oct. 11. India and Indonesia have also said they’re concerned about the RIM confidentiality system and their inability to track information that they claim may not be in the best interests of their governments.

Everyone’s a criminal, after all – they just need to work out what they’re guilty of. Now read on.
link to this extract


The encryption debate: a way forward » Inside BlackBerry

John Chen, who is chief executive of BlackBerry, in December 2015:

For years, government officials have pleaded to the technology industry for help yet have been met with disdain. In fact, one of the world’s most powerful tech companies recently refused a lawful access request in an investigation of a known drug dealer because doing so would “substantially tarnish the brand” of the company. We are indeed in a dark place when companies put their reputations above the greater good. At BlackBerry, we understand, arguably more than any other large tech company, the importance of our privacy commitment to product success and brand value: privacy and security form the crux of everything we do. However, our privacy commitment does not extend to criminals.

BlackBerry is in a unique position to help bring the two sides of this debate together, to find common ground and a way forward. BlackBerry’s customers include not only millions of privacy-conscious consumers but also the banks, law firms, hospitals, and – yes, governments (including 16 of the G20) – that use our products and services to protect their highest value resources every single day. We stand as an existence proof that a proper balance can be struck.

We reject the notion that tech companies should refuse reasonable, lawful access requests.

The “powerful tech company” Chen is referring to there is Apple, which has refused to cooperate in unlocking an iOS 7-powered phone in a federal case (which remains under seal). There’s a search warrant for the phone, which is locked.

Chen’s stance though is really surprising. He seems to be saying “sure, we’ll cooperate with the government if it asks.” But what if it’s the Chinese government? Or the Syrian government? And what’s the mechanism that lets BlackBerry cooperate? From iOS 8 onwards, Apple simply can’t decrypt a phone, no matter what access it gets. Is BlackBerry ceding that ground?
link to this extract


Errata, corrigenda and ai no corrida:

Start up: the Foodpanda takeaway scam, watch iOS 9 grow!, 2 billion lines of Google, and more


“Hi! You look like you want an (artificially) intelligent conversation!” Photo by RomitaGirl67 on Flickr.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 9 links for you. May cause. I’m charlesarthur on Twitter. Observations and links welcome.

Mixpanel Trends » Mixpanel Mobile Analytics

The link is to the iOS 9 adoption curve from Mixpanel; it’s live, so when you click through it’ll be the latest figures. At the time of writing, three hours after iOS 9 went live, its adoption was at 3.2%, against 7.2% for “older than iOS 8” and 89.6% for iOS 8. (Apple’s own stats on September 14 were 87% iOS 8, 11% iOS 7, 2% earlier.)
link to this extract


The trouble with Foodpanda » Livemint

Ashish Mishra with a terrific tale of a much-funded startup which didn’t quite figure out that not everyone is honest:

Let’s say you are a restaurant. Now, place 10 orders using 10 names or even the same name, each for Rs.300. Every order is a takeaway. Pay online using the BOGO voucher, a campaign (Buy One Get One) run by Foodpanda. So for Rs.300, get Rs.300 free. So for a Rs.600 order, you paid only Rs.300. How much does Foodpanda have to return to you, the restaurant? Rs.600. After deducting 12% as its cut, Rs.528. How much did you make in the process? Rs.228 . Did you have to deliver that order? Nope. So, a straight profit of Rs.228.

Now, let’s say you processed 100 such orders a day. For a month. Total investment: Rs.9 lakh. Reimbursed by Foodpanda: Rs.15.84 lakh. Your total gain, by just processing fake orders: Rs.6.84 lakh.

Now imagine you are not the only restaurant on the platform doing this.

link to this extract


Issue 178139 – android – Android full lockscreen bypass – 5.1.1 PoC » Android Open Source Project

John Gordon at the University of Texas at Austin:

Android 5.1.1 Lockscreen Bypass
—–
Summary: Unlock a locked device to access the homescreen, run arbitrary applications, and enable full adb access to the device. This includes access to encrypted user data on encrypted devices.
Prerequisites: Must have a password lockscreen enabled. (PIN / swipe untested)
Hardware: Nexus 4
Software: Google factory image – occam 5.1.1 (LMY47V)

Attack details:
Pasting a sufficiently large string into an input field will cause portions of the lockscreen to become unresponsive and allow the user to terminate those processes. An attacker can construct a large string by typing characters into the Emergency Dialer, then select all + copy + paste repeatedly to increase the string size exponentially. Once the string has been pasted, either into the Emergency Dialer or the lockscreen password prompt, attempting to type more characters or performing other intaractions quickly and repeatedly causes the process to become overloaded and crash, or produce a dialog allowing the user to kill the process. If done in a password prompt in the foreground of the camera application, this crash results in the homescreen or Settings applcation being exposed.

PIN/swipe is untested, rather than safe (as far as we can see). This seems to be pretty hard to do – the video is 18 minutes long, involving lots of copy/pasting. It’s not really a giant flaw like Stagefright; and Apple has had some egregious lockscreen bypasses in the past. (Though none in iOS 8 that I’ve seen.) The problem though is that this doesn’t help Android’s reputation among businesses considering whether to buy it. It’s not the exploit; it’s the suggestion of vulnerability.
link to this extract


Popping the publishing bubble » Stratechery

Ben Thompson, in his weekly “free to view” article, says that iOS 9’s adblockers are just going to finish what was already happening:

It is easy to feel sorry for publishers: before the Internet most were swimming in money, and for the first few years online it looked like online publications with lower costs of production would be profitable as well. The problem, though, was the assumption that advertising money would always be there, resulting in a “build it and they will come” mentality that focused almost exclusively on content product and far too little on sustainable business models.

In fact, publishers going forward need to have the exact opposite attitude of publishers in the past: instead of focusing on journalism and getting the business model for free, publishers need to start with a sustainable business model and focus on journalism that works hand-in-hand with the business model they have chosen. First and foremost that means publishers need to answer the most fundamental question required of any enterprise: are they a niche or scale business?

• Niche businesses make money by maximizing revenue per user on a (relatively) small user base
• Scale businesses make money by maximizing the number of users they reach
The truth is most publications are trying to do a little bit of everything: gain more revenue per user here, reach more users over there.

Worth it for the illustrations. You should subscribe so he can afford an iPad Pro and a stylus.
link to this extract


Google is 2 billion lines of code — and it’s all in one place » WIRED

Cade Metz:

Google has built its own “version control system” for juggling all this code. The system is called Piper, and it runs across the vast online infrastructure Google has built to run all its online services. According to [Google’s head of… big stuff? Rachel] Potvin, the system spans 10 different Google data centers.

It’s not just that all 2 billion lines of code sit inside a single system available to just about every engineer inside the company. It’s that this system gives Google engineers an unusual freedom to use and combine code from across myriad projects. “When you start a new project,” Potvin tells WIRED, “you have a wealth of libraries already available to you. Almost everything has already been done.” What’s more, engineers can make a single code change and instantly deploy it across all Google services. In updating one thing, they can update everything.

There are limitations this system. Potvin says certain highly sensitive code—stuff akin to the Google’s PageRank search algorithm—resides in separate repositories only available to specific employees. And because they don’t run on the ‘net and are very different things, Google stores code for its two device operating systems — Android and Chrome — on separate version control systems. But for the most part, Google code is a monolith that allows for the free flow of software building blocks, ideas, and solutions.

The point about Android and Chrome being on separate version control systems is one to note. Can’t merge the code until those two come together.
link to this extract


IPv6 will get a big boost from iOS 9, Facebook says » Computerworld

Stephen Lawson:

Even when all the pieces are in place for IPv6, iOS 8 makes an IPv6 connection only about half the time or less because of the way it treats the new protocol. With iOS 9, and IPv6 connection will happen 99% of the time, Saab predicts. 

IPv4 is running out of unused Internet addresses, while IPv6 is expected to have more than enough for all uses long into the future. Adoption has been slow since its completion in 1998 but is starting to accelerate. The release of iOS 9 may give a big boost to that trend. 

“Immediately, starting on the 16th, I’m expecting to see a lot more v6 traffic show up,” said Samir Vaidya, director of device technology at Verizon Wireless. About 50% of Verizon Wireless traffic uses IPv6, and Vaidya thinks it may be 70% by this time next year as subscribers flock to the iPhone 6s. 

Apple’s change should help drive more IPv6 use on Comcast’s network, too. About 25% of its traffic uses the new protocol now, and that figure could rise above 50% by early next year, said John Brzozowski, Comcast Cable’s chief IPv6 architect. 

This is the point, again and again. Android has the installed base; but iOS adoption is so rapid that it can drive change almost immediately.
link to this extract


Barbie wants to get to know your child » The New York Times

James Vlahos:

Hello Barbie is by far the most advanced to date in a new generation of A.I. toys whose makers share the aspiration of Geppetto: to persuade children that their toys are alive — or, at any rate, are something more than inanimate. At Ariana’s product-testing session, which took place in May at Mattel’s Imagination Center in El Segundo, Calif., near Los Angeles, Barbie asked her whether she would like to do randomly selected jobs, like being a scuba instructor or a hot-air-balloon pilot. Then they played a goofy chef game, in which Ariana told a mixed-up Barbie which ingredients went with which recipes — pepperoni with the pizza, marshmallows with the s’mores. ‘‘It’s really fun to cook with you,’’ Ariana said.

At one point, Barbie’s voice got serious. ‘‘I was wondering if I could get your advice on something,’’ Barbie asked. The doll explained that she and her friend Teresa had argued and weren’t speaking. ‘‘I really miss her, but I don’t know what to say to her now,’’ Barbie said. ‘‘What should I do?’’

‘‘Say ‘I’m sorry,’ ’’ Ariana replied.

‘‘You’re right. I should apologize,’’ Barbie said. ‘‘I’m not mad anymore. I just want to be friends again.’’

We now return you to our regular scheduled programming of “Philip K Dick short stories brought to life.” Take your pick: War Game, Second Variety or The Days of Perky Pat?
link to this extract


One great reason to update to iOS 9 – a nasty silent AirDrop attack is in town » Forbes

Australian researcher Mark Dowd, who heads up Azimuth Security, told FORBES ahead of Apple’s iOS 9 release on Wednesday that the flaw allowed anyone within range of an AirDrop user to install malware on a target device and tweak iOS settings so the exploit would still work if the victim rejected an incoming AirDrop file, as seen in the video below.

Users should update to iOS 9 and Mac OS X El Capitan, version 10.11, as soon as possible to avoid losing control of their phones and PCs to malware. Any iOS versions that support AirDrop, from iOS 7 onwards, are affected, as are Mac OS X versions from Yosemite onwards. There are few protections outside of upgrading, other than turning AirDrop off altogether. The service is off by default, though it’s possible to start it running from the lockscreen.

By carrying out what’s known as a “directory traversal attack”, where a hacker enters sections of the operating system they should not be able to access, Dowd found it was possible to exploit AirDrop and then alter configuration files to ensure iOS would accept any software signed with an Apple enterprise certificate. Those certificates are typically used by businesses to install software not hosted in the App Store and are supposed to guarantee trust in the provenance of the application. But, as FORBES found in a recent investigation into the Chinese iPhone jailbreaking industry, they’re often used to bypass Apple security protections.

I dunno, getting AirDrop to work is usually the biggest challenge I face. (The mitigation is pretty easy on any version – turn off Wi-Fi or Bluetooth, or turn Airdrop to accept files from Contacts Only or off; this leaves Wi-Fi and Bluetooth untouched.)
link to this extract


Google taken to court to uncloak ebook pirates » TorrentFreak

Early June, GAU [the Dutch trade organisation representing dozens of book publishers in the Netherlands] reported that Google appeared to be taking steps to prevent rogue sellers from offering illegal content via its Play store. The group also noted that BREIN was attempting to obtain the personal details of the ‘pirate’ seller from Google.

Unsurprisingly that wasn’t a straightforward exercise, with Google refusing to hand over the personal details of its user on a voluntary basis. If BREIN really wanted the seller’s identity it would have to obtain it via a court order. Yesterday the anti-piracy group began the process to do just that.

Appearing before the Court of The Hague, BREIN presented its case, arguing that the rogue seller was not merely a user of Google, but actually a commercial partner of Google Play, a partnership that earned revenue for both parties.

“The case is clear,” BREIN said in a statement.

“There was infringement carried out by an anonymous seller that was actually a commercial ‘partner’ of Google via Google Play. This is how Google refers to sellers in its own terms of use.”

BREIN says that ultimately Google is responsible for the unauthorized distribution and sales carried out via its service.

“There is no right to anonymously sell illegal stuff, not even on Google Play while Google earns money,” the anti-piracy group concludes.

In the UK I think this would be a fairly straightforward “Norwich Pharmacal” case. Wonder if Holland has anything comparable.
link to this extract